This post is about the development of a Social Media Risk Assessment Process (“SMRAP”). The SMRAP provides organizations with a systematic approach to evaluating exposure to social media-related risks. The SMRAP focuses on five components: Threats, Vulnerabilities, Controls, Likelihood of Occurrence and Impact.
 |
| Social Media Risk Assessment Matrix |
The SMRAP is intended to achieve one basic goal: the protection of the organization's reputation.
Management is responsible for ensuring that systems and data are adequately protected. Historically this has related to the systems and data maintained within the organization's walls. Unfortunately, as an organizations are increasingly moving to third-party social media platforms such as Facebook, Twitter and LinkedIn (and for good reasons), management must now take measures to adequately controls risks related to external systems.
Management is also responsible for protecting the organization's reputation from intentional and unintentional acts that may cause harm to the organization. Unfortunately, reputational harm can come from many directions, including public outcry (think Bank of America's debit card debacle or Occupy Wall Street).
An organizational key business objective is to maintain a set of policies and procedures that protect and mitigate against risks related to day-to-day operations. Social media risks have become part of the day-to-day risks of any organization. As has been previously stated, organizations cannot determine whether or not to participate in social media. Social media happens. And it has been happening for some time. The question is whether or not management has realized this fact and has moved to mitigate the risks before the risks mitigate the organization.
The SMRAP is used to identify, evaluate, document, monitor and manage social media risks. Through the SMRAP the organization is able to identify and prioritize social media-related risks and develop appropriate risk management strategies. Such strategies include the establishment of appropriate policies and the selection of cost-effective controls that implement the policies.
Part 2 of this series will begin the process of identifying the social media threats that must be evaluated as part of a risk assessment process.
