INSIDE…
BANKS: IT’S TIME TO LEVERAGE SOCIAL MEDIA FOR CRITICAL DISCOURSE
SOCIAL MEDIA OVERSIGHT LAGGING IN FIRMS: COMPLIANCE PROS SAY IN SEMINAR SURVEY
REGISTERED REPS SHOULD USE SOCIAL MEDIA, BUT WITH SAFEGUARDS
IA BRIEF: STATE LAWS MAY REQUIRE FIRMS TO RE-THINK SOCIAL MEDIA POLICIES
THE SOCIAL MEDIA SIDE OF INCIDENT RESPONSE
RISK MANAGEMENT IN AN EVOLVING WORLD: THE CASE FOR SOCIAL MEDIA GOVERNANCE
RESPONSIBLY SOCIAL:
GOVERNING THE DIGITAL WORLD
We hope you enjoy our social media report. As is becoming more and more clear, governance,
clear guidelines and effective policy training and communication are paramount as the use of
social media continues to rise. Thomson Reuters Accelus’ new Social Media training course
will guide your employees through the acceptable personal and professional use of today’s
social media outlets whether you choose to use our off-the-shelf option or customize to suit
your company’s policies and procedures.
The Social Media course is just one of many courses we offer that will help you reduce the
burden of compliance and policy management.
To learn more, visit: accelus.thomsonreuters.com/solutions/training
RESPONSIBLY SOCIAL… HELPING YOU GOVERN THE DIGITAL WORLD
The SEC has called it “landscape
shifting” – social media takes a typical
face-to-face, adviser-client exchange
and transforms it into a multi-party
experience in which the users drive
the content.
As clients and employees continue to build their presence on LinkedIn,
Facebook, Twitter, forums and blogs, the conversation is opening up
alongside the increasing number of regulations that dictate the rules
of corporate responsibility.
When banks are first building a social media strategy, they should begin
by forging strong partnerships with compliance and legal, Frank Eliason,
Senior VP of Social Media at Citibank, recommends. When Citi first got
involved in social media just over two years ago “we met with our lawyers
to go through some of the initial challenges, and today we have two
counsel that are very familiar with this space,” Eliason says.
One of the first things banks need to understand is that their advisors
are already on social media, notes Clarah Shah, author of The Facebook
Era and founder/CEO of Hearsay Social. The second important question
they need to ask themselves is: Do they have a business case for being in
the space?
Shah says one of the first things to recognize is that social media is
“all about trust, reputation and relationships.” In laying the foundations,
you have to look at the actual content: “The best way to add value is to
educate advisors, talk about what’s going on in the EU and talk about
retirement planning. People don’t want to get this information through
email anymore. You need to brand yourself as subject-matter experts,”
Shah says.
Banks also can be monitoring sites like LinkedIn for life-detail changes,
such as job transitions and location moves. These events can signal to
banks what clients could be looking for at different times in their lives,
like life insurance products and mortgages.
STAYING IN THE CONVERSATION
If banks know from the onset what their business case is for a social media
presence, chances are they will have also set goals for reaching target
demographics.
Shah says firms need to be monitoring who they are reaching through
social media and understanding the conversion rates from prospective
to new clients. Executives at all levels also need to ask themselves
if they are using the technology their clients are using on social
media. A lot of people access these sites through smart phones and
follow certain blogs regularly. To be successful at this “you have to
be where your clients are,” he says.
Being on these platforms and accessing social media through the same
methods is critical to viewing changes that are happening at a rapid pace.
“If you look at consumer behavior on social sites such as Facebook over
the past year and a half, there has been a big shift towards mobile device
access; and here, people tend to stick to their news feeds,” Elias says.
ARCHIVING SOCIAL MEDIA CONTENT
Once banks are in the space, the next step is ensuring they remain
compliant with electronic recordkeeping requirements under SEC
Rule 17a-4 and the Advisers Act.
Banks will perform a lot of customer-service functions on Twitter,
but here, advisers can’t ask clients to send over financial information,
Eliason observes. To get off the Twitter server, Citibank has partnered
with Live Person (an online customer-conversation tool) so advisors
can send a link and take a conversation off of Twitter and place it
into a separate, secure area with the person to whom they are speaking.
From a compliance perspective, “what keeps banks on their toes are
the changes to social networks themselves, such as new features on
Facebook, Pinterest and YouTube,” says Steve Marsh, founder and
CEO of Smarsh, an email archiving and compliance service.
Shah reports there are up to a thousand small updates to Facebook
alone per month, on average.
