Social business: Taming compliance risks

CFO Insights

Without an eye toward compliance and governance risk, the social tools that CFOs see as fundamentally changing their business could, in fact, harm it.

To the regulatory agencies charged with enforcing rules and regulations governing publicly traded companies, a careless reference to a client’s confidential business goals or performance posted on a social networking site may be just as problematic as sharing insider information among friends over lunch. For all of its potential business value, social business may expose publicly traded companies to increased compliance risk that should be incorporated into their risk management and governance policies.

What makes social business riskier than other traditional or even online communications vehicles is its extreme viral and permanent nature. Information posted on social media platforms can potentially reach millions of people in a matter of minutes. And given that almost 60 percent of finance executives view social business as an opportunity to fundamentally change the way their organizations work—according to findings from the 2013 Social Business Global Executive Study and Research Project, conducted by MIT Sloan Management Review in collaboration with Deloitte (see “Despite risks, CFOs embracing social business”)—containing compliance risks is one way to make sure social business changes your company in a positive way.

In this issue of CFO Insights, we’ll address the risk considerations and steps CFOs and other business leaders can take to help their organizations govern social business activities and comply with the evolving regulatory environment.

Managing social business risks and issues

The benefits of employing social business reach across the business to advance strategy, improve marketing, recruit and collaborate, gain competitive intelligence, and enable innovation. Along with it comes a slew of new risks and issues: reputation management, inappropriate use of content, loss of data or intellectual property, and regulatory complications and penalties.

As companies formulate strategies for using social media, it is important to think of the risks involved and the impacts on regulatory compliance. The information on corporate social media sites may be subject to similar regulatory requirements as traditional content, but social-sphere activity may create situations not covered by traditional rules and risk frameworks. The challenge companies—and their employees—now face with using social media tools in their business is managing their risks effectively.

The degree of that challenge was reflected in responses to polls taken during a recent Deloitte webcast, “Social Business and Regulatory Compliance: What New Challenges Could You Face?” According to 23 percent of the almost 1,500 respondents, employees not educated in social-media matters pose the greatest risk when it comes to social business, followed by disgruntled customers (17 percent), and loss of intellectual property (14 percent). Yet, despite the seriousness of those risks, there is little consensus over who should own their mitigation: in the pulse poll, 19 percent of respondents said that the social media team was responsible for managing social media policy and regulatory compliance, 17 percent pointed to legal, and 11 percent said no one was in charge (30 percent didn’t know or the question was not applicable).

Regulatory issues to consider

When considering the regulatory issues around social media use, it is important to look across the organization and understand how individual business areas and activities are regulated. Each regulatory agency has a different point of view, and companies should be aware of them when crafting their compliance approaches. The regulations and guidelines of the various regulatory agencies include the following:

  • Financial Industry Regulatory Authority. The FINRA has issued extensive guidelines concerning social networking websites and business communications, specifically retention of social media communications to customers, investment recommendations triggering National Association of Securities Dealers suitability requirements, and blog participation supervision and advertisement rules.
  • Securities and Exchange Commission. In April 2013, the SEC issued a report that clarifies that companies can use social media outlets to announce key information in compliance with Regulation Fair Disclosure (Regulation FD) as long as investors have been alerted about which social media platform will be used. However, a company should be careful to review the specific guidance, as some types of social media may restrict access or investors may not know about it. [1]
  • National Labor Relations Board. The NLRB focuses on workplace policies and their interaction with employees’ rights under Section 7 of the National Labor Relations Act. Its approved policy prohibits “inappropriate postings.”
  • Food and Drug Administration. The FDA’s communications rules led to the shutdown of many pharmaceutical social networking pages when the agency eliminated the option to turn off public comments.
  • Federal Trade Commission. The FTC has issued rules regarding identity and affiliation disclosures, disclaimers, and endorsements.

[1] Regulation FD and Section 13(a) of the Exchange Act;

Develop a social business governance strategy

Managing the potential regulatory risks entailed by the use of social business tools starts with incorporating social business risk into risk management and compliance programs. Deloitte, for example, has established a social media working group, comprised of people across the organization, from risk, talent, information technology, and the business units. This group brings together diverse perspectives to address and set policy on the various risks and issues that come up around using social tools and technologies.

To govern social media effectively, however, companies should work closely with employees to help them understand the role that social media plays in the company and the ways that it can be leveraged to help achieve strategic goals. In addition to detailed social media policies that clearly communicate the “dos and don’ts” of social media usage, governance around social business should address the company’s vision as well as policy, training, monitoring, and enforcement. Specifically, social business governance should:

  • Educate employees, then empower them.
  • Help employees understand and own the risks.
  • Hold employees accountable.
  • Address organization social media account “ownership” and handoffs when spokespeople leave.

Furthermore, companies should educate their employees on how violating rules of confidentiality and professional discretion can lead to regulatory noncompliance and legal difficulties that can have far-reaching consequences for those involved.

