Lack of social media policies seen as risky for organizations

Many organizations are using social media actively within their businesses, but recent survey results suggest that a lack of clear policy on its use, combined with its evolving nature, makes social media risk a top concern for internal audits.

The 2013 Internal Audit Capabilities and Needs Survey Report from research and consulting firm Protiviti includes results from a survey of about 1,000 internal audit professionals.

Among those surveyed, 64% said their organization uses social media for external communication, while 44% said they use it for internal communication.

Just over half (53%) said they have social media strategies in place and 57% said they have some kind of a social media policy.

Still, those “formalized” policies are still in the beginning stages, the report suggests, 43% placing their organization’s social media process in the “initial state,” and 33% placing it in the “repeatable state.”

Thirteen percent said their organization was in the “defined state” and 10% claimed to be in the “managed state.” Only 1% surveyed said they were in the “optimized state.”

“The survey findings are surprising in that they show how many businesses are either inadequately prepared or altogether inactive in putting effective processes and policies in place around social media,” Brian Christensen, executive vice president of the global internal audit business, at Protiviti noted in statement on the report.

“From a risk management perspective, this poses significant potential problems for businesses that can range from reputational risk to IT infrastructure risk as a result of unchecked exposures to customer, vendor and company information.”

Twenty percent of those surveyed said social media risk evaluation is included in audit plans, while 35% said that it is not, but will be in next year’s.

The remaining 45% said they have no plans to include it. However, 49% did say their organization currently addresses social media in risk assessment processes.

In terms of risk, those surveyed said that social media presents the greatest risk in brand or reputational damage, data security and regulatory or compliance violations. Respondents also ranked data leakage and viruses or malware as concerns.

Monitoring reputation risks and being able to identify issues, risks or control problems were the major perceived benefits of addressing social media risk, the report notes.

However, the majority (84%) said their organization was only moderately effective or not at all effective at identifying, assessing and mitigating social media risk.

A lack of skills and resources is the greatest challenge for addressing social media risk, the report suggests.