A Comprehensive Approach to Managing Social Media Risk and Compliance
FOREWORD

SOCIAL MEDIA HAS GROWN IN POPULARITY AND IMPORTANCE FASTER THAN MOST COMPANIES’ RISK MANAGEMENT CAPABILITIES CAN CURRENTLY HANDLE.

In one year alone—from 2012 to 2013—the number of social network users around the world rose from 1.47 billion to 1.73 billion (about 25 percent of the world’s population), an 18 percent increase. By 2017, the global social network audience is expected to total 2.55 billion.1 More than 72 percent of all internet users regularly access social networking sites.2 And, in the UK and US alone, people spend respectively 13 and 16 minutes every hour using social media.3

Perhaps more important is take-up of social media by businesses around the world. Among Fortune 500 firms, 77 percent now have active Twitter® accounts, 70 percent have Facebook® pages and 69 percent have YouTube™ accounts.4

At issue here is the fact that traditional risk management policies and procedures were not designed for, quite literally, minute-by-minute monitoring of social media chatter to identify brand, strategy, compliance, legal and market risks.

Those risks are considerable. Financial institutions have had to shut down social media forums due to unanticipated negative feedback; the stock markets have been buffeted by fraudulent social network postings; businesses have had to change or rescind strategies in response to the force of social media; other businesses have suffered brand damage due to the power of social media to send negative impressions almost instantly around the world.

This Accenture paper, “A Comprehensive Approach to Managing Social Media Risk and Compliance,” acknowledges the power and importance of social media to businesses in every industry. At the same time, it helps identify and explore many of the potential negative consequences posed by social media in terms of brand, strategy, regulatory, legal and market risks. More important, it outlines a holistic approach to identifying, assessing and managing those risks.

Our focus is on distinctive responses—policies, procedures, technologies and competencies—across traditional risk management categories of governance, processes and information technology.

Especially important is the human dimension—creating a risk culture that is attuned to both the significant benefits and the distinctive risks of social media, and putting in place the compliance and performance management capabilities that can lead to changed behaviors in social media usage.

We augment these discussions of methods and best practices with practical advice from risk professionals. These are especially interesting inputs to the discussion because they tap into very timely concerns—such as the global head of privacy and information management for a major US bank discussing how recent regulatory changes require his bank to track social media complaints, even if they have not been officially lodged. As he says, that demand is “taking the industry by storm.”

Another of our interviewees notes, however, that it’s important for financial services institutions and all businesses to “be bold.” Build a social media presence and “create some cool things.” In fact, an effective social media risk management capability can bring bold ideas to life and make a difference in the business outcomes your company delivers.

Steve Culp
Senior Managing Director
Accenture Finance & Risk Services
INTRODUCTION: THE BENEFITS AND RISKS OF SOCIAL MEDIA

DID YOU HEAR THE STORY ABOUT THE HACKER WHO FRAUDULENTLY USED THE ASSOCIATED PRESS’S TWITTER® ACCOUNT TO POST NEWS OF AN ALLEGED BOMBING AT THE WHITE HOUSE, CAUSING THE STOCK MARKET TO DROP ABOUT 150 POINTS IN JUST MINUTES?

Or the “pump and dump” stories about people using social media to post fake news about a company’s performance, then profiting from the bump in stock price? Or the stories of criminals who have used personal information posted by people on their social media pages to glean answers to security questions and thereby gain access to their bank accounts?5

You have probably heard these stories and many others like them. They are evidence of the fact that, however many benefits social media platforms provide for companies in terms of communications, publicity, increased consumer engagement and more, social media also carries with it many risks.

SHORTFALLS IN MANAGING SOCIAL MEDIA RISK

Are companies taking these risks seriously and handling them methodically? The data strongly implies that they are at times overconfident and inadequately prepared.

According to a recent survey that looked at corporate social media risks and rewards, almost three out of four executives surveyed (71 percent) said that their company is concerned about these risks but “believe the risks can be mitigated or avoided.” Another 13 percent indicated they felt their company does not currently believe it has any appreciable risks.6

Of equal concern to this kind of misplaced overconfidence was the fact that 59 percent of respondents reported that they had no social media risk assessment plan in place, and only 36 percent reported offering social media training.7 What could explain this apparent complacency?

One issue is that a great deal of press coverage is focused on the brand or reputational risk aspects of social media use. But reputational risk is only one among many types of social media risks, and in some cases can hide or obscure other types of risks under a single label of brand value and reputation.

It stands to reason that if companies do not have a broad enough understanding of social media risks, they are likely not to have in place a broad enough approach to managing social media risks.

A COMPREHENSIVE AND PROACTIVE RESPONSE

This paper presents a comprehensive approach to managing these social media risks more effectively. The approach involves structures and actions across several major streams of work, including governance, processes and information systems—supported by leadership, culture, compliance and performance management activities that strengthen the human dimension of risk management, which can often be the weakest link.

Although the paper focuses primarily on the financial services industry, the insights and prescriptions are applicable to most other industries. We have augmented and supported the analyses and recommendations in the paper with insights from several banking executives in areas such as information security, social media and privacy who are working to manage risk effectively while expanding their institution’s social media presence. Interviews with these executives were conducted exclusively for this report.

Social media is in many respects an unstoppable cultural force, in spite of some organizations’ attempts to block or curtail its use. Because social media is this kind of force—ubiquitous and powerful—it is better to manage it effectively than try to stand in its way.
PART 1: THE RISE AND THE RISKS OF SOCIAL MEDIA

THE NUMBER OF COMPANIES, AND THE NUMBER OF COMPANY EMPLOYEES USING SOCIAL MEDIA APPLICATIONS IS GROWING AT A RAPID PACE.

