The environment in which we are working has changed, and that changes the risk assessments you made previously. The FCA has recently been reminding firms of the need to review their risk assessments in light of the new operating environment. But what should you focus on?
Here are our top ten risks that have changed:
1. Client communication
The loss of personal connection from face to face meetings will be influencing your clients. Overlay that with the uncertainty and disruption from the current environment and you will understand how clients’ needs are changing.
Maintaining more regular contact, be that video, voice or written contact, will help preserve and deepen your client relationships. Remember to keep your clients informed about your plans for all the possible scenarios at the end of the Brexit transition.
2. Use of personal devices
There was a discipline in the office about using personal devices. This was not just for individuals in certain roles, but for everyone. Not using your personal device in the office was a common courtesy. It also served a purpose: keeping what related to the job on company systems, so protecting that data.
The prevalence of bring your own device brings challenges. Strong firewalls can prevent company property from being shared through personal systems such as email and social media.
Consider whether the firewall on personal devices can be relied upon such that you would never need access to the device in the event of an investigation. If it could not, a law enforcement agency certainly could obtain a court order to seize the device.
3. Recorded lines
The FCA has been quite clear that its rules about recorded lines do not change when an individual moves from an office to their home. Recording on personal devices is extremely challenging, so most recorded lines are still on company devices. What about the prevalence of video calls? These would be huge data files to store, and the visual is unlikely to add value to surveillance activities. However, recordings of the voice and any associated chat messages are essential inputs to your efforts to counter market abuse.
4. PA dealing
For some time now the FCA has been concerned about personal account dealing. Its concerns relate to breaches of company policies which the FCA becomes aware of when it is looking into potentially suspicious trading.
Training and awareness go some way to ensuring people understand what is expected of them. You should be more concerned that not declaring an account under your company PAD policy is suspicious.
The challenge now is when to start treating that suspicious behaviour as a potential financial crime.
5. Nature of confidential information
The new operating environment has brought about new and higher incidence of businesses stopping or restarting activities. Some businesses have taken up state funded financial support, others have not.
This is a new form of information that should be kept confidential. Your public/private side controls may need refreshing in light of this.
6. Protecting confidential information
For those of us lucky enough to have jobs where working from home is possible the environment in which we physically work has changed. That environment will vary greatly.
The minority will be fortunate enough to have offices or spare rooms. The majority will be in communal rooms such as kitchens. Not being overheard or hiding the contents of the screen or printed materials is exceptionally difficult.
Yet the rules have not changed, and that confidential information must remain confidential. This requires discipline on the part of the individual concerned: closing doors during calls, locking the terminal when away, avoiding printed material and shredding it as soon as it is not needed.
7. Supplier business continuity
Businesses of all sizes use third parties. As we know, businesses of all sizes are facing unprecedented challenges across the globe. If you haven’t already, you should be reconsidering your business continuity assessment of your suppliers.
The regulators expect you to have easy access, in-house or externally, to the technical knowledge and skills in case of material disruption. The closer your relationship with your third parties, the greater the likelihood of getting early warnings of material disruption.
Take the time to review your governance and oversight of third parties. Consider how you stay informed about changes to one another’s business needs and can act when issues arise.
8. Supervision and oversight
Supervision and oversight of individuals working within your business is fundamental to a healthy environment. As our places of work have become fragmented, so has the supervision and oversight.
You can still oversee, supervise, train, support, and coach your people remotely; it just requires a shift in approach. Consider regular video catch-ups with your team or individuals. Use these both as a general catch-up and to discuss and share issues and problems. This is good for the business and good for the mental health of everyone.
If you have a new joiner or someone who is still learning on the job then consider allocating regular periods when the whole team is working with their video call running in the background. This facilitates the quick question, the conversation about that difficult issue and enables team working.
9. Cyber security
We are operating in an environment in which technology is changing rapidly, particularly for video calling. Those businesses which hold non-public information can be more attractive to criminals.
Cyber incidents can cause serious damage to your business, and they hit firms especially hard where they are relied upon by their clients.
You should review and potentially enhance your company’s resilience to cyber-attacks, and preparedness for a cyber incident.
10. Increased privacy risks
The loss of the structured office environment can mean that individuals feel their actions are less visible. For example, discussing other members of staff on instant messenger, or sharing information about a member of staff’s home life with a colleague who does not need that information for their role. This creates privacy risks.
Remember that all data which is personal to an individual should only be disclosed in certain situations, such as performance of a contract or with the individual’s consent. When responding to a Data Subject Access Request, those instant messages must be shared with the individual. Consider raising awareness of privacy obligations and how to protect personal data within your business.
The FCA is expecting you to have refreshed your risk assessment and associated risk mitigation plans. We supply ready-made risk assessments that you can download from our online shop and use immediately. You can contact us to find out more about our expertise in drafting new controls such as policies and procedures that are tailored to your business.