RESPONSIBLY SOCIAL: GOVERNING THE DIGITAL …...triple by 2017, to 19.5 percent of digital budgets....


RESPONSIBLY SOCIAL: GOVERNING THE DIGITAL WORLD

INSIDE…

• BANKS: IT’S TIME TO LEVERAGE SOCIAL MEDIA FOR CRITICAL DISCOURSE

• SOCIAL MEDIA OVERSIGHT LAGGING IN FIRMS: COMPLIANCE PROS SAY IN SEMINAR SURVEY

• REGISTERED REPS SHOULD USE SOCIAL MEDIA, BUT WITH SAFEGUARDS

• IA BRIEF: STATE LAWS MAY REQUIRE FIRMS TO RE-THINK SOCIAL MEDIA POLICIES

• THE SOCIAL MEDIA SIDE OF INCIDENT RESPONSE

• RISK MANAGEMENT IN AN EVOLVING WORLD: THE CASE FOR SOCIAL MEDIA GOVERNANCE


We hope you enjoy our social media report. As is becoming more and more clear, governance, clear guidelines and effective policy training and communication are paramount as the use of social media continues to rise. Thomson Reuters Accelus’ new Social Media training course will guide your employees through the acceptable personal and professional use of today’s social media outlets whether you choose to use our off-the-shelf option or customize to suit your company’s policies and procedures.

The Social Media course is just one of many courses we offer that will help you reduce the burden of compliance and policy management.

To learn more, visit: accelus.thomsonreuters.com/solutions/training

RESPONSIBLY SOCIAL… HELPING YOU GOVERN THE DIGITAL WORLD

Schedule a demo of our new Social Media course today and receive a $10 ITUNES gift card for listening!


BANKS: IT’S TIME TO LEVERAGE SOCIAL MEDIA FOR CRITICAL DISCOURSE

The SEC has called it “landscape shifting” – social media takes a typical face-to-face, adviser-client exchange and transforms it into a multi-party experience in which the users drive the content.

As clients and employees continue to build their presence on LinkedIn, Facebook, Twitter, forums and blogs, the conversation is opening up alongside the increasing number of regulations that dictate the rules of corporate responsibility.

When banks are first building a social media strategy, they should begin by forging strong partnerships with compliance and legal, Frank Eliason, Senior VP of Social Media at Citibank, recommends. When Citi first got involved in social media just over two years ago “we met with our lawyers to go through some of the initial challenges, and today we have two counsel that are very familiar with this space,” Eliason says.

One of the first things banks need to understand is that their advisors are already on social media, notes Clarah Shah, author of The Facebook Era and founder/CEO of Hearsay Social. The second important question they need to ask themselves is: Do they have a business case for being in the space?

Shah says one of the first things to recognize is that social media is “all about trust, reputation and relationships.” In laying the foundations, you have to look at the actual content: “the best way to add value is to educate advisors, talk about what’s going on in the EU and talk about retirement planning. People don’t want to get this information through email anymore. You need to brand yourself as subject-matter experts,” Shah says.

Banks also can be monitoring sites like LinkedIn for life-detail changes, such as job transitions and location moves. These events can signal to banks what clients could be looking for at different times in their lives, like life insurance products and mortgages.

STAYING IN THE CONVERSATION

If banks know from the onset what their business case is for a social media presence, chances are they will have also set goals for reaching target demographics.

Shah says firms need to be monitoring who they are reaching through social media and understanding the conversion rates from prospective to new clients. Executives at all levels also need to ask themselves whether they are using the technology their clients are using on social media. A lot of people access these sites through smart phones and follow certain blogs regularly. To be successful at this “you have to be where your clients are,” he says.

Being on these platforms and accessing social media through the same methods is critical to viewing changes that are happening at a rapid pace.

“If you look at consumer behavior on social sites such as Facebook over the past year and a half, there has been a big shift towards mobile device access; and here, people tend to stick to their news feeds,” Elias says.

ARCHIVING SOCIAL MEDIA CONTENT

Once banks are in the space, the next step is ensuring they remain compliant with electronic recordkeeping requirements under SEC Rule 17A-4 and the Advisors Act.

Banks will perform a lot of customer-service functions on Twitter, but here, advisers can’t ask clients to send over financial information, Eliason observes. To get off the Twitter server, Citibank has partnered with Live Person (an online customer-conversation tool) so advisors can send a link and take a conversation off of Twitter and place it into a separate, secure area with the person to whom they are speaking.

