Academic year: 2021

Share "Social Media Risk; The Solution! A qualitative research of controlling social media risks in (semi-)public organizations based on the perception of controllers"

Copied!
40
0
0

Bezig met laden.... (Bekijk nu de volledige tekst)

Hele tekst

(1)

Social Media Risk; The Solution!

A qualitative research of controlling social media risks in (semi-)public organizations based on the perception of controllers

R.J. Brem, S3524973, r.j.brem@student.rug.nl

24-6-2019

Master Thesis Accounting & Controlling; Controlling track (EBM870B20.2018-2019.2) University of Groningen

Faculty of Economics & Business

Supervisor: Dr. S. Girdhar
Co-assessor: Dr. K. Linke
Word count: 11.899


ABSTRACT

This research aims to examine how (semi-)public organizations control social media risks. Because of its changing role, the controller is designated as the representative of the organization who should control social media risks. Interviews with seven Dutch controllers in (semi-)public organizations and an analysis of social media policies show that the controllers are currently not involved in controlling social media risks, although they do perceive the impact of social media. The organizations identify reputation risk caused by external stakeholders and data leakage risk as the prominent social media risks. Currently, the social media control role is assigned to the communication department. The external reputational risk is controlled by monitoring, by providing good services up front and by taking complaints seriously. The social media usage of employees, including the data leakage risk, is controlled by creating awareness through an open culture that is connected with the organizational values. Finally, social media policies are actively set up before a social media incident occurs. Although the controllers perceive training and repetition as important for achieving proper social media behavior of employees, these are hardly present. These results lead to the conclusion that organizations are controlling social media without the involvement of the controller.

Keywords: social media; risks; controller; (semi-)public organizations; internal control

Acknowledgment: I would like to express my gratitude towards Dr. S. Girdhar for the support and guidance during the thesis project. I am grateful to all controllers who participated in my research, especially the way they have set aside time and gave access to all relevant information. While conducting the research and writing the thesis, I had a valuable learning process which resulted in improving my academic research skills. I will use this knowledge in my further career.


Table of contents

1 INTRODUCTION………... 3

2 LITERATURE REVIEW……… 6

2.1 Social media……….. 6

2.2 Social media risks……….. 6

2.3 Social media risk control………... 7

3 RESEARCH METHODOLOGY……… 10

3.1 Data collection………... 10

3.2 Data analysis……….. 11

4 RESULTS ……….. 12

4.1 Social media use……… 12

4.2 Social media risk………... 13

4.3 Social media policy………... 14

4.4 Control measures………... 16

4.5 Archival policy analysis……… 18

5 CONCLUSION AND DISCUSSION ……… 20

5.1 Conclusion……….. 20

5.2 Discussion……….. 21

5.3 Limitations………. 22

5.4 Future research……….. 23

6 REFERENCES ………. 24

APPENDICES ………. 31

Appendix A……… 32

Appendix B……… 33

Appendix C……… 35

Appendix D……… 39

1 Introduction

Worldwide, social media is used increasingly, which has a major impact on society and business (Singh, Lehnert & Bostick, 2012; Culnan, Mc Hugh & Zubillaga, 2010; Investis, 2015; Ahmad, 2013). In organizations, social media is used in various ways that change the engagement with stakeholders, including enhancing the relationship between the organization and its customers. Social media changes internal interaction and collaboration between employees, resulting in an increase in the effectiveness and efficiency of operations (Kane, Alavi, Labianca & Borgatti, 2014; Investis, 2015; Harquail, 2011; Kietzmann, Hermkens, McCarthy & Silvestre, 2011). In addition, social media helps in recruiting and is currently integrated into marketing (Nikitkov & Sainty, 2014; Mangold & Faulds, 2009; Israel, 2009; Criado, Sandoval-Almazan & Gil-Gracia, 2013). Lastly, social media affects organizational reputation, which could create loyal customers, price premiums and lower financing costs (Dowling, 2006; Eccles, Newquist & Schatz, 2007; Haynes, 2016; Power, 2004; Brivot, Gendron & Guénin, 2017).

In contrast to these business advantages, social media creates several risks due to its interactivity, spontaneity, and the likelihood of unedited content (Scott & Jacka, 2011; Arnaboldi, Busco & Cuganesan, 2017; Drahosova & Balco, 2017). Social media is by definition based on information technology (IT), resulting in IT security and information leakage risks, which include identity theft and non-compliance (Demek, Raschke, Janvrin & Dilla, 2018; Eccles et al., 2007; Gaff, McDermott & Emery, 2014). A second risk is that social media blurs the boundary between employees' professional and private lives, possibly resulting in excessive private social media use, which could lead to productivity decreases and misuse of resources (Ollier-Malaterre, Rothbard & Berg, 2013; Field & Chelliah, 2012; McDonald & Thompson, 2016). Lastly, social media use by external stakeholders and employees could harm the organizational reputation, which negatively affects the creation of loyal customers, price premiums and financing costs (Dowling, 2006; Eccles et al., 2007; Haynes, 2016; Power, 2004; Brivot et al., 2017).

The social media risks described above are present in every organization (Scott & Jacka, 2011; Arnaboldi et al., 2017; Drahosova & Balco, 2017). In (semi-)public organizations especially, controlling these risks is crucial because of the different role and position of this type of organization in society compared with companies (Bovens, Tummers, van Twist, van der Steen & van den Berg, 2017; Wiebinga, 2015; Starreveld & Van Leeuwen, 2008). The position of (semi-)public organizations in society is based on the trust of their stakeholders in these organizations (Houston & Harding, 2013; Clark & Lee, 2001; Nationale Ombudsman, 2012). Organizational reputation, including reputation shaped by social media, and trust influence each other, resulting in a legitimate government (Shmatikov & Talcott, 2005). In addition, (semi-)public organizations have different objectives compared with for-profit organizations. Where for-profit organizations mainly focus on profitability, (semi-)public organizations focus primarily on other goals, such as guaranteeing care and well-being, which are also largely legally established. Next to this, (semi-)public organizations gather and register a large amount of privacy data to comply with the law and execute their operations, which enhances the risk of privacy data leakage via social media (Rijksoverheid, 2013).

