Saturday, March 9, 2013

Quick and Dirty (and Effective) Social Media Training Tool

ATTENTION BANKS USING SOCIAL MEDIA!  The day you have been fearing is here!

With the recent release of draft guidance by the FFIEC regarding social media use, social media is now front and center.

Conversations with auditors and examiners are revealing an interesting audit and regulatory expectation - mandatory social media training for all employees and directors.

As social media matures and more and more senior managers and directors feel comfortable with the use of social media, auditors and regulators have begun to look more closely at social media use by organizations.  Unfortunately, in many cases internal auditors and examiners still lack an understanding of exactly what social media is and how it works.  This ALWAYS spells trouble for bankers.

As we move forward as an industry in terms of social media adoption, financial institutions must focus on three primary areas:

  1. Social Media Risk Assessment
  2. Social Media Policy
  3. Social Media Training

Social Media Risk Assessment

I have previously covered and provided social media risk assessment tools.  See my post "Social Media Risk Assessment Process - Part 5."  This is one of the most visited posts - with good reason, auditors and regulators expect institutions to conduct a risk assessment before deploying social media.

Social Media Policy

I have also previously covered and provided a sample social media policy.  See my post "Sample Social Media Policy for Banks."  This is another one of my most visited posts.  Even institutions that do not use social media are being required in some cases to have a policy confirming that fact!

Social Media Training

The final piece of the trifecta is Social Media Training.  Due to the widespread use of social media within society, auditors and regulators are now treating social media like they do areas such as information security and the Bank Secrecy Act.  Increasingly auditors and regulators want to see social media training for all new employees.  The thinking is that social media can do some real damage if employees are not aware of the risks.  As such, just like information security and money laundering, social media is equally risky.  In addition to new employee training, there is an increasing expectation of annual training and director training.  All this is new and sudden and many organizations have not been prepared.

In an effort to assist the banking industry, Pan American Bank made available on its YouTube channel a 30 minute social media training video.  Pan American Bank does not guarantee that the video will meet auditor or regulator requirements but it is a good starting point for those that need to quickly ramp up their employee and director training relative to social media use.

Check out the video and make use of it for training if it meets your needs.  And good luck with your upcoming audits and examinations!

Sunday, August 19, 2012

Sample Social Media Policy for Banks

A frequent request is a sample Bank Social Media Policy.  Well here it is.  This sample policy is bare bones and is intended to be customized for each institution's specific social media strategy.

Enjoy.


BANK SOCIAL MEDIA POLICY

Bank recognizes the importance of the Internet in the day-to-day operations of the Bank.  From marketing to reputation management to recruitment of new employees, the Internet plays a major role in the Bank’s overall strategy.  And now, the Internet is generally synonymous with social media and its popular social networks such as Facebook and LinkedIn.  Use of Facebook, LinkedIn, blogging, wikis and other online social media vehicles is commonplace.

This policy is intended to assist employees in making appropriate decisions about work-related blogging and social media interaction.  This policy must be used in conjunction with other tools provided to employees, including the Acceptable Use Policy, Employee Guide to Information Security, Human Resources Guide to Social Media Risks, and related training.

The lines between work and personal life can become blurred. In general, what you do on your own time is a personal decision. However, activities in or outside of work that affect your job performance, the performance of others, or Bank business interests are a proper focus for Bank policy.

WHAT THE BANK EXPECTS TO GAIN FROM SOCIAL MEDIA

As a community bank, Bank recognizes the importance of our employees joining in and helping to shape conversations regarding the Bank and the communities we serve.  Bank is committed to supporting employees' desire to interact knowledgeably and socially on the Internet through social media.

Contributing to the online conversations about banking or our communities means being present where and when they are taking place. As technology tools enable an easy exchange with community members, governmental representatives, clients, and the public, we encourage employees to share the insights and expertise gained through work at Bank. This can be done without first asking permission provided this guidance is read and followed.

“TARGET” OF THE BANK’S SOCIAL MEDIA EFFORTS

The Bank’s social media efforts are targeted at several stakeholders:

1.    Existing Customers:  To provide existing customers with information and conversation/engagement opportunities relative to ongoing activities at the Bank and in the community.  Ultimately, the goal is to convert a “customer” into an “evangelist” for the Bank.