From a compliance perspective, “what keeps banks on their toes are the changes to social networks themselves, such as new features on Facebook, Pinterest and YouTube,” says Steve Marsh, founder and CEO of Smarsh, an email archiving and compliance service.

Shah reports there are up to a thousand small updates to Facebook alone per month, on average.

Given these circumstances, Smarsh works directly with companies to regularly archive their social media content. From a compliance standpoint, outside of archiving, he says that banks need to be taking the following actions:

• Pre-reviewing static content;

• Saving all communications, especially those related to handling customer complaints and endorsements;

• Implementing strong supervision requirements for employees.

The last point is especially important, since “a lot of emphasis gets put on the technology to become compliant, but you still have to clearly communicate to employees what is or isn’t allowed. It can’t be loosely stated via an email,” Smarsh notes.

He says that banks should start with a decision in terms of what they want to permit and prohibit and they should “document these items – then train employees – then put the technology in place to enforce their policies.”

Above all, “don’t let the technology dictate what your policies are,” he says. There are many ways social tools can be adapted to suit a bank’s needs, such as not allowing comments on Facebook posts. The media tools should not be working in opposition to the bank’s needs.

www.sec.gov/rules/final/34-38245.txt

AUTHOR

Jennifer Lee, a freelance writer living in Toronto who covers compliance and regulatory developments for Thomson Reuters Accelus.


SOCIAL MEDIA OVERSIGHT LAGGING IN FIRMS: COMPLIANCE PROS SAY IN SEMINAR SURVEY

At a social media webinar hosted by Thomson Reuters Accelus entitled “The Case for Social Media Governance,” participants learned that business spending for social media is predicted at current rates to triple by 2017, to 19.5 percent of digital budgets. The number of social media job-related positions in business-to-business firms has grown by 600 percent in the last five years.

“A company should not forget that (social media) deployment across the enterprise needs to be monitored and measured so the tools are used to the company’s advantage and according to regulations appropriate to the company’s industry,” said John Hair, director and social media governance lead at KPMG LLP. Hair and Sanjaya Krishna, principal, digital risk consulting at KPMG, conducted the webinar.

In a survey of webinar participants, 81 said their companies had a social media use policy and 102 said they did not.

Marketing departments were cited most commonly as having accountability for social media communications in a company, with 73 participants citing those units, compared with 27 who said compliance had the duty and 21 saying it was a duty of the communications department.

Each department has its own objectives in using social media – from attracting the best new hires to acquiring new customers, the speakers said.

A key way to manage risk, Hair noted, was to spread the use and monitoring across departments, so each one had a seat at the table in setting policy.

Few participants said their employers were using social media tools to learn what people were saying about their companies, although the speakers recommended doing so. Nearly one-fourth said they did not think their companies were using such tools; others were unsure.

“Understanding what the marketplace is saying is important not just for measuring success of marketing efforts, but also so the company can determine what reputational risks might potentially exist,” Krishna said.

The participants also expressed uncertainty or doubt that their companies conducted a formal review of the terms and conditions of a social media site each time they established a new presence; for example, when setting up a new Facebook page.

An effective external social media governance program will monitor these terms and conditions to make sure they address key areas such as intellectual property rights, disclaimers and whether social media postings are discoverable in legal actions.

A full two-thirds of the listeners who responded said “no,” when asked if they felt confident that their organizations have an adequate social media governance program in place.

Both presenters stressed how important it is to establish effective governance protocols expressing the “voice of the company” on social media. These include identifying behaviors expected of social media participants, monitoring emerging regulatory guidelines across multiple jurisdictions and having a data-retention policy for legal and audit purposes.

The challenges are evolving, they said, but the companies that tackle them early will profit most from the careful application of good governance when implementing these increasingly popular tools.

Article Link: http://www.complinet.com/global/news/news/article.html?ref=158418

AUTHOR Julie DiMauro is a senior editor with Thomson Reuters-GRC in New York. She writes pieces on regulatory compliance issues and edits contributions from a wide variety of expert authors. Follow Julie on Twitter: https://twitter.com/Julie_DiMauro


Many compliance and governance professionals at an online seminar on social media said they did not believe their companies were monitoring online discussions carefully, even though several reported their companies had adopted or recently amended policies intended to better control corporate use of social networks.


In a recent webcast sponsored by Thomson Reuters Accelus and KPMG an audience of 355 attendees were polled on their organization’s use of social media and the governance policies in place to address risk exposure and employee training. Below are the results of the interactive polling session.