Based on the crucial role of organizational reputation, as shaped by social media, and the large amount of privacy data in (semi-)public organizations, this research aims to examine how and why (semi-)public organizations control internal and external social media risks.

The importance of controlling social media risks in (semi-)public organizations, as described above, contrasts with the currently limited accounting and controlling knowledge. Even though social media is a hot item for researchers at the business level, research on social media in the accounting and control literature remains limited (Israel, 2009; Harquail, 2011; Demek et al., 2018). Prior studies addressed the risks involved with social media use (Demek et al., 2018). On the contrary, few studies show how to act upon these risks, while controllers recognize the importance of social media risks (Scott & Jacka, 2011; Deloitte, 2012; Brivot et al., 2017). Demek et al. (2018) developed and used a social media risk model, based on the COSO enterprise framework, with four components. Based on the social media risk model and a quantitative approach, Demek et al. (2018) show that organizations act in a reactive manner instead of using formalized risk management processes. This could possibly result in undue exposure to social media risks. Next to Demek et al. (2018), Brivot et al. (2017) used a qualitative approach to understand how to control reputational risk concerning social media use. This study gives four different perspectives on how to manage reputational risk arising from social media use, resulting in a comprehensive understanding of controlling reputational risk. The accounting professions recommend controlling reputational risk using the control measures that are already implemented in the organization. These two studies indicate that the accounting and controlling literature is starting to move towards explaining how organizations control social media risks.

In line with the described findings of these two prior studies, Demek et al. (2018) and Brivot et al. (2017) showed the importance of controlling social media risk and addressed the importance of examining this more in depth. Although these two studies extend the controlling literature on social media issues, they have their limitations. Firstly, Demek et al. (2018) tested their designed model using a reactive approach instead of a proactive approach. A reactive approach solves social media issues reactively and ad hoc, after an incident has occurred. A proactive approach manages social media issues beforehand, using a standardized system to prevent and repair social media risks. Best practices, such as COSO ERM, recommend using a proactive approach, because a proactive approach results in achieving organizational goals more efficiently. In this reactive approach, Demek et al. (2018) showed a relation between social media policy adoption on an ad hoc basis and the extent of social media use; however, this study did not examine how and why organizations do not use a formalized control system. This contrasts with regular operational and financial risk issues and their control systems. Secondly, Demek et al. (2018) do not use the internal environment component of COSO ERM in their designed model, because they consider this component to touch the whole risk analysis and not specifically the social media risk analysis. In-depth interviews in our research could give insight into whether this exclusion is proper or whether this component should be included. Next to this, Demek et al. (2018) recommend a more in-depth study, paying more attention to policy implementation and to training and technical controls, as a supplement to their own study. Lastly, Demek et al. (2018) and Brivot et al. (2017) used USA-based data and did not distinguish between private and public organizations. This research examines Dutch (semi-)public organizations.

Due to the differences in institutional settings between the USA and other countries, the results of the prior studies and this research may differ. Prior literature showed that culture affects management control. In addition, law and regulation differ between the USA and other countries, for example in labor protection law, which is very strict in the Netherlands in particular, and in the recently introduced GDPR in Europe (Jansen, Merchant & van der Stede, 2009; Kapteyn, Smith, van Soest & Banks, 2007; European Union, 2016; International Trade Union Confederation, 2018; Hofstede, 2001).

Based on the above limitations of prior studies, this research aims to add insights to the model designed by Demek et al. (2018) using a qualitative approach, in which more in-depth information is obtained from different perspectives through interviews with controllers and content analysis of social media policies. This is relevant because an in-depth analysis helps us understand why and how organizations implement policies and control measures in reaction to social media use, and why and how they do not use a standardized control system. In addition, this research analyses whether the model of Demek et al. (2018) is complete, including which impact culture has on managing social media risks. Furthermore, cultural and legal differences may change the manner of controlling social media risks compared with the findings of Demek et al. (2018) and Brivot et al. (2017). Since culture and law differ between Europe, including the Netherlands, and the USA, it is relevant to understand how Dutch controllers manage social media risk on behalf of their organization. The focus on (semi-)public organizations only may change the way of controlling, since these organizations have broader goals and a different position in society compared with for-profit organizations (Bovens et al., 2017; Wiebinga, 2015; Starreveld & Van Leeuwen, 2008). Finally, these new insights match prior studies that plead for updating the accounting and control literature (Berry, Coad, Harris, Otley & Stringer, 2009; Vaivio, 2008).

Based on the described insights, this research contributes to accounting knowledge and literature by extending the discussion on social media in general and its associated business risks. The discussion is extended with a new point of view: the perception and involvement of business controllers regarding social media and its business risks on behalf of their (semi-)public organization. This research follows the call of Demek et al. (2018) to extend accounting research by using the social media risk management model. In practice, organizations could use these new insights when performing their risk analysis and designing control measures.

The remainder of this research is organized as follows. The second section reviews the relevant previous literature concerning social media risks. The third section describes the research methodology, including the data collection and data analysis. The fourth section gives the results of the interviews and the archival study. The fifth section contains the discussion and conclusion.

