Privacy Matters Blog Series: Quantifying Reputational Risk

There are many kinds of risk: operational, legal, and reputational risk. Most large enterprise IT teams are comfortable and proficient at measuring operational risk. It features in reports as minutes of downtime, incidents of endpoint reimages, number of patches installed, hours of overtime.
Legal risk isn’t that hard to handle, either. IT can draw on peers, auditors, and legal staff for expertise.
However, reputational risk seems to be a far more unfriendly concept. I find technical people typically consider reputation a soft science, a squishy topic that can’t be measured. As a result, IT can’t set goals, gauge progress, or claim success based upon “reputation,” and product creators cannot specify requirements for “reputation.” Because it can’t be managed like other metrics, IT staff and technical business units may ignore or downplay reputational risk’s potential impact on the business—and their roles in protecting it.
IT is missing a gigantic opportunity
I believe you can measure or at lest approximate reputation, applying metrics to the same influences that affect your customers and your C-Suite executives: news headlines and stock prices. If you count the number of published reputation-buffeting events each month—the headlines in the email news summaries you receive from SC Magazine, for example—you can see what the public is talking about, and that dialog will affect the rise and fall of organizational stock prices. Reputation and market sentiment are (continue reading...)