10 minute read 19 Aug. 2022
Six ways to prioritize the trust agenda now

Six ways to prioritize the trust agenda now

Carlos Perez Chalico

EY Canada Private Cybersecurity and Privacy Leader

I have over 23 years of experience in cybersecurity, IT risk management and privacy matters. In my free time, I read, write, go route-cycling and volunteer.

Roobi Alam

EY Canada Privacy Leader

Roobi is a privacy professional who is determined to help organizations and individuals realize why privacy is power.

10 minute read 19 Aug. 2022
Related topics Technology Consulting

Co-authored by Nick Galleto, EY Partner, Technology Consulting

Trust is now a key value driver for stakeholders, driving organizations to evolve and centralize their operations through a Chief Trust Officer.

Shareholders, investors, partners, customers, employees, suppliers, regulators and communities — all types of stakeholders now emphasize trust as a key value driver. This shift is driving a new need for Canadian organizations to evolve their operations accordingly. Businesses that centralize a holistic approach through a Chief Trust Officer (CTrO) stand to gain sustainable momentum over the long term.

What does trust really mean for organizations today?

Trustworthiness isn’t any one thing. It’s an equation: the combination of credibility, reliability and intimacy or self-orientation.

Credibility is achieved when organizations align their words with their brand and stakeholder promise. Reliability is established when actions support those words and stakeholders know they can depend on an organization for the same consistent level of service. Intimacy is reached over time, when stakeholders have confirmed the organization is credible and reliable. Self-orientation is achieved when stakeholders are truly the organization’s top priority. That means the organization prioritizes stakeholders’ best interests over the enterprise itself. 

Why establish a Chief Trust Officer now? 

With such vast and far-reaching implications, trust and trustworthiness extend well beyond the confines of any one business unit or functional area. While many different leaders in an organization might address trust as a component of their mandate, businesses haven’t typically formalized a role that seeks to weave trust consistently across responsibilities. Doing so now represents a strategic move that can fuel top- and bottom-line results.

That’s because sustainable long-term value has taken on a new meaning, one that extends far beyond dollars and cents. Stakeholders are increasingly interested in the wider ways a business makes — or doesn’t make — a positive impact on the world by doing the right thing. Canadians have expanding expectations for CEOs to lead on societal issues, with people here looking for more business leadership, not less. In this new reality, CEOs now find themselves accountable for company values, social impacts, ethics, and governance practices. 

This broader appreciation for trust cuts right across functional areas and business priorities. What does that look like? EY research shows that:

  • 97% of senior executives agree that integrity is important;, but more than half say organizational standards for integrity have stayed the same or worsened over the last 18 months. 
  • 90% of institutional investors attach greater importance to a company’s environmental, sustainability and governance (ESG) priorities than they did pre-pandemic. 
  • 42% of Canadian consumers surveyed during the pandemic said they’d be paying more attention to the social impact of their purchases from here on out.
  •  54% of Canadians say COVID-19 pandemic made them even more aware of the personal data they share. Meanwhile, 40% of businesses acknowledge they have never been more concerned about managing cyber threats than they are right now.

As each of these drivers gathers additional stakeholder steam, it’s becoming clear that trustworthiness doesn’t live in a silo. It affects every team, business unit and department. Hence the need to prioritize trust at the very top of the house and manage it proactively as a critical business imperative. This helps align strategies, to get people working towards common, trustworthiness goals that create sustainable stakeholder value, (such as initiatives tied to ESG, privacy, cybersecurity, responsible AI, data ethics and more). 

How would a Chief Trust Officer move the trust agenda forward?

Empowered with a direct reporting relationship to the CEO, a CTrO becomes the person responsible for delivering against the trust equation. The CTrO builds confidence around the use of customer information and takes proper measurements to ensure that information can be trusted.

Looking outward, the CTrO will make customers aware of the appropriate levels of protection for their information, advocating for customers and interacting with them to understand their changing needs.

On the flip side, the CTrO will advocate internally for trust-centric decisions at the executive level and create company-wide initiatives that support employee retention and satisfy goals. Working in complementary ways with the rest of the C-suite-, the CTrO will build trust inside the company and with external partners and stakeholders. 

What’s the first step to prioritizing the trust agenda through a CTrO? 

Repositioning an organization’s success in the market through the broader lens of trust starts by understanding the six pillars of trustworthiness. Asking these key questions now can help you explore trust through a more holistic lens, to shape an effective strategy:

1. What’s the best way to show tone from the top at our organization? The trust equation will look different at different organizations. Define what trustworthiness means to you and your stakeholders. Map out the areas where you excel at generating trust and identify the gaps. With that insight in mind, you can unify your approach at the most senior levels of the organization. This sends a very clear message to internal and external stakeholders: we value your trust and we’re working deliberately to protect, cultivate and grow trustworthiness in our organization.

At this stage, consider: 

  • Creating KPIs that encourage risk reduction and trust generation vs. revenue generation alone
  • Using KPIs to measure success without bypassing the importance of risk management
  • Formalizing the role all senior execs must play in achieving trust principles
  • Providing continuous cultural evolution training
  • Assessing the ways in which the business performs as a steward of the natural environment

2. How are we cultivating a spirit of transparency? Research has shown that 41% of board members, senior managers, managers and employees at the world’s largest organizations say the pandemic made it harder for businesses to act with integrity. Transparency — whether between companies and third-party businesses, boards and auditors, or just about anyone in between — is increasingly important. This includes not only disclosing in plain and simple language what data is being collected and why, and how it will be used, but also ensuring stakeholders have a say in whether they want their data to be used that way.

