Social Media Policy & Procedures


With the widespread adoption of social media by employees and within business operations, risk management professionals continue to establish a set of policies and procedures to guide social media usage. Companies are at various stages of establishing training awareness programs to ensure that employees understand what constitutes legitimate activities and what would be deemed as violations. With the evolution of more sophisticated monitoring toolsets, companies now have an opportunity to evaluate employee social media usage both inside and outside the confines of corporate networks and infrastructure. However, a recent settlement in a high-profile case has sent companies back to the drawing board to reevaluate their social media and Internet policies and procedures.


A Connecticut-based corporation fired an employee for posting negative feedback about a supervisor on her Facebook page. The language in the policy established by the company prohibited employees “from making disparaging, discriminatory, or defamatory comments when discussing the company or the employee’s superiors, coworkers, and/or competitors.” The National Labor Relations Board (NLRB) filed a complaint saying that the employee’s firing violated federal labor law because she was engaged in protected activity when she posted the comments, and that the employee was illegally denied union representation during an investigation. Based on the NLRB’s actions, the company agreed to revise its corporate policies, which had been deemed by the NLRB to restrict employee rights and also to prevent the employee from discussing other topics such as wages, hours and working conditions.

Because of this action, companies are being challenged to evaluate whether their policies violate the rights of employees and potentially can be deemed as being in defiance of the National Labor Relations Act, which not only applies to organized labor, but also to all private employers in the United States.

Challenges and Opportunities

Companies need to take a step back and reevaluate what social media and Internet policies mean for their specific and unique business operations and culture. Some companies, in the process of putting in place a firmly established set of policies, have researched examples of other company policies and elected to establish these as their own, without giving thought to employee use ramifications and potentially without having necessary involvement from key company stakeholders such as corporate counsel, risk management and internal audit personnel. This is not a prudent approach. When seeking to establish effective, impactful and legal policies for social media and Internet usage, the adage “one size does not fit all” is highly applicable.
As organizations seek to find the right balance of language and direction in their policies, they also need to be transparent about how they will monitor for compliance, what constitutes a violation, and what recourse may follow when violations occur.

Finally, companies need to engage their employees in the process to better understand what social media capabilities may be used and the reasons why these capabilities may be desirable not only from an individual employee’s perspective, but also for the company’s overall benefit.

Our Point of View

The implementation of social media and Internet usage policies should be a managed lifecycle process that thoughtfully involves key decision-makers within the company and ensures ongoing review of adoption and of potential violations of the implemented guidance. More specifically, companies should consider the following:

  • Determine the goals and objectives of the social media capabilities as linked to corporate objectives and key initiatives.
    • Determine how employees may want to leverage social media to engage with customers and prospects.
    • Understand how social media capabilities will supplement other marketing capabilities.
    • Establish metrics for measuring the achievement of goals/objectives established for the social media capability.
  • Assess the risks of social media capabilities and ensure that this risk profile fits the corporate culture and overall control environment in place for the organization.
    • Review policies and procedures against existing labor laws and protected free speech rights.
    • Refine training and awareness programs to enable employee understanding and obtain feedback on potential issues with the advent of new capabilities.
    • Explore use of automated technologies to aid in monitoring employee and company activities, but make sure that such use is understood by employees. 
  • Create a governance and support framework that enables ongoing evaluation of the social media lifecycle and adherence to the defined policies.
    • Identify the policy custodians and empower them to implement changes quickly and as advised by company leaders.
    • Analyze gathered metrics information and determine changes in approach and usage, as needed.


How We Help Companies Succeed

We work with companies to implement social media policies and procedures and then evolve them as the organizations and their employees adopt new capabilities. We also help companies implement a governance process for rolling out social media capabilities and provide a structure that enables organizations to leverage social media to support corporate initiatives. In addition, our experts assist companies as they design, implement and execute awareness programs based on different technologies and capabilities, so that their employees develop a clear and measurable understanding of policies and the organization has transparency around monitoring practices.


Protiviti was engaged by a global financial services organization that was debating how to allow social media technologies to be used in its highly regulated brokerage environment. In our role as project manager, we ensured the variety of stakeholders (from marketing and communications to compliance) had a voice in articulating a set of prioritized requirements for the program. We worked with our client to define expectations for outcomes and establish meaningful metrics. We also evaluated social media tools for “rightness of fit” against the collective requirements, and reviewed business processes to ensure that the new tools could be integrated with existing procedures and established policies could be modified to align with the expectations of the enterprise.

We defined a pilot to test the completeness of the modified policies and practices. After making several procedural modifications based on the pilot, we worked with our client to define and execute an awareness and training program that would leverage the tools as the program scaled across the organization. Automated feedback systems and metrics reporting were established, which allowed both in-line monitoring and periodic auditing of the environment against internal and regulatory requirements.


Tom Andreesen
Cal Slemp
Jonathan Wyatt