The Whole World's Talking

June 2011

The Whole World’s Talking

By understanding the opportunities and challenges posed by social media, auditors can provide assurance that their organization has an active voice in the global conversation.

J. Michael Jacka, CIA, CPA

Senior Audit Manager

Farmers Insurance Group

Peter R. Scott, APR

Vice President

IZEA Inc.

Picture the bleak and barren landscape that was the Internet 10 years ago. LinkedIn would not bring us into contact with our fellow professionals until 2003. Mark Zuckerberg would not have us making friends through Facebook until 2004. And the now ubiquitous Twitter would not spread its 140 characters of wisdom until 2006. By the end of 2010 LinkedIn claimed to have more than 50 million users, Facebook 500 million users, and Twitter 190 million users generating 65 million Tweets a day with a growth rate of 15 million users per month.

Today, social media is an intrusive, yet unavoidable, presence that permeates our personal, social, and business lives. Ten years ago, the primary Internet risks faced by any organization revolved around firewalls, encryption keys, and computer security. While these IT risks are still important considerations in any organization’s risk evaluation, today there is also an explosion of reputational, strategic, and governance risks resulting from the new ways people are interacting through the Internet. Every auditor needs a basic understanding of the impact these new interactions are having on how they once viewed risks

THE BASIC RISK

The No. 1 risk for any organization in this new world of social media is reputational risk. The primary mitigation for this risk is an organization’s attempt to control the conversation about its brand.

Social media has allowed one-to-one conversations to become one-to-millions, and those conversations can be about anything. Anyone can find evidence of this by Googling their organization’s name. Is the organization one of the groups that have a “sucks.com” website (e.g., SpacelySprocketsSucks.com)? Are there viral videos showing customer service gone wild? Are bloggers specifically citing the inappropriate activities of the organization? The old adage “any publicity is good publicity” no longer is true.

In a recent global survey, The Rising CCO III, by New York-based public relations firm Weber Shandwick, approximately one-third of the 127 chief communications officer respondents reported that their organizations experienced a social media-based reputation threat during the past 12 months. Even after an incident, 67 percent still said they were either not prepared or had no formal plan to address such a threat.

What’s the potential impact if the organization’s reputation is harmed? Another Weber Shandwick report, Safeguarding Reputation, attributes 63 percent of an organization’s market value to reputation. And once lost, the rebuilding process is neither easy nor short-term. Reputation recovery takes approximately three-and-one-half years, according to global business executives surveyed. This level of risk provides auditors with a compelling argument to partner with their communications teams to address these issues.

Internal auditors can gain an initial perspective on the organization’s understanding of the risks by looking at the approach it uses for social media. This review can reveal a fundamental misunderstanding of the broad conversational risk that is occurring, which can be seen most often through the organization’s strategy — or lack thereof.

STRATEGIC RISKS

The success or failure of any major business initiative is rooted in establishing a solid strategy. The organization’s approach to social media is no different. And there are two strategic risks that, because of the unique nature of social media, warrant specific mention: a lack of strategy and inadequate strategies.

Lack of Strategy

The most fundamental strategic risk — the risk most organizations currently face in relation to social media — is not having a strategy. Organizations spend vast resources (time, money, people) ensuring advertising, public relations, and miscellaneous communications are managed and aligned appropriately. Yet, organization after organization dives into social media with a helter-skelter approach that provides no assurance of success — in many instances because “success” has not even been defined. Establishing a social media strategy is the first step to that success.

Not having a strategy is the most obvious “lack of strategy” risk. However, there are two “pseudo-strategies” that, upon further examination, effectively mean the organization has no strategy. The first is ignoring social media. This is not the same as making an informed decision to not be involved in social media. Rather, this is the risk that the organization, without any understanding or analysis of the ramifications, ignores what is going on in social media. This strategic risk is familiar to anyone who has seen something new emerge — a new business paradigm, technology, manufacturing method, etc. — that upper management subsequently ignored.

The second pseudo-strategy is equating nonparticipation with noninvolvement. In this situation, the organization has made the decision to not be involved in social media initiatives. Although this can be an appropriate business decision, the strategic failure lies in management assuming that, because it is not driving the initiative, it has avoided social media risks. This approach ignores the conversation that is going on about the organization. Accordingly, any organization that takes no action to monitor those conversations is exposing itself to a litany of risks that might arise in places it decided not to look.

