We have identified four threats.

● Fragging: Employees can intentionally try to harm their employer’s reputation. Take the case of HMV, the global entertainment retailer. In 2013, the social media team had been downsized and the 21-year old in control of the account had a field day, airing the company’s dirty laundry in public. By the time the company regained control of its Twitter account and deleted the messages, they had already gone viral.

● Leaks: Employees can also unintentionally hurt their employer. This can happen when they release information that is directly useful to adversaries. For example, information about your CFO vacation or IT procedures can also facilitate fraud by giving valuable operational information. Geotagging of pictures is particularly useful to understand executive travel patterns. A different risk occurs when employees and other stakeholders engage in activities that are damaging to the organisation’s reputation in their private time. When a wealth manager posted a picture of his son in a silver Porsche with the caption: “Normal service can resume, once I have washed the stench of public transport off me”, it triggered an immediate backlash in Singapore. His employer quickly distanced itself from the banker but not fast enough to avoid the guilt by association and the negative headlines.

● Hacking: Non-employees can intentionally hurt an organisation. For example, Facebook founder Mark Zuckerberg has been recently targeted by hackers who gained control of several of his social media accounts. However, the threat from outsiders is not limited to cyber crime. The American restaurant chain Applebee fired a waitress for posting a customer’s receipt (including his legible signature) online. The customer had sarcastically complained that the service charge was too high.

When the news became public, swarming began. Thousands of negative comments were posted on the company’s Facebook account, totally overloading the four person social media team and damaging the brand.

● Fumbling: Non-employees can also unintentionally cause harm. In 2008, the Italian tax authority made income data available online by accident and hurt a few reputations. A related situation occurs when someone wants to create a buzz by releasing controversial information. The goal is not to hurt anyone, even though this consequence may be easily foreseeable. Coca-Cola thought it would be a good idea to let people submit negative tweets that an algorithm would automatically transform into positive images on its corporate feed until US gossip blog Gawker managed to hijack the process. The soft drink company, egg on its face, quickly terminated the campaign.

To address this risk, we offer a four-pronged approach.

● Mark: Threats need to be identified and linked to your general risk management processes. The different accounts should be identified and their ownership clearly established.

● Measure: The risk materiality should be ascertained. For example, armed forces classify the degree of confidentiality associated with each document they produce (from freely available to a general audience to highly classified). This systematic approach is designed to reduce the risk when operations security is inadvertently compromised.

● Manage: The best way to deal with a social media crisis is to prevent it. A natural response may be to impose additional layers of control but naturally there is a trade-off between reactivity (the point of having a social media presence) and security. This may lead the firm to tolerate a certain degree of risk. Risks can also be treated to minimise their occurrences or their consequences. For example, embedded social media correspondents can be deployed through the organisation to diffuse good practises and to provide a better picture of real company practises to risk managers. The risks can also be transferred either by outsourcing the social media activity to an external provider (and the responsibility that goes with it) or by purchasing insurance in case something goes wrong. In rare cases, the risks can be terminated by closing down the social media channels entirely. This option may be worth considering for small organisations but is unlikely to be possible for larger ones.

● Monitor: Detecting emerging crises in matters of minutes can be critical as the AP case has shown. A quick response may even turn a problem into an opportunity. Interestingly, monitoring social media can also help you to detect a crisis in another part of your business. For example, companies such as Deutsche Telekom have deployed a technology in their “Situation Room” that can monitor social media activity around their company. This allows these organisations to detect emerging operational or IT issues as soon as they impact their customers.

Once these challenges have been better understood, the question becomes who is best positioned to manage them. Chief marketing officers, chief risk officers, chief information officers or a new type of executives (chief digital officers) can all lay a claim on this. What is clear though is that, irrespective of your position in the leadership team, your reputation is at stake. In an environment where social status is at a premium, this is not a trivial concern.

Gilles Hilary is the Mubadala chaired professor of corporate governance and strategy at INSEAD and a professor of accounting and control. Varun Mittal is the group head of partnership and marketing at helloPay