In many ways, managing reputational risks is like fighting a many-headed monster: no matter how much attention the board and the organisation pay to hard and soft controls, a new threat is always sure to rear its head. Following a survey to find out what reputational risks give companies and organisations the most concern, Houthoff hosted two round table sessions where executives and general counsels/company secretaries were invited to share their insights and best practices: “You can never tell just where the banana skin is hiding.”
Sooner or later, every single company, organisation, executive and supervisory authority has to deal with reputational issues. This prompted Houthoff to organise two round table sessions at its offices to discuss reputational management and share ideas and lessons learned. The firm invited 16 board members and general counsels/company secretaries who are tasked with this duty in their organisations. The sessions were hosted by Houthoff’s Marianne Bloos (Of Counsel Public Law, Investigations & Corporate Crime), Marry de Gaay Fortman (Advocaat-Partner and trusted boardroom adviser) and Thomas de Weerd (Advocaat-Partner IT & Privacy).
A survey that Houthoff conducted among the leaders of 90 companies prior to the discussion already clearly showed that reputational management is a concern for boardrooms: 74.4% of the respondents indicated that they spend part of their day managing reputational risks, ranging from business integrity risks such as bribery and fraud to disruptive technologies, class actions, political uncertainty, cyber security, difficulties attracting the best talent and social pressure. Not surprisingly, cyber risks (combined with data breaches) were identified by 43.3% of the respondents as posing the greatest threat.
The survey and the round table sessions showed how relevant knowledge sharing on such a delicate topic is, and inspired us to prepare and organise an Expert Event on Reputation Management.
Nevertheless, during the round table sessions only one person raised their hand in response to the first agree/disagree statement based on the survey: “For our organisation, cyber security is just as important as our core business.” That came as something of a surprise to Houthoff Partner Thomas de Weerd, who believes the two topics go hand in hand. “Although the phrasing is perhaps somewhat stark, impactful incidents justify approaching the situation from a different angle. For example, each and every group of companies runs the risk of becoming a victim of corporate espionage. While many of these cases are kept under wraps, theft of corporate secrets not only carries a substantial financial cost but also leads to reputational risks if the press gets wind of it. Data breaches are another cause for concern: this year, personal data stolen from the Dutch Joint Health Service ended up in the hands of criminals.” As De Weerd explained, situations become extremely dangerous when hackers use ransomware to seize control of critical infrastructures. “This happened in the US at Colonial Pipeline, which manages the largest oil pipeline in the US. Using ransomware, hackers brought the systems down, which resulted in fuel shortages on the country’s East Coast. Colonial Pipeline paid the hackers millions of dollars to regain access to the systems.”
Only Thomas Oremus, Director of Legal Affairs and Compliance of insurance company a.s.r., agreed entirely with the statement: “People see us as a gatekeeper. They trust us to take care of their pension capital, so it must be kept 100% secure. We can’t run our core business properly if we don’t give cyber security our full attention.” Still, cyber security was no less prominent for other executives, although they admitted that their organisations needed to raise the bar. While cyber security is “top of mind”, it is still a relatively new topic. Awareness needs to improve, but changes do not happen overnight.
Many organisations still lack maturity in matters of cyber security. Vanessa van Baasbank, General Counsel/Corporate Secretary of Stedelijk Museum Amsterdam, explained: “Cyber security isn’t part of our core business and so people aren’t always properly aware of the dangers. Anyone with malicious intentions can take advantage of the situation: they threaten to use data breaches that don’t actually exist as a way to extort you. Things can get difficult if you’re vulnerable to such threats.” Stijn Schoonderwoerd, Managing Director of Dutch National Opera & Ballet, acknowledged that not everyone is properly informed. “Our organisation recently introduced an IT master plan. Although it might seem rudimentary to others, it actually represents a major step for us. In the cultural sector, IT is still seen primarily as a tool to support our people and less to professionalise the business. Moreover, we also can’t pay high salaries for IT.”
Companies and organisations work day and night to avoid being shut down. For some of them, money appears to be an Achilles’ heel. Digital security was mentioned as consuming much of the budget, including funds that are not earmarked for that purpose. This complicates matters and leads to dilemmas. Calluna Euving, Secretary General of the University of Amsterdam, also faces this problem: “In the space of a few years, we’ve gone from spending zero work-hours to 24/7 security. That’s become normal now, and we spend taxpayer money on it. But there are limits.” Adding to this comment, Maarten van Rossum, Global Director of Public Affairs of the Heineken brewery, pointed out the constant game of cat and mouse that is played out on social media: “It’s a full-time job to eliminate half-truths and outright lies on Twitter and Facebook. We’re vulnerable to fake news and similar problems: people want to show what they can do, or they’re in cahoots with another party. If someone tags Heineken in a message, it will have over a million views in no time.” He has accepted it as part of life now. “There’s nothing you can do to prevent it.”