Employees should understand the nature of the regulations in place, why they exist, and the potential consequences of violating them. Some employees may think that, because current regulations were not written specifically to address social media, social media is somehow exempt from traditional oversight. As many companies have learned, that is not the case.

Leveraging internal audit capabilities

To help assess and reduce the risks of social media usage, an important, but often overlooked, resource is internal audit (IA). Internal auditors, with their training and experience in identifying and assessing risk, and their broad view of the organization, are often in an ideal position to advise their organizations on how to manage risks appropriately. And when addressing regulatory and governance issues, IA can help organizations understand potential risks, develop business processes to help mitigate them, monitor compliance with implemented processes, and assess implemented controls.

For example, IA can assist with guidance on the policies that need to be developed so that social media activities comply with current regulations. IA can also perform gap assessments of the organization’s current policies and procedures against legal and regulatory requirements and guidelines governing enterprise social media use. After all, when an organization’s social media policies and procedures have not kept pace with regulatory changes, compliance and legal risks can emerge. If these risks aren’t adequately addressed, an organization could stand exposed to enforcement actions or civil lawsuits.

Similarly, inadequate governance of social media can result in a number of uncoordinated and inefficient activities that can translate into missed opportunities. For example, a lack of a broad vision for how social media will transform the business may lead companies to pursue the wrong goals and metrics or, worse, not pursue transformative opportunities at all. Or a gap in implementing mature operating models for social media may result in duplicate efforts, wasted investment, poorly allocated resources, and limited organizational learning.

Organizations should consider tapping internal audit to serve as an objective assessor of their social media governance programs. Through independent audits and risk assessments, IA can play a critical role in providing insights into the effectiveness of governance structures that have been implemented. The internal audit function can also help foster positive change by helping to create effective governance structures that are in line with the organization’s culture and risk appetite.

With more and more users linking, liking, friending, and following, social media is an important medium for communicating with customers, increasing brand awareness, and promoting innovation and collaboration among employees. Without an eye toward compliance and governance risk, however, the tools that CFOs see as fundamentally changing their business could, in fact, harm it.

Despite risks: CFOs embracing social business

CFOs and other C-level executives are rapidly warming to the benefits and value social business can bring to their organizations. However, adoption and implementation of social business as an integral part of the enterprise remains nascent at many companies, according to findings from the 2013 Social Business Global Executive Study and Research Project, conducted by MIT Sloan Management Review in collaboration with Deloitte. The project surveyed 2,545 business executives, managers, and analysts from 25 industries and 99 countries.

For 70 percent of respondents―and 59 percent of those in the CFO/Treasurer/Comptroller group―social business is viewed as an opportunity to fundamentally change the way their organizations work. “Where many CFOs and C-suite executives were once quick to dismiss social business as a fad or distraction, more and more are recognizing the important role social business can play in driving performance for their organization,” says David Kiron, Ph.D., a co-author of the report and executive editor of the Big Ideas Initiatives at MIT Sloan Management Review.

C-suite executives’ embrace of social business bodes well for the success of “social” initiatives within their organizations, notes study co-author Doug Palmer, a principal at Deloitte Consulting LLP and leader of Deloitte Consulting’s Social Business practice. “We have found that companies with strong executive support for social business tend to have more effective programs and experience better results. If employees see top executives genuinely excited about, and committed to, using these new tools, they’ll be more likely to adopt them,” he adds.

The number of respondents indicating that social business is important to their businesses today (36 percent) doubled over the previous year, and a majority (54 percent) now expect social business to be important to their organization one year from now, compared with 40 percent in last year’s study. “These results suggest that managers increasingly view social business as a source of business value and relevant to how their companies compete in their markets,” Kiron observes.

Despite the increasing recognition of social media’s importance, the study found less progress when it comes to organizations becoming social businesses. “We see evidence of burgeoning social business activity, but the majority of companies appear to be stuck in first gear,” says Anh Nguyen Phillips, senior manager, Deloitte Services LP, and a member of Deloitte’s US Strategy, Brand & Innovation group. For example, nearly 90 percent of respondents said their companies are currently using social media to some extent. Yet, when respondents ranked their organizations’ social maturity on a 1-to-10 scale (10 being very close to maturity and 1 not close to maturity), 52 percent rated their organization at the early stage. Thirty-one percent fell into the developing stage and 17 percent assessed their company as being in the maturing stage. “In many organizations, social business is still an experiment,” Phillips adds. Of the 44 percent of respondents who said a social business initiative is being implemented in their departments, more than half of those initiatives were identified as pilot projects.

About Deloitte’s CFO Program
The CFO Program brings together a multidisciplinary team of Deloitte leaders and subject matter specialists to help CFOs stay ahead in the face of growing challenges and demands. The Program harnesses our organization’s broad capabilities to deliver forward thinking and fresh insights for every stage of a CFO’s career–helping CFOs manage the complexities of their roles, tackle their company’s most compelling challenges, and adapt to strategic shifts in the market.