Return to the Office – Governance
In the previous Lights-On Consulting Return to the Office articles, we covered ‘People and Workplaces’, ‘IT Service’ and ‘Technology’ to help law firms address some of the key considerations in their post-lockdown planning.
In this, our penultimate article in the series, Steve Whitwham considers the governance issues that may need to be addressed as part of a firm’s ‘return to office’ planning and sets out some important recommendations.
Just as Spring gives way to Summer, lockdown measures will give way to economic pressures as governments strive to re-start the economy and save those sectors facing economic challenges.
Return to office-based business is inevitable and firms will be keen to re-establish a presence in the office but it is unlikely that the professional services sector will revert to how things were before COVID-19. New ways of working will require new operating models and those in turn will need new governance measures.
These new operating models and the move from a fully in-office set-up prior to the pandemic to a hybrid or even virtual firm will require radical changes to employment contracts, service methods, performance management and governance models. Much of this will have to be supported by IT.
In the immediate response to COVID-19, many law firms had to severely prune the governance layers to fast-track delivery of “make-do” or MVP (minimum viable product) technology set-ups to allow people to remain productive in a dramatically changed working environment. For many firms, this has all happened at year-end – often the busiest time of the year. Fee-earners and support staff have used a wide array of technologies to get on with their work. Now, however, as we emerge from lockdown, compliance, governance and legislation needs must be met as government, legislators and large clients start to recover their foothold and re-focus on their supply chains or the sectors they manage. How do we re-embed the adopted technologies and strike the balance between delivery and governance?
Governance considerations for post-lockdown law firms – four key areas
There are many things to consider so we have tried to bring focus on them from a number of lenses. These are:
- Regulatory compliance
- Security accreditations
- Large clients – ability to meet their previously defined demands / obligations
- Good working practice
Regulatory compliance
- Regulators – Regulators appear to have remained quiet recently, but firms are keeping a watch on risks and issues emerging and how regulators will react. It appears regulators are still considering risks regarding the likes of video conferencing tools and it may fall to the Data Controller to decide on appropriate risk mitigation. We advise that firms stay vigilant on developments and IT Directors follow matters carefully given many mitigations may be technical in nature and fall to IT.
- ICO Declarations – With billion-pound class actions against easyJet being recently reported, data breaches are again a hot topic. In the rush to deliver service, some firms have purchased computers and had them shipped out or even allowed staff to procure them. If the equipment issued or purchased is not fully managed, where is data being put? If laptops and other devices carry client or personal data and go missing, this may need to be reported to the ICO. To be able to manage this fully, inventory and asset management will be required. If you already keep records and have let them slip, then a retrospective audit against purchases made may be required.
Security and accreditations
- Accreditations and Standards – Governing bodies of standards organisations may well be looking at the impact of home-working and new ways of working on their standards. Standards organisations like the ISO and Lexcel, governing bodies such as the ICO, and auditors are likely to be looking at how recent changes may impact on their “jurisdiction”. Obtaining a standard or accreditation is hard and losing it after publicising you have it is very damaging. It is equally damaging to be on the sharp-end of regulators so these areas must be addressed before auditors call or re-accreditation assessments begin. You should look at your changes in working practices and the evidenced governance you have wrapped around them and how it will all live up to the expectations of the accreditation provider or regulator. Work with them to ensure that what you are doing will achieve a positive outcome on re-assessment or audit.
- New suppliers – You may have brought in new suppliers to cope with lockdown and have done so at a very busy time. Has the full Data Protection Impact Assessment or supplier due diligence taken place on any new solutions? Where is your data now being processed? Are your new suppliers ISO accredited? Now is the time to revisit new suppliers and retro-fit the due diligence you would normally have followed in less chaotic times.
- Home-working security impact – Home-working has increased your number of threat vectors from a few to perhaps a few hundred or a few thousand as individuals’ home broadband is used to access your firm’s locations. Many of these broadband connections allow members of the public, as well as the broadband user, to connect to the carrier network. Security is of course in place to separate your employees’ network from the public network, but firms have gone to great lengths to keep guest and corporate networks physically separate, and now many employees’ networks have both on one router. You may have strong VPNs and controls in place with multi-factor authentication (“MFA”) but some firms may have had to cut corners. Remember the smart kettle and smart fridge are now sharing your extended network and these devices are the easiest of targets for cyber criminals. With passwords on the dark web and phishing on the increase, multi-factor authentication is surely the lowest bar for remote access. If you don’t have it, accelerate your MFA plans and check the position of public access on your employees’ home routers.
Client commitments and attestations
- Audits and attestations – We reference regulators and accreditation bodies above but as well as these there are client attestations and client audits to contend with. Has extensive use of remote access affected anything you have attested previously to clients (especially banks, sensitive volume work providers etc.)? If so, you will need to prepare your responses for the inevitable queries that we are aware banks and the like are already preparing.
