Working From Home: The Risks of the New Normal (27 Jan)
Boards’ immediate concerns about the risk and control implications of Working From Home have been calmed and hybrid working is set to become the norm. So temporary fixes to control need to be replaced by permanent thought-through solutions. There are also wider implications, such as how to train new joiners in the corporate culture now that staff welfare needs are changing.
Boards in financial services businesses in particular need to be on the case. The UK Financial Conduct Authority (FCA) have issued requirements which every regulated entity (and its directors) must look at closely. But other Boards too may well face the same risks, regardless of whether they are regulated. So, a rigorous check-up should become a standard part of risk management oversight. Here we’ve taken the FCA’s statement and drawn out some generic advice and pitfalls for all Boards to think through.
Good practices to consider…
Understand the steps management are taking to get specific plans in place for any shift to a more permanent “hybrid working” model.
Things to avoid…
Thinking that this is simply an operational question for management. It isn’t. The risks are quite extensive so, at the very least, the Board needs assurance that a risk mitigation plan is in place alongside the operational and HR plans.
Good practices to consider…
Rethink the approach to risk management oversight so that it is sufficiently rigorous for the risks in the new working model. On the regulatory front, the FCA has highlighted to firms that it has the powers to visit “any location where work is performed…including residential addresses…”. How would your organisational and control practices be judged if “home offices” were visited? Such visits might be a rarely used tool, but for any organisation, it could be a good standard to adopt in assessing the new control environment.
Things to avoid…
Failing to recognise that the control and risk management game has changed permanently. The regulators know that a shift has happened and need to see consequent changes to controls. Boards need to make sure that management are not behind the curve on this. Simply trusting employees without adequate monitoring will not be enough and won’t be a good defence when something goes wrong. It’s part of the Board’s role to highlight these risks and make sure that an effective response is in place.
Good practices to consider…
Understand the way management control is being adapted. For regulated entities, that means making sure the Senior Managers Regime processes continue to operate fully. If not, both directors and management are exposed. But it’s a much wider question of management control which affects all organisations.
Things to avoid…
Downplaying the importance of soft controls. It might well be the case that systems controls continue to operate and can be monitored. However, Board oversight also has to rely on solid soft controls that come from management oversight and the control culture. Does the Board understand how these have been affected and what is being done – and how well – to maintain them?
Good practices to consider…
Make sure questions about the continuing quality of controls and risk management are being covered by the Second and Third Lines of Defence – especially by independent assurance activity. IT controls and data protection processes come top of the list. Your IT function might be well tuned in, but ultimately it all depends on individual behaviours in the new working environments (shared spaces, kitchen tables, phones on hands-free with only a hedge to protect the neighbours…).
Things to avoid…
Relying only on verbal assurances. That’s not to doubt management judgement and reporting, but with such a major change to working practices, independent assurance is going to be needed too. That means making sure internal audit plans cover the new risks – and now, not just in the audit universe to be covered over the next few cycles.
Good practices to consider…
Assess the potential impact on customers. Regulated entities have very specific obligations around conduct which must not be diluted through home working. But other organisations, for example those depending on call centres or co-ordinated team responses to customer complaints, face risks too.
Things to avoid…
Looking at the customer angle too narrowly. It’s not just about whether ultimately the customer gets what they have contracted to receive. It’s about how it’s delivered and responsiveness. There’s obvious legal exposure (inability to claim refunds, delayed responses to complaints etc). But the strategic and reputational risks around poor customer service are potentially even more significant. Are you sure the established systems and controls are maintaining required standards?
Good practices to consider…
Discuss how the core ability of the organisation to deliver on its strategy might be weakened over time. That will mean thinking through the impact of the dispersed working model on the culture, communication, leadership, induction, training… The list is long and, added together, means new demands on management. And possibly even a strategic challenge.
Things to avoid…
Thinking that being successful in adapting business as usual activity means that the switch has been managed. That’s unlikely to turn out to be the case in the longer term. And thinking that “back to the office” is the simple solution won’t work either: for a significant number of employees, expectations and practices have most likely been changed irreversibly.
Good practices to consider…
Challenge management on the risk of inequitable opportunities or treatment impacting morale and employee turnover. A strategy might be needed for managing and compensating those who simply can’t work from home and might be feeling disadvantaged.
Things to avoid…
Failing to recognise the unintended consequences. Yes, this is an operational risk to be managed at management level. But there are signs emerging that it might become an issue for Board level strategic risk discussion where it is further complicating an already tight labour market.
Good practices to consider…
Understand how standard checks involving call recordings and surveillance (of trades, response, selling techniques etc) need to change to achieve the same standards and coverage as before. Use of mobile devices and home wifi and phone lines might be opening up unacceptable gaps or blind spots. Having confidential or personal data at home will demand new standards of behaviour and physical security.
Things to avoid…
Failing to revisit assumptions about the operation of core controls and compliance procedures. Board oversight should not be at the operational level. It is not, however, unreasonable for a Board committee to check how basic controls are being maintained. It doesn’t take long for an embarrassing and costly data loss to become a Board level issue so it’s better to check on the prevention measures before that happens.
Good practices to consider…
Check that financial crime policies and procedures continue to be sufficient. Also, check whether “sufficient” is judged on what the policies and procedures actually achieve, rather than just the thickness of the compliance file.
Things to avoid…
Assuming that policies and procedures just carry on being implemented as before. Are the behaviours needed to support rigorous checks still holding? And does judging potential customers become more difficult when “working from home” rather than verifiable corporate addresses is seen as unexceptional?
Good practices to consider…
Keep asking about the welfare impact. It’s becoming clearer that, if imposed for prolonged and unpredictable periods, the emotional cost of not being able to work in an office can become serious. The duty of care angle might make this fall into Board responsibilities as part of exercising oversight on health & safety issues.
Things to avoid…
Limiting the questions to enforced home working because of restrictions. A shift to more home working as part of normal practice might also be a risk, even if voluntary and planned. Research is beginning to suggest that, for some, the mental health risks of home working have been underestimated.
Good practices to consider…
Ask about the impact on Diversity & Inclusion. Are some socio-economic groups being disadvantaged under the new working model? Are these practices helping or hindering gender diversity and promotion prospects?
Things to avoid…
Failing to factor in the potential impact of WFH on the different elements of the D&I strategy. Boards need to ask management about their concerns and mitigation approaches. Also, challenge management on whether the picture they present actually represents the views of a diverse cross-section of opinion!
Good practices to consider…
Keep an eye on the legal and tax risks. It usually matters which country someone is sitting in when they perform their duties, especially if they are managers. A taxable presence might be developing for both the business and the individual. And regulators too are highly sensitive to where business is being done.
Things to avoid…
Thinking it’s all temporary and so won’t be attracting the attention of the authorities. Some compromises and exceptions were made for the crisis period, but they should not be expected to hold for something that’s beginning to look permanent.