P&O – What’s in a Name: A Case Study in Brand Risk

Cyber Security - Resilience - Data Protection

P&O – What’s in a Name: A Case Study in Brand Risk


What’s in a company name. Quite a lot. It’s a key part of an organisation’s brand. It’s how customers identify an organisation. A company’s name is sacrosanct! Organisations want their customers to think positively about their name. They want their customers to tell their friends positive things about their experiences with their brand. What organisations don’t want is for someone to hear their name and think “eugghh, I wouldn’t go near them with a barge pole”. What they don’t want to see on social media is #boycottcompanyX. We have seen hashtag activism happen to some large brands #boycottNFL, politicians #boycottTrump and even nation-states #boycottRussia. But what happens when it’s your name, but it’s not your name. What happens when your precious brand reputation is tarnished by a company of a similar name but who has absolutely nothing to do with you (anymore at least). That’s exactly what has happened to P&O Cruises in March 22.

What happened?

On the 18th March 2022, P&O Ferries took the decision to make 800 of their workers redundant. Staff were told in a pre-recorded message that if the redundancies weren’t made right now, then the company would no longer be a viable business. Handling of the situation became so bad, some employees were taken off P&O Ferries owned vessels in handcuffs. Agency workers from outside the UK have been shipped in who are, allegedly, on wages significantly below minimum wage. The damage to P&O Ferries has been a total, out-and-out public relations PR disaster! I say a PR disaster, but one can only assume no one from PR was involved in this. Even the most wet-behind-the-ears intern would have likely suggested the approach taken by P&O Ferries parent company DP World was going to tremendously backfire.

Pot&tO Ferries, P&tatO Cruises

It’s only natural when people see media reports of P&O Ferries sacking workers in such a horrendous manner to want to distance themselves from the P&O brand altogether. Many, like me, don’t use P&O Ferries and so a boycott would have little impact. But, I have holidayed with P&O Cruises and it did make me seriously consider whether I would book a holiday with P&O Cruises in the future. I was not alone. Even though P&O Cruises, owned by Carnival, is owned by a totally different group. its reputation has tanked since the P&O Ferries, owned by DP World, redundancy debacle. If you look at the chart below to see that, in fact, P&O Cruises, now has a worse reputation for an event they had nothing to do with. P&O Ferries’ actions appear to have materially damaged P&O Cruises’ reputation – and for how long this will remain is uncertain.

No alt text provided for this image

For P&O Cruises, such an event coming off the heels of the global pandemic must be a devastating blow as the cruise industry was hit particularly hard. What makes it a more bitter pill to swallow is that it wasn’t their fault…or was it?

What is the risk angle?

What we are seeing, in the last two decades, as globalisation has bedded in, is that more and more organisations are exposed to risk caused by external events out of their control. If we look at the last two decades there has been a global financial crisis, a global pandemic and the potential start of World War 3 (of which even if it doesn’t become WW3, events in Ukraine are still having global ramifications). I believe this trend will only continue and issues such as climate change, globalisation and artificial intelligence (when it actually does come) will only increase the velocity of events. The gap in many Enterprise Risk Management (ERM) programmes is that risk management tends to be highly focussed on maintaining internal control. Sure, there may be controls around the supply chain (to varying degrees) and reputational damage is often considered in the lens of an organisation’s own behaviour. External threats, however, are often paid lip service.

P&O Cruises was able to weather the global financial crisis, and will likely weather the pandemic. They may weather this reputational crisis too but could they have already mitigated this risk ahead of time. Was lack of control over its own brand even recorded as a risk? Given it does not have full control over its brand, should it not have taken steps, at any time during the last 21 years, to have full control over its brand’s reputation? Should P&O Cruises have planned to rebrand as soon as it was spun off? Maybe, maybe not. Such a calculation would need to be calibrated against the value of the P&O brand at regular intervals against the cost of reputational damage – for 20 years, that bet had paid off. The question I don’t have the answer to is if such calibration was ever formally made, did it even consider the actions of other companies also using the P&O brand. Whilst brands take seconds to destroy, they take years to build. P&O Cruises could have been building a new brand, perhaps around the parent company’s name Carnival. or maybe something like Peninsular Cruises that has a nod to the past. If P&O Ferries are dragged through the courts, lose government contracts and, are dealing with mass employment tribunals, P&O Cruises may want to be shot of such a [potentially] long-term toxic association. I would not be surprised if such conversations are already going on and significant PR dollars are being spent! But is the damage already done? We will have to see.

Learning from Others

So, what can we learn from the fall out of the P&O Ferries PR disaster from a risk management perspective? In the following sections we shall look at some key things all businesses should consider.

Ensure Brand Risk is Managed

One of the first things organisations should consider is including Brand Risk within your Enterprise Risk Management (ERM) Framework. Don’t just consider how things your organisation does on its own could damage your brand, think about your sector as a whole – Remember the “Blame it on the Bankers“. Think about the damage of brand association. Are you partnering with other organisations that don’t align with your values? Are you an environmental charity that is inadvertently supporting a company in its efforts to greenwash? Could your customer base confuse your brand with the brand of another company that has a similar name?

Plan for Operational Impacts

Invariably, when a PR disaster of someone else’s making hits, there will be little time to respond to the events as they are unfolding. You need to be ahead of the curve. Customer Service will be key and it needs to fire on all cylinders. It’s likely your operational staff will need to deal with questions from customers. People may want to cancel services or orders – some of these may be preventable if your Customer Service Agents can offer some context. If One unintended consequence could be that employees from one company may inadvertently take legal action against the wrong legal entity. As a precursor to this, they may make Data Subject Access Requests (DSARs). Being ready to communicate with Data Subjects quickly may save a lot of pain and wasted effort.

Establish Threat Intelligence Feeds

ISO 27002:2022 has included threat intelligence within its updated list of information security controls and breaks up threat intelligence into three types (strategic, operational and tactical). Whilst aimed specifically at information security, threat intelligence would not be out of place as a component of any solid risk management framework. Organisations should seek to establish feeds of intelligence and incorporate them into their risk assessment processes. This doesn’t have to be expensive but organisations should consider collecting and analysing threat intelligence feeds that cover external events dealing with geopolitical, economic, environmental, technological, social and legal issues.

Look outside your own bubble

To sum up, running a successful company can become all-consuming. All your focus will likely be directed towards improving your offerings and developing new innovative products. That said, it’s critical for all businesses to look outwards on the threats that could damage their brand’s reputation. To scan the horizon from time to time. Even, if you have a really small business, simply reading a weekly newspaper like the Economist or listening to the Intelligence Podcast is well worth it…and as always, if you need help implementing your risk management framework, get in contact, we can help!

About Fox Red Risk

Fox Red Risk is a boutique data protection and cybersecurity consultancy and Managed Security Service Provider which, amongst other things, helps client organisations with implementing control frameworks for resiliencedata protection and information security risk management. Call us on 020 8242 6047 or contact us via the website to discuss your needs.

Disclaimer: Fox Red Risk Solutions Ltd has no association with P&O Ferries, P&O Cruises, or their parent companies. Fox Red Risk Solutions Ltd has no association with the Economist Group Ltd. No compensation or inducement has been made to Fox Red Risk Solutions to produce this article.

22301:2019 article 25 article 28 awareness bcms breach change management ciso controller cybersecurity data breach data privacy Data Protection data protection by design data protection officer data protection service Data Subject Access Request DPO DSAR GDPR incident management information security leadership management operational resilience Outsourced DPO Privacy processor resilience risk risk appetite risk management ROI security security as a service small business soc strategic strategy Subject Access Request training transparency vciso virtual ciso vulnerability scanning

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.