An employee goes home and writes inappropriate remarks on their personal social media account. Do you know how you would respond? That's exactly the scenario Bank of America faced last year when an employee wrote racist comments about patrons through her personal account. It's also why every bank and credit union needs a documented social media risk assessment in place.
Creating a Social Media Risk Assessment
A social media risk assessment is a thorough examination and documentation of all risks your institution faces and the measures in place to help prevent/mitigate them. It outlines a list of threats, the vulnerabilities they exploit, the systems you have in place to address those vulnerabilities, and a measurement of the likelihood of the risk occurring and the potential severity of the threat's impact.
For example, a threat all institutions face is the risk of an employee accidentally releasing consumer information. If it is accidental, then the cause (vulnerability) is a lack of training and understanding of security steps. You can minimize that vulnerability by establishing documented workflows, training programs, guardrail software, and establishing employee guidelines.
The odds of this happening are low, but the impact on your institution is moderate.
We recommend creating a risk assessment matrix in Excel or Google sheets to house all of this information.
Common Social Media Risks for Banks
Social media risks your institution could face are:
- A leak of company or customer information
- Public relations issues
- Consumer complaints
- Insensitive content
- Accidental posts
- Employee misbehavior
- Negative press
- Poor company performance
- Security compromises
- Platform outages
- Copyright infringements
- Platform TOS violation
- Violation of local, state, or federal law
The risks listed above are broad categories and can have many nuances. As an example, an employee leaking customer information in a Facebook post could be accidental or intentional. It could be from their personal account, or from the brand’s account. Those variables change the scope of the risk, the exploited vulnerability, and the measures required for it to be avoided. When you're drafting your risk assessment, try to imagine each of these potential variations. List them all in your risk assessment matrix, along with the controls, the likelihood, and the potential impact on your institution.
Common Controls for Social Media Risk
Now that you have listed and defined as many potential risks targeting your institution, it's time to pair them with actions to reduce the threat or resulting damage. Consider some of these common controls for social media risks:
- Draft a content creation workflow that involves compliance
- Publish a playbook for all marketing and creative roles that state brand voice and guidelines
- Have all employees read and acknowledge a social media employee policy
- Documented and approved content strategy
- Annual employee training on the most popular social media networks
- This should include your organization's policy and the potential security threats on each network
- Restricting web access on work devices
- Device monitoring for work-owned devices
- Digital security training
- Creating a social listening strategy that encompasses any variation of brand mentions
- Drafting a crisis response grid with the compliance team
- Employee pre-screening that includes an examination of past social media behavior
- Publishing an employee code of conduct
- Installing anti-virus software on all company-owned machines
- An extension of this can be restricting what employees can install on their work machines
- Content archiving
- Vendor risk assessment
Sample Risk Assessment for Banks
It’s important to note that every assessment will be different depending on the size of the institution, the scope of social media activities, and the communities served.
We collected some other social media risk assessment examples from the CBANC community and have linked to them here;
Social Media Risk Assessment (Word)
Social Media Risk Assessment (Excel)
You can see that they share the core components that we have gone over so far; risk, threat measurement, and an outlining of the controls in place to help mitigate that impact.
Creating a Crisis Response Grid
A crisis response grid allows you to plan for emergencies. Low risk is not the same as no risk, and in the evolving landscape of social media, it is difficult to anticipate emerging exposures.
The Y-axis of your crisis response grid should outline crisis “levels,” indicating the degree of severity of potential damage should the risk come to fruition. This is somewhat determined by your institution’s risk tolerance, but some factors to consider are the size of the audience impacted, the potential cost of damages, the newsworthiness of this crisis, and how quickly the situation can be remedied.
For example, the potential severity of damage would be different if I had 100 Facebook followers as compared to having 100,000 Facebook followers. The trigger might be the exact same (say, a disgruntled employee) but my exposure is in the two scenarios is very different.
On the X-axis, you should list all the tools you can use to respond. Here’s a list of common responses:
- Stay silent
- Social media manager responds
- Blocking the offender
- Removing the offending content
- Official statement is made
- Compliance is notified and responds
- Executive team is notified and responds
- Blog post or a video is created addressing the issue
- 24-hour social media monitoring is instituted
- Creation of a dedicated phone number and/or email address for those impacted
- A PR firm is consulted
- Send an email blast to all customers notifying them of the incident
- Issue a public apology
- Create a crisis FAQ
- Create a dedicated customer complaint page, forum, or phone number
- Take the conversation offline
- Pause all scheduled content
Once completed, your crisis response grid will look something like this:
When to Activate your Crisis Plan
Listening is an important part of managing your brand’s reputation. You should have a social media listening strategy that encompasses all major platforms (Facebook, Twitter, LinkedIn, Yelp, and web mentions). At a minimum, you should listen for any mention of your brand (including common misspellings) and products.
If you’re listening effectively, you’ll know what’s being said about your institution and you’ll discover trending news about your brand or industry. Anything that has been identified in your social media risk assessment or has a negative sentiment should trigger some response or consultation of the crisis grid. A vast majority of triggers will be minor, but by making this your operating procedure, you will catch incidents before they have the chance to grow and have a negative impact on your institution. With a plan in place, you can relax knowing you’re ready.
Revisiting Your Social Media Risk Assessment
A year ago, you might not have been concerned about Instagram as a social media channel and left it out of your risk assessment. Today, however, the channel has 800 million monthly users and is ranked as the most influential social media platform for Millennials and Gen Z.
Things change quickly on the internet and part of effectively managing risk is constantly revisiting your documentation. At a minimum, you should update your social media risk assessment at least once a year and any time your brand experiences a crisis. Ask yourself:
- Were there any crises we experienced that we don't have documented?
- Has anyone else in our industry had a crisis that we can learn from?
- Has the likelihood or severity of these risks changed?
- Do we have new tools or partnerships that might serve as an effective control for risk?
Interested in learning more about social media, check out our free Social Media eBooks in our resources section.