A Comprehensive Approach to Managing Social Media Risk and Compliance

Page created by Rita Hill
 
FOREWORD

SOCIAL MEDIA HAS GROWN IN POPULARITY AND IMPORTANCE FASTER THAN MOST COMPANIES’ RISK MANAGEMENT CAPABILITIES CAN CURRENTLY HANDLE.

In one year alone—from 2012 to 2013—the number of social network users around the world rose from 1.47 billion to 1.73 billion (about 25 percent of the world’s population), an 18 percent increase. By 2017, the global social network audience is expected to total 2.55 billion.1 More than 72 percent of all internet users regularly access social networking sites.2 And, in the UK and US alone, people spend respectively 13 and 16 minutes every hour using social media.3

Perhaps more important is take-up of social media by businesses around the world. Among Fortune 500 firms, 77 percent now have active Twitter® accounts, 70 percent have Facebook® pages and 69 percent have YouTube™ accounts.4

At issue here is the fact that traditional risk management policies and procedures were not designed for, quite literally, minute-by-minute monitoring of social media chatter to identify brand, strategy, compliance, legal and market risks.

Those risks are considerable. Financial institutions have had to shut down social media forums due to unanticipated negative feedback; the stock markets have been buffeted by fraudulent social network postings; businesses have had to change or rescind strategies in response to the force of social media; other businesses have suffered brand damage due to the power of social media to send negative impressions almost instantly around the world.

This Accenture paper, “A Comprehensive Approach to Managing Social Media Risk and Compliance,” acknowledges the power and importance of social media to businesses in every industry. At the same time, it helps identify and explore many of the potential negative consequences posed by social media in terms of brand, strategy, regulatory, legal and market risks. More important, it outlines a holistic approach to identifying, assessing and managing those risks.

Our focus is on distinctive responses—policies, procedures, technologies and competencies—across traditional risk management categories of governance, processes and information technology. Especially important is the human dimension—creating a risk culture that is attuned to both the significant benefits and the distinctive risks of social media, and putting in place the compliance and performance management capabilities that can lead to changed behaviors in social media usage.

We augment these discussions of methods and best practices with practical advice from risk professionals. These are especially interesting inputs to the discussion because they tap into very timely concerns—such as the global head of privacy and information management for a major US bank discussing how recent regulatory changes require his bank to track social media complaints, even if they have not been officially lodged. As he says, that demand is “taking the industry by storm.”

Another of our interviewees notes, however, that it’s important for financial services institutions and all businesses to “be bold.” Build a social media presence and “create some cool things.” In fact, an effective social media risk management capability can bring bold ideas to life and make a difference in the business outcomes your company delivers.

Steve Culp
Senior Managing Director
Accenture Finance & Risk Services

INTRODUCTION: THE BENEFITS AND RISKS
OF SOCIAL MEDIA

DID YOU HEAR THE STORY ABOUT THE HACKER WHO FRAUDULENTLY USED THE ASSOCIATED PRESS’S TWITTER® ACCOUNT TO POST NEWS OF AN ALLEGED BOMBING AT THE WHITE HOUSE, CAUSING THE STOCK MARKET TO DROP ABOUT 150 POINTS IN JUST MINUTES?

Or the “pump and dump” stories about people using social media to post fake news about a company’s performance, then profiting from the bump in stock price? Or the stories of criminals who have used personal information posted by people on their social media pages to glean answers to security questions and thereby gain access to their bank accounts?5

You have probably heard these stories and many others like them. They are evidence of the fact that, however many benefits social media platforms provide for companies in terms of communications, publicity, increased consumer engagement and more, social media also carries with it many risks.

SHORTFALLS IN MANAGING SOCIAL MEDIA RISK

Are companies taking these risks seriously and handling them methodically? The data strongly implies that they are at times overconfident and inadequately prepared.

According to a recent survey that looked at corporate social media risks and rewards, almost three out of four executives surveyed (71 percent) said that their company is concerned about these risks but “believe the risks can be mitigated or avoided.” Another 13 percent indicated they felt their company does not currently believe it has any appreciable risks.6

Of equal concern to this kind of misplaced overconfidence was the fact that 59 percent of respondents reported that they had no social media risk assessment plan in place, and only 36 percent reported offering social media training.7 What could explain this apparent complacency?

One issue is that a great deal of press coverage is focused on the brand or reputational risk aspects of social media use. But reputational risk is only one among many types of social media risks, and in some cases can hide or obscure other types of risks under a single label of brand value and reputation.

It stands to reason that if companies do not have a broad enough understanding of social media risks, they are likely not to have in place a broad enough approach to managing social media risks.

A COMPREHENSIVE AND PROACTIVE RESPONSE

This paper presents a comprehensive approach to managing these social media risks more effectively. The approach involves structures and actions across several major streams of work, including governance, processes and information systems—supported by leadership, culture, compliance and performance management activities that strengthen the human dimension of risk management, which can often be the weakest link.

Although the paper focuses primarily on the financial services industry, the insights and prescriptions are applicable to most other industries. We have augmented and supported the analyses and recommendations in the paper with insights from several banking executives in areas such as information security, social media and privacy who are working to manage risk effectively while expanding their institution’s social media presence. Interviews with these executives were conducted exclusively for this report.

Social media is in many respects an unstoppable cultural force, in spite of some organizations’ attempts to block or curtail its use. Because social media is this kind of force—ubiquitous and powerful—it is better to manage it effectively than try to stand in its way.

PART 1: THE RISE AND THE RISKS OF SOCIAL MEDIA

THE NUMBER OF COMPANIES, AND THE NUMBER OF COMPANY EMPLOYEES USING SOCIAL MEDIA APPLICATIONS IS GROWING AT A RAPID PACE.

