December 2011
What Boards Should Know About Social Media
By Dorri C. McWhorter, CPA, CIA, and Erika L. Del Giudice, CISA, CRI...

What Boards Should Know About Social Media

Social networking is here to stay, and board members
can’t simply ignore it. For directors to play their
governance role effectively, they need to understand both
the risks and the opportunities social media offers their
organization – and see that they are managed effectively.

What Boards Should Know About Social Media

December 2011

What Boards Should Know About Social Media

By Dorri C. McWhorter, CPA, CIA, and Erika L. Del Giudice, CISA, CRISC

Social networking is here to stay, and board members can’t simply ignore it. For directors to play their governance role effectively, they need to understand both the risks and the opportunities social media offers their organization – and see that they are managed effectively.

The proliferation of these very public forums has opened the door to unprecedented opportunities in the areas of marketing, customer service, recruiting, and relationship building. However, the potential rewards of social media must be weighed against the associated reputational, legal and employment, and information security risks. The damage from a disgruntled former employee’s comments on Facebook, for example, customer complaints on Twitter, or criticism of management on LinkedIn can be substantial and long-lasting.

Social Media and the Seven Components of Corporate Governance

Looking at social media risks and rewards through the lens of Crowe’s Corporate Governance Framework (below) helps to clarify the role board members should play relative to social media. The seven components of the framework provide a comprehensive view of the complexity, interrelationships, and variables that an organization must manage in order to strengthen governance – for which the primary responsibility rests with the board of directors.

[Figure: The Crowe Corporate Governance Framework. Components shown: Board of Directors & Committees; Legal & Regulatory; Business Practices & Ethics; Disclosure & Transparency; Enterprise Risk Management; Monitoring; Communication. © 2009 Crowe Horwath LLP]

When all components operate efficiently and effectively, corporate governance provides a platform for improving business performance and enhancing shareholder value.

  1. Board of Directors and Committees. In addition to being responsible for effective corporate governance, the board establishes the direction and values of an organization, oversees performance, and protects shareholder interests. As part of overseeing performance, board members should understand the opportunities and rewards, as well as the risks, of social media use by the constituents of the organization, as shown on the next page.

  2. Legal and Regulatory. Board members need to be aware of the legal risks associated with social media use. Human resources or recruiting might expose the organization to legal and employment risks by basing hiring and termination decisions on information gleaned from social media websites. Labor practices are changing as a result of social media use in the workplace, and keeping up with those changes is essential to avoiding exposures.[1]

  3. Business Practices and Ethics. The board needs to confirm that the social media policy the organization adopts is based on best practices and is enforced consistently. So that no stakeholders in the organization are neglected, a social media policy is best determined by a multidisciplinary team of senior representatives from human resources, legal, IT, marketing, public relations, risk management, compliance, and other relevant functions.[2] The resulting written policy needs to address the appropriate use of social media by employees at all levels and in all functions of the organization.

  4. Disclosure and Transparency. Shareholders need to be made aware of the risks associated with social networking and how the organization is managing them. Some public companies are now including social media as a risk factor in their annual reports.[3]

  5. Enterprise Risk Management. Before developing and implementing its social media policy, an organization should undertake an initial risk assessment, which identifies and quantifies the various risks associated with social media use. The assessment should take into account not only the likelihood of and potential damage from incidents resulting from social media use but also the cost of opportunities lost as a result of social media not being used. Once the policy is in place, social media risk mitigation should be integrated into the organization’s everyday risk management processes.

  6. Monitoring. After an organization implements its social media policy, it needs to monitor employee compliance. Monitoring requires periodic social media risk assessments, which show if any internal controls need to be enhanced.

  7. Communication. Communication holds together the various components of the governance framework and keeps the process improving over time. The board should make sure that the social media policy is communicated appropriately and relevant business practices and codes of conduct are addressed.

Social Media Rewards and Risks

[Figure: diagram of Customers, Employees, and The Public with numbered relationships]

  1. Customers
     Rewards: When social media is used in addition to traditional customer support channels, customers can easily post comments requesting assistance.
     Risks: An organization might miss business development or marketing opportunities because of a failure to exploit a social media channel.