At this stage, consider: 

  • Meaningful disclosures and consent throughout the onboarding journey
  • “Just in time” notices that includes relevant privacy information presented up front where it’s clear, easy to see and easy to comprehend
  • Walkthrough videos that explain privacy settings and the benefit of each
  •  Educate the consumer around potential privacy issues at various points of the customer journey
  • Using purpose statements that explain why the data needs to be collected
  • Real time functionality to support various different data subject requests (e.g., the right to access, delete and extract data) 

3. Are we safeguarding data in ways that build trust? Ensuring security safeguards and privacy risks are prioritized at the initial stages of innovation and throughout the ecosystem helps create solutions that are fundamentally more secure from the get-go. Whether you’re ideating around 5G, advanced analytics, digital marketing, cloud migration or even ESG initiatives : privacy and cybersecurity must be discussed at the very front end of your planning using a by design approach. 

At this stage, consider: 

  • Identifying and clearly documenting all processing activities and understanding how they are supported by IT
  • Enabling risk management practices to detect early the things that can go wrong and negatively impact the cybersecurity and privacy controls effectiveness within the known processing activities
  • Enabling trust by design through the early definition of cybersecurity and privacy controls in all processes and applications
  • Incorporating within the third-party risk management program a solid model to clearly identify, test and validate cybersecurity and privacy controls across the lifecycle of the organizational relationship with third parties
  • Defining and using standard cybersecurity and privacy frameworks across the organization

 4. Can putting humans at the centre of our business improve trustworthiness? Technology and process do not move organizations forward. People do. Connecting all three can spark new progress in your organization. Framed externally, putting humans at the centre brings you closer to understanding customers and other stakeholders.

But this isn’t happening nearly enough. While 90% of employers believe they’re prioritizing employees when making decisions, only 69% of employees feel the organization has given their needs top billing. Rectifying this means making the customer journey easier to comprehend, in a short period of time, while establishing trust so data is shared and the ultimate customer experience is achieved.

At this stage, consider: 

  • Putting humans@centre through social criteria around the organization’s treatment of people
  • Giving back to the community
  • Delivering exceptional customer service
  • Treating partners and suppliers fairly
  • Evolving to address changing employee needs
  • Protecting customer rights over their data
  • Improving service quality

5. How can we expand our risk management strategy to actually build trust? Risk management shouldn’t be one team’s responsibility for the entire organization. Just like how business function leaders determine what success looks like, they need to take the ownership and accountability in understanding risks associated with their “success” strategy and proactively plan to remediate any risk. Executives need to ensure risk management is part of their business strategy to monitor the balance between data utility and regulatory risk.

Operational silos hold organizations back. Integrating the way we manage risk with the rest of your operations makes for better results. Whether we’re talking about the 7 out of 10 executives who say navigating regulation will be time consuming and expensive going forward, or the 40% of cyber leaders who are more concerned than ever about managing cyber threats: the risks we face have evolved. Connecting them through a more integrated approach linked by a focus on trust sets a common foundation.

In addition, a cultural transformation needs to be embedded in the day-to-day operations so the organization cultivates a way of thinking that prioritizes the generation of trust.

At this stage, consider: 

  • Adding a risk management mandate to all business strategies
  • Creating key risk indicators that can be constantly measured to confirm that risk is managed in alignment with corporate risk appetite
  • Embedding trust generation in the corporate strategy and the definition of risk appetite
  • In addition to controls around risk reduction, creating and embedding additional controls around the ethical use of data and trust generation in key business processes such as AI, automated decision-making and data strategies. This can also create a strong foundation for fraud and financial crime prevention. 
  • Identifying the proper vehicles to incorporate in the ESG report a clear message to talk to the markets about how cybersecurity and privacy are effectively managed to generate trust

6. Are we consistently doing the right thing? Supporting the trust agenda may require a cultural shift at the organizational level. People at every level of the company must understand their part in doing the right thing and be supported in delivering on that promise including understanding the convergence between the physical and digital world. Organizations that go beyond establishing trust as a priority to weave this principle into the fabric of the enterprise itself will be best positioned to thrive going forward. 

At this stage, consider: 

  • Providing additional cultural evolution or on-the-job training
  • Reframing data collection to only gather what is absolutely required
  • Obtaining meaningful consent when required
  • Retrenching around the ethical use of data
  • Disposing of data when it’s no longer required
  • Striking a balance between delivering on promises, doing the right thing and working to improve society

What’s the bottom line?

Trusted companies have a bright future. Ensconcing organizational trust as a top priority now can position you to deliver against a host of evolving stakeholder expectations. Doing so through clear CTrO leadership, enhancing the digital experience, securing the ecosystem, enabling ethics and integrity and overall contributing to safe and sustainable communities — are key steps that can fuel the trust agenda in the years ahead. 


Through a Chief Trust Officer, Canadian organizations can evolve their operations to reflect changing times and meet stakeholder requirements. Positioning trust at the centre of your strategy allows the cultivation of transparency and to put humans at the centre of the business. 

About this article

Carlos Perez Chalico

EY Canada Private Cybersecurity and Privacy Leader

I have over 23 years of experience in cybersecurity, IT risk management and privacy matters. In my free time, I read, write, go route-cycling and volunteer.

Roobi Alam

EY Canada Privacy Leader

Roobi is a privacy professional who is determined to help organizations and individuals realize why privacy is power.

Related topics Technology Consulting