All posts by Justin Doherty

  • Reputational consequences of a cyber breach – poachers and gamekeepers.

    November 5th is a significant date for Parliamentarians, Papists, children up and down the country, and for the neo-Guy-Fawkesian hacking collective Anonymous.

    The latest offshoot of Anonymous (allegedly), Ghost Security Group – or ‘Ghost Sec’ – is taking direct action against ISIS online.

    At a seminar last week we were exploring reputational consequences of cyber breaches.  Reputation risk and cyber risk top the list of issues keeping CEOs awake at night, and working with our friends at XQ Digital Resilience  we’ve been exploring these interrelated issues.

    Of particular interest was ‘posture.’  Is the company known to be weak and ill-prepared or is it famously robust?  And what about so-called ‘active defence’?

    A banking exec recalled the difficulties JP Morgan got into recently.  Frustrated by government inaction against hacker networks, somebody hacked back.  Hard.  Servers were taken down.  Was it the banks?

    The FBI thought so, and opened an investigation (the 30-year-old US Computer Fraud and Abuse Act prohibits ‘unauthorized access to computers or overloading them with digital demands, even to stop an ongoing attack’).

    It’s unlikely anybody is going to co-opt Ghost Sec types for any sort of commercial work (not least because they’re the bane of the corporate world and not particularly constrained by legal or regulatory rules.)

    But as this rather compelling new TV series Mr Robot dramatises, your cyber security expert by day may be an arch hacker by night.

    What do you make of ‘Ghost Sec’?

    Can you turn poachers into gamekeepers?

    How do you know that your cyber experts aren’t moonlighting for Anonymous by night?

    Let me know what you think!

    Happy bonfire night.

  • Thomas Cook Tragedy

    Two small children died in 2006, from carbon monoxide poisoning, in a Thomas Cook villa in Corfu.  A human tragedy.  And a sign of serious management malaise.

    Justin King, former Chief Executive of J Sainsbury Plc has issued an independent report into the company’s ‘customer health, safety, welfare, relations and crisis management’.  So not the events themselves, but the policies and actions of the company, and their responses after the event.

    Old Thomas Cook

    King singles out a number of issues, including how the “legal backdrop to the case weighed heavily on the decision making of the company” and resulted in poor, slow, and at times non-existent communication with the family.  But also a decision at one point to refuse to pay the family’s legal fees in connection with the 2015 inquest.

    He also singles out Thomas Cook’s ‘risk dashboard’ process in which he observes an “over-emphasis on financial and reputational risk and less emphasis on customer consequences and outcomes…”

    Without seeing the actual ‘risk dashboard’ this is hard to judge.  BUT there’s an important point here. Customer experience is inextricably connected to a company’s reputation and its financial health.

    They are not separate issues to be itemised separately on a list.

    The start point for any assessment of the health of an organisation must be an appreciation of this issue.  If the leadership and senior management do not realise that ‘customer safety’ is everybody’s responsibility, ‘good financial management’ is everybody’s responsibility and ‘reputational stewardship’ is too, things are going to go badly awry.  And that they absolutely impact one another.

    These things are everybody’s business.  From the chief to the bottle washer.  And the supply chain too.

    Modern management practice is to try to structure and reorganise in ways that cut across organisational silos.  Allowing any employee to ‘pass the buck’ on a safety issue, customer service issue, or reputational issue cannot be good business sense.  Nor is it right to do so.

    Because all of this, in essence, is about doing the right thing.  Not by the lawyers.  Not by the shareholders. Not by the PR people.  But by the customers, past, present and future.

    Thomas Cook have done the right thing by commissioning this report.

    They will now be judged by their response to it.  Not a PR response (embarrassingly, parts of the report were leaked to Sky News, suggesting a spin operation).

    But a root and branch business response that ensures this sort of thing is never ever allowed to happen again.

  • Talk Talk – or Jaw Jaw?

    I was rather impressed when I heard that (Baroness) Dido Harding was hitting the TV stations and papers to brief on the cyber troubles Talk Talk were facing.

    Best practice in a crisis, as we know, is to acknowledge and respond, and to engage all stakeholders openly, accurately, and honestly.

    Only last week we had heard Lord John Browne of Madingley argue that in times of reputational crisis leaders had to ‘lean in’, ‘over-react’ and be ‘radical in their communication’.

    Well poor old Dido Harding has had a tough time of it over the past 72 hours.

    There is no doubt she has been a decent CEO. Talk Talk is a difficult business, sitting at the cut-price end of the broadband market.  But it has grown under Harding’s leadership and now has over 4M customers.

    So when the company faced its third cyber security breach this year she hit the airwaves.

