Created by George Campbell, Security Executive Council Emeritus Faculty
What is the value of a company’s reputation to its shareholders and the marketplace? Ask British Petroleum. Where are Enron and Arthur Andersen? Sure, these are large, high-profile cases, but even a single insider incident can rise to the level of a serious crisis.
The knowledgeable insider is at the top of the list of threats to any organization — public or private. Part of our job is to make business leaders aware of the seriousness of this threat by using metrics that catch their attention. The following graph measures one small aspect of reputational risk: the time involved in resolving an insider misconduct case resulting in termination for cause.
In this simplified case, let’s say the employee’s manager was suspicious of several items in two prior travel and entertainment claims and confronted him. The employee denied any wrongdoing, and an argument ensued. Over the next few weeks Security performed audits of several prior claim forms, and investigation confirmed multiple fraudulent entries. In subsequent interviews the employee admitted to the false claims and was terminated.
In all, 91 days were required to go through the steps from identification of the potential problem to resolution of the case and replacement of the employee. Moreover, the incumbent lost 85 days of productivity along the way. If we apply an average loaded rate of $75.00/hr to all of the staff time in the steps seen in the graph, the cost from initial confrontation to termination comes to $105,600: the 91 days of staff effort plus the 85 days of lost productivity total 176 days, or 1,408 hours at eight hours per day, and 1,408 hours times $75 is $105,600. If this were a more consequential, high-profile fraud, that figure would still leave out the direct financial loss to the bottom line and the potential damage to the brand when the case was highlighted in the upper right-hand corner of The Wall Street Journal.
Measuring reputational risk: While our graph focuses only on the potential financial impact of an investigation and termination for questionable conduct, this area of operational risk really centers on the market’s perception of the trustworthiness of the business and the potential impact of lapses of corporate integrity on shareholder value. Think about the potential for internal misconduct or criminal activity by insiders at your company. What events could cause significant financial impact or longer-term loss of market share?
We security leaders enjoy a unique perch from which to view the resilience of the ethical framework — the hygiene — of the organization. We need to send up red flags when incident post mortems indicate trends in sloppy internal controls and lack of management engagement. We need to seek common denominators across multiple types of internal investigations. We need to share our well-thought-out and documented concerns with our corporate governance colleagues in Audit, Risk, Legal and HR and work together to connect the dots.
Security incidents offer unique opportunities to drill down and identify a finding or two that can be used to demonstrate to management that we are not simply responding but digging for root causes of business risk. The message in this simple example is not the cost of one employee gone bad, but the need to set clear expectations for doing the right thing and to use commonsense controls to test for conformance.