Why CMOs can't ignore social media governance

Social media has become an intrinsic part of our brand and corporate lives. Yet the number of organisations lacking governance strategies around these highly interactive and dynamic channels is alarming.

According to an Altimeter Group report on social media strategy released in November, just one-fifth of organisations can claim to be truly strategic when it comes to executing social activities, and many in fact remain ‘in anarchy’. Only one quarter of the US respondents maintained a holistic policy governing social media, and nearly half had yet to inform, engage or align top executives with social strategy.

This is despite the fact that social pervades all aspects of the corporate environment, raising issues around data and information leaks; how to deploy and support social as a collaboration tool internally; and also securing access and assets from external threats.

When you consider the many ways social media is being used today, the reason for the governance gap is perhaps obvious. Having grown up organically as a consumer-based communication channel, then as a method of interaction by brands with consumers, and now a collaboration tool within organisations, social media platforms are instrumental in ways no one would have thought possible or even practical.

But that doesn’t excuse the lack of action being taken about social at a company-wide level today. What many also still fail to realise is that social is not just about marketing teams managing a brand’s presence on Twitter, interacting in real-time with customers during a sporting event, or IT offering Yammer internally and blocking user access to Facebook. It’s an organisation-wide challenge and responsibility falls equally on marketers and IT, HR, employees and CEOs.

During the recent ADMA Engage events in Sydney and Melbourne, vice-president of social at BBC Worldwide, Vincent Sider, shared his organisation’s social media security strategy and urged the customer engagement and marketing audience to take governance more seriously.

“It’s time the industry wakes up to this – there is currently no standard to the way we manage social,” he said. “If you organically create stuff, at some point you’re going to look to who created the information and realise the person left the company.

“Being secure enables us to focus on what matters, which is engagement.”

The brand considerations

As Sider makes plain, brands are doing much more with social than ever before. At the BBC Worldwide, the commercial arm of the UK British Broadcasting Corporation, there are 17 teams involved in managing its many brand social activities worldwide, covering 73 active Facebook pages, 74 Twitter accounts, five Google+ pages, five Tumblr accounts, and 18 other social brand assets.

Social is the deepest way to connect and create engagement, but a rise in social media incidents in recent years has triggered a significant structural rethink around how BBC Worldwide uses and manages these channels.

“It’s one thing to engage, but you have a duty of care around security to consider,” Sider told CMO. In 2012, there were three high-profile brand attacks and numbers in 2013 are exploding. These have significant consequences, Sider pointed out – just think back to the corruption of AAP’s Twitter feed in April, where hackers posted a false report of a White House explosion, wiping billions off the US stock markets and raising credibility issues for the media agency.

This rise in incidents prompted BBC Worldwide to reinforce its social media security agenda, Sider said, through an all-encompassing policy covering auditing, immediate remediation, governance guidelines, and technology tools.

The first step was an audit of social inventory. “That’s how we realised we had 200 pages to take care of,” Sider explained. “We also reviewed our control access when we engage on these pages and the apps – you tend to forget what rights individuals have and if these are compromised, your pages are compromised.

“It was pretty scary to notice that in most cases, our community managers had full rights to change the pages. We also realised that when it comes to responding to these messages online, we were not prepared at all.”

In response, BBC Worldwide introduced a two-step verification process for LinkedIn, Facebook pages and Twitter accounts. Many posters were downgraded to ‘content providers’, and all accounts were aligned to one administration account, ensuring they weren’t attached to private email addresses. “We also made sure passwords were changed every month and that these were complex,” Sider said.

The next project was to implement a full social media crisis management and escalation process that could be used if an issue arises. “We start by identifying if there really is a threat – sometimes you may be compromised but you don’t know as it’s not physical,” Sider said. “It could be because the threat sits within comments or posts, and these could include malware that can compromise access to your pages.”

Three key issue types – threat, guideline or technical – form the basis of BBC Worldwide’s escalation process and require different responses. Each brand, from Doctor Who to Top Gear, also has different characteristics and audiences, so criteria around what is considered a threat also varies.

To handle this, BBC Worldwide has devised a list of the type of content per brand considered a threat or inappropriate, its level of seriousness, and who to escalate it to if a major issue arises.

[Related article: Vincent Sider discusses BBC Worldwide’s social media content structure]

“In the case of a threat issue, we have a way of specifying content and a way to act on that type of content,” Sider said. “If it’s content that’s a threat, and a legal or copyright issue, there will be a certain way of dealing with that which escalates it quickly to a person in charge.”

Once identified, the next phase is informing management and kick-starting the remediation process. “It’s very easy in a panic to just remove stuff and lose the evidence of an attack, which could be very useful when you want to get back to Twitter or Facebook and ask them to help you deal with the risks related to that issue and where the social media attack came from,” Sider continued.

