If you think a GRC professional can't benefit from social media, think again. 

Social Media and the GRC Professional

What I want to cover in this piece is how, in general, individuals involved in managing GRC processes (such as risk officers, compliance professionals, internal auditors, corporate counsel, etc.) can derive professional value from their use of social media. In my personal blog, I share details of the people I follow, what discussion groups I belong to, and why.

So, for frame of reference, I use the following:

  • Facebook: To keep up with my friends around the world and family in the UK and elsewhere.
  • LinkedIn: To build and manage a professional network and for various discussion groups.
  • Twitter: To follow the news about our profession and related events, and to share my views.
  • Blogs: In my blog for the Institute of Internal Auditors, I share my views and commentary on governance, risk management and internal audit in general. I use my personal blog to broaden the coverage to include GRC, and for “rants” that are not suitable for a professional association site. Finally, I occasionally post on SAP’s massive Community Network; this site is open to all SAP customers, consultants, partners and employees.
  • Other: I am a member of SAP’s internal social network, for sharing with other employees. I also use a number of collaboration sites, sharing documents, primarily relating to my IIA committee work.

In my experience, few GRC professionals are using social media effectively.

Before I launch into my views, have a look at this video from the AICPA. This is admittedly from the CPA practitioner perspective, but it should shed some light on the possibilities.

How To Benefit From Social Media

Now let’s explore each of these social media services. By the way, I will talk only about the ones I use. I realize there are many others.


Facebook

Some are using this for their business and have set up their own page. For example, the IIA has one, as does ESPN. I have to presume they see a business value, perhaps in their ability to socialize with members or customers, share news about their products and services and get feedback.

From a risk management or internal audit perspective, I would be concerned with the reputation risk that may be associated with a corporate Facebook page. Certainly, there should be a solid social media policy. SAP has shared its guidelines for public consumption, and I recommend viewing them. In addition, care should be taken to ensure the staff managing the Facebook page have received training and use judgment, and that their work is reviewed periodically.

Risk managers and internal auditors might consider monitoring the Facebook page not only to detect potential reputation risk issues, but also to see what people are saying about their organization. They might, for example, be able to detect the signs of product acceptance or employee morale risks.

I limit my use of Facebook to friends with whom I want to stay in touch, especially friends I don’t see as often.


LinkedIn

Over the years, I have met hundreds of people I wanted to include in my network -- but lost contact when they moved on in their career. Now, I use LinkedIn to ensure I can still reach people. I have also been able to use the search capability and reconnect with many old friends.

They say that successful people take care of their network, and build it. Certainly, I have found it useful on several occasions and my contact list is now over 1,000 strong. In addition, I understand that LinkedIn is the #1 source recruiters use to find people -- not a bad reason to be there, and have an updated profile!

The LinkedIn groups are a good source for asking questions and getting comments, insights, and advice from your peers. I am a member of many, covering my interests from internal audit to risk management to governance, and more.


Twitter

If I recall correctly, my first post (a.k.a. ‘tweet’) on Twitter asked whether I was a ‘twit’ to be on Twitter. I had been persuaded to join by an expert and heavy user, and thought I would try it for a while to see whether there was value for me. I think I have a better idea now how other internal auditors can benefit.

  1. Many on Twitter (known as ‘tweeps’) specialize in different areas. They follow the news, events, surveys, research, etc. and post comments and links to it. My advice is to select tweeps who tweet on the topics you are interested in. For example, you might follow people like me (@normanmarks) who tweet about internal audit, governance, risk management, GRC and so on. Others focus on IT governance, data privacy, technology (such as cloud computing), the external auditing firms, health and safety compliance, etc. or who tweet about their firm’s services and products (valuable if you are a customer).

    The value is expressed in the AICPA video: you can get news and avoid having to read a number of magazines. People are basically doing the sifting through the news for you and letting you know what might be interesting.

    My only word of caution is to follow only the number of people you have time for. I expect you will only log in occasionally, so make sure you don’t have more tweets than time to review them. Some people also follow public figures. I don’t do this, but will follow some of my friends.
  2. The major news services offer Twitter feeds so you can get breaking news, whether general, business, sporting or other news.
  3. Your company may have official and unofficial representatives on Twitter. You should consider following them to see what they say. Make sure they have read and comply with the corporate social media policy.
  4. Some organizations use Twitter as a way to share information -- in both directions -- with consumers. Check out some of the traffic on Pacific Gas & Electric’s Twitter account. If you go to their website, you can see at the bottom that they also use Facebook, YouTube and Flickr.
  5. Consider using the search capability to see what others are saying about your organization. It might give you some interesting insights into employee morale, customer concerns and other risk-related information.


Blogs

I have two blogs, and I hope they add value to internal auditors. These days, many people have blogs and internal auditors should be able to find several of value -- including those at the Internal Auditor site. I recommend subscribing to those of interest, so you can be notified when posts are added.


Other

The Internal Auditor site has a number of discussion groups, as does ISACA. I look at those and contribute from time to time.

The collaboration sites can be great for sharing draft documents for collective review, communicating ideas and getting feedback, posting materials for common consumption (such as copies of studies, papers from the consulting firms, etc.) and more.

Final Thoughts

GRC professionals tend to be professional paranoids. It is their job to worry about risks, compliance and such. They are right to do so when it comes to social media. But, they should also be thinking about how they can use social media to be more effective.

You can read more articles on GRC from Norman Marks, including: Why is GRC an Important Topic?