A Shift in GRC: Consumers, Reputation, and Ethics

Steven Minsky | Nov. 10, 2017

Recently, Forrester Research published “GRC Vision 2017-2022: Customer Demands Escalate As Regulators Falter,” which explores challenges the GRC industry will inevitably face as it develops, and the proven solution that enterprise risk management provides.

We’ve broken this report down to reflect our key takeaway: Approaches to governance, risk management, and compliance (GRC) must now consider the company’s consumer base, reputation, and ethical conduct.

Traditionally, approaches to GRC entail responding to published, well-established, and legally binding regulations. As it happens, however, the social and technological climate is changing at a rate that regulators can’t keep up with.

Consider this example: Facebook’s revenue relies largely on selling targeted advertisements, which the company has done without regulation and with limited scrutiny for many years. Recently, however, Facebook reported that Russian-linked accounts bought thousands of politically divisive ads during the 2016 campaign that reached 126 million users. By the time Sen. John McCain and other lawmakers could introduce a new “Honest Ads Act” that would hold sites like Facebook and Twitter to the same federal disclosure requirements as ads sold on TV, the damage had already been done.

Shortcomings in good governance such as this are proof that a new and better approach to GRC is needed.


Even if regulators can’t keep up with the times, consumers can. We’re in a see-through economy—a dizzyingly fast-paced age of transparency where consumers are empowered to impact a company’s reputation.

What does this mean for risk management? Simply put, it means that enterprise risk management (ERM) is an imperative business process because, according to Forrester’s report, the consumer is taking matters into her own hands where regulators are falling short.

Reconsider the Facebook example: The Russian scandal was only a catalyst that brought the root of the issue to light—Facebook can allow others to use consumers’ personal data against them. It’s one thing to be shopping for a pair of shoes and notice that your sidebars are filled with Zappos ads; it’s another for our personal data to be used to create divisive messaging that we ourselves do not agree with.

Consumers are realizing that they can’t blindly trust tech giants to use their data, and that it’s up to them to demand more explicit privacy and consent policies. In response to customer outrage, as opposed to new regulations, Mark Zuckerberg announced changes in advertising practices that would improve transparency and make clear the sources of political ads run on their site.

Essentially, consumers become the new regulators on the block as they leverage social media to respond to corporate missteps within seconds of encountering them. This new age of rapid data sharing means that companies have nowhere to hide when their actions rub a customer the wrong way, be it a salty customer service rep or a threatening data breach.

The speed of our see-through economy means that risk managers must anticipate risk before it arises. It’s time to be proactive, not reactive. Offensive, not defensive. Enterprise risk management provides the foundation and processes needed to connect departments and prevent actions that cause customer outrage.


Another symptom of this age’s data sharing habits is the inevitable effect it has on a brand’s reputation. If consumers are quick to share their negative experiences with a company, then patterns of negligence will surface. People can often forgive one faux pas, but they find it harder to forgive pervasive negligence.

Why does reputation matter to an organization? According to Forrester’s report, “Intangible assets — such as intellectual property, goodwill, proprietary ‘know-how,’ user base, customer experience, brand, and reputation — account for 87% of the net worth of the S&P 500.”

Why does reputation matter to risk management? Companies manage risk to achieve their business goals, which either explicitly or implicitly include building and maintaining a good reputation. But reputational risk does not exist in its own silo; it’s a negative impact of any risk event. And if a diminished reputation equals diminished market value, then companies today are more susceptible than ever to risk events that damage market perceptions.


There is, of course, a direct connection between consumers and reputation. Ultimately, a company’s reputation is decided and propagated by its customer base. So how does a business ensure that its customer base is endowing it with a “good” reputation?

This is more easily said than done: businesses are tasked with discovering, first, what’s important to their customers, and second, what actions they can take to align their values with those of their customers.

As Forrester’s report states, “Executives skeptical of the need to invest in GRC will cite lack of customer interest in corporate ethics.” Here are a few statistics we found that prove otherwise:

  • 66% of consumers are willing to spend more on a product if it comes from a sustainable brand.
  • 85% of consumers would switch brands to one associated with a cause.
  • 87% of consumers would rather purchase a product with a social or environmental benefit.
  • 81% of millennials expect their favorite companies to make public declarations of their corporate citizenship.

The bottom line is that customers are overwhelmingly concerned with the social, environmental, and overall ethical ramifications of a business’s actions. It’s the new and unique challenge of risk managers to discover risks that may impact a brand’s alignment with its customers’ ethics, and therefore its good reputation.

Where is GRC headed?

GRC has slowly developed over the past 15 years, heeding the consumer’s voice, the business’s reputation and ethical conduct only when scandal manifests. But the rate of social and technological change is too high for risk to be managed retroactively anymore.

In order to comply with the changing climate in which risk abounds, governance, risk and compliance solutions must account for the consumer. How? In the report we’ve been discussing, Forrester shares some recommendations for better enterprise risk management, which we agree will lead to a new and better approach to GRC.

  1. Work with marketing peers to understand your customers’ expectations. Consumers are speaking out, and it’s always been the job of marketers to listen. This means that your organization’s marketing department is one of the best resources for the board and risk managers to determine what matters to their customers, and therefore what potential risks could relate to future business conduct.
  2. Create transparency for your business before your customers create it for you. Once again, consumers are talkative, and they have the means to expose any and all wrongdoings before you can even bat an eyelash. Companies are better off building a culture of responsibility into every area of their business, and being vocal about it.
  3. Add reputational risk to all risk assessments so you can work proactively to mitigate any risks that pose a threat to your company’s hard-earned reputation. Again, reputational risk doesn’t exist in any one silo. Take an enterprise risk management approach to ensure reputational risk is being managed across silos.

Read the full Forrester report here: McClean, Christopher, Nick Hayes, Renee Murphy, and Claire O’Malley. “GRC Vision 2017-2022: Customer Demands Escalate As Regulators Falter.” Forrester Research. 2 February 2017.