According to one report,8 the number of social network users around the world rose from 1.47 billion in 2012 to 1.73 billion in 2013 (about 25 percent of the population), an 18 percent increase. By 2017, the global social network audience is expected to total 2.55 billion. (See sidebar, “Social media in context.”)

Among corporations, establishing a social media presence is now more than accepted—it’s expected. Among Fortune 500 firms, 77 percent have active Twitter® accounts, 70 percent have Facebook® pages and 69 percent have YouTube™ accounts. About one-third (34 percent) maintain active blogs.9 Over 90 percent of US companies use social media for recruiting.10 In the financial services industry, other ways in which social media has value include:

• Branding
• Marketing/advertising
• Corporate communications
• Servicing
• Grievances resolution

A significant sticking point when it comes to properly leveraging social media is dealing with the many risks to which companies are exposed. According to the 2014 RiskTech100 report,11 published by Accenture and Chartis, reputational and brand risk is the one most often discussed, and certainly it is a serious one. Negative exposure on social media sites, or inappropriate or unauthorized action in the company’s name, can result in lost trust and lost revenues.

But underlying these reputational risks lie several other types of serious risk:

• Strategic risk
• Business risk
• Regulatory risk
• Legal risk
• Market risk

If not effectively mitigated, these risks can lead to serious negative consequences including fraud, intellectual property loss, financial loss, privacy violations and failure to comply with laws and regulations. (For more, see sidebar, “Sources and types of social media risks.”)

As an example, consider the mix of business, regulatory and legal risks in the following: According to the global head of privacy and information management for a major US bank interviewed for this paper, “The biggest risk for me is our employees disclosing information about our clients on social media. This risk is especially prevalent given the growing presence of Millennials in the workplace, because they are accustomed to sharing personal information and many of their current activities over social media. At times there is over-disclosure of their personal life moments, which can bleed over into their professional life moments, and we need those to be confidential.”

Complicating companies’ plans to mitigate these risks are several marketplace, technology and organizational factors. For example, the number of social media platforms is growing constantly, which means companies are, as the saying goes, trying to change the tires on a moving vehicle. The complex media environment makes it difficult to integrate with a company’s operating model, which means an organization is often reduced to simply reacting to events after they’ve happened, instead of taking proactive steps.

Finally, social media risks are difficult to quantify. Most corporate initiatives are not approved without a strong business case, but beyond pointing to well-known examples of companies that have suffered losses because of social media, comprehensive cost/benefit analyses are still in their early stages—meaning that many risks still go uncontrolled.

In fact, a standalone business case for managing social media risk is rarely necessary, assuming that companies already have created a business case for expanding their social media operations. Typically the risk assessment that comes with this case involves looking at potential negative outcomes, assessing the damage they could do and then assigning a probability to those scenarios. What is the cost of those risks compared to the costs of not being in the social media game at all?
SOCIAL MEDIA IN CONTEXT

In the words of a senior executive of social media for a major international bank, “One risk is actually not being open enough to social media, actually knowing its role in business and culture. I still hear stories of executives in the industry not taking social media that seriously—that it’s just a ‘nice to have.’ But there is great power in it. This can be negative, given the speed with which issues spread on social media. But it can also be extremely positive. It can foster better relationships or create additional touch points in the digital marketing space.”

At the same time, this executive notes that social media “must be understood to be equally important as other channels: radio interviews, TV broadcasts, newspaper and magazine articles, web articles and so on.”

Customer and client demographics are among the factors playing a role in the extent to which banks enter the social media arena and at what pace. The Chief Information Security Officer (CISO) for a US regional bank notes, “Social media is a channel, but because of the demographics of our business, at this time it is as important—no more and no less—as, say the branch channel, the call center or online banking. The story here is the demographics of our customer base which tends to be a bit older. For other banks targeting younger and affluent communities, social media is more often prioritized higher than the other traditional banking channels.”

For whatever reason and whatever the pace at which a financial institution embraces social media, the channel’s many risks must be identified, monitored and managed. To be prevented is a situation in which banks extend their social media exposure before recognizing and anticipating the threats.
SOURCES AND TYPES OF SOCIAL MEDIA RISKS

WHILE OFFERING A HOST OF POTENTIAL BUSINESS BENEFITS, THE USE OF SOCIAL MEDIA CAN EXPOSE COMPANIES TO NUMEROUS BUSINESS RISKS. MOST OF THESE RISKS RESULT FROM A COMBINATION OF ORGANIZATIONAL WEAKNESSES AND VULNERABILITIES EXPOSED THROUGH DATA MISUSE AND DATA SHARING.

PLATFORMS FOR DATA SHARING
• Blogs and microblogs
• Photo- and video-sharing
• Social networking
• Search engines
• Auction sites
• Business sites
• Message boards

ORGANIZATIONAL WEAKNESSES
• Ambiguous policies
• Unclear roles
• Inconsistent processes
• System vulnerabilities

DATA MISUSE
• By employees: accidental or malicious
• By non-employees: accidental or malicious

SOCIAL MEDIA RISKS
• Fraud
• Intellectual property loss
• Financial loss
• Privacy violations
• Brand damage
• Non-compliance

Source: Accenture, August 2014

FRAUD

Several high-profile cases of hackers representing themselves as organizations or companies have highlighted the potential of social media to perpetrate fraud that is harder to deal with because information goes “viral” so quickly in an online and wireless world. These cases have had serious consequences. Hackers representing themselves on Twitter® as the Associated Press posted a false story about a bombing at the White House which caused the Dow Jones Industrial Average to fall about 150 points in a matter of minutes, representing approximately $150 billion in market value.12 Several other news organizations have had their online presence compromised through similar kinds of activities.

