When COVID-19 erupted into our lives, we had to adapt quickly, working from home despite what our digital policies might say about security and personal devices.
I’ve taken that opportunity to address other events that should trigger a close review of digital policies -- so far, natural disasters and changes in technology. This post will address the type of digital policies organizations should review when they’re facing significant business changes, such as looking for an investment of venture capital, seeking a buyer, making your first foray into the global market, or buying or merging with another company.
I’ve always presented digital policies in light of risk vs. opportunity. Some companies are more open to taking risks than others, and their digital policies reflect that. They may give individual employees more freedom when it comes to posting on social media, for example. Other risks run deeper, such as when companies focus on time-to-market, assuming they’ll go back later to properly document things like processes, product specs, coding, etc.
The bottom line, though, is that no one wants to invest in, buy, or merge with a company whose digital activities present a huge risk. Think of it in terms of the GDPR. The penalties for violations are so high that no company in their right mind would legally bind themselves to an organization that doesn’t have a good grasp on consumer privacy. And that’s just one example. A smart buyer or investor is going to be digging through every aspect of our business, looking for areas of risk. Hopefully, everyone involved in digital policies will be given a heads-up before the C-suite puts the wheels in motion, giving you time to comb through your own digital policies with the intent of moving toward a position of greater safety.
Your mission in this scenario is to rein in risks -- whether calculated risks or things that slipped through the cracks. Let’s take a look at some of the things that should be on that list.
Review your social media policies and make sure they reflect your new “safety first” mode. You may need to rewrite some digital policies, retrain employees, or implement new work processes to reduce the possibility of someone posting something that damages the company.
It’s not just the front-line employees you need to worry about, as the recent headlines about Elon Musk’s social media misadventures -- including Tweeting that he thought the company’s stock was overpriced -- illustrate.
Not only can such ramblings cause employees, customers, and potential buyers or investors to question leadership abilities, there are legal issues as well. In 2018, for example, Musk Tweeted that he had “funding secured” for a private takeover of Tesla at $420 per share. The SEC filed a complaint, claiming that Musk had committed securities fraud.
Musk and Tesla made a settlement with the SEC -- a settlement that put a number of restrictions on Musk’s activities with the company, one of them being that Musk couldn’t Tweet about certain topics and that Tesla had to come up with a way to monitor any Tweets he did post (something that obviously wasn’t implemented very well).
As another example, think back to last October, when Daryl Morey, GM of the Houston Rockets, Tweeted his support of Hong Kong protestors pushing for more freedom from mainland China. It started quite the chain reaction, with China taking great offense to what they considered an internal political matter, and fans in the U.S. becoming upset at what they saw as a U.S. company “caving in” to pressure from China. (It’s worth noting that American basketball is big business in China.)
You can read more about the details in the link (and the story is resurfacing now that the NBA has announced that it’s considering plans for reopening after the coronavirus pandemic). The point is that, when an executive’s personal post could be perceived as the position of the company, it should be treated as such. And that’s almost always the case.
Coming up with digital policies that effectively govern what C-suite employees can and can’t do on social media can be difficult (especially when you have a CEO who thinks the rules don’t apply). One way to address that is through executive employment contracts. Otherwise, it will be up to the board and the rest of the executive leadership team to hold each other accountable, and your digital policies should specify that doing so is part of their fiduciary responsibilities.
However, when it comes to offensive posts that go viral, it doesn’t matter much (in the public’s eyes, anyway) if it was an officer of the company or a front-line employee. Check your social media policies -- and your means of enforcement -- for things like this:
I could go on forever listing specific policies, but the bottom line is this: If you’ve had lax policies regarding who posts on your social media accounts, or what employees can post about the company on their personal accounts, it’s time to tighten them up. If you already have strict policies, it’s time to make sure they’re actually being enforced.
When it comes to financial risks, data security ranks near the top. Here are some things to think about:
Again, I’m not trying to cover everything related to data security -- just to give you some food for thought!
Compliance is another area where the risks pack a punch. Lack of compliance with the GDPR, for example, can result in fines of almost $25 million or 4% of the organization’s worldwide revenue from the previous year, whichever is higher -- so you can be sure that any company considering investing in or buying your organization will take a close look at your compliance with privacy laws.
Another potentially expensive compliance problem often shows up when a company is involved in litigation. During one wrongful termination suit, for example, employees deleted emails relevant to the case even after the company had been instructed not to. When the case went to trial, the judge allowed the jurors to infer that the deleted emails supported the plaintiff’s claims. They ended up awarding her $29 million!
Today, though, the word “compliance” usually refers to regulatory requirements, such as:
And, if you’re in an industry that has regulations with digital implications, make sure you’re in complete compliance.
Taking your company global is a big step for any company, full of both risks and opportunities. The most important advice I can give you is to make sure you know and follow all laws pertaining to your digital activities. Here are a few examples:
And that barely scratches the surface. So the main takeaway here is to do your homework and develop both your digital policies and your means of enforcing them before beginning to do business in another country -- even one you think you know well.
Things are a little different when you’re the one considering an investment in or partnership with another company. In that case, you want to examine their digital policies just as closely as you’d examine your own if the situation were reversed. (And if your executive team doesn’t realize the magnitude of risk involved, give them a heads-up and request permission to examine the target company’s digital policies.)
Here are a few additional things to consider:
Reading through all of those examples can make your head spin, no matter how long you’ve been involved in digital governance. But the important thing to remember is that, if you’re facing a major change in your business, it’s time to batten down the hatches and play it safe, whether that means changing policies that intentionally embraced risks or making sure existing policies are being followed. After all, risk is money, regardless of which side of the table you’re on. That’s why it’s so important to examine digital policies for risks and to eliminate them as soon as possible.
Want more practical advice on digital policies? Read other articles in “Shifts in Technology” series:
Part 1: Do your digital policies address natural disasters?
Part 2: Digital policies are no good if they’re static
Part 4: How to set your digital policies up for continuous improvement
Need a hand getting your policies in order? Get in touch to schedule a workshop or discuss a consulting engagement.
Photo by Danting Zhu
Sign up and stay up to date by getting insights like this delivered to your mailbox.