Auditing Social Media

The Practicalities SOPAC2103 Session 1B by Walter.Adamson@KinshipDigital.com

m: +61 403 345 632 Twitter: @adamson 4 March 2013, Brisbane, Australia

Contents
1. Having a Social Media Strategy is Key

2. Governance
3. Auditing Practicalities

Presentation at: www.slideshare.net/kinshipdigital/

About me

Hypothetical

Risk
NOT just PR / brand reputation BUT also implications for logistics, retail stores, customer experience, purchasing, supplier relations, purchasing, government relations, regulators e.g. ACCC

DO YOU have cross-functional social media risk management plans?

Objectives

1. To convey the importance of an effective social media Strategy 2. To outline the components of social media Governance 3. To address some auditing practicalities

Key aspects of social media in business

Strategy
formulating policy and strategy through researching your brand, customers, partners and competitors

Intelligence
Communities Governance

monitoring, collecting and analyzing social data to make informed, agile business and policy decisions building owned social platforms for listening, support, building, collaborating, content

social business metrics, ROI, policy and guidelines, processes, risk management, compliance

About you? Personal audience poll - show of hands

On which networks are you active?

Having a Social Media STRATEGY is Key

This is the first question for auditors

Social Media Policy is not Strategy

NOT Strategy
NOT Governance
But is important, and specifically, it should: Educate employees, then empower them; Help employees understand and own the risks; Hold employees accountable; Address organization social media account ownership and handoffs when spokespeople leave.

Good news! There IS a methodology

1.Assess

8.Monitor

2.Strategise

7.Engage

Social Business Framework

3.Create

6.Share

4.Protect
5.Participate

Key is to integrate social with business

1. Social strategy which aligns with business strategy 2. Social business risk which is part of business risk management and compliance programs
Regulators ? Advertising Standards Bureau, ACCC, Australian Association of National Advertisers (AANA), ASIC, APRA, etc.

Cross-functional
A social risk management program needs cross-functional input: Compliance Technology Information Security Legal HR PR & Comms Digital Marketing Social Media!

12

Governance
Social Media Strategy Regular Reporting of ROI Mandatory Monitoring of Social Channels Social Media Policy Plans, Action, Compliance Management of 3rd Party Vendors Employee Training Compliance Protocols

Governance - Heads-Up Be prepared !

Social Media Strategy Required
A strategic plan with actions and operational descriptions. Clear roles and responsibilities whereby the board of directors and/or senior management spell out how use of social media contributes to the strategic goals of the institution, while also spelling out what kind of controls will be put in place. How ongoing social media risks will be monitored and assessed.

Regular Reporting of ROI

Regular reports to the board of directors and/or senior management, which enable a periodic evaluation of the effectiveness of the social media program and whether the program is achieving its stated objectives.

14

Governance - Heads-Up Be prepared 2

Mandatory Monitoring of Social Channels
An oversight process for monitoring information posted to social media sites (administered by the institution or a contracted third party).

Social Media Policies & Procedures & Compliance

Policies regarding the use and monitoring of social media, and compliance with all applicable consumer protection laws. Social media policies should incorporate procedures addressing risks from online postings, edits and replies.

15

Governance - Heads-Up Be prepared 3

Manage 3rd-Party Vendors Ensure Customers Are Protected
Customer privacy and security of their personal data are a top concern. Institutions working with third-party social media vendors will be required to manage those relationships within defined parameters to ensure compliance with all regulations

You Have to Tell Employees Whats Okay and Whats Not

An employee training program that incorporates the organisationss policies and procedures for official, work-related use of social media, and potentially for other uses of social media, including defining impermissible activities.

Compliance Protocols
Audit and compliance functions to ensure ongoing compliance with internal policies and all applicable laws, regulations, and guidance.

