Research: Spotlight on social media risk management

A new report by Altimeter Group sheds light on the importance of risk management as applied to social media.
Written by Michael Krigsman, Contributor

As social media proliferates to become an accepted and enduring part of corporate life, organizations should invest time to understand and manage relevant risks. Although the benefits are clear -- direct access to customers, shortened feedback cycles, and personalized marketing -- the risks are less understood.


A new research report on social media risk, by analyst and consulting firm Altimeter Group, describes four broad categories of concern:

  • Damage to brand reputation
  • Releasing confidential information
  • Legal, regulatory, and compliance violations
  • Identity theft or hijacking

Key risks. The following chart offers a breakdown of survey respondents' view of risk sources in relation to social media:

Altimeter social media risk

It is interesting to note that 66 percent of respondents consider damage to reputation or brand a significant or critical risk, while only 32 percent called release of confidential information a significant or critical risk. This finding strongly suggests that social media professionals may underestimate the potential likelihood that employees might inadvertently, or even deliberately, release such information. However, it is also possible that respondents have sufficient confidence in their organization's social media policies to alleviate this concern.

Social media risk team. Overwhelmingly, in most organizations the social media team is responsible for managing social risk, as the following diagram illustrates:

Altimeter social media risk 2

Importantly, the report does make clear that social media risk management should involve a broad group of participants, include representatives from marketing, human resources, legal, IT, communications, and security.

Social media policies. According to the report, most corporate policies around social media relate to privacy, as shown below:

Altimeter social media risk 3


The Altimeter report is beneficial because it shines a light on an important aspect of social media. The relative immaturity of social media has caused it to lag behind other corporate domains, such as project management and legal, where risk management is highly structured and well understood.

Despite its utility, the report focuses almost entirely on risks emanating from the organization itself, particularly information leakage that can damage a brand or cause the public release of confidential information. It pays only cursory attention to an equally, if not more important, source of social media risk -- comments and campaigns from external sources such as a blogs and Twitter. Although the survey briefly discusses this set of issues, the coverage remains incomplete.

Managing risk that responds to external threats is a far more complex undertaking than developing internal policies that govern employee behavior and disclosure. External threats are less susceptible to control and generally can only be addressed through influence (or legal means, in some cases), which is precisely where the challenge and difficulty lies. Moreover, managing external threats effectively requires coordinated action between the social media team with legal, PR, and senior management. All this increases the level of complexity in responding to external social media threats.

I asked Altimeter Group partner, Jeremiah Owyang, to respond to this deficiency in the report. He told me that Altimeter covered social media crisis response in a separate survey:

We found that 76% of crises (including external and internal) could have been diminished or avoided had companies been ready. This was based on analysis of 50 social media crises that had achieved mainstream media attention.

The following chart, supplied by Jeremiah, lists the primary causes of social media crises:

Causes of social media crises

Finally, the framework described in the report is relatively generic but does conform to standard approaches to risk management. Readers should be aware that the utility of such frameworks is limited unless an organization commits to putting in place the components needed to execute risk management processes on an ongoing basis.

Editorial standards