Incident serves as reminder for internal auditors to assess customer facing processes

United Airlines is no stranger to viral videos and social media kerfuffles that cast the company in a poor light. A video uploaded to You Tube in 2009 called "United Breaks Guitars" has more than 17 million views and its own Wikipedia page. Just last month, a Twitter-storm erupted over how United treated two young girls, after a gate agent objected to the leggings they were wearing and barred them from boarding the plane until they changed.

Yet when fellow passengers filmed a man being violently dragged off a plane, screaming with blood dripping down his face, and it quickly circulated on Facebook, Twitter, and Chinese social media site Weibo earlier this week, it was immediately clear that this was different. There was no humorous song to write or much of a moral principle to debate, this was just wrong. Horrible, actually, for United, as well as its victimized customer, who ended up in a Chicago-area hospital.

The consequences came fast. During the two days after the incident, United's stock dropped 7 percent. Negative headlines ran on the front page of the Wall Street Journal for days, and social media posters and late night comedians compared United employees to members of Fight Club, never mind that the disturbing actions were actually taken by Chicago Department of Aviation officers. The incident caused such an uproar that members of the press were asking White House press secretary, Sean Spicer, if the Trump administration was considering taking any action.

In addition to coverage of the viral video on nearly every news outlet, it was viewed more than 300 million times on Weibo, a Chinese social media site similar to Twitter. Since early reports noted that the man was of Chinese decent, (for the record, he was born in Vietnam) the conversation there quickly turned to the idea that United had targeted him for his ethnicity and called for a boycott of United in China and other countries in Asia.

Bungled statements from United CEO Oscar Munoz, first internally to United employees blaming the passenger for being "belligerent" and later in a widely panned "apology" stating that he was "re-accommodated," only made matters worse.

The episode is chock full of important business lessons and ethical ponderings, and serves as a reminder to all companies to be kind to paying customers regardless of the situation. It's almost certain to be an instant business school case study of what not to do from a customer service and public relations viewpoint.

For internal auditors, who are concerned with processes, policies, and risks, there are plenty of lessons to sift through as well. Below are four lessons for internal audit from the United Airlines incident that led to a man being violently dragged off one of its planes.

Unhappy Customer Risk
Lesson One: Customer service processes are a great place for internal audit to provide added value. Internal audit can provide independent assurance that policies are in place where they need to be, that they are updated, would stand up to public scrutiny, and employees who handle customers are following those policies.

On the other side of the spectrum, are employees empowered to make decisions that could deviate from the letter of the law on those policies when it makes sense to? Should they be? For example, when fellow passengers chastised United on social media last month for taking issue with the clothing choices of two young girls, the United employee involved was following a dress code for family members of traveling United employees. Given the rise in popularity of the yoga pants the girls were wearing, its possible the policy was out of date, or not much thought was given to the age of children that it should apply to. Testing by internal audit could have raised these questions and spurred the airline to create better policies and training programs on how to handle difficult situations.

Customer service practices are just the type of function that forward-thinking internal audit departments are adding to their audit plans as they stretch beyond traditional internal audit areas, such as accounts payable and travel & expense reporting. CEOs are worried sick that a bad customer experience—and one that captures the attention of the public—could do great harm to the company. Internal audit should be too.

Anything that can make customers unhappy presents a big risk for companies to lose money and hurt future revenues. In fact, many of the problems that resulted in the incident were foreseeable, and would have likely been exposed by an audit of the customer service functions and processes involved.

I Always Feel Like Somebody's Watching Me
Lesson two: Everything is public. There may be a tendency here to see social media as the problem or that social media is a risk to be managed. Social media is the messenger that can expose underlying reputational risks, bad policies, or poorly behaving employees, but it's difficult or impossible to control and shouldn't be treated as the primary risk in and of itself.

Indeed, the assumption should be that everything is on camera all the time and will be shared with thousands or even millions of people. That means every policy, employee action (customer facing or not) needs to stand up to public scrutiny and internal audit should treat it that way. With the ubiquity of camera phones, there is no back stage, no "behind closed doors." The common line on ethics used to be, "don't do anything you wouldn't want to see reported on the front page of the Journal or New York Times." The day is here where just about everything you do is reported on the front page of the newspaper, or at least its digital equivalent, Twitter.

Know Who 'Touches' Your Customers
Lesson three: Expand your definition of third party risk and pay special attention to where third parties interact with customers. One of the not-so-minor details of the United fiasco, and one that has been somewhat lost in the hoopla, is that the unsettling actions were actually taken by law-enforcement officials, not United employees. But since it happened to a paying United customer on a United plane and those actions were set in motion by poor decisions or policies by United, few are willing to give the airline a pass. What is internal audit doing to ensure that third parties that, ahem, touch customers have their own processes in order and that those processes and policies are tested and are sound?

Law enforcement officials routinely interact with airline customers, whether it is Transportation Security Administration officials at security checks, Federal Air Marshals, or others. I'm sure that airlines go to great lengths to assess and audit the services of third parties that provide food on their planes. Should they put any less care into ensuring that those who provide something as vital as security services, even if some of those are government entities, are doing a good job? Now the ability to conduct an actual audit may not be there, but someone needs to be asking the right questions.

Does It Play in Pingdingshan?
Lesson Four: Everything is global. Reputational risks need to be viewed through a global lens. The reaction to the incident on social media in Asia is, perhaps, the most shocking aspect of this incident. It's hard to imagine the scale of more than 300 million individuals who have seen your company at its worst. This means that—given lesson two, everything is public—incidents that were purely domestic issues in the past have the potential to go viral globally in an instant. Does that mean policies need to be culturally sensitive even to communities they aren't intended to address? You bet it does.

The world is a smaller, more connected and public place. It may be difficult to consider all the things that could be offensive to cultures around the world, but they are watching, so it doesn't mean we shouldn't try. Treating all people with dignity and respect, whether they are customers, employees, or other stakeholders is a good start and will go a long way to keeping international boycotts to a minimum.

It's clear that United and its CEO made some big mistakes in how they handled the situation. What's less clear is the policies and guidelines that were in place to handle some fairly routine occurrences for an airline: the need to bump people off for oversold flights and the process for incentivizing them to volunteer, how to involve law enforcement when a passenger is not cooperating, and the need to get pilots and attendants in position for other trips. Reports suggest that United employees seemed unclear on those policies or that the policies themselves were untested in various scenarios. Sounds like a job for internal audit to me.