
Managing the digital risks of a remote workforce

With remote working now necessitated by the COVID-19 pandemic, organisations (including us) are rapidly adopting or extending their processes, and in turn their controls, to mitigate digital risks and ensure that remote working is safe and secure. The significant increase in the number of people working from home at the same time and for extended periods of time accentuates existing challenges, whilst new types of roles previously not able to be performed remotely introduce new risks.

Client scenario one

As more and more of its people began to work remotely, one client started experiencing connectivity issues leading to intermittent access for employees connecting via their remote working channels. They ultimately identified they had insufficient licences for a workforce of c.10,000 leading to dropped connections and the inability to serve customers during peak hours.

Client scenario two

Another client has an obligation to perform trader surveillance. Traders, previously forbidden from working remotely, are having to work remotely – a scenario the surveillance toolsets are not equipped to handle. This is compounded by being in an uncontrolled home environment where the use of traders’ mobile devices cannot be stopped or monitored. This client would usually be in breach of their regulatory [1] requirements, and whilst the regulator has relaxed some requirements, the regulator still expects surveillance to be resumed quickly and mitigating controls to be implemented.

____________________________________________________

[1] https://www.esma.europa.eu/press-news/esma-news/esma-clarifies-position-call-taping-under-mifid-ii

Security, capacity and regulatory concerns are still paramount, but the evolving nature of the current situation means that digital risk management needs to be at the forefront of the response. The extent of ‘control compromise’ should be proportionate in order to balance over-control with the ability to rapidly serve critical customer needs, whilst not exposing the organisation or its customers to unacceptable risks. We have discussed prioritising the most critical Digital Channels in our blog post Digital dependence: How to balance speed with control?

Common digital risks you should consider include:

  • Have you got enough licences and/or the capacity to support your workforce remotely? 
  • What policy and procedures do you have to maintain privacy and confidentiality when working outside of a secure office environment for extended periods of time?
  • How can you continue to operate existing digital controls (e.g. recording of telephone conversations) in order to still meet regulatory obligations from remote locations?
  • Are your employees embracing a culture of connectivity and collaboration virtually?
  • How can you safely fast-track adoption of new tools and technologies (e.g. video conferencing software) to improve remote working capabilities and capacity?
  • Are you prepared to defend against new cyber threats including an uptick in socially engineered cyber-attacks, and increasingly sophisticated COVID-19 themed phishing and malware attacks?
  • How can you minimise supply-chain down-time but maintain the same level of controls around new suppliers?
     

Practical steps to address the digital risks of remote working

  1. Maintain governance and controls across Recover and Respond
    Irrespective of the role of the remote workers there are some fundamental steps you can take:
    • Device security: For users that are not normally allowed to work from home there are additional steps that you can enforce, such as disabling printing, print screen functionality and deactivating removable drives to minimise the risk of data leakage.
    • Virtual meeting rooms: Whilst legitimate platforms and tools have been roundly adopted at an accelerated pace, there remain digital risks to privacy and confidentiality around using unauthorised virtual meeting rooms or collaboration tools which can be joined by anyone. Remind employees that it is essential to only use approved preferred suppliers and solutions that meet the organisation’s standards.
    • Employee privacy: Understand your obligations to employee privacy and monitoring and ensure tools don’t breach these obligations or trust.
    • Attestations: Implement attestations to serve as a reminder of policy commitments that cannot be physically enforced when working from home. For example, remind employees handling sensitive data not to have mobile phones in the working environment.
    • Behaviours: Staff should be reminded that even at home data privacy and security are important. They should find private spaces for conducting calls and not leave confidential information on unlocked PCs or in physical form.
  2. Prioritise limited resources and critical digital channels
    You need to ensure you continue to prioritise and efficiently deploy limited resources, both human and digital. This may mean:
    • Prioritising resources and capacity for key customer journeys and critical digital channels (e.g. processing of online shopping channels over foreign exchange services).
    • Curtailing activities by diverting resources or limiting non-critical activities to off-peak working hours.
    • Stopping the deployment of non-critical services or products in the short term or delaying new initiatives.
    • Accelerating some programmes (e.g. automation programmes that will deliver in order to increase capacity).
    • Prioritising the capacity of a digital workforce, allocating bot licence capacity to the most critical processes.
  3. Maintaining culture in a remote working environment
    For many organisations their most valuable asset is their workforce – continued engagement with employees, maintaining culture, is key. This may include:
    • Awareness programmes to maintain awareness within the organisation of internal policies and procedures. For example, new guidelines on remote working including security and flexible working around primary carer commitments.
    • External environment – awareness should extend to the external environment; be that competitor or regulatory changes impacting the business. This may be as simple as reiterating regulatory or policy commitments under pressure.
    • Productivity risk – applying agile ways of working, underpinned by digital tools, can help focus the workforce on outcomes and keep the team connected despite being remote.
       

Responding in the short term can help digital confidence for the future

The importance of building an organisation and workforce that is confident in ‘being digital’ has hit a new precedent. You must adapt to the requirements of your most pressing demands, but do so in a sustainable and controlled way that allows immediate priorities. Those organisations that thrive will be those that take steps to adapt quickly within risk appetite in the short and medium term, and turn these challenges into a digital advantage in the longer term.

Even under normal circumstances, moving to digital impacts a number of risk areas across the organisation, including implications for cyber, regulatory compliance and conduct risk, which require a joined-up approach to risk management. Explore more in our Digital Risk framework.
