Ways to mitigate risk with a corporate social media policy

Companies need an effective way to mitigate the risks of increasingly ubiquitous social media. But establishing a solid corporate social media policy is no easy task.

Companies increasingly use social media to augment their marketing and sales efforts and improve how they connect...

with customers. But as recent news events demonstrate, being able to manage the risks inherent in social media is vital.

The most egregious violators of reasonable social media use frequently demonstrate a lack of common sense regarding the technology. An effective corporate social media policy must, within reason, take such cluelessness into consideration.

"There is never going to be a perfect defense against bone-headedness,” said Adam Turteltaub, vice president of member development for the Society of Corporate Compliance and Ethics (SCCE). “But you can't treat everyone like they are bone-headed, especially when your company is actually using [social media] for business purposes."

In May, the SCCE and its affiliated Health Care Compliance Association released survey results that show 42% of 485 respondents have had to discipline an employee for bad behavior on social media sites. That’s an increase from 24% in 2009.

However, only about one-third of survey respondents report that their organizations have adopted policies specifically addressing the use of social media sites. Despite the growth of social media, nearly half the respondents (48%) said they relied on passive systems for monitoring social media policies, or acted only when notified of an issue.

Developing a solid corporate social media policy isn’t easy. Marketing departments use social media to communicate with customers; salespeople use tools such as LinkedIn to learn about prospects. Severely restricting such activities in your corporate social media policy can be counterproductive, Turteltaub said. It’s also difficult to monitor employee usage outside of work; several states have laws limiting what employers can do to control employees' actions outside of the workplace.

"When it comes to auditing and monitoring, what an employee says or does is going to be very difficult [to control], especially if the employee has decent privacy settings," Turteltaub said. "And you don’t' want to create a policy that you can't enforce in a reasonable and consistent way. I also don’t think companies should necessarily set their policies in stone because the media changes so quickly."

The broader risks of social media

The risks of social networking sites do not end with the kinds of personal indiscretions that have been in the news of late. M86 Security Inc. has tracked a number of Facebook scams using malicious photos, wall posts and third-party applications. M86 researchers say they’ve seen an increase in the risks associated with social media and vulnerabilities that leverage the technology. Today’s hackers "are even willing to go in and hack individuals’ accounts and utilize that information in order to target people who are on their friends lists," said William Kilmer, chief marketing officer at Orange, Calif.-based M86 Security. “We've also seen a number of instances where we've had attacks eventually come through hot links inside of social media that have led to malware attacks."

Despite the risks, business-related social media continues to proliferate. Fifty percent of U.S. businesses use social media to connect with and inform customers, according to a survey released in June from workplace solutions provider Regus PLC. The survey polled 17,000 companies in 80 countries. In addition, 38% of U.S. companies dedicate at least 20% of their marketing budget to business social networking activity, the survey found.

In another survey released in June, this one by the financial advisor coaching firm Peak Advisor Alliance, more than 50% of 200 respondents said they view social media as beneficial to business but also see it as a "major compliance risk." Todd Pack, president and chief operating officer of Financial Advisers of America LLC (FAA), said companies need to better understand the risks of social media.

"Work proactively with representatives and what they need and how they want to use it," Pack said. "You want to try to embrace some of the benefits but at the same time have a really good understanding of the risks. From there, analyze what the risks are and how you can mitigate that risk."

Corporate social media policy best practices

Pack suggested addressing questions of suitability and licensing need. For example, is the message suitable for the person to whom you are sending it? Do you have control over and know who is going to see it? Also, if a social media message is traveling across state lines, are you technically licensed to do business in that state?

You don’t want to create a policy that you can't, in fact, enforce in a reasonable and consistent way.

Adam Turteltaub, vice president of member development, Society of Corporate Compliance and Ethics

And, as always, it’s important to define guidelines and processes surrounding social media risk management. Locking down who can post what on the company's social networking sites, requiring pre-approval of posts, and barring use of unauthorized sites in company settings are all possibilities. This includes having disciplinary systems in place, such as letters of caution or reprimand when someone crosses the line when using social media in the business setting. An automated archiving system to help monitor activity could be beneficial to mitigate the risks of social media as well.

"You have to have a set of procedures and documents -- you've got to have very clear expectations of what people can and cannot do," Pack said. "You have to be very proactive with that, you have to have defined procedures. Because if you don't, somebody inadvertently is going to cause a regulatory problem for you, and you just don't want to go down that road."

There are also some guidelines surrounding business ethics that companies involved in business-related social media should take into consideration. Posting a comment reviewing a product and not disclosing that one actually works for the company could be deemed unethical, for example.

"If you are a spokesperson for the company, there's a need to disclose that fact, and likewise if you're not, you don't want to pretend that you are," Turteltaub said.

Turteltaub compared the increased use and risk-averse skepticism of social media with the start of email. He said there were similar questions about who should have email, should employees be able to use it internally, and how much access to other people should be made available.

"It took a while to realize all the potential of it, and to educate people to the risks of it," Turteltaub said. "In many ways, social media is the same. I think what companies need to do is first of all understand it better. And secondly, recognize that there is always going to be limits in what you can do."

Let us know what you think about the story; email Ben Cole, Associate Editor.

Dig Deeper on Risk management and compliance