2.    New Customers:  To create sufficient awareness in the local marketplace that results in new customer originations – deposit, lending, and other services.  The marketplace is full of competitors with similar “commodity” products and services.  Social media allows the Bank to “humanize” itself and set itself apart from the competition.

3.    Media:  Social media provides the Bank with a platform to communicate with the media regarding its ongoing activities and rich history.  Through social media the Bank can embed video and other media that can assist the media when developing content.  For example, a bank video can be reposted and potentially result in viral distribution.

4.    Regulatory Agencies:  Social media provides a channel through which the Bank can highlight compliance with regulatory requirements.  For example, social media allows the Bank to easily demonstrate its compliance with the Community Reinvestment Act.  Further, social media provides a convenient mechanism through which to receive consumer complaints or positive feedback.

5.    Community At-Large:  Social media introduces Bank to the community at-large.  The content created on social media provides an information distribution channel through which interested parties can learn about Bank.

EMPLOYEE ACCOUNTABILITY

Being able to share your and the Bank’s activities without prior management approval means the Bank trusts you to understand that by doing so you are accepting a higher level of risk for greater rewards. Each Bank employee is personally responsible for the content he or she publishes on any form of social media. Be thoughtful about how you present yourself in online social networks.

You may have identified yourself as a Bank staff member or the Bank as your employer, either directly or as part of a user profile. If so, ensure your profile and related content is consistent with how you wish to present yourself to the Bank’s stakeholders, your business contacts, and your colleagues and peers.

Senior management have special responsibility with their Internet presence by virtue of their high profile position within the Bank, even if they do not explicitly identify themselves as being affiliated with the Bank.  Such senior-level staff should assume that their posts will be seen and read by Bank stakeholders and that those stakeholders will presumptively associate such posts with the Bank.

Trust is an essential ingredient in the constructive culture we are striving to achieve at the Bank. We can’t be there to guide every interaction, so we expect you to follow these guidelines and advice to help you better balance the risk vs. reward ratio.

SOCIAL MEDIA OVERSIGHT

The Social Media Manager is responsible for managing the Bank’s social media strategy.  The Social Media Manager, or an assignee, will provide training and monitor activity on an ongoing basis.  Inquiries regarding the Bank’s social media strategy must be forwarded to the Bank’s Social Media Manager.

The Social Media Manager is responsible for determining “community managers.”  Community managers are employees and third parties that are provided with authority to act as administrators on the Bank’s behalf.  The Social Media Manager must select individuals as community managers that possess the requisite technical skills as well as understand the risks associated with social media.  All community managers report directly to the Social Media Manager relative to matters related to social media – regardless of their role within the Bank.

GENERAL GUIDELINES

These guidelines will help you open up a respectful, knowledgeable interaction with people on the Internet. They also protect the privacy, confidentiality, and interests of the Bank and its customers.  Note that these policies and guidelines apply only to work-related sites and issues and are not meant to infringe upon your personal interaction or commentary online.  Regardless, all employees must determine the potential impact that “personal” interactions may have upon the Bank and its customers, vendors, and other stakeholders. Ultimately, employees are held accountable for ensuring that interaction is appropriate and consistent with this policy and other Bank guidance.


·         The goal is to ensure the Bank’s voice is part of the larger conversation relating to community banking and the communities the Bank serves.  Do not embark before understanding the conversation. First, explore the topic being discussed, read about it and contribute only when input adds or advances the discussion. Include an especially relevant link, since doing so further connects the Bank to the wider Web and can result in greater connectivity for the Bank.

·         Keep in mind that posts are visible by all with online access. It may be fine to share your work at the Bank as part of your participation in the online community, etc., but you DO NOT have permission to reveal any information that compromises Bank policy or public positions.  By that we mean don’t share anything that is proprietary and/or confidential to the Bank. For example, it is not okay to share any content that required a non-disclosure agreement or is part of a confidential management or Board discussion.  Other items that may not be disclosed include any customer and vendor information that is not publicly available. 

