Source: This article was first published in Human Resources Online.
The rise of remote and hybrid workplaces
Whilst the pandemic and its associated restrictions seem to be behind us, its impact on the way in which we do work is lasting. It seems that remote and hybrid work is here to stay, and to that end, employers need to be prepared to deal with the associated misconduct risks that such working practices generate.
The same types of misconduct that occur in the physical workplace can also take place in the remote workplace. However, one type of misconduct that is more specific to remote working due to the lack of visible supervision is that of ‘time theft’. There happens where, for example, an employee working from home uses work hours for personal activities, or an employee doesn’t take his/her annual leave entitlements as they can hold themselves out to be ‘online’ and / or working.
Remote working can also present a range of other unique security risks including data leaks and online hacking if employers do not have sufficient network security and monitoring programs in place; and / or if employees working remotely are not provided with sufficient training and / or resources particularly if remote employees are allowed to work ‘anywhere’, as opposed to only from one location or from home.
Another of the challenges an employer may face is the maintenance of a cohesive company culture and employee engagement – particularly as it relates to a culture of compliance. As employees work from different locations and schedules, it becomes increasingly difficult to create the required unified team atmosphere to foster compliance values. Without the fundamental bedrock of integrity, the overall systemic risk to the organisation rises through a variety of potential issues - including from employee fraud, harassment, conflicts of interest or other misconduct.
Identifying misconduct in a remote or hybrid context
Whether in a physical or remote setting, employers should regularly assess and identify trending misconduct issues within their organisations and examine existing policies to determine whether they adequately address these issues. These may be industry specific, function specific or more general.
Understanding the employer’s values and remote working policies is key to minimising the risk of employee misconduct. The types of conduct that constitute misconduct should be clearly defined to employees, and employers should create a consistent, easy to use reporting process for employees to report misconduct.
Employers should also be flexible where possible and mindful when implementing tracking and / or surveillance software in order to create a culture of trust, which studies have shown to be the essential factor in encouraging employee accountability.
Notwithstanding the above, it is best practice to have regular internal audits/reviews to ensure that policies, procedures and controls are functioning effectively and up-to-date. Without this type of more regular review, it may be harder to identify issues of employee malfeasance.
Successfully conducting remote investigations
It is unfortunately inevitable that there will be incidents of employee misfeasance, so being able to mount an effective response is critical for employers.
In general, the same best practice rules apply whether in an office or remote work environment. However, there are specific challenges for remote investigations, particularly with regards to protecting employee privacy and ensuring the confidentiality and security of information / evidence gathered or shared during the course of the investigation.
From the remote investigator’s perspective, they must keep investigation records confidential and should therefore ensure that they have a confidential space to work from. Remote investigators working from home should be mindful when using personal devices (e.g. home printer, smart speakers such as Siri), disposing of documents and when in the presence of other members of the household to avoid inadvertent disclosure of any private and / or confidential information.
When conducting remote interviews, remote investigators should also be mindful not to conduct interviews at home or in public spaces where their conversations with a witness could be overheard. Witnesses should also be asked to set up a confidential space, and be asked to confirm their location and set up at the start of the interview. The policy on filming or recording of the interview should be clearly stated, and consent should be obtained by the parties accordingly.
A few other recommendations when conducting remote investigations are:
- Any evidence that is gathered should be stored safely and / or shared using encryption secure technology;
- Witnesses / interviewees should sign non-disclosure agreements prior to any interview and appropriate safeguards against collusion are implemented;
- Employers should work closely with Forensic IT service providers at every stage of the investigation to ensure that security systems and IT settings are updated and robust to allow for investigations;
- Employers should pay extra attention to data privacy and security issues in relation to the handling of information and evidence;
- If an employer decides to suspend an employee during an investigation and / or suspend his/her access to the company’s systems, they should ideally inform the employee that it is a temporary and non-punitive measure for the purposes of investigation to avoid any allegation of constructive dismissal;
Recommendations for effectively investigating and terminating employees in a remote/hybrid environment
When it comes to looking at the specific employee that is the target of an investigation, it will be important to make sure all the ramifications of the investigation and termination are considered. Things to consider include:
- Reviewing the investigated employee’s employment agreement to ascertain what contractual rights to suspension have been agreed in the employment agreement, if any;
- The potential need to terminate access of the investigated employee to all company systems and sensitive information but ensuring that the company has a means to communicate with the investigated employee (e.g. via personal email or phone);
- Consideration of key person/information/system access back-up plans to ensure business continuity during the course of an investigation or termination;
- Forward planning if data may have to be remotely collected by forensic experts; and
- Identification of cross-border data transfer requirements with external counsel to ensure compliance with local data privacy laws.