Continuously monitor social media for risk and control issues and opportunities
This week, I met with a software company that specializes in monitoring social media. Their customers are interested in spotting ‘chat’ and discussions about their organization, its products and services, and the extended enterprise (e.g., vendors and channel partners). The company’s products identify and analyze all of this and report the results (generally on an exception basis) so that management can take action.
For example, this technology can be used to identify and report:
- Negative sentiment about the company, its brand, or its products and services
- Employee morale issues
- Inappropriate comments about the company, such as leakage of financial/operating information, by employees, management, or the board
- Potential leakage of intellectual property, plans for new products, strategies, or plans
- Workforce management issues (think of Apple’s problems at Foxconn) at a major supplier or service provider
- Chatter about the company’s credit position
- Comments about new products from competitors
- Discussions of potential new regulations or enforcement actions in locations where the company operates but has little on-the-ground insight (human intelligence)
- Indications of changes in the economy – good or bad
- Potential problems at competitors that might be an opportunity for the company
- and so on
I have been talking (in my various presentations) about the value of monitoring social media as part of a continuous program of risk management and of controls assurance. Clearly, that technology is developing fast and every organization should be giving strong consideration to its deployment.
My belief is that many companies use it to monitor comments about the company, brand, products and services. Some use it to monitor platforms like Twitter for complaints and then respond promptly to satisfy customers. By the way, this has surprisingly excellent results when used effectively: those complaining are so pleased with a prompt response that their attitude turns around and they become advocates. The companies that are silent to Twitter complaints only amplify the voice of the disaffected.
I think the potential for monitoring risks and identifying opportunities is excellent. But a disciplined process and platform are critical for the efficient and effective use of the tools.
You don’t want to have scattered and uncoordinated, even overlapping, use. You don’t want to have a process where issues are identified in 5 minutes but only acted on in 5 days because they don’t reach the right desk in a useful fashion.
I prefer a top-down approach:
- Identify the risk areas that can benefit from social media (or general web) monitoring. The aim will generally be to identify changes in the level of risk indicators (and especially leading risk indicators).
- Define the tools that will be used to monitor the risk areas, and how the results will be routed and acted on. Build into the process the ability to monitor delays in taking action, and to update risk levels by linking or integrating the tool with the ERM solution.
- Implement the tools.
- Monitor and adjust for continuous improvement.
Now there is a disciplined process for defining the need, implementing the tools in a way that will update risk levels as needed, and routing the results so they can be acted on.
What do you think? Are you using this technology effectively? If not, why not and when will you do so?
Who should drive the use of the tools? Should it be left to Marketing, or should risk management, IT security, and internal audit be part of the owner group?