In my most recent post, I walked through some of the reasons why compliant social business is so challenging. In this post, I want to take a look at the four steps organizations need to take in order to give themselves the best chance of solving the compliance challenges of going social.
The four steps to getting compliant are:
- Create a cross-functional body to “own” the problem of social media compliance.
- Find out what’s happening with social media at all levels of your organization.
- Focus on creating a reasonable, defensible social media compliance strategy.
- Manage social media compliance the way you manage traditional compliance.
Now let’s look at each of these steps in detail.
1. Create a cross-functional body to “own” the problem of social media compliance.
Those of you who read me regularly could have guessed that this would be part of my top four best practices. I’m a huge believer in the efficacy of cross-functional teams for just about any business challenge.
And I know that “Center of Excellence,” “community of practice,” and so on, may be dirty words at some organizations, with good reason. Too many times these groups end up being more about bureaucracy than results, and they take on a life of their own: They seem to spend more time justifying their own existence than delivering business-relevant results.
That’s not the kind of cross-functional body I have in mind.
Picture instead a group of folks drawn from IT, governance, risk management, and compliance, and the relevant line-of-business functions – all of whom have a vested, personal interest in how their organization might use social media and enterprise collaboration modalities to become a truly social business.
These would be people like enterprise architects, network engineers, application developers, service desk associates or business analysts; HR, regulatory compliance, ethics, finance, records management or risk management representatives, as well as those involved in all facets of legal operations, from contracting to litigation; and representatives from all areas of operations—from sales, marketing, and customer service, to product development, supply chain, and beyond.
They would be focused on making decisions about how the organization will pursue social media and enterprise collaboration to meet the varying requirements of the constituencies they represent.
And beyond just giving you the best chance of making sound business decisions about social media and enterprise collaboration, such a group allows you to obtain both the enterprise buy-in and organizational visibility to succeed at building a compliant, competitive, effective social business.
2. Find out what’s happening with social media at all levels of your organization.
The first rule of compliance is: If you don’t know about it, you can’t govern it.
Not surprisingly, then, a lot of Enterprise 1.0 compliance efforts are centered around ensuring adequate visibility into business operations to both monitor and better ensure compliance. And despite these efforts (and the years we’ve spent honing our compliance capabilities to maximize their effectiveness), achieving adequate E1.0 compliance visibility can still be a challenge at many organizations.
As you can imagine, the visibility challenge is multiplied with social media and enterprise collaboration, not only because the majority of corporate compliance practitioners are new to it, but also because the nature of these domains is federated, grassroots, agile, and decentralized.
So the first step for your newly-minted cross-functional group of social business stakeholders is to document as much of the social media and enterprise collaboration activity currently in flight as possible.
Because of its cross-functional membership, your stakeholder group will likely have good initial visibility into what’s going on at the organization, and when you reach the limits of the group’s knowledge, each member then spearheads a fact-finding mission to their own areas to find out more.
The result will not be 100 percent visibility, but will definitely be head and shoulders above what a narrower group (e.g. one drawn primarily from Marketing and Corporate Communications) could have achieved, even with two or three times the effort.
3. Focus on creating a reasonable, defensible social media compliance strategy.
Your first reaction on developing that long list of in-flight social media and enterprise collaboration efforts at your organization may be panic: How in the world are we going to govern all of them to ensure compliance? Heck, you may be wondering how you would even govern one of them, let alone the entire list.
Pause. Take a deep breath. And just own the fact that it’s not possible to be 100 percent compliant, 100 percent of the time — not with social media and enterprise collaboration, and not with any of your E1.0 business processes, either.
Even tried-and-true business activities like using the phone, which probably seems pretty benign, are in reality not at all benign. There are a whole host of ways employees could use the telephone that would make your organization noncompliant and put you at great risk. Yet, if asked, most folks responsible for compliance at organizations would not cite telephony as a burning issue.
In a nutshell, this is because they’ve come to accept the cost/benefit equation of telephony’s risk profile. They understand what could go wrong, what the impact would be, what the chance of it happening is, and what their response needs to be, and that’s that. Not much more to be done.
The same is not true for the risk profile of social media and enterprise collaboration. The domain is so new that most folks wouldn’t say that they know the range of things that could go wrong. Failures of corporate social media efforts happen in the most public of spheres, the Internet, and receive tremendous publicity, both from traditional media outlets and from those available on the Internet itself, so we tend to associate “worst-case” scenarios with E2.0 compliance failures. Given the ease of use and the ubiquity of social media and enterprise collaboration tools, we assume that the chance of noncompliance is high. And as for what our response should be, the dearth of both regulatory rulings and marketplace precedent makes this largely uncharted territory.
The answer, however, is not to block efforts to turn your organization into a social business. Instead, the answer is to take steps to understand the cost/benefit equation of the risk profile of social business and then to design a compliance program that is reasonable and defensible – just like you already have for the range of E1.0 business activities that are core to your business operations.
4. Manage social media compliance the way you manage traditional compliance.
What I don’t mean by this is to lift and shift the tried-and-true methods for E1.0 compliance to your E2.0 compliance activities; this is a recipe for failure. The specific, “click here, click there” aspects of compliance are not interchangeable between E1.0 and E2.0 activities.
What is interchangeable, however, is the fundamental orientation of E1.0 compliance activities toward the business process being governed, rather than toward the technology, systems, or media used.
But in the attempt to make our social media and enterprise collaboration efforts compliant, many of us fixate precisely on the technology, systems, and media used to deliver E2.0 capabilities, and we lose sight of the core business process all this futuristic technology is supposed to be enabling. And when we lose sight of the core business process, we lose sight of what should be the real object of our compliance efforts: how we run our business.
So it’s absolutely essential to make sure your sole focus in pursuing social media and enterprise collaboration compliance is to ensure the compliance of core business activities (that happen to leverage social media and enterprise collaboration capabilities). It should not be to ensure the compliance of your organization’s use of Facebook, LinkedIn, Twitter, Jive, SharePoint, etc., because you will not succeed. How could you, if you don’t have specific business processes in your line of sight?
The Final Word
Taken together, this post and my previous two give you a good blueprint for addressing E2.0 compliance – i.e. the compliant use of social media and enterprise collaboration in your business. You’ll need to take it and adapt it for the specifics of your organization: its history; its culture; its maturity with respect to social media and enterprise collaboration; the nature of the relationship among compliance, IT, and the business, and so on. But it should give you a place to start, which, in the brave new world of E2.0, is often half the battle.