16

Relevant laws (US) Financial Institutions

Truth in Savings Act/Regulation DD and Part 707 Fair Lending Laws: Equal Credit Opportunity Act/Regulation B and Fair Housing Act Truth in Lending Act/Regulation Z Real Estate Settlement Procedures Act Fair Debt Collection Practices Act Unfair, Deceptive, or Abusive Acts or Practices Deposit Insurance or Share Insurance. Electronic Fund Transfer Act/Regulation E Rules Applicable to Check Transactions Bank Secrecy Act/Anti-Money Laundering Programs (BSA/AML) Community Reinvestment Act Privacy Gramm-Leach-Bliley Act Privacy Rules and Data Security Guidelines. CAN-SPAM Act and Telephone Consumer Protection Act Childrens Online Privacy Protection Act Fair Credit Reporting Act

17

Audit questions
Are there methodologies, techniques and tools in place covering: Social Media Strategy Regular Reporting of ROI Mandatory Monitoring of Social Channels Social Media Policy Plans, Action, Compliance Management of 3rd Party Vendors Employee Training Compliance Protocols

18

Auditing Practicalities

6 Step Audit Approach

1. 2. 3. 4. 5. 6. Strategy Assessment overall goals, plans, actions, reporting? Presence Assessment where are you the social web? Listening Assessment what data and how managed? Organisation & Internal Culture Assessment Process Assessment workflow, timeliness, escalation? Governance Assessment Policy Roles Risk Assessment Compliance

Practicalities
Examine risks by business use case

Recruitment & Retention Investor relations Public relations Marketing / branding

Lead generation
Customer service & complaints Innovation & product development Employee relations Business partner relations

Operational Risk
1. Social media is one of several platforms vulnerable to account takeover and the distribution of malware.
2. Organisations must ensure that the controls they implements to protect their systems and safeguard customer information from malicious software adequately address social media usage.

3. Financial institutions incident response protocol regarding a security event, such as a data breach or account takeover, should include social media.

22

Hijacked

Burger Kings official Twitter handle suffered a cyber attack on Monday [Feb 18, 2013]. Hackers switched the branding to that of rival McDonald's and claimed the restaurant chain just got sold ... because the whopper flopped.
The hackers sent more than 25 tweets and re-tweets on the handle, several poking fun at Burger King, insinuating unethical behaviour about its employees and using intentionally offensive language and racial slurs.
http://www.foxbusiness.com/technology/2013/02/18/burger-king-twitter-account-hacked-rebranded-to-mcdonald/

23

No opt-out !

An institution that has chosen not to use social media must still be prepared to address the potential for negative comments or complaints that may arise within social media platforms and provide guidance for employee use of social media.

24

Resources

Awareness
Mark Pearson @journlaw

Social media best practice: New guidelines released Australian Association of National Advertisers (AANA) see
http://www.leadingcompany.com.au/technology/social-media-bestpractice-new-guidelines-released/201211283150

New US Financial Institution Regulation http://www.ffiec.gov/press/pr012213.htm

About KINSHIP Digital

KINSHIP Digital is a social consultancy that specialises in understanding, developing and protecting its clients reputation, brands, businesses and people in Social Media. Follow us @KinshipD www.kinshipdigital.com

27

Join the Social Governance Community

Easiest way - SEARCH

28

Walter Adamson
Speaker Notes
Walter Adamson is a social media business specialist. He is General Manager Victoria of Kinship Digital which helps clients attract & retain employees & customers by leveraging social media tools. This includes reputation monitoring, governance and risk management. Walter has an extensive background in enterprise and as an independent consultant focused on IT strategy and advising owners and managers of IT businesses. He was also the Independent Advisor to the ICT Strategy Board of the Government of Victoria for 4 years. He has held executive roles as CIO, VP International Business Development, and Corporate VP IT Strategy, and also worked in Corporate Planning at BHP. Walter established the Internal IT Audit function at BHP and led it for 3 years, and was one of the first Certified Information Systems Auditors in Australia. He is also a Certified Social Media Strategist and holds a M.Sc. in Computing Science.

walter.adamson@kinshipdigital.com Connect on Linkedin http://linkedin.com/in/adamson Follow me on Twitter @adamson m: +61 403 345 632
29