In the Forrester independent review of ‘Social Media Risk and Compliance’ report 2014, they stated that “All organisations need to manage social media risk” but very few do. So where are we today?
In a recent survey we conducted across the Automotive sector we discovered that 52% of businesses claimed that they were yet to identify the risks. More worryingly, a further 64% admitted that they were probably in breach of the FCA guidelines on promotion using social media. Some were certain they may face heavy fines in the future if they did not act now to manage the risk.
The fact is that today we face an almost total adoption of social media by both consumers and organisations alike, which drastically increases the organisation’s exposure to new levels of risk. There is no longer an option to prohibit the use of social media either within the organisation or by the organisation itself. Quite often the horse has bolted as these social profiles have already been set up and are being used to engage with customers, potential employees, stakeholders, suppliers and employees.
Key trends that are of note are that organisations are increasing the number of social profiles that represent them. These same organisations are increasing the number of users that require access to these profiles. At the same time social media is becoming far more operational.
At this stage it is probably worth exploring a definition of risk management; A probability or threat of damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through pre-emptive action.
All sounds sensible, but how do we apply this to social media? Stage one is to get a thorough understanding of the risks and potential exposure.
It is probably worth breaking down the various areas in which social media could and should be included; Legal, Reputation, Operations, IT and regulation.
Social Media IT Risks
HMV showed a complete lack of control around the access to their social media. The organisation got into some financial difficulty and had to call in the administrators. Employees were invited to a confidential company meeting. It was expected that employees would be talking amongst themselves during and after the meeting about the potential impact on both customers and themselves. It wasn’t expected that the content of the meeting would be posted out on the organisation’s corporate twitter account, live. The Marketing Director was even quoted as saying “Does anyone know how to shut this Twitter thing off?”.
The organisation did not have a way to disable employee access to the company’s social media accounts. This is a huge risk and caused financial losses for the organisation that could have quite easily have been avoided had the right policies been in place and then followed.
Social Media Regulatory Risk
We have referenced the FCA guidelines in previous posts and have shared the key take aways that all organisations can learn from. The guidelines require that organisations not only consider the risks of social media but ensure there are provisions within the ‘senior management arrangements, systems and controls’ in place to manage social media in the course of business.
A key challenge is in how we define the term ‘in the course of business’, recognising that many individuals utilise personal social media channels as well as having access to work accounts. Organisations need to take personal social profiles into account when developing and policing social media policies as well as the corporate accounts.
Social Media Operational Risk
One of the UK’s police forces decided that they should be on social media. They put the usual caveats on their Facebook page — please do not report crime on social media please ring 999.
So what happened one Friday evening? Someone reported a crime on one of their social media pages and it didn’t get picked up until Monday morning! This caused huge embarrassment for the force. This example really supports the argument that says if you are going to be on social media and use it as a communication channel then you cannot think about how you, the organisation, wants to use it, but how your customers want to use it. Once that is clear then it has to be resourced properly. The general issue here is that quite often organisations are operating without a social media plan. If the plan did exist then it would have/ should have addressed the issue of how to resource it.
Social Media Legal Risk
There are a number of legal areas that need to be considered and defamation is one critical element. The case in which Sally Bercow tweeted about Lord McAlpine was a land mark case. It got to court and the judge found Bercow guilty of defamation and was forced to pay damages. Acting on behalf of McAlpine, solicitor Andrew Reid announced: “Twitter is not just a closed coffee shop among friends. It goes out to hundreds of thousands of people and you must take responsibility for it. It is not a place where you can gossip and say things with impunity
What happens if a high profile person in the organisation tweets some defamatory content and they reference their role and their position in the organisation? Who is responsible and has the damage already been done to the organisation?
Social Media Reputational Risk
Organisations have multiple audiences; the media, journalists, customers, potential customers, local communities, suppliers, partners and the list goes on. The organisation’s reputation is not always in the hands of the organisation itself, but they can certainly influence it by what they do and how they behave. There are some simple rules that need to be worked into organisational processes:
- Listen – People are talking about your products, therefore it is essential you are listening to these conversations, especially your customer service teams. It will provide valuable insight into what your organisation can do better, gauge how happy customers are and understand what your competitors are doing.
- Respond – If your organisation is on social media then you have to ensure you respond within a reasonable timescale. Set service level agreements (SLAs) and then monitor performance to see if they are being achieved.
- Control – Social media has an ability to get out of control so your organisation needs to think about how it is governed. Policies need to be put in place and then policed. Organisations need to think about governance and the policies that exist with other communications channels and how this can apply to social.
Just understanding the risks isn’t enough. Grant Thornton have put together a simple set of questions that every organisation should be able to answer in assessing the risks:
- What role does social media play in the strategic plan?
- Who, if anyone, reports to the board on social media?
- How is social media used inside and outside the organisation?
- How are you telling employees to use or not use social media?
- How much and where are you monitoring social media activity?
- What products and services can you deliver through social media?
Social media strategy needs to go hand in hand with corporate strategy, with questions about governance, education and training, and risk and impact considered at board level. Unless all of this is tied together then it is impossible to drill into the detail around each of the areas of Legal, Reputation, Operations, IT and Regulation.