  2. Between Customers and the Public
     Rewards: Customers sharing positive experiences with products or services can inspire the confidence of new customers and be an important deciding factor for choosing a company over its competitors.
     Risks: Customers can post criticism or defamatory comments about a business and its products or services and are able to share negative comments with each other.

  3. The Public
     Rewards: Acceptance of social media in the workplace could encourage talented candidates to seek out an organization for employment instead of employers that are not embracing this type of access.
     Risks: The exponential growth of social media users has generated public disclosure of a great amount of personal data. Malicious users can take advantage of information employees share and use it for social engineering attacks.

  4. Between Employees and the Public
     Rewards: Employee communication with the public via social media provides the means to build relationships faster and reach far more potential customers.
     Risks: If it includes confidential or other sensitive information, a single tweet by an employee or affiliated party could damage an organization’s reputation, disclose business plans, or violate privacy laws and regulations.

  5. Employees
     Rewards: Human resources departments take advantage of social media as a tool for researching and recruiting new talent.
     Risks: Using information found on a social media site to make hiring decisions about individuals could result in a claim of discrimination.

  6. Between Employees and Customers
     Rewards: Social media encourages an open dialogue, allowing customers to stay up-to-date about product or service offerings.
     Risks: In the world of social media, employees’ voices are as prominent as those of official company representatives. If employees post offensive content, customers might wonder whether to take their business elsewhere.

The board should see that the organization invests time and resources in educating its entire workforce – plus its suppliers and business partners – on the intricacies of the policy. In addition, social media policy training should be an ongoing effort rather than a one-time event.

To stay informed about social media’s ongoing impact, board members can determine the type of information the organization communicates to them – for example, customer complaints, employee issues gone viral, or social engineering attacks that take advantage of information shared online.

Enhancing Governance

None of the myriad risks associated with social media can be eliminated completely, of course, but responsible corporate governance requires attention to mitigating those risks. An organization’s governance can be enhanced with a thoughtful and structured approach to understanding and assessing social media risks and developing and implementing a comprehensive plan.

Contact Information

Dorri McWhorter is a partner with Crowe Horwath LLP in the Chicago office. She can be reached at 312.857.7414 or dorri.mcwhorter@crowehorwath.com.

Erika Del Giudice is with Crowe Horwath LLP in the Chicago office. She can be reached at 630.575.4366 or erika.delgiudice@crowehorwath.com.

Notes

[1] See Raj Chaudhary, “Reducing Social Media Risk in the Workplace,” Oct. 14, 2011, http://www.crowehorwath.com/3-column-page.aspx?id=3088&terms=chaudhary

[2] For more about creating a social media policy and risk management strategy, see Raj Chaudhary, Jill Frisby-Czerwinski, and Erika L. Del Giudice, “Social Media Uncovered: Mitigating Risks in an Era of Social Networking,” a Crowe white paper, July 2011, pp. 8 – 10, http://www.crowehorwath.com/folio-pdf/TR11908_SocialMediaWhitePaper.pdf

[3] Theo Francis, “Warning: Social Media at Estee Lauder…,” footnoted.com, Aug. 23, 2010, http://www.footnoted.com/on-the-lighter-side/warning-social-media-at-estee-lauder/

Crowe Horwath LLP is an independent member of Crowe Horwath International, a Swiss verein. Each member firm of Crowe Horwath International is a separate and independent legal entity. Crowe Horwath LLP and its affiliates are not responsible or liable for any acts or omissions of Crowe Horwath International or any other member of Crowe Horwath International and specifically disclaim any and all responsibility or liability for acts or omissions of Crowe Horwath International or any other Crowe Horwath International member. Accountancy services in Kansas and North Carolina are rendered by Crowe Chizek LLP, which is not a member of Crowe Horwath International. This material is for informational purposes only and should not be construed as financial or legal advice. Please seek guidance specific to your organization from qualified advisers in your jurisdiction. © 2011 Crowe Horwath LLP RISK12917
