In my last post, I walked through some of the reasons why compliant social business is so challenging. In this post, I want to take a look at the four steps organizations need to take in order to give themselves the best chance of solving the compliance challenges of going social.
The four steps to getting compliant are:
- Create a cross-functional body to 'own' the problem of social media compliance
- Find out what’s happening with social media at all levels of your organization
- Focus on creating a reasonable, defensible social media compliance strategy
- Manage social media compliance the way you manage traditional compliance
Let's look at each in detail:
1. Create a cross-functional body to 'own' the problem of social media compliance
Those of you who read me regularly could have guessed that this would be part of my top four best practices. I’m a huge believer in the efficacy of cross-functional teams for just about any business challenge.
And I know that center of excellence, community of practice, and so on, may be dirty words at some organizations, with good reason. Often, these groups end up being more about bureaucracy than results and take on a life of their own: they seem to spend more time justifying their own existence rather than delivering business-relevant results.
That’s not the kind of cross-functional body I have in mind.
Picture instead a group of folks drawn from IT, governance, risk management and compliance (GRC), and the relevant line of business functions, all of whom have a vested, personal interest in how their organization might use social media and enterprise collaboration modalities to become a truly social business.
These would be people like enterprise architects, network engineers, application developers, service desk associates or business analysts; HR, regulatory compliance, ethics, finance, records management or risk management representatives as well as those involved in all facets of legal operations, from contracting to litigation; and representatives from all areas of operations, from sales, marketing and customer service, to product development, supply chain and beyond.
They would be focused on making decisions about how the organization will pursue social media and enterprise collaboration to meet the varying requirements of the constituencies they represent.
And beyond just giving you the best chance of making sound business decisions about social media and enterprise collaboration, such a group allows you to have both the enterprise buy in and organizational visibility to succeed at building a compliant, competitive, effective social business.
2. Find out what’s happening with social media at all levels of your organization
First rule of compliance is if you don’t know about it, you can’t govern it.
Not surprisingly, then, a lot of Enterprise 1.0 compliance efforts are centered around ensuring adequate visibility into business operations to both monitor and better ensure compliance. And despite these efforts (and the years we’ve spent honing our compliance capabilities to maximize their effectiveness), achieving adequate E1.0 compliance visibility can still be a challenge at many organizations.
As you can imagine, the visibility challenge is multiplied with social media and enterprise collaboration, not only because the majority of corporate compliance practitioners are new to it, but also because the nature of these domains is federated, grass roots, agile and decentralized.
So the first step for your newly-minted cross-functional group of social business stakeholders is to document as much of the social media and enterprise collaboration activity currently in flight as possible.
Because of its cross-functional membership, your stakeholder group will likely have good initial visibility into what’s going on at the organization, and when you reach the limits of the group’s knowledge, each member then spearheads a fact-finding mission to their own areas to find out more.
The result will not be 100% visibility, but will definitely be head and shoulders above what a narrower group (for example, drawn primarily from marketing and corporate communications) could have achieved, even with two or three times as much effort.
3. Focus on creating a reasonable, defensible social media compliance strategy
Your first reaction on developing that long list of in-flight social media and enterprise collaboration efforts at your organization may be panic: how in the world are we going to govern all of them to ensure compliance? Heck, you may be wondering how you would even govern one of them, let alone the entire list.
Pause. Take a deep breath. And just own the fact that it’s not possible to be 100% compliant 100% of the time -- not with social media and enterprise collaboration and not with any of your E1.0 business processes either.
Even tried and true business activities like using the phone, which probably seems pretty benign, are in reality not at all benign. There are a whole host of ways employees could use the telephone that would make your organization non-compliant and put you at great risk. Yet, if asked, most folks responsible for compliance at organizations would not cite telephony as a burning issue.
In a nutshell, this is because they’ve come to accept the cost benefit equation of telephony’s risk profile. They understand what could go wrong, what the impact would be, what the chance of it happening is, and what their response needs to be, and that’s that. Not much more to be done.
The same is not true for the risk profile of social media and enterprise collaboration. The domain is so new that most folks wouldn’t say that they know the range of things that could go wrong; failures of corporate social media efforts happen in the most public of spheres -- the internet -- and receive tremendous publicity, both from traditional media outlets as well as those available on the internet itself, so we tend to associate “worst case” scenarios with E2.0 compliance failures. Given the ease of use and ubiquity of social media and enterprise collaboration tools, we assume that the chance of non-compliance is high. And as for what our response needs to be, the dearth both of regulatory rulings as well as of marketplace precedent makes this largely uncharted territory.
The answer, however, is not to block efforts to turn your organization into a social business. Instead, the answer is to take steps to understand the cost benefit equation of social business’ risk profile and then to design a compliance program that is reasonable and defensible - just like you already have for the range of E1.0 business activities that are core to your business’ operations.
4. Manage social media compliance the way you manage traditional compliance
What I don’t mean by this is to lift and shift the tried and true methods for E1.0 compliance to your E2.0 compliance activities - this is a recipe for failure. The specific, click here, click there aspects of compliance are not interchangeable between E1.0 and E2.0 activities.
What is interchangeable, however, is the fundamental orientation of E1.0 compliance activities on the business process being governed, rather than on the technology, systems or media used.
But frequently, in the attempt to make our social media and enterprise collaboration efforts compliant, we get fixated precisely on the technology, systems and media used to deliver E2.0 capabilities and lose sight of the core business process all this futuristic technology is enabling. And when we lose sight of the core business process, we lose sight of what should be the real object of our compliance efforts: how we run our business.
So it’s absolutely essential to make sure that your sole focus in pursuing social media and enterprise collaboration compliance is to ensure the compliance of core business activities (that happen to leverage social media and enterprise collaboration capabilities). It should not be to ensure the compliance of your organization’s use of Facebook, LinkedIn, Twitter, Jive, SharePoint, etc., because you will not succeed -- how could you, if you don’t have specific business processes in your line of sight?
The Final Word
Taken together, this post and my previous two give you a good blueprint for addressing E2.0 compliance, i.e., the compliant use of social media and enterprise collaboration in your business. You’ll need to take it and adapt it for the specifics of your organization: its history, its culture, its maturity with social media and enterprise collaboration, the nature of the relationship between compliance, IT and 'the business' and so on. But it should give you a place to start, which in the brave new world of E2.0 is often half the battle.
Editor's note: You may also be interested in reading: