Former UK prosecutor: Work from home options trigger new internal compliance concerns

As the lockdown is slowly lifted, it’s becoming clear that workers aren’t going to rush back to their offices. Some will eventually return, but for others, working from home will be more or less permanent.

Google and Facebook, for example, have given employees the option to work from home until 2021. Amazon workers can stay home until at least October, according to the Washington Post. Twitter has no timeline for bringing workers back to the office, and Microsoft said it is moving “more slowly rather than quickly.”

Employees working from home create a new risk profile in at least three distinct but simultaneous ways — personal conflicts of interest, data protection, and compliance training regimes. The job of adapting compliance programs and practices to meet the challenges of the new employee risk profile will fall mainly to compliance personnel, working also with HR, IT support, and other groups.

Here’s a summary of three of the ways work from home options are changing the internal risk profile:

Side Hustle Syndrome. Remote working can stimulate an employee’s entrepreneurial streak, providing the opportunity to start or develop their side hustle. This is not problematic in itself. But unclear guidance or inconsistent application of the rules regarding personal conflicts are problematic and can be damaging for both the organization and the employee involved. Policy on personal conflicts should be unambiguous and the approvals process should be swift and transparent. If they are not, the risk of exploitation by some employees, in these times, increases and may expose your organization to significant reputational damage. An example appeared recently in an exposè published by the Guardian. The story featured a procurement manager in the UK’s National Health Service who allegedly set up a private company to sell personal protective equipment.

Bring Your Own Device (BYOD). Many organizations have adopted liberal Bring Your Own Device (BYOD) policies to encourage own-device use, due to the cost savings and increased flexibility. Concerns arise because use of own-devices in relation to data theft, data leaks, and overall network security, which may expose the company to third-party liability. There is also the risk of unauthorized use of company data for personal purposes. Another issue that arises from BYOD practices relates to access to personal (non-company) devices during internal reviews, including internal audits and investigations, and during reviews conducted by retained law firms and forensic professionals. Although this is a difficult area to anticipate and comprehensively plan for, BYOD policies should set out what companies expect of employees under various scenarios, and what rights the company has in those scenarios, possibly including the ability to immobilize (and take possession of) personal devices in the event of a serious breach or suspected criminality.

Remote training fatigue. Organizations that allow and promote working from home usually take a generous approach to training and professional development. They encourage employees to use available media resources. That’s a positive development. But as some companies consider deep cuts to in-person training, or abandoning it altogether, there’s is a danger of fatigue from the deluge of virtual learning. Compliance professionals should review their suite of online training resources to ensure there is an appropriate blend of methods available, especially for those working in high-risk roles. Organizations still have a responsibility to provide appropriate training and engagement for employees in roles that are most vulnerable to economic crime risks. The decisions the companies make about methods and means of compliance training may become highly significant should the organization be faced with a regulatory or law enforcement investigation.