Even where the problem is not money or a lack of personnel to deal with social media, a further difficulty is the shortage of experts to keep systems and networks secure. “Everyone is screaming for experts. Constant monitoring is only one side of the story: doing it properly is a job for the professionals,” explained Malinda Miener, Director of Security, Legal and Compliance at Holland Casino. This is complicated because everyone is fishing in the same pool of IT specialists: the playing field is by no means a level one, and the painful truth is that companies and organisations sometimes have to pay the price in terms of their reputation.
It is easy to forget that organisations also face other problems besides cyber security. However, the vigorous discussion sparked by the statement “To prevent internal fraud, we should decentralise the responsibilities in the business integrity arena as much as possible” showed that integrity carries numerous challenges of its own. In addition, 42.2% of the survey’s respondents declared that they regarded business integrity as a major risk, making it the runner-up to the threat of cyber security. From her long career, Marianne Bloos (who was a chief public prosecutor before she joined Houthoff) knows that hard controls can only do so much to prevent fraud and corruption. “Not feeling connected with each other, not knowing who you’re dealing with: that’s just asking for trouble. Scammers are smart enough to get around administrative obstacles: that’s why people need to feel comfortable expressing any concerns that they see in the organisation. People who feel involved with their organisation place a higher value on integrity: they’re more likely to act with integrity and expect the same from colleagues. That makes it useful to focus on soft controls and to delegate responsibilities to the right people.”
While four people agreed with that statement, Thomas Lampe, General Counsel and Company Secretary of construction company VolkerWessels, was not one of them. “We might want to delegate responsibilities to lower levels of the organisation, but control ultimately comes from the top down – and that’s how it should be, I believe: it’s about demonstrability, and therefore, about clearly defined procedures.” Hedwig Heikens confirmed that KPMG has centralised controls in place, driven by past incidents. She added: “But also because it’s vital to prevent situations from arising where people in the organisation find themselves solving problems in isolation. The organisation needs to maintain an overview.”
Maarten van Rossum believes that the tendency towards top-down control will eventually break down. “Ultimately, you simply need too many people to deal with compliance.” Baukje Dreimuller, General Counsel of waste processing and recycling company Renewi, drew the focus of the discussion back to the day-to-day practices in the workplace, and explained how effective decentralisation can be: “Occasionally some of our employees will take valuable items from the waste that we collect, which is essentially theft. The solution is a decentralised approach: the layers below the executive management possess more social control and business acumen. As a consequence, many of the people in those positions know just how to tackle this problem. Still, the executive management needs to facilitate this through training.” Sigrid van Aken was also in favour of decentralisation, though for a different reason: “Employees will perform better if they feel trusted and if the controls are kept to a minimum. In a small and flat organisation, you can invest in personal meetings and create a strong culture.” Malinda Miener explained that she believes in a transparent speak-up system: “People need to know who they can report something to, that it’s safe for them, and what will be done about their concerns.”
Another participant distinguished between system risks such as fraud and business integrity risks (e.g. academic and scientific fraud) and #MeToo type of behaviour. “Those last two are topics that I hope people feel comfortable enough to report, although it often comes quite late. But I’m actually very much in favour of centralising system risks, otherwise you lose grip of them.”
Annemarie Manger, Director of Sustainability at Tata Steel, addressed another issue: “I almost wish that digital matters were our greatest concern.” Although Tata is strong enough to invest in cyber security and hire ethical hackers to identify potential weaknesses, the facts show that this does not always provide a fool-proof solution: “Humans are the weakest link.” That “weakness” is virtually impossible to eliminate: “All it takes is for one person to reply to a phishing email,” agreed Hedwig Heikens, Corporate Secretary and Deputy General Counsel of KPMG. Sigrid van Aken, CEO of Novamedia/Postcode Lotteries, added, “Exactly. Whether it’s about following protocols or using passwords: we’re only human. To make our people aware of the dangers of clicking on links, we sometimes send out unusual, tempting emails internally as a test. That’s a useful learning experience because there are always people who click on the link.” It would not surprise Van Aken to learn that the reports in the newspaper – from using ransomware for taking organisations hostage to CEO fraud – are only the tip of the iceberg. “You run the risk of becoming a figurative hostage because reputational risks are so elusive and sensitive at the same time. That’s what I guard against. We need to be open with each other and talk about the problems. It’s just so important to share what we know.” In fact, organisations are not competing with each other on this point, another participant added: “Sharing information is a responsibility for everyone, since our clients’ security is at stake. We can only learn from each other.”
