Background
Office workers have all got used to working virtually, but now many people are working in a hybrid arrangement. Banks have adopted a variety of approaches. One firm’s CEO was quoted as describing working from home as an "aberration" as their culture is about "collaboration, innovation and entrepreneurship". As of Autumn 2021, other banks have adopted a hybrid approach where staff return to the office in a variety of patterns.
Is there a problem with hybrid working?
Hybrid working could create a number of control issues leading to operational risks and financial losses. Reasons for this include:
- There are fewer physical controls at home, and staff may not be in the office in consistent patterns.
- Staff may be using their own devices.
- Staff are no longer in proximity to colleagues and the positive behavioural reinforcement they provide.
The environment created could enable staff to act in a way that is not consistent with their firm’s values or culture without detection. The focus from many firms has been on staff well-being and retention and less so the control environment so this could be a dormant risk. (NB, staff well-being does have an impact on control culture – see "big four" below)
Examples
- If a couple or flatmates are both working from home at the same time this could lead to poor information controls and conflicts of interest arising. If one person is the lawyer for a corporate finance deal and the other is another lawyer acting for a competitor this could lead to problems. Each may be exposed to information they should not be. When people are at home the absence of separate workspaces could lead to poor information controls. It could also be that individuals from a household work for rival banks, risking information leaks.
- Risks could occur at the individual staff level, as well as through interaction with others. What if staff need to print something off urgently for an important and imminent meeting? However, their work laptop for some reason does not connect with their home printer. Some may then send the document to their home email account and print the document on their home printer. This creates issues about information security and data protection.
- At many investment banks traders are banned from carrying their personal mobile phone on the trading floor. This follows the Libor and FX scandals. It is a lot more difficult, if not impossible, to ensure staff are not using personal mobile phones when they are working at home. There is the risk that traders could once again make inappropriate and illegal side deals through Whatsapp groups, for example.
- The control environment may weaken in general and non-specific ways as each bank and each department make tactical decisions. In response there is a strong push from regulators for traders to return to the office as soon as possible. There has been less emphasis on risk, compliance and internal audit teams returning as quickly, and this could have a consequent impact on the control environment.
These may seem like small things in and of themselves but if they were to take place in an office environment, they would all be matters of gross misconduct and most likely lead to a dismissal.
What is driving these risks?
There are four key aspects that are different in a hybrid working environment compared to a home environment. We call these the "big four".
1. Supervision
Supervision in an office is very different to being at home. In the office many staff were typically sitting next to their line manager and they were watching their staff to make sure they were doing their jobs and behaving as expected. More subtly it was easier to transmit the firm’s values when everyone was sitting in proximity. Coaching and on-boarding for new employees was again more consistent when sat close to your manager. In a home environment that ‘supervision’ cannot happen in the same way. But sitting next to your manager is only one type of ‘hard’ supervision.
Staff typically sit next to their team and colleagues and use them to bounce ideas off - ‘this strange person has just come in with a briefcase full of money saying they want me to help them open a bank account very quickly. Should I help?’ The interaction with team members and colleagues is what we might call ‘soft supervision’ and will generally be absent if not greatly reduced in a home environment.
The experience of auditors with hybrid working has seen a mixed picture. In some respects ‘wakthrough’ might be more straightforward if staff from a global business can all be on the same video call, screen sharing is also a lot more readily achieved. However, over the same period we have also seen that simple things like checking, inspecting documents and having conversations have taken longer and been more difficult in a hybrid working environment so it is perhaps inevitable that supervision will require more work.
2. Well-being/tiredness
How staff treat each other and how staff respond to working at home can also have an impact on the control environment. Many may have gained time through the absence of a commute but for many, those hours have been filled up with more work and the working day has lengthened. This means people are tired and behavioural science shows that when people are exhausted, they may make poor ethical decisions. For example, people are most likely to not to stick to their diet late at night, when they are tired or have had a particularly gruelling day.