In other cases a hacker misrepresenting a company has posted fake announcements with exceptional financial news, causing and then profiting from a rise in the company’s stock price. These actual cases and their importance have not been helped by a new trend used by several companies which involves “fraudulent fraud”—that is, staging a fake hack as part of a promotional program.13

Fraud risks from social media are likely to increase dramatically because of the Securities and Exchange Commission’s decision in early 2013 to let businesses conduct financial disclosures and release material information over social media platforms such as Twitter® and Facebook®.14 The stakes are getting higher. Although no penalties are yet in place if a company has vulnerabilities that allow it to be hacked in a way that manipulates a market, this could change. One of the commissioners with the US Commodity Futures Trading Commission has called for fines to be imposed on companies when such things happen.15 (For more on regulatory compliance and controls, see the sidebar, “A Summary of Social Media Regulations in the US and UK for Financial Services Companies,” page 19.)

LOSS OF INTELLECTUAL PROPERTY

Corporate espionage is a thriving business: One estimate is that among the world’s 1,000 largest companies, espionage results in $45 billion in losses every year.16 It’s an activity that has been made easier in many ways by the growth of social media.
To understand why, consider the different ways that data and information can be misused by people. First, it can be misused by people both inside a company and external to it; second, it can be misused or shared accidentally or maliciously.

So the salesperson who establishes LinkedIn® relationships with customers doesn’t intend to disclose a confidential and highly valuable customer list, but in effect is doing so. Employees who make a Facebook® posting or tweet about interesting work they are doing may mean no harm; but a good corporate spy might be able to put several such pieces of information together to develop advance information about a company’s product that’s still at the R&D stage. In one case, spies working for a security consultancy were able to predict that a company would file for bankruptcy based on employee tweets about budget cuts and the fact that the vice president of operations was looking for a job on LinkedIn®.17 (The irony here is that in some cases LinkedIn® is the only social media site that banks do not block for their employees because they believe it is a “professional networking” site.)

In another case, a spy assumed a different identity and sent a Facebook® friend request to a corporate executive. As the days went by, he dropped his guard and eventually shared non-public information about his company’s revenues.18

FINANCIAL LOSS DUE TO MALWARE

Because users of social media platforms such as Facebook® so often send links to each other—links to videos, music and so forth—it has become distressingly easy for hackers and spies to install rogue software on computers when people inadvertently click a bad link—including, in some cases, what looks like a legitimate advertisement. Such malware can cause a variety of mischief, including luring people into fraudulent transactions or using hidden software to steal data and personal information, as well as corporate information that might be on the computer.

In another recent trend, hackers are establishing second Facebook® pages for people and companies, thus establishing relationships in which someone might divulge important information. Some other scams have used messaging capabilities within social media platforms to conduct computer attacks.19

In other cases, phishing schemes that look like legitimate messages from a social media company result in users revealing their password. Many people use the same password for multiple accounts, which could mean someone now has a password to the person’s corporate network.20

PRIVACY VIOLATIONS

In some highly publicized cases, social media sites have experienced security breaches in which confidential user information was shared publicly. This happened to Facebook® in early 2013, when a software bug enabled a program to inadvertently share six million users’ information such as email addresses and phone numbers. The breach meant that any company that was using Facebook® to promote its business might have had its customers’ information shared publicly.21

Another way that customer privacy can be violated is through a technique called “data scraping.” This is a method of tracking people’s activities online and gathering personal data from their use of social media sites as well as online sites. In some cases, this is done by research companies who then sell the data to other companies.

And then there might always be some previously undiscovered back door into a social media application. This happened in 2010 to Foursquare®, the site where users check in to let friends know where they are and what they’re doing. A programmer discovered he could write a program mining the photos of users to know where they were almost any hour of the day. Foursquare® fixed the bug, but the sense that social media users are laying down a constant track of information has to give people and corporations pause.22
PART 2: THE ESSENTIAL COMPONENTS OF EFFECTIVE SOCIAL MEDIA RISK MANAGEMENT

COMPANIES TYPICALLY ENCOUNTER A NUMBER OF ORGANIZATIONAL WEAKNESSES AS THEY BEGIN TO ANALYZE THEIR VULNERABILITIES TO SOCIAL MEDIA RISKS.

For example, policies governing the use of and access to data may be outdated or weak. Roles and responsibilities for oversight of the various risk dimensions could be unclear. Processes for managing risk are often inconsistent from business unit to business unit or from location to location.

In the face of social media risks and these organizational vulnerabilities, Accenture recommends a social media risk management approach with distinctive activities across governance, processes and systems. (See Figure 1.) These become the value catalysts for realizing the full potential of a social media strategy. The three main components are augmented and supported by other activities having to do with compliance, culture and leadership, and performance management.

