Governance is the layer above any single approval. Approval decides whether one post ships; governance decides who is allowed to make that decision in the first place, what the rules are, who holds the passwords, and what happens when something goes wrong at 9pm on a Saturday. Most organisations only discover they lacked governance the day a junior posts from the wrong account or a departed contractor still has the keys.
This guide is the org-level view. It is not about the path a post takes, which is covered in the social media approval workflow . It is about roles, policy, access and accountability: the standing structure that makes every approval beneath it trustworthy.
Roles and accountability
The first failure of ungoverned social media is diffuse responsibility. Everyone contributes; no one is accountable. Fix it by naming roles explicitly, ideally in a simple responsibility map.
| Role | Owns |
|---|---|
| Executive sponsor | Strategy, budget, sign-off on the policy itself |
| Social lead | Day-to-day program, the calendar, final editorial call |
| Creators | Drafting posts to brief |
| Approvers | Brand, legal and channel sign-off within their lane |
| Account admin | Access, permissions, platform security |
| Crisis owner | Decision authority when something escalates |
The point is not bureaucracy. It is that for any post and any incident, one named person is accountable, with the rest clearly consulted or informed. When a question arises, nobody has to ask “whose call is this?”
A policy people actually read
A 40-page social media policy that lives in a shared drive governs nothing. A usable policy is short, specific and answers the questions employees and contributors really have:
- Who may post on the brand’s behalf, and who may not.
- What is always off-limits (unsubstantiated claims, client data, internal numbers, politics).
- How employees should handle their own accounts when identifying as staff.
- What to do when they spot a complaint, a crisis or a mistake.
- The disclosure rules for paid, partnered or employee-advocacy content.
Keep it to a few pages, write it in plain language, and make new contributors acknowledge it. The policy should reference, not duplicate, the deeper docs: your social media brand guidelines for voice, and your compliance rules for regulated claims.
Access control is governance you can lose your job over
The most concrete and most neglected part of governance is who can log in. Personal passwords shared over chat are how brands get hijacked and how a leaver keeps access for months. Tighten it:
- Use the platform’s business manager so access is granted by role, never by sharing a personal password.
- Apply least privilege: a creator drafts, they do not need publish rights or billing access.
- Mandate two-factor authentication on every account with access.
- Run a quarterly access review and revoke anyone who changed teams or left.
- Make offboarding a checklist item: access removal happens the day someone departs, not eventually.
This is the difference between governance on paper and governance that holds. An access list nobody audits is a breach waiting to happen.
Escalation: decide before the fire
Governance is tested in the bad moment, not the routine one. Define escalation paths in advance so the response is not improvised. A simple tiered model works:
- Routine (a critical comment, a typo) — the social lead handles it within hours.
- Sensitive (a viral complaint, a factual error live on the feed) — social lead plus the relevant approver, same day.
- Crisis (legal exposure, executive issue, security incident) — the crisis owner takes control and pauses scheduled content.
Write down who holds authority to pause the whole calendar, because in a crisis the wrong thing to do is keep auto-publishing cheerful promos. The mechanics of that moment are in crisis communication on social media .
Governance scales the program, it does not slow it
Teams resist governance because they imagine it as friction on every post. Done well, it is the opposite. By tiering decisions, most content flows freely under standing rules and only genuinely risky posts climb the hierarchy. Governance that forces every tweet past an executive is broken; governance that lets routine content self-publish while reserving human attention for real risk is what lets a program grow from one person to a team across many channels without losing control. This is why governance and a clean social media team workflow reinforce each other.
Signs your governance is working
You will not see governance in a dashboard, but you can feel its absence. Healthy signs: every account has a named admin and a current access list; new contributors are onboarded against a policy they acknowledged; no post in a sensitive category lacks a sign-off owner; and when something goes wrong, the response is a known path rather than a panicked group chat. If any of those is missing, that is your next governance project.
How Utin fits
Utin is being built so governance is enforced by the system rather than remembered by a person. Roles map to permissions, so a creator drafts and an approver signs off without sharing logins; risky categories route to the right owner automatically; and every action leaves a record. The aim is governance that runs quietly in the background while the team moves fast. You can register interest in an early pilot.
For the layers beneath governance, see the social media approval workflow for how posts move and social media compliance workflow for regulated record-keeping. For claims authority specifically, read legal approval for social media .