Governance Framework for Social Media Audits - Part 2

We started Part 1 of this series on auditing social media by saying that it is a bit like trying to eat an elephant - where do you start and how do you not let it get out of hand during the process. 

We concluded Part 1 with these most important opening assessment questions:
  1. Do we have in place a social media strategy which is a real strategy, not a series of tactics?
  2. Has the strategy used a formal development process, which has effective risk mitigation steps?
  3. Were multiple stakeholders and disciplines consulted or engaged during the strategy development?
  4. By what process is the strategy maintained and reviewed

Not having a proper Social Media Strategy exposes your organisation to potentially unacceptable exposures not just in marketing or PR but across the whole dimension of stakeholder relationships. In this Part 2 we'll present a Governance Framework for social media, which Auditors can use to plan the task of effective social media auditing.

Just to recap the intention of the series of three posts, we cover in each post, respectively:

  1. To convey the important of a social media strategy
  2. To outline the components of social media governance
  3. To address some auditing practicalities

Governance framework for social media audits

First of all let's look at the bigger picture. The business use of social media has several major components, and as an auditor you are looking to see that all of those are in place. We've mentioned strategy, and there is the role of social media intelligence - monitoring and analysis, and the role of social communities for business, and then governance itself.

Key components of social media planning for business

These are all connected components of how social operates in an organisation, and auditors need to look for how all these components are organised and managed when planning a review. The absence of any of those components is a negative. In particular in this series we are focusing on the strategy element to give insights into governance.

Governance requires a framework, and although "social media policy" and "governance" are often used as interchangeable words, concepts and issues that is simply not the case. If you work in an industry with strong Safety rules you will know what I mean, because Safety Rules are not Safety Governance, and the same in social. A social media policy is an essential element of governance, but it is one part of one section of a governance framework. As an auditor you can view a social media policy as necessary, but far from sufficient to provide appropriate risk mitigation.

Social Media Governance Framework KINSHIP Digital

The governance framework we recommend, and which will satisfy you as auditors and provide adequate coverage of social media exposures has seven major components:

  1. Social media strategy
  2. Reporting of performance and ROI
  3. Mandatory monitoring of social channels (see our Intelligence section of the opening model)
  4. Social media policy, plans, actions, compliance
  5. Management of 3rd party vendors
  6. Employee Training
  7. Compliance protocols

Understanding how these seven areas are planned, and how they are implemented, and operate is the absolute key to effectively auditing an organisations exposures in social media.

How internal auditors need to prepare for a social media audit

The preparation is simple, in theory! Take the seven components, then gather from the relevant parties across the organisation their planning, implementation and review practices for each one, and then (a) decide if those processes are adequate, and (b) if so decide then on an audit approach for each. That's the theory!

In practice there are impediments. An organisation may do all those things, but under different categories. The categories may mean different things to different people - especially as social media is in such an emergent stage. On our part, we have methodologies, techniques and tools behind each of the seven components. We can't fit those into a blog post, so I will describe the key features of each component so that an auditor can understand what fits where in this model.

Social media strategy

This has been covered in Part 1 as an essential element of governance. There needs to be a strategic plan, developed with cross-functional inputs, resulting in a cross-functional Social Media Team, with clear roles, clear links to business strategies, and clear KPIs and review points.

Regular reporting of ROI

Whether is it advertising, sponsorship, recruiting or social media, these need to be monitored against business goals, and reported on at regular intervals. The purpose of reporting is not so much the report itself, but the discipline of review in the sense of Plan Do Check Act as in continuous improvement. We want results, and we need to make adjustments along the way using as much fact-based data as possible.

Mandatory monitoring of social channels

This would seem so blindingly obvious - that if you are not listening in the right places at the right time then you WILL be caught out. Auditors need to understand the detailed processes here, the relationships, the roles, the procedures for handling adverse criticism and trolls, the escalation processes, and how it is determined who speaks on behalf of the company. This development process must involve the strategic communications folk, and the PR and corporate communications folk. As you can imagine, the processes behind this component are quite extensive. Are they in place, are they extensive, are they well managed, are they tested

This issue of monitoring is very complex operationally and organizationally - right now we are just at the tip of the iceberg. It is also linked to framework item #5 "management of 3rd party vendors".

Social media policies and procedures and compliance

In our framework this is where social media policy sits. But it is not all that is in this section of the framework, unless it also covers how things are done operationally, how escalated, what monitoring and response expectations are set, the full breadth and depth of training, and how the policy itself is developed, approved, reviewed, improved, and promulgated. Many of these issues also link and have to align with other sections of the framework, such as the monitoring of social channels.

With regard to the specific issue of social media policies, there are many fine examples and a huge amount of discussion. An example of this approach done well is the publicly available Telstra social media policy, the 3 R’s of Social Media whose outline of 3 simple (and easy to remember) values, which are representation, responsibility, respect each has its own set of real-world behaviours to be demonstrated by staff and in what scenarios they need to be applied.

If you, as an auditor, need a sobering lesson on the scope or lack there-of of a social media policy then please take the time to read the recent case of Applebee (February 2013) see Applebee’s Overnight Social Media Meltdown. You will rapidly appreciate how tangled and confused the web can become, and the exposures of not having a complete and an aligned governance framework. Applebee's did OK, but it was controversial and many thought that they did the wrong thing. 

Management of 3rd-party vendors

This section of the framework refers in particular to the contractual obligations and responsibilities of 3rd parties acting on behalf of an organisation in social media. Outsourcing social media activities is common. You can witness it everywhere, on many of the major brands in Australia for example. Just take a look at their Facebook page or Twitter account and you can see this is an agency or other 3rd party doing the work. You can see the lame risk-free tweets which accompany My Kitchen Rules for example - clearly a 3rd Party with the intern playing it safe as instructed by the owners. The exposures come when things go wrong, and especially when they go wrong out of hours and where there has not been a clear coordination, escalation and resolution process between an organisation and the 3rd party.

Regulatory authorities are increasingly making it clearer that an organisation can not transfer its legal obligations related to social media to a 3rd party - this is not insurance! And hopefully Boards, CEOs, and investors are making it clear that an organisation cannot allow brand value, reputation and customer advocacy to be destroyed by management contracting to 3rd parties. 

Outsourcing is an area which auditors must review in detail, and they are well equipped to do this.

Compliance protocols

OK this is what auditors do. Ensure that procedures are in place to ensure compliance with internal policies and all applicable laws, regulation, and guidance. This cuts across all other areas of our Framework, and is also an important section in its own right. This is a complex part of the work. Just stop and consider the laws and regulations applicable to the finance industry (US example) - below.

That list is staggering isn't it? But auditors in the finance industry are used to coping with this level of complex compliance, including guidance, and now this expertise needs to be applied to social media enabled by a comprehensive framework.

Summary and questions to ask in using the auditing social media governance framework

In summary auditors need to know what processes and procedures their organisations have in place, and are using, covering:

  1. Social media strategy
  2. Reporting of performance and ROI
  3. Mandatory monitoring of social channels (see our Intelligence section of the opening model)
  4. Social media policy, plans, actions, compliance
  5. Management of 3rd party vendors
  6. Employee Training
  7. Compliance protocols

In Part 3 we will discuss some of the practicalities in how to approach a complex organisation to prepare for a social media audit. (If you missed Part 1 see here.)

Download my complete SOPAC 2013 Presentation: Auditing Social Media - the practicalities (Slideshare, PDF).

Walter Adamson
Join me on Google+
My Social Presence

Connect with me /adamson at Linkedin
Follow Kinship Digital our Linkedin Company Page
comments powered by Disqus