Whilst many industries are starting to take small steps towards returning to the physical work premises, the pressure for accountancy firms to follow suit is less obvious. Anecdotal evidence suggests that many professional sector employees may continue to work from home after the restrictions are lifted and the threat of the coronavirus has lessened.
That said, the advantages of remote working are not felt across the whole profession and a return to the physical office is welcomed by many. As accountancy firms prepare to open their doors again after an extended period of remote working, the understandable focus will be on reviving business. Several issues will need to be addressed in tandem with the generation of work-flow, including the management of premises, privacy issues, technology and relationships.
Managing Premises, Privacy and Technology
The return to the workplace requires a clear balancing act between balancing public health and privacy rights. The Chartered Institute of Personnel and Development in the UK has published the General Workplace Safety Risk Assessment which provides some detailed guidelines.
Intended to be used as general guidance only, the essential points are to implement and update plans which: (1) are specific to your workplace; (2) identify all areas and job tasks with potential exposures to Covid-19; and (3) include control measures to eliminate or reduce such exposures.
Privacy issues deserve particular mention. Areas of consideration related to employee privacy include:
- Whether and when to conduct temperature scans.
- How to maintain records related to Covid-19 testing.
- Communication protocols regarding infected employees and/or clients.
- Use of contact tracing applications.
- Compliance with various legal requirements and best practices.
It will be vital to ensure that appropriate privacy and confidentiality considerations are maintained, with appropriate management of each individual's medical status and history. The balance between confidentiality and public health again comes into play when, for example, employers decide how and what to communicate regarding an infected employee.
The transition of employees back to physical work spaces also necessitates a consideration of cyber-security and its role in privacy protection. There are a multitude of privacy and regulatory factors, data protection measures and insurance implications that should be part of any organisation's return to work strategy.
As businesses return to the work site, they should review, and possibly update, their information governance practices and data security protocols and procedures. Some protocols and practices to consider, include:
Standard security procedures
- Limit employee use of personal computers and devices (tablets, mobile phones, etc.) on company networks.
- Create a safe way for employees to copy relevant files from personal devices.
- Implement and enforce USB device control to prohibit use of USB storage devices on company networks.
- Instruct employees to delete securely any company or customer information that may remain on personal computing equipment.
- Complete a software inventory (on personal or company computers) that may have been installed whilst employees were working from home, to determine the risks the software may present.
- Require passwords to be changed when employees return to the workplace.
- Review all individuals who have access to critical applications.
- Confirm all users still require access to those critical applications.
- Identify all remote access accounts to all systems and applications.
- Confirm all remote accounts still require access to systems and applications.
- Request an updated list of contractors from your vendors that are still employed.
- If any of your previous contractors are no longer with the vendor, revoke their access immediately.
- Revoke access for all remote accounts that are no longer needed
Training/education protocols
- After an extended period of working at home, employees should be refreshed on the company's cyber security policies and procedures.
- All employees need to be alert to phishing emails that concern return to work matters.
- Refresh and test your incident response program to include:
- Incident reporting protocols (how and to whom your workforce reports incidents).
- Incorporate your breach coach contact information within your incident response program.
- Disseminate incident response roles and responsibilities to leadership and key stakeholders.
- Identify the stakeholder ultimately responsible for decision-making in connection with the incident response including whether your business has sustained a data breach.
- Make use of the Information Commissioner's Office Data Protection and Coronavirus information hub available here.
Insurance implications
Actions taken, or not taken, as employees return to work may have a cost. They may also result in claims by regulators, employees, and/or third parties. Broadly speaking, cyber policies will likely cover privacy-related claims. The policies will likely also cover expenses incurred as a result of a cyber event, such as a data breach. Cyber policies will not cover the cost of implementing best practices and safeguards. However, cyber insurers often provide a variety of services that can help companies understand and mitigate their cyber risks. Now may be an excellent time for your firm to utilise such offerings.
Managing Relationships
Accounting is a very traditional profession. Many would argue that the Covid-19 pandemic has propelled firms to reassess the way they work. Working from home has forced businesses to take stock of processes and systems. For accountancy firms, lockdown may also have created the opportunity to make other long-term improvements, in communication skills, human resources management and superior technology.
Whilst your workforce settles down to a new 'normal' in managing the dynamic transition between the office and home, the challenge will be to maintain and build on the benefits gained in lockdown; ensuring that the improvements continue to evolve.
Flexibility and empathy will be crucial: the preparedness to work with your employees as they also find their new 'normal', will ensure maximum talent retention. (It should be noted that managing employee relationships may create challenges to the employment relationship. Such a discussion is outside the scope of this paper but considerable resources are available to you from ACCA, on this topic, and many other Covid-19-related issues).
It is not just the employment relationship that will have evolved during lockdown. Client relationships will likely have altered also. In many cases, the remote workplace may have allowed those relationships to develop more freely, without the limitations of geography and travel. It is possible that video conferencing has had the effect of reducing the formality of the adviser/client relationship. It will be important to manage these changes as we return to the physical office.
Finding Normal
A thorough assessment of the well-being of your 'people' - your workforce and clients - will set your business on a safe and responsible path to future growth. This means a critical analysis of both the physical safety of your people, and the safety of their information and privacy. Respecting these relationships post-lockdown, must go hand-in-hand with business generation.