FIGURE 1: ACCENTURE’S COMPREHENSIVE FRAMEWORK FOR EFFECTIVELY MANAGING SOCIAL MEDIA RISK

Risk-Aware Culture: Generating enterprise-wide responsibility for social media risk management
Compliance: Monitoring of regulatory initiatives related to social media risk management at all levels
Performance Management: Assessing effectiveness and progress toward improvement

GOVERNANCE
Creating new structures and policies for managing social media risks
An established social media risk management structure including:
• Formally defined roles and accountabilities enterprise-wide and within exposed functions
• Coordination among business units
• Acceptable-use policies for social media
• Well-defined risk tolerance levels
• Defined escalation pathways
• An operating model for crisis management

PROCESSES
Adjusting operations for proactive social media risk assessment and monitoring
Consistent processes to manage operations while identifying business opportunities. Processes include:
• Social media risk identification across categories (e.g., reputation, intellectual property, fraud prevention, business disruption)
• Risk assessment, reporting and monitoring
• Cost-effective risk mitigation/transfer

SYSTEMS
Managing data effectively and leveraging new technologies to mitigate social media risks
Effective use of technologies to improve data management and the monitoring of social media activity, including:
• Social media data mining and capture (e.g., analytics, web crawlers)
• Text analytic engines
• Data security and storage
• Reporting and dashboards

Source: Accenture, August 2014
I. GOVERNANCE

Governance is focused on creating new structures, policies and accountabilities for managing social media risk, as well as the awareness of how the organization is using social media strategically and operationally. Although general governance principles apply in the realm of social media as with other corporate strategies, some specific differences and permutations need to be noted in several areas, including the need to coordinate effectively across functions and the need to have well-defined crisis management procedures that can be instituted at a moment’s notice.

DEFINED ROLES AND ACCOUNTABILITIES FOR SPECIFIC TYPES OF SOCIAL MEDIA RISKS

As noted earlier, the risks arising from the use of social media in a corporate environment expose many different functions and groups to risks—from compliance to corporate affairs to IT to marketing. These groups need to cooperate to combat their mutual vulnerabilities, which means sharing information and operating according to consistent policies and understandings.

Part of this shared understanding involves clearly defined roles and accountabilities. In Figure 2, we show a sample or illustrative governance structure which provides an idea not just of the lines of reporting, but also what role each function can play in identifying, assessing and managing particular kinds of risks. The marketing organization, for example, might be primarily focused on brand or reputational risk, while the legal and audit departments would be accountable for privacy issues and fraud, respectively.

As noted by the social media executive for an international bank, it is important to structure the organization and the assignment of responsibilities such that the risk function is always participating in strategic discussions. “We have an extensive risk management network. Each part of the business has its own team, so there needs to be coordination. From a risk perspective, having a central steering group may not always be the most effective way to get things done quickly. However, it is always important to have a representative from risk sitting at the table—someone from compliance, someone from legal, and so forth, to provide guidance to the business and make sure what the company is doing is sound.”

FIGURE 2: AN ILLUSTRATIVE EXAMPLE OF A SOCIAL MEDIA RISK MANAGEMENT GOVERNANCE AND ACCOUNTABILITY STRUCTURE

Executive Sponsor Group
• Sets role of social media in enterprise
• Sets risk tolerance levels

Risk Management
• Embeds social media in enterprise risk management
• Audits processes

Corporate Communications
• Sets communications policy
• Identifies social platform and channels

IT
• Implements data and analysis technology
• Secures data and IT

Social Media Risk Manager
• Reports risks
• Trains personnel
• Audits processes

Audit: Manages risks such as fraud
Marketing: Manages risks such as brand damage
Legal: Manages risks such as privacy violations
Strategy: Manages risks such as intellectual property disclosure
Human Resources: Manages risks such as misconduct

Source: Accenture, August 2014

COORDINATION WITH OTHER BUSINESS UNITS

Although the banking social media executive had some caveats about the limitations of a central risk group, he went on to speak of the importance of coordinating the social media strategy itself as a means of mitigating reputational and business risks. “We occupy a very large piece of real estate in the social media sphere, covering all our business units. So from that perspective, it is important to have a central group—in our case, the marketing and branding division—that oversees the social media strategy.” Larger organizations need to make sure that different units do not post conflicting statements. “It’s very important to make sure everyone knows what each other is doing,” he concluded.

ACCEPTABLE-USE POLICIES FOR SOCIAL MEDIA

Creating an acceptable-use policy for employees (as well as, potentially, contractors and vendors) when it comes to social media does not involve starting with a blank page, but rather building on existing policies covering media interaction, public communications, the handling of confidential information and how to protect against the misuse of information. (The Social Media Governance organization maintains a database of sample social media acceptable-use statements from more than 200 organizations at: http://socialmediagovernance.com/policies.php.)

In general, such policy statements should encourage, rather than discourage, social media activity, and help provide strong guidelines and examples of behaviors that are acceptable and not acceptable.

However, among the policies that banks need to be wary of is how to reconcile building relationships over social media with their consequent risks. One policy among some banks, as noted by the CISO of a US regional financial institution, is that the bank does not interact with customers (yet) over social media but only through branch, phone or banking channels. Said this executive, “It’s vitally important for banks to consider the many risks—including reputation and compliance—that come with customer interaction over social media.”

According to the head of privacy and information management for a major US bank, sometimes the goals of the marketing organization and the risk organization may come into conflict. Said this executive, “The bank has been increasing our social media presence for our client-facing staff. Given that emphasis, salespeople might want to establish a LinkedIn® or Facebook® relationship with a client. Although not yet an official policy, we strongly discourage this because of the heightened risk it brings of disclosing private information about clients on a public social media site.”

In other cases, social media sites are blocked from a bank’s corporate workstations. Although such a policy might be viewed as untrusting or overbearing, the banking social media executive we spoke with offered a different perspective. “When I first joined the bank,” he said, “I thought that blocking social media access was a backward step; my attitude was, ‘It’s a new age, get with the program.’” Earlier in his career, this executive had worked in an industry more reliant on social media. “In a banking environment, however, the risk of personal data getting out is so much greater. So, being blocked from social media by default is not about being Big Brother. After all, an employee can still use a smartphone to access social media. From a policy perspective, this is part of doing everything we can to protect everyone—clients, employees and our stakeholders.”

