Creating effective governance for social media and social networks in regulated business environments

New social technologies have become part of the mainstream and they will clearly impact the privacy landscape for the foreseeable future. However, the web 2.0 world is very much the wild, wild West with technology advances far outstripping existing consumer protections and regulatory statues. While we are strong advocates of the use of these tools in business – even in regulated environments – privacy, compliance and risk must be strongly considered before corporate-sanctioned engagement begins.  This is a broad topic that shifts constantly. To help you get started, we’ll cover the following in this post:

  • What are the main considerations when setting up governance?
  • Who needs to be involved with the discussion?
  • Establishing ownership is an important business decision.
  • Conducting a risk assessment of the current environment.

The importance of continuity and sustainability in regards to an organization’s approach to these tools.
What are the main considerations when you are setting up governance?

First consideration – there really are no best practices. While many companies are feeling the urgency to use social media, governance is often neglected, ignored or overbuilt. Regulatory agencies are in the same predicament as most companies. They are learning as they go. Early writings provide some clear guidelines (e.g. FDA, FINRA Regulatory Notice 10.06 and Massachusetts 201 CMR 17.00) but much of this may transform as the technology continues to evolve, ecommerce expands and global forces have their say. While it is always good to “comparison shop” and look at how other companies are handling these issues, be wary of “silver-bullet” solutions. Evaluate using a simple test:

  • Is the system measurable and reportable?
  • Is it tied to business strategy and likely business uses for the organization?
  • Does it fairly balance business advantage with business risk?
  • Is it simple enough that the average user can easily comply?
  • Is it designed for easy up-dating…as everything in this area should be evaluated frequently to ensure its relevance?

Second consideration – governance and user policies are different areas for consideration. Social media governance is an enterprise concern and it requires executive participation to allocate the necessary level of organizational clout and top-level resources to ensure success. Policies are tactical. We recommend companies develop executive steering committees to determine governance while leveraging existing technology use and proper business conduct policies to cover users.

Third consideration – seek guidance from experts who understand these technologies in a broad market sense and who understand how your business works. There is no point in investing in these tools unless you actually intend to use them. They take time and resources to deliver ROI. In addition, the power comes from long term engagement, not periodic use. The most effective business strategies have a longer horizon than most companies realize. This is not a job for an intern or a non-strategic thinker. Poor management of these tools has potentially serious consequences as mistakes are amplified. Seek resources with considerable skill, expertise with the tools and knowledge of the regulations your companies face. If you don’t have in-house talent seek outside subject-matter experts with practical business knowledge.

Fourth consideration – passive vs active approaches present different levels of risk. Social media is extremely versatile and companies reluctant to adopt a high-profile presence can still take advantage of these powerful tools. Adopting a passive approach is one way to get started. Passive social media users take advantage of the content and the accelerated speed of delivery through twitter and Google searches; blogs streamed using RSS feeds and targeted use of tools like LinkedIn for recruiting talent and collaboration. It makes good business sense and is pretty low risk. Actively posting content, publishing blogs, uploading to YouTube, building facilitated communities and soliciting followers introduces higher risk. Lock down is not the answer; determine the solution that’s right for your organization by carefully considering the business goals vs the appetite for risk.

Who needs to be involved with the governance discussion?
Unsurprisingly, a collaborative approach at the enterprise-level usually yields the best business results and can also significantly reduce overall risk. One caveat, the key word is collaboration. We recommend an executive steering committee comprised of key players that don’t normally cooperate easily. Look at your organization to determine the appropriate participants. We think the list should include some combination of HR, IT, Risk, Privacy, Compliance, Audit, Legal, Marketing, Investor Relations, PR and Security along with representatives from any business areas utilizing the tools. As these tools touch so many business areas and represent layered risk, anything less leaves an organization vulnerable. You also need someone with real-world; up-to-date understanding of the tools and the latest user trends to provide subject matter expertise and a highly skilled moderator/facilitator so the group remains productive.

We also counsel businesses to treat governance as a corporate responsibility because of the potential impact to brand integrity in the event of a problem. In a web 2.0 world, a company’s response to a mistake or a negative campaign is vital as missteps can amplify and accelerate a  negative message (e.g. Nestle vs Greenpeace).  Companies engaging in social media need to prepare for this possibility in advance as there is no time to create a coherent plan once a problem occurs.

Establishing ownership is an important business decision:
As part of the governance process, ownership must be established to ensure a single entity manages these tools. Social media is extremely powerful and should not be maintained by interns or non-strategic employees (even very skilled ones). Ad hoc use increases corporate risk ten-fold. While marketing is a natural early adopter; sales, PR and HR are also becoming heavy users. IT may manage the platforms and the vendor relationships and they will certainly use the tools for collaboration, but they are far removed from the business applications. Choose a social media business owner within the organization who can:

  • chair the steering committee in a productive manner.
  • strategically analyze social media data and synthesize it for executive use.
  • analyze risk factors and elevate concerns professionally.
  • evaluate regulatory statutes in relation to the sanctioned tools.
  • manage crisis using sound professional judgment.
  • balance long term needs with short term concerns.
  • balance the business demands with the risk concerns.

Conducting a risk assessment of your current environment:
Once you have a designated business owner, now you need data. Like it or not, your employees are undoubtedly utilizing social media in some form within your company today. Handhelds, iPads and netbooks have reduced our dependence on desktops and keep employees connected 24×7 regardless of their physical location. To ascertain the existing organizational risk, we recommend the designated business owner conduct a preliminary assessment to allow for a quick analysis of the existing risk. Don’t get too bogged down by this, you only need enough data to get started. Schedule the assessment concurrently with the formation of the steering committee. Once you have the steering committee, ongoing risk assessments should be a continued part of any agenda because of the changing environment. A sample of useful data includes:

  • a catalog of the tools currently sanctioned by the company.
  • how they are used within the business and any known associated risks.
  • a list of the current tool “owners”.
  • any security protocols and user policies in existence.
  • data associated with or stored in the tools along with a list of who has access.
  • any outstanding or pending issues (related to regulatory or even internal audit complaints) associated with the tools.

The importance of continuity and sustainability in regards to an organization’s approach to these tools. A distinct difference between social media and more traditional, static technology is the high level of engagement demanded to achieve the maximum ROI. Building engagement takes time, there is no short cut and once it is achieved, it must be facilitated and maintained over time for it to continue to provide value. Choosing to utilize social media effectively requires a long term business commitment of resources, analysis and oversight. As long as social media is an active part of a company’s business strategy, this will not change. Sufficient executive sponsorship, budget resources and ROI analysis are key elements to business success. Companies unable or unwilling to devote this level of commitment should a) maintain more of a passive presence and avoid more visible, active participation in social media or b) avoid it altogether.

Photo by NordWood Themes