To view the on-demand webcast: http://accelus.thomsonreuters.com/content/case-social-media-governance

[Charts: percentage of responses to each poll question below; the first chart shows PRESENT and FUTURE series]

What is the primary way in which your organization currently uses social media? What is the primary focus of future development of social media for your organization?

• Engaging with customers

• Connect with current or potential employees

• Support use of mobile technologies

• Supporting a change of culture across your organization

• Manage or gain insight into market risk

When did your organization create or last amend policies that address social media use by your workforce?

• Less than 6 months ago

• 6 – 12 months

• 12 – 18 months

• More than 18 months ago

• We’ve never considered the impact of social media on current policies or guidelines

Does your organization have specific employee training modules covering social media use?

• Yes

• No

What operational area within your organization holds ultimate accountability for social media?

• Marketing

• Communications

• Compliance

• Legal

• IT

• Other

• I don’t know

Are you actively using social media monitoring/listening tools to better understand discussions about your company?

• Yes

• No

• I am not sure if we are using these tools

Do you feel confident that your organization has adequate governance in place in all of the areas discussed?

• Yes

• No


REGISTERED REPS SHOULD USE SOCIAL MEDIA, BUT WITH SAFEGUARDS

While social media may be used by investment professionals, it is tricky and full of potential compliance traps. Proper precautions are necessary to avoid administering blanket opinions that may mislead investors.


Certain types of investment firms, such as hedge funds and registered investment advisors, that use media should be aware of the legal constraints that they are obligated to follow. Professionals should weigh the cost versus the benefit of communicating to investors and the public through social media, given the high risk of impropriety.

SOCIAL MEDIA RISKS

A general rule for use of social media is that a person should never email or post any information to the Internet that he would not be comfortable with his mother or a law enforcement official reading.

For investment advisors, there are more specific guidelines to be followed. Under the prudent investor rule, it is permissible for named fiduciaries to administer investment advice, but they must go about this in a careful way. The fiduciary must make sure that the recommendation is suitable for the particular client, and the process of issuing a proper recommendation involves ample due diligence and an assessment of return and risk tolerance.

An assessment of risk comprises an analysis of the client’s willingness and ability to bear risk. Willingness is highly specific to the individual; it is defined as the client’s emotional preferences about volatility. Ability is not participant specific; it is defined as the volatility level that should pertain to a client given his age, dependents, life expectancy, etc. A fiduciary must take into account the overall portfolio objectives when determining the suitability of the investment. Factors such as timing, taxes, liquidity, legal and unique circumstances should be considered.

A significant risk for investment professionals who use social media is having their ideas become construed as investment advice. The high degree of prudence for fiduciaries required seems to be at odds with the way that social media works. The speed of response is a mouse click on social sites. Discussions that occur in chat rooms, on Facebook status updates, and through tweeting can instantly spiral out of control. Messages can go very far, very fast.

If an investor following a portfolio manager on Twitter interprets her general statements as a suggestion to buy a security that goes south, this could constitute potential liability for her. This can happen easily because of the lightning speed at which information is disseminated on the Internet.

Testimonials represent another potential trap. If an advisor writes a testimonial on LinkedIn about how successful at picking stocks a friend from business school has become, people reading this on LinkedIn may think that the advisor is endorsing the friend. If the friend recommends a stock that goes the wrong way, it is a potential liability to the recommender. Simply “liking” someone or a particular company on Facebook may be taken as an endorsement. Registered professionals must also use caution about who writes testimonials about them, because the claims may be exaggerated, vague or misleading; this could potentially be false advertising.

Other risks are reputational. Social media has made it easy for personal information to be displayed to the public. Personal and professional lives are no longer separate on the Internet. Investment advisers who are users of Facebook should be aware that clients and prospects might be able to read what they post on their walls and the comments they make. It can be beneficial to adjust privacy settings so they can control what is posted on their wall by others. They should exercise discretion over the photos in which they may be “tagged.” Prudence should be espoused when posting personal photographs, and access should be limited.

MITIGATE THE RISKS

There are numerous ways to decrease the risk of using social media. Investment professionals should consult an attorney who is an expert on these compliance issues for day-to-day guidance. Merely including disclaimers at the end of a thought piece, for example, seems like a quick fix – but it is not a comprehensive solution.

One way to avoid issuing blanket investment advice through social media is to refrain from phrasing thoughts in ways that sound like suggestions. To do this, it may be necessary to limit the scope of commentary or adopt a reflective, rather than authoritative, writing tone. Many professionals will refuse to discuss their opinions on specific stocks or exchange-traded funds publicly, so their ideas about such instruments will not be interpreted as an official recommendation.

