Enterprise Risk & Security Management
What is Enterprise Risk and Security Management and why should we do it? Well, we need to think beyond most existing practices in security and risk management. Many organisations have an assortment of measures to protect themselves:
- Corporate security standards and practices
- Technology security standards and practices
- Physical Security
- Logical security that protects information assets
- Corporate Risk Assessment as recommended by the Turnbull Report and required under the Combined Code for listing on the London Stock Exchange
- Compliance activities required by regulators or legislation
- Operational Risk Management activities
- Insurance
- Health and Safety programmes
- Information Technology Disaster Recovery Planning to recover from loss of computing and telecommunications assets
- Business Continuity planning to ensure the continued viability and operation of an organisation in the event of a disaster resulting in the major loss of product or denial of access to mission-critical facilities.
- Product recall arrangements
- Project risk management
- Crisis Management plans covering all contingencies, including issues like adverse publicity.
Often these are developed in isolation and do not form a coherent, holistic approach to security and risk management - an approach we have named Enterprise Risk and Security Management. Why should we adopt such an approach?
According to a joint DTI/APR report, the proportion of companies' intangible assets (essentially goodwill) to tangible assets have grown over the last 15 years to represent, on average, 70% of their balance sheets during mergers and acquisitions.1 An Enterprise Risk and Security Management approach therefore needs to cover all other situations from which an organisation can lose its goodwill, image and reputation.
To justify the extent of funding Enterprise Risk and Security Management for any organisation, Business Impact Analysis may be undertaken to identify the impact on an enterprise, in cash and non-cash terms, of a security breaches and of risks occurring.
The traditional Business Impact Analysis too frequently fails to quantify longer-term losses (e.g. lifetime value of customers; cost to regain market share and image). One powerful justification for the Enterprise approach lies in Marketing Protection, which looks at the whole value of the business at stake from a marketing perspective.
Brands and companies have outlived nations. Smirnoff, the Diageo vodka brand, has survived the reigns of the Tsars, Marx, Lenin, Stalin, Gorbachov, and Yeltsin. The USA beer Budweiser is some 130 years old.
The brand has value outside of any single product: Persil, originally a soap powder, was re-launched as a detergent, followed by an automatic version, followed by a low temperature product, followed by Persil liquid and by washing-up liquid.
When Nestlés purchased Rowntree in 1988 for £2.55 billion, tangibles on the balance sheet totalled £409 million. Allowing for the "going concern" value, Nestlé paid £1.25 billion for the brands and the strategic value that went with them. Reckitt and Coleman has put acquired brands as assets on the balance sheet since 1988. Rank Hovis McDougal declared, in the same year, that the development of Mr Kipling, Hovis and Mother's Pride was worth £678 million.2
It is no coincidence that, as soon as Grand Metropolitan proposed the merger with Guinness in 1997 - making the combined £24 billion operation sixth among the world's food and drink companies - they announced the proposed new name: GMG Brands (subsequently changed to Diageo). Grand Met's price immediately rose 76.5p to 591.5p and Guiness' climbed 86 to 602.5p - the first time they had been above 600p since 1992. 3 GMG expected the brands' stated value could rise from £5.7 billion to £12 billion.4
Another way of approaching the value of a brand is to assess the amount that has been invested in creating it - the advertising and public relations spend over many years. Moreover, advertising impact has its own momentum after advertising spend has stopped. Often the effect of advertising lasts three years after the advertising campaign ceases. And these effects may spin off onto other "sister" brands.
So, what sort of money is invested in creating brands? An examination of some of the best recent campaigns will illustrate the large sums of money involved.
Reebok spent £2 million on advertising in the UK alone in 1994-95 to generate a £2.2 million - £2.8 million incremental gross profit.
Nescafe Gold Blend advertising ran at £5 million a year in the UK and delivered £50 million a year sales.
Barclaycard's advertising campaign from 1991 - 1995 featuring Rowan Atkinson as a bungling secret agent cost £40 million, stimulating 3% extra card usage and increasing its share of new card users from 15% to 25%.
Renault Clio's "Papa, Nicole" advertising campaign took Renault UK sales from an all-time low in 1991 to almost double in 1995 and has sustained the Clio's success at a higher level and for longer than could reasonably have been expected, as well as creating a "halo" effect on other Renault models.
Reputation value can apply to government and public organisations as well as to the private sector. A recent survey conducted for insurer AON5 showed business leaders saw loss of reputation as the biggest risk facing business in 2001.
The corollary of this is that, in the event of loss of image or reputation through a disaster, market share losses from "negative advertising" could be equally as dramatic and these sums of money would have to be spent in addition to the normal ongoing advertising which has to continue merely in order to preserve market share. These days, volume is often the key to viability: lose volume, and viability is lost. The loss of a brand could mean the extinction of a company. Moreover, the "halo" effect could work in reverse: like guilt by association. Using the argument of Marketing Protection, the justification for Enterprise Risk and Security Management becomes immediately obvious and immensely strengthened.
The downside is equally dramatic - as can be seen from the Perrier water benzene contamination incident in 1990. In 1989, Perrier was the market leader in bottled mineral water, its name synonymous with purity and quality. Perrier water was on the tables of virtually every high-class restaurant around the world. Sales peaked at 1.2 billion bottles a year. The plant at Vergzem, near Nmes, was tooled up for 1.5 billion, with capital investment and personnel to match. A lifetime investment in promoting the images of purity and quality was effectively written off: all had to be started from scratch.
When considering advertising campaigns, how many agencies consider the downside of the advertising slogan? How can a ruthless journalist turn the slogan against the company? Should not that be part of a risk analysis of the campaign? Before a crisis and during each advertising campaign, consider how that campaign would be developed to mitigate the results of a disaster.
The Marketing Protection approach brings a new dimension, urgency and a financial justification for Enterprise Risk and Security Management. Every CEO, every Finance Director, every Marketing Manager, every Advertising Agency and every security and risk professional should be aware of it and apply it to their own (or their client's) organisation.
(c) Andrew Hiles, Kingswell International 2002
1 Tim Sutton, CEO of Charles Barker plc, in Finance Director Europe, March 1998, p34
2 How advertising affects brands - an overview by Simon Broadbent, Leo Burnett in The longer and broader effects of advertising, IPA March 1990
3 Nils Pratley and Kate Rankine, Daily Telegraph Business News, 13 May 1997, page 23
4 Daily Telegraph The City Checklist, 19 May 1997, quoting Sunday Business
5 Reported in The Review (Worldwide Reinsurance) June 2001 p6
Top of Page
|