    She was frank enough to admit what she did and did not know.  Talking to John Humphrys she revealed she had no idea whether Talk Talk had encrypted its customers’ data.

    And honest enough to accept failings, for example telling the Daily Telegraph: “Do I wish I had done more? Of course I do. But would that have made a difference? If I’m honest I don’t know.”

    And she has apologised.

    Lady Harding clearly has a personal interest in online security.  When she accepted her peerage she said “whether it’s child internet safety, cyber security, internet freedoms, there are some really difficult issues.”

    And this weekend, “This is happening to a huge number of organisations all the time. The awful truth is that every company, every organisation in the UK needs to spend more money and put more focus on cyber security – it’s the crime of our era.”

    But a personal – genuine and authentic – crusade on internet security is not enough.

    Actions speak louder than words.  Two earlier break-ins in the past year have already tarnished Talk Talk’s reputation for keeping data safe.  This should have been the catalyst for serious activity addressing IT issues.  And if anybody in the company had any doubt as to the importance of this the reputational consequences ought to have been spelled out.  At all levels of the company.

    And there has obviously been a terrible breakdown in communication between the IT people and the corporate leadership.  A senior churn involving the loss of the Chief Information Officer over the summer can be no excuse.

    The message has been confused.   At one point it was 4 million customers.  Then a back-pedalling 400,000 over the weekend.  And then news broke that this might have affected millions of former customers.

    And the analysis of the nature of the attack has sounded amateurish.  Cyber security experts I have spoken to are sceptical of some of Talk Talk’s claims, and some of the language has displayed unfamiliarity with the subject.

    Talk Talk have suffered terribly in the past few days, and the damage to the company’s reputation has been enormous.  Yet again it’s a case of lack of preparedness and poor attention paid to reputation resilience.

    It is high time organisations like this took reputation resilience more seriously, and realised that reputation stewardship is the responsibility of everybody in the organisation. Not just the CEO.  Not just the communications people.  Everybody.  Even – especially – the IT Department.

  • Why Smart Managers Are Embedding The Holy Grail of Reputation Resilience Into Their Organisation

    Have you ever wondered why the world’s 435 nuclear reactors experience a failure less than once in a generation?

    Or why aircraft seldom fall out of the sky, despite 38 million flights per year?

    And why air travel is 22 times safer than travelling by car?

    The energy and aerospace industries have spent a generation developing management systems to reduce risk by introducing business-wide processes that identify risks and use all means available to reduce or eliminate them.

    These processes become so embedded in the operations and culture of an organisation that entire industries become almost immune to the kind of failure which can seriously damage their reputations.

    So why do so many Chief Executives live in mortal fear of the reputation crisis that will sweep them away, along with shareholder value, customer loyalty, and personal repute?

    Most often when a reputation crisis occurs, enormous energy is expended as management works out what to do ‘on the hoof’, and carries out a ‘mopping up exercise’.  Reputation rebuild is challenging and time consuming.  And the damage, once inflicted, can be incredibly difficult to move on from.

    A recent survey conducted by Hemington Consulting and Gablesmead revealed that only 1 in 5 CEOs are comfortable with the reputation resilience of their organisation.  Most have ‘crisis communication plans’ that serve an important but limited purpose.  Communication will usually be part of the response to a real crisis, but mopping up the blood on the carpet is by far the least desirable option.

    At Hemington we believe a much smarter approach is for organisations to apply a systematic approach to preventing reputational damage.  The tools for preventing quality failures have been used successfully in industries where product failure could wipe out a company.   We advocate establishing robust processes for identifying and managing risk, within a ‘management system’ tailored for that organisation.

    For more on Reputation Resilience management systems contact Justin Doherty at Hemington Consulting.

  • Job Vacancy – Political and Corporate Communications Analyst

    Hemington is a growing consultancy, specialising in issues and reputation management for international governments and corporations.   We have operations in London, Washington and Dubai.

    We have a vacancy for an analyst to support our work for two significant clients – an African country, and a FTSE 100 company.

    The role will involve:

    • background research on key issues
    • media monitoring and analysis
    • summarising reports
    • stakeholder identification and mapping
    • drafting briefing notes
    • issue identification and alerting colleagues/clients in real time

    Our clients use us for sound advice, on complex issues, at the highest level.  For this role we will be looking for:

    • experience of African affairs as well as UK corporate/board level issues
    • research/analyst experience
    • excellent written skills
    • ability to synthesise complex information, spot emergent issues and trends, and present clearly and persuasively
    • willingness to operate outside normal office hours, and to travel

    In this role you will get closely involved in some of the pressing issues of the day and have the opportunity to work with a senior, dynamic and cross-border team.

