I recently attended an interesting educational session held by the Vancouver Chapter of ISACA. At that talk, one of the presenters likened social media to cocktail parties on steroids. As with cocktail parties, social media sites offer the good and the bad. On the plus side, there is information sharing, resource evaluation and service rating and on the bad side there is the too much information phenomenon, narcissistic posturing, and sometimes creepy stalking. For better or worse, social media is here to stay and organizations, including financial institutions, recognize that they need to learn how to maximize the benefits and manage the risks in the brave new world of Enterprise 2.0 or face being left behind the pack as an Enterprise 1.0.

Some of the business benefits of using social media include: recruitment of new employees through sites such as People.com, Zoominfo or Linked In; employee retention, especially of the so-called Millenials who are said to thrive on using social media technology; crowdsourcing initiatives such as Starbucks Coffee that uses social media to ask customers what they think about everything from service to advertising; creation of connections internally to leverage in-house knowledge and talent; creation of a collaborative, continuous and connected learning environment.Many excellent examples of how social media can be used to good effect within the Enterprise 2.0 can be found on www.Socialmedia.org.

But what of the risks? Fans of social media will tell you there are risks in not adopting social media – of remaining an Enterprise 1.0 in a Web 2.0 world.  Frustrated employees can end up creating skunk works social media projects; loss of brand control in a Web 2.0 world leading to reputational damage; loss of market share to competitors who are using social media to gain market share; and low employee morale and high employee turnover.  These opportunity costs all add up to a compelling case for most organizations to jump on the Enterprise 2.0 band wagon.

Even the biggest fans of social media do not advise adopting it in an uncontrolled manner, however. The key to successfully mitigating the risks associated with adoption of social media is governance. For the Enterprise 2.0, governance includes:a clear social media business strategy; a clear social media policy or set of guidelines for employees outlining appropriate use; developing the right infrastructure (e.g., several different social media platforms in one organization on which employees must maintain profiles and keep up-to-date will only add more work and create frustration, not help retain and enable good people) ; active sentiment monitoring of the organization’s brand in the “blogosphere” and on social media sites; a proactive organizational protocol for responding to negative sentiments or social media “incidents”; adequate privay and security policies and controls.

What I am not hearing about from many firms yet is recognition of the need to ensure that business communications exchanged using social media are captured and controlled in a manner that is consistent with the management of other business communications, such as email, and that policies, procedures and plans are in place to ensure that the way in which these communcations are handled meets legal, regulatory and e-discovery requirements. Financial institutons, along with other orgnizations, should be incorporating social media archival retention/preservation plans into their existing archival plans. Those who don’t risk the kinds of stiff penalties that have, in the past, accompanied failures to properly manage and preserve emails.  Just last week, FINRA, the US Financial Industry Regulatory Authority issued  an advisory notice (http://www.finra.org/Industry/Regulation/ Notices/2010/P120760) requiring that Brokerages must record employees’ business-related postings on Web sites such as Facebook, Twitter and LinkedIn to ensure brokers don’t skirt internal controls.  The advisory note also said that Firms that archive client communications including e-mails need to adopt similar policies for social networking sites and may use software to automatically log brokers’ Web messages.  Some technology providers are developing systems that are intended to enable firms to retain records of communications made through social networking sites.  CiFER will continue to monitor develops and provide updates through future postings.

Dr. Victoria Lemieux, Director, CiFER

It seems everywhere I look these days, there’s a conversation about systemic risk.  There are three main ways in which I think records intersect with systemic risk: (1) as an exacerbating factor during times of systemic stress; (2) as a barrier to transparency and accountability post failure and (3) as a means of monitoring levels of systemic risk. 

 We need only look as far as the recent collapse of Lehman Brother’s for a case study of how records both exacerbate other risks under stressed conditions and complicate the work out of risk issues.  Transparency of products was a significant contributor to recent financial turmoil.  Back in 2007, the former Governor of the Bank of Canada, David Dodge observed that increasingly complex structured products were being developed in response to the demand for higher returns. And as these securities became more complex and opaque, in many cases, it became harder to assemble and understand all the information needed to determine what kinds of assets were backing the securities, the quality of those assets, and the counterparty risk involved.  The Governor’s observations predicted the set of circumstances that would contribute to the spectacular collapse of Lehman Brothers in September of 2008, and the reason why so many other banks were affected by the Lehman Brothers’ collapse. 

 At the recent the AKJ Associates’ Electronic Evidence and E-Discovery Forum in London (UK), Jon Hayton, Director of Forensic Technology Solutions at PwC, noted that as part of PwC’s work as the UK administrators for the Lehman Brother’s UK operations his team needed to capture and preserve all data after the collapse.  This process was particularly challenging due to the complex global operations of the firm, but also because of the over 3,000 different IT systems – from spreadsheets, to complex Sybase databases, to bespoke databases – that produced and held the firm’s financial records.  The PwC team has said that Lehman’s faced more risk and cost through poor information management.  This sentiment is echoed in the report on the Lehman’s collapse by the Committee of European Securities Regulators, which notes that maintaining adequate documentation of investments is an essential part of firms’ systems and controls, and is particularly important in stressed conditions.  The report doesn’t mince words on the records issue: bluntly stating that those firms with good records were best placed to assess their exposure to Lehman Brothers as the bank entered administration.

In terms of the third area of the records/risk nexus, the regulatory response to apparent information failures during the global financial crisis is the focus of a recent report on systemic risk out of JWG-IT, a UK financial services think-tank, in the words of PJ DiGiammarino, CEO of JWG-IT, the regulatory response to the global financial crisis has been “to require investment firms to report to the regulators more data from more sources on an ad hoc and periodic basis that must be scrutinised with more care, retained for longer periods of time and shared more widely, possibly being used for additional purposes which have not yet been made clear.”  “This is a very dangerous place to be.” concludes DiGiammarino.  Much as they are often overlooked, records contribute to, and complicate recovery from, market information failures.  If we understand this we are better placed to mitigate risks, whether those risks are internal to a financial institution, or of a systemic nature.

Dr. Victoria Lemieux, Director, CiFER