Ray Bradbury once said, “Living at risk is jumping off the cliff and building your wings on the way down.”
Ray Bradbury was a phenomenal author, but, with an attitude like that, he’d never have made it as a CFO. CFOs see risks around every corner. If they work for a public company, they have to: the Securities and Exchange Commission requires publicly traded companies to submit a quarterly 10-Q and yearly 10-K report detailing all aspects of the organization’s financial status. The 10-Q and 10-K are kind of like a regular checkup, with an analysis of the company’s risks, opportunities, liabilities, acquisitions, performance, etc., taking the place of blood pressure and weight checks.
Some things that affect financial health are obvious, like a new competitor, disruptive technology, an unexpected change in the cost of goods, or increasing regulatory requirements. But in my nearly twenty years of consulting experience, including with Fortune 500 firms, there’s one thing that too many CFOs overlook: their company’s digital presence. If you did not calculate the actual digital risks that are represented in your most recent 10-Q and 10-K, you’ve got some work to do before you file your next one.
Why CFOs need to calculate the cost of digital risks
The costs relating to any digital risk can be material, and most organizations do not calculate the risk of such exposure. It is the job of the CFO to ensure that the business appropriately reflects those risks in the 10-Q and 10-K filings.
Probably the most common reason CFOs neglect to calculate and thereafter address digital risks appropriately in their 10-Q and 10-K filings is habit: It’s awfully easy to just pull up last year’s form and update the information. The problem is that, if you do that time after time, you might not be keeping up with changes in the business environment or truly quantifying the risk to the business. Digital is one of those changes, and the potential risks should make any CFO sit up, take notice, and execute their fiduciary duty by translating digital risk into fiscal terms. Otherwise you will be left with nothing but your organization’s name on the front page of the daily news. It happens every day, as illustrated in the following examples:
- A laptop stolen from the U.S. Department of Veterans Affairs in 2006 contained 26.5 million records with personally identifiable information on veterans, their families, and even active military personnel. That incident is estimated to have cost taxpayers a minimum of $100 million, according to Lloyd’s of London.
- In 2013, Target’s payment systems were breached during the peak holiday shopping season. That breach cost Target $300 million — and that doesn’t include the 46% drop in profit for the quarter.
- In a 2011 poll conducted by Symantec, respondents shared information on the cost of social media incidents (whether due to an employee’s statements on social media or the exposure of confidential information). For each of those incidents, the average estimated costs came to $1,038,400 in stock price, $650,361 in litigation, $619,360 in lost revenue, and $641,993 in direct financial costs. Those numbers don’t include soft costs like damage to the organization’s reputation.
And those examples barely scratch the surface, which is why CFOs need a strategic approach to identifying and responding to digital risks.
Factors affecting an organization’s digital risk
The first step in assessing your organization’s digital risk is knowing which questions to ask. Here are some of the most common areas of concern:
1. Have we calculated the potential cost of a data breach?
Data breaches are what most people think of when it comes to digital risks, and for good reason: They’re common and potentially devastating. As CFO, you need to understand the current state of your digital security as well as where regulations and industry standards say you should be. Your analysis should include:
- How do we process, transmit, and store payment data?
- How much personally identifiable information do we collect on customers, and what do we do with it?
- How secure are our partners both up and down the supply chain?
- How well do our security protocols measure up to current best practices?
- What are our plans for mitigation and remediation, and have we budgeted for the associated costs?
2. In which areas of regulatory requirements are we weak?
Regulatory requirements vary from country to country and, within the U.S., from state to state. Such regulations can range from making sure your website meets Americans with Disabilities Act (ADA) requirements for accessibility to the location of the servers that store customer data. So it’s important to understand your organization’s approach to identifying the ever-changing rules of a global market as well as the financial impacts associated with both compliance and non-compliance. Your analysis should include:
- What are the local product and service regulations (for example, the California Supply Chain Act), and have we met them in our digital channels?
- How well have we addressed privacy concerns, such as children’s online protection?
- Does our contracting process ensure that third-party partners and software vendors uphold the same level of regulatory commitments as we do?
3. Have we appropriately addressed intellectual property risks?
Nearly two decades after the Napster case brought global attention to the question of intellectual property rights in a digital world, there’s still not always a clear-cut answer. After all, the whole purpose of the Internet is to make information easily available. But just because you can access something doesn’t mean you have the right to use it. Your marketing team, for instance, can’t just grab an image from Pinterest or Snapchat and use it in a blog post. And, just because a customer tweets you a photo of themselves using your product, you don’t necessarily have the right to use that photo on your website. As you look to account for any risks, your analysis should include:
- What are our digital marketing practices, and do we ensure that campaigns, marketing efforts, and communications respect the intellectual property of others?
- Have we appropriately protected our intellectual property, including registering domains, and applying to trademark social media accounts, hashtags, and other digital assets?
- Has our human resources department adopted a corporate code of conduct for digital? Do we specify what employees should and should never do with regard to digital, including copying, sharing, posting, or otherwise distributing internal information about our products, services, financial situation, etc.?
Whether it’s an unintentional mistake or the deliberate act of an angry employee, the risks are substantial. Understanding your organization’s approach to protecting both your own intellectual property and that of others is an important step in assessing digital risk.
4. What are the costs of business process disruptions?
Companies are increasingly dependent on technology for everything from taking orders and tracking shipments to procuring goods and paying vendors. The possibilities for a serious business disruption are almost endless. As you perform your analysis and enumerate the risks associated with digital operations, consider the following:
- Do we have a backup plan should a natural disaster occur where our servers are located?
- If there is a disaster and our people cannot physically get to the servers and other equipment required for digital operations, including their laptops, how will we operate, and will we miss out on sales?
- If we host any services or product platforms in the cloud, does the cloud vendor have a backup plan and are we protected from downtime?
- If a virus or some other event were to wipe out all of our customer records, what is the recovery process and how many sales might we miss as a result?
Understanding your organization’s plans for business continuity is another critical step in assessing digital risks — one that is often overlooked by auditing firms when they attempt to quantify risk.
A stunning 60% of small businesses that suffer a data breach close their doors within six months. That’s because most don’t have the financial resources to cover the associated costs. Large, publicly traded companies do — but you still have to plan for it. The process of assessing your digital risks provides the information you need for setting aside funds to cover those expenses, should they occur. And including the information in your 10-Q and 10-K reports reassures regulators and investors that you’re prepared for any eventuality.
I hope this information has provided you with the foundation you need to effectively assess and manage your organization’s digital risks, whether you include the information in your 10-K or use it to strengthen your overall approach to managing your financial health. I encourage you to start these conversations with your colleagues so that you’ll be ready to handle the challenges and opportunities technology will undoubtedly bring over the coming years.