WELL-DEFINED SOCIAL MEDIA RISK TOLERANCE LEVELS

Companies with a mature enterprise risk management function are accustomed to speaking about risk tolerance levels. For example, they set trading limits or, if they are operating in a country where unrest is present, will set a tolerance level about employee safety and when they need to pull employees out.

Similarly, companies need to define what their risk tolerances are for social media. For example, if a company wants to encourage more open engagement with the public at large and get many people talking about their brand, that is an opportunity that carries with it a higher degree of risk; people who do not know the company very well will be making posts visible to thousands of people.

Another consideration is about what kind of information the company is comfortable sharing over social media sites. Does it want to share financial information that increases transparency—something welcomed by suppliers and contractors but which could also expose information to competitors? In general, it is important for companies to run scenarios with outcomes of increasing levels of impact to determine where they want to set limits.

DEFINED ESCALATION PATHWAYS AND REPORTING LINES

It is important to appoint, for each key category risk, an individual who is responsible for making ultimate decisions about social media risks, managing risks and handling any crises that may arise. From the risk owner downward in the organizational structure there should be a clear reporting line—an escalation pathway such that if an indicator of risk appears everyone knows exactly how the issue is to be escalated.

AN OPERATING MODEL FOR CRISIS MANAGEMENT

In a certain percentage of cases, almost inevitably, “risks” become real issues that need to be dealt with. To plan for such an occurrence, companies need what the banking social media executive terms, “an operating model for crisis management.” In today’s environment, when a customer is dissatisfied, they are now empowered to complain instantly to a large number of people through social media; if a large number of people retweet or repost this information, the bad impression can go viral very quickly.

Two things are especially important in these instances, notes this executive. First, for some types of issues, some messaging and responses need to be pre-written and pre-approved by public relations and the legal department, “so responses can be made very quickly by approved people who are notified of an incident.”

Second, for instances when pre-approved responses are not enough, “it is vital to ensure that you’re able to get key decision-makers together very quickly and agree on some joint messaging. It’s also very important that every stakeholder in social media within a large organization buys into that as well, because if they don’t think it has anything to do with them the entire organization could be at risk.”

In some cases, continues the executive, “the correct rapid response is a high-level acknowledgment of an issue, with the clear message that you are looking into it and will provide an update as soon as possible. Such an answer can go a long way toward placating dissatisfied people. It’s even better if you can give them an estimate as to when you’ll get back to them. So managing expectations is very important.” In some cases, companies have stumbled in the social area “because they either just went silent or, equally bad, simply pushed out responses without establishing a two-way conversation.”

FROM GOVERNANCE TO PROCESSES

Together, these capabilities and structures define an effective governance structure. However, policies and structures only come alive as they become actions. For that, we turn to the second component, processes.
II. PROCESSES

Effective social media risk management processes protect operations and the brand in a cost-effective way—adjusting operations for proactive social media risk assessment and monitoring. Companies are already aware of the importance of having consistent processes in place to handle identifying, measuring, managing and reporting on risks. However, such processes will often look somewhat different in the social media world, in part because of the always-on nature of social networking platforms.

IDENTIFYING THE RISKS OF SOCIAL MEDIA AS WELL AS THE OPPORTUNITIES

Social media risks need to be accurately identified across categories—for example, reputation, intellectual property, fraud prevention and business disruption. Risk identification builds upon the guidance set forth in this paper’s discussion of governance. That is, to identify risks properly requires knowing what the company’s risk tolerance levels are for different activities. It means being familiar with policies to understand broadly what the company’s attitudes are. And it means understanding roles and accountabilities to bring the right people together to properly and accurately define risks.

Part of risk identification is actually identifying business opportunities. For example, given your institution’s known social media risk strengths and weaknesses, what could be done in the way of new products, services, product development partnerships and so forth? What are the opportunities to cut costs or reach customers in new ways? Risk management, after all, is not about suppressing profit-generating activities but rather about properly directing those activities.

ASSESSING AND REPORTING ON RISK FROM DIFFERENT FUNCTIONAL PERSPECTIVES

If we refer back to Figure 2, the illustrative governance structure, another way to understand the responsibilities of the individual functions is to say that they are charged with collecting information, monitoring the risk environment and paying attention to the early warning signals that indicate something could go wrong. The methodology used may differ by function because they are dealing with different channels and platforms. An HR director might be paying attention to sites such as LinkedIn®, while legal might be monitoring email traffic to see if any issues of liability are arising. Marketing would be monitoring various platforms to understand how the brand is being used or discussed by customers.

In each case, however, what is consistent is that companies are identifying, assessing and managing risk and then reporting this up to a social media risk manager who consolidates the information, escalates any issues and effectively audits the process being used by the various functions. The risk manager works to ensure that the groups are monitoring activities with the right frequency and that the data and reports they are providing are of high quality.

MONITORING RISKS CONTINUOUSLY

Senior management needs to be provided with the appropriate information with the right amount of frequency to manage social media risks appropriately. However, risk monitoring is a more complicated process in the social media world than it is with more traditional transactions and communications. Social media is always on, especially for a global business, so monitoring in effect needs to be continuous.

One of the benefits of social media monitoring is early identification of problems that can lead to increased business risk. According to the banking social media executive, “Input from social media can help companies take rapid steps to fix a problem. If you get 500 tweets on a particular issue, those people cannot possibly all know each other, so it’s an indication of a real problem that you can then quickly address. With tweets, you can also identify a general geographic area, which also really helps to identify where the issue is occurring.”

