Tuesday, 3 August 2010

How regulated organisations can deal with social networking issues

In my last post I raised the point that in amongst the excuses applied in some organisations, particularly regulated ones, to avoid letting employees use social media, there are some real issues. This post looks at some of them, and proposes solutions.

I can think of four main types of issue, which I'll call, respectively, Conduct Unbecoming, Company Secrets, Off-the-Record Contracting and Chinese Walls. Let's look at each in turn.

Conduct Unbecoming

This rather old-fashioned expression I take to mean anything that an employee might say that the firm would not wish to be associated with its name. This could be inside or outside the firewall. The fears are more reputational than regulatory, although for internal-only material they may well be more about power and the prevention of the usurping thereof.

It should be possible to deal with both instances (inside and outside the firewall) by means of a policy. I'm tempted to say this could be as short as "Don't give away company secrets and don't diss the firm", but it will probably be a little longer and more formal than that. Nevertheless, that's basically the message. Whistleblowing rights would of course remain, but those aside a company can reasonably expect some measure of loyalty and good behaviour from its people.

Company Secrets

This covers commercially confidential material, client confidential material and so on. There's an art to saying something interesting online that doesn't breach confidences. Ever since the invention of email people have been learning the hard way that people react differently to opinions expressed in writing as opposed to face-to-face or on the phone, especially when the opinions are negative. It's not a simple matter to craft work-related posts that are interesting to you and your readers, and at the same time won't upset your boss. But this art must be learnt, because short of never mentioning work online - which probably means not being online at all - everyone will have to face up to the consequences of getting it wrong. As far as the company's concerned, again policies have a role, but they might amount to closing the stable door after the horse has bolted. Someone who doesn't understand 'netiquette' might blunder even though s/he's read the policy, and once that tweet or Facebook post's in the public domain it's too late. So there's a role for training here: in how to use social media effectively and safely in a work-related context.

Off-the-Record Contracting

This is the issue of people using unofficial channels to record or make agreements which could bind the firm legally. The issue isn't so much about secret or under-the-counter deals - intentional concealment - as people wanting to do them will always find a way, and there are legal sanctions available to deal with transgressions. It's more about the fact that there's a grey area between the conversations that lead up to a deal, and the formal contract documents. A firm can't afford to lose track of even the 'grey' bits. That is very tricky even if email were to be the only channel used, both in relation to finding stuff later and to dealing with multiple email accounts and platforms. Banks that I have worked for tend to block webmail at work to try to deal with the second point. (As for finding stuff for, for example, disclosure purposes, social media platforms can score over email there, but that's a bit off topic). The problem with blocking email, as opposed to making it a policy not to use non-firm email for business purposes, is it's a slippery slope towards banning all non-firm communication platforms. This can mean no access to (public) blogs, wikis, social networking sites and so on. in fact, no Web 2.0 at all. For me, that's throwing the baby out with the bath water. A better approach would be to state in a policy that such channels shouldn't be used for anything that could have contractual implications. But, of course, the regulators, and not just the firms, need to be convinced that this is satisfactory before it has a chance of flying.

Chinese Walls

A well-known concept in banking circles, the Chinese Wall is a necessary separation of communication between certain departments, usually to prevent conflicts of interest. Any 'social' platforms must take them into account. Broadly, there are two possible approaches. the first is to make all social platforms inside the firewall accessible to everyone in the firm, and make it clear that no discussion that should be bounded by a Chinese Wall should appear on them. This has the virtues of simplicity, clarity and ease of maintenance. Its downside is that it precludes the use of social tools within a Chinese Wall, which can seriously limit useful knowledge-sharing and collaboration. If a firm does decide to allow confidential social platforms it needs to be aware that it could let itself in for a big maintenance overhead - as I know from experience! The chances are that your Active Directory (or equivalent) does not flag people with the characteristics that your Chinese-wall-related privacy settings require on your social platform. Therefore, you'll need to have someone constantly adding leavers and joiners of the department or project in question, possibly by hand. It's wise to think hard at the outset how you can best set things up to minimise this manual effort. If you use Sharepoint, make sure you fully understand how security-enabled groups work.

Policing

Whether you adopt the approach that, broadly, I'm recommending, namely to allow quite liberal access to Web 2.0 sites outside the firewall and encourage their equivalent inside it, and deal with potential 'issues' by means of policies and training, or you decide to 'batten down the hatches' and block or ban most things Web 2.0, you'll probably wonder how you can police what's actually going on. In an ideal world you'll have trusted and trustworthy employees who are netiquette-savvy and won't put a foot wrong. If they do, however, you will probably want to know about it. But how to do this?

You might run searches for the company name on, say, Google. This should pick up most stuff on public platforms. It won't pick up 'walled' material like email, of course, or Facebook posts behind privacy settings. Then, of course, as there's no search that I know of that will pick up only 'inappropriate' comments about the firm, there will be a lot of link-clicking and reading for somebody to do. Auto-moderation software exists, and I'm guessing this could pick up combinations of swear words plus company name, for example, thus narrowing things down. But there might still be a lot to read, and as I said earlier, it will be after the fact. So you might decide not to monitor at all, and just deal with incidents as they arise and are made known.

A bit scary? Welcome to the new world! Now's maybe the time to reflect on the way your employees might feel about the firm, and, if that feeling's more negative, overall, than positive, whether it's actually realistic to try to keep the lid on that.

No comments: