Published on March 4, 2014
Title: Mapping Organizational Roles & Responsibilities for Social Media Risk Subtitle: How to Define and Implement Organizational Roles and Responsibilities for Enterprise Social Media Risk Management 1
Executive Summary Social media has introduced a wide array of opportunities for organizations to engage with customers and partners. Marketers have been tasked with capitalizing on these opportunities. But with these opportunities comes risks – like a damaged brand reputation, regulatory violations, privacy issues, intellectual property compromises, social engineering, Astroturf-‐ing, phishing, and the list goes on. What is less clear is who is responsible for managing and mitigating the risks tied to social media. To get optimal value from social media efforts, organizations need to establish controls for the downsides of the technology by first clearly defining which roles within their unique corporate structure should be involved in social media risk management and their specific responsibilities. Organizations then need to give those roles the proper tools, such as policies and technologies, to be successful at identifying, managing, and mitigating social media risks. This report will outline a framework for assigning roles and responsibilities to manage social media risk. 2
Social Media Is Opening New Opportunities… And Risks Whether it is a Facebook page, a Twitter stream, a Tumblr blog, a Pinterest page, or another social channel, consumers are jumping on the social media bandwagon. For example, it was reported that, on Facebook alone, there were 1.15 billion monthly active users with 819 million views via some kind of mobile device.i Twitter has approximately 500 million users with more than 200 million identified as active.ii Video platform, YouTube, has over a billion unique users every month.iii The most-‐ visited consumer social networks include well-‐known platforms like Facebook, Twitter, Foursquare, Pinterest, and Tumblr, along with lesser known, but growing, platforms like Pheed, Thumb, and Vine. Social Adoption in Organizations Is Maturing No brand wants to be too far away from their customers, so companies are working diligently to meet consumers where they are, on social media platforms. Today, more than 79% of all companies are using, or are in the process of adopting, one or more social media channels as a primary conduit to their customers.iv Many of these companies are experiencing great success, like iconic brands Walmart, Target, and Amazon (see Figure 1).v Their efforts are spread across channels, with 77% of the Fortune 500 using Twitter, 70% employing Facebook, and 69% on YouTube. What are companies using social media for? 59% use it to engage with their customers, 49% to advertise, 35% to conduct research on their customers, and 30% to conduct research on competitors and new products.vi Figure 1: Connecting with Customers on Social Media 3
Social Media Is Also Exposing Brands to Risk For all of its amazing upsides for companies, such as being able to directly interact with customers, there is also an ugly underside to social media – the risks to companies from social media. Whether it is damaging the reputation of a company, releasing of confidential information, regulatory and compliance risks, or identity theft, social media comes with its own set of risks based upon the unique, highly interactive, complex, and almost uncontrollable nature of the interactions. The manifestation of social media risk can be as low-‐level as an unsatisfied customer tweeting to someone, to as extreme as the $200 billion of value that was erased from the U.S. stock markets after a fraudulent tweet, supposedly from the Associated Press, was sent out about an explosion at the White House.vii Who Does What, and Who Pays for It? Social media is a new channel with new ways of interacting and new risks that prompt the question – who is responsible for managing the risks? For example, the CIO, if the company has one, is the person responsible for managing IT risks like hardware downtime, and stopping hackers. When it comes to managing financial risks, like regulatory changes, fraud and interest rate changes, it is pretty clear that the CFO should be responsible for ensuring that those types of risks don’t significantly affect the company. But who is responsible for managing social media risk? Roles with an Interest in Social Media Risk Management With the unique nature of social media, responsibility for managing and mitigating social media risk is often spread across numerous departments. That responsibility is also typically spread across a number of corporate functions, including Marketing, IT, Communications, Legal, Audit, Risk, and Human Resources. The best way for companies to align organizational responsibility and governance is to break it down by three levels – titles, roles, and responsibilities across seven necessary functional areas as follows: Marketing and Communications Management Representative Titles: Chief Marketing Officer, Vice President of Marketing, and Vice President of Corporate Communications. Role Level: Strategic. Social Media Responsibilities: Generally serves as executive sponsor or executive owner of social media initiatives within an overall marketing and brand management effort. Accountable to the Board of Directors and executive team for the success and failure of social media efforts, including 4