2 Literature review

2.1 Social media

Social media differs from traditional mass media mainly in having a more active audience and in the control the audience has over what enters the public debate (Humphreys, 2016; Mergel & Greeves, 2012). A key characteristic of social media is the social interaction and communication between its users (Chen, Lu, Cau & Gupta, 2014; Mergel, 2013). Social media can be used for communication and conversations, education, organizing communities and groups, gathering and sharing information, entertainment and other purposes (Kietzmann et al., 2011; Kane et al., 2014; Investis, 2015; Harquail, 2011). Social media is a broad concept; even in the literature, the concept remains unclear (Obar et al., 2015). The speed of social media technology developments and the similarity between social media and other forms of communication challenge the conceptualization of social media (Obar et al., 2015; Mergel, 2013). However, Kaplan and Haenlein (2010) define social media as 'a group of Internet-based applications that build on the ideological and technological foundations of Web 2.0, and that allow the creation and exchange of user generated content'. The aspects that arise in social media services and technology are, first, that the participants interact and engage interactively based on Web 2.0; secondly, the participants create their own profiles; and thirdly, the participants generate content. Finally, social media services connect user profiles in order to enable online social networking (Obar et al., 2015; Chun, Shulman, Sandoval & Hovy, 2010). Scott and Jacka (2011) give a practical insight by distinguishing the following social media tools: social networking sites, blogs, review and rating services, photo and video sharing, podcasts, and knowledge sharing.

2.2 Social media risks

Organizations use social media to serve several purposes. Ployhart (2012) identified seven of them: recruitment and selection, socialization and onboarding, training and development, knowledge sharing, branding and marketing, creativity and problem solving, and influencing organizational culture and change. Besides contributing positively to achieving organizational goals, social media may have negative consequences due to its complexity, the involvement of many organizational units, and spontaneous and unedited content (Bennet, 2008).

These negative effects may result in undesired organizational risks. Demek et al. (2018) identified four risks arising from social media usage based on prior literature. These risks stem from different sources, such as the organization itself, employees, external parties or a combination of these sources.

To start with, social media brings IT security risks due to its IT-based services. Through social media usage in the organization, the IT systems could be infected by spam, viruses, and malware (van Zyl, 2009; Romney & Steinbart, 2018). Next to these technology-based risks, social media could enhance the risk of social engineering, in which employees are persuaded through social media to disclose organizational information, including passwords (Langheinrich & Karjoth, 2010; Romney & Steinbart, 2018). A hacking incident is related to reputational risks, since hackers could post misleading information, which could result in a damaged reputation (Castillo, Mendoza & Poblete, 2011).

Secondly, social media brings information leakage risks. Both confidential corporate information, such as intellectual property, and private information, such as personal consumer or employee data, could be disclosed intentionally or unintentionally. Not only the organization but also employees could disclose this information on their social media profiles. Information leakage could result in non-compliance and legal issues (Langheinrich & Karjoth, 2010; Greene & O'Brien, 2013). The GDPR sets regulatory requirements on privacy and data protection. Since the introduction of the GDPR, there is more awareness of privacy and data protection among organizations and employees (Laybats & Davies, 2018; European Union, 2016). This awareness draws attention to and gives insight into the consequences of data leakage, and this awareness and insight help in preventing employees from leaking data (Romney & Steinbart, 2018).

Thirdly, social media brings productivity risks, since it diminishes the boundary between employees' private and professional lives (Ollier-Malaterre et al., 2013; McDonald & Thompson, 2016). This may result in excessive private use of social media during work, which leads to unnecessary costs due to productivity loss and misuse of resources (Field & Chelliah, 2012; Khansa, Kuem, Siponen & Kim, 2017). In contrast to the empirical studies that show a negative relation, Smith (2013) shows a positive relationship between social media usage by employees and efficiency.

Finally, social media brings reputational risks. Organizational reputation is important since a prominent reputation brings several advantages, such as higher consumer loyalty, higher market value and attracting better employees (Eccles et al., 2007; Haynes, 2016; Power, 2004; Brivot, 2017). Employees' online posts contribute significantly to shaping organizational reputation (Dreher, 2014). However, social media usage by consumers and employees could damage organizational reputation through negative comments and hacking incidents (Brivot et al., 2017; O'Leary, 2011; Castillo et al., 2011). The previously described social media risks are all connected with reputational risks.

Reputation risk due to social media could have a large negative impact on the organization. This research splits reputational risk into internal reputation risk and external reputation risk, since this risk arises both from inside the organization, through employees, and from outside the organization, through external stakeholders. Furthermore, these two perspectives affect the way of controlling reputation risk, since the organization has no influence on external parties, in contrast to its employees, on whom it does have influence (COSO, 2004; Spira & Page, 2003; Mergel & Greeves, 2012; Ott & Theunissen, 2015). Many studies in the accounting and controlling literature focus on identifying social media risks; only a limited number of studies focus on controlling these risks (Demek et al., 2018; Brivot et al., 2017).

2.3 Social media risk control

COSO Enterprise Risk Management (ERM) gives an integrated framework to organize and execute internal control proactively (COSO, 2004). COSO ERM is a best practice to manage risks (Arena, Arhaboldi & Azzone, 2010; Hayne & Free, 2014). This framework encompasses eight interrelated components: internal environment assessment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring. The presence of all eight components in an organization results in achieving organizational goals in an effective manner (COSO, 2004).

Demek et al. (2018) used COSO ERM to develop the social media risk management model (SM-RMM) to manage risks associated with social media. Organizations manage social media risks reactively, while best practices, such as COSO, plead for a proactive manner, indicating a formalized process (Scott & Jacka, 2011). The SM-RMM could be interpreted both proactively and reactively.

The SM-RMM incorporates four components (appendix A). The first component is social media use. This element relates to the objective setting in COSO ERM and addresses the internal and external use of social media in the organization. This item only refers to the use of social media that organizations could control. The basis of this component is the fact that organizations use social media to achieve organizational objectives. Before conducting a formal risk assessment, these goals, including how to use and implement social media, should be clear, because these objectives affect the assessment of social media risks. Due to the reactive fashion of social media control, organizations may implement social media applications to achieve their strategic goals without considering the impact on other departments and on risk management (Larcker, Larcker & Tayan, 2012). As indicated before, social media could be used for different reasons, such as recruiting, marketing purposes, and distributing and collecting information (Ployhart, 2012; Scott & Jacka, 2011; Mergel, 2013).