According to one report,8 the number of social network users around the world rose from 1.47 billion in 2012 to 1.73 billion in 2013 (about 25 percent of the population), an 18 percent increase. By 2017, the global social network audience is expected to total 2.55 billion. (See sidebar, “Social media in context.”)

Among corporations, establishing a social media presence is now more than accepted—it’s expected. Among Fortune 500 firms, 77 percent have active Twitter® accounts, 70 percent have Facebook® pages and 69 percent have YouTube™ accounts. About one-third (34 percent) maintain active blogs.9 Over 90 percent of US companies use social media for recruiting.10 In the financial services industry, other ways in which social media has value include:

• Branding
• Marketing/advertising
• Corporate communications
• Servicing
• Grievances resolution

A significant sticking point when it comes to properly leveraging social media is dealing with the many risks to which companies are exposed. According to the 2014 RiskTech100 report,11 published by Accenture and Chartis, reputational and brand risk is the one most often discussed, and certainly it is a serious one. Negative exposure on social media sites, or inappropriate or unauthorized action in the company’s name, can result in lost trust and lost revenues.

But underlying these reputational risks lie several other types of serious risk:

• Strategic risk
• Business risk
• Regulatory risk
• Legal risk
• Market risk

If not effectively mitigated, these risks can lead to serious negative consequences including fraud, intellectual property loss, financial loss, privacy violations and failure to comply with laws and regulations. (For more, see sidebar, “Sources and types of social media risks.”)

As an example, consider the mix of business, regulatory and legal risks in the following: According to the global head of privacy and information management for a major US bank interviewed for this paper, “The biggest risk for me is our employees disclosing information about our clients on social media. This risk is especially prevalent given the growing presence of Millennials in the workplace, because they are accustomed to sharing personal information and many of their current activities over social media. At times there is over-disclosure of their personal life moments, which can bleed over into their professional life moments, and we need those to be confidential.”

Complicating companies’ plans to mitigate these risks are several marketplace, technology and organizational factors. For example, the number of social media platforms is growing constantly, which means companies are, as the saying goes, trying to change the tires on a moving vehicle. The complex media environment makes it difficult to integrate with a company’s operating model, which means an organization is often reduced to simply reacting to events after they’ve happened, instead of taking proactive steps.

Finally, social media risks are difficult to quantify. Most corporate initiatives are not approved without a strong business case, but beyond pointing to well-known examples of companies that have suffered losses because of social media, comprehensive cost/benefit analyses are still in their early stages—meaning that many risks still go uncontrolled.

In fact, a standalone business case for managing social media risk is rarely necessary, assuming that companies already have created a business case for expanding their social media operations. Typically the risk assessment that comes with this case involves looking at potential negative outcomes, assessing the damage they could do and then assigning a probability to those scenarios. What is the cost of those risks compared to the costs of not being in the social media game at all?

SOCIAL MEDIA IN CONTEXT

In the words of a senior executive of social media for a major international bank, “One risk is actually not being open enough to social media, actually knowing its role in business and culture. I still hear stories of executives in the industry not taking social media that seriously—that it's just a ‘nice to have.’ But there is great power in it. This can be negative, given the speed with which issues spread on social media. But it can also be extremely positive. It can foster better relationships or create additional touch points in the digital marketing space.”

At the same time, this executive notes that social media “must be understood to be equally important as other channels: radio interviews, TV broadcasts, newspaper and magazine articles, web articles and so on.”

Customer and client demographics are among the factors playing a role in the extent to which banks enter the social media arena and at what pace. The Chief Information Security Officer (CISO) for a US regional bank notes, “Social media is a channel, but because of the demographics of our business, at this time it is as important—no more and no less—as, say the branch channel, the call center or online banking. The story here is the demographics of our customer base which tends to be a bit older. For other banks targeting younger and affluent communities, social media is more often prioritized higher than the other traditional banking channels.”

For whatever reason and whatever the pace at which a financial institution embraces social media, the channel’s many risks must be identified, monitored and managed. To be prevented is a situation in which banks extend their social media exposure before recognizing and anticipating the threats.

SOURCES AND TYPES OF SOCIAL MEDIA RISKS

WHILE OFFERING A HOST OF POTENTIAL BUSINESS BENEFITS, THE USE OF SOCIAL MEDIA CAN EXPOSE COMPANIES TO NUMEROUS BUSINESS RISKS. MOST OF THESE RISKS RESULT FROM A COMBINATION OF ORGANIZATIONAL WEAKNESSES AND VULNERABILITIES EXPOSED THROUGH DATA MISUSE AND DATA SHARING.

FRAUD

Several high-profile cases of hackers representing themselves as organizations or companies have highlighted the potential of social media to perpetrate fraud that is harder to deal with because information goes “viral” so quickly in an online and wireless world. These cases have had serious consequences. Hackers representing themselves on Twitter® as the Associated Press posted a false story about a bombing at the White House which caused the Dow Jones Industrial Average to fall about 150 points in a matter of minutes, representing approximately $150 billion in market value.12 Several other news organizations have had their online presence compromised through similar kinds of activities.

