What boards should know about social media

Jim Stempak, Principal, Crowe Horwath LLP

By now, most business leaders have recognized the opportunities social media offers in the areas of marketing, customer service, recruiting and relationship building. But not as many have weighed the rewards of social media use with the potential risks, including reputational, legal, employment and information security-related risk.
“Social networking is here to stay, and board members cannot simply ignore it,” says Jim Stempak, a principal at Crowe Horwath LLP. “For directors to perform their governance role effectively, they need to understand both the risks and the opportunities social media offers their organizations — and see that both are managed effectively.”
Smart Business spoke to Stempak about how to incorporate social media use into the governance framework to best protect and promote your business.
What are some of the risks businesses face when engaging in social media platforms?
The damage from a disgruntled current or former employee’s comments on Facebook, customer complaints on Twitter, or criticism of management on LinkedIn can be substantial and long-lasting.
An organization that uses social media for customer support (a channel in which they allow customers to post comments requesting assistance) opens itself up to new marketing and business opportunities, but needs to monitor these channels closely and timely. Customers can post criticism or derogatory comments about the business and its services and share negative comments with one another.
Businesses must also keep an eye on the social media activity of employees. Their voices can be as prominent as those of official company representatives. If employees post offensive or confusing content, customers might consider taking their business elsewhere.
What other ways can an employee’s use of social media harm operations?
While the acceptance of social media in the workplace can encourage talented candidates to seek out organizations that embrace this type of access, employees still need to understand that certain practices are exposing them and the company to risk. The explosion of social media in everyday life has generated public disclosure of a great amount of personal data. Malicious users can take advantage of information employees share and use it for social engineering attacks.
In addition, the human resources function needs to be made aware of the restrictions surrounding the use of social media channels to research and recruit new talent. Misuse of information found on social media sites to make hiring decisions could result in a claim of discrimination. Even though potential candidates post personal information on a public site, an expectation of privacy still exists in the hiring process regarding certain protected statuses, including disabilities, age, religion, etc.
Finally, employees must take extra care to understand the implication of the information they share with customers through these channels. While employee communication with the public and customers provides the means to build relationships and good will, if that communication includes confidential or sensitive information, a company could end up with a damaged reputation or even a violation of privacy laws and regulations.
How can leaders take advantage of the rewards and minimize the risks?
Having a robust corporate governance framework helps to clarify the role board members should play relative to social media, as well as address the complexity, interrelationships and variables that an organization must manage in order to strengthen governance over this area.

  • Board of directors and committees. In addition to being responsible for effective corporate governance, the board establishes the direction and values of an organization, oversees performance and protects shareholder interests. As part of overseeing performance, board members should understand the opportunities, as well as the risks, of social media use by the constituents of the organization.
  • Legal and regulatory. Labor practices are changing as a result of social media use in the workplace, and board members need to keep up with those changes to avoid exposure.
  • Business practices and ethics. The board needs to confirm that the social media policy the organization adopts is based on best practices and is enforced consistently. So that no stakeholders in the organization are neglected, a social media policy is best determined by a multidisciplinary team of senior representatives from human resources, legal, IT, marketing, public relations, risk management, compliance and other relevant functions. The resulting written policy needs to address the appropriate use of social media by employees at all levels and in all functions.
  • Disclosure and transparency. Shareholders need to be made aware of the risks associated with social networking and how the organization is managing them. Some public companies are now including social media as a risk factor in their annual reports.
  • Enterprise risk management. Before developing and implementing its social media policy, an organization should undertake an initial risk assessment that takes into account not only the likelihood of and potential damage from incidents resulting from social media use, but also the cost of opportunities lost as a result of social media not being used. Once the policy is in place, social media risk mitigation should be integrated into the organization’s everyday risk management processes.
  • Monitoring. After an organization implements its policy, it needs to monitor employee compliance. This requires periodic social media risk assessments, Internet and site monitoring, and control testing, all of which will show if internal controls need to be enhanced.
  • Communication. Communication holds together the various components of the governance framework and keeps the process improving over time. The board should ensure that the social media policy is communicated appropriately and relevant business practices and codes of conduct are addressed.

Jim Stempak is a principal in and leader of the Risk Consulting practice for the Crowe Horwath LLP Dallas office. Reach him at (214) 777-5203 or [email protected].
Insights Accounting is brought to you by Crowe Horwath LLP