The second element is perceived risk of use. This component is related to the event identification and risk assessment in COSO ERM and involves the identification and assessment of social media risks. The organization should identify the opportunities and risks that affect the achievement of organizational goals, and the likelihood and impact of the risk items should be assessed. The users' perception of social media risk is directly related to the event identification and risk assessment. Also, due to the reactive fashion of social media control, the perceived risk of use does not rest on a formalized risk assessment. The social media risks themselves were discussed in the previous section.

The third factor is policy implementation. This component is related to the risk response and control activities in COSO ERM and refers to the design and existence of policies concerning social media use. This item addresses how to manage the identified social media risks using policies and procedures. Composing and implementing policies is an important first step in managing social media risks (Scott & Jacka, 2011). An advantage for (semi-)public organizations is that policies are standard practice, due to their legal and policy-based foundation and right to exist (Van Gunsteren, 1985; Van der Knaap, 1995; Bovens et al., 2017). Social media policies need to provide, among other things, information and guidelines about social media use during working hours and about what employees are allowed to say regarding organizational information (Scott & Jacka, 2011; Mergel & Greeves, 2012). Due to the reactive fashion of social media control, organizations may adopt policies ad hoc, without a formalized risk assessment beforehand. The rules in policies must be balanced, because too many or unclear rules cannot be maintained and an excess of rules causes problems (Pheijffer, 2018; Wood, 2003). In addition, human beings cannot process too many rules because of their cognitive constraints (Roberts & Greenwood, 1997).

The last factor is training and technical controls. This component is related to the control activities and to information and communication in COSO ERM, and relates to the measures adopted in the organization to control the social media risks. This item addresses the dissemination of information about new policies through training, and technical controls such as identifying, detecting and repairing IT security issues and monitoring social media use. Training and repetition are important for embedding rules in human behavior and thus for achieving proper social media behavior of employees (Burns & Scapens, 2000; Gioia & Poole, 1984; Becker, 2004). In addition, Kaptein (2016) shows the importance of training in achieving the proper culture. Monitoring systems concerning social media serve an identification purpose, namely identifying relevant information outside the organization. The literature recommends appointing one person as accountable for the monitoring system or tool (Hadi & Fleshler, 2016; COSO, 2004; Scott & Jacka, 2011). Lastly, the literature describes many IT security tools, such as firewalls, passwords and penetration testing, and indicates that these IT security tools have to fit the degree of IT use in the organization (Romney & Steinbart, 2018; Harmer, 2014).

In addition to the concepts of the SM-RMM, Demek et al. (2018) tested their model, based on the reactive nature of social media control, by surveying risk management, audit, and finance professionals in the USA, and found three relations between the components. Firstly, the degree of social media use positively affects the perceived risk of social media use. This clarifies that, due to the reactive nature of social media control, the organization and its employees are more aware of the consequences of social media and its risks if the organization and employees use social media extensively. Secondly, the degree of social media use and the perceived risk of use positively affect policy implementation. This clarifies that when the awareness of social media risk increases, more policies regarding social media use are established. Due to the reactive fashion and the reliance on existing systems, the policy implementation concerning social media use will be ad hoc, without a formalized risk assessment beforehand. Thirdly, the extent of social media policy implementation positively affects the degree of training and technical controls. This clarifies that performing the policy requires training and technical controls. The policy has to be clear and employees need appropriate and regular training before they adopt the policy in their behavior (Shields, 1995; Kaptein, 2016). Technical controls enforce policy adoption by preventing, detecting and repairing policy violations.

The SM-RMM does not address the internal environment and monitoring components of COSO ERM. The internal environment concerns the whole organization and all its processes. The major component of the internal environment is culture, including the tone at the top (COSO, 2004). Other studies showed that this component is important for changing human behavior (Shields, 1995; Kaptein, 2016). The organizational culture is important in controlling the organization because culture is the foundation of the organization and of the control system (Basil & Thompson, 2018; COSO, 2004). The organizational culture affects the internally created social media risks, such as data leakage risk and internal reputation risk, but does not have a direct influence on external reputation risk caused by external stakeholders. Kaptein (2016) distinguishes eight cultural components which provide a solid foundation for the organization and the control system. These cultural components are clarity, role modeling, commitment, achievability, transparency, discussability, calling someone to account, and enforcement (appendix A).

Culture, training, and monitoring help in controlling internal social media risks, but these control tools do not directly influence external social media risks (COSO, 2004; Kaptein, 2016; Demek et al., 2018). Although it is difficult to control external social media preventively, reactive controls, such as monitoring, could signal negative posts. The organization could react to these posts and so mitigate the external and internal social media risk (Mergel & Greeves, 2012; Zhang & Vos, 2014).

Largely built on the concepts of the SM-RMM, including the discussed relationships between its components and the cultural complement, the following expectations can be set. Firstly, the controller is expected to be active in controlling social media risks, since the controller has a broader focus than just financials. Secondly, the controller is expected to have an overview of the social media risks and to actively manage them. External reputation risk in particular is expected to be seen as the primary social media risk, due to its major impact and its limited controllability. Thirdly, the controls within the organization are expected to consist of social media policies, training, monitoring and an open culture in line with the organizational core values. All these controls are expected to be present in the organizations, although each organization may fill them in differently (Savovic, 2017). Fourthly, the cultural component in particular is expected to be important, because it is the foundation of the organization. Fifthly, the social media policies are expected to be substantive, since (semi-)public organizations exist based on regulation and policies (Bovens et al., 2017; Van Gunsteren, 1985; Van der Knaap, 1995). Lastly, these controls only affect internal social media risks; monitoring is expected to be the major and only control component for controlling external social media risks.

3 Research methodology

3.1 Data collection

This research used a qualitative approach to study the research question, because this approach fits the exploratory nature of this research and gives a rich understanding of the examined phenomena. In addition, qualitative research gives insight into the framing of practice in line with the research question and ensures a solid understanding of the controllers' view as key individuals (Bluhm, Harman, Lee & Mitchel, 2011; Radcliffe, 2010). A field study can obtain detailed data about the controllers' perception of social media risk control (Edmondson & McManus, 2007). This research used a field study consisting of interviews with business and concern controllers of different organizations. In total, seven interviews were conducted with seven controllers, each from a different organization.