In other cases a hacker misrepresenting a company has posted fake announcements with exceptional financial news, causing and then profiting from a rise in the company’s stock price. These actual cases and their importance have not been helped by a new trend used by several companies which involves “fraudulent fraud”—that is, staging a fake hack as part of a promotional program.13

Fraud risks from social media are likely to increase dramatically because of the Securities and Exchange Commission’s decision in early 2013 to let businesses conduct financial disclosures and release material information over social media platforms such as Twitter® and Facebook®.14 The stakes are getting higher. Although no penalties are yet in place if a company has vulnerabilities that allow it to be hacked in a way that manipulates a market, this could change. One of the commissioners with the US Commodity Futures Trading Commission has called for fines to be imposed on companies when such things happen.15 (For more on regulatory compliance and controls, see the sidebar, “A Summary of Social Media Regulations in the US and UK for Financial Services Companies,” page 19.)

LOSS OF INTELLECTUAL PROPERTY

Corporate espionage is a thriving business: One estimate is that among the world’s 1,000 largest companies, espionage results in $45 billion in losses every year.16 It’s an activity that has been made easier in many ways by the growth of social media.

PLATFORMS FOR DATA SHARING
• Blogs and microblogs
• Photo- and video-sharing
• Social networking
• Search engines
• Auction sites
• Business sites
• Message boards

ORGANIZATIONAL WEAKNESSES
• Ambiguous policies
• Unclear roles
• Inconsistent processes
• System vulnerabilities

DATA MISUSE
• By employees: accidental or malicious
• By non-employees: accidental or malicious

SOCIAL MEDIA RISKS
• Fraud
• Intellectual property loss
• Financial loss
• Privacy violations
• Brand damage
• Non-compliance

Source: Accenture, August 2014

To understand why, consider the different ways that data and information can be misused by people. First, it can be misused by people both inside a company and external to it; second, it can be misused or shared accidentally or maliciously.

So the salesperson who establishes LinkedIn® relationships with customers doesn’t intend to disclose a confidential and highly valuable customer list, but in effect is doing so. Employees who make a Facebook® posting or tweet about interesting work they are doing may mean no harm; but a good corporate spy might be able to put several such pieces of information together to develop advance information about a company’s product that’s still at the R&D stage. In one case, spies working for a security consultancy were able to predict that a company would file for bankruptcy based on employee tweets about budget cuts and the fact that the vice president of operations was looking for a job on LinkedIn®.17 (The irony here is that in some cases LinkedIn® is the only social media site that banks do not block for their employees because they believe it is a “professional networking” site.)

In another case, a spy assumed a different identity and sent a Facebook® friend request to a corporate executive. As the days went by, he dropped his guard and eventually shared non-public information about his company’s revenues.18

FINANCIAL LOSS DUE TO MALWARE

Because users of social media platforms such as Facebook® so often send links to each other—links to videos, music and so forth—it has become distressingly easy for hackers and spies to install rogue software on computers when people inadvertently click a bad link—including, in some cases, what looks like a legitimate advertisement. Such malware can cause a variety of mischief, including luring people into fraudulent transactions or using hidden software to steal data and personal information, as well as corporate information that might be on the computer.

In another recent trend, hackers are establishing second Facebook® pages for people and companies, thus establishing relationships in which someone might divulge important information. Some other scams have used messaging capabilities within social media platforms to conduct computer attacks.19

In other cases, phishing schemes that look like legitimate messages from a social media company result in users revealing their password. Many people use the same password for multiple accounts, which could mean someone now has a password to the person’s corporate network.20

PRIVACY VIOLATIONS

In some highly publicized cases, social media sites have experienced security breaches in which confidential user information was shared publicly. This happened to Facebook® in early 2013, when a software bug enabled a program to inadvertently share six million users’ information such as email addresses and phone numbers. The breach meant that any company that was using Facebook® to promote its business might have had its customers’ information shared publicly.21

Another way that customer privacy can be violated is through a technique called “data scraping.” This is a method of tracking people’s activities online and gathering personal data from their use of social media sites as well as online sites. In some cases, this is done by research companies who then sell the data to other companies.

And then there might always be some previously undiscovered back door into a social media application. This happened in 2010 to Foursquare®, the site where users check in to let friends know where they are and what they’re doing. A programmer discovered he could write a program mining the photos of users to know where they were almost any hour of the day. Foursquare® fixed the bug, but the sense that social media users are laying down a constant track of information has to give people and
                                                                                                corporations pause.22

PART 2: THE ESSENTIAL COMPONENTS OF EFFECTIVE
SOCIAL MEDIA RISK MANAGEMENT

COMPANIES TYPICALLY ENCOUNTER A NUMBER OF ORGANIZATIONAL WEAKNESSES AS THEY BEGIN TO ANALYZE THEIR VULNERABILITIES TO SOCIAL MEDIA RISKS.

For example, policies governing the use of and access to data may be outdated or weak. Roles and responsibilities for oversight of the various risk dimensions could be unclear. Processes for managing risk are often inconsistent from business unit to business unit or from location to location.

In the face of social media risks and these organizational vulnerabilities, Accenture recommends a social media risk management approach with distinctive activities across governance, processes and systems. (See Figure 1.) These become the value catalysts for realizing the full potential of a social media strategy. The three main components are augmented and supported by other activities having to do with compliance, culture and leadership, and performance management.

