Social networking is here to stay, and board members can’t simply ignore it. For directors to play their governance role effectively, they need to understand both the risks and the opportunities social media offers their organization – and see that they are managed effectively.

1. December 2011
What Boards Should Know
About Social Media
By Dorri C. McWhorter, CPA, CIA, and Erika L. Del Giudice, CISA, CRISC
Social networking is here to stay, and board members
can’t simply ignore it. For directors to play their
governance role effectively, they need to understand both
the risks and the opportunities social media offers their
organization – and see that they are managed effectively.
The proliferation of these very public forums has opened the door to unprecedented
opportunities in the areas of marketing, customer service, recruiting, and relationship
building. However, the potential rewards of social media must be weighed against
the associated reputational, legal and employment, and information security risks.
The damage from a disgruntled former employee’s comments on Facebook, for
example, customer complaints on Twitter, or criticism of management on LinkedIn
can be substantial and long-lasting.
Social Media and the Seven Components
of Corporate Governance
Looking at social media risks and rewards through the lens of Crowe’s Corporate
Governance Framework (below) helps to clarify the role board members should
play relative to social media. The seven components of the framework provide a
comprehensive view of the complexity, interrelationships, and variables that an
organization must manage in order to
strengthen governance – for which the
primary responsibility rests
with the board of directors. Board of Directors The Crowe Corporate
& Committees
Governance Framework
Legal &
When all components operate
Regulatory efficiently and effectively, corporate
Monitoring
governance provides a platform for
improving business performance
and enhancing shareholder value.
Communication
© 2009 Crowe Horwath LLP
Business Practices
Enterprise Risk & Ethics
Management
Disclosure &
Transparency
www.crowehorwath.com 1

2. Crowe Horwath LLP
1. Board of Directors and Committees. In addition to being responsible
for effective corporate governance, the board establishes the direction and
values of an organization, oversees performance, and protects shareholder
interests. As part of overseeing performance, board members should
understand the opportunities and rewards, as well as the risks, of social
media use by the constituents of the organization, as shown on the next page.
2. Legal and Regulatory. Board members need to be aware of the legal risks
associated with social media use. Human resources or recruiting might expose
the organization to legal and employment risks by basing hiring and termination
decisions on information gleaned from social media websites. Labor practices are
changing as a result of social media use in the workplace, and keeping up with
those changes is essential to avoiding exposures.1
3. Business Practices and Ethics. The board needs to confirm that the
social media policy the organization adopts is based on best practices and is
enforced consistently. So that no stakeholders in the organization are neglected,
a social media policy is best determined by a multidisciplinary team of senior
representatives from human resources, legal, IT, marketing, public relations, risk
management, compliance, and other relevant functions. 2 The resulting written
policy needs to address the appropriate use of social media by employees at all
levels and in all functions of the organization.
4. Disclosure and Transparency. Shareholders need to be made aware of the
risks associated with social networking and how the organization is managing them.
Some public companies are now including social media as a risk factor in their
annual reports.3
5. Enterprise Risk Management. Before developing and implementing its
social media policy, an organization should undertake an initial risk assessment,
which identifies and quantifies the various risks associated with social media use.
The assessment should take into account not only the likelihood of and potential
damage from incidents resulting from social media use but also the cost of
opportunities lost as a result of social media not being used. Once the policy is
in place, social media risk mitigation should be integrated into the organization’s
everyday risk management processes.
6. Monitoring. After an organization implements its social media policy, it needs
to monitor employee compliance. Monitoring requires periodic social media risk
assessments, which show if any internal controls need to be enhanced.
7. Communication. Communication holds together the various components of
the governance framework and keeps the process improving over time. The board
should make sure that the social media policy is communicated appropriately and
relevant business practices and codes of conduct are addressed.
2