Controllers are suitable participants since they control the organization. Based on previous literature, the controller is the designated person in the organization who should control social media issues. According to previous studies, the controller takes a different role in the organization than several years ago (Kaplan, 1995; Lambert & Sponem, 2012; Goretzki, Strauss & Weber, 2013; Järvenpää, 2007). The controller's role evolved from a bean-counter to a business partner (Goretzki et al., 2013; Järvenpää, 2007). A bean-counter controller is concerned with the registration of financials and has little contact with others. A business partner has to be more open and is a sparring partner of management on financials as well as non-financials (Goretzki et al., 2013; Järvenpää, 2007; Granlund & Lukka, 1998). In addition, Sathe (1983) splits the responsibilities of the controller into 1) supporting management in decision making and 2) internal control. Since risk management, covering financials as well as non-financials, is part of internal control, risk management should be part of the controller's concerns (COSO, 2004; Spira & Page, 2003). Social media issues could therefore be included in the non-financials. These statements lead to business controllers who could be responsible for the risk management of social media risks.

This research gathered data from Dutch (semi-)public organizations for two main reasons. Firstly, (semi-)public organizations do not have financials as their main motivator, which leads to a broader focus of internal control. Secondly, these organizations gave access to all relevant information, such as insight into their perception concerning social media and their policy documents concerning social media, which fits the timeframe of the research. The controllers and organizations have different characteristics (e.g. organization size ranges from 100 employees to 12,000 employees) (see Appendix B for an overview of the characteristics). The data were collected in a period of four weeks between the sixth of March 2019 and the fifth of April 2019.

The interviews are based on a semi-structured approach, since this adds structure across the various interviews. It also allows flexibility to adjust the interview based on information shared by the controllers and on their organization's specific information and practices, since the organizations and controllers have different backgrounds (Smith, 2003). The interviews were recorded and afterward transcribed. The interview guide is included in Appendix C. The duration of the interviews is on average 45 minutes; no major variances in duration between the interviews were detected except for the pilot interview. Following a deductive approach, the interview themes and questions are based on the theoretical concepts of the literature review, the literature gap and the research question (Smith, 2003; Guion, Diehl & McDonald, 2011). The themes are social media use, social media risks and opportunities, social media policies and social media control.

The first interview is considered a pilot interview, since during and after the interview the clarity and integrality of the questions and the structure of the interview were discussed (Qu & Dumay, 2011). Based on the feedback in the pilot interview, the questions and interview structure were adjusted. The substantive information from the pilot interview is included in the analyses.

The interviews have two different points of view, based on the same foundation and goal. When the controller manages social media risks, the questions are based on why and how the controller uses their system. When the controller does not control social media risks, the questions are based on why the controller does not use a system, and 'what if' questions were asked based on the theoretical concepts.

In addition, secondary data were gathered concerning social media policies (Smith, 2003). Depending on the organization, these policies were publicly available, shared by the controller concerned, or not present in the organization. One organization did not give access to its communication policy, which includes social media issues. This additional analysis verifies whether the controllers' perception is aligned with the organization. In addition, policies are important in controlling social media risks and are one component of the SM-RMM model.

This research uses data triangulation because different data sources are used. Different controllers and organizations with different backgrounds were interviewed. Furthermore, next to the interview data, archival sources were used in the form of policy documents. Data triangulation enhances the validity and reliability of the research (Smith, 2003).

3.2 Data analysis

The data from the interviews and the archival data were analyzed in the same way using content analysis. The first step is to set a thematic coding schedule (Appendix D) based on the literature review, the literature gap, and the research question. Relevant sentences in the transcripts and the gathered policies were coded based on the coding schedule (Lillis, 1999; Smith, 2003). The next step is to analyze the data using pattern-matching analysis, where the data in a coding theme are compared against the theoretical framework. In addition, a cross-case analysis was conducted to compare the data within a coding theme between the different transcripts. The focus is to identify and understand the patterns in both analyses. In contrast to quantitative research, the identification, understanding, and explanation of deviations from the pattern are also relevant to analyze (Lillis & Mundy, 2005). As indicated in the data collection section, all interviews and transcripts are in Dutch. To ensure proper analysis and conclusions, and to eliminate translation bias, the analysis and all other parts of this research were verified by a Cambridge C1-degree translator.

The archival policy analysis consists of two phases. The first phase is an initial screening, in which all policy documents that are potentially relevant based on their title are checked for whether they contain 'steering human behavior rules'. The second phase is the content analysis of the documents that contain 'steering human behavior rules'.

4 Results

4.1 Social media use

In all organizations, informing external stakeholders is the most important reason to use social media. This corresponds to the public functions and social tasks that all these organizations perform in society (Overheid, 2015; Bovens et al., 2017; Starreveld & Van Leeuwen, 2008). All organizations experience social media as a positive supplement to their traditional communication sources. At a detailed level, there are differences in which social media platforms are used. This is in line with the uniqueness and different characteristics of each organization (Savovic, 2017). Whereas all organizations use Twitter, Facebook, and LinkedIn, three organizations use other social media platforms, such as WhatsApp, for external communication. In addition, the depth of the information shared differs. Where one organization posts superficial messages, another organization shares more substantive information on social media, as illustrated by the two quotes below.

‘We are an active social media user in our primary process. … We post the first message within half an hour after an incident has started. … These messages are functional and substantive.’ (Controller E)

‘We use social media, like Facebook and Twitter, to post messages like the first lamb is born.’ (Controller D)

Social media has a more limited contribution to internal communication. However, all organizations have an intranet, which in two organizations also serves as a discussion and blog forum. Sharing general internal information is the most important aim of using social media internally. In addition, all organizations use WhatsApp informally for communication between employees. Prior literature also recognizes these forms of social media tools, as mentioned in the literature review (Scott & Jacka, 2011).