FIGURE 1: ACCENTURE’S COMPREHENSIVE FRAMEWORK FOR EFFECTIVELY MANAGING SOCIAL MEDIA RISK

Risk-Aware Culture: Generating enterprise-wide responsibility for social media risk management

Compliance: Monitoring of regulatory initiatives related to social media risk management at all levels

Performance Management: Assessing effectiveness and progress toward improvement

GOVERNANCE
Creating new structures and policies for managing social media risks

An established social media risk management structure including:
• Formally defined roles and accountabilities enterprise-wide and within exposed functions
• Coordination among business units
• Acceptable-use policies for social media
• Well-defined risk tolerance levels
• Defined escalation pathways
• An operating model for crisis management

PROCESSES
Adjusting operations for proactive social media risk assessment and monitoring

Consistent processes to manage operations while identifying business opportunities. Processes include:
• Social media risk identification across categories (e.g., reputation, intellectual property, fraud prevention, business disruption)
• Risk assessment, reporting and monitoring
• Cost-effective risk mitigation/transfer

SYSTEMS
Managing data effectively and leveraging new technologies to mitigate social media risks

Effective use of technologies to improve data management and the monitoring of social media activity, including:
• Social media data mining and capture (e.g., analytics, web crawlers)
• Text analytic engines
• Data security and storage
• Reporting and dashboards

Source: Accenture, August 2014

I. GOVERNANCE

Governance is focused on creating new structures, policies and accountabilities for managing social media risk, as well as the awareness of how the organization is using social media strategically and operationally. Although general governance principles apply in the realm of social media as with other corporate strategies, some specific differences and permutations need to be noted in several areas, including the need to coordinate effectively across functions and the need to have well-defined crisis management procedures that can be instituted at a moment’s notice.

DEFINED ROLES AND ACCOUNTABILITIES FOR SPECIFIC TYPES OF SOCIAL MEDIA RISKS

As noted earlier, the risks arising from the use of social media in a corporate environment expose many different functions and groups to risks—from compliance to corporate affairs to IT to marketing. These groups need to cooperate to combat their mutual vulnerabilities, which means sharing information and operating according to consistent policies and understandings.

Part of this shared understanding involves clearly defined roles and accountabilities. In Figure 2, we show a sample or illustrative governance structure which provides an idea not just of the lines of reporting, but also what role each function can play in identifying, assessing and managing particular kinds of risks. The marketing organization, for example, might be primarily focused on brand or reputational risk, while the legal and audit departments would be accountable for privacy issues and fraud, respectively.

As noted by the social media executive for an international bank, it is important to structure the organization and the assignment of responsibilities such that the risk function is always participating in strategic discussions. “We have an extensive risk management network. Each part of the business has its own team, so there needs to be coordination. From a risk perspective, having a central steering group may not always be the most effective way to get things done quickly. However, it is always important to have a representative from risk sitting at the table—someone from compliance, someone from legal, and so forth, to provide guidance to the business and make sure what the company is doing is sound.”

COORDINATION WITH OTHER BUSINESS UNITS

Although the banking social media executive had some caveats about the limitations of a central risk group, he went on to speak of the importance of coordinating the social media strategy itself as a means of mitigating reputational and business risks. “We occupy a very large piece of real estate in the social media sphere, covering all our business units. So from that perspective, it is important to have a central group—in our case, the marketing and branding division—that oversees the social media strategy.” Larger organizations need to make sure that different units do not post conflicting statements. “It’s very important to make sure everyone knows what each other is doing,” he concluded.

ACCEPTABLE-USE POLICIES FOR SOCIAL MEDIA

Creating an acceptable-use policy for employees (as well as, potentially, contractors and vendors) when it comes to social media does not involve starting with a blank page, but rather building on existing policies covering media interaction, public communications, the handling of confidential information and how to protect against the misuse of information.

FIGURE 2: AN ILLUSTRATIVE EXAMPLE OF A SOCIAL MEDIA RISK MANAGEMENT GOVERNANCE AND ACCOUNTABILITY STRUCTURE

Executive Sponsor Group
• Sets role of social media in enterprise
• Sets risk tolerance levels

Risk Management
• Embeds social media in enterprise risk management
• Audits processes

Corporate Communications
• Sets communications policy
• Identifies social platform and channels

IT
• Implements data and analysis technology
• Secures data and IT

Social Media Risk Manager
• Reports risks
• Trains personnel
• Audits processes

Audit: Manages risks such as fraud
Marketing: Manages risks such as brand damage
Legal: Manages risks such as privacy violations
Strategy: Manages risks such as intellectual property disclosure
Human Resources: Manages risks such as misconduct

Source: Accenture, August 2014

(The Social Media Governance organization maintains a database of sample social media acceptable-use statements from more than 200 organizations at: http://socialmediagovernance.com/policies.php.)

In general, such policy statements should encourage, rather than discourage, social media activity, and help provide strong guidelines and examples of behaviors that are acceptable and not acceptable.

However, among the policies that banks need to be wary of is how to reconcile building relationships over social media with their consequent risks. One policy among some banks, as noted by the CISO of a US regional financial institution, is that the bank does not interact with customers (yet) over social media but only through branch, phone or banking channels. Said this executive, “It’s vitally important for banks to consider the many risks—including reputation and compliance—that come with customer interaction over social media.”

According to the head of privacy and information management for a major US bank, sometimes the goals of the marketing organization and the risk organization may come into conflict. Said this executive, “The bank has been increasing our social media presence for our client-facing staff. Given that emphasis, salespeople might want to establish a LinkedIn® or Facebook® relationship with a client. Although not yet an official policy, we strongly discourage this because of the heightened risk it brings of disclosing private information about clients on a public social media site.”

In other cases, social media sites are blocked from a bank’s corporate workstations. Although such a policy might be viewed as untrusting or overbearing, the banking social media executive we spoke with offered a different perspective. “When I first joined the bank,” he said, “I thought that blocking social media access was a backward step; my attitude was, ‘It’s a new age, get with the program.’” Earlier in his career, this executive had worked in an industry more reliant on social media. “In a banking environment, however, the risk of personal data getting out is so much greater. So, being blocked from social media by default is not about being Big Brother. After all, an employee can still use a smartphone to access social media. From a policy perspective, this is part of doing everything we can to protect everyone—clients, employees and our stakeholders.”