  • Payday Lending

    The Archbishop of Canterbury has ‘declared war’ on payday lenders, and in doing so has been tripped up over his church’s own investment in a private equity group which invests in Wonga.

    The Archbishop doesn’t need a lecture from me on hypocrisy, the dangers of inconsistency, or indeed the impact upon personal or organisational reputation.

    He has been embarrassed, and he has said so publicly.

    Loan depot

    But I can’t help feeling there’s a considered strategy in play here.

    The idea of church-supported credit unions competing with pay-day lenders is a smart one.

    Short term lending is important for many people, and can provide emergency cash to tide people over, without which a job might be lost or a child go hungry.

    So the Archbishop recognizes the problem, and intends to follow in the footsteps of others such as the Catholic Church in Ireland, by making use of church premises, manpower, skills, and infrastructure to help those in need.

    But the Archbishop needs this matter to be in the headlines.

    If church based credit unions are to succeed they need to raise their profile and make a case for why they should be the first choice. And they will need to compete with slick websites and marketing from companies such as Wonga. (Look at ‘Wonga’s Ten Commitments’ on p. 15 of today’s Times).

    They will need supporters and advocates.

    The internal consistency issue can be rectified. Lambeth Palace is already on the hunt for new staff to support the Archbishop, and after this episode there will certainly be an internal review which takes in reputation risk and internal consistency.

    If the Archbishop is as serious about church based credit unions as he seems to be, then we can expect to see a great deal more communication and debate around this issue.

    [Photograph: Evening Standard]

  • Ten Million Dollars, Anybody?

    If you could get away with it would you engage in a spot of insider trading?

    A new report by Wall Street law firm Labaton Sucharow suggests that 24% of people in the financial services sector would do so (nearly twice as many as in the same poll last year).

    Labaton Sucharow run a special advocacy programme for whistleblowers, and the report makes for gloomy reading.

    The report suggests:

    • financial misconduct is still widespread
    • there has been a decline in leadership, individual integrity and corporate culture on Wall Street
    • 28% feel that their organisations do not put their clients’ interests first

    The insider trading point is instructive.

    The question was whether respondents – if guaranteed anonymity and $10M – would engage in insider trading. On the basis that insider trading is a crime, this suggests that a quarter of people on Wall Street are either prepared to commit a wrongdoing, or they do not see this as a crime.

    Labaton’s strapline is “we have the power to change course, but first we must accept that Wall Street has a significant and growing ethical crisis and act now to address the problem”.

    Either way, if this report is to be believed, five years after the financial crisis, it suggests not only no change, but that things may be heading in precisely the wrong direction.

  • Murdoch

    Poor old Mr Murdoch.

    The newspaper baron is back in the spotlight, this time for secretly recorded comments in which he is heard suggesting that paying police for tips has been going on for a hundred years, and that the police investigation into corrupt payments is incompetent.

    News International Reputation

    Press Baron

    How have the reputations of Murdoch, News International and newspaper journalism been affected over the past two years since the allegations of hacking first emerged?

    Reputations are complex and cannot simply be assessed on a simple good/bad axis.

    It is true that the phone hacking saga has been distasteful, and distressing for many, and has pitched the media in an unflattering light. The fallout is likely to be tighter regulation and restricted freedom for the press.

    But let’s not lose sight of the fact that we are discussing the methods used to acquire the stories, not the credibility of the product itself.

    All of these activities were driven by a culture in which fearless pursuit of big news stories was the name of the game.

    But it would have been a different matter had we discovered that stories were being fabricated (which would have been easier and cheaper).

    I recently had a conversation with a newspaper editor (not in the UK) who admitted that his op ed desk had been making up letters for the letters page.

    Now that would be damaging to the reputation of newspapers.

    [Photograph: Noah Berger/AP]

  • Booz Allen Hamilton – Snowden

    Reporting of the Snowden/NSA case has focused on the wild goose chase for Snowden himself.

    But what about the reputational impact upon Booz Allen Hamilton, Snowden’s employer, and Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube, and Apple – all of whom are in the spotlight for allegedly allowing access to users’ data through the US government PRISM programme?

    Edward Snowden

    Big mole

    In Booz Allen’s case they saw it coming.

    Take this from their annual SEC filing for 2012/13:

    “We depend on contracts with U.S. government agencies for substantially all of our revenue. If our relationships with such agencies are harmed, our future revenue and operating profits would decline.”

    And this:

    “Our professional reputation is critical to our business, and any harm to our reputation could decrease the amount of business the U.S. government does with us, which could have a material adverse effect on our future revenue and growth prospects.”

    And this:

    “Our employees or subcontractors may engage in misconduct or other improper activities, which could harm our ability to conduct business with the U.S. government.”

