Office occupancy rates are on the rise. But so are hybrid work arrangements. The past three years have been marked by widespread restructuring of how work gets done. And as white-collar workers shift to a new normal, a whole new set of risks and compliance challenges arise. Chris Hoyle and Ksenia Ioffe of StoneTurn explain the steps organizations must take to ensure their compliance programs change with the times to remain adaptable and sustainable for the future.
Does your life look the same as it did three years ago? For most of us, the answer is no, and the same is true for businesses. Since early 2020, the world has experienced a series of whiplash moments — from reeling over the effects of a global pandemic, to hiring surges coupled with the Great Resignation, regulatory shifts and new reporting requirements, and global geopolitical conflict.
One of the biggest changes we’ve seen has been the shift to a remote workplace. Although organizations are calling for a return to office, many still allow a hybrid work model, leaving them potentially vulnerable to a heightened risk of fraud. The Association of Certified Fraud Examiners estimates that in the last year total global losses due to fraud were nearly $5 trillion, with fraud committed by an executive or employee responsible for approximately 40% of that amount.
Much as we have adapted our habits and processes to address the new normal, entities also must adapt their compliance policies, processes and functions to meet a unique convergence of new and existing risks confronting their organizations.
New risks also yield cultural change, compounded by new working methods, including remote and hybrid work, reliance on new team members who lack historic organizational knowledge and evolving technology, such as ephemeral messaging and artificial intelligence.
New misconduct risks also arise from this fluidity, including blurred lines between work and life and shifts in team balance. Boards of directors, alongside compliance, risk management and business leaders, must ensure the organization’s compliance programs remain agile and top of mind. This includes examining outdated risk management methods and controls to prevent and detect misconduct.
Here, we present critical steps organizations must take to ensure compliance programs evolve with changing business practices and remain effective, adaptable, and sustainable for the future.
Governance and oversight
Executive and board oversight is critical for proper risk management. Boards and executives should challenge senior management about what steps the organization has taken to identify, assess and mitigate heightened and emerging risks, including the remote and hybrid work environment.
Boards and executives should also ensure there are sufficient and qualified compliance resources with proper stature within the organization (e.g., involvement in business decisions, members of senior leadership governance forums) and direct access to the board and audit committee. Additionally, they must confirm there is adequate employee communication and training on the compliance program and the corporation’s commitment to it.
Leadership, including the board, should re-evaluate the quality and frequency of reporting senior management provides to confirm there is appropriate information and detail to maintain proper oversight and assess whether the compliance and ethics program is working in practice. The reporting should provide visibility into:
- Heightened or emerging risks.
- Portfolio of whistleblower reporting and investigations (including nature, region, volume, status, and trends and hotspots).
- Potential gaps or weaknesses in the compliance program (e.g., risk assessments, controls, other broader compliance, culture plans).
- Impact of such possible shortcomings.
- Status of corrective actions or enhancements to address any potential weaknesses or gaps.
Culture & tone at the top
Organizational culture will remain a key business driver and element of an effective compliance program. Building a culture of compliance is more challenging, but not impossible, with new faces on the team in a remote or hybrid working environment. What started as posters on office walls with reminders to “speak up” and encouraging use of ethics helplines should be expanded to intranets, email newsletters or other multi-media campaigns.
Return to office
Face-to-face interaction is generally considered essential to building company culture, which makes it challenging in remote and hybrid working environments to establish and maintain an environment where employees feel comfortable raising concerns and discussing compliance-related issues. Many organizations are addressing those concerns by requiring employees to be in the office at least two days a week.
Unsurprisingly, mandatory in-person office days can prove polarizing, creating challenges for many organizations. Therefore, it’s imperative that organizations enforcing in-office attendance ensure senior management is in the office at the same cadence as other employees, helping set the tone that adherence to all policies is expected of everyone.
It’s also essential for senior management to engage with colleagues while in the office to develop new relationships and nourish existing ones. These interactions can help employees feel part of the team and more comfortable contacting senior management when not in the office while also driving tangible cultural benefits.
Omni-channel and multi-level approach
Leadership should consider implementing virtual office hours, town halls or anonymous forums to account for fewer in-person touchpoints. These techniques will help develop and enhance working relationships and organically empower employees to speak up. This can be particularly helpful for new employees who have yet to foster relationships and are still navigating the organization.
Middle management should know the compliance and ethics program and reinforce the standards and senior leadership’s messaging. This includes reminders to teams about the importance of adhering to the code of conduct, corporate policies, laws and regulations and encouraging employees to speak up if they become aware of any potential misconduct.