WELL-DEFINED SOCIAL MEDIA RISK TOLERANCE LEVELS

Companies with a mature enterprise risk management function are accustomed to speaking about risk tolerance levels. For example, they set trading limits or, if they are operating in a country where unrest is present, will set a tolerance level about employee safety and when they need to pull employees out.

Similarly, companies need to define what their risk tolerances are for social media. For example, if a company wants to encourage more open engagement with the public at large and get many people talking about their brand, that is an opportunity that carries with it a higher degree of risk; people who do not know the company very well will be making posts visible to thousands of people.

Another consideration is about what kind of information the company is comfortable sharing over social media sites. Does it want to share financial information that increases transparency—something welcomed by suppliers and contractors but which could also expose information to competitors? In general, it is important for companies to run scenarios with outcomes of increasing levels of impact to determine where they want to set limits.

DEFINED ESCALATION PATHWAYS AND REPORTING LINES

It is important to appoint, for each key category of risk, an individual who is responsible for making ultimate decisions about social media risks, managing risks and handling any crises that may arise. From the risk owner downward in the organizational structure there should be a clear reporting line—an escalation pathway such that if an indicator of risk appears everyone knows exactly how the issue is to be escalated.

AN OPERATING MODEL FOR CRISIS MANAGEMENT

In a certain percentage of cases, almost inevitably, “risks” become real issues that need to be dealt with. To plan for such an occurrence, companies need what the banking social media executive terms, “an operating model for crisis management.” In today’s environment, when a customer is dissatisfied, they are now empowered to complain instantly to a large number of people through social media; if a large number of people retweet or repost this information, the bad impression can go viral very quickly.

Two things are especially important in these instances, notes this executive. First, for some types of issues, some messaging and responses need to be pre-written and pre-approved by public relations and the legal department, “so responses can be made very quickly by approved people who are notified of an incident.”

Second, for instances when pre-approved responses are not enough, “it is vital to ensure that you’re able to get key decision-makers together very quickly and agree on some joint messaging. It’s also very important that every stakeholder in social media within a large organization buys into that as well, because if they don’t think it has anything to do with them the entire organization could be at risk.”

In some cases, continues the executive, “the correct rapid response is a high-level acknowledgment of an issue, with the clear message that you are looking into it and will provide an update as soon as possible. Such an answer can go a long way toward placating dissatisfied people. It’s even better if you can give them an estimate as to when you’ll get back to them. So managing expectations is very important.” In some cases, companies have stumbled in the social area “because they either just went silent or, equally bad, simply pushed out responses without establishing a two-way conversation.”

FROM GOVERNANCE TO PROCESSES

Together, these capabilities and structures define an effective governance structure. However, policies and structures only come alive as they become actions. For that, we turn to the second component, processes.

II. PROCESSES

Effective social media risk management processes protect operations and the brand in a cost-effective way—adjusting operations for proactive social media risk assessment and monitoring. Companies are already aware of the importance of having consistent processes in place to handle identifying, measuring, managing and reporting on risks. However, such processes will often look somewhat different in the social media world, in part because of the always-on nature of social networking platforms.

IDENTIFYING THE RISKS OF SOCIAL MEDIA AS WELL AS THE OPPORTUNITIES

Social media risks need to be accurately identified across categories—for example, reputation, intellectual property, fraud prevention and business disruption. Risk identification builds upon the guidance set forth in this paper’s discussion of governance. That is, to identify risks properly requires knowing what the company’s risk tolerance levels are for different activities. It means being familiar with policies to understand broadly what the company’s attitudes are. And it means understanding roles and accountabilities to bring the right people together to properly and accurately define risks.

Part of risk identification is actually identifying business opportunities. For example, given your institution’s known social media risk strengths and weaknesses, what could be done in the way of new products, services, product development partnerships and so forth? What are the opportunities to cut costs or reach customers in new ways? Risk management, after all, is not about suppressing profit-generating activities but rather about properly directing those activities.

ASSESSING AND REPORTING ON RISK FROM DIFFERENT FUNCTIONAL PERSPECTIVES

If we refer back to Figure 2, the illustrative governance structure, another way to understand the responsibilities of the individual functions is to say that they are charged with collecting information, monitoring the risk environment and paying attention to the early warning signals that indicate something could go wrong. The methodology used may differ by function because they are dealing with different channels and platforms. An HR director might be paying attention to sites such as LinkedIn®, while legal might be monitoring email traffic to see if any issues of liability are arising. Marketing would be monitoring various platforms to understand how the brand is being used or discussed by customers.

In each case, however, what is consistent is that companies are identifying, assessing and managing risk and then reporting this up to a social media risk manager who consolidates the information, escalates any issues and effectively audits the process being used by the various functions. The risk manager works to ensure that the groups are monitoring activities with the right frequency and that the data and reports they are providing are of high quality.

MONITORING RISKS CONTINUOUSLY

Senior management needs to be provided with the appropriate information with the right amount of frequency to manage social media risks appropriately. However, risk monitoring is a more complicated process in the social media world than it is with more traditional transactions and communications. Social media is always on, especially for a global business, so monitoring in effect needs to be continuous.

One of the benefits of social media monitoring is early identification of problems that can lead to increased business risk. According to the banking social media executive, “Input from social media can help companies take rapid steps to fix a problem. If you get 500 tweets on a particular issue, those people cannot possibly all know each other, so it’s an indication of a real problem that you can then quickly address. With tweets, you can also identify a general geographic area, which also really helps to identify where the issue is occurring.”

