Walter Adamson of Kinship Digital spoke at the Institute of Internal Auditors South Pacific and Asia Conference SOPAC 2013 on how to get a grip on auditing social media and on the components of social media governance. Adamson was previously an Internal Auditor and a Certified Information Systems Auditor, and is a Certified Social Media Strategist.
Hypothetical Risk
• NOT just PR / brand reputation
• BUT also implications for logistics, retail stores, customer experience, purchasing, supplier relations, government relations, regulators (e.g. ACCC)
DO YOU have cross-functional social media risk management plans?
Objectives
1. To convey the importance of an effective social media Strategy
2. To outline the components of social media Governance
3. To address some auditing practicalities
Key aspects of social media in business
• Strategy: formulating policy and strategy through researching your brand, customers, partners and competitors
• Intelligence: monitoring, collecting and analysing social data to make informed, agile business and policy decisions
• Communities: building ‘owned’ social platforms for listening, support, building, collaborating, content
• Governance: social business metrics, ROI, policy and guidelines, processes, risk management, compliance
About you?
Personal audience poll - show of hands. On which networks are you active?
Having a Social Media STRATEGY is Key
This is the first question for auditors.
Social Media Policy is not Strategy
χ NOT Strategy
χ NOT Governance
But it is important, and specifically it should:
• Educate employees, then empower them
• Help employees understand and own the risks
• Hold employees accountable
• Address organisation social media account “ownership” and hand-offs when spokespeople leave
Good news! There IS a methodology (a Social Business cycle)
1. Assess
2. Strategise
3. Create Framework
4. Protect
5. Participate
6. Share
7. Engage
8. Monitor
Key is to integrate social with business
1. Social strategy which aligns with business strategy
2. Social business risk which is part of business risk management and compliance programs
Regulators? Advertising Standards Bureau, ACCC, Australian Association of National Advertisers (AANA), ASIC, APRA, etc.
Cross-functional
A social risk management program needs cross-functional input: Compliance, Technology, Information Security, Legal, HR, PR & Comms, Digital Marketing, Social Media!
Governance
• Social Media Strategy
• Regular Reporting of ROI
• Mandatory Monitoring of Social Channels
• Social Media Policy Plans, Action, Compliance
• Management of 3rd Party Vendors
• Employee Training
• Compliance Protocols
Governance - Heads-Up – Be prepared!
Social Media Strategy Required
• A strategic plan with actions and operational descriptions.
• Clear roles and responsibilities whereby the board of directors and/or senior management spell out how use of social media contributes to the strategic goals of the institution, while also spelling out what kind of controls will be put in place.
• How ongoing social media risks will be monitored and assessed.
Regular Reporting of ROI
• Regular reports to the board of directors and/or senior management, which enable a periodic evaluation of the effectiveness of the social media program and whether the program is achieving its stated objectives.
Governance - Heads-Up – Be prepared 2
Mandatory Monitoring of Social Channels
• An oversight process for monitoring information posted to social media sites (administered by the institution or a contracted third party).
Social Media Policies & Procedures & Compliance
• Policies regarding the use and monitoring of social media, and compliance with all applicable consumer protection laws.
• Social media policies should incorporate procedures addressing risks from online postings, edits and replies.
Governance - Heads-Up – Be prepared 3
Manage 3rd-Party Vendors; Ensure Customers Are Protected
• Customer privacy and security of their personal data are a top concern.
• Institutions working with third-party social media vendors will be required to manage those relationships within defined parameters to ensure compliance with all regulations.
You Have to Tell Employees What’s Okay and What’s Not
• An employee training program that incorporates the organisation’s policies and procedures for official, work-related use of social media, and potentially for other uses of social media, including defining impermissible activities.
Compliance Protocols
• Audit and compliance functions to ensure ongoing compliance with internal policies and all applicable laws, regulations, and guidance.
