Risk Angles: Five Questions on Social Business
Social business opens the door to drastically different, potentially disruptive ways to engage with, learn from and collaborate with customers, suppliers, employees, and even the general public. In fact, in the 2013 Social Business Global Executive Study and Research Project¹, a clear majority of respondents said social business has the opportunity to fundamentally change the way their organizations work.
What surveys can’t reveal is whether the impact of social business on these organizations will be positive or negative. This can hinge on how well the associated risks are managed, which can include compliance, security, reputational and employee-related risks, among others. There is also risk associated with not participating in social business, so merely “opting out” is not the easy solution it might appear to be.
In this issue of Risk Angles, Steve Lunceford, specialist leader with Deloitte Digital, Deloitte Consulting LLP in the United States, answers five questions about social business risk, and Joost Toussaint, director of Risk Services, Deloitte Netherlands, takes a closer look at compliance-related risk.
|What is social business?||Social business refers to the use of social media, networks and technologies to drive business decisions and influence business outcomes in an organization. Going beyond marketing or PR, social media networks and related technologies are being used strategically to enable people inside and outside the organization to connect, interact and share information in new and more efficient ways. While sales, branding and customer service are the most recognized uses of social media in enterprises, companies are beginning to use social tools and technologies to facilitate product development, recruiting, talent management, and supply chain — a host of uses across nearly all functions.|
|What risks are involved in social business?||As both an enabler and a disruptor, social business can carry risks including brand/reputation damage, legal and regulatory compliance, security and privacy and employee/HR issues. There’s also strategic risk in that social strategy could be misaligned with the overall strategic goals for the organization. Conversely, not participating in social business carries its own risk of being left behind as competitors take advantage of the power of social to improve their business.|
|Who in the organization should be overseeing these risks?||Deloitte has conducted many surveys around the broad use of social media and how groups responsible for managing organizational risk are responding to this new area. We see a lot of ambiguity: One-third of those we question don’t know enough about the company’s social media activities to comment, while about 60 percent report there has been no review of social media activities by internal audit or other risk management groups.² We believe internal auditors have the broad view of the organization necessary to examine the company’s social footprint to identify and assess risk, but many may need to ensure they increase their understanding of this fast-moving and complex environment. It may take some additional training and education for internal audit (IA) to be in an effective position to provide advice on implementing strategies to capitalize on the opportunities presented by the use of social media, while also managing risks appropriately.|
|How can organizations get started building effective social business risk management?||We see many organizations that have incorporated some aspect of social into their risk management efforts, such as into a crisis communications plan. But most have not looked holistically at how they will manage and mitigate social media risks as part of their overall business strategy. A high-level assessment of social media activities across the organization can be an effective first step in including social business in overall governance. Elements of this assessment might include planning to include relevant internal and external stakeholders; listening to understand what is being said about the organization in social media and who’s saying it; discovery to understand the current state of social media use and governance in the organization; analysis of the current state to identify risks and potential impacts; and roadmapping to chart a course for adopting an appropriate risk mitigation response aligned with the strategic vision for the organization.|
|What tools and technologies are available to help manage social business risks?||I think a foundational element is a social listening tool that is able to scan and capture mentions of your organization and other relevant terms in social media. There are also a number of social media management systems that range in features, but consider looking at the more sophisticated enterprise-grade systems that have built-in governance capabilities such as rules-based user permissions, robust content review and other checks and balances.|
A closer look: Compliance risks in social business
By Joost Toussaint
Various regulatory agencies in the U.S. offer guidelines governing social media and it’s important for companies to understand and address these in their compliance efforts. For example, the Financial Industry Regulatory Authority (FINRA) has extensive guidelines concerning communications with customers via social media, blog participation and advertising. The Securities and Exchange Commission (SEC) allows companies to use social media outlets to announce key information in compliance with Regulation Fair Disclosure, with some requirements and caveats. The National Labor Relations Board (NLRB) has issued several guidelines on employees’ use of social media, including the types of online activity protected by the National Labor Relations Act. The Gramm-Leach-Bliley Act (GLBA) requires information protection, monitoring for sensitive content and ensuring that such content is not sent over public channels.
Failure to adequately address compliance risks can expose an organization to enforcement actions and/or civil lawsuits (which themselves carry reputational and financial risk). IA can be a valuable resource in combatting these risks by spearheading efforts to include a social business governance strategy into risk management and compliance programs. An effective practice we’ve seen — and use ourselves at Deloitte — is to establish a steering committee comprising representatives from across the organization who are involved or have a stake in social media to guide policymaking. This might include people from marketing, risk, sales, legal, IT, HR, various business units and IA.
IA can then proactively assess the breadth and depth of the organization’s involvement in social business and perform a gap analysis of current policies and procedures against legal and regulatory requirements and guidelines. IA can also help develop business processes and controls to mitigate risks, monitor compliance and assess the effectiveness of these processes and controls over time.
¹ The 2013 Social Business Global Executive Study and Research Project, conducted by MIT Sloan Management Review in collaboration with Deloitte, analyzed more than 2,500 business executives, managers and analysts from 25 industries. 70 percent of respondents view social business as an opportunity to fundamentally change the way their organizations work. 36 percent say social business is important for their business today, and 54 percent expect it to be important a year from now.
² 2014 Deloitte & Touche LLP Social media internal audit survey.
By participating in this poll, you consent and acknowledge that your responses may be disclosed without attribution by Deloitte in future publications and you are authorized to respond to the poll on behalf of your company.
*Please review the guidelines before providing your comments.
As used in this document, “Deloitte” means Deloitte LLP and its subsidiaries. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.