Some companies are taking advantage of technologies to augment actual human monitoring. Web crawlers can be deployed that use sentiment analysis technology to find references to a company, infer whether the reference is positive or negative and in what context (e.g., customer care, product quality) and report back. In this way, reputational risks can be identified faster and counter-actions put in place quickly.

Other technologies are now helping companies monitor employee activity on social media to assess business risks. For example, many financial institutions are looking into more compliance-related tools that prevent an employee from saying anything on social media that violates a particular regulation. In the UK, Hearsay Social, Inc. offers financial services institutions a platform, integrated with existing systems, to roll out and manage social programs while meeting compliance requirements. In the US, Actiance Inc. provides a platform that helps firms manage social media channels by:23

• Controlling access to applications, including authorizations.
• Monitoring social media content to protect brand value and ensure data security.
• Capturing social media conversations in context to provide more robust information.
• Searching all captured content quickly, supporting legal and discovery inquiries.
• Archiving all social media activity captured to support compliance with regulations.

The ability to halt risky social media activity before it becomes a problem is an important feature, notes the banking social media executive. “For example, say a customer tweets you with an issue with their business credit card, and you respond and say if you’re having trouble with your credit card, call this number, that tweet will get blocked and rerouted to monitoring. This way a bank knows if the tweet was a promotion or whether it indicated an issue with service.”

In some cases, companies have established a social media center of excellence to gather better insights on their customers’ needs, understand the perceptions held of their brands and help better engage with customers on social media going forward. For example, a US-based global pharmaceutical company asked Accenture to help set up a regional Social Media Centre of Excellence (CoE) for Europe, Australia and Canada. The center will provide brand, corporate communications and medical teams in the region with strong social media monitoring and engagement support.

Accenture leveraged best-of-breed social media management solutions and its proprietary Social CRM Integration solution to provide a 360-degree social view of the customer, personalized customer support and peer support to drive superior customer satisfaction and reduce operational costs.

MITIGATING AND/OR TRANSFERRING RISKS COST-EFFECTIVELY

A key goal of effective risk management is to decrease the likelihood that risks will occur, as well as improve the capabilities and capacities of the organization—people, processes, technologies and structures. However, it can also mean transferring some or all of the risk elsewhere. This could mean insuring against it—providing some compensation in case of brand damage or protection against directors’ liability.

On the other hand, companies may decide that an entire process is too risky for them and that their internal skills are not up to the challenge, which could lead to a decision to outsource the performance of a particular function. (See “Social media monitoring services for a global bank.”)

If companies have done their analyses properly of where the risks are, what the indicators are and what the risk tolerance level is, then that should provide them with strong guidance as to whether to mitigate the risk or transfer it.

III. SYSTEMS

Are you capable of monitoring social media networks in real time to identify what is being said about your company and what issues arise from that chatter from the standpoint of regulatory, business and brand risks? Such monitoring is now largely dependent on advanced technology. Improving the effectiveness of IT systems in the context of social media risk management is primarily about improving the management and analysis of data and using new technologies to monitor social media sites as a means of mitigating risks. Vast amounts of data are now on social media platforms and so companies need and want to manage that data effectively. Several capabilities are important here.

SOCIAL MEDIA DATA MINING AND CAPTURE

A number of tools are now available that enable companies to mine data across social media platforms and look for particular kinds of information. Web crawlers, referred to earlier, can extract user data from social networks. Data mining and analytics can turn the apparent randomness and chaos of millions of posts and tweets into information to guide marketers and business strategists.

Data mining of social media can improve business intelligence to provide better services and develop innovative opportunities. For example, data mining can help identify who the influential people are in the social media world, detect groupings of people, sense user sentiments, protect security and user privacy, and help build trust between companies and customers.24

TEXT ANALYTIC ENGINES

While crawlers and other tools gather the information or mine it, text analytic engines find meaningful patterns in the data to deliver insights. These engines can also segment information to support better decision making—decisions based on hard data, especially unstructured or “Big” data.

DATA SECURITY AND STORAGE

Social media regulations and technologies present new challenges for storing data—challenges related to architectures and security. These challenges are complicated by the fact that social media is generally based on third-party cloud applications—meaning that a company cannot itself control the security of those applications.

REPORTING AND DASHBOARDS

When data has been mined, analyzed, organized and stored effectively, this enables companies to do reporting in a more effective and timely manner. More comprehensive reporting can bring together multiple performance dimensions into a dashboard, helping management look across factors and see where vulnerabilities and risks are, then make better decisions.

SOCIAL MEDIA MONITORING SERVICES FOR A GLOBAL BANK

This major financial institution had in place a sophisticated monitoring capability for traditional media such as newspaper coverage. However, it needed the ability to adapt its risk management approach in light of its move into social media.

The bank was challenged by not having sufficient skills in-house to move to social media monitoring as quickly as needed.

Accenture now runs social media monitoring for the bank as a managed service. It is based on a global operating model designed to deliver more than a dozen services in four languages for the company’s major markets around the world as well as for various local and corporate business functions.

PART 3: ENABLERS OF EFFECTIVE SOCIAL MEDIA
RISK MANAGEMENT

A NUMBER OF CAPABILITIES UNDERPIN THE GOVERNANCE, PROCESSES AND SYSTEMS OF EFFECTIVE SOCIAL MEDIA RISK MANAGEMENT. THESE INCLUDE A FOCUS ON LEADERSHIP AND CULTURE CHANGE; A SOCIAL MEDIA RISK COMPLIANCE PROGRAM; AND PERFORMANCE MANAGEMENT CAPABILITIES TO ASSESS EFFECTIVENESS AND PROGRESS TOWARD IMPROVEMENT.

