Reputational risk and IT in the energy and utilities sector
How security and business continuity can shape the reputation and value of your company

Global Technology Services Research Report
Energy and utilities
Findings from the 2012 IBM Global Reputational Risk and IT Study

Reputational risk and IT in the energy and utilities sector: How security and business continuity can shape the reputation and value of your company is an IBM study that investigates how organizations around the world are managing their reputations in today’s digital era, where IT is an integral part of the organization and IT failures can result in reputational damage. The report was written by the Economist Intelligence Unit, which also executed the online survey and conducted the interviews on behalf of IBM.

We would like to thank all of the executives who participated in the survey and interviews for their valuable time and insight.

About the survey
The survey, conducted in June 2012 by the Economist Intelligence Unit, included responses from 427 senior executives from around the world. Of them, 42 percent are C-level executives. About 33 percent of respondents are from North America, 29 percent from Europe, and 26 percent from Asia-Pacific. Companies with less than US$500M in revenue comprise 37 percent of respondents, and 52 percent come from companies with more than US$1B in revenue. The survey covers nearly all industries, including banking (19 percent), IT and technology (15 percent), energy and utilities (13 percent), and insurance (11 percent).

Survey profile (427 respondents; top responding categories shown for industries and job titles):

Region: North America 33%; Europe 29%; Asia Pacific 26%; Middle East/Africa 8%; Latin America 5%

Industry (23 represented): Banking 19%; IT/Tech 15%; Energy/Utilities 13%; Insurance 11%; Fiscal Markets 9%; Professional Services 5%; All others 28%

Job title (15 represented): IT manager 24%; Other non C-suite 23%; Other C-suite 14%; CEO/President/Managing Director 13%; CIO/CTO/Tech Director 12%; SVP/VP/Director 11%; CRO/Risk Director 3%

Company size by revenue (5 bands): $500M or less 37%; $500M to $1B 13%; $1B to $5B 16%; $5B to $10B 9%; $10B or more 27%

Introduction
Energy and utility (E&U) executives recognize the value of their company’s reputation. A strong reputation generates stakeholder trust. If an E&U company is trusted, communities will be more likely to support its position in regulatory affairs; customers will be more receptive to new technologies and change; and the good will generated by trust can serve as reputational protection should a disaster occur. That is not to suggest that a good reputation replaces safe operations or reliable services. Rather, they are inextricably linked.

The unfortunate reality, however, is that corporate reputations are increasingly difficult to manage in the digital era, and can be easily sullied by any number of factors—among them IT failures that underpin operations. Service outages can have serious impacts on customers. With social media sites such as Facebook and Twitter boasting over 950 million and 500 million users, respectively, complaints from even a relatively small number of affected customers can become widely known in minutes. E&U companies worldwide realize their increased vulnerability to reputational harm and are introducing reputational risk as a distinct category into their enterprise risk management frameworks.

This study, based on a survey of more than 400 senior executives worldwide, finds that E&U companies, like those in other industries, have begun to pay closer attention to the links between IT failures and reputational damage. Three principal forces drive corporate reputations: provision of a best-in-class product or service, customer engagement and trusted-partner status. Considering how companies are becoming increasingly dependent on technology to fulfill all three—to say nothing of running the business—the consensus is clear: IT risk can imperil companies’ productivity, damage customer relations and ultimately erode trust.

“IT risk is ever present. Just because we have had minimal incidents in the past 12 months does not mean the threat is not there.”—Business unit executive, energy and utilities company, Philippines

These observations apply across industries, but the study found that companies in the E&U sector perceive themselves as particularly vulnerable to reputational threats. The industry operates in an environment of intense public scrutiny, where physical disruptions to vital infrastructure can affect millions of citizens and cost billions of dollars to remediate. High-profile reputational failures in recent years have motivated aggressive efforts to mitigate the risks of future occurrences. The IT function is expected to support this objective by ensuring that all threats within its purview are identified, assessed and controlled.


