PRSA presentation auditing social media presented by Pete Scott, APR @prscott
Overview
• The Disconnect
• How I Got Here
• The Major Risks
• A Governance Structure
• The Social Media Audit
• Three Cases
• Questions
What They Say
• How good the company is in leveraging the various social media tools?
• How good the company is in engaging with the target audience?
• How good the company is in amplifying its messages?
• How good the company is in targeting customers?
• How good the company is in building positive influence among customers?
What They Say
Social media oversight is lagging in firms
The evaluation and monitoring of risk needs to be a key component of any organization’s social media strategy
Organizations do not have an adequate social media governance program in place
For all its advantages, social media also brings inherent risks, including threats to confidential information, intellectual property, and reputation as well as the potential for regulatory infractions
Governance for social media compliance remains fragmented
Trained over 5,000 internal auditors globally
Most of the Fortune 500
All of the Big Four and major professional services firms
What Went Wrong?
• United Airlines - baggage handling - YouTube
• Nestle - product sourcing - Facebook
• Francesca Holdings - financial communications - Twitter
• Dell - customer service - Blog
• Chrysler - third party agency - Twitter
• Taco Bell and Domino’s Pizza - employee training - Facebook & YouTube
What Went Wrong?
• Kenneth Cole - employee training - Twitter
• Hooters - employee policies
• ADT - disclosure - Twitter and Facebook
• Delta Airlines - Twitter
Proactively Solved Issue:
• Best Buy - employee compensation - Twitter
Major Risk Areas
• Brand & Reputation Risk
• Strategic Risks
• Technology and Data Leakage Risks
• Third Party Risks
• Legal Risks
• Governance Risks
Brand & Reputation Risk: Identifying Risk
• Accelerated Corporate Reputation Loss
  • CASE: TripAdvisor Ratings
• Financial Loss from Inaccurate Social Media Posts
• Ineffective Crisis Management
  • CASE: Discovery Communications
• Accelerated Consumer/Employee Dissatisfaction
  • CASE: Dell Hell
Brand & Reputation Risk: Mitigating Risk
• Social Media Strategy, Plans and Metrics aligned with Business Objectives
• Social Media Policies
• Employee Training
• Social Media Monitoring
• Social Media Triage
• Incident Escalation Policies and Procedures
Brand & Reputation Risk: Mitigating Risk
• Account Inventory
  • Person(s) Accountable
  • Activity Level
  • Content Ownership
  • Account Ownership & Identification
  • CASE: Dell, Delta and TD Bank
• Content Taxonomy
• Oversight
  • On Message?
  • Achieving Objectives?
Strategic Risk: Identifying Risk
• Lack of Enterprise Strategy
• Failure to fully leverage Social Media Opportunities to full potential
• Inability to determine return on investment of social media
  • CASE: NAVC
• Speed of Service Inadequate for consumers and employees
  • CASE: Delta Airlines
• Lack of resource commitment to social media impacting consumers
Strategic Risk: Mitigating Risk
• Social Media Strategy
• Tracking and KPIs
• Professional Development
• Business Case for Social Media
Technology & Data Leakage: Identifying Risk
• Data Leakage
  • CASE: DM from CEO
  • CASE: TheOldCFO
• Increase in Cyber Threats
• Lack of Auditability
Technology & Data Leakage: Mitigating Risk
• Social Media Policies
• Employee Training
• Social Media Monitoring
• Data Archiving
• IT Security
Third Party Risks: Identifying Risk
• Lack of Control over Agency Relationships
• Lack of Functionality Control on Third Party Sites
  • POTENTIAL CASE: Facebook
• Lack of Business Continuity on Third Party Sites
  • POTENTIAL CASE: Twitter
• Lack of Content Control on Third Party Sites
  • CASE: Novartis
• Lack of Control over Hijacked Accounts for Fake Sites
  • CASE: Farmer’s Insurance
• Lack of Control over Departing Employees
Third Party Risks: Mitigating Risk
• Set expectations on employee training and oversight in agency agreements
• Conduct periodic audits of the agency
• Set goals, expectations, metrics, policies and accountabilities
• Establish social media monitoring program, even if using an agency for monitoring
  • CASE: Major Software Company
• Establish escalation and triage policies
• Establish policies and testing plan for removing access to social media accounts
Legal Risks: Identifying Risk
• Expansive Federal and State Legal and Regulatory Concerns
• Inadequate Contracts
• Online Bullying / Harassment / Personal Reputation
• Negligent Hiring & Retention Liability
Governance Risks: Identifying Risk
• Lack of Enterprise Governance
• Lack of Compliance
• Inadequate Policies
• Inadequate Training
U.S. Guidelines
• FTC - Social Media Disclosures
• NLRB - Social Media Policies
• HIPAA - Healthcare Disclosure
• FFIEC - Banks and Financial Institutions
• SEC/FINRA - Financial Advisors
• FDA - Pharmaceutical
U.S. Guidelines
• TTB - Alcohol
• State Guidelines - Insurance Companies
  • CASE: Farmer’s Insurance
• ASRC - (NAD) Self Regulation in Advertising
• Others - Compensation, Harassment, Employment
FTC Guidelines
State of Sponsored Social Report Izea.com (December 2013)
http://www.olshanlaw.com/resources-events-Webinar-Digital-Social-Media-Promotions.html
Team Effort
• Managing social risk is often found in numerous business units
• Communications
• Marketing
• Customer Service
• Product Development
• IT
• Human Resources
• Legal
• Internal Audit
Governance Architecture
• The governance architecture should detail:
  • Social Media Objectives - strategy, objectives and goals
  • Departmental responsibilities
  • Individual accountabilities
  • Brand guidelines
  • Approval processes and procedures
  • Training
Why You?