RISK-AWARE CULTURE

One of the critical points to remember about risk management is that, in spite of the importance of governance, processes and technologies, much of risk management is still dependent on people, and therefore people’s behaviors must be managed. In the words of a banking social media executive, “Mitigating social media risks is not all about the technology. You can put in as many firewalls as you like, but people still need to be knowledgeable about risks and understand their role in mitigating them.”

Consequently, one of the key factors that distinguishes the best social media risk managers from their peers is their commitment to creating and infusing a risk-aware culture—an awareness of how the company is being exposed to social media risks and what each individual must do to help manage those risks. It is also important to conduct more detailed tacit knowledge and training across the corporate culture.

In every industry, people and skills are critical components in achieving risk mastery. One Chief Risk Officer that Accenture spoke to as part of another research initiative placed the challenge of the people dimension on the same level as increased regulatory risk and the challenge of organizational integration. The company has lost a number of critical risk management personnel, and the executive faces the challenge of replacing the knowledge held by those people. In a market where demand for risk management skills remains high, it is important that companies build these capabilities in a broader population and have up-to-date plans to fill key positions promptly when they are vacated.25 Alternatively, as discussed earlier, a managed services approach can be a way to obtain leading-edge skills and capabilities over the long term.

Effective managers of social media risks emphasize the importance of making risk management part of everyone’s daily responsibilities. In a company with a risk-aware culture, people at all levels instinctively look for risks and their impacts when using social media.

Making this happen requires that employees:

• Know the rules and guidelines;
• Adhere to those rules and guidelines; and
• Be held accountable for their performance.

Driving a more risk-aware culture also requires proper objective setting, clear roles and responsibilities, proper training and communication and, most important, a unified message from top management demonstrating its importance.

More specifically, proper awareness and management of risk exposure comes from a properly integrated operating model that links the legal function (for regulation interpretation and guidance), compliance (for program design and implementation), operational risk (for proper control and governance), business heads (for implementation and accountability), internal/external audit (as a third line of defense and testing), and technology (for automation and preventive controls that reduce human error). Managing all these moving parts effectively does not happen overnight or as a one-time exercise, but rather operates in a cycle of continuous improvement.

Leadership and sponsorship are equally important to creating a culture attuned to social media risks. A story told by one of our interviewees is a reminder that it is important to bear in mind generational differences that will persist—at least for a time—when it comes to social media and leadership. A US bank’s head of privacy and information management spoke of the work he did to understand this gap and to bridge it in a way that created change sponsors among the executive team. He says, “We had a long look at social media from a culture perspective. I facilitated a conversation with our senior management group. Interestingly, no one in the room actually had a Facebook® or Twitter® account. When asked their opinion about approving the use of social media, half said yes and half said no. Technology and HR were in the yes column because they used social media to connect with partners and to recruit, respectively. But the others didn’t see the need.”

The executive then met with the bank’s youth affinity group, a team of high-potential younger professionals. Not surprisingly, 100 percent of them had Facebook® and Twitter® accounts, as well as a presence on other social media platforms. So, part of building strong leadership and sponsorship when it comes to social media, concluded the executive, is understanding not only your current customer demographics, but also what those demographics will be in 10 years.

COMPLIANCE

The complex regulatory landscape regarding social media was discussed earlier, and the accompanying table (page 19) summarizes recent regulatory rulings regarding social media in the US and UK. Many companies find it challenging to manage and comply with multiple regulatory agencies, differing interpretations of regulations, and varying degrees of guidance on regulatory compliance.

On the other hand, as one of our executive interviewees noted, another way to look at social media compliance is that it is simply an extension of things banks are already doing. According to this CISO, “We’ve done a deep dive into the regulatory guidance for social media. The good news is that the implied guidance is: go back to what the bank does normally in handling complaints, suspicious activity and inquiries from customers at large. Make sure that you comply with extant requirements; file regulatory claims and suspicious activity reports; make sure that you get the Consumer Financial Protection Bureau involved; and make sure that your complaint process is well vetted and well thought through.”

In other words, an effective social media risk compliance program should not differ significantly from other compliance risk management programs. A compliance risk framework should include:

• Proper governance and oversight
• Policies and procedures
• Risk assessments
• Risk monitoring
• Testing
• Metrics and reporting

The compliance risk framework is designed to serve as a “safety net” to identify and capture emerging risks that could negatively impact a company’s financials, reputation and systems.

One thing important to understand is what’s different in the social media arena than in other areas of compliance. According to the global head of privacy and information management for a major US bank, in the US a recent change from the Consumer Financial Protection Bureau (CFPB) is that financial institutions are now required to track complaints that occur on social media—even if the complaint has not been lodged officially to the regulator or to the financial institution itself. Web crawler technologies, discussed earlier, can help by looking for key words and phrases for further analysis and reporting, but complaint tracking is a huge task and responsibility that is, in his words, “taking us all by storm.”

PERFORMANCE MANAGEMENT AND MEASUREMENT

Integrated risk performance management is essential if leadership at all levels is to have an end-to-end view of social media risks, their impacts, and their ability to be mitigated or controlled.

A framework for effective performance measurement in a social media risk management context includes:

• Identifying risks (emerging/emerged/realized) through data mining, trend analysis, systems and security.
• Reporting on risks (visibility, accountability, awareness).
• Managing risks (policies, procedures, preventive and detective controls, transfer or sharing of risk).
• Measuring performance of risk mitigation (benchmarks, key risk indicators and key performance indicators).
• Identifying opportunities to improve control effectiveness, reduce exposure and automate processes.