social media activity and brand presence, return on investment, and any associated crises. Key Social Media Risk Concerns: Brand and image protection, reputation management, and regulatory compliance for Marketing. Information Technology Representative Titles: Chief Information Officer and Chief Information Security Officer Role Level: Strategic. Social Media Responsibilities: Generally serves as executive co-‐sponsor or co-‐owner of social media initiatives and efforts within the context of an overall information technology architecture and an overall security architecture. Accountable to the Board of Directors and Chief Executive, in conjunction with the CMO, for social media compliance, privacy, IP and company information protection, and any channel breaches. Key Social Media Risk Concerns: Regulatory compliance, data privacy and security, social engineering, data management, and network and resource protection. Social Media Technology Representative Titles: Chief Technology Officer, Enterprise Architect, Digital Security Manager, and Digital Infrastructure Manager. Role Level: Strategic to tactical. Social Media Responsibilities: Select, deploy, and standardize social media management applications and tools, social media account management, social media policy enforcement, and social media training. Key Social Media Risk Concerns: Social media account security, social media privacy, API vulnerabilities, standardization of risk mitigation efforts across channels, app proliferation, and channel proliferation. Social Media Marketing Representative Titles: Director/Manager of Social Media, Director/Manager of Digital Marketing, Director/Manager of Corporate Communications, and any agencies with social media responsibility. Role Level: Managerial. Social Media Responsibilities: Responsible for day-‐to-‐day management of social media efforts including channel management, content and channel planning, content creation and approval, channel and application security, 5
social analytics, social network monitoring, and initial issue and crisis identification and response. Key Social Media Risk Concerns: Internal and external (fraudulent or copycat) channel and site proliferation, minimizing operational risks through policies and training, and on-‐channel security management. Social Community Management and Customer Service Representative Titles: Social Community Manager and Social Customer Service Manager Role Level: Managerial and operational Social Media Responsibilities: Day-‐to-‐day customer interaction, community management, monitoring of the community and brand in the social landscape, and management of acceptable-‐use policies. Key Social Media Risk Concerns: Poor community management, inappropriate community use, customer interactions, customer data management, social media spam, and customer issue escalation and intensification. Legal and Audit Representative Titles: Chief Legal Officer, Chief Compliance Officer, Chief Risk Officer, Compliance Manager, and Audit Manager. Role Level: Strategic to operational Social Media Responsibilities: Regulatory and legal compliance, oversight of social media policies and governance, auditing of brand accounts, fraud identification and management, ensuring standardization of the brand and brand compliance across social networks, identification and addressing of brand hijacking, and brand/reputation management and protection. Key Social Media Risk Concerns: Brand compliance, including internal use, partner and affiliate use, and community use, intentional and unintentional brand hijacking, and erosion of brand reputation. Human Resources Representative Titles: Chief People Officer and Director/Manager of Human Resources Role Level: Strategic to operational Social Media Responsibilities: Employee oversight, training on social media governance, policies and tools, and management of internal non-‐compliance with social media policies. 6
Key Social Media Risk Concerns: Lack of employee training on social media policies and tools, identification and correction of employee actions on social media, and safety of employee personal use of social media. Social Media Risk Management Responsibilities For too many companies, initial social media efforts are haphazard and uncoordinated, yet require the participation of multiple roles (see Figure 2). While Marketing has set up a Facebook page and maybe a Twitter feed, Human Resources has established a presence on LinkedIn for recruiting, and individual sales reps are tweeting away, while IT is trying to lock down all of the systems to protect the company. It borders on the edge of pandemonium and it exposes the brand to unnecessary risk. Effective social media risk management requires internal coordination across departments and groups for the following: 1) Agreeing on the corporate purposes and strategy for adopting social media channels and platforms; 2) Claiming the corporate geography on the different social media channels; 3) Monitoring access, content, and applications across the social landscape; 4) Putting together and executing an implementation plan for the strategy, including a crisis communications and response plan; and 5) Following up on the execution, including success metrics. None of these can happen without help from multiple parts of the organization. 7
Figure 2: What Roles Should Be Involved in Social Risk Management? Marketing & Communications Managements • Chief Marketing Ofhicer • Vice President of Marketing • Vice President of Corporate Communications Information Technology • Chief Information Ofhicer • Chief Information Security Ofhicer Social Media Technology • Chief Technology Ofhicer • Digital Security Manager • Digital Infrastructure Manager Social Media Marketing Social Community Management & Customer Service Legal and Audit Human Resources • Director/Manager of Social Media • Director/Manager of Digital Marketing • Director/Manager of Corporate Communications • Social Media Agency • Social Community Manager • Social Customer Service Manager • Social Media Agency • Chief Legal Ofhicer Chief Risk Ofhicer • Chief Compliance Ofhicer Compliance/Audit Manager • Chief People Ofhicer • Director/Manager of Human Resources For example, agreeing on the corporate purposes and strategies for social media is primarily a function of marketing or corporate communications. But, as social media is used for