One of the biggest challenges that we find at board level is in defining, explaining and educating senior management teams and employees about the risks of social media. There is a worrying management gap that exists; those that are responsible for risk management and governance in the organisation do not understand social media and those that do understand social media do not understand the risk exposure that exists around poor governance of this new communications channel.
We do believe that things have come a long way since late 2012 when the team attended a marketing conference and overheard an enthusiastic (and incredibly naïve) marketing consultant present a very upbeat message about getting employees tweeting, with the call to action “everyone should give social media a try, what’s the worst that can happen?"
The bottom line is that there are many risks associated with social media and the same due care and attention should be applied when setting up a new social media channel, in the same manner of any other channel of communication. The trouble with social media is that every message can and will be amplified because of the nature of the mechanism that is social media. The amplification of positive messages is the holy grail of marketers and one that they're searching for every day. The amplification of social media disasters, harming reputation is much more predictable - if through error, mis-judgement, lack of training, lack of process or poor governance you can be sure that it will affect your reputation.
The key social media risks:
Theft of company owned assets: There have been a number of examples of popular Facebook pages and Twitter profiles being lost or ‘stolen’ when an employee leaves an organisation. This can become an extremely grey area if you are using key individuals to promote the company’s products and services. Who really owns the social media accounts?
Sabotage: The HMV example of a disgruntled employee highlighted how damaging to a brand’s reputation an employee could be, if they took control of the social mouthpiece of the organisation. In this particular example the administrators were working with the company trying to secure the highest possible value for the organisation. The social media accounts were broadcasting confidential information and being used to hold the company hostage.
Password security and IT Governance: Research has shown that social media access and passwords are often shared widely amongst internal teams as well as outside the organisation. The result has been a number of high profile cases where anonymous posts, attacking the organisation, which were posted from within could not be traced to the originator. The response from one marketing director was that they had no idea how it had happened or how it could be stopped in the future. IT teams are often blissfully unaware of the best (and worse) practices going on within marketing teams.
Audit trails: With social media moving up the risk register there has been increasing pressure on organisations to manage social media risk more effectively. Providing audit trails of who posted what, when and recording the conversation arising with customers is now an essential element of social media risk management. The FCA have mandated this in the most recent issue of their guidelines on social media, but is a sensible step for all organisations not just those associated with the finance industry.
UK data compliance: Many of the popular social media platforms are located in the US. Many governance policies now dictate that social media management tools need to store social media interaction in the UK in accordance with UK data compliance.
Defamation and the law: In the UK, the Defamation Act 2013 has strengthened the protection of channels such as Facebook and Twitter, which will encourage those who have been subject to libel to pursue someone else responsible for the media post or repost. The impact and extent of social media reach and the damage arising is a considerable risk to organisations.
Trolls and brand terrorists: Increasingly protection of the public, who are using a brand’s social media asset is becoming a necessity. The more popular a Facebook page or a LinkedIn group, the more likely it is to be spammed or targeted for abuse. Organisations are expected to moderate and protect engagement within the social media environment.
Policing Policies: Too many organisations put policies in place and expect that to be the end of it. How can these policies act as a deterrent if they are not being policed? This should cover off both the standards and rules for operating the organisation’s owned social media accounts as well as what happens on people’s personal social media accounts.
Lack of Controls: Social media access to the company accounts is often handed out after some brief training. In the example of Greater Manchester Police there are a handful of individuals that are able to issue press releases on behalf of the organisation, but almost 400 users that can issue a tweet or a 140 character press release. The devolution of social media can ensure much greater engagement between the organisation and its audiences, but controls need to be in place to ensure that if content has the potential to damage the organisation’s reputation then it can be captured before being made public.
To return to the question at hand, I am afraid that the risks are still being ignored because of the knowledge gap that still exists. It is really pleasing to see more organisations taking the time to audit the level of risk associated with their social media activity, but these firms are still in the minority.
For those that have started to take social media risk seriously it has led to the tightening up of social media and IT governance policies and much greater understanding of the practical elements required for the management and delivery of social media.
Boards need to take the time to understand the risks, challenge the marketing team on the difficult questions to ensure that the brand is protected, along with protecting the customer and of course the bottom line!
James Leavesley is CEO of CrowdControlHQ, the UK’s leading social media risk management and compliance platform built for enterprise.