Given these circumstances, Smarsh works directly with companies
to regularly archive their social media content. From a compliance
standpoint, outside of archiving, he says that banks need to be taking
the following actions:
• Pre-reviewing static content;
• Saving all communications, especially those related to handling
customer complaints and endorsements;
• Implementing strong supervision requirements for employees.
The last point is especially important, since “a lot of emphasis gets put
on the technology to become compliant, but you still have to clearly
communicate to employees what is or isn’t allowed. It can’t be loosely
stated via an email,” Smarsh notes.
He says that banks should start with a decision in terms of what they
want to permit and prohibit and they should “document these items –
then train employees – then put the technology in place to enforce
their policies.”
Above all, “don’t let the technology dictate what your policies are,”
he says. There are many ways social tools can be adapted to suit a bank’s
needs, such as not allowing comments on Facebook posts. The media tools
should not be working in opposition to the bank’s needs.
www.sec.gov/rules/final/34-38245.txt
AUTHOR
Jennifer Lee, a freelance writer living in Toronto who covers compliance
and regulatory developments for Thomson Reuters Accelus.
SOCIAL MEDIA OVERSIGHT LAGGING IN FIRMS: COMPLIANCE PROS SAY IN SEMINAR SURVEY
At a social media webinar hosted by Thomson Reuters Accelus entitled “The Case for Social Media Governance,” participants learned that business spending for social media is predicted at current rates to triple by 2017, to 19.5 percent of digital budgets. The number of social media job-related positions in business-to-business firms has grown by 600 percent in the last five years.
“A company should not forget that (social media) deployment across the enterprise needs to be monitored and measured so the tools are used to the company’s advantage and according to regulations appropriate to the company’s industry,” said John Hair, director and social media governance lead at KPMG LLP. Hair and Sanjaya Krishna, principal, digital risk consulting at KPMG, conducted the webinar.
In a survey of webinar participants, 81 said their companies had a social media use policy and 102 said they did not.
Marketing departments were cited most commonly as having accountability for social media communications in a company, with 73 participants citing those units, compared with 27 who said compliance had the duty and 21 saying it was a duty of the communications department.
Each department has its own objectives in using social media – from attracting the best new hires to acquiring new customers, the speakers said.
A key way to manage risk, Hair noted, was to spread the use and monitoring across departments, so each one had a seat at the table in setting policy.
Few participants said their employers were using social media tools to learn what people were saying about their companies, although the speakers recommended doing so. Nearly one-fourth said they did not think their companies were using such tools; others were unsure.
“Understanding what the marketplace is saying is important not just for measuring success of marketing efforts, but also so the company can determine what reputational risks might potentially exist,” Krishna said.
The participants also expressed uncertainty or doubt that their companies conducted a formal review of the terms and conditions of a social media site each time they established a new presence; for example, when setting up a new Facebook page.
An effective external social media governance program will monitor these terms and conditions to make sure they address key areas such as intellectual property rights, disclaimers and whether social media postings are discoverable in legal actions.
A full two-thirds of the listeners who responded said “no,” when asked if they felt confident that their organizations have an adequate social media governance program in place.
Both presenters stressed how important it is to establish effective governance protocols expressing the “voice of the company” on social media. These include identifying behaviors expected of social media participants, monitoring emerging regulatory guidelines across multiple jurisdictions and having a data-retention policy for legal and audit purposes.
The challenges are evolving, they said, but the companies that tackle them early will profit most from the careful application of good governance when implementing these increasingly popular tools.
Article Link: http://www.complinet.com/global/news/news/article.html?ref=158418
AUTHOR Julie DiMauro is a senior editor with Thomson Reuters-GRC in New York. She writes pieces on regulatory compliance issues and edits contributions from a wide variety of expert authors. Follow Julie on Twitter: https://twitter.com/Julie_DiMauro
Many compliance and governance professionals at an online seminar on social media said they did not believe their companies were monitoring online discussions carefully, even though several reported their companies had adopted or recently amended policies intended to better control corporate use of social networks.
In a recent webcast sponsored by Thomson Reuters Accelus and KPMG an audience of 355 attendees were polled on their organization’s use of social
media and the governance policies in place to address risk exposure and employee training. Below are the results of the interactive polling session.
To view the on-demand webcast: http://accelus.thomsonreuters.com/content/case-social-media-governance
[Poll charts. Each question is listed with its answer options, followed by the percentages printed on its chart in the order they were extracted.]
What is the primary way in which your organization currently uses social media? What is the primary focus of future development of social media for your organization?
