Corporate Compliance Insights

New Challenges Arise as Workers Return to the Office — or Don’t

Fraud, erosion of compliance practices among biggest risks amid workplace revolution

by Chris Hoyle and Ksenia Ioffe
November 7, 2023
in Governance, Risk

Office occupancy rates are on the rise. But so are hybrid work arrangements. The past three years have been marked by widespread restructuring of how work gets done. And as white-collar workers shift to a new normal, a whole new set of risks and compliance challenges arise. Chris Hoyle and Ksenia Ioffe of StoneTurn explain the steps organizations must take to ensure their compliance programs change with the times to remain adaptable and sustainable for the future.

Does your life look the same as it did three years ago? For most of us, businesses included, the answer is no. Since early 2020, the world has experienced a series of whiplash moments: the effects of a global pandemic, hiring surges coupled with the Great Resignation, regulatory shifts and new reporting requirements, and global geopolitical conflict.

One of the biggest changes we’ve seen has been the shift to a remote workplace. Although organizations are calling for a return to office, many are still allowing for a hybrid work model, leaving them potentially vulnerable to a heightened risk of fraud. The Association of Certified Fraud Examiners estimates that total global losses due to fraud in the last year were nearly $5 trillion, with fraud committed by an executive or employee responsible for approximately 40% of the total amount.

Much as we have adapted our habits and processes to address the new normal, entities also must adapt their compliance policies, processes and functions to meet a unique convergence of new and existing risks confronting their organizations.

New risks also yield cultural change, compounded by new working methods, including remote and hybrid work, reliance on new team members who lack historic organizational knowledge and evolving technology, such as ephemeral messaging and artificial intelligence.

New misconduct risks also arise from this fluidity, including blurred lines between work and life and shifts in team balance. Boards of directors, alongside compliance, risk management and business leaders, must ensure the organization’s compliance programs remain agile and top of mind. This includes examining outdated risk management methods and controls to prevent and detect misconduct.

Here, we present critical steps organizations must take to ensure compliance programs evolve with changing business practices and remain effective, adaptable, and sustainable for the future.

Governance and oversight

Executive and board oversight is critical for proper risk management. Boards and executives should challenge senior management about what steps the organization has taken to identify, assess and mitigate heightened and emerging risks, including the remote and hybrid work environment.

Boards and executives should also ensure there are sufficient and qualified compliance resources with proper stature within the organization (e.g., involvement in business decisions, members of senior leadership governance forums) and direct access to the board and audit committee. Additionally, they must confirm there is adequate employee communication and training on the compliance program and the corporation’s commitment to it.

Leadership, including the board, should re-evaluate the quality and frequency of reporting senior management provides to confirm there is appropriate information and detail to maintain proper oversight and assess whether the compliance and ethics program is working in practice. The reporting should provide visibility into:

  1. Heightened or emerging risks.
  2. Portfolio of whistleblower reporting and investigations (including nature, region, volume, status, and trends and hotspots).
  3. Potential gaps or weaknesses in the compliance program (e.g., risk assessments, controls, other broader compliance, culture plans).
  4. Impact of such possible shortcomings.
  5. Status of corrective actions or enhancements to address any potential weaknesses or gaps.

Culture & tone at the top

Organizational culture will remain a key business driver and element of an effective compliance program. Building a culture of compliance is more challenging, but not impossible, with new faces on the team in a remote or hybrid working environment. What started as posters on office walls with reminders to “speak up” and encouraging use of ethics helplines should be expanded to intranets, email newsletters or other multi-media campaigns.

Return to office

Face-to-face interaction is generally considered essential to building company culture, which makes it challenging in remote and hybrid working environments to establish and maintain a setting where employees feel comfortable raising concerns and discussing compliance-related issues. Many organizations are addressing those concerns by requiring employees to be in the office at least two days a week.

Unsurprisingly, mandatory in-person office days can prove polarizing, creating challenges for many organizations. Therefore, it’s imperative that organizations enforcing in-office attendance ensure senior management is in the office at the same cadence as other employees, helping set the tone that adherence to all policies is expected of everyone.

It’s also essential for senior management to engage with colleagues while in the office to develop new relationships and nourish existing ones. These interactions can help employees feel part of the team and more comfortable contacting senior management when not in the office while also driving tangible cultural benefits.

Omni-channel and multi-level approach

Leadership should consider implementing virtual office hours, town halls or anonymous forums to account for fewer in-person touchpoints. These techniques will help develop and enhance working relationships and organically empower employees to speak up. This can be particularly helpful for new employees who have yet to foster relationships and are still navigating the organization.

Middle management should know the compliance and ethics program and reinforce the standards and senior leadership’s messaging. This includes reminders to teams about the importance of adhering to the code of conduct, corporate policies, laws and regulations and encouraging employees to speak up if they become aware of any potential misconduct.

Risk assessments

Traditional risk assessments typically consider the likelihood and impact of a risk event occurring. They are often completed annually (sometimes less frequently depending on the program’s maturity and the organization’s size) and tend to roll forward, at least as a starting point, with the same information year-over-year.