purposes other than marketing, such as a customer service tool or a recruiting tool, the Customer Service team and the HR team need to be involved from a platform and tool selection perspective, and IT from a security technology view. The monitoring of social media is primarily the responsibility of the social media team and any agency support they utilize, but could also include Customer Service, as customers compliment or complain about the brand on social media. It could include market research, as information is gleaned about customers. It should also include risk and security teams as social media provides a channel for spear-‐phishing, social engineering and other risks. Though different for each organization, effective social media risk management requires the active participation of, at the minimum, Marketing, IT, Legal, and perhaps, other departments like Human Resources, Audit, and Customer Service. 8
Roles and Responsibilities in Common Risk Scenarios Once roles with a vested interest in social media are identified, clear lines of responsibility for issues, incidents, and normal management aspects of social media need to be clearly defined. The best way to do this is by recognizing common risk scenarios that the company faces from social media and identifying the necessary roles and responsibilities of the various interested and involved departments and groups in addressing those risks. Below are five commonly-‐seen risk scenarios and issues in social media. For each one, a high-‐level overview is provided, along with example roles and responsibilities found in most companies and organizations. Scenario 1: Tracking and reporting approved and fraudulent social media accounts • Overview: It is determined that someone external to the organization has set up one or more unauthorized social media accounts that purport to represent the organization. • Roles and Responsibilities: o Social Marketing tech team and any agency supported and services, Marketing and IT are responsible for monitoring for new, unauthorized accounts. o Legal is responsible for notifying the social network with a request to remove the account. Once complete, legal should report back to Marketing for verification. Scenario 2: Social media account being hacked • Overview: One or more social media accounts are compromised and unauthorized content is published on those accounts. • Roles and responsibilities: o Corporate Communications is responsible for having a defined (and tested) internal / external communications plan and process created that includes agency support. o Social Media with any agency support is responsible for monitoring all social channels. o Marketing leads communications with the advisement of Legal. o IT leads from a systems perspective, interfacing with Marketing and the o social networks. IT Security should investigate and respond to each incident as a security breach, and take actions to preclude future risk. 9
o Marketing and Security should report to a broader Social Media Committee and Board with regard to outcome and risk mitigation. Scenario 3: Spam and malware content identified • Overview: Malware, and to a lesser degree spam, is identified either being introduced through or existing on corporate social media accounts. • Roles and responsibilities: o Community Manager first identifies the bad content, ideally using automated technology, implemented with the support of IT Security and policy already defined by Legal. o Security and Legal review incident reports, remediation efforts, and workflow periodically for verification. Scenario 4: Release of customer data • Overview: There is the potential for a release of customer data either by the customer, inadvertently by the company, or through hacking efforts. • Roles and responsibilities: o Community Manager should identify incidents using technology configured by the IT security team, under the guidance of Legal and/or Compliance. o Community manager and Social Media team should audit and report issues regularly to Legal and/or Compliance. o Legal and/or Compliance should monitor incidents and changes to laws and government guidelines, and recommend necessary policy changes accordingly. o Risk Management should evaluate risk to the organization based on the potential, volume and, severity of incidents. o Compliance reviews incidents and handling of regulated or controlled data in coordination with IT Security. Scenario 5: Compliance violations or release of sensitive company data • Overview: The company has the potential for violations of compliance regulations or is susceptible to unauthorized release of company data. • Roles and responsibilities: o Legal and/or Compliance should define a policy and plan for addressing this issue, based on state, regional, and industry requirements. o Legal and/or Compliance should work with the Social Media team to understand application, and with IT to map technology against enforcement capabilities. 10
o o o Compliance reviews incidents and handling of regulated data, and adjusts policy and rules for communication on a regular basis. IT Security implements the policy via technology controls. Social Media team follows defined process and is audited, and reports back on progress and any irregularities or challenges to the workflow. Who Is Responsible for the Costs? The most often asked question regarding new technology, after answering “Who is responsible for what?” is “Who has to pay for it?” Social media protection is no exception. With the social media platforms, the cost of the technology and managing it is often a shared expense between the IT department and Marketing, with Marketing assessed the largest portion. The cost of managing the risk of social media is also often a shared expense (see Figure 3). Figure 3: Functional Areas and Common Social Media Risk Cost Responsibilities Functional Area Marketing and Communications Management