Good working practice
- Policy review – You may have adhered to good practice and carried out a lot of work producing compliant, strong policies and training your staff on how to adhere to these policies. Some firms’ policies are however rather lacking or ill-maintained. Reviews of these policies are now required due to the significant changes to your environment and to accommodate those you may have to make in the future.
- Equipment inventory – Did staff take equipment home from the office to help them work more efficiently at home? These include large monitors, screen stands, mice, keyboards, microphones, headsets and foot pedals and, when totted up, can represent sizeable financial value. We do not yet know the path that an exit from lockdown will take or whether we will have to return to lockdown repeatedly, so we will need to make a call on whether we recover the now home-based assets or double the amount of equipment to have working stations for the laptops for both home and office use. We may need to consider use of 2nd life equipment to make this financially viable but this could affect your PC / laptop build and increase IT admin overhead.
- Asset management – With the rush to provide equipment to enable home-working, do you have a true picture of what IT assets you have and where they all are? Some firms mass purchased laptops, webcams and all manner of peripherals. Were all the purchases and moves recorded in your asset management system? Do you have an adequate asset management system? With such amounts of change, spreadsheets rarely cut it. Many smaller firms do not have the resource to manage this well, but it will be of increasing importance for operational efficiency and for information provision to the likes of insurers. All of this will require increased governance and asset tracking and some firms don’t have the processes or systems in place to do this well. A split for responsibility between IT and the facilities team can make things more complicated. If you did not track assets, it may be worth carrying out a survey to ask your staff what they took home and get a handle on the position before return to office starts.
Mixed location management – How will your business cope with managing a mixture of offsite and onsite workers?
- ‘The Forgotten’ – If in-office workers return to being the majority, there may come a point when they “forget” those working at home and processes will need to be in place to treat remote workers the same as team members in the office. Whilst the current climate is very collegiate, in the long-term it is not unrealistic to see firms being sued if homeworkers feel excluded, discriminated against or are not given the same opportunities as staff in the office. Do you need greater governance controls to ensure this doesn’t happen and equal opportunities remain?
- Inclusivity – Governance may be required around inclusivity and tools may be required to manage work location and availability with greater attention than at present on setting “status presence” correctly, so home and office workers alike can see when someone is “on-line” for work and contactable. Tools like Zoom or Teams are being used but many staff appear as permanently “busy” or “away from the office”. Greater governance and attention will be required to make “presence” work well and embed it in the culture of your firm.
- Pastoral care – This is far easier in the office, where you bump into people and are reminded to check in about x or enquire about y; with remote workers those prompts are fewer. Managers may need to set aside time and implement procedures to replace the lost “water cooler time” and informal chats. This will have to be carefully managed or the whole day could be consumed by calls to “see how people are”; some form of the agile / scrum management principles used in IT development may be required to keep engagement with staff short, sweet and meaningful while still ensuring opportunity for pastoral care.
Update your Business Continuity Plan (“BCP”) – You may have learned a lot from the last two months. A pandemic might be a new dimension for your plan so ensure your BCP is reviewed whilst memories are fresh to be able to fully incorporate all learning. This is not just for the long term but the present day as suppliers’ performance is currently depleted too due to the furlough of staff and supply chain issues increasing current risks.
New joiners – Whilst recruitment may not be something high on the agenda, the traditional new September trainee intake looms. You should review the governance surrounding new joiners, how the standard checks and procedures will be conducted if people are not in the office including induction and issue of physical equipment. Supervision needs may compete with your desking plans so review them in light of trainees now and explore how video technology, e-learning and recording of briefings and training courses can assist.
New technology – Video conferencing has increased dramatically and with VC tools can come a raft of other collaboration tools such as chat, presence, file exchange etc. What governance is there around the use of them and is it fit for prolonged use embedded in the working culture? Law firms have strived hard to control documents and enforce governance around files and document management systems (DMS), yet some firms may have paid little attention to locking down features in these tools or developing policies in the rush to get lawyers on-line remotely.
There is work to be done to look at this again with less urgent eyes, and this work can be divided into “corrective” and “future”. The corrective work is in understanding what access was granted during lockdown that could have been used and so needs properly recording and filing. The “future” work is defining your corporate policy on use of such tools or features and defining what technology integrations (e.g. with the DMS), governance, guidance and training will be required. This must be looked at through many lenses including Data Subject Access Requests, GDPR (especially in relation to data residency and video recording consent) and good matter management.
