Research: Spotlight on social media risk management

Summary: A new report by Altimeter Group sheds light on the importance of risk management as applied to social media.


As social media proliferates to become an accepted and enduring part of corporate life, organizations should invest time to understand and manage relevant risks. Although the benefits are clear -- direct access to customers, shortened feedback cycles, and personalized marketing -- the risks are less understood.


A new research report on social media risk, by analyst and consulting firm Altimeter Group, describes four broad categories of concern:

  • Damage to brand reputation
  • Releasing confidential information
  • Legal, regulatory, and compliance violations
  • Identity theft or hijacking

Key risks. The following chart offers a breakdown of survey respondents' view of risk sources in relation to social media:

[Chart: Altimeter social media risk]

It is interesting to note that 66 percent of respondents consider damage to reputation or brand a significant or critical risk, while only 32 percent called release of confidential information a significant or critical risk. This finding strongly suggests that social media professionals may underestimate the potential likelihood that employees might inadvertently, or even deliberately, release such information. However, it is also possible that respondents have sufficient confidence in their organization's social media policies to alleviate this concern.

Social media risk team. Overwhelmingly, in most organizations the social media team is responsible for managing social risk, as the following diagram illustrates:

[Chart: Altimeter social media risk 2]

Importantly, the report does make clear that social media risk management should involve a broad group of participants, including representatives from marketing, human resources, legal, IT, communications, and security.

Social media policies. According to the report, most corporate policies around social media relate to privacy, as shown below:

[Chart: Altimeter social media risk 3]


The Altimeter report is beneficial because it shines a light on an important aspect of social media. The relative immaturity of social media has caused it to lag behind other corporate domains, such as project management and legal, where risk management is highly structured and well understood.

Despite its utility, the report focuses almost entirely on risks emanating from the organization itself, particularly information leakage that can damage a brand or cause the public release of confidential information. It pays only cursory attention to an equally, if not more, important source of social media risk -- comments and campaigns from external sources such as blogs and Twitter. Although the survey briefly discusses this set of issues, the coverage remains incomplete.

Managing risk that responds to external threats is a far more complex undertaking than developing internal policies that govern employee behavior and disclosure. External threats are less susceptible to control and generally can only be addressed through influence (or legal means, in some cases), which is precisely where the challenge and difficulty lie. Moreover, managing external threats effectively requires coordinated action between the social media team and legal, PR, and senior management. All this increases the level of complexity in responding to external social media threats.

I asked Altimeter Group partner, Jeremiah Owyang, to respond to this deficiency in the report. He told me that Altimeter covered social media crisis response in a separate survey:

We found that 76% of crises (including external and internal) could have been diminished or avoided had companies been ready. This was based on analysis of 50 social media crises that had achieved mainstream media attention.

The following chart, supplied by Jeremiah, lists the primary causes of social media crises:

[Chart: Causes of social media crises]

Finally, the framework described in the report is relatively generic but does conform to standard approaches to risk management. Readers should be aware that the utility of such frameworks is limited unless an organization commits to putting in place the components needed to execute risk management processes on an ongoing basis.

  • How social?

    These are great numbers. I work on a Social Media team for a major corporation, and wonder how these statistics stack up in my own workplace. I was wondering, do these numbers reflect Social Media Brand activity while employees are AT work, off work or both???
    James Keenan
  • Good, sane look

    Thank you. So much of what has been written about the risks involved is from either a "what risk?" or a "hair on fire" point of view.

    "...only 32 percent called release of confidential information a significant or critical risk. This finding strongly suggests that social media professionals may underestimate the potential likelihood that employees might inadvertently, or even deliberately, release such information."

    This concern should also play in the mobile space. The potential of scattered intellectual property and proprietary information being housed in consumer-level cloud storage should not be underestimated either and as we know, mobile and social play together.
  • Thanks for the post!


    Thanks for posting about my report. You are correct, it does use a general framework because of the complexity of risks that social media presents. There are opportunities for more specific frameworks within the context of the general framework for risks like IP loss and Legal and Compliance. But, we had to start somewhere and the purpose of the report was to put a stake in the ground.

    I can also see where you would think that this is more internal focused. But when you look at the potential risks in Figure 1.1, a number of those risks can be both internal and external. For example, IP loss can happen through social engineering via a social media channel. The hard part about this space is that any risk is not necessarily unique and is generally combined with other risks.

    Thanks for the post! If anyone has additional questions about the report they are free to ping me on Twitter @alanwebber.