·         If you are developing a Web site or writing a blog or making any other social media comment that will mention Bank and/or our current and potential products, employees, partners, customers, and competitors, identify that you are an employee of Bank and that the views expressed on the blog or Web site are yours alone and do not represent the views of Bank.

·         Unless given permission by your manager, you are not authorized to speak on behalf of the Bank, nor to represent that you do so.

·         If you are developing a site or writing a blog or making any other social media comment that will mention our company and / or our current and potential products, employees, partners, customers, and competitors, as a courtesy to the company, please let your manager know that you are writing them.  Your manager may choose to visit from time to time to understand your point of view.

·         You may not share information that is confidential and proprietary about the Bank or its customers. This includes information about upcoming product releases, sales, finances, number of products sold, number of employees, Bank strategy, and any other information that has not been publicly released by the company.  These are given as examples only and do not cover the range of what the Bank considers confidential and proprietary. If you have any question about whether information has been released publicly or doubts of any kind, speak with your manager before releasing information that could potentially harm the Bank, or our current and potential products, employees, partners, and customers. Before embarking on any such endeavor employees should be familiar with the Bank’s other applicable policies, including the Acceptable Use Policy, Employee Guide to Information Security, etc. 

·         Bank logo and trademarks may not be used without explicit permission in writing from the Bank. This is to prevent the appearance that you speak for or represent the company officially.

·         Speak respectfully about the Bank and our current and potential employees, customers, partners, and competitors.  Do not engage in name calling or behavior that will reflect negatively on the Bank's reputation. Note that the use of copyrighted materials, unfounded or derogatory statements, or misrepresentation is not viewed favorably by the Bank and can result in disciplinary action up to and including employment termination.

·         The Bank encourages you to write knowledgeably, accurately, and using appropriate professionalism. Despite disclaimers, your Web interaction can result in members of the public forming opinions about the Bank and its employees, partners, and products.

·         Honor the privacy rights of our current employees by seeking their permission before writing about or displaying internal company happenings that might be considered to be a breach of their privacy and confidentiality.

·         You may not sell any product or service that would compete with any of the Bank's products or services without permission in writing from the Chief Administrative Officer.  This includes, but is not limited to training, books, products, and freelance writing. If in doubt, talk with your manager or the Chief Administrative Officer.

·         Recognize that you are legally liable for anything you write or present online. Employees can be disciplined by the Bank for commentary, content, or images that are defamatory, pornographic, proprietary, harassing, libelous, or that can create a hostile work environment. You can also be sued by Bank employees, competitors, and any individual or company that views your commentary, content, or images as defamatory, pornographic, proprietary, harassing, libelous or creating a hostile work environment.

·         Media contacts about the Bank and our current and potential products, employees, partners, customers, and competitors should be referred for coordination and guidance to the Chief Administrative Officer. This does not specifically include your opinions, writing, and interviews on topics aside from the Bank and our current and potential products, employees, partners, customers, and competitors.

·         Make sure that your online activities do not interfere with your job performance.

·         Respecting differences, appreciating the diversity of opinions and speaking or conducting yourself in a professional manner is expected at all times. If you aren’t completely confident about what you intend to share, you should seek management input before you post.


HOW WILL SOCIAL MEDIA BE IMPLEMENTED AT THE BANK

The Social Media Manager of the Bank is accountable for determining the Bank’s Social Media Strategy.  The Bank’s use of social media is largely to develop a “community” of Bank supporters and to raise awareness of the Bank’s brand.  This is largely done through interaction on mainstream social media platforms such as Facebook, LinkedIn, Blogger, and Twitter.  The specific platforms used may change from time to time as technology evolves and audiences shift. Regardless, the guidelines above remain in effect.  Questions regarding the Bank’s use of social media should be directed to the Social Media Manager.