Some companies are taking advantage of technologies to augment actual human monitoring. Web crawlers can be deployed that use sentiment analysis technology to find references to a company, infer whether the reference is positive or negative and in what context (e.g., customer care, product quality) and report back. In this way, reputational risks can be identified faster and counter-actions put in place quickly.

Other technologies are now helping companies monitor employee activity on social media to assess business risks. For example, many financial institutions are looking into more compliance-related tools that prevent an employee from saying anything on social media that violates a particular regulation. In the UK, Hearsay Social, Inc. offers financial services institutions a platform, integrated with existing systems, to roll out and manage social programs while meeting compliance requirements. In the US, Actiance Inc. provides a platform that helps firms manage social media channels by:23

• Controlling access to applications, including authorizations.
• Monitoring social media content to protect brand value and ensure data security.
• Capturing social media conversations in context to provide more robust information.
• Searching all captured content quickly, supporting legal and discovery inquiries.
• Archiving all social media activity captured to support compliance with regulations.

The ability to halt risky social media activity before it becomes a problem is an important feature, notes the banking social media executive. “For example, say a customer tweets you with an issue with their business credit card, and you respond and say if you’re having trouble with your credit card, call this number, that tweet will get blocked and rerouted to monitoring. This way a bank knows if the tweet was a promotion or whether it indicated an issue with service.”

In some cases, companies have established a social media center of excellence to gather better insights on their customers’ needs, understand the perceptions held of their brands and help better engage with customers on social media going forward. For example, a US-based global pharmaceutical company asked Accenture to help set up a regional Social Media Centre of Excellence (CoE) for Europe, Australia and Canada. The center will provide brand, corporate communications and medical teams in the region with strong social media monitoring and engagement support. Accenture leveraged best-of-breed social media management solutions and its proprietary Social CRM Integration solution to provide a 360-degree social view of the customer, personalized customer support and peer support to drive superior customer satisfaction and reduce operational costs.
MITIGATING AND/OR TRANSFERRING RISKS COST-EFFECTIVELY

A key goal of effective risk management is to decrease the likelihood that risks will occur, as well as improve the capabilities and capacities of the organization—people, processes, technologies and structures. However, it can also mean transferring some or all of the risk elsewhere. This could mean insuring against it—providing some compensation in case of brand damage or protection against directors’ liability.

On the other hand, companies may decide that an entire process is too risky for them and that their internal skills are not up to the challenge, which could lead to a decision to outsource the performance of a particular function. (See “Social media monitoring services for a global bank.”)

If companies have done their analyses properly of where the risks are, what the indicators are and what the risk tolerance level is, then that should provide them with strong guidance as to whether to mitigate the risk or transfer it.

III. SYSTEMS

Are you capable of monitoring social media networks in real time to identify what is being said about your company and what issues arise from that chatter from the standpoint of regulatory, business and brand risks? Such monitoring is now largely dependent on advanced technology. Improving the effectiveness of IT systems in the context of social media risk management is primarily about improving the management and analysis of data and using new technologies to monitor social media sites as a means of mitigating risks. Vast amounts of data are now on social media platforms and so companies need and want to manage that data effectively. Several capabilities are important here.

SOCIAL MEDIA DATA MINING AND CAPTURE

A number of tools are now available that enable companies to mine data across social media platforms and look for particular kinds of information. Web crawlers, referred to earlier, can extract user data from social networks. Data mining and analytics can turn the apparent randomness and chaos of millions of posts and tweets into information to guide marketers and business strategists.

Data mining of social media can improve business intelligence to provide better services and develop innovative opportunities. For example, data mining can help identify who the influential people are in the social media world, detect groupings of people, sense user sentiments, protect security and user privacy, and help build trust between companies and customers.24

TEXT ANALYTIC ENGINES

While crawlers and other tools gather the information or mine it, text analytic engines find meaningful patterns in the data to deliver insights. These engines can also segment information to support better decision making—decisions based on hard data, especially unstructured or “Big” data.

DATA SECURITY AND STORAGE

Social media regulations and technologies present new challenges for storing data—challenges related to architectures and security. These challenges are complicated by the fact that social media is generally based on third-party cloud applications—meaning that a company cannot itself control the security of those applications.

REPORTING AND DASHBOARDS

When data has been mined, analyzed, organized and stored effectively, this enables companies to do reporting in a more effective and timely manner. More comprehensive reporting can bring together multiple performance dimensions into a dashboard, helping management look across factors and see where vulnerabilities and risks are, then make better decisions.

SOCIAL MEDIA MONITORING SERVICES FOR A GLOBAL BANK

This major financial institution had in place a sophisticated monitoring capability for traditional media such as newspaper coverage. However, it needed the ability to adapt its risk management approach in light of its move into social media.

The bank was challenged by not having sufficient skills in-house to move to social media monitoring as quickly as needed.

Accenture now runs social media monitoring for the bank as a managed service. It is based on a global operating model designed to deliver more than a dozen services in four languages for the company’s major markets around the world as well as for various local and corporate business functions.
PART 3: ENABLERS OF EFFECTIVE SOCIAL MEDIA RISK MANAGEMENT

A NUMBER OF CAPABILITIES UNDERPIN THE GOVERNANCE, PROCESSES AND SYSTEMS OF EFFECTIVE SOCIAL MEDIA RISK MANAGEMENT. THESE INCLUDE A FOCUS ON LEADERSHIP AND CULTURE CHANGE; A SOCIAL MEDIA RISK COMPLIANCE PROGRAM; AND PERFORMANCE MANAGEMENT CAPABILITIES TO ASSESS EFFECTIVENESS AND PROGRESS TOWARD IMPROVEMENT.