A premium on corporate citizenship
Although deregulation has brought increasing competition to the industry, many E&U companies are still regulated geographical monopolies and as such are protected from customer churn. This might suggest that reputation would not be as top-of-mind as in other industries. In reality, however, E&U businesses are governed by complex regulatory regimes, leaving them highly vulnerable to political forces that are profoundly influenced by reputation. A senior European executive who was interviewed for this study puts it bluntly, “All politics is local. We’re accustomed to functioning at the behest of societies where we operate.” His company places great value on its reputation, he says, “because if we have a serious incident it could otherwise be extremely difficult to resume normal operations within an economic time frame.”

Their keen awareness of community-level pressures leads E&U companies to put a great deal of emphasis on conveying a broad positive image. E&U executives who participated in the survey are three times as likely as counterparts in other sectors to cite corporate citizenship as the single most important factor driving their company’s reputation. But they are only half as likely to say that customer engagement is their top concern. This is not to suggest that E&U companies don’t care about their customers. Compared with other survey respondents, E&U executives give similar priority to providing best-in-class service. On the other hand they tend to perceive their stakeholder base in very broad terms. For example, corporate citizenship and trusted partner status rank ahead of customer engagement as drivers of organizational reputation for E&U companies.

As providers of essential services to consumers and businesses, E&U companies must ensure a strong focus on business continuity and minimizing downtime. As a result they are somewhat less focused than companies in other industries on data security, especially data theft/cyber crime. Dr. Stefan Ulerich, a political and regulatory affairs executive with a major European power and gas utility, attributes this to the fact that utilities have very large investments in physical assets that depend on IT systems mainly for process control purposes.

“We have power plants, we have transmission lines and we have a lot of other things you can touch,” he says, “and this naturally makes us more focused on threats to physical infrastructure.” Dr. Ulerich notes, however, that this is beginning to change as IT failures in areas such as customer billing have driven “a growing realization that we need to focus more strongly on data security risks.” But change has been slow, he says, and “the sector is still fairly relaxed on these issues.”

Their responsibility for keeping complex infrastructure operating 24 hours a day also gives E&U executives a different perspective on IT risks. Most other companies represented in the survey perceive data theft/cybercrime as their biggest IT-related reputational threat. But E&U businesses see things differently (see Figure 1). About 59 percent of E&U respondents rate systems failures as one of the top three IT risks threatening their company’s reputation, compared with 43 percent overall. Insufficient disaster recovery measures and compliance failures also rank higher for E&U companies than for the study group as a whole.

This concern about continuity of operations is reflected in the IT controls that E&U companies implement. Although they generally rely on a narrower range of controls than other companies, they make more intensive use of access and perimeter controls such as identity and access management and intrusion detection systems. They are also more likely to keep technical support specialists on duty 24x7 to maintain operating systems and critical applications.

[Figure 1: bar chart, “Top IT-related reputational risks”, comparing Energy and utilities respondents with All industries. Categories shown: Systems failures; Data breaches/data theft/cybercrime; Data loss (failed backup or restore); Compliance failures; Insufficient disaster recovery measures; Inadequate business continuity plans; Website outages; Lack of IT skills/poor technical support; Workforce mobility (e.g. bring your own device); Technology adoption (e.g. cloud).]

Figure 1. Percent of respondents naming specified IT failures as one of the top three threats to their company’s reputation.

Smart Meters
Smart meters provide an interesting illustration of how IT risks, corporate reputation and the regulatory/political processes can intersect. By enabling remote access to electricity meters, this technology can greatly streamline the billing process. Smart meters are controversial, however, because they can also enable market-based (peak-load) pricing. “This eliminates the need for the utility company to build excess capacity to handle the peak load,” says Mark Czarnecki, President of the Benchmarking Network, an international organization that studies utility company best practices, “and the most expensive capacity you’ll ever build is that last power plant for peaking.”

