Risk managers should adapt their toolkits for social media shocks

Risks arising from or amplified by social media, such as negative sentiment, fraud or deepfakes, should prompt risk managers to adapt their toolkits to manage any fallout, said Elena Pykhova, director and founder of the OpRisk Company in London.

“This is a new space, but our tools are fixed, they are quite rigid. It is up to us as risk professionals to acknowledge our tools are rigid, and include social media,” she said.

Risk professionals participating in Pykhova’s operational risk best practice forum met with Compliance Corylated earlier this month to discuss social media as a risk. A poll of participants revealed that few risk managers believe social media to be a risk in its own right (5%), but many consider it to be a cause or an amplifier of risks. A poll of operational risk managers at the forum showed some 30% of risk managers do not include social media in their risk frameworks, however.

Amplifier

While many firms now use social media monitoring to track reputational risk, few participants at the event had added it to their frameworks. That is partly because social media does not appear in operational risk frameworks but is viewed as a reputational issue largely outside operational risk, or as a cause or amplifier of other risks.

“Traditionally the view on operational risk implies a monetary loss and classes social media partially as an impact. That’s a reputational impact, which is the national or international coverage in the newspaper, negative press was seen as an impact event,” Pykhova said.

More firms should develop their understanding of the effects of social media and the change it has already made in finance and their businesses. Firms do not seem completely confident they have this risk covered, she added.

“This meeting has shown that risk changing, the change is already there. The train has left the station, but we havenʼt yet moved from the original, traditional firm definition and taxonomy. One way to adapt is when you run scenarios. You take your traditional scenario, then add on top of that the social media [amplification]. You don’t need to create an extra risk or extra impact, but at least you run the scenarios.”

One forum participant noted their firm had run a scenario where a deepfake video appeared online featuring its chief financial officer announcing the bank was bust. This is an example of what firms should be doing, Pykhova said.

Social media effects grow

Social media’s effect on financial services has grown since 2021. In January that year, meme stock trading revealed the power that “finfluencers” wield in financial markets, causing fintech Robinhood to stop trading shares in GameStop, AMC and Nokia. The firm blamed market volatility.

Meanwhile, March 2023 saw what US banking officials called the first social media-fuelled bank run, when Silicon Valley Bank failed. The bank was in trouble, tried to raise funds through a share sale, and then when word got out and spread on social media, its customers withdrew $40 billion in a few hours — or a fifth of the bank’s deposits. The bank went bust a few days later.

“If a bank has an overwhelming run that’s spurred by social media so that it is seeing deposits flee at that pace, the bank can be put in danger of failing,” said then-US Treasury Secretary Janet Yellen.

More recently, banks have had to contend with social media-provoked theft from cash machines, when for example, people posted on TikTok that free money was available due to IT outages.

Misinformation

Since 2023, misinformation spread online has become a matter for compliance and risk professionals, said Alan Jagolinzer at the University of Cambridge’s Judge Business School. “Bad information amplifies and accelerates all other systemic risks. It also makes it significantly harder to understand the core problems or to coordinate efforts to fix any problems,” Jagolinzer said last year.  

“Efforts to undermine trust in audit, market regulation, and the judicial systems affect your portfolios because they undermine trust in contracts. Can you rely on contractual counterparties when there is little — or, more likely, asymmetrically applied — enforcement and accountability? How much more due diligence will you need and at what cost, if the US or other market regulatory systems get neutered or corrupted?” he said.

Information and disinformation travels at a much greater pace and that can cause panic. Risk professionals should work with investor relations or other public facing departments to collaborate and devise a plan to meet misinformation and deepfakes at speed, and firms need to get creative to stay on top of these risk factors.

“The important thought for risk professionals is donʼt become stuck in our taxonomy definition: ‘this fits, this doesnʼt’ . Horizon scanning, understanding the environment, and adapting our tools to be always in line or ahead rather than sticking to the tools is crucial,” Pykhova said.