RISK-AWARE CULTURE

One of the critical points to remember about risk management is that, in spite of the importance of governance, processes and technologies, much of risk management is still dependent on people, and therefore people’s behaviors must be managed. In the words of a banking social media executive, “Mitigating social media risks is not all about the technology. You can put in as many firewalls as you like, but people still need to be knowledgeable about risks and understand their role in mitigating them.”

Consequently, one of the key factors that distinguishes the best social media risk managers from their peers is their commitment to creating and infusing a risk-aware culture—an awareness of how the company is being exposed to social media risks and what each individual must do to help manage those risks. It is also important to conduct more detailed tacit knowledge and training across the corporate culture.

In every industry, people and skills are critical components in achieving risk mastery. One Chief Risk Officer that Accenture spoke to as part of another research initiative placed the challenge of the people dimension on the same level as increased regulatory risk and the challenge of organizational integration. The company has lost a number of critical risk management personnel, and the executive faces the challenge of replacing the knowledge held by those people. In a market where demand for risk management skills remains high, it is important that companies build these capabilities in a broader population and have up-to-date plans to fill key positions promptly when they are vacated.25 Alternatively, as discussed earlier, a managed services approach can be a way to obtain leading-edge skills and capabilities over the long term.

Effective managers of social media risks emphasize the importance of making risk management part of everyone’s daily responsibilities. In a company with a risk-aware culture, people at all levels instinctively look for risks and their impacts when using social media.

Making this happen requires that employees:

• Know the rules and guidelines;
• Adhere to those rules and guidelines; and
• Be held accountable for their performance.

Driving a more risk-aware culture also requires proper objective setting, clear roles and responsibilities, proper training and communication and, most important, a unified message from top management demonstrating its importance.

More specifically, proper awareness and management of risk exposure comes from a properly integrated operating model that links the legal function (for regulation interpretation and guidance), compliance (for program design and implementation), operational risk (for proper control and governance), business heads (for implementation and accountability), internal/external audit (as a third line of defense and testing), and technology (for automation and preventive controls that reduce human error). Managing all these moving parts effectively does not happen overnight or as a one-time exercise, but rather operates in a cycle of continuous improvement.

Leadership and sponsorship are equally important to creating a culture attuned to social media risks. A story told by one of our interviewees is a reminder that it is important to bear in mind generational differences that will persist—at least for a time—when it comes to social media and leadership. A US bank’s head of privacy and information management spoke of the work he did to understand this gap and to bridge it in a way that created change sponsors among the executive team. He says, “We had a long look at social media from a culture perspective. I facilitated a conversation with our senior management group. Interestingly, no one in the room actually had a Facebook® or Twitter® account. When asked their opinion about approving the use of social media, half said yes and half said no. Technology and HR were in the yes column because they used social media to connect with partners and to recruit, respectively. But the others didn’t see the need.”
The executive then met with the bank’s youth affinity group, a team of high-potential younger professionals. Not surprisingly, 100 percent of them had Facebook® and Twitter® accounts, as well as a presence on other social media platforms. So, part of building strong leadership and sponsorship when it comes to social media, concluded the executive, is understanding not only your current customer demographics, but also what those demographics will be in 10 years.

COMPLIANCE

The complex regulatory landscape regarding social media was discussed earlier, and the accompanying table (page 19) summarizes recent regulatory rulings regarding social media in the US and UK. Many companies find it challenging to manage and comply with multiple regulatory agencies, differing interpretations of regulations, and varying degrees of guidance on regulatory compliance.

On the other hand, as one of our executive interviewees noted, another way to look at social media compliance is that it is simply an extension of things banks are already doing. According to this CISO, “We’ve done a deep dive into the regulatory guidance for social media. The good news is that the implied guidance is: go back to what the bank does normally in handling complaints, suspicious activity and inquiries from customers at large. Make sure that you comply with extant requirements; file regulatory claims and suspicious activity reports; make sure that you get the Consumer Financial Protection Bureau involved; and make sure that your complaint process is well vetted and well thought through.”

In other words, an effective social media risk compliance program should not differ significantly from other compliance risk management programs. A compliance risk framework should include:

• Proper governance and oversight
• Policies and procedures
• Risk assessments
• Risk monitoring
• Testing
• Metrics and reporting

The compliance risk framework is designed to serve as a “safety net” to identify and capture emerging risks that could negatively impact a company’s financials, reputation and systems.

One thing important to understand is what’s different in the social media arena than in other areas of compliance. According to the global head of privacy and information management for a major US bank, in the US a recent change from the Consumer Financial Protection Bureau (CFPB) is that financial institutions are now required to track complaints that occur on social media—even if the complaint has not been lodged officially to the regulator or to the financial institution itself. Web crawler technologies, discussed earlier, can help by looking for key words and phrases for further analysis and reporting, but complaint tracking is a huge task and responsibility that is, in his words, “taking us all by storm.”

PERFORMANCE MANAGEMENT AND MEASUREMENT

Integrated risk performance management is essential if leadership at all levels is to have an end-to-end view of social media risks, their impacts, and their ability to be mitigated or controlled.

A framework for effective performance measurement in a social media risk management context includes:

• Identifying risks (emerging/emerged/realized) through data mining, trend analysis, systems and security.
• Reporting on risks (visibility, accountability, awareness).
• Managing risks (policies, procedures, preventive and detective controls, transfer or sharing of risk).
• Measuring performance of risk mitigation (benchmarks, key risk indicators and key performance indicators).
• Identifying opportunities to improve control effectiveness, reduce exposure and automate processes.