Information Technology Common Cost Responsibilities • • • • • • • Social Media Technology Social Media Marketing • • • Social Community Management and Customer Service Legal and Audit • Human Resources • • • Agency services and support fees (Marketing) Social media risk management system (Share with IT) Social media listening system (Share with IT) Other social media technologies and platforms (Share with IT) Social media risk management system (Share with Marketing and Communications) Social media listening system (Share with Marketing and Communications) Other social media technologies and platforms (Share with Marketing and Communications) Ongoing management of social media risk management system Ongoing management of social listening system Staffing costs of social media marketing efforts, including agency services Staffing and related costs of community platforms and social customer management systems Staffing and related costs related to legal management and ongoing audit efforts Staffing and related costs related to social media training Staffing and related costs related to internal policy management For example, the actual technology need, such as a risk and compliance application or a monitoring application, is often a shared expense between IT and Marketing or Corporate Communications, with Marketing assessed a majority of the expense. Other costs, such as legal support, audit and compliance support, and employee training are often taken on by other groups in whole or with a charge back 11
mechanism to Marketing. For example, the costs taken on by Legal and Compliance for resources, such as having an attorney and/or compliance person on staff that has been trained and has expertise in social media, would be taken by the Legal or Compliance departments with the potential for some chargeback to Marketing. Training all employees and agency staff on good social media policies and practices is often times covered by Human Resources, though training specific groups such as social media Customer Service representatives, or the home department of employees who engage in social media. Making It Real: Actual Responses to Social Media Risk In order to understand how this plays out in reality, we spoke with the former Vice President of Social Media for one of the world’s largest financial institutions. He described two use cases, based on actual events, and how his cross-‐functional team worked together to manage them. Use Case #1: Discovering and tracking bank-‐owned social media accounts and reporting fraudulent accounts At our bank we had a Social Media Operations team that reported to me as the head of Social Media. The staff on the operations team was responsible for finding, via any mechanism possible, social accounts owned and being run by the bank. This involved web searches, as well as querying the social networks via their native search tools, and leveraging data from listening platforms. The team maintained a running list of accounts. For any accounts that were deemed ‘unauthorized,’ we would try to connect directly via internal company communications to either authorize and incorporate the account, or have it shut down. For any accounts that were external and were found to be fraudulent and otherwise inappropriately using our bank’s brand, we would report the account to our assigned legal resource. The Legal Compliance Department had a person assigned to work with the Social Media team on this very issue. They would take any list of fraudulent and inappropriate accounts and report them to the social networks themselves to confiscate them or have them shut down. 12
Figure 4: Real-‐World Case One -‐ Unauthorized Accounts Use Case #2: Handling ‘bad content’ moderation Our bank is a highly visible entity that has garnered a significant amount of social engagement and interaction. As engagement increased, such as Facebook comment interaction, we recognized the need to remove and hide certain comments on the page to protect sensitive data of the commenter where, for example, they inappropriately posted PII, account info, and other confidential data to our wall. We also had to remove things like social spam, offensive content, and audience-‐on-‐audience abuse or exploitation. For all of these, it is important to note that this was and is not about removing negativity toward the bank. It is about protecting the audience and fostering a positive social community. First, my Social Media team – in conjunction with the Social Customer Service team – worked with Legal to create a content use policy to publish on our accounts as a link (see Figure 5). After publishing our policy, the Social Customer Service team was responsible for enforcing the policy across our accounts, while our Social Operations team kept reports on bad content moderation activity and published that metric in broader social media reports for our executive stakeholders. Figure 5: Real-‐World Case Two -‐ Effective Moderation 13
Next Steps The only guarantee is this new age is that every company is at risk. It may be today or it may be next year, but it is more likely than not that a social media risk will manifest itself. To mitigate and minimize the potential impact to your company, you need to act today by doing the following: Step 1: Define a governance structure. Any successful social media risk management and mitigation effort needs a foundation. That foundation is a governance structure. The governance structure is often determined by the head of social media, leading a working group made up of representatives from Marketing Management, IT, Social Media Marketing, Legal and Audit, and Human Resources. The governance architecture, at a minimum, needs to explain who is responsible for what, but should also address items like the scope of your social media efforts, branding guidelines, approval processes, continuity planning, and training and education. Step 