Before committing your organization’s formal social media policy and procedures to writing, you’ll want to conduct a clear-eyed, comprehensive review of all the social networking–related risks and challenges, laws and regulations, opportunities, and benefits facing your business, employees, customers, prospects, and other audiences with whom you currently communicate—or hope to reach—via external social networking sites, private enterprise-grade networking and collaboration tools, and smartphones and other mobile devices. In other words, conduct a social media policy and procedures audit to determine the shape your workplace social media compliance management program should take, along with the risks and rules your social media policies should address.

Ten Steps to Audit Success

An effective social media policy audit should incorporate the following ten steps:

1. Review all of the social media–related legal risks facing your organization as a whole and its individual users. Assign experienced legal counsel or your company’s compliance officer the task of reviewing current laws governing electronic content, use, record retention, e-discovery, monitoring, privacy, security, and other legal issues. Be sure to review the laws of every jurisdiction (federal, state, county, and local) in which you operate, litigate workplace lawsuits, employ workers, serve customers or patients, or otherwise have a business presence.

If you operate internationally, be sure to retain the services of a legal expert who is familiar with the laws, particularly those related to security, privacy, and monitoring, of every country in which you conduct business, employ workers, or operate facilities.

Once your comprehensive legal review is complete, the next step is to determine exactly what your organization needs to do— from the standpoint of social media policy, employee training, and technology solutions—to achieve 100 percent legal compliance on the federal, state, county, and local level, as well as internationally, if you operate a multinational business.

Fail to complete this step, and you may find yourself on the wrong side of a workplace lawsuit triggered by an inappropriate blog post, defamatory tweet, discriminatory video, pornographic photograph, harassing comment, or otherwise illegal, offensive, or inappropriate electronic content.

2. If you operate within the financial services industry, healthcare arena, or any other regulated industry, then best practices call for a comprehensive review of all of the regulatory risks facing your company and its regulated employees. Assign an experienced legal, compliance, or regulatory expert the task of reviewing federal, state, industry, and government regulations pertaining to social media content, use, security, privacy, and business records. If you operate internationally, you will need to investigate the regulatory guidelines that govern your business and industry in every country in which you engage in commerce, operate facilities, or employ workers.

Your goal is to determine exactly what your organization needs to do—from the standpoint of social media policy, training, and technology—to adhere to all of the regulatory rules governing your business and industry. Skip this step, and it’s possible that careless comments about patients, thoughtless tweets about consumers, or premature posts about company financials could put your organization at risk of regulatory violations and penalties, including potentially steep monetary fines.

3. Review all of the internal, organizational risks facing your company and your employee-networkers. Has excessive personal use of social media led to a slide in workplace productivity? Have you been forced to terminate otherwise valuable employees because of inappropriate tweeting, blogging, commenting, or posting? Do you use social media sites to screen prospective job candidates, opening the organization to possible discrimination claims? Have employee-drivers, distracted by texting, talking, or tweeting, ever caused car crashes, hit pedestrians, or broken federal, state, or local driving laws governing the use of handheld or hands-free cell phones? When it comes to social media use and electronic business (and personal) communication in general, the list of organizational risks is a long one. Use your social media policy audit to help uncover—and then address through formal rules and written policies—all of the potentially costly exposures facing your organization when employees log onto blogs, social networking sites, or other web 2.0 applications at work, home, or on the road.

4. Review all of the data security risks that social networking and computer use overall poses to your company, customers, and employees. Are telecommuters, remote workers, and mobile device users accessing the social web outside the security of your corporate network? Do you allow employees to access and download confidential company and customer data via their own personal smartphones? Has your organization’s Internet system ever been attacked by hackers or cyber-criminals? Has the electronic protected health information (EPHI) of patients or the private financial data of consumers ever been inappropriately accessed by employees or exposed—accidentally or intentionally—to third parties?

Ever since email and the Internet first entered the workplace, security concerns have kept chief information officers up at night—for good reason. Take advantage of this opportunity to inventory—and address through formal, mandatory, written policies— all of the new and emerging security risks that social media, mobile devices, and other twenty-first-century technology tools have introduced into your place of business.

5. Evaluate the ways in which your organization uses public social networking sites. Do you use Facebook, Twitter, YouTube, Flickr, Digg, Squidoo, LinkedIn, or other external public sites to interact with customers and prospects, vendors and decision makers, shareholders and the media, prospective employees and the general public? Does your company operate an external business blog or maintain a corporate Facebook page? Do your executives use Twitter to connect with the public? Do you produce YouTube videos to educate consumers about products and services? Or, does your company currently lack any form of public social media presence?

6. Assess the ways in which your organization uses enterprise-grade social networking software and internal collaboration tools. Do you operate internal, employee-only blogs or wikis? Do you use private social media sites like Yammer or Socialtext to facilitate secure communication and collaboration, team-building and brainstorming, information-sharing, and relationship-building solely among employees and executives, vendors, and trusted partners? Increasingly, organizations are discovering that, for business purposes, effective social networking does not necessarily involve participation on free public sites. Many organizations prefer the security of internal social media tools, which offer all of the benefi ts of in-house social networking—minus many of the risks to confidentiality, privacy, and productivity that are inherent in public social networking.


7. Evaluate employees’ personal use of the company’s computer system. Do you allow personal use of the company web? Has personal use of business blogs had a negative impact on productivity or job performance? As the popularity of social media grows, are employees spending less time on job-related tasks and more time networking with colleagues and outsiders? Does personal use of social media compromise the company’s bandwidth? Do workers use company-provided BlackBerries strictly to conduct business, or are they carrying on personal relationships on your corporate dime? Is your archive a dangerous mix of business-critical email records and insignificant and potentially embarrassing personal posts, messages, and other forms of electronic content?

8. Investigate employees’ personal, after-hours use of social media—within reason. Are employees using their own personal blogs to whine about their jobs, criticize colleagues, gossip about executives, complain about managers, ridicule customers, or denigrate your products or services? Has a worker ever posted classified business information or confidential consumer data on a private Facebook account, damaging the organization’s reputation and triggering a lawsuit or regulatory investigation in the process? Have staff members ever tweeted unauthorized or inappropriate photos of themselves in company uniforms?

Your company’s social media policy and training program creates the ideal opportunity to let employees know that all of the organization’s employment policies, rules, and guidelines (including social media policy) apply 24 hours a day, seven days a week, 365 days a year, at work and home, on company equipment and private accounts. Don’t forfeit the opportunity to deliver that message to employees—loud and clear.

9. Research the level of interest that your customers, prospects, business partners, vendors, job applicants, the media, decision-makers, investors, and other target audiences have in communicating with your company via social media. If you currently have a business blog or company presence on Facebook, Twitter, or YouTube, evaluate the responses (positive or negative) that you have received from your various corporate constituencies. If you have yet to develop a social media presence, this is a good time to consider how your organization’s most important audiences—including customers and patients, investors and suppliers, and regulators and decision makers—are likely to react once you dive into the social networking pool (or fail to do so).

Take advantage of this opportunity to conduct some demographic research related to your customers’ and prospects’ use of social media. Don’t assume, for example, that online networking is strictly a young person’s game that holds limited—if any— interest for older customers. Social networking among Americans ages 50 and older nearly doubled in 2010, up to 42 percent from 22 percent the previous year, according to the Pew Internet & American Life Project, 2010.1 We can safely assume that the adoption of social media by older users will continue to increase, along with overall growth of business and personal use among people of all ages.

Don’t play guessing games with social media. Use your social media policy audit to help determine exactly how to make the most beneficial use of networking tools as a means to promote your brand, position your products and services, and communicate corporate messages to important audiences.

10. Review all of your organization’s existing policies governing social media, blogs, mobile devices, email, the Internet, instant messenger, text messaging, and all other electronic business communication tools. Do you have in place free-standing policies governing all of the electronic tools and technologies that employees currently are using at work, home, and on the road? You should.

When was the last time your formal rules and written policies were updated? If it’s been more than a year, that’s too long. Are your acceptable use policies (AUPs) well written, easy to read, understand, and adhere to? Are your policies well designed and visually appealing?

How do you distribute policies to employees? Best practices call for formal, onsite employee training, yet most employers rely solely on the employee handbook or Intranet to introduce AUPs to users. Where do you stand?

In addition to auditing social media and other electronic policies, now is the time to review all of your organization’s business rules and employment policies. Use the social media policy audit process as an opportunity to take a strategic look at, for example, your current harassment and discrimination policy, employee code of conduct, confidentiality policy, writing style guidelines, ethics rules, mobile device policy, dress code, and all other workplace policies. Ideally, you have the human and financial resources necessary to update all of your organization’s employment policies simultaneous to the development and implementation of your social media policy program.

Also, take advantage of opportunities to “cross promote” policies. Use blog policy, for example, to inform employees that they must adhere to the company’s ethics guidelines when blogging. Use harassment and discrimination policy to remind workers that the rules apply, regardless of whether they are communicating internally or externally, for business or personal reasons, in-person or online via social media or any other electronic communication tool. Finally, use your policy program to remind the workforce that a policy is a policy, and all employees must adhere to all employment policies at all times.

Reprinted by permission of the publisher, John Wiley & Sons, Inc., from The Social Media Handbook: Rules, Policies, and Best Practices to Successfully Manage Your Organization's Social Media Presence, Posts, and Potential by Nancy Flynn.  Copyright (c) 2012 by John Wiley & Sons, Inc.  All rights reserved.