In more detail, organizations use social media to spread information because this technology gives opportunities to reach many people and to react quickly to questions and comments from external parties. In addition, social media is used to notice signals in society and to react to these signals. Social media is also used by organizations to eliminate fake information and to maintain control over the provided information. This is in line with the following statements and with prior literature (Humphreys, 2016; Obar et al., 2015; Mergel & Greeves, 2012).

‘We use the technical opportunities which arise. We look at what sources people in our society use and try to respond to that. … We could react more quickly to questions and comments than the traditional communication resources.’ (Controller B)

‘It is often on social media before we have said anything about it. … We have to try to post the message as clear and reliable as possible, especially since outsiders post incorrect information.’ (Controller E)

Next to the informative aspect, semi-public organizations, in contrast to public organizations, use social media for marketing purposes. Social media is an important tool to establish a positive reputation and to indicate what makes the organization unique. This is because competition is becoming increasingly important for semi-public organizations (Tamminga, 2017; Brain, 1951; Coevering, van der Werf, 2001).


In all organizations, social media is integrated into the responsibility of the communication department. This department takes the executive role and a central directing role in social media use and behavior. The next section addresses this issue in more depth.

4.2 Social media risk

None of the interviewed controllers currently pays attention to identifying and assessing social media risks. This contrasts with prior literature, which expects the controller to be involved in identifying and controlling social media risk given the broadening role of the controller. The controllers perceive reputation risk from external stakeholders as the most important risk due to its limited controllability and unpredictability, as illustrated by the quote below. When a controller is not active on social media himself, the main perceived risk shifts to the leakage of confidential information, and the reputation risk from external stakeholders is seen as a subordinate social media risk. These two risks are in line with the social media risks identified in the literature. The controllers perceive that the degree of social media use affects the awareness of social media risks and opportunities, corresponding to the relation found by Demek et al. (2018). The controllers perceive awareness as an important control, which will be addressed in more depth in the next paragraphs. The IT security risk and the unproductivity risk from social media use are not perceived by the controllers as isolated risks.

‘I see this risk (reputation risk from negative posts by citizens) as the biggest risk, since we (the organization) don’t have any influence on what others post on social media, that makes it difficult. I identify risks based on the impact and likelihood of events where we (the organization) are not allowed to anticipate.’ (Controller A)

Controllers give different reasons for why they do not pay attention to managing social media risks. In general, social media risk and its management are not identified as part of the controller's profession, in line with the quote below. Another controller stated that the impact and likelihood of social media risks are not fully recognized yet. Another controller stated that the organization does not use social media as a formal communication source, which is why the controller and the organization are not involved in social media risks. A fourth reason is that the control role concerning social media risk is not assigned to the controller but to other departments in the organization; this is explained further at the end of this section.

‘Now that we are talking about it (social media risks), I am getting new insights…’ (Controller C)

All controllers have a control plan or system, except for one organization. These control plans or systems consist of an overview of risks and the control measures implemented throughout the year. Although the forms of these plans differ per organization, the scope and purpose remain the same. Although social media risks are not included in these plans or systems, the controllers think it is important to include them, since social media is a source that is used widely and is being used more and more. This is shown in the quotes below. In addition, all controllers recognize that the impact when something negative happens could be immense. The use of a control plan or system is in line with the controllers' best practice models such as COSO ERM.

‘I (the controller) think very largely of the internal control plan, all processes in view and which risks do we run on those processes and a one to two annual updates of the picture of the risks that we are running, and which measures we should take to tackle the risks. I must say that social media as an item of risks is never mentioned in the control plan. So, it is not a process that I focus on in terms of risk thinking.’ (Controller A)

‘Currently, we have not adopted social media in our risk analysis. But it is very good that when we do a risk analysis, we should adopt the whole communication in this analysis, including social media.’ (Controller D)

‘I think we could add social media in a process. Processes are important in controlling risks. I think we have to go to an integrated process, where all aspects, including control measures, are included in these processes. We could add social media very well in these processes as an aspect. But this is currently not the way we are evaluating our processes.’ (Controller B)

In contrast to the controllers of the smaller organizations, the controllers of the larger organizations do not see social media as their risk area and therefore believe that the controller should not have to act upon social media risks. These larger organizations have risk departments and information security departments where social media risks should be addressed. These departments address reputation risks in general and likely also social media risks specifically. In addition, all controllers recognize that social media risks are embedded in more general risks, such as the poor performance of an employee, the IT security controls, and reputation risk in general.

Although the controllers do not focus on social media risk and control, this does not mean that the organizations are doing nothing with these risks and controls at the moment. All organizations have a communication department. This department executes internal and external communication and takes the directing role. Furthermore, the controllers perceive this department as a part-time controller: next to executing the communication, this department is also responsible for the risks and control measures in the communication processes. The communication department should periodically update its processes and risk analyses and execute detective controls to guarantee its processes. The controllers take the advisory function and form the third line of defense because they execute audits. So, the controllers assign the control role concerning social media to the communication department, but the controllers also notice that the communication department is only partially aware of its role as 'part-time' controller (Burns & Baldvinsdottir, 2005). This finding contrasts with Demek et al. (2018) and Brivot et al. (2017), because these two studies indicate that the controller is involved in controlling social media and its risks.

4.3 Social media policy

All organizations have policies concerning social media. However, the form and depth of these social media documents and policies differ. This section highlights the results concerning social media policies based on the conducted interviews. This section does not analyze the actual social media policies and documents; the section 'Archival policy analysis' analyzes the actual policy documents concerning social media of the organizations. Both analyses are relevant since the results of these two different analyses should be in line with each other. This is especially relevant since the controllers are not actively controlling social media, which indicates that these results could differ.

