Continuously monitor social media for risk and control issues and opportunities
This week, I met with a software company that specializes in monitoring social media. Their customers are interested in spotting ‘chat’ and discussions about their organization, its products and services, and the extended enterprise (e.g., vendors and channel partners). The company’s products identify and analyze all of this and report the results (generally on an exception basis) so that management can take action.
For example, this technology can be used to identify and report:
- Negative sentiment about the company, its brand, or its products and services
- Employee morale issues
- Inappropriate comments about the company, such as leakage of financial/operating information, by employees, management, or the board
- Potential leakage of intellectual property, plans for new products, strategies, or plans
- Workforce management issues (think of Apple’s problems at Foxconn) at a major supplier or service provider
- Chatter about the company’s credit position
- Comments about new products from competitors
- Discussions of potential new regulations or enforcement actions in locations where the company operates but has little on-the-ground insight (human intelligence)
- Indications of changes in the economy – good or bad
- Potential problems at competitors that might be an opportunity for the company
- and so on
I have been talking (in my various presentations) about the value of monitoring social media as part of a continuous program of risk management and of controls assurance. Clearly, that technology is developing fast and every organization should be giving strong consideration to its deployment.
My belief is that many companies use it to monitor comments about the company, brand, products and services. Some use it to monitor platforms like Twitter for complaints and then respond promptly to satisfy customers. By the way, this has surprisingly excellent results when used effectively: those complaining are so pleased with a prompt response that their attitude turns around and they become advocates. Companies that stay silent in the face of Twitter complaints only amplify the voice of the disaffected.
I think the potential for monitoring risks and identifying opportunities is excellent. But a disciplined process and platform are critical for the efficient and effective use of the tools.
You don’t want to have scattered and uncoordinated, even overlapping, use. You don’t want to have a process where issues are identified in 5 minutes but only acted on in 5 days because they don’t reach the right desk in a useful fashion.
I prefer a top-down approach:
- Identify the risk areas that can benefit from social media (or general web) monitoring. The aim will generally be to identify changes in the level of risk indicators (and especially leading risk indicators).
- Define the tools that will be used to monitor the risk areas, and how the results will be routed and acted on. Include in the process the ability to monitor delays in taking action as well as the updating of risk levels by linking or integrating the tool with the ERM solution.
- Implement the tools.
- Monitor and adjust for continuous improvement.
Now there is a disciplined process for defining the need, implementing the tools in a way that will update risk levels as needed, and routing the results so they can be acted on.
What do you think? Are you using this technology effectively? If not, why not and when will you do so?
Who should drive the use of the tools? Should it be left to Marketing, or should risk management, IT security, and internal audit be part of the owner group?