• Engaging with customers
• Connect with current or potential employees
• Support use of mobile technologies
• Supporting a change of culture across your organization
• Manage or gain insight into market risk
Present (%): 71, 10, 10, 4, 5
Future (%): 62, 9, 11, 12, 6
When did your organization create or last amend policies that address social media use by your workforce?
• Less than 6 months ago
• 6 – 12 months
• 12 – 18 months
• More than 18 months ago
• We’ve never considered the impact of social media on current policies or guidelines
Percentages: 45, 19.5, 10, 6, 19.5
Does your organization have specific employee training modules covering social media use?
• Yes
• No
Percentages: 28, 72
What operational area within your organization holds ultimate accountability for social media?
• Marketing
• Communications
• Compliance
• Legal
• IT
• Other
• I don’t know
Percentages: 39, 11, 15, 5, 6, 8, 15
Are you actively using social media monitoring/listening tools to better understand discussions about your company?
• Yes
• No
• I am not sure if we are using these tools
Percentages: 30, 44, 26
Do you feel confident that your organization has adequate governance in place in all of the areas discussed?
• Yes
• No
Percentages: 25, 75
REGISTERED REPS SHOULD USE SOCIAL MEDIA, BUT WITH SAFEGUARDS
While social media may be used by
investment professionals, it is tricky
and full of potential compliance traps.
Proper precautions are necessary to
avoid administering blanket opinions
that may mislead investors.
Certain types of investment firms, such as hedge funds and registered investment advisors, that use media should be aware of the legal constraints that they are obligated to follow. Professionals should weigh the cost versus the benefit of communicating to investors and the public through social media, given the high risk of impropriety.
SOCIAL MEDIA RISKS
A general rule for use of social media is that a person should never email or post any information to the Internet that he would not be comfortable with his mother or a law enforcement official reading.
For investment advisors, there are more specific guidelines to be followed. Under the prudent investor rule, it is permissible for named fiduciaries to administer investment advice, but they must go about this in a careful way. The fiduciary must make sure that the recommendation is suitable for the particular client, and the process of issuing a proper recommendation involves ample due diligence and an assessment of return and risk tolerance.
An assessment of risk comprises an analysis of the client’s willingness and ability to bear risk. Willingness is highly specific to the individual; it is defined as the client’s emotional preferences about volatility. Ability is not participant specific; it is defined as the volatility level that should pertain to a client given his age, dependents, life expectancy, etc. A fiduciary must take into account the overall portfolio objectives when determining the suitability of the investment. Factors such as timing, taxes, liquidity, legal and unique circumstances should be considered.
A significant risk for investment professionals who use social media is having their ideas become construed as investment advice. The high degree of prudence for fiduciaries required seems to be at odds with the way that social media works. The speed of response is a mouse click on social sites. Discussions that occur in chat rooms, on Facebook status updates, and through tweeting can instantly spiral out of control. Messages can go very far, very fast.
If an investor following a portfolio manager on Twitter interprets her general statements as a suggestion to buy a security that goes south, this could constitute potential liability for her. This can happen easily because of the lightning speed at which information is disseminated on the Internet.
Testimonials represent another potential trap. If an advisor writes a testimonial on LinkedIn about how successful at picking stocks a friend from business school has become, people reading this on LinkedIn may think that the advisor is endorsing the friend. If the friend recommends a stock that goes the wrong way, it is a potential liability to the recommender. Simply “liking” someone or a particular company on Facebook may be taken as an endorsement. Registered professionals must also use caution about who writes testimonials about them, because the claims may be exaggerated, vague or misleading; this could potentially be false advertising.
Other risks are reputational. Social media has made it easy for personal information to be displayed to the public. Personal and professional lives are no longer separate on the Internet. Investment advisers who are users of Facebook should be aware that clients and prospects might be able to read what they post on their walls and the comments they make. It can be beneficial to adjust privacy settings so they can control what is posted on their wall by others. They should exercise discretion over the photos in which they may be “tagged.” Prudence should be espoused when posting personal photographs, and access should be limited.
MITIGATE THE RISKS
There are numerous ways to decrease the risk of using social media. Investment professionals should consult an attorney who is an expert on these compliance issues for day-to-day guidance. Merely including disclaimers at the end of a thought piece, for example, seems like a quick fix – but it is not a comprehensive solution.
One way to avoid issuing blanket investment advice through social media is to refrain from phrasing thoughts in ways that sound like suggestions. To do this, it may be necessary to limit the scope of commentary or adopt a reflective, rather than authoritative, writing tone. Many professionals will refuse to discuss their opinions on specific stocks or exchange-traded funds publicly, so their ideas about such instruments will not be interpreted as an official recommendation.
