Risk management is an incredibly important discipline in business, yet it is sometimes overlooked within an organization’s Social Media strategy. Some companies have social media as a line item within their risk management plan. Many companies have defined a social media policy and some even have an escalation process. Given how fast and unpredictable Social Media is – are these steps enough? Only you can answer that.

If you want a more thorough social media risk management plan for your company – these 5 steps will help you create a rock solid plan.

1. Identify as many social media risks as possible

The key to successfully identifying the social media risks is to take a cross-functional approach. It is important to have participation from the various parts of your company. In my experience, having solid cross-functional participation in this process enables the identification of the most likely risks and the best mitigation plans.

Participation can be an in-person meeting, an on-line collaboration session or an email exchange. As the leader of the social media risk management plan – you want to ask the cross-functional participants to brainstorm all of the possible events (positive or negative) that could occur via social media. You want those risks and opportunities to be defined in a very specific way – so be sure to give them those instructions. For example, provide them with a couple of formats of how you want the events stated – below are a couple of my favorites.

(insert risk/opportunity) may occur during (insert event) thereby causing an impact to (insert what will get impacted).

If (insert risk/opportunity) occurs, then an impact to (insert what will get impacted) will occur.

Be clear that this exercise is not an opportunity for people to start asking questions or putting forward action items. Instead, they need to be thoughtful about the risk they are identifying by stating the event as specifically as they can and detailing the area(s) of the impact of the event. As well, they need to think about the ability to quantify the event and the impact in terms of probability of occurring and significance of the impact.

2. Compile and sort the identified risks

Once all of the events have been identified, they need to be compiled into one document. My preferred way of compiling the events is to use an Excel sheet or table with 8 columns. The headings for the columns are 1) Category 2) Risk/Event/Threat 3) Probability 4) Impact 5) Overall Rating 6) Priority Ranking 7) Response Strategy 8) Back-up Response Strategy. Take all of the risks that have been identified and copy and paste them into Column 2. If the participant provided a quantification of the probability and impact – try to translate that into a 1 to 5 rating in columns 3 and 4. Sort the events by Category in column 1. As well, I have found it helpful to have two different tabs or documents, one for risks and another for opportunities. It is important to remember that these events can be both negative and positive. Once you have done this, your team will be ready to qualify and quantify each event.

3. Qualify and quantify each event

This part of the process almost always needs to happen within a facilitated meeting. It is helpful if it is a face-to-face meeting, however, an on-line collaboration type meeting would work as well. The important part is that participants have visibility to the document and the changes that will be made to it during the meeting.

The purpose of this meeting is for the team to:
1) view all of the possible events that have been identified.
2) qualify and quantify each event.
3) allow new events to be identified.
4) prioritize the events.

During the meeting, each event is discussed. Sometimes the event will be re-worded based on the discussion. Then the team needs to give the event a rating in terms of probability of it occurring. I use a 1 to 5 scale with 1 meaning it has a very low probability of occurring and 5 meaning it is very likely to occur. In terms of rating impact – this is where the discussion will likely get deep with your team. The impact part is complicated because it can be defined in a number of different ways. One strategy is to have a discussion with the team at the beginning of the meeting to gain alignment on a maximum of 3 to 5 types of impact. Reputation or Brand is usually one that comes up frequently. A second one might be money related and a third may be legal in nature. These are just examples and vary widely based on industry. Regardless of the impact – it needs to be quantified on a 1 to 5 scale. Once the probability and impact have been quantified, as a team you can provide each with a priority rating. This is typically a bit of a math exercise (probability X impact) – but it is smart to review them and make an adjustment based on known business considerations.

4. Develop response strategies

Once you have a prioritized list – the next step is to develop response strategies for each event. In terms of event response strategies, they take the form of 4 approaches namely avoidance, mitigation, transference, and acceptance.

Avoidance is an approach which involves eliminating the potential eventuality. In terms of Social Media, this sometimes means that the social media policies need to be updated and/or expanded. It might also mean that social media strategies will proactively consider these risks and aim to ensure that they do not trigger the event.

Mitigation is an approach whereby there is a strategy that is executed to reduce the effects. If an event that you identified as a risk or opportunity occurs, what immediate next steps will be executed?

Transference is a traditional risk management response approach that involves a contractual or legal shifting of the risk from one party to another. In Social Media, this particular approach is incredibly tricky. But it is still a possible response that can be considered.

Acceptance means that the severity of the risk is low enough that you will do nothing if the risk occurs. This is not the same as not planning for that event. Rather, it means proactively planning that, as the event comes to fruition, there is an active and conscious decision to do nothing or to respond to the event directly, with no attempt to avoid, mitigate or transfer in your response. Remember that a risk is positive or negative. If the impact of an event is positive in nature, you would want an acceptance type response planned to be able to positively benefit and amplify the impact.

For traditional project management risk management activities, choosing one of the 4 strategies is enough. For Social Media purposes, I recommend having an initial event response strategy and a second one should the first strategy not adequately manage the event.

5. Monitor, respond, and update

The final step is not really final at all. It is a Social Media Risk Management program that is alive and well. Ensure that your social monitoring team, process, and systems are always reflecting the Risk Management plan that was developed. Respond as planned and update the plan based on lessons learned.
