What is best practice when it comes to the use of social media by employees and what should internal auditors be mindful of in this area?
Before we look in detail at social media use by employees, we need to establish that social media covers a range of channels and these channels may be owned by the employer or the employee. For each channel there may also be a range of user profiles created with different promotional responsibilities.
The number of social media channels is growing, and the popularity of individual channels ebbs and wanes over time. Facebook and Twitter are recent examples on how the mismanagement of posts that are viewed as offensive and the unfortunate placement of advertisements has had a potentially damaging impact on brands. Organisations have recognised that reputation by association can be negative as well as positive and have boycotted channels that do not have adequate controls in place.
If we consider the channels that are owned by the organisation the objective of using these channels is ultimately to promote and maintain the brand.
Employers should be able to control the narrative of these channels. They can ensure that only approved content is put out and they can ensure that their use of social media is governed by a strategy that is capable of being monitored.
Successful corporate use of social media relies on developing a social media strategy. The strategy defines the objective, purpose and identifies the channels to be used.
The paradox for many organisations is balancing control with empowerment. Some of the best ideas can come from employees who are not central to sales and marketing, for example some of the organisations best salespeople may be the service engineers who go out to client’s sites. So by centralising the function, it is easier to manage the profiles, control the narrative, but this could be at the expense of limiting ideas.
There are two audit areas to consider, measuring efficiency and effectiveness and then control. In the digital age companies are focusing more of their advertising budgets on social media channels so we as auditors need to consider value for money as well as compliance.
Due to how the use of social media has evolved in business one of the issues faced by many larger organisations is housekeeping. Over time various departments could have built up numerous social media profiles that are no longer maintained, and even have been forgotten about as the employee who managed the profile could have moved on.
In one medium sized public body, a recent audit identified over 200 different user profiles covering numerous channels – the issue for the organisations management was that many of the profiles had not been used for several years and as an they had been created and maintained by employees who were no longer with the organisation they could not be accessed.
As a result, an auditors first task is often to undertake a discovery exercise. If the IT department are not able to assist there are numerous “eDiscovery” and “Social Listening” tools available and these are an effective method of identifying both profiles linked to the organisation and references to the organisation.
But as auditors we want to focus on how well the organisation manages risk and these can typically be grouped as follows:
The organisation fails to suitably manage its Social Media presence generated internally (or by associated third parties) impacting upon its reputation;
The organisation fails to harvest ideas from its wider employee base: and
The organisation fails to suitably monitor and where appropriate respond to externally generated Social Media activity including:
That from which it can benefit and therefore contribute to; and
That which may cause harm and therefore needs to respond to.
Value for Money
Just a reminder that in this context value for money is about achieving the right balance between economy, efficiency and effectiveness, the 3Es – spending less, spending well and spending wisely;
Economy – Acquisition of resources in appropriate quality and quantity, at minimum cost.
Efficiency – Maximum output for any given set of inputs or the minimum inputs for any given quantity and quality of goods and services provided.
Effectiveness – Extent to which any activity achieves the intended results, which can be either quantitative or qualitative.
We should be focusing on how management are planning and monitoring the use of social media to achieve this balance.
Typically, we would expect that the team responsible for social media are compiling metrics to aid management assess performance that includes as a minimum:
Analysis of each social media profile
Identifying top performing social media posts
Identify your site’s most shared content
Fortunately, most of the well-known platforms are able to generate analytics for example Facebook’s include;
Most engaging posts
As auditors we should be looking at the governance and reporting arrangements around this information to ensure that the metrics are accurate, appropriate and provided to management in format that informs decisions that are in line with the 3Es.
Personal Social Media Use
This is the area that can cause the most issues for management, it is a balancing act between empowerment and control set against privacy.
Take for a moment the scenario where a company’s management team are looking at options for re-structuring, there will be scenarios, papers other documents and discussions, all of which are highly confidential. Someone who is not part of the senior management team became aware and using their personal social media accounts divulges, albeit without naming the organisation, something of the plans.
Confidential information leaked, hence potential damage to the brand
Break down in trust between employee and employer
Company goes into damage limitation exercise
Company considers action against employee – but can they?
Many organisations will have a confidentiality clause in the contract of employment, but is it always reasonable to assume the employee understood the clause and its intent?
Does the company have in place a Data Classification scheme and employ protective marking?
Has the company implemented a Social Media Policy and instructed staff on its interpretation?
This particular incident occurred about 5 years ago and despite the fact that the organisation was a public body it did not have in place a Social Media policy, nor had it adequately covered confidentiality in its terms and conditions of employment, the Employee Handbook or at Induction.
As a result, the organisation took no further action above and beyond a formal interview but what it did was to:
Amend the contract of employment and employee handbook;
Include data privacy and security as part its induction course;
Set up a project to look at Data Classification; and
Draw up a Social Media policy
Social Media Policy
The purpose of a policy is to give clear guidelines on how employees should and should not communicate using social media channels with regard to the organisation. The number and variety of social media channels is changing with increased regularity so the policy should not seek to identify channels nor be too prescriptive.
Encouragement, trust and empowerment can have a very positive impact on the way employees talk about organisation on social media, but there needs to be rules, guidance and above clarity on where the line is that should be crossed.
Use of social media is in the end a balancing act and it is probably easier to get it wrong than it is to get it right.
The following are some common ways for that to happen.
Often, it can be difficult to distinguish personal opinions from those of the company.
Employees may talk about the company and its practices on social media, which can lead to a breakdown in trust.
As in the example above information that employees share about a company may damage its brand; and
Excessive use of social media in the workplace can lead to loss of productivity.
By its very nature the social media environment is a dynamic environment so activity and policy should be kept under continual review. Earlier in the article I referred to “Social Listening” tools, these are crucial to protecting the brand and refining the approach but be mindful as focusing on an individual rather than a general sweep could be construed as an infringement on employee privacy rights.
When developing and auditing a social media policy for personal social media use it should be a statement of principles that is supported by a guidance that may be updated as frequently as required. Some of the better guidance I have reviewed consists of following three sections; - Do, Don’t and Helpful Links.
There are a few basics to consider:
It is not possible to exercise control over personal social media profiles.
It is possible to have employees and contractors sign an agreement stating that they won't divulge confidential information or maliciously seek to damage the brand through their social media activity.
Remind employees that not only are their posts open to public scrutiny, but comments they leave on others’ posts are too. As such, they should be careful not to post anything that could be detrimental.
Ensure you communicate to employees and contractors what is considered inappropriate activity that may result in disciplinary action. For example, racist and sexist posts, hate speech against anyone (not only their employer), inappropriate behaviour and images, as well as any other actions that are restricted from social media itself should all be mentioned on this list.
Ensure that the work environment is one where employees don’t feel the need to air their grievances online and can approach management to solve any issues related to the workplace.
Steven Connors - Director, HWCA
If you enjoyed this article but were unable to rate it, please subscribe to receive the next ebulletin directly and then you’ll be able to rate articles.