Hedge funds cannot publicly advertise their products to non-accredited investors. Such professionals should therefore use caution even when setting up personal profiles on social sites such as Facebook. The most prudent course of action is to present only basic information such as the fund’s name and standard contact information.
Social media policy should be applied to the Internet behavior of all members of a company. Employees should be administered a handbook containing the explicitly stated social media policy that they must read and agree in writing to follow. Employers should randomly audit their employees’ profiles on such sites as LinkedIn, Facebook and Twitter to ensure that rules are being followed, and make a plan to update the policy as the business changes and technology advances.
WEIGHING THE COST AND BENEFIT
The administrative task of maintaining compliance for registered investment advisor firms using social media can be time consuming and costly. It is unclear if social media is even an effective way to market investment services. The boom of digital communication has generated an information overload. Even in the Internet age, relationships of trust are still built through face-to-face contact and handshakes. Social media users should weigh the potential benefits versus the burden necessary to ensure compliance with legal guidelines.
Disclaimer: This document is not intended as a form of legal recommendation or advice. Professionals seeking such advice should contact their compliance personnel or seek the guidance of an attorney.
Article link: http://www.complinet.com/global/news/news/article.html?ref=158343
AUTHOR Sara Grillo, CFA, is a portfolio manager at Grillo Investment Management
Grillo Investment Management: http://saragrilloinvestments.com/
Financial services firms have been carefully
embracing social media over the last few years.
Firms have shaped policies and procedures with
a balance between the needs and wants of their
representatives while still making it possible
to supervise and ensure compliance with
regulations and guidance.
Some adopted and proposed state legislation
on social media conflicts with that delicate
balance, even preventing firms from fulfilling
current regulatory obligations. The legislation
may require a firm to modify its policies and
procedures in areas including: types of sites
allowed, frequency and content of attestations
or certifications of adherence to the firm
policies, surveillance techniques and the
amount of staff or time allotted to social-media
supervision.
The Financial Industry Regulatory Authority
(FINRA) and the Securities and Exchange
Commission (SEC) have published recent
notices that include defining the types of
social media postings, general supervision
guidelines and specific electronic
record-keeping requirements. The SEC and FINRA
have laid out general regulatory guidance but
left most of the specifics to the firms and their
compliance departments.
Under federal and FINRA guidance, a firm
that allows any type of business-related
social media is required to supervise the
business communications, offer training for
those individuals and fulfill certain
record-keeping requirements. The regulators have
been in concert with their message: if a firm
believes that they cannot effectively capture
social media communications, they shouldn’t
allow it.
IA BRIEF: STATE LAWS MAY REQUIRE FIRMS TO RE-THINK SOCIAL MEDIA POLICIES
Federal and state privacy legislation aiming to protect
against employer access to private social media
websites may put Broker-Dealers and Investment
Advisers in a bind – unable to fully supervise certain
social-media and electronic communications used
by their representatives.
At the state level, Maryland, Illinois and
California have already passed social-media
legislation. Other states including Delaware,
Massachusetts, Minnesota and New York
are considering similar social media privacy
bills. For example, in Maryland, employers
are prohibited from requesting or requiring
information such as the username or password
to access an employee’s or applicant’s personal
social media accounts, such as on Facebook
and Twitter. The legislation does have a slight
carve-out, permitting an investigation for
ensuring compliance with applicable securities
requirements, although the firm must first have
information indicating a potential wrongdoing.
Some firms use online monitoring systems
that require a representative’s social media
credentials, so firms can retain the business
communications and supervise. Few if any
firms are believed to allow representatives to
use personal social media outlets for business,
said Paul Cox, CEO of Business Compliance
Partners, a San Diego-based compliance
consulting firm. For those who do, the practice
will be eliminated as a result of the many
state laws.
Even with its exception allowing access
to personal accounts based on indications
of wrongdoing, the Maryland law sharply restricts
routine monitoring, contrary to the principles
of continuous supervision required at
broker-dealers or investment advisers. Firms will have
to rely on a representative’s word or written
attestation and public information from social
media sites to ensure that someone is not using
a personal site for business use, violating firm
policies and ultimately misleading the investing
public.
POSSIBLE CONSEQUENCES OR CHANGES
Social media use will grow at a rapid pace,
but the state laws may make firms re-think their
current social media programs and even limit
them further in some cases.
