1

December 2011

www.crowehorwath.com

What Boards Should Know About Social MediaBy Dorri C. McWhorter, CPA, CIA, and Erika L. Del Giudice, CISA, CRISC

Social networking is here to stay, and board members can’t simply ignore it. For directors to play their governance role effectively, they need to understand both the risks and the opportunities social media offers their organization – and see that they are managed effectively.

The proliferation of these very public forums has opened the door to unprecedented opportunities in the areas of marketing, customer service, recruiting, and relationship building. However, the potential rewards of social media must be weighed against the associated reputational, legal and employment, and information security risks. The damage from a disgruntled former employee’s comments on Facebook, for example, customer complaints on Twitter, or criticism of management on LinkedIn can be substantial and long-lasting.

Social Media and the Seven Components of Corporate GovernanceLooking at social media risks and rewards through the lens of Crowe’s Corporate Governance Framework (below) helps to clarify the role board members should play relative to social media. The seven components of the framework provide a comprehensive view of the complexity, interrelationships, and variables that an organization must manage in order to strengthen governance – for which the primary responsibility rests with the board of directors.

Monitoring

Enterprise Risk Management

Communication

Disclosure &Transparency

Board of Directors& Committees

Legal &Regulatory

Business Practices& Ethics

The Crowe Corporate Governance FrameworkWhen all components operate efficiently and effectively, corporate governance provides a platform for improving business performance and enhancing shareholder value.

© 2009 Crowe Horwath LLP

2

Crowe Horwath LLP

1. Board of Directors and Committees. In addition to being responsible for effective corporate governance, the board establishes the direction and values of an organization, oversees performance, and protects shareholder interests. As part of overseeing performance, board members should understand the opportunities and rewards, as well as the risks, of social media use by the constituents of the organization, as shown on the next page.

2. Legal and Regulatory. Board members need to be aware of the legal risks associated with social media use. Human resources or recruiting might expose the organization to legal and employment risks by basing hiring and termination decisions on information gleaned from social media websites. Labor practices are changing as a result of social media use in the workplace, and keeping up with those changes is essential to avoiding exposures.1

3. Business Practices and Ethics. The board needs to confirm that the social media policy the organization adopts is based on best practices and is enforced consistently. So that no stakeholders in the organization are neglected, a social media policy is best determined by a multidisciplinary team of senior representatives from human resources, legal, IT, marketing, public relations, risk management, compliance, and other relevant functions.2 The resulting written policy needs to address the appropriate use of social media by employees at all levels and in all functions of the organization.

4. Disclosure and Transparency. Shareholders need to be made aware of the risks associated with social networking and how the organization is managing them. Some public companies are now including social media as a risk factor in their annual reports.3

5. Enterprise Risk Management. Before developing and implementing its social media policy, an organization should undertake an initial risk assessment, which identifies and quantifies the various risks associated with social media use. The assessment should take into account not only the likelihood of and potential damage from incidents resulting from social media use but also the cost of opportunities lost as a result of social media not being used. Once the policy is in place, social media risk mitigation should be integrated into the organization’s everyday risk management processes.

6. Monitoring. After an organization implements its social media policy, it needs to monitor employee compliance. Monitoring requires periodic social media risk assessments, which show if any internal controls need to be enhanced.

7. Communication. Communication holds together the various components of the governance framework and keeps the process improving over time. The board should make sure that the social media policy is communicated appropriately and relevant business practices and codes of conduct are addressed.

3www.crowehorwath.com

What Boards Should Know About Social Media

Rewards Risks

1 Customers When social media is used in addition to traditional customer support channels, customers can easily post comments requesting assistance.

An organization might miss business development or marketing opportunities because of a failure to exploit a social media channel.

2 Between Customers and the Public

Customers sharing positive experiences with products or services can inspire the confidence of new customers and be an important deciding factor for choosing a company over its competitors.

Customers can post criticism or defamatory comments about a business and its products or services and are able to share negative comments with each other.

3 The Public Acceptance of social media in the workplace could encourage talented candidates to seek out an organization for employment instead of employers that are not embracing this type of access.

The exponential growth of social media users has generated public disclosure of a great amount of personal data. Malicious users can take advantage of information employees share and use it for social engineering attacks.

4 Between Employees and the Public

Employee communication with the public via social media provides the means to build relationships faster and reach far more potential customers.

If it includes confidential or other sensitive information, a single tweet by an employee or affiliated party could damage an organization’s reputation, disclose business plans, or violate privacy laws and regulations.

5 Employees Human resources departments take advantage of social media as a tool for researching and recruiting new talent.

Using information found on a social media site to make hiring decisions about individuals could result in a claim of discrimination.

6 Between Employees and Customers

Social media encourages an open dialogue, allowing customers to stay up-to-date about product or service offerings.

In the world of social media, employees’ voices are as prominent as those of official company representatives. If employees post offensive content, customers might wonder whether to take their business elsewhere.

Customers

The PublicEmployees

2

4

6

Social Media Rewards and Risks

Crowe Horwath LLP is an independent member of Crowe Horwath International, a Swiss verein. Each member firm of Crowe Horwath International is a separate and independent legal entity. Crowe Horwath LLP and its affiliates are not responsible or liable for any acts or omissions of Crowe Horwath International or any other member of Crowe Horwath International and specifically disclaim any and all responsibility or liability for acts or omissions of Crowe Horwath International or any other Crowe Horwath International member. Accountancy services in Kansas and North Carolina are rendered by Crowe Chizek LLP, which is not a member of Crowe Horwath International. This material is for informational purposes only and should not be construed as financial or legal advice. Please seek guidance specific to your organization from qualified advisers in your jurisdiction. © 2011 Crowe Horwath LLP

4

RISK12917

www.crowehorwath.com

The board should see that the organization invests time and resources in educating its entire workforce – plus its suppliers and business partners – on the intricacies of the policy. In addition, social media policy training should be an ongoing effort rather than a one-time event.

To stay informed about social media’s ongoing impact, board members can deter-mine the type of information the organization communicates to them – for example, customer complaints, employee issues gone viral, or social engineering attacks that take advantage of information shared online.

Enhancing GovernanceNone of the myriad risks associated with social media can be eliminated completely, of course, but responsible corporate governance requires attention to mitigating those risks. An organization’s governance can be enhanced with a thoughtful and structured approach to understanding and assessing social media risks and devel-oping and implementing a comprehensive plan.

Contact InformationDorri McWhorter is a partner with Crowe Horwath LLP in the Chicago office. She can be reached at 312.857.7414 or dorri.mcwhorter@crowehorwath.com.

Erika Del Giudice is with Crowe  Horwath LLP in the Chicago office. She can be reached at 630.575.4366 or erika.delgiudice@crowehorwath.com.

1 See Raj Chaudhary, “Reducing Social Media Risk in the Workplace,” Oct. 14, 2011, http://www.crowehorwath.com/3-column-page.aspx?id=3088&terms=chaudhary

2 For more about creating a social media policy and risk management strategy, see Raj Chaudhary, Jill Frisby-Czerwinski, and Erika L. Del Giudice, “Social Media Uncovered: Mitigating Risks in an Era of Social Networking,” a Crowe white paper, July 2011, pp. 8 – 10, http://www.crowehorwath.com/folio-pdf/TR11908_SocialMediaWhitePaper.pdf

3 Theo Francis, “Warning: Social Media at Estee Lauder…,” footnoted.com, Aug. 23, 2010, http://www.footnoted.com/on-the-lighter-side/warning-social-media-at-estee-lauder/