Reputation risk, protecting your brand, and the fear of losing one's credibility are among the most important aspects of today's business. The advent of technology, the Internet, and the so-called information age has opened the doors for information to flow freely. On one hand, this brings transparency to the business fraternity in terms of accurate news and information; on the other, it brings with it the risk of letting out too much.
Information security, data privacy, corporate governance, and risk management are no longer mere line items in a compliance checklist. They are necessary processes and tools to safeguard your business from vulnerabilities that are mostly overlooked, or addressed only to stay in the good books of regulators and auditors.
What did it take for Satyam to lose its credibility in the eyes of its shareholders? What did it take for it to be blacklisted by the World Bank, which gave it approximately $100 million a year? The reasons may be many, but imagine being the 4th largest software company in India and henceforth being viewed without confidence and trust by the business fraternity across the globe. This is the biggest price a credible company like Satyam pays today because of bad governance and a few wrong people.
What is the reason? I would sum it up as "lack of corporate governance & effective awareness".
Today we talk about Satyam because we know about it and it has been exposed, but if we dig we shall find many more. There have been cases outside India where companies have been singled out, be it Nike for child labor, Enron for accounting mismanagement, Walmart for discrimination, or the ostrich mentality of Barings Bank or Soc Gen. We have been given so many such stories, but are we sensitive to them? Or are we still playing the ostrich, burying our heads in hope and praying that such things do not happen to us?
Coming from a Governance, Risk & Compliance background, I have had the privilege of interacting with decision makers and business executives on these issues. Though risk management in the country is picking up, with most companies in the initial days of risk assessment, employee awareness still has low priority on their agenda and plans for risk mitigation. It was amazing to hear a multi-billion-dollar company executive, when asked about the budget for information security awareness for 20 thousand people, come up with a mere $2500, yet admit that it is one of the top priorities for the company this year.
People here are not concerned with the outcome; they are concerned with the job at hand, and that is reflected in the annual budgets for compliance training, tools and processes. When it comes to compliance, we need to look at outcomes and not the associated cost.
E&Y came up with an Information Security Survey, and the essential questions they asked were:
- How do you convince your customers, trading partners & investors of your commitment to information security?
- How do you build confidence in your ability to protect their information?
- How do you protect your reputation & brand in an environment of escalating threats?
The survey brought out some exciting outcomes, some of them encouraging and positive, but, as I have argued, so much emphasis is given to technology that the "people" component of information security is always overlooked.
People still remain the weakest link. Organizations must view their people as being as critical as any other information security component, so that they can help prevent and properly respond to information security incidents in an effective and timely manner. I recently experienced this when the board turned down effective spending on awareness training, citing the economic slowdown. But I would like to ask: in such tough times, is this not the right time to stand up and be counted?
People tend to forget the intangible benefits of such initiatives. These initiatives enhance a brand, help you answer the questions posed earlier effectively, and in turn build a credible brand that is recognised as a trusted partner and reaps the competitive advantage.
"Managing Risk is not Expensive, Not managing Risk is Expensive"; I hope India Inc and its executives understand the real meaning of this statement.