Social media governance: guidelines for companies

In 2023, an uncontrolled social media post by an employee cost a DAX company tens of millions in reputational damage and crisis management. Social media governance is not a compliance issue for lawyers – it is a business risk issue that belongs on every company's management agenda.

What social media governance means

Governance does not mean forbidding employees to speak or routing every message through three departments. It means clear rules about who is allowed to do what, clear processes for approvals and crises, and clear responsibilities. Well-established governance structures make social media faster and safer – not slower and more bureaucratic. The goal is freedom within clear guidelines, not control at all costs.

The social media policy: what needs to be included

A functioning social media policy includes: Who speaks officially for the company (and on which channels)? What are employees allowed to post about the company on private accounts? Which topics are taboo (trade secrets, ongoing legal disputes, unpublished financial figures)? How does the company deal with criticism? What is the escalation path in the event of a crisis? The policy should be understandable – not legalese. Employees need to read and understand it, not archive it.

Approval processes without paralysis

The most common governance mistake: approval processes that take 5 days for content that is outdated in 5 hours. A sensible approval structure looks like this:

  • Standard content (editorial plan, scheduled posts): 24h SLA, 1 approval level.
  • Campaign content: 48-72h SLA, 2 approval levels.
  • Reactive content (trends, breaking news): 2-4h SLA, 1 approval level.
  • Crisis communication: prepared templates that are ready for immediate use.

Companies that put all content types through the same 5-stage process miss out on every trend opportunity.

Crisis management: What to do when there is a fire

Every company that is active on social media will sooner or later be confronted with a crisis – a viral negative post, an employee faux pas, a shitstorm. Those who are not prepared will react slowly, incorrectly or not at all. Crisis preparation means: crisis playbook with prepared statement templates for the most common scenarios, clear decision-making chain (who approves crisis communication in 30 minutes?), social listening setup to recognize crises early, and regular crisis simulations. In an emergency, the following applies: react quickly, take responsibility, communicate concrete actions – don’t remain silent and hope it will go away.

Governance for international teams

Global companies face the governance question: centralized vs. decentralized. Centralized control ensures brand consistency but stifles local relevance. A purely decentralized structure risks brand inconsistency and uncontrolled communication. The solution: global-local governance. Central: Brand voice, banned topics, crisis process, visual identity. Local: content topics, community management, local trends. Clear role definition between global hub and local teams is key.

Frequently asked questions

At what size does a company need a formal social media policy?

From the moment that more than one person communicates on social media on behalf of the company. This can be the case with as few as 10 employees. The earlier clear rules are established, the easier it is to implement them.

How often should a social media policy be updated?

At least once a year and after every major platform update or crisis event. Social media changes too quickly for static documents that are created once and then forgotten.

What belongs in a social media crisis management playbook?

Crisis scenarios with prepared templates, decision tree (when is it a crisis?), contact list of decision-makers (also outside office hours), approval channels for crisis communication, and post-mortem process after the crisis has been overcome.


Social media governance checklist: What every company needs

68% of social media crises in companies are not caused by external attacks, but by a lack of internal processes and unclear responsibilities. (Source: Crisp Thinking, Enterprise Social Risk Report)

  • Usage policy: As an employee, am I allowed to post about the company? What is allowed, what is not? Clear, written guidelines – not unwritten rules passed on by word of mouth.
  • Channel managers: Who administers which account? What happens in the event of vacation, illness or termination? Account credentials must never be tied to a single individual.
  • Password management: Central tool (1Password, Bitwarden), no private accounts for company pages.
  • Approval workflow: Who has to approve which content? Response time SLA: max. 4 hours for regular content, 1 hour for crisis-relevant posts.
  • Crisis protocol: Responsibilities, escalation path, response times, prepared statement templates for common crisis types.
  • Data protection guidelines: Can customers be shown without consent? How are competitions carried out in compliance with the GDPR?
  • Archive policy: How long are posts and comments stored? Recommended: 3 years for legal protection.

GDPR obligations in social media: What many companies forget

Social media and the GDPR create specific legal obligations for companies that go beyond the obvious legal notice:

  • Joint responsibility (Art. 26 GDPR): Anyone who operates a Facebook page is jointly responsible with Meta for the data processing of visitors. The addendum with Meta is mandatory – not optional.
  • Competitions: Participant data may not be used for marketing purposes without express consent. Comments under competition posts are not opt-in.
  • Employee photos: Every employee needs a documented declaration of consent for photos on social media – also for group photos at events.
  • Resharing customer posts: Positive customer posts may only be shared if the person has clearly given their consent. A simple tag is not enough.

Crisis management on social media: The 3-hour rule

The first 3 hours after a social media incident will determine whether it escalates or defuses. The four most important steps:

  1. No hasty answers – clarify internally what has happened. Incorrect initial information makes every crisis worse and cannot be taken back.
  2. Do not delete comments unless they are clearly illegal. Deletion is considered an admission of guilt and experience has shown that it escalates the incident further.
  3. First statement within 3 hours: Even if it only says: “We are informed and are looking into the situation.” Silence is interpreted as disinterest or guilt.
  4. Brief employees internally: Before the company reacts publicly, employees need to know what they can and cannot comment on.
