A firm’s employees are going to post on their personal social media accounts. So how can a company quantify and mitigate the risks those posts can spawn?
Social media is the defining communication development of our generation. It might also be one of the most complex, broad and hardest to monitor areas of risk.
In Accenture’s paper, ‘A Comprehensive Approach to Managing Social Media Risk and Compliance’, Steve Culp, senior managing director, Accenture Finance & Risk Services, makes the point that traditional risk management policies and procedures were not designed for the minute-by-minute monitoring of social media chatter.
“[The] risks are considerable. Financial institutions have had to shut down social media forums due to unanticipated negative feedback,” Culp says.
But while much of social media risk centres on general users taking aim at a corporation, the risk may lie closer to home. And this too goes beyond the firm’s own social media account. It’s to do with the social media presence of employees on their own personal accounts.
The actions of employees outside of work hours is an area of risk which brings its own unique challenges and the proliferation of social media has taken those staff actions and placed them in the public sphere like never before.
A single social post has ended many an employment in recent years.
In 2013, Justine Sacco, a senior director of corporate communications at IAC, tweeted to her small follower base before her flight to South Africa: “Going to Africa. Hope I don’t get AIDS. Just kidding. I’m white!” Sacco was fired for “hateful statements” soon after and has reportedly struggled to find work since.
In 2015, a Sydney man was sacked as a hotel manager after calling feminist writer Clementine Ford a ‘sl**’ on Facebook, while in the UK six HSBC bankers were fired over re-enacting a mock ISIS beheading. The Russian paramedic who posted selfies with dying patients also swiftly joined the job queue.
The risks are not as cut-and-dry as firms simply firing employees after offensive social posts. This is an area of risk that incorporates reputation risk, and HR and people risk too.
What are the risks?
“Whenever an individual discloses their place of employment on their social media accounts, such as listing it on their Facebook profile, there is a risk that any negative or controversial online behaviour of the individual could negatively impact the employer organisation’s brand,” says Kate Potter, digital media specialist at Hughes PR.
Charlie Pownall, a reputation and communications advisor, and author of Managing Online Reputation, says research consistently shows the top risk of social media to companies is damage to reputation.
“Rank-and-file employees may be seen as the most trusted sources of information on, and credible advocates for an organisation, yet the flip side is equally true: inappropriate, offensive, unethical or defamatory behaviour by those seen as the most authentic embodiment of a company has a nasty habit of spilling into the broader public domain and bringing their employer’s name and image into disrepute,” says Pownall.
Douglas White, founder and chief executive of social media strategy company PRDA, says risks from employee comments are as old as time.
“It is only in the digital age have employees gained power beyond the boundaries of an organisation in a more significant and, possibly, longer lasting concern,” White says.
Peter Sutton, a social and business strategy expert and co-author of Social Remediation, uses the example of an employee who has his Facebook privacy settings as ‘public’, where anyone can see his ‘Likes’, ‘Friends’, ‘Comments’ and the content he posts and ‘Follows’.
“In his frustration with a leader’s actions he decides to post a meme and commentary that is sexist and slanderous thinking that only his ‘Friends’ can view the material,” Sutton says.
“The post bleeds via an online connection with another work colleague who takes a screenshot and a copy of the URL, reporting the post to Human Resources.
“The incident becomes known to a local media outlet who decide it should have coverage resulting in reputational damage to the organisation on their treatment of women in leadership,” he says.
The trigger posts
A vital part of understanding the risks that employees’ personal social media accounts pose is knowing which types of posts are most likely to be damaging.
“There is more tolerance around social media posts that use offensive language, but less tolerance around posts that discriminate, threaten or make ‘jokes’ about minority groups,” Potter says.
Pownall says the degree of damage depends on factors such as the nature of the post, the resonance of the topic, the credibility of the employee, whether the post is seen as accidental or deliberate, and the visibility and reputation of the company.
“It can be particularly damaging if it is seen to involve confidential or highly sensitive information, racist, sexist or discriminatory comments, the harassment or smearing of colleagues, customers or competitors, or which point to corporate hypocrisy or double standards - all of which will quickly attract negative coverage and can result in legal action, financial penalties, or lost sales,” he says.
Sutton warns that an employee’s behaviour will inextricably link to a corporate brand as an employee’s personal social life is now public and the bleed of extracurricular information creates a stain that can never be completely removed.
“Critical to any organisation is to understand, plan and mitigate the negative impact of the speed, reach and transparency of social media,” Sutton says.
Genevieve Hilton, head of external communications Asia Pacific for chemical company BASF, says organisations should be aware of different possibilities.
“On one hand, slow-burning, but long-term damage to reputations, can result from a pattern of unprofessional conduct by employees online,” Hilton says.
“On the other hand, severe and sudden damage to a company — including legal violations — can result from, for example, clever phishing attacks that elicit the disclosure of proprietary information, or from the misconduct of a high-profile employee.”
Not all employee posts are destined to directly smear the company which employs them though. White uses the example of President Donald Trump’s rants on Twitter: “Though they are beyond the pale, I do not think anyone considers it an indictment of the US and this is from the President of the US. It is his actions within the government that draws greater concern.”
Mitigating the risks
So how can firms mitigate these risks? Is employee training necessary, or does it need to go further into rules in contracts and disciplinary action?
Hilton says many firms already have excellent measures in place to manage such risks – for example, contractual obligations not to disclose proprietary information.
“What is needed is not necessarily additional training and separate policies, but the explicit inclusion of social media into existing training and policies,” he says.
“In practical terms this could be, for instance, a section on social media privacy obligations during ordinary employee security briefings.”
Pownall says the blurring of employees’ personal and professional lives online presents a tricky challenge for any organisation.
“While some companies continue to limit workplace access to social media, or to personal social media accounts during working hours, most accept that the great majority of their people have a personal presence on social media,” he says.
“At one level, the risks of rogue social employees can be reduced by having strong values and culture, ensuring good behaviour across the corporate ecosystem, having a healthy working environment and fair compensation, and being open and honest whenever possible.”
Pownall adds it is also essential to have strong social media governance, most obviously in the form of a corporate social media policy and set of guidelines that spell out the expected parameters of online behaviour.
Sutton says there is no budget big enough to build a buffer to the negative potential of social media.
“It is only through good policy and staff training, that employees can be expected to understand the ramifications of their online social life,” Sutton says.
“Without policy, planning and education around the use of social media, a company’s reputation is left precariously exposed — teetering on the edge of a digital cliff,” Sutton adds.
It is this digital cliff that risk managers must navigate away from in collaboration with the firms’ employees.