Earlier this week I moderated a webinar about the compliance challenges businesses will face as they strive for a post-pandemic return to work, when I realized: we should stop saying “return to work.” That’s not quite what companies will do in 2021, and compliance officers need a better understanding of what lies ahead.
Start with the phrase itself. It conjures up images of life returning to those halcyon days of 2019: people working in offices, going on business trips, striking deals over lunch, brainstorming IT projects on white boards. It also conjures up images of returning to a physical location: office buildings; conference centers; job fairs; sales calls.
Well, we already know that replicating the pre-pandemic experience won’t happen, because many businesses and workers have endured the pandemic reasonably well. The first few months were scary, but plenty of businesses are now asking, “What changes that we made in the pandemic have gone so well that we should make them permanent?”
Compliance and audit executives tell me this all the time. It was one of the first statements I heard on our return to work webinar.
Which means that we’ll never “return to work” as it was before the pandemic. We will arrive at a new form of work after the pandemic — and for all our fumblings over vaccination policy right now, that day is approaching rapidly.
So what executive teams should be doing right now is reviewing how their business operations will look in the new world of work. Lots of policies and procedures could revert to the way they were, but many others won’t. Many changes we implemented in 2020 might as well be permanent.
And in that case, what are the implications for compliance programs?
That’s what we should be talking about when we discuss the “return to work,” and the compliance officer’s role therein: how she or he can identify those permanent changes to the business, and redesign the ethics and compliance program to keep pace.
Exhibit A: The Permanently Distributed Workforce
The best example of what I mean here is the remote workforce so many businesses had to embrace in 2020. Now, so many Zoom meetings and Slack conversations later, lots of companies have discovered that letting employees work remotely isn’t that bad. Moreover, you can expand your geographic range for hiring new employees to pretty much anywhere with reliable Internet access.
What are the compliance implications of a permanent move toward more remote working? Plenty.
Supervision. How can managers supervise employees who aren’t physically present? One way would be to surveil their electronic communications and monitor their online activity (and for financial firms, that’s already a common practice to comply with FINRA rules on supervision). Surveillance and monitoring, however, raise questions about compliance with privacy rules, especially if employees might be using their personal devices.
Underperforming employees. If you have an employee failing to meet expectations, how will managers counsel that person to some sort of resolution? Underperforming employees can be a delicate matter, since they may misinterpret management’s actions and you end up with a wrongful termination or retaliation lawsuit. So what policies, procedures, and management training are necessary when all this happens remotely?
Tax, fair labor, and harassment issues. With employees working everywhere, you now face more state and local regulations about these other employment issues. (My favorite: Massachusetts trying to impose income taxes on New Hampshire residents who previously commuted into Massachusetts, and who now don’t set foot here.) So how do you track such a diverse range of regulatory requirements?
Cybersecurity. If everyone is working remotely — on their own networks, perhaps with their own devices, which also have their own software apps next to your company’s systems — how do you govern the security risks? How can you assure that breach detection and disclosure still works well? How do you enforce policies against installing cloud-based apps that employees find from lord knows where?
New Era, New Compliance Questions
Yes, most organizations are already aware of risks like these. We stumbled into those issues in 2020 and applied whatever short-term policies and controls management could improvise.
Our questions for 2021, however, are these:
- How do we embed and automate compliance solutions to those 2020 problems, now that we understand what they are and that they’re not going away?
- How do we combine that set of compliance policies and controls for remote work with the second, parallel set of compliance policies and controls for in-person work?
That is, an enterprise-wide compliance program in 2021 and beyond will need to straddle both types of working environment. How do you ensure consistency between the two? How do you pull together all relevant data in such a bifurcated work environment, to stay sharp with risk assessments, regulatory reports, or board briefings?
Those are difficult, complicated questions. I also worry that as executive management teams develop their “return to work” strategies, they won’t include the compliance officer in those deliberations. So you could be stuck trying to answer those difficult questions without any advance notice that new plans were coming.
Those are my concerns about returning to work, at least — and they’re quite different from what I expected them to be.
Let me know what you think at [email protected].