I was invited to do a brief talk about the changing risk environment in local government caused by the continuing impact of social media. What made the invitation particularly attractive was that I would be speaking to SLACIAG, which you now know is the Scottish Local Authorities Chief Internal Auditors group. Internal Auditors have an important role in shaping the risk management and control environment in Councils – so this was a chance to speak to around 30 people who can make a real difference.
I started by asking how many of the auditors had recently reviewed Corporate Communications in their councils. Lots of shuffling and avoided eye contact…
My aim was to give the auditors some background, and some arguments to allow them to move from risk avoidance (ie locking down all social media) to risk awareness and risk management.
You see my notes for my presentation in two formats:
- As a Storify item – it’s a bit long, but tries to bring everything together in one place (doesn’t work with MSIE8 or earlier, sorry)
- As a PDF handout: SLACIAG – Social Media Risks
Both are packed with interesting and useful links to Monmouthshire council who have open social media to all staff, example social media policies and risk check-lists, the US Military’s use of social media, some key Scottish practitioners, what can happen when things go wrong and much, much more. On the other hand, I managed to miss out a great example of the use of social media in Scotland: Tayside Police – with Gordon Scobbie (@DCCTayside), Deputy Chief Constable Tayside Police in the lead and MyPolice Tayside piloting public engagement.
Many of the themes I touched on have been excellently covered: Dan Slee and Carl Heggerty for example, and there is an active local government social media community in Scotland too of course (see spsdg.eventbrite.com for a list)
Social media as an IS Audit issue
“the use of social media is becoming a dominant force that has far-ranging implications for enterprises and individuals alike. … there are significant risks to those who adopt this technology without a clear strategy that addresses both the benefits and the risks. There are also significant risks and potential opportunity costs for those who think that ignoring this revolution in communication is the appropriate way to avoid the risks it presents. The only viable approach is for each enterprise to engage all relevant stakeholders and to establish a strategy and associated policies that address the pertinent issues.”
But then, their suggested audit programme is massively detailed and prescriptive. At this stage an approach like that would only be used by management trying to close social media in their organisation down.
I would argue that in terms of capability maturity, most local governments are just starting up the ladder and it would be more effective to focus on a few key controls and use a bit of common sense, and allow for a lot of process improvement and lessons to be learned, making sure mitigation plans are in place. (One key control clearly is HR policies that make it clear what staff responsibilities are so action is possible if things go wrong, supported where possible by training – but not forgetting that staff can generally be trusted)
Three points, simply put:
Firstly: There is great pressure to use social media for work, in terms of citizen engagement as well as staff practice. It is better to manage the process than try to keep blocking it.
Secondly: this is a classic case where risk management not risk avoidance is the key to success.
Finally: auditors need to decide to what extent is social media still an IS Audit issue, if it ever was.
Communications staff – expect your auditors to start paying extra attention to what you do…