Hedge funds cannot publicly advertise their products to non-accredited investors. Such professionals should therefore use caution even when setting up personal profiles on social sites such as Facebook. The most prudent course of action is to present only basic information such as the fund’s name and standard contact information.

Social media policy should be applied to the Internet behavior of all members of a company. Employees should be administered a handbook containing the explicitly stated social media policy that they must read and agree in writing to follow. Employers should randomly audit their employees’ profiles on such sites as LinkedIn, Facebook and Twitter to ensure that rules are being followed, and make a plan to update the policy as the business changes and technology advances.

WEIGHING THE COST AND BENEFIT

The administrative task of maintaining compliance for registered investment advisor firms using social media can be time consuming and costly. It is unclear if social media is even an effective way to market investment services. The boom of digital communication has generated an information overload. Even in the Internet age, relationships of trust are still built through face-to-face contact and handshakes. Social media users should weigh the potential benefits versus the burden necessary to ensure compliance with legal guidelines.

Disclaimer: This document is not intended as a form of legal recommendation or advice. Professionals seeking such advice should contact their compliance personnel or seek the guidance of an attorney.

Article Link: http://www.complinet.com/global/news/news/article.html?ref=158343

AUTHOR Sara Grillo, CFA, is a portfolio manager at Grillo Investment Management

Grillo Investment Management: http://saragrilloinvestments.com/


IA BRIEF: STATE LAWS MAY REQUIRE FIRMS TO RE-THINK SOCIAL MEDIA POLICIES

Federal and state privacy legislation aiming to protect against employer access to private social media websites may put Broker-Dealers and Investment Advisers in a bind – unable to fully supervise certain social-media and electronic communications used by their representatives.

Financial services firms have been carefully embracing social media over the last few years. Firms have shaped policies and procedures with a balance between the needs and wants of their representatives while still making it possible to supervise and ensure compliance with regulatory regulations and guidance.

Some adopted and proposed state legislation on social media conflicts with that delicate balance, even preventing firms from fulfilling current regulatory obligations. The legislation may require a firm to modify its policies and procedures in areas including: types of sites allowed, frequency and content of attestations or certifications of adherence to the firm policies, surveillance techniques and the amount of staff or time allotted to social-media supervision.

The Financial Industry Regulatory Authority (FINRA) and the Securities and Exchange Commission (SEC) have published recent notices that include defining the types of social media postings, general supervision guidelines and specific electronic record-keeping requirements. The SEC and FINRA have laid out general regulatory guidance but left most of the specifics to the firms and their compliance departments.

Under federal and FINRA guidance, a firm that allows any type of business-related social media is required to supervise the business communications, offer training for those individuals and fulfill certain record-keeping requirements. The regulators have been in concert with their message: if a firm believes that they cannot effectively capture social media communications, they shouldn’t allow it.


At the state level, Maryland, Illinois and California have already passed social-media legislation. Other states including Delaware, Massachusetts, Minnesota and New York are considering similar social media privacy bills. For example, in Maryland, employers are prohibited from requesting or requiring information such as the username or password to access an employee’s or applicant’s personal social media accounts, such as on Facebook and Twitter. The legislation does have a slight carve-out, permitting an investigation for ensuring compliance with applicable securities requirements, although the firm must first have information indicating a potential wrongdoing.

Some firms use online monitoring systems that require a representative’s social media credentials, so firms can retain the business communications and supervise. Few if any firms are believed to allow representatives to use personal social media outlets for business, said Paul Cox, CEO of Business Compliance Partners, a San Diego-based compliance consulting firm. For those who do, the practice will be eliminated as a result of the many state laws.

Exceptions to the MD law allowing access to personal accounts based on indications of wrongdoing nonetheless sharply restrict routine monitoring, contrary to the principles of continuous supervision required at broker-dealers or investment advisers. Firms will have to rely on a representative’s word or written attestation and public information from social media sites to ensure that someone is not using a personal site for business use, violating firm policies and ultimately misleading the investing public.

POSSIBLE CONSEQUENCES OR CHANGES

Social media use will grow at a rapid pace, but the state laws may make firms re-think their current social media programs and even limit them further in some cases.

Possible consequences or changes to consider may include:

• A shift to more corporate social media sites. This is especially apparent with social media sites with privacy settings, such as Facebook. “The progressive firms will build company websites and have their associates link to their corporate sites so that they can integrate their marketing efforts,” Cox said. This would be, he said, “likely to deter the temptation to use a personal account for business purposes.”

