Continuously monitor social media for risk and control issues and opportunities
This week, I met with a software company that specializes in monitoring social media. Their customers are interested in spotting ‘chat’ and discussions about their organization, its products and services, and the extended enterprise (e.g., vendors and channel partners). The company’s products identify and analyze all of this and report the results (generally on an exception basis) so that management can take action.
For example, this technology can be used to identify and report:
- Negative sentiment about the company, its brand, or its products and services
- Employee morale issues
- Inappropriate comments about the company, such as leakage of financial/operating information, by employees, management, or the board
- Potential leakage of intellectual property, plans for new products, strategies, or plans
- Workforce management issues (think of Apple’s problems at FoxConn) at a major supplier or service provider
- Chatter about the company’s credit position
- Comments about new products from competitors
- Discussions of potential new regulations or enforcement actions in locations where the company operates but has little on-the-ground insight (human intelligence)
- Indications of changes in the economy – good or bad
- Potential problems at competitors that might be an opportunity for the company
- and so on
I have been talking (in my various presentations) about the value of monitoring social media as part of a continuous program of risk management and of controls assurance. Clearly, that technology is developing fast and every organization should be giving strong consideration to its deployment.
My belief is that many companies use it to monitor comments about the company, brand, products and services. Some use it to monitor platforms like Twitter for complaints and then respond promptly to satisfy customers. By the way, this has surprisingly excellent results when used effectively: those complaining are so pleased with a prompt response that their attitude turns around and they become advocates. The companies that are silent to Twitter complaints only amplify the voice of the disaffected.
I think the potential for monitoring risks and identifying opportunities is excellent. But, a disciplined process and platform is critical for the efficient and effective use of the tools.
You don’t want to have scattered and uncoordinated, even overlapping, use. You don’t want to have a process where issues are identified in 5 minutes but only acted on in 5 days because they don’t reach the right desk in a useful fashion.
I prefer a top-down approach:
- Identify the risk areas that can benefit from social media (or general web) monitoring. These will generally be to identify changes in the level of risk indicators (and especially leading risk indicators).
- Define the tools that will be used to monitor the risk areas, and how the results will be routed and acted on. Include in the process the ability to monitor delays in taking action as well as the updating of risk levels by linking or integrating the tool with the ERM solution.
- Implement the tools.
- Monitor and adjust for continuous improvement.
Now there is a disciplined process for defining the need, implementing the tools in a way that will update risk levels as needed, and routing the results so they can be acted on.
What do you think? Are you using this technology effectively? If not, why not and when will you do so?
Who should drive the use of the tools? Should it be left to Marketing, or should risk management, IT security, and internal audit be part of the owner group?
Recent Posts on this Blog
- The risk of material errors in the quarterly financial statements March 10, 2017
- Is your compliance program strong enough? March 4, 2017
- Embedding risk into strategic planning and more February 25, 2017
- Cyber and reputation risk are dominoes February 18, 2017
- The current state of risk management February 11, 2017
- When an acceptable level of risk is not acceptable February 4, 2017
- How to mess up your risk management program January 28, 2017
- The value of a risk register January 21, 2017
- Risk in the Fourth Dimension January 15, 2017
- How much cyber risk should an organization take? January 7, 2017
- The real risks: the ones not in the typical list of top risks December 31, 2016
- An expert shares his views on the future of risk management December 18, 2016
- Selecting software to help manage user access risk December 17, 2016
- User access risk and SOX compliance December 12, 2016
- Risk and Culture December 9, 2016
- The Idea of a Unified Risk Oversight Council March 10, 2017
- The Integration of Governance, Risk, Compliance, and Related Activities March 6, 2017
- Cybersecurity Effectiveness February 27, 2017
- Cyber Root Cause Alarm Bells Are Ringing February 20, 2017
- Reports That Provide Actionable Information February 14, 2017
- What Is Holding the Company Back? February 6, 2017
- Do Internal Audit Reports Matter? February 1, 2017
- Monitoring Laws and Regulations and Their Effect on Your Organization January 24, 2017
- An Important Cyberrisk Framework January 16, 2017
- Deloitte Shares a List of "Risk" Trends to Watch in 2017 and Beyond January 9, 2017