    And this:

    “Internal system or service failures, including as a result of cyber or other security threats, could disrupt our business and impair our ability to effectively provide our services to our clients, which could damage our reputation and have a material adverse effect on our business and results of operations.”

    All of which looks spookily prescient.

    The conclusion one would hope to draw from this is:

    • Booz Allen Hamilton has robust reputation risk identification processes in place
    • They have active internal controls to pre-empt these sorts of occurrences
    • The Snowden case is a one-off / ‘rogue employee’ rather than an ingrained problem with the culture of the organisation

    We will see.

    But it’s also worth noting that Snowden is 30 years old (his birthday was 2 weeks ago).

    He is what demographers call a ‘Millennial’ or Generation Y-er.

    Compared to previous generations Gen-Y-ers tend to be more idealistic, more cynical and questioning, less loyal, and less accepting of all forms of authority. And they are also the generation with the knowledge and skills most in demand in the digital age.

    Time for some real work on the implications of Generation-Y attitudes in the workplace, and the potential reputational risks posed to employers.

    [Photograph: Guardian]

  • BBC and LSE – Reputation Battle

    It’s clear how this London School of Economics/BBC argument will end. In the eyes of students, academics and the public (but not dictators) the reputations of both institutions will benefit – in the long run, and as long as the right decisions are made by the heads of both institutions.

    They have fallen out after a Panorama journalist secretly filmed during a LSE student visit to North Korea.

    North Koreans

    Journalist Paul Sweeney posed as “Dr John Paul Sweeney, LSE Student, PhD History”. I understand that he was referred to throughout the visit as “the professor”.

    The LSE has demanded the BBC withdraw the planned episode and issue a full apology “for the actions of BBC staff in using the School and its good reputation as a means of deception”.

    What implications does this row have for the reputations of these two venerable institutions?

    Firstly, LSE.

    The LSE’s unhappiness is to do with (a) its ability to conduct similar trips in future and (b) the fact that Sweeney gained access by deception.

    Other academics have waded in:

    “The UK’s academics have a global reputation and it is vitally important that they can be trusted and seen to be working in an open and transparent manner. The way that this BBC investigation was conducted might not only have put students’ safety at risk, but may also have damaged our universities’ reputations overseas,” said Nicola Dandridge, chief executive officer of UUK, the body representing the university sector in the UK.

    Reputations are complex, and have many dimensions to them. One group may have very different perceptions than another, for quite legitimate reasons.

    Dandridge’s point here is actually about universities’ reputation overseas amongst despotic regimes and dictators. Not about its reputation amongst students, academics and the public.

    Let’s take as a starting point the purpose of the University. In the LSE’s own words it exists to teach, research and “to improve society” and to “understand the causes of things”.

    How does this episode impact on that?

    Clearly it runs interesting trips, and if it can access such relevant places as North Korea as part of its study programmes, student applications are not going to suffer.

    What about the LSE’s apparent lack of internal controls? Who was in charge? Why weren’t the three imposters spotted? (Presumably lugging around bits of camera equipment.) This does reinforce a perception of scatty academics who lack basic management and organisational skills.

    The LSE’s pursuit of access to foreign dictators has caused it problems in the past. In 2011 the university’s director resigned after it was alleged that it was involved in a multi-million pound deal to train future members of the country’s elite, and was suspected of facilitating Saif Gaddafi’s studies there.

    Given its recent form some may see the LSE’s slightly hysterical demands as high-handed, and even hypocritical. And the call by one of the student representatives that the BBC reporter “is as unwelcomed to be associated with the LSE as Saif al-Islam Gaddafi” is rather silly.

    Now to the BBC.

    The BBC’s reputation has taken a battering in recent months. A poll by YouGov in December found that only 31 per cent of respondents rated the BBC’s reputation as “high”, down from an approval rating of about 80 per cent that it had enjoyed for years.

    In the words of one overseas newspaper the broadcaster has been “condemned worldwide for a sexual abuse scandal involving a predator presenter.”

    But this episode does show the BBC’s commitment to fearless journalism. Its stated mission is “to enrich people’s lives with programmes and services that inform, educate and entertain”. And in this case bringing news to the world of truly terrible suffering in this benighted country.

    The BBC’s robust defence has centred on the public interest of getting the story.

    BBC News head of programmes Ceri Thomas said yesterday: “This is an important piece of public interest journalism.” Asked whether that justified putting student lives at risk, he replied: “We think it does.”

    So there we are. Fearless journalism, acting in the public interest, and a university running relevant courses, taking students to far-flung and interesting places.

    We’ll be tuning in to Panorama tonight. Expectations are running high.