Traditional risk assessments typically consider the likelihood and impact of a risk event occurring. They are often completed annually (sometimes less frequently depending on the program’s maturity and the organization’s size) and tend to roll forward, at least as a starting point, with the same information year-over-year.
New realities, new risks
Given the range of complicating factors over the last few years, now is a great time for senior management to take a step back and re-evaluate if the existing risk assessment process is appropriately identifying and assessing the impact of recent operational, cultural and geopolitical events on the organization’s risk profile.
As a starting point, senior management should consider the frequency and timing of the most recent risk assessments and whether they:
- Capture relevant risk events.
- Evidence consideration of whether a risk event is more or less likely to occur under new working models (e.g., remote, hybrid).
- Contemplate the impact of recent regulations and economic distress.
- Provide a representative residual risk rating (i.e., the likelihood and impact rating of the risks after considering the effectiveness of relevant control activities in reducing the inherent risks) in the current environment.
Consider the “work from anywhere” scenario pre- and post-pandemic. Many organizations have adapted to increase system access beyond the office walls. They should ensure their risk assessment considers potential misconduct opportunities (e.g., schemes and scenarios) related to employees accessing sensitive information outside the organization’s offices and appropriately update the ratings to account for the increased likelihood of previously identified risk events and other identified risk events.
Control activities implementation
Organizations should take stock of the new working environment’s impact on the organization’s processes and control environment, including employee incentives, pressures and opportunities.
For example, financial institutions often utilize clean desk reviews, physical access limitations and personal cell phone bans on trading floors as key control activities to protect confidential and deal-sensitive information and mitigate risks, including insider trading. Those control activities are not effective when employees work remotely or in a hybrid arrangement. Discussions around potential mergers and acquisitions might occur in a busy cafe where competitors or others may overhear. While avoiding this conversation in public can feel obvious, it might be overlooked because it’s new territory.
In this example, financial institutions should (1) ensure policies are updated to make it clear that discussing sensitive documents in public spaces such as trains, airports or cafes is prohibited and (2) re-evaluate their process flows and control points to determine if there are any potential weaknesses or gaps which require modification of existing controls or implementation of new controls. Remediation in this example could include issuing corporate devices with pre-loaded apps, or installing apps on personal devices, to capture communications on authorized channels, together with enhanced surveillance activities.
The most recent updates to the DOJ’s “Evaluation of Corporate Compliance Programs” guidance stress the importance of policies and procedures for using personal devices, communication platforms and third-party messaging applications.
Business communications on personal devices and third-party messaging applications are not new concepts. However, the work-from-home and hybrid environment significantly heightens the likelihood and impact of employees using alternative, unauthorized communication channels and requires substantially more attention, as highlighted by the guidance.
Training must extend beyond the information an employee receives annually or on their first day. It must be implemented in a way that is ongoing to reinforce expectations and changes in policies and procedures.
Additionally, organizations must have comprehensive tracking of such training for completion and effectiveness. This can help leadership understand what is working and what is falling short and identify hotspots or areas where additional training may be required. As much as training should be an ongoing process, so should efforts to improve it.
Training can include formal online modules and in-person workshops to encourage awareness and enhance skillsets among teams. However, it also must include real-world examples tailored to roles and levels. For example, a manager will need different training on personal devices and messaging apps than a staff member, as managers will have to enforce the policy with their teams.
Testing and ongoing monitoring
As noted in the DOJ’s updated guidance, a hallmark of an effective compliance program is its capacity to improve and evolve. The actual implementation of controls in practice will necessarily reveal areas of risk and potential adjustment. Without effective testing and ongoing monitoring, organizations cannot determine if the existing control activities are implemented and operating effectively in the new working environment.
Data also plays an important role in an organization’s compliance program. Information such as VPN connections, email patterns, instant messaging data and more can give critical insight into the new normal for organizations and the behavior of their people. Organizations must take a 360-degree view of risk and controls related to these technologies and platforms to inform testing coverage and monitoring activities.
Although the nature and frequency of ongoing testing and monitoring will vary depending on the size and nature of an organization, senior management should ensure that the organization has recently tested the control environment and analyzed the results to determine if control enhancements are required.
At the same time, organizations should assess the impact the significant working environment changes have on the effectiveness of their ongoing testing and monitoring mechanisms and ensure necessary adjustments to maintain a dynamic and agile program.
There is no one-size-fits-all approach to compliance and risk management. Organizations, leaders and boards should continue to assess their risks, policies, procedures and controls to keep up with recent and future changes. Taking a step back now and examining an organization’s new reality and the effectiveness of its compliance program to evolve with ongoing changes can save the board, executive leadership and broader teams from significant complexities and challenges, including financial and reputational damage, in the future.