Sharing the lessons learned is precisely what the University of Amsterdam did after the cyber attack at the start of the year, Calluna Euving explained. “Cyber security is a moving target, the situation is constantly evolving, and that makes protecting yourself a highly complicated matter. The attack on us demonstrated how important stakeholder management is. We invested a great deal of time in communicating openly about what had and had not happened, and what we were doing. Evaluating matters after the fact is also part and parcel of that process. Actively involve stakeholders, seize the moment and capitalise on it.” Marianne Bloos agreed with the need to be open: “Studies show that being open-minded helps to manage your reputation and works to your advantage. It’s best to be honest about what information has been breached.”
This evolution will pick up pace if organisations and companies in the ecosystem are transparent and share their best practices. Organisations need to start by properly embedding awareness among their own people, Marry de Gaay Fortman stressed. “Cyber security is a topic of discussion at the boardroom level, but it’s a strategic topic that concerns more than the board alone. What’s the best way to decisively respond? That’s a discussion that requires input from the entire organisation.” For Malinda Miener, it should go further than merely discussing the topic: “I used to work for grid operator Enexis, where we used red teaming to practise for everything that could go wrong: from gas pipelines being out of operation to general grids being hacked.” Alfred Levi added, “That’s the simple necessity, unfortunately. From hacking to blackmail: everyone will be a victim more than once.” Coen de Ruiter agreed, giving an example from when he was still Managing Director of an online financial products comparison platform. “I thought to myself: this is a problem that we might encounter at some point. Instead, I learned from an IT manager that the reality was very different: we dealt with multiple DDoS attacks every single day, even from countries such as Korea. And we were just an online comparison platform, not even a government authority or a corporate.” That is why Alfred Levi believes that organisations should focus primarily on having clear protocols. “What’s the appropriate action if a particular situation materialises? Take a proactive approach to that question.”
Thomas Lampe argued that positive feedback stimulates the right behaviour. “Our organisation encourages good behaviour: if someone reports an unsafe situation, they’re put in the limelight with a mention in our internal newsletter.” If anyone who reports an unsafe situation receives praise, should the same apply to whistle-blowers? The participants did not automatically consider whistle-blowers to be good guys. Often, their reports concern conflicts between persons. The overall consensus was that the problem could just as easily lie with the whistle-blower. Marry de Gaay Fortman posited a dangerous side to zero tolerance if incidents are judged too hastily without further investigation. Alfred Levi explained that this does not diminish the fact that some situations are black or white. “In such cases, you need to act, and zero tolerance is justified.”
Maarten van Rossum addressed another danger related to centralisation: the idea that has emerged from political circles that the CEO is a first among equals, and therefore is responsible whenever anything at all goes wrong. “They should be personally liable. That’s the general consensus that has been fostered in the media, public opinion based on passing fads, and response to those stories and opinions from the government in The Hague. That’s what creates incident-driven policymaking. It poses a problem: what has happened to people’s awareness that sometimes situations are just difficult?” Van Rossum referred to an affair concerning brand promoters operating in African and Asian countries. One journalist for newspaper NRC Handelsblad wrote an article about the wrongdoings of those promoters, and the entire Dutch media jumped on the bandwagon. “We were accused of being aware of what was happening and not taking any action. Our reputation had already taken a hit by this time, even while we were in the middle of trying to identify what the problems were and what we could do to improve them.” Heineken found itself in the eye of the storm, though in the end the findings did not raise much interest. “We published the outcome of our investigation on our website, but no one cares about that anymore.” It is not unusual for companies and organisations not to have any time to properly investigate an incident, nor is it rare that hardly any interest is shown in a balanced response. Marianne Bloos explained, “People want simple solutions so any form of nuance gets drowned out if society wants to hear that everything will be different tomorrow.”
On a more positive note, it seems that awareness is steadily developing in the right direction as an organic process. As Alfred Levi, Chair of the Supervisory Board of health insurer VGZ, said, “Little by little, the fact that cyber security is so extremely important is starting to gain a foothold in the culture of companies and organisations. It’s impossible to speed up this process, though, since the cyberworld didn’t exist before, it just gradually happened. To exaggerate mildly, it took me ten years to even realise that an IT manager was an important person. By now, everyone knows that you might as well close shop if your IT isn’t in order. Everything is IT, and that makes cyber security part of the core business. Not every organisation realises this to the same degree, though, nor are their cultures changing at the same pace.”
