Framework to Deal with the Use of Social Media
Nothing short of a revolution in online communication and social media has been occurring over the last few years. The movement has gone beyond being an information security challenge and become a genuine governance issue. Boards of directors must take notice of these new challenges, identify oversight responsibilities, and develop the appropriate policies and procedures to protect the integrity of company data and make sure the use of social media is consistent with the company’s values. In this blog I look at what can be done to get ahead of the situation.
Social media are no longer just social— these tools are commercial, and they are becoming a key element of business strategy. From engaging customers in real time, to adding sales channels, to enhancing market research, companies are discovering many ways to take advantage of social media.
Social media brings many advantages including getting one’s message out to potential customers, promoting brand, and communicating with stakeholders. But for all their advantages, social media also bring inherent risk, even to those companies not actively using them—e.g., threats to confidential information or intellectual property, reputational risk and the potential for regulatory infractions, to name a few. As a result, it is critical that management develop and maintain a clear-cut governance framework as a central part of its social media development initiatives.
The work time use – and/or misuse – of Facebook, MySpace, LinkedIn, Twitter and YouTube is a management and human resources issue; data leakage through these channels is a compliance and, potentially, a competitiveness issue; and the risks to confidentiality, availability and integrity of information is an information security issue. But social media may also have a significant role to play in how the organization communicates with customers, partners, suppliers, potential employees and stakeholders. Social media have an increasingly important part to play in corporate marketing strategies, whether in brand development or product positioning.
Organizations that embrace social media increasingly recognize that they need a coherent, comprehensive approach, an approach that ensures clarity about corporate policy, identifies roles and responsibilities, and provides appropriate training to individuals supported by guidance and practical tips for effective use of these media. They need, in other words, a governance framework that contains board-level guidance about the role of social media in the business strategy, which ensures that roles, responsibilities and resources are allocated, that risks are identified and controlled, and that appropriate business objectives are achieved.
The international accounting firm of KPMG examined the role of audit committees in ensuring that management (often spearheaded by marketing and closely supported by legal/compliance and information technology) has in place a social media governance framework that effectively addresses the range of internal and external risks, and that it is designed to keep pace with the rapid speed at which this area is evolving.
To address this challenge the firm identifies five areas of focus for audit committees:
- Can management demonstrate an understanding of how the use of social media is evolving and impacting the business—and the associated risks? This would include how social media impacts marketing strategy; advertising and communications strategies; workforce effectiveness; information protection; reputation risk; and legal/regulatory risk; and how effective are social media monitoring controls?
- Is someone actively monitoring the major social media networks to identify potential problems and opportunities? How does the company monitor the use of social media tools and its role in the enterprise risk management process? How does the company decide when to react to potential reputational issues being discussed in various social media—and, when needed, how does the company respond?
- Do we have a single, clearly defined policy regarding employee use of social media both on the company’s enterprise technology and employees’ personal devices? Employee use of social media raises a variety of issues unique to the company, including employee commentary on company matters and workplace conduct, the protection of the company’s intellectual property rights (logos, registered phrases, developing products, business plans), information privacy, proper use of company devices to access external social media sites, and the company’s right to monitor employee postings on those sites. What training on the use of social media is provided employees?
- Does the company’s social media governance framework define how the company’s message will be managed through use of social media for marketing and communications? Protections should be in place to prevent employees from becoming unsupervised spokespeople for the company. Investor relations and marketing/ communications should play a central role to monitor the use of social media and by whom. Questions to ask: Do we have formal guidelines for all market-facing organizations? Do we have procedures for message approval so that key constituents (e.g., legal/regulatory, and marketing/communications) can have timely input?
- How do we monitor compliance with the company’s social media policy? Who is responsible for enforcement of the policy? Internal audit may have a central role to play, focusing particularly on the adequacy of controls around the key risks posed by the use of social media, and auditing the adequacy of the company’s social media governance framework, including employee adherence to the policy—and the effectiveness of employee training.
Social media governance was at one time dismissed as an idea that something as individually-based as social media might be governed. Now, it’s an essential step for forward-looking organizations. Boards should no longer be asking if social media will be used by the company; instead they should be asking for transparency in how social media are being used and managed across the enterprise. An effective social media governance policy should become part of the ethical culture of an organization.
Blog posted by Steven Mintz, aka Ethics Sage, on October 12, 2011