• Limits or bans on the use of social media sites that have private content. For example, firms may modify their procedures to only allow sites like LinkedIn or Twitter that have a more open architecture.

• Require more-specific personal-use policies, including a ban on business content on a personal social media site. A firm may also have to be specific on what social media sites it does not allow for any type of business communications.

• More frequent attestations or certifications of policy adherence at firms that bar business communications on personal sites or certain social media sites. Increased training may also be necessary.

• Reviewing in routine supervision of public information on social media, gathered through an online retention tool or manually. This may require more staff and time.

• Firms may try to have representatives agree to a “friend” relationship, or to follow a specific individual at the firm to enable ongoing supervision. This type of fix may contradict the spirit of the new laws and may be challenged by a representative.

• Firms may also have to resort to reviewing an individual’s personal social media sites “over-the-shoulder” to ensure compliance, resulting in additional time and resources.

The wave of state legislation on this issue will most likely continue and federal legislation has been proposed. The brokerage and adviser community along with FINRA will continue to make their point heard – industry groups had proposed a broker exception for the California law. In other words, it’s time to consider the options to ensure compliance on all points.

The California and Maryland laws and a copy of the proposed federal legislation can be found at the following links.

California: http://leginfo.legislature.ca.gov/faces/billSearchClient.xhtml

Maryland: http://mlis.state.md.us/2012rs/bills/sb/sb0433t.pdf

Copy of proposed legislation: http://www.gpo.gov/fdsys/pkg/BILLS-112hr5684ih/pdf/BILLS-112hr5684ih.pdf

AUTHOR

Jason Wallace is a senior editor for Thomson Reuters Accelus. Jason began his career at TD Waterhouse Securities Inc., now TD Ameritrade Inc., where he held key positions in the Trading, Risk Management and Compliance departments for both retail and institutional sides of the firm. Jason joined Thomson Reuters Accelus after serving as an associate director for National Regulatory Services, in San Diego, California. Follow Jason on Twitter @Wallace_iabrief


It is important for compliance professionals and

other managers in a company to consider how

it uses its social media communications when

tackling incident response. Even with a crisis

communication process already in place, one

must make sure it includes the use of social

media as instruments in relaying information

to the public.

After all, it’s been widely demonstrated how quickly news can spread

on Twitter. LinkedIn’s own social-media crisis response did not impress

many after more than 6 million user passwords got leaked recently, and

cloud-storage fi rm Dropbox faced challenges of its own dealing with

a security breach. While the National Institute of Standards and

Technology (NIST) Report SP 800-61 gives good guidelines on the

positive aspects of fully and effectively communicating important

information to the public, there is more that could be done to harness

social media to response to unwelcome events and allegations against

a company.

THE NEED FOR SPEED

Social-media crisis response elevates the importance of speed in crisis

communications. With social media crisis management, time is of the

essence: The fi rst 24 hours are crucial, as this is when people will cast

their digital nets out and frantically search for information.

Assuming that you have an established and tested incident response

plan, the next stage is being prepared, since the Internet does not wait

for a company to respond. The news will spread with or without your

involvement.

You have a chance to take control, however. Assuming incident response

is already well established in your organization, you are in good shape,

as you have most of the building blocks in place. One easy block that

should be added right away is a Web page dedicated to a potential

crisis or breach.

Having this prepared with an easy structure to follow will enable you

to control the fl ow of information very quickly. The structure of your Web

page should follow what I call the “Three As,” with the following sections:

• Acknowledgement: This early, you may not know much, but you could

look at: Who attacked you? Why? When did it happen? How did it

happen? How widespread? What or who does it affect? How did you

find out?

THE SOCIAL MEDIA SIDE

OF INCIDENT RESPONSE


Although it is the key function of your public relations or media department to formulate these communications, your role as a compliance professional is to make sure you have reviewed them and they accurately reflect your responsibilities in informing the public and regulators of your company’s incident response efforts. Plus, it is best not to be taken by surprise by any of these announcements to the public, given your role as a compliance or risk manager for the company.

First and foremost, take ownership: Passing the buck or blaming others is not an acceptable response. Of course, there will be instances where you cannot divulge many of the details (e.g., if law enforcement is involved), but do not let this distract from the fact that you have to acknowledge something, even if you cannot share details. The result of no acknowledgement will be inflated speculation, which should be avoided.