Since market-based pricing promotes efficient energy use and is clearly in the public interest, it might seem that implementing smart meter programs would be straightforward. But Mr. Czarnecki says that the political nature of the regulatory process complicates the picture: “You not only have to do it from a technical standpoint; you also have to inform your customers, and then get it rolled into the rate base.” He adds that the political nature of the regulatory process can call attention to seemingly unrelated aspects of previous performance. “Utilities that have a good reputation get a lot less scrutiny than those that have issues. Issues come from a hundred different directions and smart meters are just one piece of the picture.”

Smart meter systems are controversial for two reasons: they capture potentially sensitive household-level consumption data and they can also support pricing schemes that allocate higher generation costs to peak-load users. Mr. Czarnecki sees data confidentiality as straightforward. “Other industries—like stockbrokers and health insurers—have already done that,” he says. “So these are not insurmountable problems, and specific issues of smart meters are really just a subset of the bigger data security issue.” He adds that a combination of controls on internal use of the data and prevention of external security breaches are the principal solutions.

Whether customers and other stakeholders accept such assurances depends greatly on the degree of trust that the utility has previously established. The same applies to the proposition that peak-load pricing isn’t just a cash grab. If trust is lacking, regulatory approvals may prove elusive.

“Implementing smart meters can be harder or easier depending on whether people believe what you are saying,” says Mr. Czarnecki, “a lot of people at rate hearings do not believe the utility companies, sometimes because of past failures.” A poor reputation can hurt a lot, he says, “It means a lot more cost: more attorneys, more accountants, and a lot more analysis to see if stakeholder concerns are real or not.”

Lack of trust can also motivate more intervention, drawing in fringe stakeholders. “You start pulling all kinds of people out of the woodwork like those who think that smart meters are evil,” he says. “They think that smart meters are going to overcharge them, and if your reputation has been compromised, you’re just giving them another opening. Why would you want to leave yourself open to that?”


E&U companies are not as concerned about theft of sensitive customer information as firms in other industries. But as they gather more and more customer data, those threats are moving up the E&U agenda: potential cybercrime ranks second behind systems failure as one of the top three IT-related reputational risks. “Utility companies collect a tremendous amount of private data in their routine operations,” says Mark Czarnecki, President of the Benchmarking Network, an international organization that studies utility company best practices. “They know what you use, they know whether you pay your bills on time, they may have your driver’s license number, and if you’re set up for auto pay, they have your credit card or bank account details.” As new technologies such as smart meters and electric vehicle charging stations spread, this emphasis on data security will become more important.

E&U executives are sanguine about the short-run impacts of an IT-related reputational incident, pointing instead to longer-term political consequences. Dr. Ulerich suggests that even in markets where consumers are free to switch providers, the more affluent consumers are not particularly price sensitive. “Their main interest is in societal issues like renewable energy,” he says, “and in those areas they react slowly.” These customers may complain about the company in private conversations, he adds, but in the short term “they don’t do anything about it.” However, when a high-profile industry proposal comes along, latent lack of trust can create political or regulatory obstacles. In this setting, Dr. Ulerich says, “positions taken by the media can ultimately determine the consequences of a reputational failure.”

“Critical IT systems are part of core business, not cost centres. If they are not properly built and maintained, the company risks major reputational loss.”— IT manager, energy and utilities company, United Kingdom

A senior European executive interviewed for this study suggests another reason for the relative lack of short-term consequences of IT failures: reputational damage is limited mainly to major incidents. He says that while E&U businesses suffer IT failures at a similar rate to other industries, most of those failures go unnoticed by stakeholders because “we avoid creating single points of failure.” He adds that redundancy and diversity throughout the physical infrastructure reduce the need for other types of risk control.

Results from the executive survey confirm that companies in this industry experience far fewer severe IT failures in most risk categories. For example, only 7 percent report a data theft incident leading to severe reputational harm in the previous 12 months compared with 12 percent overall. System failures are the only area where E&U executives report a relatively poor experience, and even then their companies barely exceed the industry average of 14 percent severe failures.

[Chart: Respondents that report a data theft incident leading to severe reputational harm, Energy and utilities vs All industries. The extracted bar values (43% and 59%) do not match this label and are omitted; the figures stated in the text above are the ones to rely on.]

