Skip to content


Harry Cassin
Publisher and Editor

Andy Spalding
Senior Editor

Jessica Tillipman
Senior Editor

Bill Steinman
Senior Editor

Richard L. Cassin
Editor at Large

Elizabeth K. Spahn
Editor Emeritus

Cody Worthington
Contributing Editor

Julie DiMauro
Contributing Editor

Thomas Fox
Contributing Editor

Marc Alain Bohn
Contributing Editor

Bill Waite
Contributing Editor

Russell A. Stamets
Contributing Editor

Richard Bistrong
Contributing Editor

Eric Carlson
Contributing Editor

Former UK prosecutor: Work from home options trigger new internal compliance concerns

As the lockdown is slowly lifted, it’s becoming clear that workers aren’t going to rush back to their offices. Some will eventually return, but for others, working from home will be more or less permanent.

Google and Facebook, for example, have given employees the option to work from home until 2021. Amazon workers can stay home until at least October, according to the Washington Post. Twitter has no timeline for bringing workers back to the office, and Microsoft said it is moving “more slowly rather than quickly.”

Employees working from home create a new risk profile in at least three distinct but simultaneous ways — personal conflicts of interest, data protection, and compliance training regimes. The job of adapting compliance programs and practices to meet the challenges of the new employee risk profile will fall mainly to compliance personnel, working also with HR, IT support, and other groups.

Here’s a summary of three of the ways work from home options are changing the internal risk profile:

Side Hustle Syndrome. Remote working can stimulate an employee’s entrepreneurial streak, providing the opportunity to start or develop their side hustle. This is not problematic in itself. But unclear guidance or inconsistent application of the rules regarding personal conflicts are problematic and can be damaging for both the organization and the employee involved. Policy on personal conflicts should be unambiguous and the approvals process should be swift and transparent. If they are not, the risk of exploitation by some employees, in these times, increases and may expose your organization to significant reputational damage. An example appeared recently in an exposè published by the Guardian. The story featured a procurement manager in the UK’s National Health Service who allegedly set up a private company to sell personal protective equipment.

Bring Your Own Device (BYOD). Many organizations have adopted liberal Bring Your Own Device (BYOD) policies to encourage own-device use, due to the cost savings and increased flexibility. Concerns arise because use of own-devices in relation to data theft, data leaks, and overall network security, which may expose the company to third-party liability. There is also the risk of unauthorized use of company data for personal purposes. Another issue that arises from BYOD practices relates to access to personal (non-company) devices during internal reviews, including internal audits and investigations, and during reviews conducted by retained law firms and forensic professionals. Although this is a difficult area to anticipate and comprehensively plan for, BYOD policies should set out what companies expect of employees under various scenarios, and what rights the company has in those scenarios, possibly including the ability to immobilize (and take possession of) personal devices in the event of a serious breach or suspected criminality.

Remote training fatigue. Organizations that allow and promote working from home usually take a generous approach to training and professional development. They encourage employees to use available media resources. That’s a positive development. But as some companies consider deep cuts to in-person training, or abandoning it altogether, there’s is a danger of fatigue from the deluge of virtual learning. Compliance professionals should review their suite of online training resources to ensure there is an appropriate blend of methods available, especially for those working in high-risk roles. Organizations still have a responsibility to provide appropriate training and engagement for employees in roles that are most vulnerable to economic crime risks. The decisions the companies make about methods and means of compliance training may become highly significant should the organization be faced with a regulatory or law enforcement investigation.

Share this post



  1. Great article and love the insight! I enjoy the perspective of the former prosecutor.

    My comment is beyond the intended scope of the article, but having been involved in criminal cases as well as civil litigation of corporate investigations involving employee misconduct in the US (only), if at all possible, I would highly recommend employers not allow employees to use their own electronic devices for an employer’s business use. If fraud or any misconduct by an employee has been perpetrated on a device, the employer, with the right policies in place, is in a much stronger position to obtain evidence from its own device if it needs to prove harm by the employee. Perhaps more importantly, the employer may likely need to determine what risk of exposure they have on a number of possible fronts.

  2. Insightful and raises awareness. WFH/work from home opens up a pandora box. Compliance professionals need to keep an open-mind and as always, ask questions.

  3. Thank you. Your perception of this new reality for companies is really exciting, and it should draw the attention of compliance and risk professionals, at the very least.

Comments are closed for this article!