• Apology: All too often, organizations do not acknowledge that their customers, partners, stakeholders, etc. may be worried, inconvenienced or in need of reassurance. Even if you do not know much at this stage, show you feel the pain and that you are trying to make it go away. Acknowledgment that you are listening and seeking answers buys a lot of time and, more importantly, can quell anger and resentment.

• Action: You need to share what steps you propose to take or have already taken to: 1) determine what happened; 2) prevent it from recurring, and 3) maintain the trust of customers, stakeholders, partners, and others.

You also need to reassure your customers, partners and stakeholders and show them you understand the situation. For example, we all know that criminals will piggy-back on any type of newsworthy event or crisis, and we also know that this is an excellent opportunity to start social engineering attacks (e.g., phishing), which are always launched very quickly. Take this opportunity to warn everyone that this could happen and how you will communicate (e.g., “we will always...” or “we will never...”) and make sure everything is consistent. In other words, if you send an email out, make sure the text of the email is included on your website, so your customers can clearly see it is not a phishing scam. It is often best to avoid including links in emails to support this impression.

Design your Web page with this structure in mind so content can easily be dropped in as needed.

HEAD FOR SPREAD

With your Web page, you now have a single and simple point of referral. But having a page does not ensure that people seeking information will find it. You need to become the central hub for information on the crisis.

You cannot do this on your own. Again, I offer another “Three As”:

• Amplification: Use all the social media avenues available to you: Twitter, Facebook, YouTube, Google+, LinkedIn, and blogs. Use these to direct information seekers to your crisis webpage. Do this often – at least two or three times a day to cater for the different time zones, and understand that the world is watching you, even if you only operate in one country or time zone. Keep your Web page updated as and when you know more and amplify it by using all the tools at your disposal (e.g., create your own hash tag first). Offer advice when you can, but be careful not to be patronizing.

• Advocacy: It is not new that in any kind of crisis communication, third-party experts (these can be industry commentators, journalists, experts in your field, etc.) will be the most trusted group. Seek them out and give them the information. Also, seek out your allies and partners and keep them informed. Finally, take a deep breath and trust your employees to be your advocates.

There is limitless untapped value in personal social networks. If you want your employees to be your advocates, be sure they know first – before the media and external parties – what messages are going to be delivered, and where possible, draft messages that they can use if they so wish. They can not only alert you to opportunities but also to crisis issues via their own networks. The key word here is enablement.

• Adhesion: Facing a crisis situation does not mean you have to surrender your corporate values. Be sure your messages are constructed within the framework of your corporate image, as now is not the time to surrender caution and governance. In addition, be clear about your limits: You cannot solve every problem for everyone, so you’ll have to think of a way of pacifying part of your (unhappy) audience when solutions cannot be found quickly. In addition, now is not the time to lapse on customer service. You can be speedy and achieve spread successfully, but if you don’t follow through with good customer service and deliver on your promises, all of this will be in vain.

CHECK THE DECKS

So now that you have achieved speed and spread, you have a couple more things to do before you become the de facto information hub for the crisis at hand. This is perhaps the scariest step, because this is where you have to open up. Yet again, there are three more “As” for you, and these are about stacking the odds in your favor:

• Analysis: You have to monitor real-time content on the various networks to categorize and prepare the type of content needed on your webpage.

• Answer: Invite comments and answer them on your Web page. This can be scary, but bear in mind that not inviting comments will have a negative impact on your brand. It is possible to manage comments successfully by remembering a few things. First, not every comment requires a reply and you must know when to disengage; if a hostile ring leader emerges, it is sometimes best to take the discussion out of the social media sphere and engage directly. Second, there is never any harm in specifying your rules of engagement (e.g., no foul language allowed). Third, keep up with the Joneses: If a negative blog entry is posted, respond with a positive entry from you, the communications team or your CEO, etc. A dignified reply will go a long way, as you prepare to distribute a longer message or action plan later.

• Aggregation: As you are getting the hang of it, you are now ready to become the de facto information hub by posting all stories on the crisis on your webpage, positive or negative. You will rapidly realize that you cannot control the conversation – but you are in complete control of where the conversation appears on your webpage, so make sure your opinion and your content have prominent and favorable placement.

Basically, a successful social media crisis response strategy can be summarized by:

1. The need for speed;

2. Head for spread; and

3. Check the decks.

Suffering a crisis is not the end of the world, and you might just be able to turn it to your advantage. As ever, the best line of defense is being prepared.

