Social Media and Enterprise RiskBy
Social media is quickly changing how organizations are managing risks, controls, and policies.
For example, according to The Washington Post, Fisher-Price and the Boy Scouts of America were recently criticized for announcing product recalls on only a few social media channels. In 2017, a fake McDonald’s-branded Twitter account from Hong Kong posted messages from distressed employees, and a hacked U.S. McDonald’s Twitter account included political attacks.
A 2020 PwC report finds that social media risks are a top concern of CEOs. Chief financial, information, and internal audit officers need to adequately respond to boards of directors’ concerns regarding social media risk management with effective internal control policies and incident response protocols. Primary risks commonly originate from attacks on brand and reputation through slow responses to false information, privacy intimidations, and ransom-related operational interruptions. The lost revenues, direct costs, and capital market losses from these attacks can be very expensive.
Two contrasting cases illustrate the significance of managing these risks: Volkswagen’s slow response to social media signals concerning its emission-system issues further ignited its problems, ultimately costing the company more than $35 billion, including a 25% drop in its capital market value. In contrast, Samsung immediately responded on social media to its cell phone battery issues, effectively mitigating its customer and capital market reactions. Within one year, Samsung had recovered, as evidenced by its capital market value increases of $50 billion.
The most effective social media risk management internal controls include four components: (1) hiring, developing, or engaging experts in state-of-the-art social technology expertise; (2) developing a social media code of conduct that clearly defines prohibited as well as acceptable organizational topics and behaviors on both personal and organizational social media channels, when specific authorizations are needed, and when and how incidents are reported; (3) developing and maintaining incident detection information systems resources; and (4) rolling out organization-wide training so all employees understand their accountability.
Identifying risks and establishing appropriate controls for social media are difficult due to three critical dimensions: its value to communicate to a wider population, its ability to be used by that population to provide potentially unwanted commentary, and its speed and volume in amplifying that public backlash. If a post goes viral for the wrong reasons, stakeholder comments and reputational damage can quickly become uncontrolled. (See “Reputational Damage” for two examples of social media missteps.)
These examples highlight key strategic concerns for social media governance—how it’ll be used and how it conforms to organizations’ images and stories. In this new environment, organizations are quickly discovering that adopting social media is a significant challenge for organizations’ risk management activities.
Conventional risk frameworks concentrate on internal elements and typically frame risk through financial statement effects. For example, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control—Integrated Framework identifies organizational and control system layers designed to address accurate financial reporting and asset protection concerns. The Enterprise Risk Management—Integrated Framework (COSO ERM Framework) builds on COSO’s original financial statement orientation. These frameworks don’t address social media risks, as social media involves both internal communications and external shareholder interaction.
To address this duality, we’ve developed the Integrated Social Media Strategy and Risk Management Framework (Integrated Framework; see “Social Technology: An Integrated Strategy and Risk Management Framework,” Journal of Information Systems, Summer 2019, pp. 129-153) that highlights the scope of social media by integrating its role within conventional risk management frameworks. Thus, without strategic social media management, organizations’ risk management efforts may fail. We highlight social media use challenges and present a framework that encourages a broad risk perspective as part of the social media assessment and consideration process.
GO BEYOND CONVENTIONAL RISK CONSIDERATIONS
To address these social media risks, we consider both the COSO ERM Framework and Robert S. Kaplan and David P. Norton’s balanced scorecard. While the balanced scorecard is traditionally seen as a strategy alignment tool, we adopt its learning and growth, internal processes, customer, and financial perspectives as a basis for considering social media risks in an enterprise risk management setting. These perspectives provide a framework that explicitly considers both the internal and external elements of social media risks.
The Integrated Framework proposes two phases: strategy selection and risk assessment followed by strategy implementation and risk management (see Figure 1).
These phases draw on the strategic aspects of the balanced scorecard and the risk management perspective of the COSO ERM Framework to offer a framework for selecting, developing, and implementing social media solutions. In phase 1, strategy selection and risk assessment, an organization will consider different social media strategies and the related risks, whether internal or external, across the four perspectives of the balanced scorecard.