Some fear that a performance management and measurement capability could stifle innovation, something critically important to delivering a successful social media strategy; however, in fact, a proper performance management framework can actually enable people and the entire organization to pursue new approaches with proper protections in place.

With effective measurement and control capabilities, risk management procedures and a risk-aware culture, companies should be positioned to exploit future opportunities to leverage social media as a customer channel.

PART 4: CONCLUSION

INSTITUTIONS LOOKING TO ADVANCE THEIR SOCIAL MEDIA RISK MANAGEMENT CAPABILITIES RAPIDLY CAN FOCUS ON SEVERAL KEY INFLUENCE POINTS:

1. Assess vulnerabilities arising from social media use beyond just reputational risk. Consider how social media activity can expose the organization in terms of business, regulatory, legal and market risks.

2. Expand existing risk governance structures and activities to include social media activity. Define risk tolerance levels and acceptable-use policies and have in place effective means for issue escalation and crisis management where necessary. A decentralized governance model can lead to inconsistency in how social media policy is interpreted and implemented, so institutions should ensure governance structures cross organizational lines, making every part of the organization aware of what others are doing. Set a single point of accountability in the governance structure that crosses lines of business.

3. Establish advanced social media monitoring tools and technologies. These enable the risk organization to (a) collect data from various social media sources; (b) analyze unstructured data (such as information about customer sentiment) to enhance monitoring; (c) provide insights into the company’s overall risk situation; and (d) measure social media risk exposure according to the institution’s risk appetite.

4. Enhance existing performance management capabilities to analyze and act on the metrics delivered from monitoring activities. These metrics are defined based on different models that consider, for example, the use of crisis-scenario analysis and/or the decomposition of risk factors that may affect a company’s overall risk picture. The focus of risk measurement should be on defining how well controls are performing and where control improvement opportunities may exist.

5. Engage in enterprise-wide change management activities to create a more risk-aware culture. In our view, the most important (and most difficult) aspect of social media control centers on cultural awareness and change. Setting proper expectations and engaging in culturally aware implementation can have a great impact on social media risk control. Establish influential leaders in sponsorship positions to drive awareness and acceptance of the organization’s overall monitoring of social media use. Conduct training initiatives that use action learning principles, guiding employees at all levels toward behaviors that are more likely to decrease overall risk.

As one of our executive interviewees noted, social media can offer considerable advantages to financial institutions and most other types of companies. As the executive said, “My advice is to be bold.” Establish a presence on the most-used social platforms and “think about creating some cool things.”

The other advice: learn to listen. “Listening is absolutely critical for any company that wants to take social media seriously—listening to what people say to them and what they say about them. It’s very important to have the ability to analyze who is saying what, and then to be able to dig deep into it, establishing trusted relationships and improving the business at the same time.”

Yet, inherent in the use of social media are serious risks—reputational, business, strategic, regulatory and more. To mitigate these risks and to get more value from a social media strategy, companies need to institute governance structures, processes and technologies unique to meeting social media challenges.

A SUMMARY OF SOCIAL MEDIA REGULATIONS IN THE
US AND UK FOR FINANCIAL SERVICES COMPANIES

 Areas (by agency)               Objectives                                               Impacts
GOVERNANCE
Federal Financial Institutions   • Policies and guidelines for advertisement content,     • Enhanced control and monitoring of third parties
Examination Council (FFIEC)        selection of third parties, staff training and clear   • Changes to risk management framework
                                   preview of roles and responsibilities
                                                                                          • Enhanced data monitoring capabilities
                                 • Policies and procedures for data monitoring

Financial Industry Regulatory    • Firms must adopt policies to ensure that               • Enhanced HR policies for internal staff and training
Authority (FINRA)                  persons participating in social media sites are          for third-party staff
                                   appropriately supervised, have the necessary
                                   training and background to engage in such
                                   activities and do not pose a risk

Securities and Exchange          • Restrictions and prohibitions regarding the use of     • Changes to existing content monitoring and approval
Commission (SEC)                   social media sites by investment advisers based on       process
                                   the firm’s analysis                                    • Changes to sales and marketing guidelines for
                                 • Check appropriateness of pre-approval                    investment advisers
                                   requirements—either after-the-fact review or
                                   before publication

Financial Conduct Authority      • Social media includes any real time financial          • Changes to sales and marketing guidelines on usage
(FCA)                              promotions like interactive dialog or telephone          for social media channels
                                   conversation
                                 • Social media includes any non-real time financial
                                   promotions like email

DISCLOSURE
Federal Financial Institutions   • Disclosure of privacy policy                           • Control in content approval for external
Examination Council (FFIEC)      • Regulations for unsolicited commercial messages          communication and external reporting
                                   (spam) and unsolicited communications by               • Changes to sales and marketing channels as well
                                   telephone or SMS                                         as third-party guidelines for sales

Securities and Exchange          • Publish corporate website address and disclosures      • Changes to public relations, corporate
Commission (SEC)                   on external reports                                      communications and external reporting guidelines
                                 • Disclosures on corporate websites identifying the      • Robust approval process of content on social
                                   specific social media channels for company usage         media sites

PRODUCTS
Federal Financial Institutions   • Requirements to control misleading, inaccurate or      • Enhanced control over approval and publication
Examination Council (FFIEC)        misrepresentation of information                         of sales, advertisement and product content
                                 • Requirements for control of advertisement content      • Changes to document retention policy

SALES, MARKETING AND DISTRIBUTION
Federal Financial Institutions   • Obligation on operators of commercial websites         • Process level changes for sales, marketing,
Examination Council (FFIEC)        content and disclosure of personal information           underwriting and legal
                                   collected from children                                • Control of content approval
                                 • Collection of medical and loan information
