By Al Park, FTI Technology
Up until recently, many financial services firms maintained the view that the massive shift to remote work was a temporary anomaly. While most in the industry have brought, or are in the process of bringing, the majority of their employees back to the office, a subset of employees will remain fully remote permanently and many will follow a hybrid model. With these new workplace realities having solidified for the long term, financial services organizations that had not previously allowed remote work as a standard practice will need to make changes in their policies, programs, workflows and collaboration around technical and operational risks.
Unfortunately, many organizations are underprepared for the future of work. A recent survey reported that only one in four organizations say they are very prepared for hybrid working. Meanwhile, at least 60% of employees say they want (and expect) to work from home indefinitely. Adapting to this landscape will require financial services institutions to uphold business continuity and collaboration among remote teams, increase the visibility of compliance leadership to communicate expectations, and put in place stronger policies and controls that enable robust protection and compliance across all endpoints, in office and remote.
Several top risk areas have emerged in the hybrid work environment. These include:
- Increased employee departures. Employees have been leaving their organizations at unprecedented rates, with millions of people in the U.S. taking part in the Great Resignation or the Great Reshuffling. This is prompting the need for new processes and controls that address the subsequent increased risk of data loss, IP theft and compliance violations.
- Insider Threats. An extension of the massive movement of people away from and between employers is the increased incidence of insider threats, which may include well-meaning employees who inadvertently share sensitive company information, as well as malicious actors who are disgruntled or seeking personal gain by exposing or stealing company data. According to a Ponemon study, the frequency of insider incidents rose by 44% this year and the cost of addressing them rose by 34% between 2020 and 2022.
- Emerging Data. Employees are communicating in new and constantly evolving forums, many of which are not known to the organization. It’s not uncommon for any given organization to have dozens or hundreds of different collaboration, file sharing and cloud-based applications in use, whether they are sanctioned within company policies or not.
The expectation that employees would eventually fully return to in-person work has left many organizations either avoiding these issues or falling back on temporary solutions. Now, it’s time to begin shoring up policies that mitigate risk in a way that’s fit for the future. To do so, organizations can take the following initial steps:
- Evaluate how the organization views risk. Identify the full scope of activities and processes that may introduce or exacerbate risk. This includes working with cross-functional stakeholders to address how sensitive information is handled and processed among employees working away from the office. Conducting a detailed risk assessment that compares exposures against the company’s risk tolerance as well as applicable regulatory obligations is a key first step to informing where improvements or new procedures are needed.
- Implement analytics-powered workflows. These should have the capability to monitor and flag problems — such as unauthorized sharing of data, compliance violations and suspicious insider behaviors — automatically. Legal and compliance teams are often already working with tight resources and may not have capacity for extensive, manual risk monitoring across a hybrid workforce and new collaboration systems. With analytics, technical capabilities can be enhanced to predict and model issues. These systems enable data-driven decision making that will scale the organization’s ability to minimize, remediate and respond to technical, operational, financial and regulatory risks as they arise.
- Create a data map. How is the use of new tools, personal devices and collaboration applications impacting retention and legal hold policies? Legal and IT should work closely to ensure legal holds and retention policies are accounted for and upheld across all platforms used for communications and core business activities. Teams will need to evaluate what they need to change or strengthen within policies and practices across governance, compliance monitoring, investigations methodologies, security and e-discovery in order to address the implications of increasing use of emerging data sources.
- Establish robust access controls. Security mechanisms must be set up to ensure hybrid and remote employees handle, transfer and store information in a secure and compliant manner.
- Be proactive about “exit” investigations. As employees depart, analytics tools can enable an examination of patterns in communications that may indicate risky activity prior to an employee’s departure. This will help reduce the risk of data leakage, IP theft, trade secret misappropriation and other data-related risks.
- Establish compliance and security training and awareness programs. These programs help to keep employees engaged as participants in risk management.
Even in industries that have long been stalwarts of in-office policies, the workplace is forever changed. Likewise, risk management must also change. To maintain resilience in this environment, organizations will need to first acknowledge that they are facing a new risk landscape with an array of issues, including hybrid work, emerging data sources, increased employee turnover, technology advancements and more. Then, teams can set to work assessing the specific implications and solutions for their industry and unique business needs.
Al Park, a Senior Managing Director within FTI Consulting’s Technology segment, specializes in the oversight of technology solutions to address risk and compliance for global corporations and firms. He brings more than 20 years of experience leading organizations in heavily regulated sectors in emerging technologies, data and digital trends, with a specialization in industries including financial services, energy, life sciences and technology.