• Though the risk might not happen in your area, it will probably become your issue
• Why are we doing this?
• How did this happen? What did you do?
• Chances are, you manage or have influence over:
• The voice, brand, reputation, activities, strategies, plans and monitoring
• An opportunity to demonstrate value at the highest levels
Objectives of an Audit
Identification of Risks
• Identify all potential risks
• Assess likelihood and significance
• Set priorities
Controls to Mitigate Risks
• Verifying documents, policies, procedures and activities
Testing
• Is the procedure followed?
• Could the procedure be improved?
• Could work practices be improved?
• Is risk mitigated?
• Are opportunities leveraged?
Risk Assessment
Significance
Risk Rating    Description
Manageable     Small impact, able to recover with minor effort
Major          Medium to serious impact, able to recover with serious effort
Critical       Very serious impact, very difficult recovery
Likelihood
Risk Rating    Description
Remote         Small impact, able to recover with minor effort
Possible       Possible and could occur during the period
Likely         Expected to occur
Risk Assessment
Significance \ Likelihood    Remote    Possible    Likely
Critical                     Medium    High        Critical
Major                        Low       Medium      High
Manageable                   Low       Low         Medium
Controls
• Existing Controls
• Plans
• Policies
• Processes
• Activities
• Control Objectives
• Gaps in Controls
Three Cases
• Francesca Holdings - Inappropriate Tweets by CFO
• Hooters - Social Media Policy
• Best Buy
Francesca Holdings
The Issue: Inappropriate Tweets by Gene Morphis, CFO - Francesca Holdings
March 6, 2012 he tweeted:
"Dinner w/Board tonite. Used to be fun. Now one must be on guard every second."
March 7, 2012 he tweeted:
"Board meeting. Good numbers=Happy Board."
Stock increased 15%
Francesca Holdings
The Result - On May 14, 2012
CFO Fired
Stock temporarily dropped by more than 20%
Audit
• Risk was Identified: Employees' Use of Social Media, especially as a public company
• Risk was Assessed: Likelihood and Severity Assessed
• Controls Established: Employee Policies Were in Place
• Controls Tested: There was inadequate training on use of policy and there was a lack of monitoring of key employees
• Work Plan: Reassess Policy and Training Plan, Update Monitoring Plan
Alexis Hanson
Result: A New York National Labor Relations Board judge ruled that a Hooters franchise cannot force its employees to act in a respectful manner toward customers, nor could managers punish employees for insubordination.
The Issue: A Tirade Over A Rigged Bikini Contest
Courtesy
Courtesy: Courtesy is the responsibility of every employee. Everyone is expected to be courteous, polite and friendly to our customers, vendors and suppliers, as well as to their fellow employees. No one should be disrespectful or use profanity or any other language which injures the image or reputation of the Dealership.
Audit
• Risk was Identified: Employees Disrespect and Use via Social Media
• Risk was Assessed: Likelihood and Severity Assessed
• Controls Established: Employee Policies Were in Place
• Controls Tested: The Policy Was Not Updated in Light of Updated NLRB Guidelines
• Work Plan: Update the Policy and Communicate and Train All Staff
Best Buy
Result: Best Buy developed a plan to compensate associates for Twelpforce, so they can answer questions on Twitter from customers
The Issue: Compensating Employees for Social Media Engagement
Audit
• Risk was Identified: Employees Needed to be Compensated for Work
• Risk was Assessed: Likelihood and Severity Assessed
• Controls Established: A Compensation Program was Developed
• Controls Tested: Were Employees Compensated? Review of Payroll Records was Conducted
• Work Plan: Periodic Review of Compensation Records as well as Tweets to Mitigate Employee Fraud