Recent surveys reveal that social media governance is disjointed and even nonexistent within many of our corporate structures. In a September 2013 Financial Executives Research Foundation Inc. (FERF)/Grant Thornton LLP survey of senior-level executives from both public and private companies, 59 percent of executives say their company does not perform risk assessments of social media. Additionally, in a recent IIA quick poll asking respondents about the maturity of their organization's approach to social media, nearly two-thirds say they have done nothing in this area.
These survey findings show that little has been accomplished regarding governance of social media, despite the fact that, according to the FERF study, 55 percent of respondents say social media will be an important component of corporate marketing efforts going forward, and 66 percent see their company's use of social media increasing over the next 12 months.
Is your organization among the majority that are not conducting risk assessments? If the newness of the medium strikes fear in your heart, just return to the basics of risk assessment. It is partially about the "what if" and involves speculating about risk and potential outcomes. One way to do this is to ask yourself and your senior leadership questions that begin with, "What would happen to the company's reputation if, say, a negative tweet were posted about…?" The executives' reactions are a good measure of the severity of the threat.
We are starting to see more collateral on addressing social media risk. Recent conferences are filled with practical advice, and books have been written to assist us with points of policy development, identifying users, and training.
Policies, for example, should provide structure for oversight, monitoring, and consistency as to how social media is used within the organization. The policy should outline the corporate social media strategy, identify who owns the oversight, explain why social media is important to the organization, and present the dos and don'ts of social media participation. This activity is key when beginning to address the reputational and compliance risk embedded within social media.
Another key element of social media governance is identifying the corporate social media users. Are there corporate accounts in the social media space? If so, who manages those accounts? Who monitors activity on those accounts? These user groups should be aligned with the goal of the policy — to provide a platform for consistency of practice among the user group. The policy should be used as a guide to what is expected and who is responsible, thus creating consistency for all users. Be sure to maintain this library of users, as it likely will change regularly. Stay plugged in through oversight as specified by the policy.
The organization should identify a social media spokesperson who is charged with accountability for social media governance, including official company account activity, policy enforcement, and monitoring the "mentions" of the company on social media. The key is ensuring any negative activity is understood and evaluated to determine if an official response is warranted. This role is vital to managing corporate responses.
Training is fundamental to understanding the rationale for governance and accountability. In the most recent FERF survey, 36 percent of executives say their company has social media training, compared to just 21 percent who reported training in 2011. A key component of training is a clear discussion of risks. Ask the trainees what they see as risks. Some of the answers might be surprising. Many times, training provides a basis to recognize the risks. Once individuals grasp the importance of risks, significant foundational support is in place for governance and policy. Gaps in understanding of oversight, roles, and responsibilities could be a focus of training.
Clearly the full embrace of diverse communication tools is upon us, as these recent surveys show. This shift in corporate culture forces a shift in standards for internal auditors and in how they approach reputational and compliance risks associated with issues such as compliance, shareholder expectations, and information for decision-making.