After phase 1 is complete and a strategy has been selected, the organization implements the selected social media and evaluates its impact on risk management in phase 2, strategy implementation and risk management. In phase 2, the organization considers the four perspectives of the balanced scorecard, this time starting with the learning and growth perspective.
Then, in the internal process perspective, the organization addresses the five components of risk management per COSO: How does the selected social media strategy impact governance and culture risks; strategy and objective setting risks; performance execution risks; review and revision risks; and information, communication, and reporting risks? From this analysis, the organization develops social media controls, including those addressing relevant data governance issues. It then considers how the selected social media strategy may impact client growth and satisfaction measures, followed by profit and revenue metrics.
To validate this framework, we conducted field interviews with representatives from several professional organizations. These individuals were responsible for social media strategy and implementation as well as monitoring the impact of external parties (e.g., customers’ comments, analysts’ concerns, etc.) on their organizations’ brands and reputation.
START WITH STRATEGY
The framework starts with consideration of the four balanced scorecard perspectives as presented in phase 1. Field interview participants indicated that social media strategy is more than pure risk management or pure strategy. Rather, internal reflexivity shapes social media considerations. Their social media projects typically began with broader strategic perspectives as emphasized in the first phase.
Participants used one specific strategic perspective to start evaluating social media. The chosen perspective varied depending upon the goal of the strategy. To illustrate, one organization used LinkedIn to target employee recruitment while another used Yelp to monitor product satisfaction. Rather than seeing social media as a panacea that would address all strategic issues and challenges, organizations had a specific strategic goal when using social media.
Broadly, the four strategic balanced scorecard perspectives reflect either an external focus (financial and customer perspectives), an internal focus (the internal process design and improvement perspective), or a mixed focus with both internal and external elements (learning and growth investments in humans, information, and IT). These perspectives inform the considered risk elements as suggested by the COSO ERM model (i.e., consideration of risks regarding governance and culture; strategy and objective setting; performance execution; review and revision; and information, communication, and reporting).
Social media risk management is driven by one initial strategic starting point rather than by considering the risks for all possible strategic outcomes. Organizations may emphasize different strategic areas of importance when implementing social media projects. For example, an organization may choose to use certain social media channels to recruit employees (e.g., LinkedIn) in order to gain new business intelligence, capacities, and capabilities, and would therefore use the learning and growth perspective. That same organization may choose to use different channels (e.g., Twitter) to communicate financial information, adopting the financial perspective.
Further, at this initial stage, organizations are attentive to social media risks. Combining the COSO ERM Framework risks and strategic starting points in phase 1 highlights how the dual imperatives of strategy and risk shape initial social media deliberations. Once organizations clarify their strategic social media imperatives, risks are framed before a social media strategy is implemented.
After approving their social media strategy, participants moved to the Integrated Framework’s second phase, strategy implementation planning. This stage uses a more traditional, four-perspective balanced scorecard approach to guide social media strategy planning and risk management.
Participants consider what social media project perspectives to measure and how to develop these measures. This is illustrated by the arrow flowing from an individual strategic focus in phase 1 to the learning and growth perspective in phase 2. Participants indicated they emphasize objectives, measures, targets, and initiatives for achieving learning and growth before considering how social media use may change internal processes such as risk management and internal control.
Organizations implement social media strategy by first making learning and growth investments in IT and increasing employee social technology skills. They then analyze how these investments may change internal processes before developing objectives and metrics to evaluate the impact of the social media investment on external perspectives, specifically client growth and satisfaction, and increases in revenues and profits.
To illustrate the Integrated Framework, we provide three brief use cases. These examples illustrate and emphasize the benefits of the two-stage nature of the framework’s implementation, concerns that implementing organizations may anticipate, and the most likely potential outcomes.
LinkedIn to Boost Recruitment
Assume that an organization is considering LinkedIn to boost recruitment options. While objectives can be framed for LinkedIn engagement and presence, there are many risks. Possible concerns include misleading information on a profile or a failure to check a candidate’s online activities. The organization needs to consider its own social media capabilities—whether those capabilities need to be upgraded and the potential cost of such an upgrade—before opting for such a strategy.