3. What Boards Should Know
About Social Media
Social Media Rewards and Risks
Customers
6 2
Employees The Public
4
Rewards Risks
1 Customers When social media is used in addition to An organization might miss business
traditional customer support channels, customers development or marketing opportunities because
can easily post comments requesting assistance. of a failure to exploit a social media channel.
2 Between Customers sharing positive experiences
Customers and Customers can post criticism or defamatory
with products or services can inspire the
the Public comments about a business and its
confidence of new customers and be an
products or services and are able to share
important deciding factor for choosing
negative comments with each other.
a company over its competitors.
3 The Public Acceptance of social media in the The exponential growth of social media users
workplace could encourage talented has generated public disclosure of a great
candidates to seek out an organization amount of personal data. Malicious users can
for employment instead of employers that take advantage of information employees share
are not embracing this type of access. and use it for social engineering attacks.
4 Between If it includes confidential or other sensitive
Employees and Employee communication with the
information, a single tweet by an employee or
the Public public via social media provides the
affiliated party could damage an organization’s
means to build relationships faster and
reputation, disclose business plans, or
reach far more potential customers.
violate privacy laws and regulations.
5 Employees Human resources departments take Using information found on a social media
advantage of social media as a tool for site to make hiring decisions about individuals
researching and recruiting new talent. could result in a claim of discrimination.
6 Between In the world of social media, employees’
Employees and Social media encourages an open dialogue, voices are as prominent as those of official
Customers allowing customers to stay up-to-date company representatives. If employees post
about product or service offerings. offensive content, customers might wonder
whether to take their business elsewhere.
www.crowehorwath.com 3

4. The board should see that the organization invests time and resources in educating Contact Information
its entire workforce – plus its suppliers and business partners – on the intricacies of
Dorri McWhorter is a partner with
the policy. In addition, social media policy training should be an ongoing effort rather
Crowe Horwath LLP in the Chicago office.
than a one-time event.
She can be reached at 312.857.7414 or
To stay informed about social media’s ongoing impact, board members can deter- dorri.mcwhorter@crowehorwath.com.
mine the type of information the organization communicates to them – for example,
Erika Del Giudice is with Crowe
customer complaints, employee issues gone viral, or social engineering attacks that
Horwath LLP in the Chicago office.
take advantage of information shared online.
She can be reached at 630.575.4366 or
erika.delgiudice@crowehorwath.com.
Enhancing Governance
None of the myriad risks associated with social media can be eliminated completely,
of course, but responsible corporate governance requires attention to mitigating 1
See Raj Chaudhary, “Reducing Social Media
those risks. An organization’s governance can be enhanced with a thoughtful and Risk in the Workplace,” Oct. 14, 2011, http://
www.crowehorwath.com/3-column-page.
structured approach to understanding and assessing social media risks and devel- aspx?id=3088&terms=chaudhary
oping and implementing a comprehensive plan.
2
For more about creating a social media policy and
risk management strategy, see Raj Chaudhary, Jill
Frisby-Czerwinski, and Erika L. Del Giudice, “Social
Media Uncovered: Mitigating Risks in an Era of
Social Networking,” a Crowe white paper, July
2011, pp. 8 – 10, http://www.crowehorwath.com/
folio-pdf/TR11908_SocialMediaWhitePaper.pdf
3
Theo Francis, “Warning: Social Media at Estee
Lauder…,” footnoted.com, Aug. 23, 2010, http://
www.footnoted.com/on-the-lighter-side/warning-
social-media-at-estee-lauder/
Crowe Horwath LLP is an independent member of Crowe Horwath International, a Swiss verein. Each member firm of Crowe Horwath International is a separate and independent legal entity.
Crowe Horwath LLP and its affiliates are not responsible or liable for any acts or omissions of Crowe Horwath International or any other member of Crowe Horwath International and specifically
disclaim any and all responsibility or liability for acts or omissions of Crowe Horwath International or any other Crowe Horwath International member. Accountancy services in Kansas and North
Carolina are rendered by Crowe Chizek LLP, which is not a member of Crowe Horwath International. This material is for informational purposes only and should not be construed as financial or
legal advice. Please seek guidance specific to your organization from qualified advisers in your jurisdiction. © 2011 Crowe Horwath LLP
RISK12917
www.crowehorwath.com 4