Audit and Assurance

Are organisations effectively managing social media risks?

Neal Taylor Neal Taylor

In less than 15 years, social networks such as Facebook, Twitter, LinkedIn and Instagram have significantly changed the way we do business, with increasing numbers of organisations now developing and investing in their social media presence.

While social network sites were originally designed for connecting people, they are now used by businesses as strategic marketing and customer engagement tools. Businesses use social media platforms for everything from increasing brand awareness and managing customer service to recruiting staff and increasing sales.

The benefits of a social media presence for businesses are clear, however, organisations need to be aware that the use of social media may bring an increased risk to their brand and reputation. In particular, the unauthorised disclosure of confidential information may jeopardise an organisation’s compliance with its legal obligations. Mistakes made on social media are highly visible and can spread quickly. For this reason, some organisations are now choosing not to engage in the use of social media, however, this approach raises a different set of problems with organisations running the risk of being left behind and losing a competitive advantage.

Given the potential risks, organisations need to formally identify, mitigate and monitor the risks posed to them through their use of social media and should ensure that they have established appropriate frameworks and guidelines over both business use of social media and employees’ personal use of social media. As part of this, Boards and Audit Committees should consider the role that internal audit or other third parties can play in providing coverage in this area through independent consultancy or assurance assignments, which are tailored according to the organisation’s social media ‘maturity’.

As a starting point, there are a number of key elements that should be considered by organisations in order to mitigate the risks involved with their social media presence. Organisations need to ensure that a fit-for-purpose social media strategy is in place, which establishes clear objectives for their use of social media and this should be clearly aligned with their corporate objectives. This strategy should be underpinned by appropriate policies and procedures which are communicated to all relevant staff and Board members. Roles and responsibilities should also be clearly defined and documented with appropriate social media training provided at all levels of the organisation.  Such training will help to ensure that everyone can effectively contribute to the achievement of the stated objectives and is aware of the risks associated with social media. Organisations should also ensure that social media risks are identified and recorded on risk registers and that updated reports on social media activity are periodically reported to senior management and the Board for monitoring purposes. Other areas for consideration include: return on social media investment; third party risks associated with outsourcing social media activity; and GDPR compliance.

For the most part, the impact of social media on business has been positive, however, now more than ever, organisations must ensure that they have the appropriate structures and controls in place to help them avoid the potential pitfalls of the social media minefield