TYPES OF BANK ACTIVITIES/POSTINGS

The primary purpose of the Bank’s social media activities is “community building.”  While the Bank will from time-to-time promote products and services, the primary focus is the creation of an online community where the Bank can share its history and mission and where stakeholders can maintain conversations with the Bank.  The Bank does not “censor” comments made by third parties and only removes comments if they are considered obscene, pornographic or similarly inappropriate.  As such, it is the Bank’s policy to remain transparent and not delete derogatory comments.  Instead, it is the Bank’s policy to attempt to understand the origin of any derogatory comment in an attempt to “correct” any error or misunderstanding caused by the Bank.  Management is responsible for monitoring content on an ongoing basis (generally daily).

The Social Media Manager is responsible for determining “community managers” given authority to post on behalf of the Bank.  The Social Media Manager is responsible for ensuring that such employees are “social media savvy” and understand social media risks.

TYPES OF SOCIAL MEDIA USED BY BANK

Currently the Bank utilizes Facebook, YouTube, Blogger, LinkedIn, and Twitter.  These platforms provide for varying types of interaction.  Some are more information based, such as LinkedIn.  Others are more collaborative, such as Facebook.  Currently the Social Media Manager is responsible for managing these accounts.

OTHER FORMS OF SOCIAL MEDIA

Regardless of any organization’s use of social media, Internet users can make comments that affect the Bank on locations outside of the Bank’s social media sites.  As such, the Bank utilizes Google Alerts and SocialMention.com to monitor (listen to) conversations in social media and on Web sites that may affect the Bank.  Such reports are delivered directly to the Social Media Manager on an ongoing basis.  The Social Media Manager is responsible for determining appropriate action, if any.

TRAINING

On at least an annual basis the Bank will provide social media training to all personnel.  The training is intended to convert employees into social media evangelists while ensuring safe and sound use of social media.  Compliance with the guidelines noted above will largely ensure that employees act in a manner consistent with Bank expectations.

AUDIT

The Bank’s social media activities will be audited as part of the Bank’s normal internal audit schedule.  Auditors will audit as appropriate.  For example, audits related to IT, consumer compliance, fair lending and CRA may all contain a social media component.

Tuesday, August 14, 2012

Community Outreach and Retail Banking


According to a recent article written by Alan Mattei of consultancy Novantas LLC, community outreach is fundamental to retail banking.  The problem banks face is determining how to best respond to the plethora of social platforms that include blogs, Facebook, Twitter, Pinterest, etc.


Mr. Mattei argues that social networking is forcing banks to think twice about the singular importance of branch banking.  As more time is spent online, shopping habits, including those related to bank products and services, have morphed and as such, banks must find ways to meet with customers at their new destinations – social media platforms.

As evidence of this transition, Mattei provides examples of two branchless financial services players that have begun to market products and services through social platforms: Ally Bank and American Express.

Ally’s online outreach includes a blog with self-help tips and expert advice; a continuing heavy stream of articles that are broadcast and posted on its Website; posts on Facebook; tweets; and infographics. Such activities have generated millions of Website visits and have become a driver in deposit account origination, according to Forrester Research.


American Express launched its “Sync, Tweet, Save” program, which entices customers to sync their cards with their Twitter accounts. Under this arrangement, promotions from merchants and American Express are pushed to the customer via Twitter, with discount offers concurrently activated at the merchant point of sale.

Mattei states that today’s innovators in the use of social media are going beyond traditional banking’s defensive measures (e.g., reputation management).  Regardless, Mattei makes a point for walking before running by stating that “as a reasonable first step, institutions within the top 100 should establish an individual set of surveillance routines and contingency response plans for social media. This includes participating in conversational threads as appropriate; responding to customer service requests; diffusing negative events; and generally monitoring “the voice of the customer.” Much of this preparation remains to be done, although there are a few standout examples of banks with strong antennas in the virtual space.”  Here Mr. Mattei is spot on.  Mr. Mattei’s only error is that he has limited his advice to the top 100 when in fact every institution should follow this advice.

Mr. Mattei argues that social media and banking is about proactive involvement.  He argues that banks must learn to “proactively participate in the online dialogue, not just react in trying circumstances.”  The ultimate goal according to Mattei is strengthening brand presence and building product awareness through:

  • Community Building
  • Two-Way Conversations
  • Content Threads

Mattei states that banks must begin incorporating social media into the overall marketing plan – despite the lack of maturity in the market.  Just like the online marketing scene created chaos for bankers yet bankers adapted, so too must bankers adapt to social media despite the chaos.  Mattei states that “institutions will have to start somewhere, just as they did when the Internet took off ten to fifteen years ago.”


