Your IT exposed

As the Internet is used to reach customers and suppliers alike, poor IT performance can directly damage brands worth millions of pounds. Karl Cushing investigates how risk management can ensure your brand is not exposed.

The recent glut of downtime and poor service availability affecting UK online banks and the difficult launch of loyalty card scheme Nectar, following security and technical glitches, have once again brought the issue of reputational damage into the media spotlight. Companies' brands and reputations can take a pounding from downtime, security concerns and resilience issues; and greater exposure to the Internet has increased the risk of serious damage exponentially. The marketplace itself can prove very unforgiving. As barrister and security expert Stephen Mason puts it, "Reputational issues are very important - if you're not careful, you can end up with a permanent black mark next to your name."

Risk management is, however, under-appreciated by the companies that rely so heavily on the good reputations of their brands. While this will come as no surprise to IT directors, it might well be news to their counterparts on the business side who all too often view such expenditure and effort as a cost not an investment. As Mason says, "We have to communicate to directors that they can have an effect on the bottom line." Hopefully, this will give IT directors more bargaining clout when trying to persuade the board of the importance of investing in IT security and infrastructure.

Reputational risk and risk management should be factored into every business decision, including IT decisions. "It is not just a PR issue it's a business issue," says David Saunders, managing director of PR consultancy Marketforce Communications. Saunders believes the problem is that reputational risk is "nebulous". "It's hard to quantify and it's subjective and that's why it's ignored," he says.

"If you can't quantify the scale of the risk it's hard to make a decision," adds Gavin George, a partner in retail and technology consultancy Itim. However, the cost of rebuilding a brand can be enormous, he says.

Mason stresses that it should not just be down to the IT department to combat such problems, which is often the case. All directors need to work together to identify and then assess the risks to their business before putting in place strategies to counter them, he says, with departments like HR and legal working with IT and pooling resources. However, Richard Hammond, managing director of advertising agency Spirit, points out that IT directors have to do more as well. Understanding brand relationships should be as big a priority for IT directors as it is for marketing directors, he says, and they can play a big part in combating "silo management" and creating synergy between departments to reduce potential for damage if they are proactive.

Effective risk management strategies need to be thorough and wide ranging, as problems can come from many directions. In addition to the much-publicised external issues such as downtime and the inability of Web sites to cope with spikes in demand at peak times, there is a greater threat from the user. Staff can represent a ticking timebomb for a company's reputation. A saucy e-mail or rude attachment forwarded by an employee can spell big trouble for an organisation - especially if, like those of Claire Swire and Trevor Luxton describing oral sex encounters, they are forwarded around the world with lightning speed. Companies and their directors can find themselves open to civil and even criminal claims and liable for damages and, as Mason warns, the scale of those damages is uncapped. This has driven some companies to impose e-mail amnesties on their staff. Motor manufacturer Ford, for example, earlier in the year gave its 20,000 UK staff just two weeks to remove porn and other potentially offensive material from their PCs or risk facing disciplinary action.

From a reputational damage point of view, however, the key dangers come from technical glitches and security concerns. This is especially true in the early days, says Hammond, when the relationship between customer and supplier is more fragile and the consumers more sceptical. Effort spent building brand reputation can be wiped out and brands or companies tainted for the term of their natural life.

The partners behind loyalty card scheme Nectar reputedly spent £40m on advertising for its launch, which ended in a fiasco after one user complained that he could see another person's details on the site and thousands of users were unable to access the site as its servers buckled under the demand. The company might yet be left with more than egg on its face, as Hammond says the incident could have a lasting impact on customers' perception of the site. George agrees, "It's a very real risk. Customers will persevere with the service but not for long. We advise our clients that they should be obsessive about availability."

"If you have a new brand and you don't deliver, it can kill a business," says Hammond, who says that if Nectar was a stand-alone brand those technical glitches could have killed it. He claims that it's easier for bricks and mortar companies transferring their services and products online than for a pure play online firm to recover from technical glitches and other bad news events. But while once, even twice, might be ok, "After that you're jeopardising the future of the organisation", he says.