Coen de Ruiter, Managing Director of energy company Greenchoice, mentioned one cultural element that can be influenced: hierarchy. “The relationships within the company shouldn’t prevent its people from daring to point out anomalies. At Greenchoice, I think that it’s unlikely that anyone will fall for the ‘email from the CEO’ scam, requesting an urgent transfer of EUR 20,000. They’ll always walk into each other’s offices to check whether it’s legitimate.” Some of the participants in the discussion also expressed a sobering outlook on interpersonal trust: it is good to check, but be careful with the idea that you know each other. Anyone with that mindset will organise their systems in such a way that it becomes impossible – although of course no system is ever fool-proof. Nevertheless, it is a good aim to eliminate vulnerabilities wherever possible, for example, by applying the four-eyes principle.
This finding brings us to our final agree/disagree statement. In the survey, 24.4% replied that they regarded social pressure – on matters such as climate change, diversity & inclusion and investigative journalism – as a risk. Social pressure is the last of the three largest issues associated with reputational risks. Three people raised their hands in response to the agree/disagree statement “My company or organisation is under a great deal of social pressure, but I am not sure what exactly it is that I should be afraid of.” Marry de Gaay Fortman explained that organisations are under a great deal of incessant pressure. “The world around us is changing rapidly. The question is, can you change with the times? Core values such as openness, transparency, taking responsibility and the tone at the top provide guidelines, yet even so it is essential to prepare for unforeseen events: sometimes reputational risks can appear out of thin air. Personally, I believe that you should always face the problem head on. Don’t say that you can’t say anything: share whatever information you can.” De Gaay Fortman is very much aware that reassuring the public can also trigger a boomerang effect: “If you take control of the situation yourself and are open about it, investigative reporters will show up on your doorstep and you won’t be able to contain the problem. Still, it’s better to address the issue.”
Sometimes an organisation might be accused of covering up an issue even if it is open about the situation. This was highlighted by an experience recounted by Calluna Euving: “The University of Amsterdam was faced with a #MeToo situation. Internally, we handled it with due care: we communicated openly and directly with the persons involved about what steps we were taking. We kept their best interests in mind all the time.” Scrutiny would not necessarily be in the interests of the persons involved. “Even so, everyone here knows this example from the media: NRC later claimed that the situation had been covered up. That was demonstrably incorrect, but that didn’t alter the effect.” Trying to refute these claims can leave you fighting a rearguard action: even if you are right, that does not mean that you will win the argument. This means constantly weighing the various interests at stake, and – as was noted – some organisations’ actions are restricted by law and they might want to share more information than they are permitted to.
Vanessa van Baasbank agreed entirely with the statement: “To me, it’s a positive step when senior management offers a platform to discuss what it doesn’t know precisely. People are afraid of all kinds of risks, but your attitude is what makes the difference. If you take a positive approach to potential problems, you’re already ahead of the game.” One participant admitted candidly that they did not know everything. “Even if you’re aware of the publicity and you know what’s going on in society, you can still be caught off guard. You never know exactly where a banana skin might be hiding. I sometimes lose quite a bit of sleep worrying about what I don’t see coming.”
Hedwig Heikens argued that weighing decisions carefully is even more important for companies and sectors of the economy that are under close scrutiny. “What information should you disclose? When do you proactively decide to share details in the media? Negative publicity has an enormous impact, within the organisation and outside, and making a full recovery takes a long time, no matter how much positive publicity you use to balance it out.” Suddenly getting caught up in a geopolitical storm is a realistic scenario. Thomas Oremus put forward some questions of conscience that his organisation faces: “Investing in solar panels seems like a good idea, as the Netherlands needs to meet the climate change goals. But then you find out about a possible risk of forced labour in the solar panel production chain in China. How exactly do you map out that risk? What action do you take – what actions are even possible? Do you fundamentally change your entire supply chain? The truth is that principles cost money, and choices require a constant internal dialogue.” Naturally, organisations run the risk of slipping and falling before they have even decided internally what answer to give. Alfred Levi added, “If you can’t explain a decision to yourself, you won’t be able to explain it to your stakeholders either. If a supermarket wants to promote health, it can’t sell cigarettes.”
Steel company Tata Steel is all too familiar with negative publicity fuelled by emotion. Annemarie Manger explained, “Being honest about mistakes – which we all make – also poses a risk: if the question becomes a legal one, you’re going to be less eager to scrutinise your own role. Still, I’m proud of my company, and I believe that it has a strong future.” After a short silence, she continued: “We’re learning to listen to what people have to say, to lower our defences and to respond to concerns.”
To summarise, reputational management is a learning process. The organisations at the table face a wide range of risks, with no easy solutions. Alfred Levi added that this is nevertheless no reason for companies and organisations to be weighed down by the complexity of the issues that could impact their reputations: “I haven’t seen many cases where bad press had a lasting effect – or good press either. The world is changing so rapidly: what happened yesterday will be forgotten by tomorrow.”