Firm Management
Developing a Social Media Crisis Communication Plan
When it comes to social media risk, you might think about hacking and incorrect/inaccurate company page posts. But, that’s not the only kind of social media risk. Here are some others.
Mar. 01, 2021
When it comes to social media risk, you might think about hacking and incorrect/inaccurate company page posts. But, that’s not the only kind of social media risk. Here are some others.
- Automated posts with a third-party tool gives hackers the ability to corrupt the automation and send out messages that look like yours. The remedy? Monitor the application(s) often.
- Weak passwords are especially important for corporate accounts. The remedy? Use a combination of numbers and letters, both upper and lower cases, and change them every 90 days.
- Who actually has access to your accounts? Be cautious about how you login to accounts, e.g., use my Google account, because if the third-party app is compromised, those credentials could also be compromised. The remedy? Quarterly, check admin authorization for any changes and avoid logging in with another account, e.g., Facebook, Google, etc.
Risk Management
It is hard to define risk, especially if you are a person who plays by the rules. I often recommend clients do the following activity with a group of people.
1. Create a Risk Matrix Chart, where the left side represents the likelihood the event will occur. The top represents the severity or impact the action will have on the firm.
2. Think about potential risks your firm faces and the measures to put in place to prevent it or address it when it happens. This is the fun part! Brainstorm ideas with other people. No idea is too trivial. Outline the list of threats or vulnerabilities.
3. Identify the systems you have in place to address those threats or vulnerabilities.
4. Define a measurement or likelihood (the left side bar in the chart) of the risk occurring.
5. Choose the level of severity the threat’s impact has on your brand/company.
Example
An employee accidentally releases a small number of client names on Facebook, but no other information was shared.
- Likelihood is high since it already occurred. Vulnerability is lack of training.
- The severity is negligible to marginal depending on your firm and/or if the clients are in a regulated industry, think medical or legal.
- Actions to take could range from making note of the error and moving on, to contacting clients, and/or adjusting workflows as needed.
Now consider if that person released first name, last name, email, address, and/or personally-identifiable information (PII). Would that increase the risk’s severity? Would that have a greater impact on your firm? How would you remedy that situation?
When you’re drafting your risk assessment, try to imagine each of the potential variations. List them in the matrix, along with the controls, its likelihood, and the potential impact on the firm.
Remedies
Once you’ve identified the risks, now’s the time to identify remedies. Consider remedy combinations to use in your plan.
For example, in the risk example an employee posted client names, the remedies might include items 4 and 6. But, if additional information was posted, including PII, then a more aggressive remedy is needed, such as 4, 6, 7, 9, 11, 13, 14, and/or 10 and 16.
Identify the remedies, including some of those below, and place them in a Crisis Response Grid.
1. Stay silent (in some cases this is the right thing to do)
2. Social media manager responds (vs. the posting / junior staff)
3. Blocking the offender on the platform
4. Removing the offending content
5. Official statement is made.
6. Compliance is notified and responds.
7. Executive team is notified and responds.
8. Blog post or a video is created addressing the issue.
9. Creation of a dedicated phone number and/or email address for those impacted.
10. A PR firm is consulted.
11. Send an email blast to all customers notifying them of the incident.
12. Issue a public apology.
13. Create a crisis FAQ.
14. Create a dedicated customer complaint page, forum, or phone number.
15. Take the conversation offline.
16. Pause all scheduled content.
Ways to Educate Staff
Now that you’ve identified risks, created an action plan, and written a process, now’s the time to share it with staff and consultants. Here are a several ways to accomplish that.
1. Host lunch-n-learns
2. Post social media office hours
3. Send social media “amplification” emails
4. Create a social media channel within the company
5. Send updates to employees & post on the intranet
6. Develop training videos
In the end, your goal is to create a social media crisis communication plan that’s right for your firm. If you’d like a step-by-step plan, download the Risk Management Primer.