I am the kind of guy who is interested in how all companies – not just telcos – deal with the risks created by electronic communications. One man’s risk is another man’s risk management sales opportunity. It makes sense for telcos to think how they can improve the management of risks around the services they provide, in order to please customers. This is true whether the telco helps parents to filter the content seen by their children, or implements encryption for secure communications. The right kinds of risk mitigation can be turned into a source of profit. So imagine my disappointment when I read article after article which agrees that tweeting, blogging, and social networks can all increase risk, but rarely say anything about what companies should do in response. After reading this particularly pointless article from TechTarget.com, I decided to analyse how little was being done by large corporates to manage social media risk.
The article presented the viewpoints of five senior managers with responsibility for risk in their businesses, talking about the impact of social media. For each manager, I counted every sentence, and identified every verb which indicated they were doing something to manage the risk (as opposed to thinking about how bad the risk, and how it was getting worse).
Adi Agrawal (Executive Director, Enterprise Risk Management, Chicago Mercantile Exchange)
Number of sentences in total: 15
Actions: “very quickly study how this uncertainty impacts [your business]”; “study the regulatory, privacy and other implications, and then come up with a way to deal with it”; “start thinking about how [we are] going to deal with this risk”
Frank Fiorille (Senior Director, Risk Management, Paychex Inc.)
Number of sentences in total: 9
Actions: “spend some time thinking”; “make sure that we’re controlling those risks”
Sean Browning (Director, Enterprise Risk Management, Vectren Corp.)
Number of sentences in total: 7
Actions: “respond in a much different way than we would have in the past”
Victor J. Haddock (Senior Vice President, Internal Audit, Magellan Health Services)
Number of sentences in total: 10
Actions: “develop some internal policies in how they’re going to use those technologies and what is the purpose of those technologies going forward”
Tate Mitchell (director, internal audit, Aegion Corp.)
Number of sentences in total: 5 (though some were very long!)
Actions: “developing policies”; “developing mechanisms to monitor [data leaving] the organization”; “monitoring social networking activity”; “strengthening their cloud technology versus just having a third-party provider giving them a tool”; “tightening up the reins a little bit more”; “make sure that if there is data that goes out, that it’s controlled and they can monitor it as it goes out”
My conclusion is simple. People find it hard to admit that there are risks they are incapable of managing. Everyone interviewed was willing to admit, and even to hype, the dangers posed by social networking and rapid distribution of communications across the planet. But they had very little to say about mitigating the risk. “Have a think”, “develop a policy”, and “make sure you control stuff” are the kinds of suggestions I expect to hear when people cannot identify genuinely useful strategies for mitigating a risk. And the one real activity which was suggested – monitoring/preventing data being sent from the organization – is of limited value. The ubiquity of smartphones, which are powerful and independently-networked computers, means you cannot monitor everything done by staff, unless you start invading their privacy too.
When it comes to changing paradigms for how people communicate, there is a pervasive sense that ‘something must be done!’ Unfortunately for risk managers, the truth is that some technological leaps – gunpowder, biological warfare, nuclear bombs – lead to a one-sided increase in risk that cannot be compensated for. The power to communicate with everyone else on the planet is a marvellous gift of the information era. But the truth is, no business is able to greatly limit the downsides that come with it. The real mitigation comes from employing people who understand how communication might hurt their business, and motivating them so they have no reason to hurt their business. And yet, that might require such a thorough change in how the business communicates with its own employees, that almost no senior manager wants to openly talk about it, never mind actively pursuing the goal. Most prefer to have a think, and come up with a policy, that aims to ‘control’ people…