Possible consequences or changes to
consider may include:
• A shift to more corporate social media
sites. This is especially apparent with social
media sites with privacy settings, such as
Facebook. “The progressive firms will build
company websites and have their associates
link to their corporate sites so that they can
integrate their marketing efforts,” Cox said.
This would be, he said, “likely to deter the
temptation to use a personal account for
business purposes.”
• Limits or bans on the use of social media
sites that have private content. For example,
firms may modify their procedures to only
allow sites like LinkedIn or Twitter that have
a more open architecture.
• Require more-specific personal-use policies,
including a ban on business content on a
personal social media site.
A firm may also have to be specific on what
social media sites it does not allow for any
type of business communications.
• More frequent attestations or certifications
of policy adherence at firms that bar
business communications on personal
sites or certain social media sites. Increased
training may also be necessary.
• Routine supervisory review of public
information on social media, gathered
through an online retention tool or
manually. This may require more staff
and time.
• Firms may try to have representatives agree
to a “friend” relationship, or to follow a
specific individual at the firm to enable
ongoing supervision. This type of fix may
contradict the spirit of the new laws and
may be challenged by a representative.
• Firms may also have to resort to reviewing
an individual’s personal social media sites
“over-the-shoulder” to ensure compliance,
resulting in additional time and resources.
The wave of state legislation on this issue will
most likely continue and federal legislation
has been proposed. The brokerage and adviser
community along with FINRA will continue to
make their point heard – industry groups had
proposed a broker exception for the California
law. In other words, it’s time to consider the
options to ensure compliance on all points.
The California and Maryland laws and a copy of the proposed federal
legislation can be found at the following links:
California: http://leginfo.legislature.ca.gov/faces/billSearchClient.xhtml
Maryland: http://mlis.state.md.us/2012rs/bills/sb/sb0433t.pdf
Copy of proposed legislation: http://www.gpo.gov/fdsys/pkg/BILLS-112hr5684ih/pdf/BILLS-112hr5684ih.pdf
AUTHOR
Jason Wallace is a senior editor for
Thomson Reuters Accelus. Jason began
his career at TD Waterhouse Securities Inc.,
now TD Ameritrade Inc., where he held key
positions in the Trading, Risk Management
and Compliance departments for both retail
and institutional sides of the firm. Jason joined
Thomson Reuters Accelus after serving as
an associate director for National Regulatory
Services, in San Diego, California. Follow Jason
on Twitter @Wallace_iabrief
It is important for compliance professionals and
other managers in a company to consider how
it uses its social media communications when
tackling incident response. Even with a crisis
communication process already in place, one
must make sure it includes the use of social
media as instruments in relaying information
to the public.
After all, it’s been widely demonstrated how quickly news can spread
on Twitter. LinkedIn’s own social-media crisis response did not impress
many after more than 6 million user passwords got leaked recently, and
cloud-storage firm Dropbox faced challenges of its own dealing with
a security breach. While the National Institute of Standards and
Technology (NIST) Report SP 800-61 gives good guidelines on the
positive aspects of fully and effectively communicating important
information to the public, there is more that could be done to harness
social media to respond to unwelcome events and allegations against
a company.
THE NEED FOR SPEED
Social-media crisis response elevates the importance of speed in crisis
communications. With social media crisis management, time is of the
essence: The first 24 hours are crucial, as this is when people will cast
their digital nets out and frantically search for information.
Assuming that you have an established and tested incident response
plan, the next stage is being prepared, since the Internet does not wait
for a company to respond. The news will spread with or without your
involvement.
You have a chance to take control, however. Assuming incident response
is already well established in your organization, you are in good shape,
as you have most of the building blocks in place. One easy block that
should be added right away is a Web page dedicated to a potential
crisis or breach.
Having this prepared with an easy structure to follow will enable you
to control the flow of information very quickly. The structure of your Web
page should follow what I call the “Three As,” with the following sections:
• Acknowledgement: This early, you may not know much, but you could
look at: Who attacked you? Why? When did it happen? How did it
happen? How widespread? What or who does it affect? How did you
find out?
Although it is the key function of your public relations or media department to formulate these communications, your role as a compliance professional is to make sure you have reviewed them and they accurately reflect your responsibilities in informing the public and regulators of your company’s incident response efforts. Plus, it is best not to be taken by surprise by any of these announcements to the public, given your role as a compliance or risk manager for the company.
First and foremost, take ownership: Passing the buck or blaming others is not an acceptable response. Of course, there will be instances where you cannot divulge many of the details (e.g., if law enforcement is involved), but do not let this distract from the fact that you have to acknowledge something, even if you cannot share details. The result of no acknowledgement will be inflated speculation, which should be avoided.