Working hours – In our article on IT service we discussed the change to working hours for some people to account for caring and home-schooling responsibilities, staggered working times for those commuting to the office and the impact this may all have on the IT Service Desk. When making decisions about your return to the office and new ways of working, be cognisant of the overall impact on support departments and especially on IT, as IT will also have to support the other support departments. Whilst some firms are considering their new working models, we must also consider the possibility that this pandemic will trigger a sizeable demand for flexible working and a growing thought in the public of not wanting it to go back to the way it was. Change may be forced upon a firm even if it does not want it.
Duty of care to home-workers – Firms may not have conducted work-station assessments in line with the HSE for those that had to quickly move to home-working as part of the pandemic response. This governance still stands and more robust, yet low overhead, processes will be required to manage a hybrid set-up.
Project delivery – Be prepared for people to compare your next project plan against what you managed to deliver in days during the prep for lockdown. You may need to highlight the 24/7 working that the IT team did, the pulling in of favours from suppliers, the blank cheques written to source laptops – i.e. extreme measures that had limited time to be risk assessed to pull this off. It was a sprint and we are returning to a marathon. Expectations will need to be managed.
Project governance – Project numbers and demand for resource are likely to be high. The key to this is managing the portfolio of work (a series of unrelated projects) and programmes of works (a series of related projects). Managing resources (people, time, cost) will be critical to ensure that the projects done deliver to agreed goals and not to who shouts loudest. Doing this remotely can be difficult and project managers with limited experience may struggle in what is likely to be a scramble for resources early on.
Other project related items to consider are:
- Projects run during COVID-19 may need to be retro-fitted as very few IT Managers and Project Managers will have had time to build plans given the exceptional circumstances. A review against your project standards is required, particularly if you are ISO accredited. This track record is necessary and it will also allow a mechanism to clarify the corners cut, and enable positive lessons to be learnt.
- Review the portfolio to see what is actually going to be needed going forward as some things may now be obsolete. New things will have arisen – what are they and how do they rank against your previous list (e.g. a different lens is likely to be needed on security and possible business continuity / disaster recovery)?
- We will need to find different ways to deliver projects: what control changes might be required on the delivery side, but also on the receipt side (i.e. training of users, service transition to the Service Desk etc.)? Some projects just need people onsite and working in close proximity. What if that is not possible? How will you handle this?
Budgets – IT budgets will need to be reviewed and continually re-written for a while. One point worth noting from our experience is, ‘if you don’t ask, you don’t get’! We are seeing a lot of suppliers and leasing companies offering flexible payment terms to assist with short and medium-term cashflow.
Governance can often be viewed as unexciting and feel like a chore. However, there are a number of opportunities for long-term change that stem from governance work:
- Business Continuity Planning improvements and embedding real testing – For many firms this has been the first real-life test of at least part of their BCP and, for a few, it may have forced the creation of the first real draft! COVID-19 has demonstrated the key role that IT plays in keeping a business moving and the importance of solid yet flexible infrastructure during unplanned disruption. Whether this involves simply formalising the adopted plan, dry run testing it with newly experienced eyes or identifying and implementing new infrastructure, it is important you set time aside to do this now and involve the owners of the firm. Now is the time that partners and owners will be most receptive to accepting their accountability and involvement in what can sometimes be seen as a support department’s domain.
- Asset management – A well-managed asset system is not just useful in a business continuity event, it can add value in helping with insurance quotes and in efficient operational managing of all equipment and software. If your Service Desk system does not have asset management, now may be the time to find a system that does and to convince the firm of the value of such modules. It is a lot of work but, well-managed, it will pay operational dividends and can improve governance, compliance with client demands and compliance with certifications.
- Sustainability and environment – With the changes imposed by governments around the world, both international and national travel for face-to-face meetings has been replaced by video conferencing tools (as discussed in our article on technology). If there has ever been a time for a firm to embrace sustained technology adoption and low carbon ways of working, it is now – but it will require drive from the top and governance around implementation and management in order for it to embed fully. Lights-On has repeatedly heard glib comments about removing floor printers and implementing strong governance over printing, but only the strongest and most determined firms will truly achieve this and head towards what should be the goal of all companies – to be carbon negative.
- Training – How do we continue to train and develop our fee earners, not just in IT tools, but in legal practice? Processes which have developed over hundreds of years may not be practical anymore and we need to think and define how we will achieve this. Technology will be an enabler, but the governance / thought / design is one for the legal teams and HR.
This pandemic has challenged law firm governance in an unprecedented way. Speed has been of the essence to allow people to quickly work at home with little preparation time whilst trying to manage the personal, legal and social issues of the pandemic. The urgency to work from home and maintain a presence with clients has, for some law firms, resulted in a pause on some usual governance procedures to accelerate change and allow for a ‘business as usual’ façade.
Now is the time to take stock of your governance processes and procedures before the inevitable client audits and accreditation assessments make their rounds but also to ensure they support possibly permanent new ways of working.