Mattei attacks the ROI question head on when he states that “it is a mistake to begin using strict return on investment (ROI) calculations to evaluate social media initiatives right now.”  He compares today’s social ROI debate to that of online billpay of yesterday.  He points out that what years ago was a horrible ROI example, today has been an incredibly profitable service that creates serious retention.

For a second time in the article Mattei makes reference to the “majors” by stating that “for major banks, real traction with social media will require a dedicated team.”  While the advice he gives is sound, it applies to all banks.  Regardless, depending on the success and the leverage of social media within an organization, even smaller shops may want to consider community managers to run the day-to-day social operation.  Should they be outsiders or bank employees?  That is a conversation (debate) for another day.

Mattei goes on to address the use of social media for customer service.  He advises to start small and simple and figure out what works and what doesn’t.  He suggests using analytics to find the nuggets of gold that may result in an effective social effort.

Ultimately, Mattei states that “to mobilize for this new channel, executives must embrace the notion that building ‘social equity’ has long-term value for the institution. They then need to allocate the required resources, build the right teams, and craft a long-term strategy for transformation.”


I generally agree with Mattei.  I wish his focus would not have been so heavily slanted towards larger shops.  It is, after all, community banks that are best positioned to take advantage of the social media revolution.  Understandably, community banks are not likely going to spend the bucks on social like the top 100.  Regardless, it does not help the industry when the smaller players are ignored or left out of the "conversation."

Some useful links:  Social Media Risk Assessment Template

Thursday, July 19, 2012

Harnessing the Power of Social Media

In his article, "How Banks Can Harness the Power of Social Media," Tom Bukacek, CEO of Black Box Social Media LLC summarizes nicely the best way community banks should use social media.

According to Bukacek, banks have been slow to adopt social media in recent years due to factors such as ROI, risks and understanding how to best use social networks.  But this is changing every day.

Bukacek makes a strong point:  "CONSUMER INTERACTION CAN ONLY OCCUR AT THE SMALLER COMMUNITY LEVEL."

BINGO!!!!!!

Bukacek goes on to explain that the "sharing of experiences and stories brings the banks closer to customers and also ends up becoming a valuable source of information about consumer preferences."  He also addresses the issue of "negative feedback" by stating that a well handled social media crisis can result in a very positive outcome.

These are all simple but important rules when using social media in a community bank setting.  Forget the big and expensive national campaigns of the multinational banks.  Instead focus on micro-marketing through social media.  Win over new customers and turn existing customers into brand ambassadors and evangelists for your brand.


Wednesday, July 18, 2012

Social Media Policies Everywhere Among Investment Advisors

The Investment Adviser Association, ACA Compliance Group and Old Mutual Asset Management released the 2012 Investment Management Compliance Testing Survey Report.  The report found that among the investment advisers surveyed:


  • 80% maintained formal written social media policies in 2012
  • 64% maintained formal written social media policies in 2011
  • 43% maintained formal written social media policies in 2012

The survey also found that in 2012, 54% of investment advisers prohibit the use of personal social media sites such as Facebook for business purposes.  Further, in 2012, 54% of investment adviser firms audit for compliance with social media policies.


This data suggests that the regulated financial services industries have realized the ubiquity of social media - not only in the personal lives of employees and clients, but in the financial services industries.

With so few investment advisers maintaining formal written social media policies, the regulatory expectation, AKA Best Practice, will be for every regulated firm to not only maintain such policies but also test for compliance with the policies.

Thursday, March 1, 2012

Complying with the HR Component

At the risk of being called a shameless plugger, I am referring you to my recent book, "Human Resources Guide to Social Media Risks" as a tool for complying with the human resources related threats found on yesterday's Social Media Risk Assessment.