When asked about the social media policies, the controllers are not immediately aware of whether there is a policy concerning social media, which may indicate that there is not much awareness of and attention to this document among controllers. The controllers perceive that social media policies have added value, although some controllers indicate that too many policies are not good either; the organization has to find a balance, which is in line with the quotes below. This may be caused by an information overload, since public organizations have a lot of different policies and people's brains are cognitively constrained. This corresponds to the balance and clarity of rules mentioned in the literature review (Bovens et al. 2017; Roberts & Greenwood, 1997; Pheijffer, 2018; Wood, 2003).

‘It feels double because an abundance of rules is not good, but you want to agree on something in advance about how we do it.’ (Controller C)

‘Rules do not always solve everything. So, you should only come up with rules if it is necessary as a control measure to cover your risks.’ (Controller D)

All organizations have policies about rules of conduct and integrity; these policies can be broadly interpreted and applied to any situation. The controllers think that social media behavior is indirectly included in these policies. However, they also believe that making the policies more specific to social media would add value, because social media has an increasing influence on the organization and on human behavior. This is expressed in the quote below.

‘All employees have to sign the integrity statement, so this means that they conform to these rules and they are approachable on these rules, this integrity statement could be interpreted as wide as possible, so also how to behave on social media.’ (Controller B)

The controllers indicate that two types of policies are present. On the one hand, how to use social media to reach the organizational goals. On the other hand, how to behave on social media. Where the public organizations perceive rules concerning behavior on social media to be relevant, the controllers of the semi-public organizations perceive that this is the responsibility of the employer himself. These controllers also believe that the policy should only focus on the goal of social media. However, all controllers relate to their core values and vision, which indirectly incorporate social media behavior. The literature states that the content of a social media policy depends on the organization, but that the goal of social media, the behavior of employees and the relation with the code of conduct should be adopted in the social media policy (Scott & Jacka, 2011). The information from the interviews is in line with the content of social media policies recommended in the literature.

The controllers indicate that the policies arose from a combination of internal and external circumstances. Internally, the communication department stated that social media control is needed. In addition, in two cases an incident or problem on social media had occurred before. Demek et al. (2018) conclude that social media policies are set in reaction to a social media incident. This finding does not correspond to Demek et al. (2018), since most of the interviewed organizations set their social media policies beforehand.

Setting a policy helps to show the line the organization desires. It also helps to obtain a strong legal position when a problem appears. In addition, public organizations see themselves as representatives of the government, so there is a feeling of pressure to act uniformly. This is in line with how the literature review outlined the right to exist and the legal foundation of (semi-)public organizations (Van Gunsteren, 1985; Van der Knaap, 1995; Bovens et al., 2017).

Although the controllers agree that policies help in controlling social media risks and behavior, the rules in the policy are not the solution. It is about creating awareness, in which social media policies help. This is in line with control best practices such as COSO ERM, which indicate that setting goals and policies is one component of the integral control system. The next section addresses the other controls.

4.4 Control measures

The controllers agree that setting policies helps to set the focus, but it is not enough to control social media risks. The organization has to propagate the policy, as stated, for example, in the quote below. Setting rules alone does not change human behavior. The controllers all point to monitoring and actively responding to social media messages, and to training employees. In addition, the controllers indicate that culture, including awareness of the consequences, is the most important preventive control concerning social media risk. This is in line with the relation described by Demek et al. (2018) that the amount of training and monitoring activities increases when an organization has social media policies.

‘If you capture it in rules, you can do it or not. But if you do not capture it in rules, you can do it or not either. It is important to be aware of it in any case. As an organization, we could write so much when it comes to policy documents, such as social media documents. But the practice may be that we do not control anything at all and let everyone go.’ (Controller A)

All organizations have assigned a monitoring activity to the communication department. This department analyzes social media posts. The reason for this is twofold. On the one hand, questions are observed and answered. On the other hand, negative posts which could harm the organizational reputation are observed. By monitoring, the communication department can respond to these quickly. In addition, the semi-public organizations use the monitoring component for marketing purposes as well, for example, the number of search results or recommendations. The method of analysis differs per organization. Where smaller organizations search on social media tags themselves, the larger organizations and the security organizations have dedicated monitoring tools to analyze patterns. The controllers agree that this helps to a large extent, but messages outside the tags are not noticed. The social media monitoring conducted in the organizations is in line with the social media monitoring system recommended in the literature (Hadi & Fleshler, 2016; COSO, 2004; Scott & Jacka 2011).

The above mainly concerns social media use by external parties. Internally, the controllers rely on monitoring through an open culture, where employees confront each other about their behavior, including social media behavior. This is possible due to the open workplaces and the flat organization. Therefore, there is no formal monitoring, except in one organization, which monitors the application use on employees' mobile devices. In addition, controllers perceive that when an employee does personal activities during working hours, for example social media use, this person can work in the evening in private time. This is in line with the literature review and three of the cultural pillars of Kaptein (2016), namely calling someone to account, clarity, and transparency. When an employee violates the established rules, there are consequences; this is up to the direct supervisor. The first step is addressing employees on their behavior, which could lead to procedures concerning non-functioning. This is in line with the literature review and one of the cultural pillars of Kaptein (2016), namely calling someone to account and enforcement; this component includes sanctioning misconduct.

The degree of training differs per organization. Whereas the public security services train employees formally (e.g. what to do when an incident occurs), the other employees in the secondary processes of the public security services, such as finance and HRM, and the employees of the other organizations receive no or limited training. The smaller organizations use an online awareness tool concerning IT security and privacy; the controllers of these organizations indicate that social media issues could be included in this program. The controllers think it is important to reach all employees, and they see other means to reach employees concerning social media behavior. The communication department actively informs the organization, using the intranet or physical news magazines and meetings with teams concerning the communication policies. In addition, new employees get an introduction meeting where the core values are propagated. The controllers indicate that repetition is a key aspect in standardizing the desired behavior and thereby showing the importance of the organizational values. Overall, except in the public security services, the actual training in the organizations is currently limited, in contrast to the training and repetition recommended in the literature review and in contrast to the finding of Demek et al. (2018). Since Demek et al. (2018) find a relationship between the degree of policies and the degree of training, the results of this study show no such relation, since the organizations all have social media policies but little to no training at the moment.