Inadequate Strategy

Developing a strategy is only part of the answer. A social media strategy that addresses the complete range of issues is necessary to ensure the organization has understood and acted upon that understanding appropriately. A complete social media strategy:

Focuses on strategy, not just on tactics; it articulates what is going to be accomplished, not how it will be accomplished.
Aligns social media activities with the organization’s business objectives.
Articulates the organization’s time commitment, providing insight on whether this is a long-term commitment or a series of strategic experiments used to determine the validity of various approaches.
Incorporates the social media strategy into other existing strategic plans.
Identifies the target audiences with a focus on the specific business objectives that will be achieved.
Identifies the appropriate social media channels as well as the conversational style that will best engage the target audiences.
Verifies that social media activities have received adequate staffing and funding.

While it is not necessary to have every one of these elements included in the strategy, internal auditors should recognize that including most of them is evidence of a well-rounded approach to social media.

GOVERNANCE RISKS

Just as with any endeavor within an organization, there are many different risks related to governance of social media activities. The first risk is that no one group or individual has oversight for all social media activities. Separate departments often take completely different approaches. A single department will have a champion for social media — someone who has seen what it can do and convinces the department head to move forward. Six months later, another department, unaware of what the first has done, has its own champion and starts its own presence. There is no communication, no standardized approach, and no awareness at the top that the customers may be getting mixed messages. Aligning brand, message, and image is never so important as when an organization is about to send daily messages to millions of people.

Another risk is that the group or individual with oversight does not have a good understanding of both the risks and rewards of social media. Social media is new enough and misunderstood enough that oversight must be provided by people who believe in the initiative and understand how it is used. If the only person who understands social media is the intern in charge of the blog, then oversight will fail.

Although there is no wrong department to have in charge, leadership provided by certain departments may be a warning that the organization misunderstands the role social media will play. For example, if the chief risk officer, chief compliance officer, or chief legal counsel is charged with overseeing social media, this may indicate that the organization is placing too much emphasis on the risks. It is important to have an executive responsible who sees the full benefits of social media and understands how it aligns with the organization’s strategies.

A related risk is that those responsible for implementing social media are only looking at the risks and not the opportunities. No one can guess what the next big thing will be, but organizations must be aware of the changing environment to ensure they do not miss out on the growing opportunities. Good oversight includes monitoring the changes in social media with the intent of identifying those that will be of value to the organization. This means more than just being aware of popular adaptations such as Facebook and Twitter, but also changes within the organization’s niche area (e.g., business, profession, distribution method, etc.).

EXECUTION AND PROCESS RISKS

Strategy is nothing without execution, and the mitigation of strategic risk is nothing without addressing the risks to execution and operations. Two of the biggest risk areas related to social media are metrics and monitoring.

Metrics

Organizations often jump into social media with no idea how success will be measured. Before metrics can be identified, the organization must understand how social media is being used and its purpose for the business. Next, leaders of the initiative must determine what actions and habits social media is meant to drive. From this, success can be identified and metrics of that success can be developed and measured.

The next risk is having metrics that do not measure the right things. Often, organizations establish metrics such as hits, retweets, and page views without determining the impact, if any, of these actions on the organization’s objectives. If the only thing the organization is trying to do is have people visit its site — a relatively limited goal — then those are good measures. However, most organizations want more out of social media than just visits. Therefore, robust metrics should be established, such as:

The number of comments, bookmarks, images, videos, etc., that mention the organization in some fashion (to show stakeholder engagement).
The number of mentions compared to competitors’ results (to demonstrate the organization’s increased share of the conversation).
The number of issues successfully resolved using social media (to show successful use of social media in the complaint process).
The satisfaction level of customers interacting with the organization through social media, including comparison to satisfaction levels outside social media (to determine whether social media is achieving or surpassing the organization’s other customer communication methods).
The number of usable ideas submitted by stakeholders (to determine social media’s success in generating ideas).
The number of prospective customers that originate from social media and the number of customers converted (to determine the success rate of social media in comparison to other channels).
The retention rate and repeat purchase rate for customers acquired from social media (to determine whether social media is a viable alternative to other purchase methods).