Keeping the CEO out front
The vast majority (over 80 percent) of executives in our cross-industry study say the CEO is most accountable for their company’s reputation, followed by the CFO (31 percent), the CIO (27 percent), the CRO (23 percent) and the CMO (22 percent). E&U executives strongly agree that responsibility rests with the CEO, who in many cases is the sole authorized spokesperson in the wake of an incident. But whereas two-thirds of respondents as a whole say that accountability is shared among more than one C-level position, the trend towards shared responsibility among C-level executives has not yet significantly penetrated the E&U sector. E&U respondents report relatively small roles for Chief Risk Officers and Chief Information Security Officers. Since serious failures in the E&U sector tend to have community-level impacts, it makes sense to have related responsibility handled at the most senior level. “We have risks associated with everything from nuclear power plants to energy trading systems,” one executive says. “We have a lot of specialists managing these things, but ultimately accountability rests with the CEO, whether the risks are rooted in IT or something else.”

The community-wide dimensions of a major E&U failure explain the primacy of the CEO’s role when it comes to communications. Preventing failures is critical, but convincing stakeholders that problems have been fixed and that robust controls are in effect is the other half of the equation. While IT specialists are responsible for technical recovery after an incident, they need to work closely with counterparts in marketing and public relations to ensure that the CEO is fully briefed in the aftermath of a failure.


Experienced IT executives invariably say that these messages need to be both swift and brutally honest, especially in an environment where the media are primed to pounce on perceived corporate deceit. As one executive put it, “we get a lot of attention from the media that can lead to reputational damage that may be severe or even irreparable.” The rules are simple, he says, “secure the station, inform the CEO and focus on controlling the issue. And nobody speaks to the media or to the public without the express permission of the CEO.”

Functions within the E&U C-suite most accountable for the organization’s reputation (percent of E&U respondents): CEO 82%; CFO 40%; CIO 34%; CRO 18%; CMO 16%.

Conclusion
The trend towards more integrated enterprise-wide risk management led from the C-suite is evident across the E&U industry. The links between IT risks and reputational damage have been clearly recognized. Understandably for an industry so heavily invested in physical infrastructure that must be working around the clock, the focus is still concentrated on business continuity and avoidance of systems failures. But there is an emerging focus on data security. Indeed, executives who were surveyed or interviewed for this study suggest that E&U enterprises are beginning to shift their risk strategies in a number of ways:

• They are beginning to place increased emphasis on reputational risk. E&U executives are significantly more likely than the average respondent to say their organization will focus more on managing its reputation than five years ago.

• They will pay increasing attention to specific IT risks in the future, especially potential theft of customer data and interruptions to operational systems, and they will spend more on managing IT-related reputational risk than in the past.

• They will adapt to a liberalized regulatory environment by strengthening their consumer focus.

• Responsibility for reputational risk will remain firmly in the hands of the CEO but communications will improve as new systems are implemented to present an integrated risk profile to C-level executives, who are becoming increasingly IT literate.

© Copyright IBM Corporation 2012

IBM CorporationIBM Global Technology ServicesRoute 100Somers, NY 10589

Produced in the United States of AmericaOctober 2012

IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml.

This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates.

THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.


For more information
To learn more about how IBM can help you protect your organization’s reputation by strengthening IT risk management, contact your IBM representative or visit the following websites.

For security and IT risk management, visit:ibm.com/services/security

For business continuity and IT risk management, visit:ibm.com/services/continuity

For technical support and IT risk management, visit:ibm.com/services/techsupport

View the IBM reputational risk and IT infographic at:ibm.co/repriskinfographic

Add your voice to the discussion
Your opinion matters! Participate in the extension of our 2012 reputational risk and IT survey. Just scan the quick response code here or go to ibmrisksurvey.com

Your input will be added to what we anticipate will be the largest survey ever conducted on this important subject. You will receive the new analysis and report on the survey findings in early 2013. Thank you very much for your participation.

RLW03013-USEN-00