A social media governance framework can be used to address a range of internal and external risks.
Engaging customers in real time. Adding sales channels. Listening to the marketplace for risks and opportunities. Communicating with shareholders. Collaborating across the enterprise. The power of social media as a strategic business tool also presents substantial risk that can undermine a company's reputation, at viral speed.
As many companies and their boards are learning firsthand, the company no longer controls its own brand on social media sites like LinkedIn, Twitter, Facebook, YouTube and others.
In addition, the lines between personal and work-related social media use are easily blurred. And now, employees can collaborate via social media with or without the company's approval. Even to those companies not actively using them, social networks pose inherent risk -- from threats to confidential information or intellectual property to reputational damage, and the potential for regulatory infractions.
Indeed, the SEC's announcement that companies can use social media outlets to announce key information about the company further highlights the challenges posed by these networks as a source of information to investors and the marketplace. A key challenge for audit committees -- or whichever board committee has responsibility for this area of risk -- is to help ensure that management (often spearheaded by marketing and closely supported by legal, HR, compliance and IT) has in place a social media governance framework that effectively addresses the range of internal and external risks.
To this end, we offer some key considerations:
Can management demonstrate an understanding of how the use of social media is evolving and impacting the business -- and the associated risks? How can social media impact our marketing strategy and sales channels, and how we reach and engage our customers? Are we listening to what the marketplace is saying about the company? Have we identified and communicated the risks posed by the evolution of social media, including unique risks to the organization in areas such as workforce effectiveness, information protection, reputation risk and legal/regulatory risk? How effective are our controls around these risks?
Is someone actively monitoring the major social media networks to identify potential problems and opportunities? Is the company using a social media-monitoring tool, and is the use of such a tool incorporated into the company's enterprise risk management process? How does the company decide when to react to potential reputational issues being discussed in various social media -- and, when needed, how does the company respond, and under whose direction?
Do we have a single, clearly defined policy regarding employee use of social media both on the company's enterprise technology and employees' personal devices? Employee use of social media raises a host of issues unique to the company, including employee commentary on company matters and workplace conduct, the protection of the company's IP rights (logos, registered phrases, developing products, business plans), information privacy, proper use of company devices to access external social media sites and the company's right to monitor employee postings on those sites. What training on the use of social media do we provide employees?
Does the company's social media governance framework define how the "voice of the company" will be managed? Without guidance, employees, by default, become unsupervised spokespeople for the company. Investor relations and marketing/communications should play a central role here. How will social media be used, and by whom? What is the target audience, and what behaviors do we want to drive? Have we identified and trained the organizations and key staff -- and clarified roles and responsibilities -- that will be accountable for the company's social media activity? Do we have formal guidelines for all-market-facing organizations? Do we have procedures for message approval so that key constituents (e.g., legal/regulatory compliance, IR, marketing/communications, et al.) can have timely input? If the company decides to use social media to release key material information to the marketplace, are there disclosure controls and procedures in place to ensure compliance with the SEC's "fair disclosure" requirements (Reg FD)?
How do we monitor compliance with the company's social media policy? Who is responsible for enforcement of the policy? Internal audit may have a central role to play, focusing particularly on the adequacy of controls around the key risks posed by the use of social media, and auditing the adequacy of the company's social framework, including employee adherence to the policy and the effectiveness of employee training. Agreement on the frequency and nature of reports from management on the company's social media activities -- compliance, reputational issues, customer sentiment, emerging risks and opportunities, etc. -- is vital.
Directors should also have a clear understanding of the risks their own participation on social media can pose to the company. By all means, follow relevant tweeters, link in, listen to what's being said about (and by) the company; but caution is key. Ask for guidance from the company about its expectations for directors' use of social media and how to handle communications that directors may receive over these channels related to their service as board members. If none is readily available, this may signal a need for social media risk to be more deeply assessed.
Sanjaya Krishna, Advisory principal and U.S. Digital Risk Consulting leader, KPMG LLP, contributed to this article.