ESG Investors Target Facebook for Repeat Failures in Risk Management

Steven Minsky | March 23, 2018

Facebook’s market capitalization dropped as much as $60 billion after reports emerged that Cambridge Analytica, the data consulting firm used by the Trump Campaign, was given the data of around 50 million Facebook users without their consent.

The Cambridge Analytica scandal is the latest in a series of risk management failures that have plagued the social networking company, which has been grappling with its role in the dissemination of fake news propaganda during the 2016 U.S. presidential election.

The fallout from these repeated risk management failures is compounded by what I call the see-through economy: a fast-paced, ultra-transparent age of ever-increasing interconnectivity and technological innovation where consumers and investors can speak out when companies and brands fall afoul.

Facebook is rapidly losing its reputation in the see-through economy. This means that the Facebook brand is tarnished. When a company’s brand does not meet the expectations of privacy and accountability, their users are more likely to choose an alternative product to make a statement. In Facebook’s case, users have organized themselves into a movement using the #deleteFacebook hashtag.

There is a increasing trend of Environmental, Social, and Governance (ESG) investing which is a parallel outcropping of the see-through economy. ESG investors are sending a message that they’re tired of negligence and the mishandling of corporate scandals. Already, shareholders are speaking up about their expectations not being met in a corporation’s risk management programs.

Trillium Asset Management, on behalf of the Park Foundation (which owns Facebook shares), has called on the company to establish a risk oversight committee that would “better review Facebook’s impact on society and how to mitigate risks.”

In January, I told Tony Chapelle of The Financial Time’s Agenda Week, it’s clear to me that Facebook hasn’t taken a risk-based approach to solving this problem because the Facebook board declined to put critical pieces of the risk management process in place. Risk oversight committees with appropriate infrastructure, software, processes, and governance have been proven to be effective.

A risk oversight committee is responsible for the risk management process effectiveness that includes setting a risk tolerance that creates a balance between an adequate level of governance over third-party access. The risk tolerance should be based upon the risk-reward tradeoff of selling data or making it available to third parties versus the protection of the privacy rights of their user community. The risk tolerance framework is both measurable and enforceable.

All corporate scandals are preventable. These scandals are buried deep in the operations of the company, often known for six months to several years ahead of time and typically reported to supervisors and mid-level managers. The problem is that these individuals often can’t identify the root-cause of these incidents, and do not have the means to connect with employees across the silos of their work groups to understand how related risks transpire in other areas of the business. This means systemic risks aren’t addressed, and managers aren’t able to engage the right resources to fix the heart of the problem.

These days, companies seem to be in constant fear of the see-through economy. At LogicManager, we find our customers embrace it. Companies can use enterprise risk management to empower employees, making everyone a process improvement specialist. Instead of treating scandals, such as the one Facebook is embroiled in, as reactive one-off incidents, companies should be using enterprise risk management to identify the root causes of their concerns and address them.

If you’re a company like Facebook with countless third-party apps and partners that are using your data, there’s no way to manage all of those relationships effectively without enterprise risk management. In vendor management, the primary concern is prioritizing high-risk vendors, while ensuring that all vendors are held to the same standards. The capabilities of traditional audits, by the nature of their mandate, are limited, and can only adequately cover between 5% and 10% of operations at best with an in-depth independent investigation.

Implementing an enterprise risk management program is a complementary cost-effective and efficient means of prioritizing and managing all types of risks, including third-party relationship risk, something Facebook failed to do with Cambridge Analytica. This risk-based approach decentralizes the risk identification and monitoring process, allowing front-line employees to bring attention to the vendors and partners they know their company relies on most, and score relationship risks objectively. ERM systems then find the connections between risks, controls, policies, and outcomes and escalate the gaps to the right level.

The truth is, it’s not enough to give your employees the power to escalate incidents, although this is an important step that most companies aren’t doing. You must take it further and connect incidents to root cause risks that can be evaluated, prioritized, and addressed accordingly. The effect of doing this brings attention to the root cause of problems and eliminate 100s if not 1000s or more of symptomatic effects, as seen in the case study we did with Winona Health.

When this type of governance is put in place, you are crowdsourcing process improvement to specialist doing the job every day who are dedicated to accelerating the mission and success of their company.

Enterprise risk management is not only about preventing corporate scandals but will help organizations to build an operational culture designed around making processes and operations better; it gives all employees a voice and empowers them to initiate change at the right level with the right priority.

Have you checked what information you’re sharing and how your data is used by third-party Facebook applications?

Third-party apps still collect limited information on users’ friends, and it’s likely you and your friends have no idea it’s happening. Here’s how to revoke Facebook app permissions and adjust privacy settings:

1. Once logged onto Facebook, click the down arrow in the upper right corner and select “settings.”
2. Click “apps” on the left menu.
3. Hover over apps and click the “x” to remove permissions from any app you want to revoke permission from or the pencil icon to edit app permissions.

To prevent unauthorized leaks at work, review application permissions and access settings for password length, complexity, and enforcement. Also, review user access, permissions, and feature access controls.