Continuously monitor social media for risk and control issues and opportunities
This week, I met with a software company that specializes in monitoring social media. Their customers are interested in spotting ‘chat’ and discussions about their organization, its products and services, and the extended enterprise (e.g., vendors and channel partners). The company’s products identify and analyze all of this and report the results (generally on an exception basis) so that management can take action.
For example, this technology can be used to identify and report:
- Negative sentiment about the company, its brand, or its products and services
- Employee morale issues
- Inappropriate comments about the company, such as leakage of financial/operating information, by employees, management, or the board
- Potential leakage of intellectual property, plans for new products, strategies, or plans
- Workforce management issues (think of Apple’s problems at Foxconn) at a major supplier or service provider
- Chatter about the company’s credit position
- Comments about new products from competitors
- Discussions of potential new regulations or enforcement actions in locations where the company operates but has little on-the-ground insight (human intelligence)
- Indications of changes in the economy – good or bad
- Potential problems at competitors that might be an opportunity for the company
- and so on
I have been talking (in my various presentations) about the value of monitoring social media as part of a continuous program of risk management and of controls assurance. Clearly, that technology is developing fast and every organization should be giving strong consideration to its deployment.
My belief is that many companies use it to monitor comments about the company, brand, products and services. Some use it to monitor platforms like Twitter for complaints and then respond promptly to satisfy customers. By the way, this has surprisingly excellent results when used effectively: those complaining are so pleased with a prompt response that their attitude turns around and they become advocates. The companies that are silent to Twitter complaints only amplify the voice of the disaffected.
I think the potential for monitoring risks and identifying opportunities is excellent. But a disciplined process and platform are critical for the efficient and effective use of the tools.
You don’t want to have scattered and uncoordinated, even overlapping, use. You don’t want to have a process where issues are identified in 5 minutes but only acted on in 5 days because they don’t reach the right desk in a useful fashion.
I prefer a top-down approach:
- Identify the risk areas that can benefit from social media (or general web) monitoring. Generally, the aim will be to identify changes in the level of risk indicators (and especially leading risk indicators).
- Define the tools that will be used to monitor the risk areas, and how the results will be routed and acted on. Build into the process the ability to monitor delays in taking action, and to update risk levels by linking or integrating the tool with the ERM solution.
- Implement the tools.
- Monitor and adjust for continuous improvement.
Now there is a disciplined process for defining the need, implementing the tools in a way that will update risk levels as needed, and routing the results so they can be acted on.
What do you think? Are you using this technology effectively? If not, why not and when will you do so?
Who should drive the use of the tools? Should it be left to Marketing, or should risk management, IT security, and internal audit be part of the owner group?