
The 6-Step Social Media Risk Management Plan

by Khoros staff | Jun 19, 2018

No brand wants to be involved in a reputation management crisis due to an employee error on social media or, even worse, an employee who intends to publish something that has a negative brand impact.

As organizations build their presence across platforms to engage and serve customers where they’re at, the scale and complexity of their social media operations will continue to grow. With this growth, there is also a greater inherent risk of something going wrong due to the increased amount of information being managed and the number of people involved. One error could lead to unauthorized communication going viral, hurting your brand’s reputation among consumers.

To prevent this scenario, it’s important to have a social media risk management plan as part of your digital marketing strategy. In this post, we’ll provide a six-step plan to help you ensure your success in protecting and enforcing the security you’ve identified as important for your business. For even more risk management strategies, read our guide: How to Protect your Brand on Social Media.


What is a social media risk management plan?

A social media risk management plan is a series of processes to ensure an organization maintains control over its social media communications with consumers. This includes knowing who has access to accounts, who’s allowed to publish posts or message consumers, and what are the rules when representing the brand online. The goal of a social media risk management plan is to prevent unauthorized communication from misrepresenting the brand through inaccurate or inappropriate messaging.

What social media risks should brands be concerned with?

Social media gives brands the tools to easily communicate with a global audience, but there are a few ways things can go wrong leading to unauthorized brand communication:

User authorization

User authorization refers to what a user is able to do on a platform, essentially a permission level that dictates if someone can view or make changes (and to what extent). On social media, it’s important to make sure each individual with account access has the right authorization level. Letting everyone have admin privileges could enable someone to accidentally or maliciously edit the brand page, or publish an unauthorized communication in the form of a post or message.

Phishing

Phishing occurs when a malicious third party attempts to impersonate a brand and communicate with customers to get them to reveal sensitive personal information. On social media, some individuals will create fake brand accounts and publish posts designed to look like promotional offers, using the same language as the actual organization. By clicking on the link, the consumer may enable the impersonator to access sensitive information such as passwords and credit card numbers. Even if your brand accounts are secure, you should be using social media monitoring tools to identify and address these occurrences as soon as they come up.

Non-secure password

LMG Security notes that an 8-character password can be cracked in under 8 hours, a 10-character password takes 8 years, and a 12-character password takes 77,000 years. The firm notes that organizations often opt for efficiency over security, choosing short and easy-to-remember passwords which make them vulnerable to hackers. Organizations may be tempted to use a simple password for social media accounts that will be shared with many users, but a few extra characters can add a lot more security. Keep in mind that getting your account hacked also means you’re putting sensitive customer information from private messages at risk.

How to develop and implement a social media risk management plan

There’s no one-size-fits-all plan that will work for every organization, as each will have unique circumstances such as the number of platforms the brand has a presence on and how many people are involved in these processes. Still, nearly every brand can follow these best practices when they’re creating their own social media risk management plan, catered to their unique circumstances.

1. Develop a social media risk management policy committee

Social media is a huge part of how brands operate and often requires collaboration between multiple departments such as marketing, customer service, HR, PR, legal, and IT, among others. Thus, your risk management plan should bring together individuals from all relevant departments to create a well-rounded strategy. The full committee will be responsible for developing the plan, but oversight and implementation may be relegated to a smaller group of individuals.

Once you have the policy committee in place…

2. Formalize the policy objective and communicate it to everyone company-wide

Ensure everyone understands the goal and its perceived value. The better people understand it, the more likely they are to champion your message, so ensure the language is clear and concise. The goal should closely mirror your objective for your web security; in fact, the two are often tied together as part of a broader, formally documented IT security strategy.

The objective should clearly outline how your organization is proactively mitigating risks associated with social media, including content publishing breaches, user access, and disparate credential documents living in various places that pose a security risk. Importantly, you will want to formally outline each person's role in the organization, their corporate responsibility, and what is expected of them.

Now that you’ve formulated the security committee and its goals…

3. Perform an audit of all social media accounts and identify all users with past or present access credentials

Ideally, you will also have user credential data. Often, credentials are siloed on an employee’s computer in an Excel document, which is all the more reason you need a governance tool and security strategy in place. Remember to also include your agencies and each agency user that has access to your social accounts. This is key to the assessment: make sure every credentialed user is accounted for.

It can be a difficult process to hunt down all this information in various locations throughout your organization, but it’s a necessary step in establishing a complete security policy. At this point, you will have the foundational information for a successful social media security policy.

4. Formally outline how often you will audit your organization's social media accounts and users

The best practice is to perform a quarterly audit, especially if you have a lot of agency engagement with your social channels. Some organizations do this twice a year; it really depends on how large your organization is and how many users you have globally. You should also always factor in the internal changes that occur within your organization. The governance tool should keep administrator rights updated as needed, but a formal audit is still important because it also tells you whether anyone is working natively, publishing directly on the platform outside the tool.

It’s also a good idea to do a social media risk assessment at least once a year. This involves reviewing your plan and identifying any new vulnerabilities so they can be promptly addressed. Remember that you’ll have to modify your plan over time as your organization expands to new platforms and existing platforms change.

At this point, you have the governance tool in place, a committee has been formed, and you’re developing a policy that defines governance around usage, which essentially means the committee is deciding who, why, and when various users need access to specific social media accounts. This is a huge step forward, and you’re well on your way to achieving success.

5. Develop the internal rules which will allow users access to specific accounts

Going back to user authorization, you’ll need to decide who has access to which accounts and what access level is appropriate for each individual. Depending on what you decide, you may be able to limit permissions within the platform or social media management software, or you may have to set additional organizational rules if there are technological limitations. For example, granting a marketing employee access to publish posts may also enable them to respond to private messages, even if you only want your care team to handle these interactions. Make the guidelines clear so that each person knows exactly what they are and are not allowed to do on social media.
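The following is an added example, not code from the Khoros post: a small Python check of the kind the audit in steps 3 to 5 calls for. It compares each user's effective permissions on a brand account with the role policy the committee decided on, flags a marketing user who can also answer private messages, and flags a former agency user who still holds credentials. The roles, permission names, admin threshold and sample grants are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed role policy (assumption): what each role may do on a brand account.
ROLE_POLICY = {
    "admin": {"edit_page", "publish", "message", "manage_users"},
    "marketing": {"publish"},  # publish only; private messages stay with care
    "care": {"message"},
    "agency": {"publish"},
}
MAX_ADMINS = 2  # assumed threshold: admin rights for as few people as possible

@dataclass
class Grant:
    account: str
    user: str
    role: str
    permissions: set  # effective permissions as configured on the platform
    active: bool      # still employed or under contract

def audit(grants, roster):
    """Return (account, user, finding) tuples for every grant that violates policy."""
    findings, admins = [], {}
    for g in grants:
        # Step 3: every credentialed user must be on the current roster.
        if g.user not in roster or not g.active:
            findings.append((g.account, g.user, "stale access: revoke credentials"))
            continue
        # Step 5: effective permissions may not exceed what the role allows.
        excess = g.permissions - ROLE_POLICY.get(g.role, set())
        if excess:
            findings.append((g.account, g.user, f"excess permissions: {sorted(excess)}"))
        if "manage_users" in g.permissions:
            admins.setdefault(g.account, []).append(g.user)
    for account, users in admins.items():
        if len(users) > MAX_ADMINS:
            findings.append((account, ",".join(users), "too many admins"))
    return findings

def run_sample():
    """Constructed inventory: a marketing user who can also answer DMs, an ex-agency user."""
    roster = {"alice", "bob", "dana"}  # users the committee currently authorizes
    grants = [
        Grant("brand_twitter", "alice", "admin", set(ROLE_POLICY["admin"]), True),
        Grant("brand_twitter", "bob", "marketing", {"publish", "message"}, True),
        Grant("brand_twitter", "carol", "agency", {"publish"}, False),
        Grant("brand_facebook", "dana", "care", {"message"}, True),
    ]
    return audit(grants, roster)
```

Running `run_sample()` reports bob's extra message permission and carol's stale agency credentials; alice and dana match their roles and produce no finding.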

At this stage, your policy framework should be in place.

6. Educate each user on which networks they have access to and the timeline associated with that access

Beyond platform access and permission levels, make sure each employee is educated on the broader social media risk management plan so they understand the big picture and reasoning behind these precautions. Doing this will ensure nobody takes a shortcut when it’s time to create a new password or share access through an unsecured method.

It's important that everyone in your organization knows they have a responsibility and role to play in keeping the brand safe on social media. Quality social media management software is a crucial piece of this, but it’s only part of the solution. It's just as crucial that you have the policies and processes in place that we've outlined here.

To learn more about how to protect your brand on social media, download our free, comprehensive whitepaper: How to Protect your Brand on Social Media.