• Apology: All too often, organizations do not acknowledge that their customers, partners, stakeholders, etc. may be worried, inconvenienced or in need of reassurance. Even if you do not know much at this stage, show you feel the pain and that you are trying to make it go away. Acknowledgment that you are listening and seeking answers buys a lot of time and, more importantly, can quell anger and resentment.
• Action: You need to share what steps you propose to take or have already taken to: 1) determine what happened; 2) prevent it from recurring, and 3) maintain the trust of customers, stakeholders, partners, and others.
You also need to reassure your customers, partners, stakeholders and show them you understand the situation. For example, we all know that criminals will piggy-back on any type of newsworthy event or crisis, and we also know that this is an excellent opportunity to start social engineering attacks (e.g., phishing), which are always launched very quickly. Take this opportunity to warn everyone that this could happen and how you will communicate (e.g., “we will always...” or “we will never...”) and make sure everything is consistent. In other words, if you send an email out, make sure the text of the email is included on your website, so your customers can clearly see it is not a phishing scam. It is often best to avoid including links in emails to support this impression.
Design your Web page with this structure in mind so content can easily be dropped in as needed.
HEAD FOR SPREAD
With your Web page, you now have a single and simple point of referral. But having a page does not ensure that people seeking information will find it. You need to become the central hub for information on the crisis.
You cannot do this on your own. Again, I offer another “Three As”:
• Amplification: Use all the social media avenues available to you: Twitter, Facebook, YouTube, Google+, LinkedIn, and blogs. Use these to direct information seekers to your crisis webpage. Do this often – at least two or three times a day to cater for the different time zones, and understand that the world is watching you, even if you only operate in one country or time zone. Keep your Web page updated as and when you know more and amplify it by using all the tools at your disposal (e.g., create your own hash tag first). Offer advice when you can, but be careful not to be patronizing.
• Advocacy: It is not new that in any kind of crisis communication, third-party experts (these can be industry commentators, journalists, experts in your field, etc.) will be the most trusted group. Seek them out and give them the information. Also, seek out your allies and partners and keep them informed. Finally, take a deep breath and trust your employees to be your advocates.
There is limitless untapped value in personal social networks. If you want your employees to be your advocates, be sure they know first -- before the media and external parties – what messages are going to be delivered, and where possible, draft messages that they can use if they so wish. They can not only alert you to opportunities but also to crisis issues via their own networks. The key word here is enablement.
• Adhesion: Facing a crisis situation does not mean you have to surrender your corporate values. Be sure your messages are constructed within the framework of your corporate image, as now is not the time to surrender caution and governance. In addition, be clear about your limits: You cannot solve every problem for everyone, so you’ll have to think of a way of pacifying part of your (unhappy) audience when solutions cannot be found quickly. In addition, now is not the time to lapse on customer service. You can be speedy and achieve spread successfully, but if you don’t follow through with good customer service and deliver on your promises, all of this will be in vain.
CHECK THE DECKS
So now that you have achieved speed and spread, you have a couple more things to do before you become the de facto information hub for the crisis at hand. This is perhaps the scariest step, because this is where you have to open up. Yet again, there are three more “As” for you, and these are about stacking the odds in your favor:
• Analysis: You have to monitor real-time content on the various networks to categorize and prepare the type of content needed on your webpage.
• Answer: Invite comments and answer them on your Web page. This can be scary, but bear in mind that not inviting comments will have a negative impact on your brand. It is possible to manage comments successfully by remembering a few things. First, not every comment requires a reply and you must know when to disengage; if a hostile ring leader emerges, it is sometimes best to take the discussion out of the social media sphere and engage directly. Second, there is never any harm in specifying your rules of engagement (e.g., no foul language allowed). Third, keep up with the Joneses: If a negative blog entry is posted, respond with a positive entry from you, the communications team or your CEO, etc. A dignified reply will go a long way, as you prepare to distribute a longer message or action plan later.
• Aggregation: As you are getting the hang of it, you are now ready to become the de facto information hub by posting all stories on the crisis on your webpage, positive or negative. You will rapidly realize that you cannot control the conversation – but you are in complete control of where the conversation appears on your webpage, so make sure your opinion and your content have prominent and favorable placement.
Basically, a successful social media crisis response strategy can be summarized by:
1. The need for speed;
2. Head for spread; and
3. Check the decks.
Suffering a crisis is not the end of the world, and you might just be able to turn it to your advantage. As ever, the best line of defense is being prepared.