Link to Article: http://www.complinet.com/global/news/news/article.html?ref=158022

AUTHOR

Neira Jones is Head of Payment Security at Barclaycard, where she manages security compliance for approximately 100,000 customers. She has been on the PCI Security Standards Council Board of Advisors since 2009, and she was inducted into the Infosecurity Europe Hall of Fame in April 2011.


RISK MANAGEMENT IN AN EVOLVING WORLD: THE CASE FOR SOCIAL MEDIA GOVERNANCE


SANJAYA KRISHNA

PHILLIP J. LAGESCHULTE

H. JOHN HAIR


Social media vehicles such as Internet forums, blogs,

podcasts, and tweeting are becoming a key element

of business strategy. From engaging customers in real

time, to adding sales channels and enhancing market

research, organizations are discovering new ways

to use social media. As the evolution continues,

innovative organizations will find even more ways to

increase the return on their social media investments.

For all its advantages, social media also brings inherent risks, including

threats to confidential information, intellectual property, and reputation

as well as the potential for regulatory infractions. Thus, organizations

must develop and maintain a clear-cut governance framework as a

central part of their social media strategy.

A key challenge for corporate audit committees is to help ensure that

management – spearheaded by marketing and closely supported

by legal/compliance and IT – develops a social media governance

framework that can address the range of internal and external risks

and keep pace with social media’s rapid evolution. Organizations

need to focus on social media through three separate – but overlapping

– lenses:

• Governance of workforce use of social media through both

personal and corporate platforms

• Governance of public-facing “voice of the company” programs

that employ social media for marketing and communications

purposes; and

• Consideration of how social media monitoring can inform a company’s

policy enforcement and enterprise risk management (ERM) programs

and enhance reputational risk management.

SOCIAL MEDIA GOVERNANCE FOR THE WORKFORCE

Corporate workforces are continually active on social networking sites

through both personal and corporate platforms. This activity poses

considerable reputation and revenue risks to organizations, such as data

leakage via posting of work-related matters or other misuse of company

intellectual property; reduction in workforce effectiveness; ineffective use

of company bandwidth; and introduction of viruses

and malware.

Organizations need to develop internal social media governance

guidelines and inform employees and third-party entities about

expectations regarding the use of social networking applications. At the

same time, organizations will want to avoid a “big brother” reputation

when it comes to workforce privacy, which can undermine employee trust.

Balancing these competing concerns is a daunting task.

Studies show that employees spend significant time accessing and using

social media while at work, using company devices. Security technologies

can help address potentially detrimental issues of bandwidth utilization

and virus/malware introduction. An added dimension of risk arises from

workforce use of social media because most of these communications

occur outside the direct control of the company, such as via home PCs

and cell phones.

Therefore, organizations must develop a clearly defined policy for

employee use of social media – on both the company’s enterprise

technology and employees’ personal devices. This policy should address:

• Proper use of company devices to access external social media sites

• Guidelines and restrictions regarding disclosure of company matters,

including product development and business plans; use of registered

phrases and other intellectual property; and workplace conduct

• Training requirements for social media technologies

• Rights and responsibilities of the company to monitor

workforce postings on social media.

GOVERNING THE “VOICE OF THE COMPANY” IN SOCIAL MEDIA

Without guidance, social media participants can become unsupervised

company spokespeople. Thus, managing reputational risk remains a key

challenge. The goal should be to design an enterprise-wide governance

program that supports innovative adoption of social media tools while

addressing their risks.

The first step in developing a market-facing social media program is to

assess where you are now in your social media maturity. Management

should then address the following issues:

• How will social media be used and by whom (both within the company

and in the external marketplace)?

• Who is our target audience, and what behaviors do we want to drive?

• Who are the key staff who will be accountable for social media activity

and what training will they require?

• What are our procedures for message approval so that key

constituents – such as legal/regulatory, HR, and marketing/

communications – can provide timely input?

• What crisis response practices have we established? Do they

reflect the aggressive timeline that social media requires?

• What are our access control frameworks for responsibilities

that we share with external parties?

• What are the rights and responsibilities of the company in our

use of social monitoring data from public forums?


MANAGING RISKS AND OPPORTUNITIES OF SOCIAL MEDIA

Social media technologies are continuing to evolve quickly, promising

shifts in behavior by customers and workforces, new regulatory

implications, and new risks and opportunities. Hence, organizations

can use social media monitoring to inform their ERM programs.

Management must demonstrate a strategic understanding of how

social media is evolving, how it affects the business, and what risks

are associated with it. Questions to consider include:

• How can we listen and respond to what the marketplace is saying

about the company?