Whether the organization has the necessary internal resources (captured by learning and growth in the balanced scorecard) is key to successfully engaging with the given social media and using it in recruitment campaigns. Assessing this strategy involves such metrics as:
- Number of clicks, forwards, or comments on a job ad posted on social media (effectiveness of the technology for communicating opportunities),
- Nature of comments received on each job ad (qualitative guide to perceptions of the job and the organization),
- Number of applicants received through the social media (use of the social media as a pool of candidates),
- Ratio of applicants to interviewed candidates (initially suitable candidates),
- Number of hires originating from social media sources (effectiveness of social media campaigns), and
- Comparison of subsequent performance to skills furnished through social media (contribution of hires to internal growth and learning).
These metrics map the initial learning and growth strategy to subsequent social media internal processes and provide an important link between what the organization wants to do and what it actually does, with measures along the way to track performance. Subsequent perspectives may also measure the initiative’s success. For example, has the customer perspective been enhanced (e.g., has the organization made a new sector of the market aware of its offerings)? Has financial performance improved through the social media initiative?
The organization must also consider IT governance risk. An external malicious actor could mimic the organization on LinkedIn and steal applicant data, while an internal one with sufficient permissions could use LinkedIn to voice dissatisfaction or otherwise damage the organization’s reputation. The implications for additional monitoring investments must be considered.
Yelp to Monitor Customer Satisfaction
An organization considering using Yelp to monitor customer satisfaction would first evaluate this proposed strategy against customer perspectives in phase 1 of our Integrated Framework. Publicly shared stories of customer satisfaction could grow the organization’s client base, while stories of dissatisfaction would have the opposite effect.
Once the social media strategy has been set, the organization will list on Yelp and identify what changes need to be made to its risk management process. This starts with the learning and growth (internal focus) perspective.
Once the organization identifies learning and growth measures, it examines the impact of Yelp ratings and reviews on risk management and identifies appropriate internal controls in the internal process perspective. The organization must also identify client growth and satisfaction measures and finally the financial impact of Yelp ratings and reviews on the organization’s profit and revenue numbers.
Blogs to Share Best Practices
Consider an organization’s corporate accounting staff evaluating whether to develop an internal blog to share best practices with accounting employees located throughout the world to improve reporting quality and timeliness. The staff would calculate the total expected costs from risks associated with this strategy, such as the loss of competitive advantage resulting from the dissemination of best practices, and other risks from governance to monitoring activities. The staff would compare these costs to the expected benefits, such as incremental expertise, report preparation time reduction, and increased employee satisfaction.
If benefits exceed costs, the organization would work through a traditional balanced scorecard process by first considering if it needs to hire experts, engage third parties, or develop social media expertise within its employees (learning and growth perspective). Next, the organization would evaluate whether the financial reporting processes would be impacted by including this expertise (internal process perspective) in order to provide improved information to more satisfied report recipients (customer perspective, as managers are the “customers” for accounting departments) and higher quality reporting for the organization (financial perspective).
SOCIAL MEDIA MANAGEMENT
Our framework highlights how social media changes organizations’ risk management strategies. Social media use dramatically increases exposure to external threats that may negatively impact organizations’ operations and bottom line. Organizations have always been able to monitor and exert some level of control over internal communication, but social media requires organizations to attend to what outsiders are saying.
When discussing social media risk management, our research participants emphasized reacting to external threats, highlighting how organizations can have well-designed internal processes and controls but not being able to stop negative tweets or posts from causing harm. Social media changes how controls operate. Organizations need to monitor and react to external dialogue as a key element of their social media control approach.
Our framework assists management in addressing the challenges of social media risk management, including three key takeaways:
- For any given initiative, social media risk management is driven by a single strategic starting point from within the four balanced scorecard perspectives.
- Social media strategy implementation typically begins with learning and growth-oriented investments in IT.
- Reaction to external dialogue is a key and novel element of an organization’s social media internal control practices.
Social media has changed the dynamics of how organizations communicate with their stakeholders. While strategic benefits result from social media use, significant vulnerabilities must be managed. Social media has blurred the traditional internal/external boundaries of conventional internal control and risk. Careful alignment of social media strategy and specifically tailored risk management is crucial in order to optimize the organizational value and stakeholder relationships. We welcome input regarding the Integrated Social Media Strategy and Risk Management Framework.