Do organizations use a formalized risk management process to address social media risk?

Social media use within the workplace is widespread; however, little is known about how organizations actually manage social media risk. We use the Committee of Sponsoring Organization's Enterprise Risk Management Integrated Framework (COSO, 2004) to develop a social media risk management model (SM-RMM) that includes four components: (i) social media use, (ii) perceived risk of use, (iii) policy implementation, and (iv) training and technical controls. We utilize the model to examine whether the manner in which organizations address social media risk is consistent with a formalized risk management process. Survey data from 98 risk management, audit, and finance professionals shows that the extent of organizations' social media use increases the perceived risk of social media use. In addition, the effect of the extent of use on the implementation of social media policies is greater for organizations with higher levels of perceived risk of use. Finally, organizations with more extensive social media policies have more extensive training and technical controls. The study's findings indicate that organizations are adopting social media policies and controls in a reactive fashion, as opposed to using a formalized risk management process. This may unduly expose organizations to social media risks. Our model provides a framework for future research on social media risk management.