The Social Media Risk Assessment Process ("SMRAP") should be incorporated as a component of the organization’s overall risk management strategy.
Generally, a revised social media risk assessment should be conducted on an annual basis. The fundamental basis of the SMRAP is to balance the Bank's desire and need to utilize social media against the other factors associated with doing business. The organization must recognize that some risk must be accepted in order to make use of social media for business. The organization must also recognize that some social media risks exist regardless of the organization's social media strategy. As such, the risk assessment program provides a practical approach to efficiently and cost-effectively identifying the risks associated with social media use, regardless of the look and feel of the organization's social media strategy.
Risk assessments help ensure that employees comply with the organization's requirements as outlined in its social media policy, code of conduct and other related policies. The SMRAP also raises employee awareness regarding social media risks associated with their business unit’s use of social media. Additionally, the SMRAP assists the organization in making informed decisions about the need for additional risk mitigation controls.
The SMRAP can be conducted by a centralized department or rolled out to departments and sites on a decentralized basis. Each organization must determine how to best disseminate the SMRAP. The goal of the SMRAP is to identify threats and vulnerabilities posed by social media. This may be difficult to do through a centralized approach if the organization is large and/or spread out geographically.
Those responsible for performing the SMRAP must identify each threat and its associated vulnerabilities. For each vulnerability, the manager must determine the controls in place to prevent the vulnerability from being exploited, the severity of the impact on the organization if it were exploited, and the likelihood of that exploitation occurring given the existing internal controls. It is important to note that this process requires a certain level of subjectivity. As such, the success or failure of the SMRAP hinges upon the knowledge and understanding of the individual(s) performing it, and the organization should select individuals with experience in assessing risks and business impact. The use of junior staff to conduct the SMRAP may lead to under- or overestimated conclusions unless the staff are well supervised. Part 5 of this series will describe an easy manner to document the SMRAP.
Once the risk level is determined for each threat/vulnerability pair, organizations may consider additional controls for moderate- and high-risk levels. After the control enhancements have been incorporated, the threat/vulnerability pair is re-evaluated to determine the residual risk that remains after the control is implemented.
The outcome of the SMRAP process is the mitigation of risk to acceptable levels, thereby providing adequate protection to the organization. As such, to the extent that moderate- and high-risk levels remain after the implementation of mitigating controls, the threat should be elevated to senior management for further discussion. It is important to note that operating under moderate- or high-risk levels is not uncommon. However, under such circumstances it is important that the appropriate parties are aware of the risks, so that all options have been considered and no party is surprised later. This awareness is crucial for line units, particularly during periods of duress. Consider it a form of CYA!
In cases in which additional controls must be implemented to mitigate moderate and high risks, the organization should consider the development of a formal written action plan that documents the controls. The action plan should include the steps to be taken, the time frame for completion and the individuals responsible for implementation of the controls.
It is highly recommended that the SMRAP be evaluated by the appropriate parties within the organization. This may include the CEO, CIO, IT Steering Committee, Compliance Committee, Audit Committee and the Board of Directors. The purpose of the review should be to share the strengths and weaknesses of the organization’s social media strategy from a risk perspective. Identified organizational vulnerabilities should be addressed with the appropriate personnel for the purpose of implementing corrective actions.
The SMRAP focuses on strategic and operational issues. Organizational vulnerabilities are weaknesses in the organization's policies or practices that can allow a threat to materialize. Part 5 of this series will drill down into specific threats and vulnerabilities and will provide, as a template, the most common ones. However, the framework introduced in Part 5 provides sufficient flexibility to allow the user of the SMRAP to customize the process with organization-specific threats and vulnerabilities.