Many of these metrics assume that social media is being used for much more than just talking; they are focusing on such things as complaint resolution, purchasing, or idea generation. These examples demonstrate an organization that is proactive in its approach to
social media.

Metrics also must be aligned with objectives and metrics for the organization as a whole. For example, if the success of social media is measured by sales calls generated, while the success of advertising campaigns is measured by completed sales, it is unclear which the organization values most — the phone call or the sale. Because organizations are just now establishing a social media presence, they seem satisfied that people know they exist, but they may be ignoring whether their efforts relate to the core purpose of the business.

Monitoring

The other important and often overlooked area is how social media will be monitored. This broad category includes more than just organization-sponsored content. The organization must ensure processes and procedures are in place for constant monitoring.

To monitor activity effectively, it is important to understand the full range of sites that make up social media. It is more than just Twitter, Facebook, and blog conversations. Organizations may need to determine what is out there on file sharing sites (YouTube or Flickr) or on customer service sites (Yelp, etc.). That does not mean organizations have to spring to action every time someone posts a photo of their logo with a giant circle and hash mark over it. However, it does mean they need to recognize that it is happening.

The final aspect of monitoring is ensuring everyone in the organization knows what to do when the unexpected happens in the conversation. Because of the speed of social media, there is not time to sit around in the boardroom discussing what committee should be established to identify potential options.

ORGANIZATIONAL AND LEGAL RISKS

There are many other risks related to social media that auditors should consider. A few general categories include:

Development of a social media policy. The organization should develop and publicize (extensively and repeatedly) a policy for social media. This should include areas such as rules for use, taboo and blocked areas, a statement on proprietary information, and how to handle identified problems.
Staffing and funding. The myth is that social media is free and that an organization can staff the function with interns or lower-level employees. The fact is that, while there are some free tools available, under-investing in the right tools, the right skill set, and an adequate knowledge base can lead to significant issues.
Appropriate training. This includes training all individuals involved in developing content to ensure it aligns with the organization’s objectives and teaching all employees their roles and responsibilities in all aspects (organizational and private) of social media.
Organizational structure. The organization should proactively develop an organizational structure that ensures alignment with various business units to avoid conflicts in messaging or use of social media.
Keeping abreast of regulatory changes. The organization should ensure there is a method in place to monitor changes in all regulations that have an impact on the use of social media, including regulations related to their profession or industry. The organization’s leaders also must be aware that as the social media landscape changes, the impact of all regulations changes as well.

The preceding is just a small sample. Other areas may include vendor management, contract management, human resources, IT, and expense management. In general, most of the risks identified for any process or business unit can be applied to social media. They just have to be viewed within the new framework of social media.

THE AUDITOR’S FIRST STEPS

There is a lot of ground to cover when internal auditing begins looking at the organization’s social media efforts. The first step is to talk with those directly involved with the project: Learn about their understanding of the risks and how they are addressing them. As a start, auditors can gain a good idea of the maturity of the organization’s social media initiatives by asking:

Has a robust strategy been developed that aligns with the organization’s overall objectives?
How are results of social media initiatives reported to senior management?
What metrics have been established, and are they aligned with the organization’s goals?
Are all social media channels — even those not owned by the organization — monitored, and how are identified issues elevated?
What training has been provided to employees related to the organization’s social media policies and procedures?

With a basic knowledge of social media and the related risks, these questions should lead the auditor to an understanding of where the organization can improve its processes, procedures, and controls.

THE CONVERSATION CONTINUES

Somewhere out there, someone is talking about your organization. In fact, there is a good chance they are saying something that is not particularly nice. There is a conversation going on, and every organization should attempt to manage that conversation proactively. Internal auditors have an important role to play in ensuring the organization has evaluated the risks related to social media and taken appropriate steps to mitigate those risks.

If nothing else, auditors should perform that Google search on their organization’s name. They, and their organization’s executives, will probably be surprised with what they find. And that surprise may spark an exploration of how they can better address the new risks of social media.

Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online, or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to edit/remove comments.

To make something bold:
<strong>Text to bold</strong>

To make something italic:
<em>Text to italicize</em>

To make a hyperlink:
<a href="URL">Text to link</a>