Relevant laws (US) - Financial Institutions
• Truth in Savings Act/Regulation DD and Part 707
• Fair Lending Laws: Equal Credit Opportunity Act/Regulation B and Fair Housing Act
• Truth in Lending Act/Regulation Z
• Real Estate Settlement Procedures Act
• Fair Debt Collection Practices Act
• Unfair, Deceptive, or Abusive Acts or Practices
• Deposit Insurance or Share Insurance
• Electronic Fund Transfer Act/Regulation E
• Rules Applicable to Check Transactions
• Bank Secrecy Act/Anti-Money Laundering Programs (BSA/AML)
• Community Reinvestment Act
• Privacy: Gramm-Leach-Bliley Act Privacy Rules and Data Security Guidelines
• CAN-SPAM Act and Telephone Consumer Protection Act
• Children’s Online Privacy Protection Act
• Fair Credit Reporting Act
Audit questions
Are there methodologies, techniques and tools in place covering:
• Social Media Strategy
• Regular Reporting of ROI
• Mandatory Monitoring of Social Channels
• Social Media Policy Plans, Action, Compliance
• Management of 3rd Party Vendors
• Employee Training
• Compliance Protocols
6 Step Audit Approach
1. Strategy Assessment – overall goals, plans, actions, reporting?
2. Presence Assessment – where are you on the social web?
3. Listening Assessment – what data, and how is it managed?
4. Organisation & Internal Culture Assessment
5. Process Assessment – workflow, timeliness, escalation?
6. Governance Assessment – policy, roles, risk assessment, compliance
Practicalities
Examine risks by business use case:
• Recruitment & retention
• Investor relations
• Public relations
• Marketing / branding
• Lead generation
• Customer service & complaints
• Innovation & product development
• Employee relations
• Business partner relations
Operational Risk
1. Social media is one of several platforms vulnerable to account takeover and the distribution of malware.
2. Organisations must ensure that the controls they implement to protect their systems and safeguard customer information from malicious software adequately address social media usage.
3. Financial institutions’ incident response protocol regarding a security event, such as a data breach or account takeover, should include social media.
Hijacked
Burger King’s official Twitter handle suffered a cyber attack on Monday [Feb 18, 2013]. Hackers switched the branding to that of rival McDonald's and claimed the restaurant chain “just got sold ... because the whopper flopped.” The hackers sent more than 25 tweets and re-tweets on the handle, several poking fun at Burger King, insinuating unethical behaviour about its employees and using intentionally offensive language and racial slurs.
http://www.foxbusiness.com/technology/2013/02/18/burger-king-twitter-account-hacked-rebranded-to-mcdonald/
No opt-out!
An institution that has chosen not to use social media must still be prepared to address the potential for negative comments or complaints that may arise within social media platforms, and provide guidance for employee use of social media.
Awareness
• Mark Pearson @journlaw
• Social media best practice: new guidelines released by the Australian Association of National Advertisers (AANA), see http://www.leadingcompany.com.au/technology/social-media-best-practice-new-guidelines-released/201211283150
• New US Financial Institution Regulation: http://www.ffiec.gov/press/pr012213.htm
About KINSHIP Digital
KINSHIP Digital is a social consultancy that specialises in understanding, developing and protecting its clients’ reputation, brands, businesses and people in Social Media. Follow us @KinshipD www.kinshipdigital.com
Join the Social Governance Community
Easiest way - SEARCH
Walter Adamson - Speaker Notes
Walter Adamson is a social media business specialist. He is General Manager Victoria of Kinship Digital, which helps clients attract & retain employees & customers by leveraging social media tools. This includes reputation monitoring, governance and risk management.
Walter has an extensive background in enterprise and as an independent consultant focused on IT strategy and advising owners and managers of IT businesses. He was also the Independent Advisor to the ICT Strategy Board of the Government of Victoria for 4 years.
He has held executive roles as CIO, VP International Business Development, and Corporate VP IT Strategy, and also worked in Corporate Planning at BHP. Walter established the Internal IT Audit function at BHP and led it for 3 years, and was one of the first Certified Information Systems Auditors in Australia.
He is also a Certified Social Media Strategist and holds a M.Sc. in Computing Science.
email@example.com
Connect on LinkedIn http://linkedin.com/in/adamson
Follow me on Twitter @adamson
m: +61 403 345 632