Enterprise 2.0, Policies and Compliance

Mike Gotta asked me to join him on a panel about the policy and compliance issues at the Enterprise 2.0 Conference in Boston. This was my fifth Enterprise 2.0 conference: 2007, 2008, 2009, 2009 San Francisco.

That the audience was interested in compliance and regulatory issues is an indication of the industry maturing.

“Policy formation, governance and risk management programs are a critical requirement as organizations assess implications to the enterprise (e.g., identity assurance, data loss, compliance, e-Discovery, security), arising from internal and external use of social networking and social media. This panel of social media and Enterprise 2.0 practitioners will discuss real-life approaches that address management concerns.”

The panel consisted of:

  • Mike Gotta, Principal Analyst, Gartner
  • Bruce Galinsky, IT Director, Global Insurance Company
  • Abha Kumar, Principal, Information Technology, Vanguard
  • Doug Cornelius, Chief Compliance Officer, Beacon Capital Partners LLC
  • Alice Wang, Director, Gartner Inc.

I took the opportunity in my introduction to set the stage for the view of most compliance and in-house lawyers:

“I’m the ‘NO’ guy in your organization and most likely the person to bring your enterprise 2.0 or web 2.0 project to a grinding halt. People in my position do not want to hear about being social. I don’t care what you had for lunch or what your kids did last night. I don’t want to endanger the multi-million dollar value of this company so that you can play with Facebook inside the office. Now get out of my office before I sic my flying monkeys on you.”

We were unsure when planning the session whether the audience would be interested in issues related to external or internal policies. Overwhelmingly, the audience voted for a focus on internal.

One of the initial questions was whether you even need a policy. We were largely in agreement that you may not need a new separate policy. However, I pointed out, your compliance/legal department is going to want one.

Largely, the risks with enterprise 2.0 are not new risks. The big difference is that the bad stuff is now findable. Most evangelists proclaim the benefit of finding the good stuff you need to do your job better and to encourage innovation. The downside is exposing the bad stuff and opening the enterprise up to liability.

We eventually got to the point in the discussion about whether you let personal-issue communities form internally. Should you allow an employee to set up a wiki or discussion forum on religious, race or political issues? Generally it will take some action to create a new community on the enterprise 2.0 platform. Undoubtedly, there will be some need to control the creation of communities and therefore a need for a policy.

There was some discussion about content, control of the content and fixing mistakes. Personally, I have less concern about that. You need to encourage the team to keep the information current and correct. If someone is operating with the wrong information it is better you know about it and can fix the problem. The alternative is not knowing about the problem because it lives in an email silo, allowing the bad information to continue uncorrected.

When trying to draft a policy it is very useful to look to external policies for ideas and approaches. My social media policies database is a good place to start looking for precedents. The public web 2.0 industry is well ahead of the slower enterprise 2.0 industry.

Some other issues:

  • FTC and the disclosure of “Material Connection” (see FTC and Bloggers)
  • EU Data Privacy
  • Records Management
  • Discovery and Lawsuits
  • First Amendment
  • Human Resources Issues
    • Labor relations
    • Recommendations
    • Overtime
    • Retiree and alumni involvement
  • Hiring Discrimination
  • Off-Duty activities
  • Company IP, logos and trademarks
  • Monitoring – if you have a policy you need to enforce it.

Each company has a different set of issues they are worried about. Each company also has a unique corporate culture. So there is no right way to draft a policy. You really need to pick and choose, finding the different elements that will work in your enterprise.