3. Reminders
In a typical office you will see posters on the walls reminding staff of the firm’s values and the behaviours they want people to embody. You might even see posters saying ‘do not launder money’. This sounds silly but is effective from behavioural perspective. At home, staff have fewer reminders and nudges to support the right behaviours and this, all other things being equal, could lead to a weaker control environment.
4. Rationalisation
As much as there are a few "bad eggs" who may commit acts of misconduct, some good people will do bad things when they are under pressure and perhaps more importantly when they can rationalise the particular act or misdemeanour. Rationalisation is a very important factor when we look at misconduct.
This is currently a more acute risk as some people may find themselves concerned about their firm, its cashflow and its profitability. In such circumstances it can be easy for people to make slightly unusual ethical decisions where they may think they're trying to help their bank or firm. They may "bend a few rules" think "it's a grey area" anyway or if their act was really bad – "compliance or internal audit would pick them up".
In the unprecedented circumstances we find ourselves in, it can be easier for people to justify "bending" a rule or two. In the aftermath of a global pandemic or other stress event we can more easily rationalise making exceptional decisions, in exceptional circumstances.
What can firms, boards and managers do about the risks from hybrid working?
The potential driver of risks and issues, "big four" as we describe them above give us ideas about what actions we could take to reduce the risk of misconduct or losses.
| Who | Action | S/R/Z/W |
|---|---|---|
| Boards | Ask the executive what they are doing about the "big four" – Reminders, Supervision, Rationalisation and staff Well-being. Make them accountable for the steps they are taking. | S, R, Z & W |
| Boards | Reassess your assurance map if management is making tactical but siloed decisions which systematically weaken your control functions - Risk, Compliance and Internal Audit being left at home. What do all of those individual tactical decisions mean for your holistic control environment? | S |
| Boards | Look at data to understand the adequacy of your control environment (eg, SARs, policy breaches, staff warnings, limit excesses etc). | S |
| Management | Do a staff survey to understand the wellbeing of your staff. Give managers the tools to effectively support their teams with the challenges of hybrid working. | W |
| Management | Consider the use of Artificial intelligence tools to "supervise" and monitor your staff. | S |
| Management | Provide staff with the technology to do their job in a compliant way eg, printers. | S |
| Management | Monitor staff – where the risk is warranted (eg, proprietary trading), install webcams in staff homes, with due consideration of safeguards. | S |
| Managers | You can’t sit next to your staff but perhaps put in a regular video call to talk about their wellbeing and any ideas they want to bounce off you. You should also role model the right behaviours and try to meet them when you are both in the office. | S & W |
| Managers | Train your staff to understand and mitigate the risks of WFH and hybrid working. | R |
| Managers | Roll out training which uses the staff’s own name. This is more effective because staff will identify and understand they are responsible for the choices they make. | R |
| Managers | Consider measures such as "no screen Fridays" that will alleviate tiredness and reduce the risk of staff making ethical errors. | W |
Further reading
ICAEW – Culture and purpose in financial services
IIA – Cyber risks of remote working
FCA – Market abuse during Covid
World Economic Forum – Future of Work
Financial Services Culture Board – 2020 Survey
Cybercrime Awareness Month 2022
ICAEW marks the global Cyber Security Awareness month with a series of webinars, videos, podcast, a panel discussion and other resources addressing cybercrime and how to protect your business. We will focus on the latest trend as well as supply chain risks and concerns.
Related content
ICAEW Community
Data Analytics
Helping finance professionals develop the advanced data analytics and visualisation skills needed to succeed in this insight-driven era.
Find out moreCharity Fraud Awareness Week
Charity Fraud Awareness Week 2021
Charity Fraud Awareness Week will raise awareness of fraud and cybercrime affecting the sector to create a safe space for charities and their supporters to talk about fraud and share good practice.
Resources
Technology
Keep up-to-date with tech issues and developments, including artificial intelligence (AI), blockchain, big data, and cyber security.
Read more