When it’s advisable to do so, the BBC Worldwide team then removes the posts, scan devices and remove malware. Then it’s about recovering, responding to those issues and ongoing monitoring of pages, Sider said.

“When you do get hacked and you’re trying to recover your accounts, it may take time between checking in Facebook or Twitter and getting that access back,” he commented. “If you don’t have a clear process in place with them, you may have to wait 6-7 hours before you get your pages back. That really has to be thought through.”

Supporting BBC Worldwide’s policy are a host of technology platforms including Hootsuite (for a view of who is managing pages and security levels); asset moderation and monitoring, that allows us to escalate actions around threats; and Brandwatch’s conversation monitoring solution.

Health sensitivity

At Metro South Health in Queensland, social media governance is about three things: Staff and how they view social channels; visitors and patients commenting, interacting, or sharing information on its website; and social media as a community engagement tool.

The organisation’s CIO, Michael Draheim, is in charge of rolling out a comprehensive approach to social media policy, which kicks off initially through an education program for its 12,000 staff. From January, new inductees will be trained up on social media policy and usage, followed by ward employee and business executives. Metro Health South plans to do the latter through online-based awareness training.

The education component will also become an embedded process that sits within general competency training, Draheim said.

“Health is a complex area and we have a range of individuals working for us along with individuals stretching from cleaning and catering to the highest learned professionals in the country,” he said. “We didn’t want to limit people’s access to a range of collaborative and communication tools. What we needed to do was make sure people are aware of their responsibilities and are accountable for their interactions through social channels in an environment where the line between business and personal requirements is increasingly blurring.”

While the governance initiative is being championed by the IT department, Draheim said social media is an executive consideration and his plans have the support of the full management team. “Being the CIO is actually irrelevant – this is not just about technology but information,” he said.

“IT is no longer just the reserve of the traditional IT department, it’s everyone’s responsibility. It’s about changing the executive mindset.

“The whole of management is keen to support this because it’s our responsibility as a business to support our staff.”

On the brand side, social media is managed by the community engagement team. Draheim said it is working on a guidelines strategy that will support how its social pages are maintained and presented. In the interim, the team has temporarily shut down several different social pages and is endeavouring to foster more dialogue through a registration-based and mediated online forum.

“We have to step lightly and carefully towards this because we don’t want to create angst, or hurt individuals through social interaction,” Draheim said. “There are a lot of sensitive things in health and if you don’t mediate comments that may be racially focused or culturally insensitive, you could be held responsible for them.”

How to get on top of social governance

Co-founder of eConscious Consulting, Kirra Pendergast, has witnessed a dramatic shift in the last 12 months in how organisations view social media and compares it to what happened around email and Web security. Her organisation assisted Metro South Health in creating its social media security strategy and provides consulting services around social media governance.

“Smarter organisations have seen this as a real issue, and are realising that if it doesn’t happen, there are potentially massive legal issues to be faced,” she said.

While Metro Health South’s initiative came via the IT department, often HR and legal are pushing social media up the security agenda, Pendergast commented. “It’s not really owned by anyone at this stage,” she claimed.

Coping with social media’s unpredictability
Why social media matters
Aussie consumers will drop brands that upset them on social channels

But given how important social media has become from an organisation and brand point of view, Pendergast said organisations should be investing in detailed policies. All too often, social media governance is just a line in a two-page policy.

“In our consultations we often compare it to travel insurance: You can take an umbrella approach, but if you don’t tell them that you’re an experienced snowboarder, you could get in trouble,” she said.

One of the challenges Sider identified hindering governance adoption is the IT/marketing gap. “There is an education process needed at an IT level around governance of these social platforms because IT is going to support these things,” he told CMO. “Things have been created organically in organisations, and that’s where risks will happen.

“It’s time companies structure security specifically for social media, because right now it’s being treated as an IT problem, but it’s a social problem. Your communications team, PR, and IT all need to focus on the threats.”

Pendergast agreed the silo-based approach to social media was a mistake. “Many senior executives don’t use Facebook and don’t know what the risk is, but have digital natives on their teams preferring to communicate on social over email,” she added.

While it is hard to specify one policy that fits all, Pendergast said organisations that don’t have something in place should quickly adopt a stop-gap measurement then get cracking on an audit. “The most important thing is education and training; if your staff are not educated, they’ll keep doing the same things,” she said.

Draheim advised organisations to understand, plan a roadmap for social media usage, and define its strategic use. “Without that approach, there are a lot of pitfalls,” he said.

Follow CMO on Twitter: @CMOAustralia, take part in the CMO Australia conversation on LinkedIn: CMO Australia, or join us on Facebook: https://www.facebook.com/CMOAustralia