Sunday, August 19, 2012

Sample Social Media Policy for Banks

A frequent request is a sample Bank Social Media Policy.  Well here it is.  This sample policy is bare bones and is intended to be customized for each institution's specific social media strategy.



Bank recognizes the importance of the Internet in the day-to-day operations of the Bank.  From marketing to reputation management to recruitment of new employees, the Internet plays a major role in the Bank’s overall strategy.  And now, the Internet is generally synonymous with social media and its popular social networks such as Facebook and LinkedIn.  Use of Facebook, LinkedIn, blogging, wikis and other online social media vehicles is commonplace.

This policy is intended to assist employees in making appropriate decisions about work-related blogging and social media interaction.  This policy must be used in conjunction with other tools provided to employees, including the Acceptable Use Policy, Employee Guide to Information Security, Human Resources Guide to Social Media Risks, and related training.

The lines between work and personal life can become blurred. In general, what you do on your own time is a personal decision. However, activities in or outside of work that affect your job performance, the performance of others, or Bank business interests are a proper focus for Bank policy.


As a community bank, Bank recognizes the importance of our employees joining in and helping to shape conversations regarding the Bank and the communities we serve.  Bank is committed to supporting employees’ desire to interact knowledgeably and socially on the Internet through social media.

Contributing to the online conversations about banking or our communities means being present where and when they are taking place. As technology tools enable an easy exchange with community members, governmental representatives, clients, and the public, we encourage employees to share the insights and expertise gained through work at Bank. This can be done without first asking permission provided this guidance is read and followed.


The Bank’s social media efforts are targeted at several stakeholders:

1.    Existing Customers:  To provide existing customers with information and conversation/engagement opportunities relative to ongoing activities at the Bank and in the community.  Ultimately, the goal is to convert a “customer” into an “evangelist” for the Bank.

2.    New Customers:  To create sufficient awareness in the local marketplace that results in new customer originations – deposit, lending, and other services.  The marketplace is full of competitors with similar “commodity” products and services.  Social media allows the Bank to “humanize” itself and set itself apart from the competition.

3.    Media:  Social media provides the Bank with a platform to communicate with the media regarding its ongoing activities and rich history.  Through social media the Bank can embed video and other media that can assist the media when developing content.  For example, a bank video can be reposted and potentially result in viral distribution.

4.    Regulatory Agencies:  Social media provides a channel through which the Bank can highlight compliance with regulatory requirements.  For example, social media allows the Bank to easily demonstrate its compliance with the Community Reinvestment Act.  Further, social media provides a convenient mechanism through which to receive consumer complaints or positive feedback.

5.    Community At-Large:  Social media introduces Bank to the community at-large.  The content created on social media provides an information distribution channel through which interested parties can learn about Bank.


Being able to share your and the Bank’s activities without prior management approval means the Bank trusts you to understand that by doing so you are accepting a higher level of risk for greater rewards. Each Bank employee is personally responsible for the content he or she publishes on any form of social media. Be thoughtful about how you present yourself in online social networks.

You may have identified yourself as a Bank staff member or the Bank as your employer, either directly or as part of a user profile. If so, ensure your profile and related content are consistent with how you wish to present yourself to the Bank’s stakeholders, your business contacts, and your colleagues and peers.

Senior management have a special responsibility with their Internet presence by virtue of their high-profile position within the Bank, even if they do not explicitly identify themselves as being affiliated with the Bank.  Such senior-level staff should assume that their posts will be seen and read by Bank stakeholders and that those stakeholders will presumptively associate such posts with the Bank.

Trust is an essential ingredient in the constructive culture we are striving to achieve at the Bank. We can’t be there to guide every interaction, so we expect you to follow these guidelines and advice to help you better balance the risk vs. reward ratio.


The Social Media Manager is responsible for managing the Bank’s social media strategy.  The Social Media Manager, or an assignee, will provide training and monitor activity on an ongoing basis.  Inquiries regarding the Bank’s social media strategy must be forwarded to the Bank’s Social Media Manager.

The Social Media Manager is responsible for determining “community managers.”  Community managers are employees and third parties that are provided with authority to act as administrators on the Bank’s behalf.  The Social Media Manager must select individuals as community managers that possess the requisite technical skills as well as understand the risks associated with social media.  All community managers report directly to the Social Media Manager relative to matters related to social media – regardless of their role within the Bank.


These guidelines will help you open up a respectful, knowledgeable interaction with people on the Internet. They also protect the privacy, confidentiality, and interests of the Bank and its customers.  Note that these policies and guidelines apply only to work-related sites and issues and are not meant to infringe upon your personal interaction or commentary online.  Regardless, all employees must determine the potential impact that “personal” interactions may have upon the Bank and its customers, vendors, and other stakeholders. Ultimately, employees are held accountable for ensuring that interaction is appropriate and consistent with this policy and other Bank guidance.

·         The goal is to ensure the Bank’s voice is part of the larger conversation relating to community banking and the communities the Bank serves.  Do not embark before understanding the conversation. First, explore the topic being discussed, read about it and contribute only when input adds or advances the discussion. Include an especially relevant link, since doing so further connects the Bank to the wider Web and can result in greater connectivity for the Bank.

·         Keep in mind that posts are visible by all with online access. It may be fine to share your work at the Bank as part of your participation in the online community, etc., but you DO NOT have permission to reveal any information that compromises Bank policy or public positions.  By that we mean don’t share anything that is proprietary and/or confidential to the Bank. For example, it is not okay to share any content that required a non-disclosure agreement or is part of a confidential management or Board discussion.  Other items that may not be disclosed include any customer and vendor information that is not publicly available. 

·         If you are developing a Web site or writing a blog or making any other social media comment that will mention Bank and/or our current and potential products, employees, partners, customers, and competitors, identify that you are an employee of Bank and that the views expressed on the blog or Web site are yours alone and do not represent the views of Bank.

·         Unless given permission by your manager, you are not authorized to speak on behalf of the Bank, nor to represent that you do so.

·         If you are developing a site or writing a blog or making any other social media comment that will mention our company and / or our current and potential products, employees, partners, customers, and competitors, as a courtesy to the company, please let your manager know that you are writing them.  Your manager may choose to visit from time to time to understand your point of view.

·         You may not share information that is confidential and proprietary about the Bank or its customers. This includes information about upcoming product releases, sales, finances, number of products sold, number of employees, Bank strategy, and any other information that has not been publicly released by the company.  These are given as examples only and do not cover the range of what the Bank considers confidential and proprietary. If you have any question about whether information has been released publicly or doubts of any kind, speak with your manager before releasing information that could potentially harm the Bank, or our current and potential products, employees, partners, and customers. Before embarking on any such endeavor employees should be familiar with the Bank’s other applicable policies, including the Acceptable Use Policy, Employee Guide to Information Security, etc. 

·         Bank logo and trademarks may not be used without explicit permission in writing from the Bank. This is to prevent the appearance that you speak for or represent the company officially.

·         Speak respectfully about the Bank and our current and potential employees, customers, partners, and competitors.  Do not engage in name calling or behavior that will reflect negatively on the Bank's reputation. Note that the use of copyrighted materials, unfounded or derogatory statements, or misrepresentation is not viewed favorably by the Bank and can result in disciplinary action up to and including employment termination.

·         The Bank encourages you to write knowledgeably, accurately, and using appropriate professionalism. Despite disclaimers, your Web interaction can result in members of the public forming opinions about the Bank and its employees, partners, and products.

·         Honor the privacy rights of our current employees by seeking their permission before writing about or displaying internal company happenings that might be considered to be a breach of their privacy and confidentiality.

·         You may not sell any product or service that would compete with any of the Bank's products or services without permission in writing from the Chief Administrative Officer.  This includes, but is not limited to training, books, products, and freelance writing. If in doubt, talk with your manager or the Chief Administrative Officer.

·         Recognize that you are legally liable for anything you write or present online. Employees can be disciplined by the Bank for commentary, content, or images that are defamatory, pornographic, proprietary, harassing, libelous, or that can create a hostile work environment. You can also be sued by Bank employees, competitors, and any individual or company that views your commentary, content, or images as defamatory, pornographic, proprietary, harassing, libelous or creating a hostile work environment.

·         Media contacts about the Bank and our current and potential products, employees, partners, customers, and competitors should be referred for coordination and guidance to the Chief Administrative Officer. This does not specifically include your opinions, writing, and interviews on topics aside from the Bank and our current and potential products, employees, partners, customers, and competitors.

·         Make sure that your online activities do not interfere with your job performance.

·         Respecting differences, appreciating the diversity of opinions and speaking or conducting yourself in a professional manner is expected at all times. If you aren’t completely confident about what you intend to share, you should seek management input before you post.


The Social Media Manager of the Bank is accountable for determining the Bank’s Social Media Strategy.  The Bank’s use of social media is largely to develop a “community” of Bank supporters and to raise awareness of the Bank’s brand.  This is largely done through interaction on mainstream social media platforms such as Facebook, LinkedIn, Blogger, and Twitter.  The specific platforms used may change from time to time as technology evolves and audiences shift. Regardless, the guidelines above remain in effect.  Questions regarding the Bank’s use of social media should be directed to the Social Media Manager.


The primary purpose of the Bank’s social media activities is “community building.”  While the Bank will from time to time promote products and services, the primary focus is the creation of an online community where the Bank can share its history and mission and where stakeholders can maintain conversations with the Bank.  The Bank does not “censor” comments made by third parties and only removes comments if they are considered obscene, pornographic or similarly inappropriate.  As such, it is the Bank’s policy to remain transparent and not delete derogatory comments.  Instead, it is the Bank’s policy to attempt to understand the origin of any derogatory comment in an attempt to “correct” any error or misunderstanding caused by the Bank.  Management is responsible for monitoring content on an ongoing basis (generally daily).

The Social Media Manager is responsible for determining “community managers” given authority to post on behalf of the Bank.  The Social Media Manager is responsible for ensuring that such employees are “social media savvy” and understand social media risks.


Currently the Bank utilizes Facebook, YouTube, Blogger, LinkedIn, and Twitter.  These platforms provide for varying types of interaction.  Some are more information based, such as LinkedIn.  Others are more collaborative, such as Facebook.  Currently the Social Media Manager is responsible for managing these accounts.


Regardless of any organization’s use of social media, Internet users can make comments that affect the Bank on locations outside of the Bank’s social media sites.  As such, the Bank utilizes Google Alerts to monitor (listen to) conversations in social media and on Web sites that may affect the Bank.  Such reports are delivered directly to the Social Media Manager on an ongoing basis.  The Social Media Manager is responsible for determining appropriate action, if any.


On at least an annual basis the Bank will provide social media training to all personnel.  The training is intended to convert employees into social media evangelists while ensuring safe and sound use of social media.  Compliance with the guidelines noted above will largely ensure that employees act in a manner consistent with Bank expectations.


The Bank’s social media activities will be audited as part of the Bank’s normal internal audit schedule.  Auditors will audit as appropriate.  For example, audits related to IT, consumer compliance, fair lending and CRA may all contain a social media component.

Tuesday, August 14, 2012

Community Outreach and Retail Banking

According to a recent article written by Alan Mattei of consultancy Novantas LLC, community outreach is fundamental to retail banking.  The problem banks face is determining how to best respond to the plethora of social platforms that include blogs, Facebook, Twitter, Pinterest, etc.

Mr. Mattei argues that social networking is forcing banks to think twice about the singular importance of branch banking.  As more time is spent online, shopping habits, including those related to bank products and services, have morphed and as such, banks must find ways to meet with customers at their new destinations – social media platforms.

As evidence of this transition, Mattei provides examples of two branchless financial services players that have begun to market products and services through social platforms: Ally Bank and American Express.

Ally’s online outreach includes a blog with self-help tips and expert advice; a continuing heavy stream of articles that are broadcast and posted on its Website; posts on Facebook; tweets; and infographics. Such activities have generated millions of Website visits and have become a driver in deposit account origination, according to Forrester Research.

American Express launched its “Sync, Tweet, Save” program, which entices customers to sync their cards with their Twitter accounts. Under this arrangement, promotions from merchants and American Express are pushed to the customer via Twitter, with discount offers concurrently activated at the merchant point of sale.

Mattei states that today’s innovators in the use of social media are going beyond traditional banking’s defensive measures (e.g., reputation management).  Regardless, Mattei makes a point for walking before running by stating that “as a reasonable first step, institutions within the top 100 should establish an individual set of surveillance routines and contingency response plans for social media. This includes participating in conversational threads as appropriate; responding to customer service requests; diffusing negative events; and generally monitoring “the voice of the customer.” Much of this preparation remains to be done, although there are a few standout examples of banks with strong antennas in the virtual space.”  Here Mr. Mattei is spot on.  Mr. Mattei’s only error is that he has limited his advice to the top 100 when in fact every institution should follow this advice.

Mr. Mattei argues that social media and banking are about proactive involvement.  He argues that banks must learn to “proactively participate in the online dialogue, not just react in trying circumstances.”  The ultimate goal, according to Mattei, is strengthening brand presence and building product awareness through:
  • Community Building
  • Two-Way Conversations
  • Content Threads
Mattei states that banks must begin incorporating social media into the overall marketing plan – despite the lack of maturity in the market.  Just like the online marketing scene created chaos for bankers yet bankers adapted, so too must bankers adapt to social media despite the chaos.  Mattei states that “institutions will have to start somewhere, just as they did when the Internet took off ten to fifteen years ago.”

Mattei attacks the ROI question head on when he states that “it is a mistake to begin using strict return on investment (ROI) calculations to evaluate social media initiatives right now.”  He compares today’s social ROI debate to that of online billpay of yesterday.  He points out that what years ago was a horrible ROI example is today an incredibly profitable service that creates serious retention.

For a second time in the article Mattei makes reference to the “majors” by stating that “for major banks, real traction with social media will require a dedicated team.”  While the advice he gives is sound, it applies to all banks.  Regardless, depending on the success and the leverage of social media within an organization, even smaller shops may want to consider community managers to run the day-to-day social operation.  Should they be outsiders or bank employees?  That is a conversation (debate) for another day.

Mattei goes on to address the use of social media for customer service.  He advises to start small and simple and figure out what works and what doesn’t.  He suggests using analytics to find the nuggets of gold that may result in an effective social effort.

Ultimately, Mattei states that “to mobilize for this new channel, executives must embrace the notion that building ‘social equity’ has long-term value for the institution. They then need to allocate the required resources, build the right teams, and craft a long-term strategy for transformation.”

I generally agree with Mattei.  I wish his focus would not have been so heavily slanted towards larger shops.  It is, after all, community banks that are best positioned to take advantage of the social media revolution.  Understandably, community banks are not likely going to spend the bucks on social like the top 100.  Regardless, it does not help the industry when the smaller players are ignored or left out of the "conversation."

Some useful links:  Social Media Risk Assessment Template

Thursday, July 19, 2012

Harnessing the Power of Social Media

In his article, "How Banks Can Harness the Power of Social Media," Tom Bukacek, CEO of Black Box Social Media LLC summarizes nicely the best way community banks should use social media.


According to Bukacek, banks have been slow to adopt social media in recent years due to factors such as ROI, risks and understanding how to best use social networks.  But this is changing every day.



Bukacek goes on to explain that the "sharing of experiences and stories brings the banks closer to customers and also ends up becoming a valuable source of information about consumer preferences."  He also addresses the issue of "negative feedback" by stating that a well handled social media crisis can result in a very positive outcome.

These are all simple but important rules when using social media in a community bank setting.  Forget the big and expensive national campaigns of the multinational banks.  Instead focus on micro-marketing through social media.  Win over new customers and turn existing customers into brand ambassadors and evangelists for your brand.

Wednesday, July 18, 2012

Social Media Policies Everywhere Among Investment Advisors

The Investment Adviser Association, ACA Compliance Group and Old Mutual Asset Management released the 2012 Investment Management Compliance Testing Survey Report.  The report found that among the investment advisers surveyed:

  • 80% maintained formal written social media policies in 2012
  • 64% maintained formal written social media policies in 2011
  • 43% maintained formal written social media policies in 2012
The survey also found that in 2012, 54% of investment advisers prohibit personal social media sites such as Facebook from being used for business purposes.  Further, in 2012, 54% of investment adviser firms audit for compliance with social media policies.

This data suggests that the regulated financial services industries have realized the ubiquity of social media - not only in the personal lives of employees and clients, but in the financial services industries.

With so few investment advisers maintaining formal written social media policies, the regulatory expectation, AKA Best Practice, will be for every regulated firm to not only maintain such policies but also test for compliance with the policies.

Thursday, March 1, 2012

Complying with the HR Component

At the risk of being called a shameless plugger, I am referring you to my recent book, "Human Resources Guide to Social Media Risks" as a tool for complying with the human resources related threats found on yesterday's Social Media Risk Assessment.

I think that the book is a necessary read for not only HR professionals, but any manager and employee in and around social media (e.g., everyone).  There are some very important lessons in the book that can really help organizations manage their social media risks from an HR perspective.  As I like to say, social media risks are human risks.  They are not technology risks.  A review of the risk assessment document in yesterday's post makes that very apparent.  As such, be sure to pick up a copy of the guide.  I think you'll be very happy you did and I really do believe that you will be doing your organization a great service.

Social Media Risk Assessment Process - Part 5

Ahhhh. The fifth and final part of this series on the Social Media Risk Assessment Process ("SMRAP").  I hope you've enjoyed the series up to this point.  I know I've enjoyed bringing it to you.

This last segment is all about completing the SMRAP.  I've created a fairly basic yet effective social media risk assessment model.  As you will note from the graphic below, my model uses the concept of "Threat/Vulnerability" pairs to isolate weaknesses that can result in disaster.  In a nutshell, here's the deal:  there are threats and there are vulnerabilities.

Threats are actions or events that can cause harm to the organization.  For example, when it comes to social media risks, an example of a threat is the disclosure of confidential customer information over social media.

Vulnerabilities are simply weaknesses in the system.  They are the chinks in the armor.  Vulnerabilities are what enable the threats to take form.  For example, a vulnerability related to the threat above could be a lack of understanding of social media-related information security risks by employees.

Therefore, using the same threat example above, the threat can manifest or occur due to a lack of adequate employee training.  In other words, an employee does not know that it is a bad idea to post confidential employee information on social media sites and, as such, the employee posts information or takes part in conversations that reveal confidential customer information.

This is what I refer to as the Threat/Vulnerability pair.  A threat creates havoc and a vulnerability permits the threat to wreak havoc.  It must be noted that threats in and of themselves are fairly harmless.  Without a vulnerability, threats have no life.

STEP 1:  Determine the threats that apply to the organization's social media environment.  I have created a social media risk assessment template that contains the majority of "high level" organizational threats.  You can download the social media risk assessment document here.

STEP 2: Determine the vulnerabilities (weaknesses) that can create an environment in which the threats can manifest.  In some cases a threat will have only one vulnerability associated with it.  However, in the majority of cases there will be multiple vulnerabilities associated with each threat.  If you inspect the template social media risk assessment you will see multiple vulnerabilities per threat (see graphic above).

STEP 3:  Once the threats and vulnerabilities have been identified it is time to determine the internal controls that are in place.  Internal controls are the practices and processes that will keep the vulnerability from turning the threat into a reality.  The template provided contains common controls.  It is not likely that every organization will have every control listed.  The greater the number and breadth of controls in place, the less likely the threat will take place.  Each control should be listed on the risk assessment as shown in the template document.

STEP 4:  Based upon the internal controls in place and the nature of the threat and vulnerability, the organization must determine the likelihood that the threat will take place.  A sample Likelihood Matrix, such as the one shown below, is contained in the template.

STEP 5:  Next, the organization must determine the severity of the effect of the threat if it were to manifest based upon the existing controls.  Similar to the Likelihood Matrix, the template contains a Severity Matrix such as the one below.

STEP 6: Finally, the organization uses both the Likelihood of Occurrence and the Impact of Severity to determine the Risk Level.  The template also contains a matrix to assist in the determination of risk.

STEP 7:  After completing the social media risk assessment it should be reviewed.  Considerations in the review include a risk level that is too high relative to the organization's risk appetite.  For example, it may be the policy that all "moderate" and "high" risk areas be reviewed with senior management to discuss further internal controls that can be implemented to reduce the risks. It is generally a good idea to summarize the risk assessment process and deliver a report to the organization's Audit Committee and possibly the Board of Directors.  Along with the report may be recommendations or action items that will be taken to increase the number of internal controls to reduce the overall risk.  Once such action items are completed the organization can again perform the risk assessment to determine if the internal controls have been effective in reducing the risk level.
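The seven steps above as a small scoring script, added here as an illustration rather than the author's template: it scores threat/vulnerability pairs from their controls, lists the moderate and high ones for senior management review, and re-scores a pair after an action plan adds controls. The four-point scales, the one-step-per-control likelihood rule and the risk thresholds are assumptions, since the post's matrices are not reproduced here; the register entries are constructed from the post's own examples.

```python
"""Threat/Vulnerability pair scoring in the style of the SMRAP steps above.

Added illustration, not the author's template. The four-point likelihood and
severity scales, the rule that each control in place lowers likelihood by one
step, and the risk-level thresholds are assumptions; substitute the matrices
from your own template.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# STEP 4/5 scales (assumed 4-point scales; the post's matrices are not shown here)
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4}
SEVERITY = {"minor": 1, "moderate": 2, "major": 3, "severe": 4}
ESCALATE = {"moderate", "high"}  # STEP 7: review these with senior management


@dataclass
class Pair:
    """One Threat/Vulnerability pair with the controls currently in place (STEPS 1-3)."""
    threat: str
    vulnerability: str
    inherent_likelihood: str  # likelihood with no controls in place
    severity: str
    controls: list[str] = field(default_factory=list)


def likelihood_score(pair: Pair) -> int:
    """STEP 4: more controls, lower likelihood (assumed: one step per control, floor 1)."""
    return max(1, LIKELIHOOD[pair.inherent_likelihood] - len(pair.controls))


def risk_level(likelihood: int, severity: int) -> str:
    """STEP 6: combine likelihood and severity into a risk level (assumed thresholds)."""
    score = likelihood * severity  # 1..16
    if score >= 9:
        return "high"
    if score >= 4:
        return "moderate"
    return "low"


def assess(pair: Pair) -> dict:
    """Score one pair and record the inputs so the assessment is auditable."""
    lik = likelihood_score(pair)
    sev = SEVERITY[pair.severity]
    return {
        "threat": pair.threat,
        "vulnerability": pair.vulnerability,
        "controls": list(pair.controls),
        "likelihood": lik,
        "severity": sev,
        "risk_level": risk_level(lik, sev),
    }


def escalation_list(pairs: list[Pair]) -> list[dict]:
    """STEP 7: pairs whose risk level exceeds the (assumed) appetite of 'low'."""
    return [r for r in map(assess, pairs) if r["risk_level"] in ESCALATE]


def residual_risk(pair: Pair, new_controls: list[str]) -> dict:
    """Re-run the assessment after an action plan adds controls (STEP 7, last sentence)."""
    improved = Pair(pair.threat, pair.vulnerability, pair.inherent_likelihood,
                    pair.severity, pair.controls + new_controls)
    return assess(improved)


# Constructed sample register: the post's own example pair plus two others.
REGISTER = [
    Pair("Disclosure of confidential customer information over social media",
         "Employees do not understand social media information security risks",
         inherent_likelihood="likely", severity="severe",
         controls=["Acceptable Use Policy"]),
    Pair("Derogatory comments about the Bank on third-party sites",
         "No monitoring of conversations outside the Bank's own pages",
         inherent_likelihood="possible", severity="moderate",
         controls=["Google Alerts delivered to the Social Media Manager"]),
    Pair("Unauthorized use of the Bank logo by an employee",
         "Employees unaware that written permission is required",
         inherent_likelihood="unlikely", severity="minor",
         controls=["Written-permission requirement in policy"]),
]

if __name__ == "__main__":
    for row in escalation_list(REGISTER):
        print(f"{row['risk_level']:8} {row['threat']}")
    after = residual_risk(REGISTER[0], ["Annual social media training",
                                        "Daily content monitoring"])
    print("residual:", after["risk_level"])
```

Note that the first pair only drops from high to moderate after two more controls, which is the situation the post describes as common and as still requiring senior management awareness.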

It must be noted that there are many ways to conduct a risk assessment.  This method is just one.  There is no right or wrong methodology as long as the end result provides an assessment of the residual risk and considers all of the practical threats.

I encourage you to take this template and turn it into your own.  I also ask that you return to this post with your recommended revisions/enhancements to the template so that others may also benefit.


Wednesday, February 22, 2012

Social Media Risk Assessment Process - Part 4

The Social Media Risk Assessment Process ("SMRAP") should be incorporated as a component of the organization’s overall risk management strategy.  

Generally, a revised social media risk assessment should be conducted on an annual basis.  The fundamental basis of the SMRAP is to balance the Bank’s desire and need to utilize social media with other factors associated with doing business.  The organization must recognize that some risk must be accepted to make use of social media for business.  The organization must also recognize that some social media risks exist regardless of the organization's social media strategy.  As such, the risk assessment program provides a practical approach to efficiently and cost-effectively identifying risks associated with social media use - regardless of the look and feel of the organization's social media strategy.

Risk assessments help ensure that employees comply with the organization's requirements as outlined in its social media policy, code of conduct and other related policies.  The SMRAP also raises employee awareness regarding social media risks associated with their business unit’s use of social media.  Additionally, the SMRAP assists the organization in making informed decisions about the need for additional risk mitigation controls.

The SMRAP can be conducted by a centralized department or rolled out to departments and sites on a decentralized basis.  Each organization must determine how to best disseminate the SMRAP.  The goal of the SMRAP is to identify threats and vulnerabilities posed by social media.  This may be difficult to do through a centralized approach if the organization is large and/or spread out geographically.

Those responsible for performing the SMRAP must determine each threat and its associated vulnerabilities.  For each vulnerability the manager must determine the controls in place to prevent the vulnerability from being exploited, the severity of impact upon the organization if it were exploited, and the likelihood of the exploit occurring given existing internal controls.  It is important to note that this process requires a certain level of subjectivity.  As such, the success or failure of the SMRAP hinges upon the knowledge and understanding of the individual(s) performing the SMRAP, and the organization should select individuals with experience in assessing risks and business impact.  The use of junior staff to conduct the SMRAP may under- or overestimate the conclusions - unless the staff are well supervised.  Part 5 of this series will describe an easy manner to document the SMRAP.

Once the risk level is determined for each threat/vulnerability pair, organizations may consider additional controls for moderate- and high-risk levels.  After the control enhancements have been incorporated, the threat/vulnerability pair is re-evaluated to determine the residual risk after the control is implemented.

The outcome of the SMRAP process is the mitigation of risk to acceptable levels, thereby providing adequate protection to the organization.  As such, to the extent that moderate- and high-risk levels exist after the implementation of mitigating controls, a discussion of the threat should be elevated to senior management.  It is important to note that operating under moderate- or high-risk levels is not uncommon.  However, under such circumstances it is important to ensure that the appropriate parties are aware of the risks, so that all options have been considered before the organization accepts them.  This awareness is crucial for line units - particularly during periods of duress.  Consider it a form of CYA!

In cases in which additional controls must be implemented to mitigate moderate and high risks, the organization should consider the development of a formal written action plan that documents the controls.  The action plan should include the steps to be taken, the time frame for completion and the individuals responsible for implementation of the controls.

It is highly recommended that the SMRAP be evaluated by the appropriate parties within the organization.  This may include the CEO, CIO, IT Steering Committee, Compliance Committee, Audit Committee and the Board of Directors.  The purpose of the review should be to share the strengths and weaknesses of the organization’s social media strategy from a risk perspective.  Identified organizational vulnerabilities should be addressed with the appropriate personnel for the purpose of implementing corrective actions.

The SMRAP focuses on strategic and operational issues.  Organizational vulnerabilities are weaknesses related to the organization’s policies or practices that can result in the manifestation of a threat.  Part 5 of this series will drill down into specific threats and vulnerabilities and will provide the most common threats and vulnerabilities as a template.  However, the framework introduced in Part 5 provides sufficient flexibility to allow the user of the SMRAP to customize the process with organization-specific threats and vulnerabilities.

Tuesday, February 21, 2012

Social Media Risk Assessment Process - Part 3

Risk is the possibility of an act or event occurring that would have an adverse effect on the organization.  Risk can also be the potential that a given threat will exploit vulnerabilities to cause loss of, or damage to, the organization.  Risk is generally measured by a combination of severity and likelihood of occurrence.

A threat is an action or event that might jeopardize the organization.  It is a sequence of circumstances and events that allow a human (disgruntled employee, etc.) or other agent (virus, Trojan horse, etc.) to cause a misfortune by exploiting vulnerabilities.  A vulnerability is a weakness that allows a threat to manifest itself. 

Considerations to keep in mind when determining threats:

  • Determining the legal implications and contingent liability associated with any identified risks.  For example, if hackers successfully access the organization’s Facebook account and use it to subsequently attack followers/friends, the organization may be liable for damages incurred by the party that is attacked.
  • Capability and motivation are important attributes of threats.  Threats need both attributes (capability and motivation) to be credible.  For example, a skilled hacker seeking access to a Facebook account is considered a credible threat because the hacker has the capability (skills) and motivation (financial/ideological gain from the use of the organization's Facebook account).
  • Interested parties.  Serious hackers, interested computer novices, dishonest vendors or competitors, disgruntled current or former employees, organized crime rings or even agents of espionage pose a potential threat.
  • Poor security program/poor employee security awareness.  Hackers often exploit well-known weaknesses in how users create and manage passwords.

Internal controls are mechanisms that enable the organization to achieve its business objectives.  With appropriate controls in place the organization is able to effectively mitigate the risk posed by a threat.  With respect to social media, internal controls are designed to meet three main objectives:

  • Confidentiality:  Preventing the disclosure of sensitive information;
  • Integrity:  Preventing unauthorized modifications to information and maintaining internal and external consistency; and,
  • Availability:  Ensuring that the systems are working and that the data is accessible to users as required.

In addition to requiring the documentation of threats and vulnerabilities, the SMRAP also requires the documentation of associated controls.  To maintain an effective social media risk assessment process the organization must ensure that the organization has adequately considered the implementation of the following types of controls:

  • Preventative Controls:  These controls are established to avoid occurrences of unwanted events.  This type of control may include passwords, policies, procedures, security awareness program, etc.  These controls are considered “proactive.”
  • Detective Controls:  These controls alert and identify violations after the fact.  These controls can include social media monitoring and other information that provides notification after the event has occurred.  These controls are considered “reactive.”
  • Corrective Controls:  These controls are intended to remedy unauthorized events and to restore the original controls.  For example, the ability to reset the custodian of a social media account that has been locked out due to some adverse event is considered a corrective control.
  • Deterrent Controls:  These controls discourage violations. For example, a policy statement that states that violators may be terminated for non-compliance with the social media policy is considered a deterrent control.

Part 4 of this series will begin discussion on the risk assessment process.
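As an added example (not the series' own Part 5 template), the following Python risk register scores each threat/vulnerability pair using the process described in Part 4 above together with the severity-and-likelihood definition of risk and the four control types from this part: inherent level, residual level after planned controls, escalation of moderate or high residual risk, and the action-plan fields (step, owner, time frame).  Assumptions not taken from the page: likelihood and severity are each scored 1..3, the 3x3 matrix in `risk_level` buckets their product into Low/Moderate/High, preventative and deterrent controls lower likelihood while detective and corrective controls lower severity, and the threat names come from the Part 2 list while the vulnerabilities, scores and controls are constructed samples.

```python
"""Social media risk register for the SMRAP (added example, not the series'
own template).  Assumptions not taken from the page: likelihood and severity
are each scored 1..3, the 3x3 matrix below maps their product to
Low/Moderate/High, preventative and deterrent controls lower likelihood, and
detective and corrective controls lower severity.  Threat names come from
the page's own threat list; vulnerabilities, scores and controls are
constructed samples."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

ESCALATE = {"Moderate", "High"}  # residual levels that go to senior management


def risk_level(likelihood: int, severity: int) -> str:
    """Assumed matrix: product of the 1..3 scores bucketed into three levels."""
    for score in (likelihood, severity):
        if score not in (1, 2, 3):
            raise ValueError("scores must be 1 (low), 2 (moderate) or 3 (high)")
    product = likelihood * severity
    if product <= 2:
        return "Low"
    if product <= 4:
        return "Moderate"
    return "High"


@dataclass
class Control:
    name: str
    kind: str           # Preventative | Detective | Corrective | Deterrent (page's types)
    owner: str          # individual responsible for implementation
    due: str            # time frame for completion (action-plan field)
    reduction: int = 1  # assumed: one step on the 1..3 scale per control


@dataclass
class RiskItem:
    threat: str
    vulnerability: str
    likelihood: int     # scored given the controls already in place
    severity: int
    planned: List[Control] = field(default_factory=list)

    def inherent(self) -> str:
        return risk_level(self.likelihood, self.severity)

    def residual_scores(self) -> Tuple[int, int]:
        """Re-score the pair after the planned control enhancements are applied."""
        lik, sev = self.likelihood, self.severity
        for c in self.planned:
            if c.kind in ("Preventative", "Deterrent"):
                lik = max(1, lik - c.reduction)
            elif c.kind in ("Detective", "Corrective"):
                sev = max(1, sev - c.reduction)
            else:
                raise ValueError(f"unknown control type: {c.kind}")
        return lik, sev

    def residual(self) -> str:
        return risk_level(*self.residual_scores())


def assess(register: List[RiskItem]) -> List[Dict[str, object]]:
    """One row per threat/vulnerability pair: inherent and residual level,
    whether the residual level must be escalated, and the action plan."""
    rows = []
    for item in register:
        rows.append({
            "threat": item.threat,
            "inherent": item.inherent(),
            "residual": item.residual(),
            "escalate": item.residual() in ESCALATE,
            "action_plan": [(c.name, c.owner, c.due) for c in item.planned],
        })
    return rows


# Constructed sample register; threat names are from the page's Part 2 list.
SAMPLE_REGISTER = [
    RiskItem("Disclosure of Confidential Customer Information by Employees",
             "no social media awareness training", likelihood=3, severity=3,
             planned=[Control("Awareness training", "Preventative", "HR", "Q2"),
                      Control("Termination clause in policy", "Deterrent",
                              "Compliance", "Q1")]),
    RiskItem("Spam/Malware/Virus Attacks Against Social Media Platform Friends/Followers",
             "weak password on the bank's Facebook account", likelihood=2, severity=2,
             planned=[Control("Strong password standard", "Preventative", "IT", "Q1")]),
    RiskItem("Excessive/Inappropriate Use of Social Media by Employees",
             "no usage monitoring", likelihood=2, severity=1),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        print(row)
```

The first pair stays at Moderate even after two controls, so it is flagged for senior management; the second drops to Low and needs no escalation.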

Monday, February 20, 2012

Social Media Risk Assessment Process - Part 2

The first step in the Social Media Risk Assessment Process ("SMRAP") is to identify the social media-related threats that can adversely affect the organization.  While these threats can be technology-based, they are most dangerous when they originate from human acts.

The ubiquitous use of social media has brought social media-related threats to the forefront.  Among the threats associated with social media are:

  • Disclosure of Confidential Customer Information by Employees;
  • Disclosure of Confidential Company Information by Employees;
  • Systems Outages Due to Social Media-Based Virus/Malware Infections;
  • Remediation Expenses Related to Social Media-Based Virus/Malware Infections;
  • Loss of Branding Content Contained on Social Media Platforms;
  • Lawsuits Related to Alleged Improper Use of Social Media in the Hiring Process;
  • Lawsuits Related to Alleged Improper Use of Social Media in the Termination Process;
  • Loss of Opportunity to Hire Star Employees Due to Information Contained on Social Media Platforms;
  • Spam/Malware/Virus Attacks Against Social Media Platform Friends/Followers; and, 
  • Excessive/Inappropriate Use of Social Media by Employees.

The SMRAP in and of itself does not assure adequate protection against social media-related risks.  Rather, the SMRAP is part of the organization’s overall Risk Management Program that includes the written policies, guidelines, employee awareness/training and an independent review of the organization’s social media practices.

The SMRAP concludes with a determination of the adequacy of existing controls relative to the identified threats and vulnerabilities.  The SMRAP allows management to determine the need for additional controls to reduce the Bank’s risk exposure. 

Since threats and vulnerabilities change over time, the SMRAP must be updated and reviewed on a regular basis to ensure the appropriateness and effectiveness of the controls in place.  Updates are minor changes to the existing risk profile.  These include changes resulting from the implementation and/or removal of a control, or when the effectiveness of a control changes.  Updates occur when the following events take place:

  • New control is implemented;
  • An incident highlights a minor discrepancy in the current risk profile (i.e., the likelihood or severity of a threat requires minor adjusting or the effectiveness of a control requires adjustment);
  • A risk is no longer applicable; and,
  • A new risk emerges.

The SMRAP should generally occur on an annual basis.  The SMRAP should also take place when the following occurs:

  • Increase in security risks/exposures due to an event or series of events (i.e., significant change in organization's social media strategy, development/implementation of in-house social network, etc.);
  • Cumulative updates indicate the need for a review;
  • Changes in regulatory requirements; and,
  • Serious social media-related incident.

The results of the initial SMRAP and periodic SMRAP updates should be provided to the appropriate party within the organization such as the organization's Audit Committee and Board of Directors. 

Part 3 of this series will discuss risks, threats and vulnerabilities.

Sunday, February 19, 2012

Social Media Risk Assessment Process - Part 1

Do you hear that?  There it is again.  Did you hear it that time?!  Oh man, it's worse than I thought.  The bank examiners are updating their examination procedures to include "social media" and the industry is not ready for it.  What does that mean?  Low Hanging Fruit Time.  Noooooooooo....   

This post is about the development of a Social Media Risk Assessment Process (“SMRAP”).  The SMRAP provides organizations with a systematic approach to evaluating exposure to social media-related risks.  The SMRAP focuses on five components: Threats, Vulnerabilities, Controls, Likelihood of Occurrence and Impact.

[Figure: Social Media Risk Assessment Matrix]

The SMRAP is intended to achieve one basic goal: the protection of the organization's reputation.

Management is responsible for ensuring that systems and data are adequately protected.  Historically this has related to the systems and data maintained within the organization's walls.  Unfortunately, as organizations increasingly move to third-party social media platforms such as Facebook, Twitter and LinkedIn (and for good reasons), management must now take measures to adequately control risks related to external systems.

Management is also responsible for protecting the organization's reputation from intentional and unintentional acts that may cause harm to the organization.  Unfortunately, reputational harm can come from many directions, including public outcry (think Bank of America's debit card debacle or Occupy Wall Street).

A key organizational business objective is to maintain a set of policies and procedures that protect against and mitigate risks related to day-to-day operations.  Social media risks have become part of the day-to-day risks of any organization.  As has been previously stated, organizations cannot determine whether or not to participate in social media.  Social media happens.  And it has been happening for some time.  The question is whether or not management has realized this fact and has moved to mitigate the risks before the risks mitigate the organization.

The SMRAP is used to identify, evaluate, document, monitor and manage social media risks.  Through the SMRAP the organization is able to identify and prioritize social media-related risks and develop appropriate risk management strategies.  Such strategies include the establishment of appropriate policies and the selection of cost-effective controls that implement the policies.

Part 2 of this series will begin the process of identifying the social media threats that must be evaluated as part of a risk assessment process.

Tuesday, January 17, 2012

Social Media-Based Brand Ambassadors - Part 4

The Costs and Risks of Social Media Brand Ambassador Programs

[This post is part 4 in a series of posts related to Social Media-Based Brand Ambassadors.  This post focuses on the costs and risks associated with a brand ambassador program.]

Before an organization chooses to empower and unleash social media-enabled employee brand ambassadors to represent its brand and influence consumers, the organization should carefully consider the costs and risks associated with a social media-enabled brand ambassador program – or any social media effort.  

While social media accounts are generally free and can be created in less than 10 minutes, these accounts are of little use without the human capital (e.g., brand ambassadors) needed to add value to the organization’s social media efforts.  As such, every organization considering the use of social media-enabled brand ambassadors should conduct a risk assessment that will help to identify potential pitfalls which will ultimately protect the organization and ensure the success of the social media-based brand ambassador program.  The organization should use the results of the risk assessment in determining the appropriate strategy.

Bloomberg Businessweek writers Michelle Conlin and Douglas MacMillan address social media risks in their blog post, “Web 2.0: Managing Corporate Reputations.”  According to Conlin and MacMillan, “Social networking is a love-hate relationship.  On the one hand managers want their workers to experiment so they can cultivate new-world skills.  Employees as brand ambassadors!  Products virally transformed into overnight hits!  On the other hand, bosses are filled with foreboding about social networking’s dark side – losing secrets to rivals, the corporate embarrassment of errant employee tweets, becoming the latest victim of a venomous crowd.”

Regardless of the puffery taking place regarding the low- or no-cost features of social media implementations, organizations must not be fooled.  Social media properly implemented costs money.  As such, organizations must determine the social media strategy that best fits the organization’s risk appetite and budget.  In an effort to assist with this analysis the following section discusses the various risks and costs associated with social media implementations – including a social media-based brand ambassador program.

Commitment:  According to consultant Tony de Bree, organizations have done a horrible job of taking care of their employees and customers.  “Clients nor employees believe those companies anymore. We are far from ‘how to turn your ex-employees into ambassadors/promoters.’”

Julie Arnsdorf, President of J. Arnsdorf & Company, agrees with de Bree.  “It's similar to the proverbial tag of we have ‘quality products’ or ‘competitive rates’…it's just talk.  I've seen many marketing departments or ad agencies develop brilliant tag lines for an organization, but the organization never implements the tag line's sentiment throughout their business or bank.  It's simply a hollow statement.”

De Bree’s and Arnsdorf’s comments are not uncommon.  Over the course of the past several decades, organizations have lost credibility with their workers as a result of actions that have eliminated jobs and cut wages.  Most recently, the Occupy Wall Street movement brought to light society’s discontent with the widening gap between the haves and have-nots.

As a result of the natural skepticism of employees and customers, organizations seeking to implement a brand ambassador program must be committed to making the long-term investment necessary to win over both employees and customers.  Lip service is no longer adequate and will surely result in failure.

Expenses:  Many publications, consultants, Web sites and other sources refer to social media as a “no cost” or “low cost” undertaking.  This advice has the effect of misleading many organizations into believing that the implementation and maintenance of a social media strategy, including a social media-based brand ambassador program, is a largely inexpensive undertaking.

In an interview with SmartBlog blogger Sam Taute (“A Look At Social Media Costs And Returns With Erik Qualman”), Socialnomics author Erik Qualman stated regarding social media implementations that “Over 50 percent of businesses found it was more work than they expected.  The most overlooked cost for big and small businesses is the soft-cost in terms of the hours employees must commit to engage properly in the space.”

Blogger Mark W. Schaefer presents a compelling, though potentially discouraging, argument regarding employee social media ambassadors.  In his post “The Hidden Costs of Social Media Conversation” Schaefer states about social media-enabled employee brand ambassadors, “Certainly this interaction can humanize a brand.  But at the end of the day, is paying your employees to be a psychotherapist to a lonely widow in Pittsburgh going to sell hamburgers?  Is that the company’s core business?  And when does it end?  Do you keep adding people to have infinite conversations?”  Schaefer’s comments were in reference to an interview with McDonald’s Social Media Director Rick Wion regarding McDonald’s goal of initiating social media conversations.

Providing a less severe analysis is Brand Infection blogger Nader Cserny, who states that “Social Media is affordable and you don’t need large marketing budgets.  The only main cost is time while developing relationships.”  While Cserny’s conclusion is largely true, as stated by Schaefer, organizations must invest time and money to develop the depth and range of online relationships that meet the organization’s expectations.

Heidi Cohen provides on her blog (“How To Calculate Social Media Costs”) 10 types of social media marketing expenses that every organization should take into consideration when developing a social media strategy.  Heidi’s list is not specific to brand ambassadors.  It is a list that addresses the costs necessary to develop an environment in which brand ambassadors can operate.

  1. Brand Monitoring:  This expense relates to the act of “listening” to conversations on the Internet.  Costs can range from the software used to “listen” to the employee time spent “listening” to the time spent analyzing the conversations to the time spent producing reports.  As previously stated, brand monitoring is a key activity for all organizations.  Regardless of the organization’s decision to enter into social media, every organization at a minimum should actively listen to comments made on the Internet in an effort to better serve customers and take proactive measures, if applicable.  As such, all organizations should realistically budget for this item.

  2. People:  A social media-enabled brand ambassador program requires people.  In small and mid-sized organizations most brand ambassadors will maintain other positions within the firm and will act as brand ambassadors as time and opportunity permit.  In large organizations, brand ambassadors may be dedicated social media-enabled brand ambassadors whose responsibility is to comb the social media universe for branding/influencing opportunities.  Regardless of the format used, people cost money.  As such, to the extent that brand ambassadors conduct their influencing while on the clock, the organization incurs a cost.

  3. Content:  Content is King!  According to the HR Management Guide blog (“Social Media Costs”), “The social media are about the interaction.  The dedicated employee has to find appealing information and has to publish information on a regular basis.”  The content used by brand ambassadors to engage with customers and potential customers must be created either internally or externally.  The nature, complexity and source of the content will determine the expense.

  4. Social Media Platforms:  As previously noted, most social media platforms are free to use.  However, there may be costs associated with their use, such as the development of platform-specific pages/screens (e.g., Facebook landing pages) that require resources to create.  Organizations must be aware of such costs as part of the planning stage of a social media strategy.

  5. Support Media:  The social media strategy will determine the extent to which support media will be necessary.  For example, organizations may create mailings, newspaper advertisements and other activities to drive traffic to the social media platform.

  6. Marketing:  The activities needed to convert social media prospects to buyers.  This includes the marketing campaigns that run on the social media platforms, such as custom “apps.”

  7. Agencies:  Certain organizations may choose to outsource some or all of their social media activities.  These costs must be taken into consideration as part of the overall social media strategy.  Agency costs may include consulting fees, social media outsourcing costs, and other associated expenses.

  8. Technology:  To the extent that technology support is needed to launch and maintain a social media-based brand ambassador program, these costs must be taken into consideration.  Such costs may include providing employees with social media-enabled smartphones, upgrading computers, and any other technology that may be needed.

  9. Analytics:  Every organization with a social media program should have in place a program to analyze the overall effectiveness of the organization’s social media strategy, including brand ambassadors.  The analytics provide the organization with the social media program’s return on investment.

  10. Complexity:  Organizations can spend very little on their social media efforts.  Likewise, organizations with large budgets can spend millions of dollars creating elaborate and complex social media strategies.  With social media there is something for every budget.  The amount chosen must be taken into consideration as part of the planning process.

Code of Conduct:  Brand ambassador success requires that employees commit to the organization’s code of conduct (e.g., respectful tone, free of profanity, etc.) whenever they interact on a social media platform.  Brand ambassadors must understand that their personal social media activity may be interpreted as organization-sanctioned activity.  Therefore, whether on or off the clock, employees must be aware of the effect that their interactions on social media platforms may have on the organization.

A major challenge in developing a strong Brand Ambassador Program is that employees continue to become less loyal.  Back in 2004 Ronald J. Alsop had the following to say about the state of employee relations: “Employees are more cynical and less trusting because of all the recent cases of accounting abuse and executive greed.  What’s more, job insecurity, poor morale, and excessive workloads have eroded employees’ commitment to companies.”  In the post-Occupy Wall Street era it is very likely that these same issues continue to concern workers in 2012.

Blogger Linda Tucci describes in the TotalCIO blog (“Social Media Risks That Will Make Your Hair Stand on End”) an instance involving an executive at a public relations firm.  The seasoned public relations executive was flying to meet with a major client.  Upon arriving in the client’s hometown, the public relations executive tweeted that the client’s hometown was one of those places where he would rather die than have to live.  An employee of the client’s firm read the tweet and passed it on to senior officials at the client and the public relations firm.  To say that the public relations executive had some explaining to do is an understatement.  The embarrassment caused to the public relations firm by its executive was further exacerbated by the fact that the public relations executive was meeting with the client to pitch, of all things, social media communications!

The public relations executive story noted above is an example of a major concern with social media-enabled brand ambassadors.  For this reason it is crucial that organizations provide necessary guidance and training to brand ambassadors.  Ignoring this call to action may result in similarly embarrassing situations that may damage reputation and the bottom line.

Customer Service:  Blogger Rajib Kumar states that “When a consumer posts an issue online, he expects instant response which should be done promptly.  If the response drags, then it has a negative effect on the brand.  Don’t give the consumer time to start bad-mouthing.”

While a 24x7 response is not required for all social media programs, customers now expect to reach organizations via their social media platform of choice.  Further, customers expect prompt responses during business hours.  Their inability to resolve issues in that manner will go a long way toward pushing them to organizations that do provide the expected service.

To the extent that the organization provides customer service through a call center, it is in the organization's best interest to equip the service center with the training and tools needed to provide the expected level of service.

Inconsistent Messaging:  Rajib Kumar emphasizes the importance of providing consistent messaging by stating that “If a query has been posted on different social platforms, the response should be the same and consistent throughout so as not to confuse the customers.”  As such, “The staff managing the social media platforms needs to be organized and have a common vision and goal so that they do not speak in different voices on different platforms.”

Scale:  The HR Management Guide blog suggests that organizations should seek as large of a social media presence as possible to maximize use and investment in social media.  “The social media need a strong and constant presence.  The small presence means no influence, and it does not bring any benefits.  The organization has to build a strong and focused presence to be successful.”

Before developing a program to unleash the organization’s employees as brand ambassadors, the organization must ensure that it truly understands the costs and risks involved and is committed to the undertaking.  Without such a commitment the organization will ultimately fail in its attempt to leverage the advantages of social media.