Enterprise risk management, BCM and CM have all been affected by growing numbers of off-site workers.
Enterprise risk management (ERM), business continuity management (BCM) and crisis management (CM) have all been affected by the growing numbers of employees working from home. This trend has been rising steadily over the last decade, facilitated by increasing digitization within the workplace. Following the outbreak of COVID-19 and governmental lockdowns forcing companies to close their offices, however, this trend shifted from steady growth to an explosion.
A shift in attitude to employees working from home
Remote working is now essential to business operations, and this will continue to be the case for the foreseeable future. Indeed, in a Gartner survey conducted in 2020, 53 percent of respondents said they wanted to continue working remotely after COVID-19 (Figure 1).
This trend has also been observed in Sweden — one of the most liberal Western countries with respect to COVID-19 restrictions. According to one survey, 42 per cent of the nation’s workforce was working from home in November 2020, with 88 per cent of those people wanting to continue working remotely at least one day per week. The survey also showed that more people thought working from home had increased rather than decreased their productivity.
A notable example of the shift in attitude to remote working is the well-known company Spotify. Before COVID-19, Spotify required all software developers to work on company premises, and requests to work remotely were routinely denied. When COVID-19 hit, Spotify quickly revised its company policy to forbid employees from coming into the office, instead requiring all developers to work remotely from home. Since then, the company has revised its policy once more to give its developers the freedom to work from wherever they are most comfortable.
Remote working lead to new challenges in business operations as some were alleviated
The disconnect between one’s registered office address and the location where one is actually working has never been greater. Indeed, in 2021 some people have worked for their employer for over a year without ever setting foot in their office.
As working from home shifts from an obscure practice to business as usual, companies find themselves having to define their policies for remote work. In a survey of 300 companies conducted in 2020, PricewaterhouseCoopers found that 46 percent of the companies surveyed had no remote worker policy in place; of these companies, 55 percent were planning to implement a policy.
As corporate governance is the largest common (60 percent), key driver of BCM adoption,4 an increased focus on remote worker policies will most likely lead to an increased focus on the aspects of remote work relating to ERM, BCM and CM. Simply put: while the trend for remote work reduces certain risks, other risks — previously not worth addressing — have increased in priority, and new tools are required to manage them.
Business impact analysis (BIA) and Risk Assessments (RAs) must be reassessed
The most glaring example of how remote workers change things is with business impact analyses (BIAs) and risk assessments (RAs), which have long used offices and facilities as their starting point — the traditional assumption being that during office hours, the office will be full of employees. This is no longer necessarily the case, and BIA/RAs must be updated accordingly.
Where once a vacant desk used to mean that an employee was out of the office and (unless on a business trip) not working, employers were exposed to minimal risk, at most. Today’s employers, by contrast, must consider various factors relating to compliance.
Certain risks, such as physical security or local tax compliance processes, are mitigated for office-based employees. This is not the case for remote workers as their employer has no oversight over where the work is being done. The most effective way to address this is by reframing how the company views how many offices it has, as for all intents and purposes it now has as many locations as it has employees working remotely.
When responding to a crisis, traditional CM solutions, such as simple mass communication tools, may no longer be effective. For example, if a disaster hits close to a company property, determining who is in the office on that day is now harder than ever. Sending out e-mails and SMS messages to all employees to check on their wellbeing is an administrative nightmare.
Employees in different locations may take a long time to answer any such requests or even ignore them if they are sufficiently distant to consider them irrelevant — after all, employees based in New York are largely insulated from events in Los Angeles.
The same applies when a disaster hits a location where the company has no offices per se but does have employees working there. Reaching such employees can be a complicated process.
Workers off site and possible tax issues
Remote working can also expose an organisation to risks without its knowledge. For example, if the company has employees on its payroll from one country working remotely in a different country where it has customers but no local legal entity, the local tax authorities may assume that it is attempting to avoid paying tax.
Global workforce mobility exposes companies to significant tax compliance issues that carry both financial and compliance risks for companies. Tax compliance risk can even occur when working remotely within a country like the USA, where employers must file tax registrations in different states.
In the next part of the article
In the next part of the article we will look at how in practice one can manage and mitigate the negative impacts that remote works have on business continuity, risk, and crisis management. The article will also include implementation examples and description of type of tools that can be used.
- Gartner®, ‘Remote Work Rates Before, During and After the COVID-19 Pandemic’, Human Resources Team , Refreshed 11 May 2021, Published 4 June 2020. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. Accessed 2 December 2021, available at: https://www.gartner.com/document/3985972.
- Randstad (2020) ‘nio av tio vill fortsätta arbeta hemifrån i framtiden’, available at: https://www.randstad.se/om-oss/press/nio-av-tio-vill-fortsatta-arbeta-hemifran-i-framtiden/ (accessed 2nd December, 2021)
- PricewaterhouseCoopers (2020) ‘The future of remote work’, available at: https://explore.pwc.com/remotework (accessed 2nd December, 2021).
- Woodman, P. (2008) ‘Business Continuity Management 2008’, available at: https://continuitycentral.com/BCMReport2008.pdf (accessed 2nd December, 2021).
- Goldsmith, M. (2021) ‘How remote workers can create business risk’, available at: https://www.ey.com/en_us/tax/how-remote-workers-can-create-business-risk (accessed 2nd December, 2021).
- HP Wolf Security (2021) ‘Blurred lines and blindspots’, available at: https://threatresearch.ext.hp.com/wp-content/uploads/2021/05/BPS_Wolf-Security-Blurred-Lines-Report.pdf (accessed 2nd December, 2021).
- Gartner®, ‘Market guide for business continuity management program solutions’, Gregory, D. and Witty, R. (2021). GARTNER is a registered.
trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. Accessed 2 December 2021, available at: https://www.gartner.com/document/3994760?ref=lib
Andreas Rodman is the co-founder of Safeture AB. For most of his career he has been building IT companies for new types of markets. He has a background in engineering and a Master of Science degree in computer science and engineering.