Link to Article: http://www.complinet.com/global/news/news/article.html?ref=158022
AUTHOR
Neira Jones is Head of Payment Security at Barclaycard, where she manages security compliance for approximately 100,000 customers. She has been on the PCI Security Standards Council Board of Advisors since 2009, and she was inducted to the Infosecurity Europe Hall of Fame in April 2011.
RISK MANAGEMENT IN AN EVOLVING WORLD: THE CASE FOR SOCIAL MEDIA GOVERNANCE
SANJAYA KRISHNA
PHILLIP J. LAGESCHULTE
H. JOHN HAIR
Social media vehicles such as Internet forums, blogs,
podcasts, and tweeting are becoming a key element
of business strategy. From engaging customers in real
time, to adding sales channels and enhancing market
research, organizations are discovering new ways
to use social media. As the evolution continues,
innovative organizations will find even more ways to
increase the return on their social media investments.
For all its advantages, social media also brings inherent risks, including
threats to confidential information, intellectual property, and reputation
as well as the potential for regulatory infractions. Thus, organizations
must develop and maintain a clear-cut governance framework as a
central part of their social media strategy.
A key challenge for corporate audit committees is to help ensure that
management – spearheaded by marketing and closely supported
by legal/compliance and IT – develops a social media governance
framework that can address the range of internal and external risks
and keep pace with social media’s rapid evolution. Organizations
need to focus on social media through three separate – but overlapping
– lenses:
• Governance of workforce use of social media through both
personal and corporate platforms;
• Governance of public-facing “voice of the company” programs
that employ social media for marketing and communications
purposes; and
• Consideration of how social media monitoring can inform a company’s
policy enforcement and enterprise risk management (ERM) programs
and enhance reputational risk management.
SOCIAL MEDIA GOVERNANCE FOR THE WORKFORCE
Corporate workforces are continually active on social networking sites
through both personal and corporate platforms. This activity poses
considerable reputation and revenue risks to organizations, such as data
leakage via posting of work-related matters or other misuse of company
intellectual property; reduction in workforce effectiveness; ineffective use
of company bandwidth; and introduction of viruses
and malware.
Organizations need to develop internal social media governance
guidelines and inform employees and third-party entities about
expectations regarding the use of social networking applications. At the
same time, organizations will want to avoid a “big brother” reputation
when it comes to workforce privacy, which can undermine employee trust.
Balancing these competing concerns is a daunting task.
Studies show that employees spend significant time accessing and using
social media while at work, using company devices. Security technologies
can help address potentially detrimental issues of bandwidth utilization
and virus/malware introduction. An added dimension of risk arises from
workforce use of social media because most of these communications
occur outside the direct control of the company, such as via home PCs
and cell phones.
Therefore, organizations must develop a clearly defined policy for
employee use of social media – on both the company’s enterprise
technology and employees’ personal devices. This policy should address:
• Proper use of company devices to access external social media sites
• Guidelines and restrictions regarding disclosure of company matters,
including product development and business plans; use of registered
phrases and other intellectual property; and workplace conduct
• Training requirements for social media technologies
• Rights and responsibilities of the company to monitor
workforce postings on social media.
GOVERNING THE “VOICE OF THE COMPANY” IN SOCIAL MEDIA
Without guidance, social media participants can become unsupervised
company spokespeople. Thus, managing reputational risk remains a key
challenge. The goal should be to design an enterprise-wide governance
program that supports innovative adoption of social media tools while
addressing their risks.
The first step in developing a market-facing social media program is to
assess where you are now in your social media maturity. Management
should then address the following issues:
• How will social media be used and by whom (both within the company
and in the external marketplace)?
• Who is our target audience, and what behaviors do we want to drive?
• Who are the key staff who will be accountable for social media activity
and what training will they require?
• What are our procedures for message approval so that key
constituents – such as legal/regulatory, HR, and marketing/
communications – can provide timely input?
• What crisis response practices have we established? Do they
reflect the aggressive timeline that social media requires?
• What are our access control frameworks for responsibilities
that we share with external parties?
• What are the rights and responsibilities of the company in our
use of social monitoring data from public forums?
MANAGING RISKS AND OPPORTUNITIES OF SOCIAL MEDIA
Social media technologies are continuing to evolve quickly, promising
shifts in behavior by customers and workforces, new regulatory
implications, and new risks and opportunities. Hence, organizations
can use social media monitoring to inform their ERM programs.
Management must demonstrate a strategic understanding of how
social media is evolving, how it affects the business, and what risks
are associated with it. Questions to consider include:
• How can we listen and respond to what the marketplace is saying
about the company?