I think that the book is a necessary read for not only HR professionals, but any manager and employee in and around social media (e.g., everyone).  There are some very important lessons in the book that can really help organizations manage their social media risks from an HR perspective.  As I like to say, social media risks are human risks.  They are not technology risks.  A review of the risk assessment document in yesterday's post makes that very apparent.  As such, be sure to pick up a copy of the guide.  I think you'll be very happy you did and I really do believe that you will be doing your organization a great service.

Social Media Risk Assessment Process - Part 5

Ahhhh. The fifth and final part of this series on the Social Media Risk Assessment Process ("SMRAP").  I hope you've enjoyed the series up to this point.  I know I've enjoyed bringing it to you.

This last segment is all about completing the SMRAP.  I've created a fairly basic yet effective social media risk assessment model.  As you will note from the graphic below, my model uses the concept of "Threat/Vulnerability" pairs to isolate weaknesses that can result in disaster.  In a nutshell, here's the deal:  there are threats and there are vulnerabilities.


Threats are actions or events that can cause harm to the organization.  For example, when it comes to social media risks, an example of a threat is the disclosure of confidential customer information over social media.

Vulnerabilities are simply weaknesses in the system.  They are the chinks in the armor.  Vulnerabilities are what enable the threats to take form.  For example, a vulnerability related to the threat above could be a lack of understanding of social media-related information security risks by employees.

Therefore, using the same threat example above, the threat can manifest or occur due to a lack of adequate employee training.  In other words, an employee does not know that it is a bad idea to post confidential employee information on social media sites and as such, the employee posts information or takes part in conversations that reveal confidential customer information.

This is what I refer to as the Threat/Vulnerability pair.  A threat creates havoc and a vulnerability permits the threat to wreak havoc.  It must be noted that threats in and of themselves are fairly harmless.  Without a vulnerability threats have no life.


STEP 1:  Determine the threats that apply to the organization's social media environment.  I have created a social media risk assessment template that contains the majority of "high level" organizational threats.  You can download the social media risk assessment document here.

STEP 2: Determine the vulnerabilities (weaknesses) that can create an environment in which the threats can manifest.  In some cases a threat will have only one vulnerability associated with it.  However, in the majority of cases there will be multiple vulnerabilities associated with each threat.  If you inspect the template social media risk assessment you will see multiple vulnerabilities per threat (see graphic above).

STEP 3:  Once the threats and vulnerabilities have been identified it is time to determine the internal controls that are in place.  Internal controls are the practices and processes that will keep the vulnerability from turning the threat into a reality.  The template provided contains common controls.  It is not likely that every organization will have every control listed.  The greater the number and breadth of controls in place, the less likely the threat will take place.  Each control should be listed on the risk assessment as shown in the template document.

STEP 4:  Based upon the internal controls in place and the nature of the threat and vulnerability, the organization must determine the likelihood that the threat will take place.  A sample Likelihood Matrix, such as the one shown below, is contained in the template.


STEP 5:  Next, the organization must determine the severity of the effect of the threat if it were to manifest based upon the existing controls.  Similar to the Likelihood Matrix, the template contains a Severity Matrix such as the one below.


STEP 6: Finally, the organization uses both the Likelihood of Occurrence and the Impact of Severity to determine the Risk Level.  The template also contains a matrix to assist in the determination of risk.


STEP 7:  After completing the social media risk assessment it should be reviewed.  Considerations in the review include a risk level that is too high relative to the organization's risk appetite.  For example, it may be the policy that all "moderate" and "high" risk areas be reviewed with senior management to discuss further internal controls that can be implemented to reduce the risks. It is generally a good idea to summarize the risk assessment process and deliver a report to the organization's Audit Committee and possibly the Board of Directors.  Along with the report may be recommendations or action items that will be taken to increase the number of internal controls to reduce the overall risk.  Once such action items are completed the organization can again perform the risk assessment to determine if the internal controls have been effective in reducing the risk level.

It must be noted that there are many ways to conduct a risk assessment.  This method is just one.  There is no right or wrong methodology as long as the end result provides an assessment of the residual risk and considers all of the practical threats.

I encourage you to take this template and turn it into your own.  I also ask that you return to this post with your recommended revisions/enhancements to the template so that others may also benefit.

Enjoy.