FINRA, FDA, HIPAA, SARBOX and ITAR, are regarded as curse words in social media and workforce collaboration circles. People don’t want to say them. They don’t want to hear them and they really really don’t want the regulators to swing by for a “chat.” The outcomes created by this mentality are predictable: hesitancy when approaching new technology, over-engineered solutions that inhibit adoption and the pursuit of risky grassroots experimentation.

These approaches are born out of hard-learned lessons, because let’s face it: collaborating in a regulated industry is hard. Regulations change, are enforced with different points of emphasis and are frequently incomprehensible to everyone except their authors. Our colleague Dion Hinchcliffe (@dhinchcliffe) has a great phrase for this: regulatory quicksand. Nonetheless, we can’t ignore the value that social technologies can bring to regulated industries. So, what’s the answer to regulated collaboration and social media implementation? Plan better and execute smarter.

The rest of this blog post will focus on a high-level methodology for the strategic implementation of social technologies in regulated environments.  The aim is to provide a framework within which regulated businesses can maximize social media and workforce collaboration tools in a compliant way*.

Framework Overview

The goal here is to create a simple, repeatable strategic process.  In a nutshell: start by building your business case, then identify your lowest compliant denominator, don’t miss the last responsible moment, and finally roll out to your workforce.

Build a Business Case

The first step is to establish a collaboration pilot in a controlled environment. Before you get antsy – this is not the same old advice to start with a ‘small pilot.’ The key difference here is the realization that even the most highly regulated business has processes that are just not that risky, but do offer high value returns on collaboration. The implication is that by identifying an internal area where risk of external data leakage is minimal and the fruits of collaboration would be valuable, an enterprise can initiate a much larger and more meaningful ‘pilot’ than otherwise possible.

For example, a financial services firm might identify expertise location as a key challenge in their trading operations. Knowing that the regulatory expectations are the same across the whole of the ‘trader’ job role and that information would be bounded by that department’s lines it becomes feasible to pilot ad-hoc information seeking tools like enterprise micro-blogging to aid in expertise and knowledge location.

Find the Lowest Compliant Denominator

The second step is to synthesize all the data captured from the pilot (you were capturing data right?) into a collection of requirements and outcomes for broader implementation. One of the odd nuances of social software is that the best use cases are frequently only discovered once the users actually have their hands on the tools. The key insights you are scanning for are lowest common denominators for compliance or, “lowest compliant denominators.” Say to yourself: “What is the lowest barrier we can set while facilitating collaborative outcome X?”

For example, the financial services firm we discussed earlier might find that their pilot revealed a mass of associate level employees asking questions that only more senior colleagues could answer with any confidence. This manual process might be a blessing in terms of knowledge transfer, but a curse because senior employees have better things to do with their time. The answer would be to maintain the emergent Q&A culture while also instating a better system for capturing and sharing institutional knowledge – perhaps a wiki. This need and solution might never have surfaced and been synthesized if not for the advanced ‘pilot.’

The Last Responsible Moment

There’s not a bad time to begin to plan for compliance, but there is a point where it is too late not to have done so.  Now that you’ve run your pilot and with metrics, survey results and anecdotes created a business case, you are no doubt postulating how the benefits of collaboration multiply across your company.  With the momentum and demand you created in the pilot, if you haven’t done so yet, now is the time to partner with HR & Legal to create a compliance map.

Employees and artifacts in your business have characteristics.  Characteristics are things like: geographic location, security training, department, job title, or government clearance.  A compliance map simply details which combinations of characteristics are off-limits.  As an example, US-defense industry employees have to abide by International Traffic in Arms Regulations (ITAR).  Employees without ITAR training (characteristic) should not have access to ITAR protected artifacts.  So, when an employee without ITAR training uses their company’s search engine, no ITAR protected artifacts should be returned.

Scale and Train

Once you have developed a compliance map, you can identify your boundaries and then roll out your solution as far as those boundaries allow.  Of course, sufficient technology will be necessary to scale as well, but you’ve likely charted that course before.  Linking departments together is technologically nothing new, understanding whether or not you can link them from a compliance stand point is.   Your compliance map gives you the advantage of scaling accurately and aggressively.

But, just as spell check doesn’t turn you into Hemingway, having a compliance map won’t turn every employee into a compliance officer.  Training employees on compliance issues is the ultimate fail-safe.  Where technology fails, humans should know better.

Conclusion

Regulated companies can be collaborative, but they must plan better and execute smarter than others.  For many companies looking to become more collaborative FINRA, HIPAA, SARBOX and ITAR represent reality checks.  However, these reality checks are not blanket cease and desist orders.  You can remain in the good graces of your legal and HR departments AND still bring effective and beneficial collaboration to your company by following the framework outlined above.  Of course, this framework will need to be customized for your company.  Reach out to us if you’d like some help.

For additional reading on this topic, check out Ellen Reynolds‘ case study on Managing Risk in Regulated Industries.

*One caveat to keep in mind is that this methodology presupposes a strategic executive commitment to adopting social tools and while it could work for a grassroots implementation the entry points into the process would be quite different.

Put another way, Intuit treats their customer community as a strategic asset and not some strange non-core element of their business.  Like all other business assets, social initiatives must have a role in strategic planning and ultimately contribute measurable value to the business. Intuit has succeeded by framing social media in the context of existing business functions like customer research and product development. In doing so they’ve not only wrapped their arms around social media, they’ve also accomplished something rather unique – they can prove social is good for their business.

Christine’s presentation traced the evolution of Intuit’s product and customer research efforts from a program of visits to customer homes and businesses (called a “follow me home”) to a world of online community and embedded social functionality. Positioning social inside this framework accomplishes two things. First, it places social media on the leading edge of an existing continuum of tried and true customer research methods. Second, it allows Intuit to measure the outcome of social initiatives with existing metrics. The result is a targeted approach to social business that fits naturally into an existing way of looking at business assets.

The outcomes speak for themselves:

• Members of the Intuit community offer effective customer service at almost no cost to the company (the most active community member has addressed more than 50,000 tax questions).
• Calls-to-action are broadcast to users’ social graphs, but originating inside Intuit software, drive 30% more conversions than traditional advertising.
• A private customer community has generated more than $10 million in new revenue for the company.

Measurable wins like these illustrate that true business value is realized when customer community is treated as a business asset and not an experimental campaign.

One of our alliance partners, Socialware, has been tackling this issue with technology solutions, and starting today is offering free products. Social Marketer renders a new toolbar in the page that allows users to choose if their messages are public, or internal to the enterprise. Internal status updates will get search optimized and put into a unified stream, while personal ones may have different retention rules . Another product, Risk Manager, allows for rules-based moderation of tweets, posts, and updates.

Here is a screenshot (click it for a larger image) of the administration console for managing the social network traffic. It provides for some pretty interesting and granular control of which types of messages and events are allowed, disallowed, and moderated. You could, for instance, block Facebook chat and all the Facebook applications (which may typically be games) while encrypting or moderating status updates. A rule can be created that could moderate or block any message that contains something with the format of a social security number, or credit card number.

While all of this is taking place, all the message traffic is being retained and archived to support retention policies and regulatory requirements.

A comprehensive solution to the issue of managing the public social networks in the enterprise would address the people issues, contain process modifications, and utilize technology like Socialware. Considering that these are the places where employees already congregate, it makes sense to leverage them rather than attempting to drive adoption of look-a-like tools that could be run on-premise.

Socialware is providing an important piece of the puzzle that enables employees to use these new tools, while mitigating risk at the same time.