Blogpost

Putting Reputational Risk in Perspective in a VUCA World

Each year there is an annual Summit for third party risk professionals to network, train, and learn from each other and discuss with regulators how to manage third party risk and protect their company’s brand and assets. This year, the Shared Assessments Summit 2015 was held in Baltimore, MD. Being in Baltimore for the entire week influenced the conference dialog on risk management and crisis communication.

Being under curfew during a state of emergency, with visible National Guard presence showed how quickly a situation can morph or change under the influence of social media. The concept of a VUCA world – Volatile, Uncertain, Complex, and Ambiguous, has never been so clearly brought to life than by last week’s events in Baltimore and solidarity protests in many urban cities across the United States.
For the third party risk professionals attending the risk conference the governance themes focused on these topics:

  • Ethics, Compliance, and Operational Risk
  • The Heightened Expectations for Boards of Directors
  • Breach Incident Management
  • Impact of demographic shifts on our culture

Shift in perspectives played out in the streets
The intent of our week was on how organizations need to mature their third party risk management processes – not just due to cybersecurity, but for broader risks of regulatory compliance and operational risk. However I saw a dialog shift in the perspectives from both presenters and attendees as the lessons learned and risk management themes were played out on the streets, on the media, and how quickly the information sharing shifted the speed of response, or interpretation of speed of response. The crisis communication training session became a more hands on application of lessons learned in real or reel time as the attendees got updates on the situation from their smart phones.

Even the session on demographics and how the millennial generation thinks differently about risk and communication was driven home by the escalated events. Actions planned by high school students to do a “purge” quickly escalated when combined with the factors being discussed regarding the Freddie Gray situation. For the residents of Baltimore the numbers were striking: 400+ arrests, 113 police officers injured, 200 small businesses lost or unable to reopen, 144 vehicle fires, and 19 burning structures. For the companies located in Baltimore with executives monitoring the situation, key processes were triggered to enact crisis communication teams and deployment teams for incident response.

An organization can only lose its reputation once
The media points and counterpoints frame up the debate of public policy and reputation risk. In fact, 90% of executives surveyed by Forbes Insights last year on behalf of Deloitte stated that reputation risk is their key business challenge. The essence of a corporate reputation is about what a company “is”, what “it does”, and how “it does it.” An organization can only lose its credibility once, and it takes time and resource to recoup lost trust. Deloitte issued an updated Directors Report to focus on governance on the top governance issues for 2015.
Communication during crisis even more crutial

How do you develop a strategy in a VUCA world or in a VUCA crisis? As any situation develops, organizational crisis teams near clear roles for navigation and to think clearly in a crisis. While individuals can become desensitized to recent data breach incidents, the intense pace by which situations can escalate due to social media requires a different leadership approach to managing risk. Communication in a crisis becomes even more critical.

While our conference attendees were focused on an analysis of the Cyber Security breaches of 2014 and the resulting implications for Executives and Boards of Directions, we also internalized these perspectives to the evolving situation.

Key takeaways
Key “nuggets” from our conference speakers that I jotted down as most memorable takeaways to apply back into my organization included:

  • Build a plan for the risks you don’t expect
  • Remember that hope is not a strategy
  • Frame the narrative when sharing bad news
  • Tell a Story – and build your own story arc
  • Know the media cycles for when to share updates
  • Speak like The Choir – all singing from the same song sheet
  • Operationalize risk management

I co-facilitated a pre-conference workshop on “The New Normal” for third party risk, and unfortunately that “tagline” became an often used phrase by local and national reporters as we got hourly and daily updates on the situation. For corporations the VUCA factor of social media factor and quick to judgment by the public, increases the importance of reputation risk management. “The New Normal” for reputation risk is not only a faster pace, but competing or opposing strategies to be able to handle situations that come out of left field.

Due to the city-wide curfew, conference attendees stayed at the hotel, and continued the dialog on what they learned this week, not only by academic sessions but watching the events unfold in basically our back yard.

From the Social Media Mom, to the community regrouping together to quell the protests, each day was a new day in a VUCA world. There will be a series of debates on response from government, academia, media, law enforcement and corporations on what to learn from the Baltimore 2015 riots. Reputation risk will clearly be top of mind for Boards of Directors and Executives in cities across the nation in the coming weeks.

From a personal view, the experience was historic to see how quickly the situation began to change conversations – and I even got to meet CNN’s Anderson Cooper in the proces

Linnea Solem Chief Privacy Officer, Vice President Risk and Compliance for Deluxe Corporation and a former Chair of the Shared Assessments Program. Linnea is a management professional with 20+ years financial services experience in areas eCommerce, technology, business development, marketing, information practices and risk management. She is a Certified Information Privacy Professional and led Deluxe’s compliance initiatives for Y2K, GLB, Check 21, and Red Flags Legislation. You can connect with Linnea on LinkedIn.

Reposted with permission from Deluxe Blogs