AT Think

3 risks you’re overlooking with return-to-work policies

In March 2020, many organizations realized too late that their business continuity plans were insufficient for a global pandemic with an extended work-from-home mandate. Now, just over a year since the first quarantine announcements, both employers and workers face a new challenge as the world begins the slow migration back to the office. Over the next two years, business continuity plans, specifically their return-to-work policies, will once again be put to the test.

Predictably, there are three risks you are probably not accounting for with your return-to-work policies:

  • Complying with employee health privacy laws;
  • Managing the technical and physical risks of a hybrid model; and,
  • Ensuring quality and quantity of risk assessment processes.

1. Complying with employee health privacy laws

In line with the Equal Employment Opportunity Commission’s guidance on allowing employees to return to work, employers may request that employees receive an FDA-approved vaccine or submit proof of vaccination. Pre-vaccination screening questions may elicit information about employee disabilities. The burden is on employers to “show that these disability-related screening inquiries are ‘job-related and consistent with business necessity.’”

Employers also run the risk of discrimination against those with disabilities if the individual is unable to get vaccinated. The employer could choose to enforce the vaccination requirement while the organization is unable to provide reasonable accommodations. The situation leaves the employee unable to get the vaccine and unable to return to work. The person with a disability would not automatically qualify for termination in this scenario. Employers will need to determine if any other rights apply under the EEOC laws or other federal, state and local rules.

2. Managing the technical and physical risks of a hybrid model

As companies move back into the office, many are choosing a hybrid model. The company will require scalable infrastructure that supports a secure, compliant, distributed workforce built on multicloud technologies. The cloud technologies should also be tailorable to specific use cases or workloads, with sustainable and flexible consumption models. For example, a 50-person retail company needs different security provisions than a 1,000-person government agency.

Physical safety is another primary concern in a hybrid model. After years of pushing for an open-concept floor plan, offices will need to rethink the design to accommodate different team members rotating in and out of the office during the week and attending virtual conferences.

A hybrid office might include:

  • Setting aside permanent space for employees who must be in the office daily;
  • Creating video conference rooms for large meetings and quiet spaces for personal video conferencing to mitigate privacy and security concerns;
  • Establishing smaller hub offices near concentrations of employees who no longer live close to headquarters; and,
  • Building cubicles or similar partial enclosures for hybrid employees who are hoteling in the office.

As hybrid work models take hold, they will likely prove beneficial and challenging for different organizations. Especially in these early days, employees will need ongoing training to understand the changes to technology and policies, and the risks inherent in a hybrid office model.

3. Ensuring quality and quantity of risk assessment processes

Organizations will face emerging risks when returning to work. The presence of novel risks suggests that leaders must adapt their risk assessment strategies to encapsulate these new concerns. The first step would be to revisit the risk assessment processes already in place to determine if the quality and quantity of assessments are appropriate.

Key risk indicators underpin a high-quality risk assessment process. The KRIs should be linked to changes and act as an early warning sign. For example, a company might link a KRI to traffic entering the network from remote locations. If odd traffic patterns appear, this might suggest an impending security threat. Once an organization develops KRIs, it should build a plan for assessing, monitoring and reporting risk escalations to the appropriate individuals.

A strategy for increasing assessment quantity is adopting an agile assessment approach with at least a quarterly frequency. More frequent assessments will allow risk management to capture emerging risks and respond to KRIs before the risks have had a chance to impact the organization without proper mitigation.

Focus on improved communication

Focusing on improved communication may be the key to designing a response that addresses the three return-to-work risks discussed above. With open communication, we could find workable solutions and reasonable accommodations for employees with disabilities. As changes are made to the office’s physical and technical layout, improved communication and training will help the staff transition to the new work model. When risk management coordinates with the assurance teams and other departments to enhance the risk assessment process, strong communication skills will be critical to the initiative’s success.

With the benefit of hindsight, we can see the pre-pandemic gaps in our business continuity plans. Before rushing employees back into the office, slow down and assess the situation, design a return-to-work plan suited to your organization, and implement a policy that facilitates the best possible outcome.
