Social networking is here to stay, and board members
can’t simply ignore it. For directors to play their
governance role effectively, they need to understand both
the risks and the opportunities social media offers their
organization – and see that they are managed effectively.
Crowe Horwath LLP
1. Board of Directors and Committees. In addition to being responsible
for effective corporate governance, the board establishes the direction and
values of an organization, oversees performance, and protects shareholder
interests. As part of overseeing performance, board members should
understand the opportunities and rewards, as well as the risks, of social
media use by the constituents of the organization, as shown on the next page.
2. Legal and Regulatory. Board members need to be aware of the legal risks
associated with social media use. Human resources or recruiting might expose
the organization to legal and employment risks by basing hiring and termination
decisions on information gleaned from social media websites. Labor practices are
changing as a result of social media use in the workplace, and keeping up with
those changes is essential to avoiding exposures.1
3. Business Practices and Ethics. The board needs to confirm that the
social media policy the organization adopts is based on best practices and is
enforced consistently. So that no stakeholders in the organization are neglected,
a social media policy is best determined by a multidisciplinary team of senior
representatives from human resources, legal, IT, marketing, public relations, risk
management, compliance, and other relevant functions.2 The resulting written
policy needs to address the appropriate use of social media by employees at all
levels and in all functions of the organization.
4. Disclosure and Transparency. Shareholders need to be made aware of the
risks associated with social networking and how the organization is managing them.
Some public companies are now including social media as a risk factor in their
annual reports.3
5. Enterprise Risk Management. Before developing and implementing its
social media policy, an organization should undertake an initial risk assessment,
which identifies and quantifies the various risks associated with social media use.
The assessment should take into account not only the likelihood of and potential
damage from incidents resulting from social media use but also the cost of
opportunities lost as a result of social media not being used. Once the policy is
in place, social media risk mitigation should be integrated into the organization’s
everyday risk management processes.
6. Monitoring. After an organization implements its social media policy, it needs
to monitor employee compliance. Monitoring requires periodic social media risk
assessments, which show if any internal controls need to be enhanced.
7. Communication. Communication holds together the various components of
the governance framework and keeps the process improving over time. The board
should make sure that the social media policy is communicated appropriately and
relevant business practices and codes of conduct are addressed.
What Boards Should Know About Social Media
Social Media Rewards and Risks
[Figure: diagram linking Customers, Employees, and The Public, with numbered relationships.]
1. Customers
   Rewards: When social media is used in addition to traditional customer support channels, customers can easily post comments requesting assistance.
   Risks: An organization might miss business development or marketing opportunities because of a failure to exploit a social media channel.

2. Between Customers and the Public
   Rewards: Customers sharing positive experiences with products or services can inspire the confidence of new customers and be an important deciding factor for choosing a company over its competitors.
   Risks: Customers can post criticism or defamatory comments about a business and its products or services and are able to share negative comments with each other.

3. The Public
   Rewards: Acceptance of social media in the workplace could encourage talented candidates to seek out an organization for employment instead of employers that are not embracing this type of access.
   Risks: The exponential growth of social media users has generated public disclosure of a great amount of personal data. Malicious users can take advantage of information employees share and use it for social engineering attacks.

4. Between Employees and the Public
   Rewards: Employee communication with the public via social media provides the means to build relationships faster and reach far more potential customers.
   Risks: If it includes confidential or other sensitive information, a single tweet by an employee or affiliated party could damage an organization’s reputation, disclose business plans, or violate privacy laws and regulations.

5. Employees
   Rewards: Human resources departments take advantage of social media as a tool for researching and recruiting new talent.
   Risks: Using information found on a social media site to make hiring decisions about individuals could result in a claim of discrimination.

6. Between Employees and Customers
   Rewards: Social media encourages an open dialogue, allowing customers to stay up-to-date about product or service offerings.
   Risks: In the world of social media, employees’ voices are as prominent as those of official company representatives. If employees post offensive content, customers might wonder whether to take their business elsewhere.
www.crowehorwath.com