Twitter, LinkedIn, Facebook, Google+…the decision to establish an on-line presence is a very popular topic these days, and it is extremely easy to do, but effectively managing social media risk can be frustratingly complicated. In many ways. it just doesn’t lend itself to traditional risk management techniques, so the standard pre-entry justification process is much more difficult. And because you are expected to assess the risks before you jump in, many of you may already be accepting unknown risks.
I see 4 big challenges to managing social media risk:
- Strategic Risk – If you determine that engaging in social media would be beneficial to achieving the goals and objectives of your business plan, you’ve made a strategic decision. But even if you decide NOT to engage, you’ve still made a strategic decision because strategic risk exists if you fail to respond to industry changes. (“If you choose not to decide, you still have made a choice”*.) And you are expected to justify your strategy by periodically assessing whether or not you have achieved the goals you anticipated when you made the decision to engage in social media, which leads to challenge #2:
- Cost / Benefit – This is closely related to strategic, but relates to the difficulty of quantifying both the costs (strategic and otherwise) and the tangible benefits. Most institutions decide to engage in social media as a “me too” reaction, but 1 or 2 years later they can’t go back and validate their decision on business grounds because they didn’t have well defined, quantifiable, expectations going in. Anchor your decision on a set of specific goals, which could include increased brand or product exposure, but which should ultimately be defined in terms of an increase in capital and earnings. And although there is a very small financial barrier to entry, there are other costs which leads to my next challenge;
- Reputation Risk – This is where the decision to not engage in social media really manifests itself, because reputation risk exists regardless…it cannot be avoided. All it takes is one disgruntled employee or customer (or a competitor) to post a negative comment about you or your products or services on-line, and your reputation could suffer. If you do have an on-line presence, you may be able to quickly respond to counter the comments, but if you decided to stay out you have no recourse. Also, are your employees blurring the line between their professional lives as official (and controllable) representatives of your institution, and their (un-controlled) personal, on-line lives? In a traditional risk management model, each risk identified would be accompanied by an off-setting control or set of controls. In the case of reputation risk, there really in no way to off-set, or control, the risk. This brings me to the final, and perhaps biggest, challenge;
- Residual Risk – This is the end result of the risk management process; the amount of risk remaining after the application of controls. Essentially, this is what you deem “acceptable” risk. Since social media risk can never be completely avoided (see #3 above), you are already accepting some measure of risk. The challenge is to quantify it. Auditors and examiners expect you to have a firm grasp on residual risk, because that is really the only way to validate the effectiveness of your risk management program. An uncertain or inaccurate level of residual risk implies to examiners an ineffective (or even non-existent) risk assessment.
So managing social media risk boils down to this: You must be able to justify your decision (both to engage and to not engage) strategically, but to do so requires an accurate cost/benefit analysis. Both costs (reputation, and other residual risks) and benefits (strategic) are extremely difficult to quantify, which means that in the end you are accepting an unknown level of risk, to achieve an uncertain amount of benefit. Ordinarily that would be a regulatory red-flag, but clearly many institutions currently have an on-line social media presence. So at this point the question becomes not so much how did they arrive at that decision, but how will they justify their decision (and manage the risk) going forward?
*Lee, Geddy; Lifeson, Alex; Peart, Neil