Corporate Digital Responsibility

I've started listening to the Economist Audio Edition on my iPod while running. Last week I listened to a special report on Corporate Social Responsibility. I was struck by the language used and issues discussed in the report. Here are a few excepts.

First, from Just good business:

Why the boom [in CSR initiatives]? For a number of reasons, companies are having to work harder to protect their reputation — and, by extension, the environment in which they do business...

CSR is now made up of three broad layers, one on top of the other. The most basic is traditional corporate philanthropy... [T]he second layer of CSR... is a branch of risk management... So, often belatedly, companies respond by trying to manage the risks. They talk to NGOs and to governments, create codes of conduct and commit themselves to more transparency in their operations. Increasingly, too, they get together with their competitors in the same industry in an effort to set common rules, spread the risk and shape opinion.

All this is largely defensive, but companies like to stress that there are also opportunities to be had for those that get ahead of the game. The emphasis on opportunity is the third and trendiest layer of CSR: the idea that it can help to create value...

That is just the sort of thing chief executives like to hear... Businesses have eagerly adopted the jargon of “embedding” CSR in the core of their operations, making it “part of the corporate DNA” so that it influences decisions across the company.

With a few interesting exceptions, the rhetoric falls well short of the reality.


Next, from The next question: Does CSR work?:

Three years ago a special report in The Economist acknowledged, with regret, that the CSR movement had won the battle of ideas. In the survey by the Economist Intelligence Unit for this report, only 4% of respondents thought that CSR was “a waste of time and money”. Clearly CSR has arrived...

[In one sense], the best form of corporate responsibility boils down to enlightened self-interest. And the more that firms embracing it are seen to be successful — through astutely managing risks and recognising opportunities — the more enlightened their leaders will be perceived to be. But do such policies really help to bring success? If not, the whole CSR industry has a problem. If people are no longer asking “whether” but “how”, in future they will increasingly want to know “how well”. Is CSR adding value to the business?

At present few companies would be able to tell. CSR decisions rely more on instinct than on evidence. But a measurement industry of sorts is springing up. Many big firms now publish their own sustainability reports, full of targets and commitments. The Global Reporting Initiative, based in Amsterdam, aspires to provide an international standard, with 79 indicators that it encourages companies to use. This may be a useful starting point, but critics say it often amounts to little more than box-ticking; worse, it can provide a cover for poor performers...


From A stich in time: How companies manage risks to their reputation:

Business leaders embrace corporate responsibility for a number of reasons... For some, though, it is public embarrassment and lawsuits that concentrate the mind... Trouble seems to come in waves, pounding industry after industry, each time for a different reason... Most of the rhetoric on CSR may be about doing the right thing and trumping competitors, but much of the reality is plain risk management. It involves limiting the damage to the brand and the bottom line that can be inflicted by a bad press and consumer boycotts, as well as dealing with the threat of legal action...

Time and again companies fail to see the problems coming. Only once they have had to deal with, say, a lawsuit or strong public pressure do they start to change their thinking...

For the moment, though, the biggest problem many companies have to deal with is something that has sprung from rapid globalisation. It is the risks associated with managing supply chains that spread around the world, stretching deep into China, India and elsewhere...

Firms can set standards of behaviour for suppliers, but they do not find it easy to enforce them... So inspection regimes are set to intensify, at a time when audit fatigue has already become a problem for suppliers...

Each industry has its own specific issues, but there are some common themes in how firms are approaching the risk-management side of CSR. One is to put in place proper systems for monitoring risk across the supply chain, including listing who the suppliers are, having well-established channels of communicating with them and auditing their compliance with ethics codes. Basic as it sounds, even many big companies fail to do this...

Beyond the basics, prudent companies include a CSR perspective when considering new projects...

Novo Nordisk, a Danish company that supplies a big share of the world's insulin, has written the “triple bottom line” — that is, striving to act in a financially, environmentally and socially responsible way — into its articles of association...


Finally, from Do it right:

One way of looking at CSR is that it is part of what businesses need to do to keep up with (or, if possible, stay slightly ahead of) society's fast-changing expectations. It is an aspect of taking care of a company's reputation, managing its risks and gaining a competitive edge. This is what good managers ought to do anyway. Doing it well may simply involve a clearer focus and greater effort than in the past, because information now spreads much more quickly and companies feel the heat...

If it is nothing more than good business practice, is there any point in singling out corporate social responsibility as something distinctive? Strangely, perhaps there is, at least for now. If it helps businesses look outwards more than they otherwise would and to think imaginatively about the risks and opportunities they face, it is probably worth doing. This is why some financial analysts think that looking at the quality of a company's CSR policy may be a useful pointer to the quality of its management more generally...

[I]n a growing number of companies CSR goes deeper than that and comes closer to being “embedded” in the business, influencing decisions on everything from sourcing to strategy. These may also be the places where talented people will most want to work.

The more this happens, ironically, the more the days of CSR may start to seem numbered. In time it will simply be the way business is done in the 21st century. “My job is to design myself out of a job,” says one company's head of corporate responsibility...


Is it obvious by now that you could replace CSR in all of these cases with "digital security"? Is it now time for a "quadruple bottom line" -- "striving to act in a financially, environmentally, socially, and digitally responsible way?

We in the digital security field need to talk to these CSR people and figure out how they are making progress. We share almost exactly the same goals but they are winning the battle of ideas. In digital security, too many companies "fail to see the problems coming. Only once they have had to deal with, say, a lawsuit or strong public pressure do they start to change their thinking."

Note: Prior to this blog post the only mention of "corporate digital responsibility" I could find via Google is a SEC filing for Bank Bradesco.

Comments

Anonymous said…
Smart Post Richard.

Popular posts from this blog

Zeek in Action Videos

New Book! The Best of TaoSecurity Blog, Volume 4

MITRE ATT&CK Tactics Are Not Tactics