Some fear that a performance management and measurement capability could stifle innovation, something critically important to delivering a successful social media strategy; however, in fact, a proper performance management approach framework can actually enable people and the entire organization framework to pursue new approaches with proper protections in place.

With effective measurement and control capabilities, risk management procedures and a risk-aware culture, companies should be positioned to exploit future opportunities to leverage social media as a customer channel.
PART 4: CONCLUSION

INSTITUTIONS LOOKING TO ADVANCE THEIR SOCIAL MEDIA RISK MANAGEMENT CAPABILITIES RAPIDLY CAN FOCUS ON SEVERAL KEY INFLUENCE POINTS:

1. Assess vulnerabilities arising from social media use beyond just reputational risk. Consider how social media activity can expose the organization in terms of business, regulatory, legal and market risks.

2. Expand existing risk governance structures and activities to include social media activity. Define risk tolerance levels and acceptable-use policies and have in place effective means for issue escalation and crisis management where necessary. A decentralized governance model can lead to inconsistency in how social media policy is interpreted and implemented, so institutions should ensure governance structures cross organizational lines, making every part of the organization aware of what others are doing. Set a single point of accountability in the governance structure that crosses lines of business.

3. Establish advanced social media monitoring tools and technologies. These enable the risk organization to (a) collect data from various social media sources; (b) analyze unstructured data (such as information about customer sentiment) to enhance monitoring; (c) provide insights into the company’s overall risk situation; and (d) measure social media risk exposure according to the institution’s risk appetite.

4. Enhance existing performance management capabilities to analyze and act on the metrics delivered from monitoring activities. These metrics are defined based on different models that consider, for example, the use of crisis-scenario analysis and/or the decomposition of risk factors that may affect a company’s overall risk picture. The focus of risk measurement should be on defining how well controls are performing and where control improvement opportunities may exist.

5. Engage in enterprise-wide change management activities to create a more risk-aware culture. In our view, the most important (and most difficult) aspect of social media control centers on cultural awareness and change. Setting proper expectations and engaging in culturally aware implementation can have a great impact on social media risk control. Establish influential leaders in sponsorship positions to drive awareness and acceptance of the organization’s overall monitoring of social media use. Conduct training initiatives that use action learning principles, guiding employees at all levels toward behaviors that are more likely to decrease overall risk.

As one of our executive interviewees noted, social media can offer considerable advantages to financial institutions and most other types of companies. As the executive said, “My advice is to be bold.” Establish a presence on the most-used social platforms and “think about creating some cool things.”

The other advice: learn to listen. “Listening is absolutely critical for any company that wants to take social media seriously—listening to what people say to them and what they say about them. It’s very important to have the ability to analyze who is saying what, and then to be able to dig deep into it, establishing trusted relationships and improving the business at the same time.”

Yet, inherent in the use of social media are serious risks—reputational, business, strategic, regulatory and more. To mitigate these risks and to get more value from social media strategy, companies need to institute governance structures, processes and technologies unique to meeting social media challenges.
A SUMMARY OF SOCIAL MEDIA REGULATIONS IN THE US AND UK FOR FINANCIAL SERVICES COMPANIES

Areas (by agency), each with its Objectives and Impacts

GOVERNANCE

Federal Financial Institutions Examination Council (FFIEC)
Objectives:
• Policies and guidelines for advertisement content, selection of third parties, staff training and clear preview of roles and responsibilities
• Policies and procedures for data monitoring
Impacts:
• Enhanced control and monitoring of third parties
• Changes to risk management framework
• Enhanced data monitoring capabilities

Financial Industry Regulatory Authority (FINRA)
Objectives:
• Firms must adopt policies to ensure that persons participating in social media sites are appropriately supervised, have the necessary training and background to engage in such activities and do not pose a risk
Impacts:
• Enhanced HR policies for internal staff and training for third-party staff

Securities and Exchange Commission (SEC)
Objectives:
• Restrictions and prohibitions regarding the use of social media sites by investment advisers based on the firm’s analysis
• Check appropriateness of pre-approval requirements—either after-the-fact review or before publication
Impacts:
• Changes to existing content monitoring and approval process
• Changes to sales and marketing guidelines for investment advisers

Financial Conduct Authority (FCA)
Objectives:
• Social media includes any real time financial promotions like interactive dialog or telephone conversation
• Social media includes any non-real time financial promotions like email
Impacts:
• Changes to sales and marketing guidelines on usage for social media channels

DISCLOSURE

Federal Financial Institutions Examination Council (FFIEC)
Objectives:
• Disclosure of privacy policy
• Regulations for unsolicited commercial messages (spam) and unsolicited communications by telephone or SMS
Impacts:
• Control in content approval for external communication and external reporting
• Changes to sales and marketing channels as well as third-party guidelines for sales

Securities and Exchange Commission (SEC)
Objectives:
• Publish corporate website address and disclosures on external reports
• Disclosures on corporate websites identifying the specific social media channels for company usage
Impacts:
• Changes to public relations, corporate communications and external reporting guidelines
• Robust approval process of content on social media sites

PRODUCTS

Federal Financial Institutions Examination Council (FFIEC)
Objectives:
• Requirements to control misleading, inaccurate or misrepresentation of information
• Requirements for control of advertisement content
Impacts:
• Enhanced control over approval and publication of sales, advertisement and product content
• Changes to document retention policy

SALES, MARKETING AND DISTRIBUTION

Federal Financial Institutions Examination Council (FFIEC)
Objectives:
• Obligation on operators of commercial websites content and disclosure of personal information collected from children
• Collection of medical and loan information
Impacts:
• Process level changes for sales, marketing, underwriting and legal
• Control of content approval