New realities, new risks

Given the range of complicating factors over the last few years, now is a great time for senior management to take a step back and re-evaluate if the existing risk assessment process is appropriately identifying and assessing the impact of recent operational, cultural and geopolitical events on the organization’s risk profile.

As a starting point, senior management should consider the frequency and timing of the most recent risk assessments and whether they: capture relevant risk events; show evidence of considering whether risk events are more or less likely to occur under new working models (e.g., remote, hybrid); contemplate the impact of recent regulations and economic distress; and provide representative residual risk ratings (i.e., the likelihood and impact rating of the risks after considering the effectiveness of relevant control activities to reduce the inherent risks) in the current environment.

Consider the “work from anywhere” scenario pre- and post-pandemic. Many organizations have adapted to increase system access beyond the office walls. They should ensure their risk assessment considers potential misconduct opportunities (e.g., schemes and scenarios) related to employees accessing sensitive information outside the organization’s offices and appropriately update the ratings to account for the increased likelihood of previously identified risk events and other identified risk events.

Control activities implementation

Organizations should take stock of the new working environment’s impact on the organization’s processes and control environment, including employee incentives, pressures and opportunities.

For example, financial institutions often utilize clean desk reviews, physical access limitations and personal cell phone bans on trading floors as key control activities to protect confidential and deal-sensitive information and mitigate risks, including insider trading. Under a remote or hybrid working environment, those control activities will not be effective when employees work remotely. Discussions around potential mergers and acquisitions might occur in a busy cafe where competitors or others may overhear. While avoiding this conversation in public can feel obvious, it might be overlooked because it’s new territory.

In this example, financial institutions should (1) ensure policies are updated to make it clear that discussing sensitive documents in public spaces such as trains, airports, or cafes is prohibited and (2) re-evaluate their process flows and control points to determine if there are any potential weaknesses or gaps which require modification to existing controls or implementation of new controls. Such controls could include issuing corporate devices with pre-loaded apps or installing apps on personal devices to capture communications on authorized channels, along with enhanced surveillance activities.

The most recent updates to the DOJ’s “Evaluation of Corporate Compliance Programs” guidance stress the importance of policies and procedures for using personal devices, communication platforms and third-party messaging applications.

Business communications on personal devices and third-party messaging applications are not new concepts. However, the work-from-home and hybrid environment significantly heightens the likelihood and impact of employees using alternative, unauthorized communication channels and requires substantially more attention, as highlighted by the guidance.

Training

Training must extend beyond the information an employee receives annually or on their first day. It must be implemented in a way that is ongoing to reinforce expectations and changes in policies and procedures.

Additionally, organizations must have comprehensive tracking of such training for completion and effectiveness. This can help leadership understand what is working and what is falling short and identify hotspots or areas where additional training may be required. As much as training should be an ongoing process, so should efforts to improve it.

Training can include formal online modules and in-person workshops to encourage awareness and enhance skillsets among teams. However, it also must include real-world examples tailored to roles and levels. For example, a manager will need different training on personal devices and messaging apps than a staff member, as managers will have to enforce the policy with their teams.

Testing and ongoing monitoring

As noted in the DOJ’s updated guidance, a hallmark of an effective compliance program is its capacity to improve and evolve. The actual implementation of controls in practice will necessarily reveal areas of risk and potential adjustment. Without effective testing and ongoing monitoring, organizations cannot determine if the existing control activities are implemented and operating effectively in the new working environment.

Data also plays an important role in an organization’s compliance program. Information such as VPN connections, email patterns, instant messaging data and more can give critical insight into the new normal for organizations and the behavior of their people. Organizations must take a 360-degree view of risk and controls related to these technologies and platforms to inform testing coverage and monitoring activities.

Although the nature and frequency of ongoing testing and monitoring will vary depending on the size and nature of an organization, senior management should ensure that the organization has recently tested the control environment and analyzed the results to determine if control enhancements are required.

At the same time, organizations should assess the impact the significant working environment changes have on the effectiveness of their ongoing testing and monitoring mechanisms and ensure necessary adjustments to maintain a dynamic and agile program.

Conclusion

There is no one-size-fits-all approach to compliance and risk management. Organizations, leaders and boards should continue to assess their risks, policies, procedures and controls to keep up with recent and future changes. Taking a step back now and examining an organization’s new reality and the effectiveness of its compliance program to evolve with ongoing changes can save the board, executive leadership and broader teams from significant complexities and challenges, including financial and reputational damage, in the future.


Chris Hoyle and Ksenia Ioffe

Chris Hoyle, a partner at StoneTurn, has more than 15 years of professional experience as an accountant and risk and remediation expert. He specializes in independent monitor engagements, forensic investigations and dispute consulting matters.
Ksenia Ioffe, a managing director with StoneTurn, has expertise in compliance and monitoring, forensic accounting and auditing. Ksenia’s experience includes assessing corporate compliance programs and internal controls and advising companies on how to remediate and enhance compliance programs to prevent and detect fraud.