2: Put a social media policy in place. A social media policy (or set of policies) that provides guidance for employees and protects the company and customers from risk should come right after governance. This may take the form of a single policy, a set of policies, or even a set of guidelines. The purpose of these policies should be to provide a set of guardrails for all employees, those specifically engaged in social media on behalf of the brand, and managers across the organization. For a social media policy or set of guidelines to be both useful and usable, the policy should: 1) Be clear in its purpose; 2) Be in sync with the company culture; 3) Explain how the correct use of social media is beneficial to the company; 4) Be written in plain language and not legalese; 5) Have the input and buy-‐in from all departments; and 6) Be as short and to the point as possible. Step 3: Select technologies that will support your organization. Once companies have a foundational governance structure in place, then IT departments and social media technology groups can put into place the appropriate technology tools to manage and mitigate risk. This should include tools that allow the company to have visibility into the social infrastructure (how many accounts and on 15
what platform) of the company, provide governance for those accounts around types of content and data that are published across them, ensure compliance with internal policies and external regulations, and protect company social accounts and platforms from being hacked. Once these platforms are in place, the Social Media Technology Group would be responsible for training the social media marketing roles, the social media community management and customer service roles, and as necessary legal, audit, and human resources roles. Step 4: Test your organization. After the governance, the policies, and the technologies, companies need to test and retest to make sure that all the moving parts remain in sync. For example, training employees and agency staff on an out-‐of-‐date social media policy is almost as dangerous as not having one. Not keeping track of all of the brand presences on social media and allowing them to proliferate without control can open the brand to unnecessary risks. Not updating a technology application to cover a new platform can place the company at increased risk. Companies should test their ability to respond to different social media risks by running a series of scenario exercises based upon known or expected social media risks. These might range from a scenario covering a miss sent tweet, such as a personal statement on a company channel, to a scenario involving an irate customer who takes to social media to voice their issue, to a scenario covering a social-‐media based reputation attack by an NGO, like efforts by Greenpeace against Nestle and British Petroleum. 16
About Nexgate Nexgate provides cloud-‐based brand protection and compliance for enterprise social media accounts. Its patent-‐pending technology seamlessly integrates with leading social media platforms and applications to find and audit brand affiliated accounts, control connected appliances, detect and remediate compliance risks, archive communications, and detect fraud and account hacking. Nexgate is based in San Francisco, California, and is used by some of the world’s largest financial services, pharmaceutical, Internet security, manufacturing, media, and retail organizations to discover, audit, and protect their social infrastructure. i Facebook Reports Second Quarter 2013 Results, July 24, 2013. http://investor.fb.com/releasedetail.cfm?ReleaseID=780093 ii Smith, Craig. (September 2013) By The Numbers: 31 Amazing Twitter Stats. September 5, 2013. http://expandedramblings.com/index.php/march-‐2013-‐by-‐the-‐ numbers-‐a-‐few-‐amazing-‐twitter-‐stats/ iii YouTube Hits a Billion Monthly Users. March 3, 2013. http://youtube-‐ global.blogspot.com/2013/03/onebillionstrong.html iv Harvard Business Review Analytics Services. The New Conversation: Taking Social Media from Talk to Action. http://www.sas.com/resources/whitepaper/wp_23348.pdf v Fox, Zoe. 10 Most Liked Brands by U.S. Facebook Users. Mashable, Sept 6, 2013. http://mashable.com/2013/09/06/facebook-‐brands-‐likes/ vi Larcker, David, Larker, Sarah, and Tayan, Brian. What Do Corporate Directors and Senior Managers Know about Social Media? The Conference Board, October 2012. http://www.gsb.stanford.edu/sites/default/files/documents/TCB_DN-‐V4N20-‐ 12.Social_Media.pdf vii Lauicella, Tom, Stewart, Christopher, and Ovide, Shira. Twitter Hoax Sparks Swift Stock Swoon, The Wall Street Journal, April 23, 2013, http://online.wsj.com/article/SB1000142412788732373560457844120160519348 8.html 17
... and mitigating social media risks. ... Mapping your Organizational Roles ... Define the responsibilities of each role in a variety of common risk ...
Hi . Thank you for your interest in Mapping Organizational Roles & Responsibilities for Social Media Risk.
Mapping Roles and Responsibilities for Social Media Risk. How to Define and Implement Organizational Enterprise Social Media Risk ... responsibilities to ...
Mapping Roles and Responsibilities for ... Organizational Enterprise Social Media Risk ... media risk management responsibilities; Roles and ...
Social media has introduced a wide array of opportunities for ... Mapping Organizational Roles and Responsibilities for Social ... The risks and rewards ...
Mapping Organisational Roles & Responsibilities ... This report will outline a framework for assigning roles and responsibilities to manage social media risk.
Mapping Organisational Roles & Responsibilities for ... give those roles the ... roles and responsibilities to manage social media risk ...
> Nexgate > Mapping Roles and Responsibilities for Social Media ... a framework for assigning roles and responsibilities to manage social media risk.