• Have we identified and communicated the risks posed by our industry

and market’s use of social media related to information protection,

reputation risk, and legal/regulatory risk?

• How effective are our controls around these risks?

Still, an organization’s social media focus should not entirely be about

mitigating risk. It must also examine trends to identify opportunities,

such as establishing new electronic product channels for a specific

target audience or creating a viral advertising campaign through social

media vehicles. As a result, organizations need to monitor the major

social media networks to identify both potential problems and major

opportunities. This may require dedicated resources. It may also be

a good idea to have a proactive plan for deciding when and how

to respond to potential reputational issues being discussed in

social media.

CONCLUSION

For most organizations, social media is at the beginning of its maturity

curve. The rapid adoption of social media vehicles, combined with

the rapid evolution of the Web 2.0 technologies, presents a complex

challenge, especially for organizations in highly regulated industries.

Harnessing the power of social media can present specific risks to

the organization. At the same time, the speed at which Web 2.0

technologies and market demands are evolving presents organizations

with both great opportunity and greater need for governance.

Organizations need to build on their social media strengths while helping

to ensure they have a strong foundation of governance – a foundation

that enables them to:

• Identify social media risks and opportunities

• Enhance demonstrable controls of social media programs, satisfying

both audit and compliance program demands

• Anticipate emerging regulatory compliance issues that may dictate

their social media activities on a global basis

• Improve key third-party relationships with regard to social media

technologies and utilization

• Gain stronger consensus among internal organizational areas affected

by social media regarding strategic direction and risk management.

ABOUT THE AUTHORS

Sanjaya Krishna is a principal in KPMG’s Advisory practice and U.S.

Digital Services Leader within KPMG’s Information, Communications

and Entertainment practice. Sanjaya focuses on client challenges and

opportunities related to emerging digital media areas, including

social media.

Phillip J. Lageschulte is an IT Advisory partner and the Global and

Americas Service Line Leader for KPMG’s IT Audit Services practice, with

over 23 years’ experience providing information technology consulting and

assurance services to clients across a variety of industries. He recently led

an Information Systems Audit and Control Association (www.isaca.org)

task force to publish a book on cloud computing, IT Control Objectives for

Cloud Computing (2011 ISACA).

H. John Hair, an Advisory director in KPMG LLP’s IT Internal Audit

practice, leads KPMG in the area of social media governance, with

over 20 years of global development and operational management

experience in new technology adoption. John has led KPMG teams

providing audit/assessment reviews of social media programs for

some of the firm’s key national clients.

ABOUT KPMG LLP

Advisory

KPMG’s professionals combine technical, market, and business skills that

allow them to deliver objective advice and guidance that help the firm’s

clients grow their businesses, improve their performance, and manage

risk more effectively.

Audit

Audit teams equipped with a high level of technical skills and empowered

with professional skepticism provide the heart and soul of a good audit.

Tax

Through a forward-thinking multidisciplinary approach, technical

experience, and deep industry knowledge, KPMG’s Tax professionals

can add value and help organizations manage the tax complexities

of an ever-changing business environment.

CONTACT US

For more information about KPMG’s Social Media services,

please contact:

Sanjaya Krishna

Principal, Advisory and U.S. Digital Services Leader

212-954-6451


Phil Lageschulte

Partner, Advisory and Global IT Internal Audit Services Leader

312-665-5380


H. John Hair

Director, Advisory

312-665-3606



THOMSON REUTERS GOVERNANCE, RISK AND COMPLIANCE

Through the Thomson Reuters Accelus suite of products, the Governance, Risk &

Compliance business dynamically connects business transactions, strategy and

operations to the ever-changing regulatory environment, providing highly regulated

firms with informed outcomes.

Thomson Reuters Accelus is a comprehensive suite of solutions specifically built to

address the governance, risk and compliance challenges faced by the boardroom, and its

legal, compliance, audit and risk management professionals. Thomson Reuters Accelus

helps customers manage their risk exposure and accelerate their business at every step.

© Copyright Thomson Reuters 2012. All rights reserved. Except as permitted by law, no part of this document may be reproduced or transmitted by any process or means without the prior consent of Thomson Reuters. Thomson Reuters, by publishing this document, does not guarantee that any information contained herein is and will remain accurate or that use of the information will ensure correct and faultless operation of the relevant service or equipment. Thomson Reuters, its agents and employees shall not be held liable to or through any user for any loss or damage whatsoever resulting from reliance on the information contained herein. 002449 1012.