The scale of the risk that companies face is well illustrated by the recent case of the Andersen partnership, which imploded earlier this year. What sank Andersen in the end, according to Saunders, was the fact that companies simply did not wish to be associated with the Andersen name any more and they took their business elsewhere. "Andersen's credentials were destroyed by reputational risk long before the other liabilities had crystallised," claims Saunders, who says that Andersen is a great example of how a reputation built up over decades can be "dissipated overnight".

IT-related problems may not cause damage on the same scale, but they can hit your reputation.

Mason points to the case of Norwich Union, which in 1997 was forced to pay Friends Provident £450,000 in damages and pay its legal costs, reputed to be more than £1m, after it emerged that e-mails had been circulating around Norwich Union saying that Friends Provident was close to insolvency.

Another area where a strong brand is crucial is print media, as shown in the recent report, Investing Media Brand Equity Online, by Blue Rubicon. Based on interviews with 11 print publishing executives, the authors claim that media companies have invested up to 30% of their brand's reputation in their online offerings in the last three years, making security of supply a key factor in protecting the brand equity. "The reputation and performance of their print titles and of their online offerings are increasingly interdependent, so the imperative towards system uptime has never been more critical," says Simon Harrison, UK managing director of Web hosting firm Netscalibur, which sponsored the research.

And it's not just private sector companies that are at risk. Any organisation with a reliance on IT is at risk. On top of the risk of reputational damage caused by end users, there is a real danger that risk management will be left out or merely paid lip service to as public sector institutions race to hit Government guidelines of providing 100% of services electronically by 2005. Paul Johnson, director of sales and marketing in the public sector division of IT services firm ITNet, claims that many local authorities have little or no appreciation of formal risk management strategies during change. "Change creates risk on a technical as well as operational level," says Johnson, "and this risk needs to be recognised, evaluated and managed if local authorities and their citizens are to benefit from, rather than suffer from, change."

What is certain is the issue isn't going to go away and every organisation, regardless of size, would do well to bear that in mind.

They thought it couldn't happen to them
October 2002: Nectar's £40m launch ended in fiasco as its servers failed to cope with large demand from consumers and one user was able to view others' details
October 2002: online bank Intelligent Finance suffered three days of downtime and further resilience issues
September 2002: Taxchecker, which runs a service for customers to submit their tax assessment forms online, was forced to take down its Web site after Computer Weekly revealed users could easily view other people's personal details
August 2000: Woolworths was forced to close down its Web site after customers found they were able to read other customers' credit card details.
August 2000: Safeway closed down its Web site after several thousand customers were sent a spoof e-mail claiming the supermarket had increased prices by 25%
July 2000: Powergen was heavily criticised after leaving thousands of customers' debit card details on an unsecured part of its Web site
July 2000: some customers of Barclays online were able to see other users' details, forcing the company to shut down its Web site
June 2000: Abbey National's standalone Internet bank Cahoot suffered a disastrous launch. The bank's Web site crashed on its first day, was unable to accept applications for accounts for most of its first two days and went down again on the fourth day.

How to guard against reputational failure
  • Forming an active strategy to establish a strong reputation is the first part of an intelligent risk plan

  • The management of reputational risk must be embedded in the culture of the organisation, running right through the business, so that the reputational risk is assessed in all business decisions

  • Have a policy that is publicised and known to be enforced - then if something goes wrong it is the fault of the individual not the company

  • Lastly, a detailed crisis management plan should be put in place to help avoid "reputational meltdown".

Source: David Saunders, Marketforce

Securing funds for risk management
  • Tie such projects in with something else. Barrister and security expert Stephen Mason suggests storage, where funding is more readily available. Some storage products, like Archive It, also incorporate e-mail audits

  • Get HR and anyone responsible for control of data in the organisation on your side by showing them how their workload will be reduced by improved e-mail storage and audit policy

  • Use the law to your advantage. Mason points to the recent employee data code published by the information commissioner in August requiring companies to get to grips with their e-mail policy and introduce audit trails, which he says will help IT directors "enormously". The IT director should be able to use legislation as a reason to look at security in general, Mason says.