• Have we identified and communicated the risks posed by our industry
and market’s use of social media related to information protection,
reputation risk, and legal/regulatory risk?
• How effective are our controls around these risks?
Still, an organization’s social media focus should not entirely be about
mitigating risk. It must also examine trends to identify opportunities,
such as establishing new electronic product channels for a specific
target audience or creating a viral advertising campaign through social
media vehicles. As a result, organizations need to monitor the major
social media networks to identify both potential problems and major
opportunities. This may require dedicated resources. It may also be
a good idea to have a proactive plan for deciding when and how
to respond to potential reputational issues being discussed in
social media.
CONCLUSION
For most organizations, social media is at the beginning of its maturity
curve. The rapid adoption of social media vehicles, combined with
the rapid evolution of the Web 2.0 technologies, presents a complex
challenge, especially for organizations in highly regulated industries.
Harnessing the power of social media can present specific risks to
the organization. At the same time, the speed at which Web 2.0
technologies and market demands are evolving presents organizations
with both great opportunity and greater need for governance.
Organizations need to build on their social media strengths while helping
to ensure they have a strong foundation of governance – a foundation
that enables them to:
• Identify social media risks and opportunities
• Enhance demonstrable controls of social media programs, satisfying
both audit and compliance program demands
• Anticipate emerging regulatory compliance issues that may dictate
their social media activities on a global basis
• Improve key third-party relationships with regard to social media
technologies and utilization
• Gain stronger consensus among internal organizational areas affected
by social media regarding strategic direction and risk management.
ABOUT THE AUTHORS
Sanjaya Krishna is a principal in KPMG’s Advisory practice and U.S.
Digital Services Leader within KPMG’s Information, Communications
and Entertainment practice. Sanjaya focuses on client challenges and
opportunities related to emerging digital media areas, including
social media.
Phillip J. Lageschulte is an IT Advisory partner and the Global and
Americas Service Line Leader for KPMG’s IT Audit Services practice, with
over 23 years’ experience providing information technology consulting and
assurance services to clients across a variety of industries. He recently led
an Information Systems Audit and Control Association (www.isaca.org)
task force to publish a book on cloud computing, IT Control Objectives for
Cloud Computing (2011 ISACA).
H. John Hair, an Advisory director in KPMG LLP’s IT Internal Audit
practice, leads KPMG in the area of social media governance, with
over 20 years of global development and operational management
experience in new technology adoption. John has led KPMG teams
providing audit/assessment reviews of social media programs for
some of the firm’s key national clients.
ABOUT KPMG LLP
Advisory
KPMG’s professionals combine technical, market, and business skills that
allow them to deliver objective advice and guidance that help the firm’s
clients grow their businesses, improve their performance, and manage
risk more effectively.
Audit
Audit teams equipped with a high level of technical skills and empowered
with professional skepticism provide the heart and soul of a good audit.
Tax
Through a forward-thinking multidisciplinary approach, technical
experience, and deep industry knowledge, KPMG’s Tax professionals
can add value and help organizations manage the tax complexities
of an ever-changing business environment.
CONTACT US
For more information about KPMG’s Social Media services,
please contact:
Sanjaya Krishna
Principal, Advisory and U.S. Digital Services Leader
212-954-6451
Phil Lageschulte
Partner, Advisory and Global IT Internal Audit Services Leader
312-665-5380
H. John Hair
Director, Advisory
312-665-3606
THOMSON REUTERS GOVERNANCE, RISK AND COMPLIANCE
Through the Thomson Reuters Accelus suite of products, the Governance, Risk &
Compliance business dynamically connects business transactions, strategy and
operations to the ever-changing regulatory environment, providing highly regulated
firms with informed outcomes.
Thomson Reuters Accelus is a comprehensive suite of solutions specifically built to
address the governance, risk and compliance challenges faced by the boardroom, and its
legal, compliance, audit and risk management professionals. Thomson Reuters Accelus
helps customers manage their risk exposure and accelerate their business at every step.
© Copyright Thomson Reuters 2012. All rights reserved. Except as permitted by law, no part of this document may be reproduced or transmitted by any process or means without the prior consent of Thomson Reuters. Thomson Reuters, by publishing this document, does not guarantee that any information contained herein is and will remain accurate or that use of the information will ensure correct and faultless operation of the relevant service or equipment. Thomson Reuters, its agents and employees shall not be held liable to or through any user for any loss or damage whatsoever resulting from reliance on the information contained herein. 002449 1012.