Firm Management

Developing a Social Media Crisis Communication Plan

When it comes to social media risk, you might think about hacking and incorrect/inaccurate company page posts. But, that’s not the only kind of social media risk. Here are some others.

  • Automated posts with a third-party tool give hackers the ability to corrupt the automation and send out messages that look like yours. The remedy? Monitor the application(s) often.
  • Weak passwords are an especially serious risk for corporate accounts. The remedy? Use a combination of numbers and letters, both upper and lower case, and change them every 90 days.
  • Who actually has access to your accounts? Be cautious about how you log in to accounts, e.g., "use my Google account," because if the third-party app is compromised, those credentials could also be compromised. The remedy? Quarterly, check admin authorization for any changes, and avoid logging in with another account, e.g., Facebook, Google, etc.

Risk Management

It is hard to define risk, especially if you are a person who plays by the rules. I often recommend clients do the following activity with a group of people.

1.      Create a Risk Matrix Chart, where the left side represents the likelihood the event will occur. The top represents the severity or impact the action will have on the firm.

2.      Think about potential risks your firm faces and the measures to put in place to prevent them or address them when they happen. This is the fun part! Brainstorm ideas with other people. No idea is too trivial. Outline the list of threats or vulnerabilities.

3.      Identify the systems you have in place to address those threats or vulnerabilities.

4.      Define a measurement or likelihood (the left side bar in the chart) of the risk occurring.

5.      Choose the level of severity the threat’s impact has on your brand/company.


An employee accidentally releases a small number of client names on Facebook, but no other information was shared.

  • Likelihood is high since it already occurred. Vulnerability is lack of training.
  • The severity is negligible to marginal depending on your firm and/or if the clients are in a regulated industry, think medical or legal.
  • Actions to take could range from making note of the error and moving on, to contacting clients, and/or adjusting workflows as needed.

Now consider if that person released first name, last name, email, address, and/or personally-identifiable information (PII). Would that increase the risk’s severity? Would that have a greater impact on your firm? How would you remedy that situation?

When you’re drafting your risk assessment, try to imagine each of the potential variations. List them in the matrix, along with the controls, their likelihood, and their potential impact on the firm.


Once you’ve identified the risks, now’s the time to identify remedies. Consider remedy combinations to use in your plan.

For example, in the risk example where an employee posted client names, the remedies might include items 4 and 6. But, if additional information was posted, including PII, then a more aggressive remedy is needed, such as 4, 6, 7, 9, 11, 13, 14, and/or 10 and 16.

Identify the remedies, including some of those below, and place them in a Crisis Response Grid.

1.      Stay silent (in some cases this is the right thing to do)

2.      Social media manager responds (vs. the posting / junior staff)

3.      Blocking the offender on the platform

4.      Removing the offending content

5.      Official statement is made.

6.      Compliance is notified and responds.

7.      Executive team is notified and responds.

8.      Blog post or a video is created addressing the issue.

9.      Creation of a dedicated phone number and/or email address for those impacted.

10.   A PR firm is consulted.

11.   Send an email blast to all customers notifying them of the incident.

12.   Issue a public apology.

13.   Create a crisis FAQ.

14.   Create a dedicated customer complaint page, forum, or phone number.

15.   Take the conversation offline.

16.   Pause all scheduled content.

Ways to Educate Staff

Now that you’ve identified risks, created an action plan, and written a process, it’s time to share it with staff and consultants. Here are several ways to accomplish that.

1.      Host lunch-n-learns

2.      Post social media office hours

3.      Send social media “amplification” emails

4.      Create a social media channel within the company

5.      Send updates to employees & post on the intranet

6.      Develop training videos

In the end, your goal is to create a social media crisis communication plan that’s right for your firm. If you’d like a step-by-step plan, download the Risk Management Primer.


See inside March 2021
