Creating a Social Media Risk Assessment

By Andrew Swinney

One of your employees goes home having a bad day and posts an inappropriate comment on his or her personal Facebook, Instagram or Twitter account. Do you know how you would handle it? Would you respond? If so, what would you say?

This was exactly the case for Bank of America when an employee posted racist comments about customers on her personal account. That employee ultimately lost her job, but the damage was done.

Whether or not it reaches this extent, every financial institution will face a social media crisis, making it critical that every bank have a documented social media risk assessment in place.

To ensure effective crisis preparedness, banks must create a social media risk assessment: a thorough examination and documentation of all risks your institution faces and the measures in place to help prevent and mitigate them. Such an assessment should outline the potential threats, the systems in place to address the vulnerabilities those threats expose, and a measurement of the likelihood of the risk occurring and the potential severity of the threat’s impact.

For example, an employee accidentally releases consumer information. This was the case last year for Wells Fargo, when an outside lawyer accidentally released confidential information about tens of thousands of the bank’s wealthiest clients. While it wasn’t necessarily released over social media, the prominence of social media usage is making such a release more likely. In this case, the cause (or vulnerability) may be a lack of training or understanding of security steps. You can minimize that vulnerability by establishing documented workflows, training programs and employee or vendor guidelines. Banks should house that information in a risk assessment matrix in Excel or Google spreadsheets.

Identify Social Media Risks

At some point, every bank will face some type of social media risk, such as a leak of company or customer information, security compromises, platform outages, lawsuits, PR issues such as consumer complaints or negative press, violation of state or local laws, etc. These risks are broad and can have many nuances.

As with the earlier example, an employee who leaks customer information may have done so accidentally or intentionally. It could be from their personal social media account or from the bank’s account. Those variables change the scope of the risk, the exploited vulnerability and the measures required for it to be avoided.

When drafting your risk assessment, try to imagine each of these potential variations. List them all in your risk assessment matrix, along with the controls, the likelihood and the potential impact on your institution.

For example, consumer complaints on social media come in many forms. Perhaps there is a helpful complaint where a consumer is just alerting you that there is a maintenance issue with one of your ATMs. Or maybe the complaint is about the quality of service at a branch. Or a specific employee being abusive. Or an accusation that your lending practices are biased. While these are all “consumer complaints,” they all have different chances of occurring and potential impacts to your institution.

Determine Controls for Social Media Risk

Once you’ve identified the potential risks faced by your institution, you must then determine the actions to reduce the threat or potential damage. Common actions (or controls) include drafting a content creation workflow that involves compliance, publishing a playbook for all marketing and creative roles that states brand voice and guidelines, conducting digital security training, and having all employees read and acknowledge a social media employee policy.

Whatever direction you choose to take regarding your social media policy, the important thing is that it is accessible: not just easy to find, but easy for your team to understand. A policy littered with legal jargon is hard to understand, and if a policy isn’t understood, then it doesn’t work. You’d be better served making one that is humorous so that employees want to engage with it.

Some great examples of social media policies to follow include:

  • Air Force, with its military precision and all the details you could imagine;
  • Nordstrom, which is concise and to the point; and
  • Best Buy, which is also clear and straightforward.

Create a Crisis Response Grid

Once your bank has identified the risks and determined the controls, creating a crisis response grid will then allow you to plan for emergencies.

On the Y-axis of your crisis response grid, outline crisis “levels” to indicate the degree of severity of potential damage. This should be determined by the size of the audience impacted, the potential cost of damages, the newsworthiness of this crisis, and how quickly the situation can be remedied; however, these levels may also be determined by your bank’s risk tolerance.

The X-axis should include all the tools used to respond; for instance, stay silent, have the social media manager respond, block the offender, remove the offending content, post an official statement in response, issue an apology and consult with your PR firm. Some levels may require multiple tools or actions.

Activate Your Crisis Plan

Once you’ve created your crisis response plan, your bank should have a social media listening strategy across all major platforms (Facebook, Twitter, LinkedIn, Instagram, Yelp, web mentions, etc.). At a minimum, you should listen for any mention of your brand (including common misspellings) and products, enabling you to know what’s being said about your institution and uncovering news and trends about your brand. Anything that is included in your risk assessment or has a negative sentiment should trigger a response, and you should then consult your grid. Most incidents will likely be minor, but catching them early will help eliminate or lessen damage.
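As an added example that is not part of the original article, the following Python sketch ties the three preceding sections together: it triages a listening feed by flagging posts that mention the brand (tolerating misspellings), tagging them with a risk category from the assessment matrix, assigning a crisis level, and looking up the actions in the crisis response grid. The brand names, keyword lists, level rules and grid contents are constructed placeholders, not Kasasa's or any bank's.

```python
import re

BRAND_TERMS = ["examplebank", "examplepay"]   # constructed: hypothetical bank/product names
MAX_TYPO_DISTANCE = 2                        # edits tolerated for misspelled mentions
RISK_KEYWORDS = {                            # matrix risk category -> trigger phrases (constructed)
    "customer data leak": ["account number", "ssn", "customer list"],
    "fair lending": ["discriminat", "biased", "redlin"],
    "service complaint": ["atm", "branch", "rude", "on hold"],
}
NEGATIVE_WORDS = ["terrible", "worst", "scam", "hate", "broken", "furious"]
CRISIS_GRID = {                              # crisis level (Y-axis) -> response tools (X-axis)
    1: ["social media manager responds"],
    2: ["social media manager responds", "remove offending content", "escalate to compliance"],
    3: ["post official statement", "issue apology if warranted", "consult PR firm"],
}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch misspelled brand mentions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def mentions_brand(text: str) -> bool:
    """True if any word is within MAX_TYPO_DISTANCE edits of a brand term."""
    tokens = re.findall(r"[a-z]+", text.lower())
    return any(edit_distance(tok, term) <= MAX_TYPO_DISTANCE
               for tok in tokens for term in BRAND_TERMS
               if abs(len(tok) - len(term)) <= MAX_TYPO_DISTANCE)

def triage(post: str, audience: int):
    """None when no response is triggered; otherwise categories, level and grid actions."""
    if not mentions_brand(post):
        return None
    low = post.lower()
    categories = [c for c, words in RISK_KEYWORDS.items() if any(w in low for w in words)]
    negative = any(w in low for w in NEGATIVE_WORDS)
    if not categories and not negative:
        return None                          # plain brand mention: log it, no response
    # Documented high-impact risks outrank sentiment; a large audience raises the level.
    if "customer data leak" in categories or "fair lending" in categories:
        level = 3
    elif audience >= 10_000 or (negative and categories):
        level = 2
    else:
        level = 1
    return {"categories": categories, "negative": negative, "level": level, "actions": CRISIS_GRID[level]}
```

The `audience` argument stands in for the reach of the poster or platform, one of the severity inputs the grid section lists; a real deployment would take it from the platform's metrics.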

Revisit Your Social Media Risk Assessment

Finally, every crisis plan requires regular review and assessment. Perhaps there are new social media channels to add or new types of risk that are becoming more prevalent. Media and the industry landscape change swiftly, and your bank needs to be ready to react.

At a minimum, you should update your social media risk assessment at least once a year and any time your brand experiences a crisis. Ask yourself: Were there any crises we experienced that we don’t have documented? Has anyone else in our industry had a crisis that we can learn from? Has the likelihood or severity of these risks changed? Do we have new tools or partnerships that might serve as an effective control for risk?

A social media crisis is inevitable, making it critical that you create and implement a social media risk assessment to examine and document all potential risks your bank may face. Identifying these risks, having controls in place to effectively handle those risks, creating a response grid, acting on your plan and implementing a listening strategy, and re-assessing your plan at least once a year will help put your institution at ease the next time it encounters a crisis.

Andrew Swinney is the digital content manager of Kasasa, an award-winning financial technology and marketing technology provider. For more information on Kasasa, visit, or visit them on Twitter @Kasasa, @KasasaNews, Facebook, or LinkedIn.
