When businesses scan the horizon for operational and reputational risks, they have tended in the past to look outwards – at external threats like climate change, political instability, supply chain interruptions, natural disasters and war. But as we reflect on the big business news stories, and what kept my team busy, in 2023, I suggest that many more businesses will (or at least should) focus in 2024 on the potential threats which are closer to home.
Employees are often referred to as businesses' biggest asset, and their biggest threat. They are privy to varying depths of extremely valuable and sensitive information (trade secrets, payroll data, security details), and it is increasingly easy for disenfranchised employees to "speak out" when they are dissatisfied and want to cause pain. Research suggests that the motivation behind many data breaches and 'whistleblowing' disclosures is rarely financial, but more often vengeful, and part of vendettas against leadership. Remember the ex-Morrisons auditor, disciplined for dealing in a slimming drug at work (he was initially suspended pending analysis of white powder delivered to the office), who went on to copy and leak the payroll data of almost 100,000 employees. At his criminal trial, he was found to have harboured "very considerable bad feelings towards Morrisons". Eventually, the Supreme Court found the supermarket not to be vicariously liable for his actions, but it still faced a lengthy and expensive legal battle, the costs of rectifying the data breach, and unquantifiable reputational damage.
News that an alleged Chinese spy had been recruited to work as a parliamentary researcher and was in contact with senior MPs sent shockwaves through Westminster last year. This is not confined to politics, and businesses should not be complacent about the risk of nefarious organisations or individuals infiltrating their staff to try to obtain confidential information or secure an advantage. In fact, actors from hostile governments have been identified as a key threat to UK industry through the targeting of experts, intellectual property and knowledge of cyber weaknesses. The National Protective Security Authority (NPSA) defines insider risk as "the likelihood of harm or loss to an organisation, and its subsequent impact, because of the action or inaction of an insider"; it defines an insider as "any person who has, or previously had, authorised access to or knowledge of the organisation’s resources, including people, processes, information, technology, and facilities". Insiders can become instruments - targeted and used by competitors to cause significant operational and reputational damage.
Whistleblowers and public interest journalism
The Confederation of British Industry (CBI) is just one example of an esteemed institution rocked by multiple allegations of sexual misconduct last year, and criticised for its handling of those allegations. Multiple past and current employees told journalists that they had not felt confident that the CBI – set up by Royal Charter, with a mandate to speak as the voice of British business – would properly and appropriately investigate and deal with their complaints, in part because of how it had addressed sensitive issues in the past. Teams of investigative journalists are now devoted to working up 'public interest' stories, which aim to highlight where businesses and leaders are falling short – hoping to move the cultural dial by shaming those which are lagging behind, or not living up to the standards they set for themselves.
Meanwhile, the long-running investigation into serious allegations against Russell Brand left many in the entertainment industry wondering how they can be better prepared to address allegations of sexual or other improper conduct. This issue is by no means confined to the arts, however, and is of particular concern and complexity in industries and businesses where personal/employment relationships are blurred, where power dynamics are asymmetric, and where work is of a more peripatetic nature.
Whatever the sector, it has never been more important to inspire confidence that sensitive issues will be dealt with properly, and to communicate effectively where changes are made.
Areas to target
So, as executives and leaders return from their festive breaks, what should they be focusing on to ensure they are prepared and can react confidently and decisively in a crisis?
- Culture and communication with employees
People who are engaged and invested in the success of a business and its leadership are less likely to leave and/or turn against you. Even if your staff do not agree with all management decisions or the stance taken on divisive issues, the more they see and believe in the values and culture of an organisation, understand the rationale for challenging decisions, and feel able to ask questions, the more likely they are to get on board. Internal communications often sits somewhere between the broader communications function and HR, because it is central to both, and ought not to be overlooked or deprioritised.
- Security and insider risk
Cyber security and testing are now standard, but not all businesses may be as confident that they have processes in place to identify and stop "insiders" exploiting their systems. The NPSA recommends using its Insider Risk Mitigation Framework, including advice on employment screening, and investigation and disciplinary practices. Managing insider threats requires robust monitoring, clear reporting, and crucially, targeted investigations. Such investigations (often overseen by our MDR Cyber colleagues) address immediate threats, identify patterns, and aid in improving preventive measures. They provide insights for refining security protocols and training, enhance access control and audits, and are key to reducing future insider threats, thereby bolstering long-term business security and resilience.
- Internal investigations and complaints handling
All businesses must keep their policies around conduct in the workplace, relationships at work, discrimination and bullying up to date, and should act with transparency and consistency when handling internal grievances or investigating whistleblowing disclosures. This not only reassures and protects staff, but also reduces the risk that an unhappy employee or their supporters will ventilate their concerns (including around your response) elsewhere. Setting and enforcing consistent standards has never been more important.
- Crisis preparation
Do the hard work early and be prepared to challenge yourself. Do not put your head in the sand. Many, if not all, reputational crises stem from failings that are homegrown. Document your reasons for difficult decisions, so you can answer questions quickly and with confidence and consistency. Ensure your playbooks and crisis response procedures are fit for purpose and up to date, and practise your reactions to the foreseeable risks so that you can spot gaps and learn from any mistakes ahead of time.