"Once again, a new invention or advancement that is created to help has as much power to harm; in this case, the social media revolution. Noteworthy is the prevailing concern that businesses have about what uneducated employees may post to their platform of choice. In addition to the regulatory issues listed, the added security options that companies may need to consider appear endless. Will future job applications, for example, require access to a potential hire’s Facebook or Twitter account to determine what their posting habits are?"
Managing Social Business Risks: How CFOs Can Craft Governance and Compliance Policies
CFO Insight and Analysis written by Deloitte
Published November 9, 2012
To the regulatory agencies charged with enforcing rules and regulations governing publicly traded companies, a careless reference to a client’s confidential business goals or performance posted on a social networking site may be just as problematic as sharing insider information among friends over lunch. For all of its potential business value, social business may expose publicly traded companies to increased compliance risk that they need to incorporate into their risk management and governance policies, according to a Deloitte webcast, Social Business and Regulatory Compliance: What New Challenges Could You Face?
“What makes social business riskier than other traditional or even online communications vehicles is its extreme viral and permanent nature. Information posted on social media platforms can potentially reach millions of people in a matter of minutes,” says Wallace D. Gregory, Jr., a partner at Deloitte LLP who specializes in risk management. Mr. Gregory was one of the webcast presenters explaining the risk considerations and steps CFOs and other business leaders can take to help their organizations govern social business activities and comply with the evolving regulatory environment.
The Challenge: Managing Social Business Risks and Issues
The benefits of employing social business reach across the business, to advance strategy, improve marketing, recruit and collaborate, gain competitive intelligence and enable innovation. But so do a slew of new risks and issues: reputation management, inappropriate use of content, loss of data or intellectual property and regulatory complications and penalties.
“As you formulate a strategy using social media you have to think of the risks involved and the impacts on your regulatory compliance,” says Mr. Gregory. The information on corporate social media sites may be subject to similar regulatory requirements as traditional content, but social-sphere activity may create situations not covered by traditional rules and risk frameworks. “The challenge companies—and their employees—now face with using social media tools in their business is managing that risk effectively,” Mr. Gregory adds.
The degree of that challenge was reflected in responses to polls taken during the webcast.
Regulatory Issues to Consider
“When you consider the regulatory issues around social media use, you have to look across the organization,” says J.R. Reagan, a principal at Deloitte & Touche LLP, who discussed how the various regulatory agencies approach the issue of social media use during the webcast. “Each agency has a different point of view, and companies should be aware of them when crafting their own compliance approach,” he observes.
Regulations and guidelines of the various regulatory agencies include the following:
- Financial Industry Regulatory Authority (FINRA), which has issued extensive guidelines concerning social networking websites and business communications, specifically retention of social media communications to customers, investment recommendations triggering National Association of Securities Dealers suitability requirements and blog participation supervision and advertisement rules.
- Securities and Exchange Commission, which issued the first set of guidelines to help investment advisers comply with antifraud and recordkeeping mandates through its National Examination Alert. The alert provides investment advisers considerations for evaluating use of social media compliance policies, including usage guidelines, monitoring, content standards and information security.
- National Labor Relations Board (NLRB), which focuses on workplace policies and their interaction with employees’ rights under Section 7 of the National Labor Relations Act. The NLRB’s approved policy prohibits “inappropriate postings.”
- Food and Drug Administration, whose communications rules led to the shutdown of many pharmaceutical social networking pages when the FDA eliminated the option to turn off public comments.
- Federal Trade Commission, which has issued rules regarding identity and affiliation disclosures, disclaimers and endorsements.
Develop a Risk Management and Governance Strategy for Social Business
Managing the potential risks entailed by the use of social business tools starts with incorporating social business risk into risk management and compliance programs. Deloitte, notes Mr. Gregory, has established a social media working group, composed of people across the organization, from risk, talent, information technology and the business units. “This group brings together diverse perspectives to address and set policy on the various risks and issues that come up around using social tools and technologies,” he says.
Some actions to consider for social media risk management and regulatory compliance include:
- Incorporating social business risk into risk management and compliance programs.
- Planning for incident response.
- Stepping up customer service.
To govern social media effectively, companies should work closely with employees to help them understand the role that social media play in the company and the ways that they can be leveraged to help achieve strategic goals. “A sound governance policy and process for social media use are critical to your risk management,” says Mr. Gregory. Companies can create detailed social media policies that clearly communicate the “dos and don’ts” of social media usage.
Governance around social business should address the company’s vision as well as policy, training, monitoring and enforcement. Specifically, it should:
- Educate employees, then empower them.
- Help employees understand and own the risks.
- Hold employees accountable.
- Address organization social media account “ownership” and hand-offs when spokespeople leave.
Furthermore, companies should educate their employees on how violating rules of confidentiality and professional discretion can lead to regulatory noncompliance and legal difficulties that can have far-reaching consequences for those involved.
“Employees should understand the nature of the regulations in place, why they exist and the potential consequences of violating them,” Mr. Gregory says. “Some employees may think that because current regulations were not written specifically to address social media, that somehow social media is exempt from traditional oversight. As many companies have learned, that is not the case.”