the foundations of social media risk management

BLUE HILL RESEARCH Foundations of Social Media Risk Management December 9, 2014 David Houlihan Principal Analyst

Upload: blue-hill-research

Post on 14-Jul-2015


Focuses on technology investment questions.

Common Questions:

• Finance: What’s the ROI & TCO?
• Information Technology: How do I implement & manage this?
• How does this affect our business?
• Line of Business: Does it improve my performance?

Understanding Social Media Risk

What is social media risk?

How do I understand the value at risk?

How do we effectively respond to these risks?

The Goal

Cost of Prevention / Mitigation + Resulting Cost of Risk < Cost of “Doing Nothing”

Challenges of Social Media Risk Management

• Technology is still emerging and changing

• Lack of transparency regarding how social media is used across the enterprise

• Difficult to estimate / quantify cost of risk

• Multiple or unclear owners for social media risk

• Unclear legal and regulatory requirements for social media use and policy

Poll 1: What’s Your Top Challenge Managing Social Media Risk?

(A) KEEPING PACE WITH CHANGES TO SOCIAL MEDIA

(B) UNDERSTANDING HOW SOCIAL MEDIA IS USED

(C) QUANTIFYING THE COST OF RISK

(D) LACK OF CLEAR ENTERPRISE OWNERSHIP

(E) UNCERTAINTY REGARDING LEGAL REQUIREMENTS

(F) OTHER

We All Know Social Media When We See It. . .

Social Media Categories

• Personal Social: Individual personal / professional tools. Exposes organization indirectly.
• Enterprise Social: Internal corporate collaboration platform. Exposures about record or compliance.
• Corporate Accounts: External corporate comms platforms. Exposes organization directly.

We All Have An Idea of What’s at Risk. . .

• 2012: Netflix under SEC scrutiny for potential Regulation FD violation over CEO Reed Hastings’s Facebook brag about Netflix’s subscriber count.
• Feb 2013: Hacked Jeep Twitter account announces sale of Chrysler to Cadillac.
• Apr 2013: Stock market drops $136 billion after hackers tweet about explosion at the White House from Associated Press accounts.
• Apr 2013: BBC uncovers over 800 investigations of police officers for posting racist content to social media sites and attempts to “friend” alleged victims of crimes.
• Apr 2013: Hearst Entertainment executive Scott Sassa retires after legal department receives sexually explicit text messages Sassa sent in a suspected catfishing and extortion scam.

What Makes Social Media Valuable, Makes it Risky

What are the Risks?

DISCLOSURE

DISCOURSE

CONFLICT OF INTEREST

FRAUD

Disclosure Risk

n. Intentional or accidental release of sensitive information

Business
- Loss of intellectual property
- Loss of competitive market advantage
- Delayed or lost transactions/customers

Legal
- Regulatory and private legal liability

Reputation
- Brand damage
- Lost revenue
- Erosion in shareholder value

Employees or closely related third-parties

Discourse Risk

n. Publication of content that harasses others, or negatively impacts corporate image

Business
- Delayed or lost transactions/customers

Legal
- Legal liability

Reputation
- Brand damage
- Revenue loss
- Erosion in shareholder value

Employees with access to corporate social media

Identifiable employees using personal social media

Third-parties’ discussion of organization

Conflict of Interest Risk

n. Use of social media to connect individuals inappropriately or in violation of restrictions

Business
- Loss of intellectual property
- Loss of competitive market advantage

Legal
- Regulatory and private legal liability

Reputation
- Brand damage
- Lost revenue
- Erosion in shareholder value

Employees or closely related third-parties

Fraud Risk

n. Use of social media to obtain access to employees or sensitive information

Business
- Loss of intellectual property
- Loss of competitive market advantage
- Delayed or lost transactions/customers

Legal
- Regulatory and private legal liability

Reputation
- Brand damage
- Lost revenue
- Erosion in shareholder value

Third-parties seeking access through social media

Poll 2: What Type of Social Media Risk Causes You the Most Worry?

(A) DISCLOSURE

(B) DISCOURSE

(C) CONFLICT OF INTEREST

(D) FRAUD

(E) OTHER

Determining the Strategy That’s Needed

Harm: What are the potential results of a risk event?

1. Direct financial costs
2. Reputation and brand erosion
3. Lost customers and revenue
4. Lost shareholder value
5. Regulatory penalties, legal exposure, and litigation cost

Scope: What are the risk events that could affect our organization?

1. Requirements on corporate statements and disclosures
2. Constraints on relationships and information sharing
3. Sensitivity of information handled by organization
4. Public “profile” of the organization

Likelihood: What is the probability that a risk event will occur?

1. Number of employees using corporate social media
2. Number of employees using personal social media
3. Variety of social media tools used per employee
4. Frequency of use

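Mapping Costs to Investment Planning

Cost of Prevention / Mitigation + Resulting Cost of Risk < Cost of “Doing Nothing”

Cost ($) of Doing Nothing = Estimated Harm ($) of Incident × Likelihood (%) of Incident × Estimated Potential (#) Incidents

Preventative Investments ($) + (Cost ($) of Doing Nothing - Value ($) of Mitigation) < Cost ($) of Doing Nothing

Budget: Preventative Investments ($)

Residual Risk: Cost ($) of Doing Nothing - Value ($) of Mitigation

Inherent Risk: Cost ($) of Doing Nothing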

What’s at Risk?

Average costs following social media risk incidents:

- Financial Costs: $641,993
- Litigation Costs: $650,361
- Lost Revenue: $619,360
- Reduction in Stock Price: $1,038,401

Reputational Losses

Direct Losses

Source: Symantec’s 2011 Social Media Protection Flash Poll

Options for Combating Social Media Risk

POLICY

EDUCATION

MONITOR / ARCHIVE

ACCESS CONTROL

Advantages and Disadvantages

POLICY, EDUCATION, MONITOR, ACCESS CONTROL

- Expense
- Does not affect authorized users
- Does not limit risks resulting from personal accounts

- Little preventative value
- No identification of issues
- No control over activities

- Expense
- No control over activities

- Set standards and limit liability
- Identify issues
- Maintain records for remediation & liability
- Limit ability to access and misuse
- Educate employees on standards & encourage behavior change

Poll 3: Where has your Organization Placed Resources to Combat Social Media Risk?

(A) POLICY

(B) EDUCATION, TRAINING, AND AWARENESS

(C) SOCIAL MEDIA MONITORING

(D) SOCIAL MEDIA ARCHIVING

(E) ACCESS CONTROL

(F) OTHER

Poll 4: Which of the Following is Your Top Priority for Social Media Risk Investment?

(A) POLICY

(B) EDUCATION, TRAINING, AND AWARENESS

(C) SOCIAL MEDIA MONITORING

(D) SOCIAL MEDIA ARCHIVING

(E) ACCESS CONTROL

(F) OTHER

Root Cause Analysis

Disclosure + Discourse + Conflict of Interest + Fraud

Employees

The Role of Training in Social Media Risk

Training and Education

Access Control

Monitoring

Policy

Employee engagement

Clear communication of requirements and responsibilities

Motivation for behavior change

Principles and guidelines of ambiguous situations

Encourage retention, application, and promotion

Employee Education Program

Objectives

1. Explain social media risks and standards

2. Encourage compliance with social policies and standards

3. Identify guidelines and best practices that reduce risks

4. Encourage self-motivation and ownership