How to reduce risk around hybrid and remote working
According to The Advance Legal Trends report 2023/24, managing hybrid working remains one of the biggest challenges for law firms.
A well-thought-out strategy for hybrid working, and its implementation, is paramount to reducing the risks and challenges currently faced, and helping firms to succeed in their growth ambitions. We discuss some of the main areas firms need to consider below.
Employee wellbeing and company culture
One of the key benefits hybrid working has provided for many is a better work-life balance. However, some employees can feel isolated and lose confidence in their interactions when working remotely. It’s not always easy to see when someone is struggling at home. Staff need to remain confident about being able to communicate any difficulties they have, whether workload pressures, work problems or mistakes made.
From a risk perspective, negligence claims have been directly linked to fee earners feeling overwhelmed or experiencing stress — and a mistake, problem or issue left unreported is more likely to end up as a professional indemnity claim. Communication with hybrid workers is essential and closer attention may need to be paid to employee wellbeing when they are not always in the office.
Alongside staff wellbeing, maintaining a company culture and attitude to risk in a hybrid-working model comes with its challenges. If staff are physically distanced from an organisation, is there a chance they might also feel distanced from its ethics and values? With the SRA’s increased focus on cultural and ethical values, firms should set theirs out clearly, with a sound strategy for implementation, ensuring that remote working does not lead to shortcuts being taken or standards slipping.
Communication and collaboration
Hybrid working, and the flexibility for staff to choose which days they are in the office, can lead to teams spending less time together collaborating. Building working relationships can be trickier, particularly for more junior team members and new colleagues, and learning opportunities reduced.
Providing greater structure and formalised team time as part of your hybrid working model can ensure people remain connected and learning continues. Consider introducing a regular office day when all team members come in and pre-planned times when staff can specifically focus on learning from one another. Formalising collaboration and team work on cases, and establishing online hubs with resources, training materials and mentoring programmes, can also help to keep such activity at the forefront.
Supervision, file reviews and systems
Supervision remains high on both insurers’ and the SRA’s radar. They expect firms to monitor the work undertaken and this becomes more difficult when staff and supervisors are working remotely. Simply by working in close proximity with one another, in-office working provides a significant degree of informal supervision, and just as important, support. Ensuring that your supervision arrangements are as effective for remote and hybrid workers as they are in-office is critical. A person left to their own devices may be failing to adopt the firm’s policies and procedures correctly, going ‘off-piste’ in terms of the work they are taking on, or simply not using colleagues as a sounding-board. Firms that have a high proportion of remote workers have to work harder to counter these risk factors.
Systems and processes will need to be updated to ensure remote supervision and file audits are possible, managed effectively, and that evidence can be recorded. Firms should review their compliance policies and procedures to bring them in line with remote working requirements, ensuring AML, client onboarding, client due diligence and GDPR policies and processes all work in the remote world. System-generated flags and reports are useful, but not sufficient on their own, and firms should consider how they allocate time and resource to supervising matters on a risk-assessed basis. Hybrid working doesn’t lend itself well to ad hoc supervision, therefore managing a dispersed workforce needs a more formalised focus for one-to-ones and file audits.
Cyber risks and information security
Remote working has undoubtedly brought new cybersecurity challenges for law firms. If you allow staff to access any work systems on their own devices, there’s always a greater risk they will be lost, stolen or compromised. Even where using work-supplied devices, use outside of an office environment (whether travelling or in the home) makes it that bit more difficult to ensure they are being used in a way that does not expose the firm, and your clients, to information security breaches or wider cyber threats.
Any use of personal devices should be subject to (at minimum) an annual declaration that the devices have appropriate anti-virus/malware software installed, and that they are used in accordance with a set of appropriate use protocols. Better still, require the devices to have relevant approved software installed on them by your IT department.
All staff when away from the office, whether working from home or travelling, should sign up to a ‘remote working code of conduct’ (or similar). This would address:
- Use of approved devices for work purposes (if personal devices are permitted, then it should be in accordance with your BYOD (bring your own device) policy).
- Wi-fi connections:
  - Home wi-fi setup requirements
  - No use of public wi-fi/use of secured wi-fi hotspot from your mobile device only
  - Business VPN connection
- Never leave devices unattended in public places
- Use privacy screens if working on confidential or sensitive matters
- Don’t reveal any client details or confidential information on calls in public places
- Don’t save client or confidential data onto your computer
- Password security, multi-factor authentication and BitLocker encryption
- Installation of updates
- Remote device wiping
- Immediate reporting of devices lost or stolen
- Immediate reporting of potential security breaches (eg phishing links clicked).
Any such declaration should also refer (and link) to your acceptable use policy (updated to consider social media and AI use), data retention and destruction policy, and ongoing engagement with cybersecurity training updates.
It is incumbent on firms to monitor adherence to these policies and ‘codes of conduct’ in practice. While systems-based monitoring can play an important role in flagging problematic behaviours, how you design your work processes is equally important. For example, you can restrict the ability of staff to download documents onto USB sticks; you can make it more difficult to work off-system. Actively engaging to ensure staff have the assistance they need to set up their wi-fi securely, know how to use and connect to a wi-fi hotspot from a mobile device, and so on, will also help to ensure compliant behaviours in practice. An annual IT audit can also check that devices have the appropriate updates installed and are operating securely.
Refresher training
It is easy to fall into bad habits, especially if working remotely for much of the time. Training on policies and procedures is not a ‘once and for all’ thing, but needs to be reinforced regularly. This is even more true of anything connected to information security and cyber threats.
Law firms of all sizes remain a prime target for phishing and social engineering attacks designed to gain access to secure systems. Comprehensive cybersecurity training should be provided at least annually (much better to provide a regular drip feed of practical tips, case studies, and new threats) to all staff to help engrain behaviours and keep cybersecurity front of mind.
Conclusion
A firm’s attitude to hybrid working is likely to be dependent upon the type of work it undertakes, its clients and culture. Whatever the approach, clear policies and guidance on processes and expectations need to be established and upheld by all staff to ensure a solid risk mitigation strategy is in place.
For further guidance on the following, contact us at solicitors@miller-insurance.com
- Evolving your remote working policies and procedures
- Combating cyber risks
- Information security management
- Business continuity planning.