Identifying and assessing risk is the basis of most of the work done in internal audit, but it is getting harder to keep up with the most relevant risks. In today’s environment, new risks are introduced faster than we can react, and both the emerging and established risks are always changing. Often the most complicated risk to understand and evaluate is reputational risk, and one of the most volatile aspects of reputational risk comes from social media.
Social media touches nearly every aspect of our lives, including our work lives. Just 10 years ago, most corporations had a blanket policy to block employee access to social media sites. Now that policy is gone, since social media sites are used for marketing, recruiting, and research. Blocking these sites would be irrelevant anyway: nearly every employee carries a smartphone with access to any site they want to visit.
With the prevalence of social media in our lives and in our jobs, how does social media impact an organization’s reputational risk? The risk comes from many sources that tend to fall into several categories, such as network impact, failed campaigns, and individuals posting about your organization.
Individuals are the real wild card. These rogue posters are completely unpredictable and include your employees (current and former), your customers, your competitors, your suppliers, and even the general public. They can attack you on any social media site, and just one post can go viral, taking on a life of its own.
Your organization may have a very well-controlled official social media process internally, but you probably have no idea what each of your employees is posting on their own. If you have 5,000 employees, then you have 5,000 risks. Each person in your organization has inside information that could be posted to social media, taken out of context, and have potentially devastating results.
The risk to your organization’s reputation should never be discounted. Every organization can be targeted by rogue posters on social media at any time. A non-profit could have a former employee post incorrect information about spending or salaries they perceive as wasteful or excessive. People reading the post can share and repost, and eventually the non-profit could lose donors and funding. A corporation could have an employee disclose confidential information about layoffs that have not yet been announced. Employees could find out they have lost their jobs before anyone has a chance to tell them directly. Even someone from your internal audit staff could be the one posting inappropriately on social media. Lately, less experienced staff have been using sites like LinkedIn as a place to ask audit questions. These questions could be innocent, like asking for an audit program covering a topic. Unfortunately, because of the sensitive nature of internal audit, what an inexperienced staff auditor thinks is a general online conversation could expose a confidential organizational weakness.
Every day you can find people on social media complaining about their jobs or their bosses, even though they are Facebook friends with their coworkers and maybe even the boss they are complaining about, as well as potential future employers. People have always made career-limiting moves, but with Facebook and Twitter, it’s even easier since people can post whatever they are thinking to everyone they know. While this may not be a smart post on the person’s part, it could also reflect poorly on your organization. Your customers can see the post, and they may not want to interact with your disgruntled employee.
Your employees can post seriously damaging content to social media. In 2009, an employee at a pizza chain posted a video on YouTube where he stuffs cheese up his nose before adding it to the pizza. The employees involved were fired, and the store had to be closed for “decontamination,” leading to an immediate loss of business, but the damage to the business’s reputation is ongoing. The video and the news reports are available forever on the internet.
If you have not considered the impact of social media as an element of the reputational risk to your organization, you should include this factor in your next risk assessment. More social media outlets are available all the time, and people are posting more frequently and more recklessly. Implementing a well-controlled social media program is crucial in today’s digitally connected world. We must also consider how our organization can be threatened by individuals posting outside the scope of the officially sanctioned social media account.
Toby is a Certified Internal Auditor (CIA) who holds an MBA with an Internal Audit specialization from Louisiana State University. He is also certified in Control Self-Assessment (CCSA), Risk Management Assurance (CRMA), Internal Control (CICA), and Fraud Examination (CFE). His professional background includes identification and documentation of weaknesses that result in heightened business risk, while recommending solutions to such situations. Toby began his career in internal audit with Macy's Inc. He then worked as an implementation and training consultant for Wolters Kluwer. As a Senior Market Development Consultant at Wolters Kluwer, Toby works with organizations that are looking for software solutions to their audit, risk and compliance needs.
Throughout his career, Toby has assisted numerous internal audit departments in creating, performing, and supervising financial, operational, and compliance audits to evaluate control frameworks, financial systems and operating procedures.