The most important control is creating a culture in which loyalty to the employer, addressing each other, integrity and being heard are important aspects. This culture must ensure that awareness is created when using social media. This awareness is important because it helps to estimate the opportunities and risks of social media and the desirability or undesirability of the expected responses. The tone at the top is an important aspect of the culture, because the board and management express what they think is important; this is in line with the following quote. This finding is in line with the literature review and the cultural pillars of Kaptein (2016), such as transparency, role modeling, commitment, and discussability. The latter concerns communicating and giving the opportunity to discuss dilemmas.

‘It is important that the manager sets the right example. We also do this consciously to show that it is important to handle this with care.’ (Controller C)

Although the controllers perceive that the organization cannot exercise direct influence on external parties, the organization should deliver the best possible service up front, which affects the social media behavior of external parties. This is not in line with the literature review, because the literature states that uncontrollable risks are out of the organization's scope since the organization cannot influence that risk directly (COSO, 2004; Spira & Page, 2003; Mergel & Greeves, 2012). The 'listening to each other' value in the culture can also be applied to external parties. The effect of this value is that people get the feeling that they are being heard. This results in the removal of the incentive to post negative messages on social media. This is in line with the following statement.

‘I think the organization has a lot of influence (on external posts), because in the end, it is about people being heard, that they could tell their story. … The majority of people who post something negative on social media is because they have not been heard or because they feel they could not tell their story. So, if people initially have a complaint or something is bothering them that they can get rid of it and that they feel that something is being done, which minimizes the chance that they will post something negative on social media which harms the organization. In fact, it is all about providing good services.’ (Controller G)

The controllers perceive that the IT risks resulting from social media use are covered by the IT security policies and their implementation, which are based on the expertise of the IT security department. In addition, the organizations use the general expertise of the national IT department of public organizations. Since social media is an open, internet-based source, the most important IT security control is the firewall. According to the controllers, no explicit IT security measures concerning social media are taken, except for one organization which blocks social media sites like Facebook, LinkedIn and Twitter. However, these sites are still accessible via mobile networks outside the IT environment of the organization. This is in line with the IT control measures described in the literature (Romney & Steinbart, 2018; Harmer, 2014). In addition, the organizations have appointed a privacy officer and an IT security officer, in line with the law and prescribed rules (European Union, 2016). These officers are responsible for privacy-sensitive data and IT security for the whole organization. They are responsible both for the hard controls and for creating awareness among the employees, and they proactively inform the organizational teams and departments. However, these controls are general and not specific to social media use.

4.5 Archival policy analysis

As noted in the previous analysis, the controller is currently not in the lead concerning identifying and managing social media risks. The controllers attribute this control role to other departments. The communication department is the one that composes the communication policies, including rules and guidelines concerning social media. The archival analysis of social media policies is relevant because it verifies whether the controllers' perception is in line with the organization. In addition, social media policies are a starting point for controlling social media risks and are one of the four control components in the study of Demek et al. (2018) (COSO, 2004). The interviews showed that the controllers are only partly aware of these documents. Hence it is interesting to analyze these documents and which rules the organizations set.

Within all organizations, the communication department composes rules about organizational use of social media and behavior on social media. The board or management determines these rules, depending on the organization. Although the extent, shape, and depth of these documents differ, at a higher level these rules correspond to the values and standards set in society and in the organization. The board or management level that sets these social media rules differs per organization. Still, the rules concerning behavior and organizational values are all set by the highest board level. This is in line with the legislation concerning decision-making accountabilities in public organizations and with the literature (Gemeentewet, 2015; Harrison & Pelletier, 2000). Where one organization composed these rules in response to a social media incident, another organization set these rules beforehand to prevent incidents. This is in contrast with the study of Demek et al. (2018), which shows that policies are composed after a social media incident has occurred.

The controllers' perception of the communication department's control role is in line with the statements in the social media policies. Besides the fact that the communication department composes the social media rules and guidelines, the policies explicitly state the monitoring and advisory role of the communication department. Implementing the social media policy is an interaction between the substantive expertise of the primary departments and the advisory role of the communication department. The responsibility for a social media platform differs per organization. Whereas one organization assigns the responsibility for social media platforms to the communication department, other organizations assign these responsibilities to other departments in the primary and secondary processes. This is in line with the literature review, which recommends appointing a responsible person for social media use and monitoring as well (Scott & Jacka, 2011; Mergel & Greeves, 2012).

The policies explicitly state that reputation, which is largely determined by external parties outside the organization, and the sharing of privacy-sensitive information are the major risks of social media use. This corresponds to the controllers' view and is in line with two of the four risks identified in the literature. All policies pay attention to the opportunities and risks of social media for meeting the organizational goals. This is in line with the literature review, which recommends mentioning the goals and the behavior aspects of social media use (Mergel & Greeves, 2012). On the one hand, the rules and guidelines in the social media policies are about how the organization should use social media to achieve these goals. Social media is seen as a tool to achieve the organizational goal. The rules and guidelines are in line with, and a broadening of, the existing policies such as the general communication policies and online strategic policies. Public organizations focus primarily on the use of social media for information purposes. Examples and guidelines on how to respond in specific situations, including the responsible department, are included in the social media policy. The organization's response to social media posts helps in controlling the reputation risk caused by external parties. Semi-public organizations focus on marketing purposes next to the information purpose.

The other kind of rules is about social media behavior. All organizations have rules about this topic; however, the depth and style differ per policy, just like the rules concerning achieving organizational goals. All policies refer to the organizational core values with a translation of how these values are expressed on social media. The literature recommends this linkage as well (Scott & Jacka, 2011; Mergel & Greeves, 2012). In addition, this translation is accompanied by examples of how to react in specific situations. Next to this, most organizations refer in their policies to the social media rules set by the trade union and the national expertise centre. This helps in preventing reputation risks caused by employees and data leakage risks.
