Incident Prevention, Not Incident Recovery: How to Preserve Your Company’s Reputation
Steven Minsky | April 17, 2017
For companies that care about their reputation, incident prevention is a must. Said best by Warren Buffet, “It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you’ll do things differently.”
Building and preserving that reputation through proactive incident prevention must be a top priority. Post-scandal PR efforts and other attempts to recoup losses prevent only a fraction of the long-term damage.
A company’s reputation can be quantified. Few would disagree that reputation has real economic value; a good reputation results in greater brand awareness, more sales and service inquiries, fewer distractions from regulators, and ultimately a higher cash flow.
With this in mind, what happens when a risk management failure leads to damaged reputation? The business is likely to suffer consequences far greater than the cost of a compliance penalty. Consider the following events:
- Chipotle’s norovirus outbreak: This is a particularly poignant example of the importance of a preserving your reputation. The company has not suffered any regulatory penalties as a result of its food safety issues, but Chipotle stock has taken a major blow since its August 2015 high. The incident has forced the restaurant chain to take extra efforts to demonstrate prevention strategies and coax back wary consumers, and free guacamole doesn’t seem to be cutting it.
- Wells Fargo’s accounts scandal: In the wake of $185 million in penalties (still a drop in the bucket for the bank’s revenue), 5,300 fired employees, and the resignation of CEO John Stumpf, Wells Fargo will be grappling with a severely damaged reputation for the foreseeable future.
The Lesson Learned: Incident Prevention is More Powerful than a Quick Recovery
Considering the many examples of organizations struggling after suffering reputational damage, it’s clear incident prevention pays more dividends than insurance packages, PR, and other attempts to recoup losses. Even with insurance coverage, only a fraction of the monetary loss associated with damaged reputation can be recovered.
When a root-cause issue is detected, it pays to take proactive action, preventing surprises down the road. The axiom “an ounce of prevention is worth a pound of cure” holds especially true here. To be more proportionate, Warren Buffet says an ounce of prevention is worth a ton of cure.
Historical data demonstrates that the financial cost of damaging one’s reputation far outweighs the comparatively minuscule cost of prevention with ERM/GRC software. Johnson & Johnson, for example, a near-universally trusted brand, took a major blow in March 2015, when it pled guilty to criminal charges for distributing children’s medicine contaminated with metal shavings (the result of operational risk negligence).
“The metal bits were made primarily of nickel and chromium, and came off of the manufacturing equipment…” according to NewsWorks. J&J acknowledged that poor manufacturing processes caused the problem (which resulted in a child’s death and criminal charges). Even so, it allegedly attempted to minimize fallout and preserve its reputation by initiating a “stealth recall.”
J&J’s market cap at the end of January 2017 was approximately $308.02 billion. ERM software, which is priced according to size of operations, would have cost J&J less than .02% of that figure! That would have been the ounce of prevention needed, and could have helped uncover the responsible manufacturing errors. If senior management had tapped into the front-line knowledge of managers at the plant, it might have converted an “unknown known” (a risk known to someone, just not the right person) into a “known known,” which could then have been mitigated.
For a smaller organization – such as a financial institution with $1 billion in assets – that same proactive incident prevention power would cost $30,000 or less, which is again a small investment for a strong, unwavering reputation.