The fundamental nature of work has been radically and perhaps irreversibly altered. The traditional concept of an office, a centralized hub where employees gather, collaborate, and are supervised, has been disrupted by a global-scale shift to remote operations. This transition, accelerated by unprecedented crises, has unlocked new avenues for flexibility and business continuity. However, it has also torn open a new frontier of vulnerabilities. Risks that have always been present in the business world, such as fraud, bribery, and corruption, have not only persisted but have found fertile new ground in this distributed, low-visibility environment. The pressure for organizations to take preventative measures is rising exponentially, as the old methods of oversight are no longer sufficient.
This new era of workforce risk is defined by a “perfect storm” of factors. Employees are grappling with new and intense personal pressures, from financial instability to health concerns. At the same time, the physical separation from their managers and colleagues makes them harder to support and more difficult to supervise. The digital infrastructure that connects this distributed workforce is itself a new attack surface, with home networks and personal devices representing a softer underbelly for external threats. For internal threats, the lack of direct oversight can weaken an employee’s adherence to controls, making misconduct a more tempting or seemingly necessary option. Understanding this new landscape is the first and most critical step for any organization that hopes to navigate it safely.
Deconstructing the Fraud Triangle
To understand why these new risks are so potent, it is essential to use a framework. For decades, criminologists and fraud examiners have relied on a model known as the “fraud triangle.” This model posits that for fraud or significant misconduct to occur, three specific factors must align. The first factor is motivation, which is also referred to as pressure. This is the “why” behind the act, the unmet need or driving force that compels an individual to consider committing fraud. The second factor is rationalization, which is the psychological component. This is the internal monologue or justification that allows the individual to view their actions as acceptable, or at least necessary, under the circumstances.
The third and most critical factor from an organizational perspective is opportunity. Opportunity is the “how,” the specific gap in controls, lack of oversight, or abuse of a trusted position that allows the individual to put their fraudulent plan into action. The fraud triangle is a powerful diagnostic tool because it explains why misconduct is not evenly distributed. An individual can be highly motivated and adept at rationalization, but without an opportunity, they cannot act. Conversely, an organization can have a weak control environment full of opportunities, but if its employees are not motivated or cannot rationalize the act, fraud may not occur. The current crisis is alarming because it is actively and intensely amplifying all three factors simultaneously.
The Motivation Factor in a Crisis
Motivation, or pressure, is the catalyst for the fraud triangle. It is the fire that starts the process. In a stable economic environment, these pressures are often personal and specific: a gambling addiction, a secret high-cost lifestyle, or a personal vendetta against the company. However, a systemic crisis, such as a global pandemic or a severe economic downturn, democratizes this motivation. Suddenly, vast swathes of the population are under a level of financial and personal stress they have never before experienced. This creates a tinderbox of motivation for fraud.
Consider the new pressures. Individuals may be facing staggering medical bills related to the crisis. They or another primary earner in their household may have been furloughed or laid off, dramatically reducing their income. Their investments or retirement savings may have evaporated, leaving them with a sense of desperation about their future. At the same time, companies themselves are under intense pressure to make up for lost profits. This pressure is often passed down to employees in the form of unrealistic sales targets, reduced bonuses, or staffing cuts that leave the remaining employees overworked. This dual-pronged pressure, personal and professional, creates a powerful motivation to “find” money, either from the company through expense fraud or by “cooking the books” to meet impossible targets.
The Psychology of Rationalization
The second leg of the triangle, rationalization, is arguably the most human. Few people view themselves as “the villain.” To commit fraud, an individual must first find a way to justify the act to themselves, to square it with their own code of ethics. A crisis provides a powerful and readily available set of rationalizations. An employee who would never have dreamed of stealing in normal times can now tell themselves, “I am not stealing; I am just borrowing this money to pay for my child’s medical treatment. I will pay it back when things get better.” This justification, rooted in a perceived noble cause like protecting one’s family, is a powerful psychological tool.
Other rationalizations are born from dissatisfaction. An employee who survived a round of layoffs may be shouldering the work of three people with no increase in pay. They may begin to feel exploited or under-appreciated. This can lead to a rationalization like, “The company owes me for all this extra work. They are making record profits (or taking government aid) while I suffer. This bonus I’m faking is just the company paying me what I truly deserve.” The shift to remote work also aids this. The company becomes a more abstract concept, a logo on a laptop, rather than a physical place with colleagues. This psychological distance makes it easier to justify actions that harm an abstract entity, especially when the employee believes the company will not even notice the activity.
Opportunity: The Catalyst for Misconduct
Motivation and rationalization are internal states. Opportunity is the external factor, the one element that organizations have the most direct control over. Unfortunately, the mass shift to remote work has been a catastrophic failure in terms of control, blowing open new opportunities that did not previously exist. The home environment is, by its very nature, far less secure and less monitored than a structured office. In an office, a supervisor might be within eyeshot. Access to sensitive files or programs might be limited to office hours or specific, monitored terminals. The simple presence of colleagues and managers acts as a powerful deterrent.
At home, these deterrents are gone. An employee may have 24-hour-a-day access to sensitive company systems without any physical monitoring. The ability to track an employee’s comings and goings, or even their active work hours, becomes incredibly difficult. This immediately increases the risk of time entry and payroll fraud, as an employee can inflate their hours with little chance of being discovered. The home is a private space, which complicates oversight and provides a perfect staging ground for fraudulent activity. This new landscape of opportunity is forcing companies to completely re-evaluate where their vulnerabilities lie and how they can possibly reimpose controls in such a distributed environment.
The Pandemic as a “Perfect Storm” for Fraud
When you combine the three legs of the fraud triangle, the impact of the recent global crisis becomes terrifyingly clear. We have a workforce that is more motivated than ever by unprecedented personal and financial stress. We have a workforce that is armed with a new and powerful set of rationalizations, rooted in everything from personal survival to perceived corporate injustice. And most critically, we have provided this motivated and rationalizing workforce with a sudden and massive increase in opportunity by sending them home to work in unmonitored, insecure environments. It is, without exaggeration, a perfect storm for fraud, waste, and abuse.
The good news is that these risks, while new in their scale and location, are not unmanageable. The solutions, however, require a new way of thinking. Companies must shift their focus from physical-based controls to data-driven, digital controls. They must become more empathetic and aware, looking for signs of burnout and dissatisfaction that can be precursors to misconduct. They must find ways to monitor operations for common fraud schemes, like inflated time reports, inappropriate invoicing, or misuse of company assets. And they must clearly communicate the importance of compliance, even and especially in a crisis, to ensure employees know that even though they are out of sight, they are not outside the bounds of the company’s ethical standards.
The Erosion of Traditional Oversight
The most immediate and obvious change in the shift to remote work is the complete erosion of traditional, physical oversight. In a conventional office environment, managers, colleagues, and compliance professionals rely on a multitude of informal cues. The “management by walking around” (MBWA) approach, while a simple concept, is a powerful, passive control. A manager can physically see who is at their desk, who seems overwhelmed, and who is collaborating. This day-to-day visibility provides a baseline for normal behavior, making it easier to spot deviations that could signal wrongdoing or simple burnout. This entire layer of informal oversight vanished overnight.
Without this visibility, it becomes exponentially more difficult to identify potential wrongdoing in its early stages. A manager cannot see if an employee is struggling with a new, complex responsibility that was added to their plate after staffing cuts. This employee, now isolated and under pressure, might be more inclined to cut corners or falsify results to appear competent. The lack of visibility also makes it harder to detect simple payroll fraud; it is far more challenging to verify that an employee is working their reported hours when they are not physically present. This vacuum of oversight is a significant new risk that organizations must now actively work to counteract with new, data-driven methods of monitoring.
Communication Breakdown: The Loss of Informal Controls
Beyond simple oversight, remote work has fractured the informal communication networks that are vital to a healthy corporate culture. Compliance is not just about policies and training; it is about culture. That culture is built and reinforced in countless, small, in-person interactions. It happens in the quick chat by the coffee machine where a junior employee can ask a senior colleague a “dumb question” about an expense report. It happens in the office visit where a compliance professional can engage with employees, answer questions, and build the personal trust that is essential for an effective “Speak Up” culture. These informal touchpoints make compliance a human, collaborative effort.
With a remote workforce, these interactions disappear. Communication becomes transactional, scheduled, and formal. Video conferences and online chats, while functional for tasks, are poor substitutes for the nuanced, face-to-face interactions that build trust and reinforce cultural norms. This breakdown can lead to a loss of connection, making employees feel more like isolated contractors than part of a team. This isolation can make it harder for employees to seek support when they are struggling and, in turn, more difficult for compliance professionals to provide it. The result is a workforce that is less engaged with the company’s ethical culture, which can lead to a higher risk of misconduct.
Home Networks: The New Unsecured Border
The technical challenges of a remote workforce are just as significant as the cultural ones. An organization’s compliance and security perimeter was once clearly defined by the office walls. Corporate networks are, ideally, hardened environments, protected by enterprise-grade firewalls, intrusion detection systems, and a professional IT team that monitors traffic 24/7. The employee’s home network, however, is the digital equivalent of the Wild West. It is an unsecured border that is now directly connected to the corporate “mainland” via a VPN, and it introduces a level of risk that many companies were unprepared to manage.
Home networks are far more likely than corporate networks to harbor a compromised device. The typical home network is a tangle of personal laptops, insecure “smart” devices, and consumer routers still running default passwords and outdated, unpatched firmware. An attacker who compromises a single device on that network, such as a smart TV or a child’s gaming console, now sits on the same local network as the employee’s corporate laptop. From there they can intercept local traffic (for example, by ARP spoofing), probe the laptop for exposed services such as file sharing or remote management, and tamper with DNS answers from the router. The practical consequence is that the home LAN must be treated as hostile: the corporate laptop’s host firewall should block inbound connections from the local network, local discovery and file sharing should be disabled, and the VPN should carry all of the device’s traffic rather than split-tunneling corporate and local traffic. The same isolated, distracted employee is also a prime target for phishing and smishing, which attack the person rather than the network and offer a second path to the same corporate data.
Protecting the “Crown Jewels” in a Distributed Environment
The problem of securing confidential information and trade secrets becomes infinitely more complex when the “office” is scattered across thousands of homes. In a secure facility, access to sensitive materials can be strictly controlled. Confidential documents can be kept in locked cabinets, printing can be monitored, and access to sensitive data on the network can be restricted to specific on-premise terminals. In a home office, these physical controls are non-existent. An employee might be printing a sensitive client list on a personal printer, with the documents left in the open for family members or visitors to see.
The transport of materials between the home and the office, if the employee ever visits, creates another point of risk. Furthermore, the reliance on virtual workplaces and cloud storage means that sensitive data is being accessed and stored in new ways. An employee, frustrated by a slow VPN, might be tempted to download a sensitive file to their personal, unsecured computer “just for a minute” to work on it, creating an unauthorized and unmonitored copy of confidential data that no corporate logging, backup, or remote-wipe capability will ever reach. This accidental or negligent misuse of documents, compounded by the increased risk of a data breach from an insecure network, complicates the protective measures for a company’s most valuable information.
The Rise of Time and Expense Fraud
The new working model has created a fertile environment for some of the oldest and most common types of fraud: time theft and expense reimbursement fraud. Without the physical check-in of a badge swipe or the visual confirmation of a manager, it is extremely difficult for a company to verify that an employee is working the hours they claim. An employee could report a full eight-hour day while spending half their time on personal matters. While this may seem like a minor issue, when multiplied across a large workforce, this payroll fraud can add up to a significant financial loss. The pressure to make up for staffing cuts also creates a perverse incentive for managers to approve inflated time reports to keep their remaining team members from quitting.
Expense fraud also finds new opportunities. With no one to question receipts in person, an employee might feel emboldened to submit inappropriate or inflated invoices. A “team lunch” for one becomes a common cheat. More complex schemes, such as invoicing for non-existent services or colluding with a third-party vendor, are also easier to orchestrate without the day-to-day oversight of a centralized finance department. The controls that a company relies on, such as multi-level approvals, are often weakened when the approvers are also remote, overwhelmed, and just trying to get through a mountain of digital paperwork.
Misuse of Company Assets in the Home Office
When an organization issues a laptop, a phone, or other equipment to an employee, it is entrusting them with a valuable company asset. The assumption is that this asset will be used primarily for business purposes, in a secure environment, and in accordance with company policy. When that asset is moved into a home, all of these assumptions become questionable. Without the deterrent of direct oversight, a bad actor may feel emboldened to use a company computer for inappropriate purposes. This could include running a personal side business, which may create a conflict of interest, or it could be for more nefarious activities, such as accessing illegal content or committing fraud.
This misuse creates enormous risk. If an employee uses their company laptop for fraudulent activity, the company itself could be implicated or, at the very least, forced to cooperate with a costly investigation. Furthermore, personal use dramatically increases the security risk. An employee using their work computer for personal browsing, downloading unvetted software, or allowing family members to use the device can easily cause a malware infection on a machine that holds a VPN client, cached corporate credentials, and session tokens, giving the attacker a ready path into the corporate network. This misuse of assets, whether intentional or negligent, is a significant new vulnerability that stems directly from the new work-from-home paradigm.
The Strain on Speak Up Culture
A strong “Speak Up” culture is one of the most effective fraud detection tools an organization can have. Anonymous reporting hotlines and clear, non-retaliation policies encourage employees to report compliance issues they observe. In fact, whistleblower reports are consistently the number one way that occupational fraud is identified. However, this culture is incredibly difficult to create and maintain, as it relies on a deep-seated trust that the company will take reports seriously and protect the reporter. This trust is built through in-person, human interactions.
Remote work puts an immense strain on this fragile culture. In-person meetings, lunches, and even informal social activities are all part of the social glue that creates and maintains a company’s shared values. An employee who is physically isolated may be less likely to observe misconduct in the first place. If they do, they may feel less connected to the company and less inclined to report it. More importantly, they may find it more difficult to seek support or advice. It is one thing to pull a compliance officer aside for a quiet, confidential chat; it is another to schedule a formal video call, which can feel more intimidating and less secure. Companies must now think creatively about how to sustain their culture and keep these critical reporting channels open.
The Paradox of Cutting Compliance in a Crisis
In the face of an economic downturn, it is a near-universal reflex for companies to seek cost-saving measures. Budgets are scrutinized, hiring is frozen, and non-revenue-generating departments are often the first to face cuts. This frequently and mistakenly includes the compliance function. This is the single most common and dangerous mistake a business can make during a crisis. The decision to reduce compliance-focused resources and staffing is a perfect example of being “penny wise and pound foolish.” Past downturns have provided a clear and painful lesson: significant reductions in compliance efforts almost invariably lead to major compliance or government enforcement issues down the line.
The irony is that these reactive, post-incident costs are almost always orders of magnitude greater than the cost of proactive compliance. The savings from cutting a few compliance officers’ salaries are dwarfed by the potential for multi-million dollar fines, crippling legal fees, and the catastrophic loss of reputation that follows a major scandal. When resources are removed from compliance functions, compliance issues do not just happen; they are invited. The “corporate police” are off the beat, and this message is not lost on employees who are motivated and rationalizing misconduct. This budget-cutting paradox creates the very vulnerabilities it is meant to help the company survive.
The “Set It and Forget It” Program: Why Static Compliance Fails
Another common pitfall, one that is particularly tempting during a crisis, is the failure to evaluate and update current compliance programs. Many organizations treat their compliance program like a smoke detector: they install it once during onboarding and assume it will work forever. This “set it and forget it” mentality is a recipe for disaster, especially when the fundamental nature of the business’s operations has been radically transformed. A compliance program designed for an in-office workforce is fundamentally unequipped to manage the risks of a remote workforce.
Key elements of the program, such as training, oversight, and reporting, must be re-examined. Is the annual, click-through training module on data security still relevant when employees are on insecure home networks? Does the company’s oversight program, which was based on in-person supervision, have any meaningful way to monitor for remote payroll fraud? Is the “Speak Up” hotline, which was advertised on posters in the breakroom, even visible to employees who have not been in that breakroom for months? In times of crisis, companies must actively review their compliance programs to ensure they meet not only the new operational realities but also the evolving expectations of the government and industry best practices.
Gap 1: The Failure to Conduct Proactive Risk Assessments
One of the most pervasive gaps in compliance programs, even in the best of times, is the lack of a sophisticated, proactive risk assessment process. Far too often, companies either fail to conduct risk assessments altogether or they perform a superficial “check-the-box” exercise that fails to identify real-world vulnerabilities. A risk assessment is the foundational document of a compliance program. It is the diagnostic tool that allows an organization to identify its unique risks, prioritize them based on likelihood and impact, and then design a program of controls that is tailored to addressing those specific risks. Without a risk assessment, a compliance program is just guessing.
This process is challenging even in normal times, but the pandemic has made it even more so. With travel restrictions, a lack of day-to-day visibility, and all resources focused on the immediate crisis, conducting a thorough risk assessment seems like an impossible task. It may be tempting to cut or freeze the budget for this initiative, but that would be a profound mistake. Organizations must find ways to work creatively, even remotely, to conduct these assessments. They need to analyze new risks associated with remote work, government aid programs, and fractured supply chains. To effectively identify and address compliance risks, organizations must continue to review and update their risk profiles, with a particular focus on high-risk jurisdictions where visibility has been completely lost.
Gap 2: Training That Fails to Engage
The second common gap is in compliance training and communication. For many employees, the word “training” conjures images of a mandatory, mind-numbingly boring, hour-long video they must watch once a year. This “check-the-box” approach to training serves a single purpose: to provide a legal defense for the company. It does not, however, do anything to actually change employee behavior or build a strong compliance culture. An effective compliance program understands that communication cannot stop at onboarding. It must be a continuous, multi-channel effort.
Effective programs include recurring compliance messaging in a wide variety of formats. This could include targeted email campaigns about a new phishing scam, in-person (or in this case, live virtual) discussions about ethical dilemmas, compliance-focused newsletters, and quick-hit video messages from senior leadership. Training, too, should be conducted regularly and in a format that is engaging and relevant. Instead of a single annual training, perhaps shorter, quarterly micro-trainings on specific topics are more effective. The goal is to ensure that key compliance areas, such as data privacy or anti-bribery policies, are kept top-of-mind and are well-understood by a workforce that is no longer congregated in a single physical location.
Gap 3: The Silence of a Broken Reporting System
The third critical gap is the failure to implement and support ongoing oversight and reporting mechanisms. The most important of these is a robust, anonymous reporting hotline. Companies that lack such a hotline, or that have one but fail to train their employees on its existence and its non-retaliation policy, are missing out on the single most effective mechanism for identifying compliance issues. Whistleblower reports are the number one way fraud is detected, far outpacing internal audits or external reviews. An organization without a functional hotline is, in effect, choosing to be blind to its most significant problems.
Simply having a hotline is not enough. The company must actively cultivate a “Speak Up” culture. This means training employees on how to raise concerns, what to expect when they do, and, most importantly, instilling a deep-seated, credible belief that they will be protected from retaliation. This is where many programs fail. If employees believe that reporting misconduct will get them labeled as a “snitch” or will lead to them being subtly, or overtly, pushed out of the company, they will not speak up. This is even more true in a remote environment where employees feel isolated and vulnerable. A silent hotline is not a sign of a clean company; it is a sign of a broken culture.
When Leadership Fails to Set the Tone
Perhaps the most significant gap of all is not a specific program or control, but a cultural one: the failure of senior leadership to set a clear and unambiguous “tone at the top.” A compliance program, no matter how well-funded or well-designed, will fail if employees see that the rules do not apply to executives or high-performing “rainmakers.” If a star salesperson is known to bribe clients but is celebrated for “doing what it takes” to make their quota, that message is heard loud and clear by the entire organization. It says that the company’s code of conduct is just a piece of paper and that profit is the only thing that truly matters.
In a time of crisis, the tone from leadership is more critical than ever. Employees are looking to them for guidance, stability, and ethical leadership. If leaders are communicating a message of “we must hit our numbers at all costs,” they are implicitly encouraging employees to cut corners, falsify reports, and engage in unethical behavior. Conversely, a leader who sends a quick, clear message about the importance of ethical conduct, even when it is hard, can have a profound impact. This quick-hit communication from senior leadership, reinforcing that compliance is a core value, is one of the most effective and low-cost controls an organization can deploy.
The Many Faces of Employee Fraud
When people think of fraud, they often imagine a single, complex scheme. In reality, employee fraud is a diverse category of risks that can range from the trivial to the catastrophic. In a remote environment, some of the most common forms of fraud have become easier to commit. This includes misconduct related to payroll and expenses, where employees may feel emboldened by the lack of direct oversight. Inflated time entry reports, claiming overtime for hours not worked, or submitting expense reports for personal items are all forms of misconduct that can bleed a company dry through a thousand small cuts.
Beyond these, the risk of more complex financial fraud remains. An employee in accounting or finance, working from home, may have unsupervised access to company accounts. This could create an opportunity for misappropriation, such as creating “ghost vendors” and paying fraudulent invoices to an account the employee controls. Without the informal checks and balances of an office, where colleagues might question a strange transaction, these schemes can go undetected for longer. The economic pressure of the pandemic may also increase pressure on employees to perform, which can lead to fraud and compliance-related misconduct at all levels as they attempt to cover losses or meet unrealistic goals.
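The data-driven controls that the article calls for in place of physical oversight (inflated time reports, split or duplicate expense claims, and the ghost-vendor scheme described above) can be expressed as simple rules run over payroll, expense and vendor-master exports. The following is an added example, not code from the original article: the record layout, the 12-hour daily maximum, the $50 approval threshold and all of the sample records are assumptions constructed for illustration, and a real deployment would read the same fields from the HR, expense and accounts-payable systems.

```python
"""Rule-based detection of time, expense and vendor-payment fraud.

Added example, not from the original article. Field names, thresholds and
the sample records below are constructed assumptions for illustration.
"""
from collections import defaultdict

MAX_HOURS_PER_DAY = 12       # assumed policy: more than this in a day is implausible
APPROVAL_THRESHOLD = 50.00   # assumed policy: claims below this need no second approver

# Constructed sample data (not real records).
TIME_ENTRIES = [
    {"emp": "E100", "day": "2021-03-01", "hours": 8},
    {"emp": "E100", "day": "2021-03-02", "hours": 8},
    {"emp": "E200", "day": "2021-03-01", "hours": 14},  # implausible daily totals
    {"emp": "E200", "day": "2021-03-02", "hours": 15},
    {"emp": "E200", "day": "2021-03-03", "hours": 14},
]

EXPENSES = [
    {"emp": "E100", "id": "X1", "day": "2021-03-05", "amount": 48.20, "merchant": "Cafe A"},
    {"emp": "E300", "id": "X2", "day": "2021-03-05", "amount": 49.00, "merchant": "Store B"},
    {"emp": "E300", "id": "X3", "day": "2021-03-05", "amount": 49.50, "merchant": "Store B"},
    {"emp": "E300", "id": "X4", "day": "2021-03-05", "amount": 49.50, "merchant": "Store B"},
]

# Employee payroll bank accounts, used to spot a vendor paid into an employee's account.
EMPLOYEES = {
    "E100": {"bank": "ACCT-111"},
    "E200": {"bank": "ACCT-222"},
    "E300": {"bank": "ACCT-333"},
}

VENDORS = [
    {"id": "V1", "name": "Office Supply Co", "bank": "ACCT-900", "created_by": "E100", "approved_by": "E200"},
    {"id": "V2", "name": "Consulting LLC",   "bank": "ACCT-222", "created_by": "E200", "approved_by": "E200"},
]


def flag_time_entries(entries, max_hours=MAX_HOURS_PER_DAY):
    """Return (emp, day, hours) for every day whose reported hours exceed the maximum."""
    return [(e["emp"], e["day"], e["hours"]) for e in entries if e["hours"] > max_hours]


def flag_expenses(expenses, threshold=APPROVAL_THRESHOLD):
    """Two rules over expense claims.

    duplicate: same employee, day, merchant and amount submitted more than once.
    split:     several same-day, same-merchant claims that each sit under the
               approval threshold but together exceed it (threshold evasion).
    """
    findings = []
    first_seen = {}
    groups = defaultdict(list)
    for x in expenses:
        key = (x["emp"], x["day"], x["merchant"], round(x["amount"], 2))
        if key in first_seen:
            findings.append(("duplicate", x["id"], first_seen[key]))
        else:
            first_seen[key] = x["id"]
        groups[(x["emp"], x["day"], x["merchant"])].append(x)
    for (emp, _day, _merchant), items in groups.items():
        under = all(i["amount"] < threshold for i in items)
        if len(items) > 1 and under and sum(i["amount"] for i in items) >= threshold:
            findings.append(("split", emp, sorted(i["id"] for i in items)))
    return findings


def flag_vendors(vendors, employees):
    """Ghost-vendor indicators: vendor bank account belongs to an employee, or the
    same person both created and approved the vendor (no segregation of duties)."""
    emp_by_bank = {v["bank"]: emp for emp, v in employees.items()}
    findings = []
    for v in vendors:
        if v["bank"] in emp_by_bank:
            findings.append(("vendor_bank_matches_employee", v["id"], emp_by_bank[v["bank"]]))
        if v["created_by"] == v["approved_by"]:
            findings.append(("no_segregation_of_duties", v["id"], v["created_by"]))
    return findings


def run_all():
    """Run every rule and return the findings grouped by control area."""
    return {
        "time": flag_time_entries(TIME_ENTRIES),
        "expenses": flag_expenses(EXPENSES),
        "vendors": flag_vendors(VENDORS, EMPLOYEES),
    }


if __name__ == "__main__":
    for area, hits in run_all().items():
        print(area)
        for hit in hits:
            print("  ", hit)
```

Each rule is deliberately cheap and explainable, so a reviewer can look at a flagged record and see exactly which condition it met; the thresholds are the part that must be tuned to the organization’s actual policy, and the vendor check should be run against the vendor master whenever a bank account is added or changed, not only at payment time.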
Executive Misconduct: When Pressure Corrupts from the Top
While junior employee fraud is a concern, the financial impact of executive-level misconduct is often far greater. In previous economic downturns, a consistent pattern emerged: a sharp increase in fraud, non-compliance, and failure to report issues, not just among rank-and-file employees but also among managers and senior executives. The pressure to perform is most acute at the top. Executives, facing intense demands from the board and shareholders to make up for lost profits, may feel a powerful motivation to “cook the books.” This financial statement fraud can involve improperly recognizing revenue, hiding liabilities, or manipulating reserves to present a misleadingly positive picture of the company’s health.
This type of misconduct is insidious because it is perpetrated by the very people who are supposed to be setting the ethical tone for the organization. Their actions send a clear message that the rules are flexible when it comes to profits. Furthermore, these individuals are in a position of power to override or circumvent the internal controls that are designed to prevent such fraud. They can pressure subordinates to “look the other way” or to make questionable accounting entries, creating a culture of complicity. This executive-level pressure is a significant risk that compliance programs must be equipped to monitor and challenge.
The Third-Party and Supply Chain Blind Spot
For many global organizations, the greatest risk of bribery and corruption comes not from their own employees, but from their network of third parties, agents, and supply chain partners. The risk of corruption, particularly in international operations, may increase dramatically as transparency and on-the-ground visibility decrease. It is one thing to conduct due diligence on a new partner when you can fly out, inspect their facilities, and meet their leadership face-to-face. It is another entirely when all you have is a video call and a set of documents that may or may not be authentic.
This lack of visibility creates a blind spot where bribery and corruption can flourish. A third-party agent in a high-risk jurisdiction, under pressure to secure a contract, might resort to paying a bribe to a government official. Without the regular, in-person oversight from the company, this agent may feel that they will not be caught. Similarly, supply chains, already strained by the pandemic, become vulnerable. A company desperate for raw materials might be tempted to use a new, unvetted supplier who may be engaged in illegal or unethical practices. This decrease in transparency makes it more difficult to detect and prevent corruption deep within the company’s global operations.
The Perils of Data Security in a Virtual Workplace
The shift to a remote workforce has created a data security nightmare. As employees rely more on virtual private networks (VPNs) or, in some cases, potentially insecure personal devices and home networks, the risk of data breaches has skyrocketed. Cybercriminals have seized on this opportunity, dramatically increasing the volume and sophistication of phishing and “smishing” (phishing via text message) attacks. These attacks are designed to exploit the fear and uncertainty of the crisis, tricking employees with messages about health updates or new remote work policies that lead to lookalike login pages built to harvest their credentials and, increasingly, their one-time MFA codes.
Beyond external attacks, the potential for individuals to misuse or accidentally disclose confidential documents increases substantially when they are working from home. A simple mistake, like sending an email with a sensitive attachment to the wrong recipient, is more likely when an employee is distracted by their home environment. The lack of physical security for documents and devices also creates new risks. The line between “work” and “personal” blurs, and employees may engage in less-secure behaviors, all of which increases the likelihood of an accidental data leak or a catastrophic, intentional data breach.
The Hidden Dangers in Corporate Giving
In a time of global crisis, many companies have admirably stepped up their corporate social responsibility and charitable giving efforts. This surge in donations, while well-intentioned, has unfortunately been exploited by bad actors. Some have sought to take advantage of this corporate goodwill by creating fraudulent charities, sophisticated shell organizations designed to siphon off donations that are intended for legitimate COVID-19 relief or other causes. An organization that fails to properly vet a charity before making a large donation may not only lose its money but also face significant reputational damage for failing to perform basic due diligence.
An even more insidious risk is the use of charitable donations as a vehicle for bribery and kickbacks. This is a classic corruption scheme. A third-party agent or a government official may request that the company make a “donation” to a specific, and often obscure, charity as a condition of awarding a contract. In reality, that “charity” is controlled by the official or their family, and the donation is simply a disguised bribe. Without rigorous due diligence and clear approval processes for all corporate giving, a company’s own charitable program can be turned into a tool for corruption. All organizations must be thoroughly vetted before any donation is made.
Responding to New Government Programs and Scrutiny
The economic crisis prompted governments around the world to quickly roll out massive aid programs, such as the Payroll Protection Program (PPP) in the United States. These programs were a lifeline for many businesses, but their hasty implementation and the urgent need to get money out the door created a breeding ground for fraud and abuse. Companies, facing desperation, may have been tempted to misrepresent their eligibility or use the funds for non-approved purposes. This has, in turn, created a new and significant compliance risk: government enforcement.
While enforcement was not a priority in the short run, a massive wave of enforcement activity is inevitable. Organizations should expect audits, reviews, and investigations related to these payments for years to come. This creates a new burden on compliance teams, who must now ensure they have meticulous records to justify their company’s receipt and use of these funds. Beyond direct enforcement, organizations may also face severe reputational impacts from being perceived as having taken advantage of government funding initiatives, especially if they were not in the intended “hardest-hit” category. This new scrutiny adds another complex layer to the modern risk landscape.
What is a Compliance Risk Assessment and Why is it Non-Negotiable?
A compliance risk assessment is a systematic process used by an organization to identify, analyze, and prioritize its compliance risks. These risks encompass a wide range of potential misconduct, including fraud, bribery, corruption, data privacy violations, and conflicts of interest. The assessment is not merely a legal or ethical exercise; it is a fundamental business-planning tool. It answers three critical questions: What are our most significant risks? How likely are they to occur? And what would be the impact on our business if they did? Without this analysis, a company’s compliance program is operating in the dark, potentially spending millions on low-risk issues while ignoring critical, high-impact vulnerabilities.
This process is non-negotiable because it is the cornerstone of any effective, or legally defensible, compliance program. Government regulators and enforcement agencies, such as the Department of Justice, explicitly state that they expect companies to conduct risk assessments on an ongoing basis. In the event of an investigation, one of the first questions prosecutors will ask is, “Did you have a risk assessment? Was it tailored to your specific business? And what did you do about the risks you found?” A company that cannot produce a thoughtful, dynamic risk assessment will be viewed as negligent, making it far more likely to face severe penalties.
The Return-to-Workplace Assessment Imperative
As organizations navigate the complex process of reopening physical locations, the need for a targeted risk assessment is paramount. This goes beyond the logistical challenges of desk spacing and sanitation; it is a critical compliance and employee-relations imperative. Companies should conduct risk assessments for each location to identify how best to mitigate the immediate employee health risks related to the crisis. This assessment must consider the myriad new, often-conflicting government guidance and reopening requirements, which can vary by state and even by city. This may include a formal assessment of potential high-risk environments, like communal workspaces, cafeterias, and conference rooms, and a clear plan to mitigate those risks.
From a compliance and human resources standpoint, the goal is twofold. First, the organization must ensure that employees are, and feel, safe and comfortable with returning to work. A plan that is forced upon a fearful workforce will lead to low morale, high attrition, and potential legal action. Second, organizations must ensure that their “Speak Up” channels are fully operational. Employees must feel empowered to raise issues and concerns about safety protocols or other return-to-work issues without fear of retaliation. This assessment is a vital step in rebuilding trust and ensuring a safe, compliant transition back to any form of in-person operations.
Assembling Your Internal Risk Assessment Team
A common mistake is to view a risk assessment as a “legal problem” or an “audit problem.” In reality, a truly effective assessment must be a cross-functional, collaborative effort. It needs to involve personnel from all corners of the organization, as each department has a unique and valuable perspective on the company’s risk profile. The compliance or legal department will lead the effort, providing the framework and understanding the regulatory landscape. But their work is impossible without input from other key groups. Human resources is essential for understanding employee-related risks, such as payroll fraud, discrimination, or the impact of low morale.
The training and development teams need to be involved to understand where the knowledge gaps are, so they can design effective training based on the assessment’s findings. The internal audit team plays a crucial role in testing the controls that are already in place. Finance and accounting are needed to identify risks in invoicing, payments, and financial reporting. Data analytics and IT teams are critical for understanding data security risks and for helping to pull the data needed to conduct the assessment. Finally, business units themselves, such as sales teams or government relations, must be consulted to identify the real-world, on-the-ground compliance risks they face every day.
The Risk Assessment Process: From Identification to Mitigation
A risk assessment is not a single event; it is a continuous, cyclical process. It begins with risk identification. The cross-functional team, through workshops, interviews, and data analysis, brainstorms all the potential compliance risks the company faces. This list is then analyzed and prioritized. Each risk is typically scored on two axes: its likelihood (how likely is it to happen?) and its impact (how much would it hurt if it did?). This scoring creates a “heat map,” allowing the organization to focus its limited resources on the most dangerous risks—those that are both likely and high-impact.
Once these key risks are identified and prioritized, the next step is to evaluate the existing controls. For a high-priority risk like “third-party bribery,” the team would ask, “What are we currently doing to prevent this?” This might include third-party due diligence, mandatory training, and audit rights in contracts. The team then assesses the effectiveness of these controls. Are they well-designed? Are they actually being followed in practice? The gap between the identified risk and the effectiveness of the current controls is the organization’s “residual risk.” The final step is to create a mitigation plan, which involves implementing new or enhanced controls to reduce that residual risk to an acceptable level.
Common Signs You Need an External Risk Assessment
While internal risk assessments are essential, there are times when an organization must bring in an external adviser. One of the most common signs is if the company has never conducted a formal, sophisticated risk assessment within its operations. In this case, the internal team simply lacks the baseline knowledge and expertise to know where to begin. An external expert can provide the methodology, structure, and guidance needed to get the process off the ground and build a sustainable internal program.
Another clear sign is a lack of sufficient internal resources. A proper risk assessment is a time-consuming and resource-intensive process. If the internal compliance, legal, and audit teams are already stretched thin just managing day-to-day crises, they will not have the bandwidth to conduct a thorough assessment. Attempting to do so will result in a superficial, rushed product that fails to identify the real risks. In this scenario, retaining external advisers to assist with and review the process can provide the necessary bandwidth and ensure the assessment is robust and credible.
The Strategic Value of an Independent View
Even companies that have a mature, well-resourced internal program can benefit immensely from an external risk assessment. The primary value an outside third party provides is a fresh, independent, and objective perspective. Internal teams, no matter how skilled, are often too close to the operations. They can be afflicted by institutional “blind spots” or “groupthink,” and they may be hesitant to criticize or challenge powerful internal stakeholders. An external adviser has no such allegiances and can provide a candid, unbiased view of the organization’s compliance program.
Furthermore, external advisers see a wide range of organizations and industries. They have a broad view of industry best practices, emerging risk trends, and, most importantly, current government expectations. They can benchmark a company’s program against its peers and provide recommendations that are grounded in what regulators actually want to see. Hiring an outside firm to periodically review the internal risk assessment process provides a level of assurance and credibility. This independent validation can be invaluable in reducing risks, meeting government expectations, and ultimately, maximizing profitability by avoiding costly compliance failures.
Rolling Out New Policies to a Remote Workforce
Conducting a risk assessment is only the first step. The true value is realized when an organization acts on those findings. Often, this means rolling out new or updated policies to the workforce. This process, already challenging, is made exponentially more difficult with a remote workforce. You cannot simply post a new policy on an intranet and hope that employees will find it, read it, and understand it. Communication is the key to an effective rollout.
The policy rollout should include effective messaging from both the compliance team and, critically, senior leadership. The compliance team can explain the “what” and “how” of the new policy, but senior leadership must explain the “why.” A message from a business leader about how this new policy supports the company’s strategy and values is far more powerful than a dry, legalistic email. Depending on the significance of the change, training may be needed to ensure a deep understanding, particularly for key compliance areas like anti-bribery, conflicts of interest, or insider trading. This training must be engaging and, ideally, interactive, allowing for a virtual question-and-answer session.
The Critical Role of Attestations and Tracking
Just as important as the initial communication is the follow-up. An organization must ensure that its remote workers have access to the compliance team to ask questions and address any concerns they have about the new policy. But beyond that, for the best protection, the company must ensure that employees certify or attest to receiving, understanding, and complying with the new policies. This is not just a bureaucratic exercise; it is a critical component of a legally defensible compliance program.
Tracking these attestations is essential. An organization must have a system to monitor who has completed the certification and who has not, and then follow up with personnel as needed until all applicable employees have responded. This attestation serves two purposes. First, it forces the employee to affirmatively acknowledge the new policy, which significantly increases the likelihood that they will actually read it. Second, it provides the company with a documented, good-faith effort to educate its workforce. In the event of an investigation, being able to show a prosecutor that the employee who engaged in misconduct had specifically attested to understanding the policy they violated can be a crucial factor in the company’s defense.
Creating a Culture of Compliance and Support
A “Speak Up” culture, which is so vital for fraud detection, is built on trust and accessibility. The lack of face-to-face interactions in a remote environment can severely damage both. Quick chats and office visits are the mechanisms by which compliance professionals build rapport, engage with employees, and make themselves approachable. When these are gone, employees may find it more difficult to seek support, and compliance professionals may find it harder to provide it. This is a significant cultural risk that must be actively managed.
Companies must be creative and think strategically about how to sustain their culture of compliance, particularly for new employees who are onboarded remotely and have never set foot in an office. This requires a deliberate and proactive outreach strategy. Compliance professionals should schedule regular, informal “virtual office hours” where employees can drop in with questions. They should engage with business units during their regular virtual team meetings, not to police them, but to offer support and ask what challenges they are facing. These proactive efforts are essential to keep compliance visible and to maintain the personal connections that underpin a strong ethical culture.
The Biggest Obstacles to Normalizing Operations
As organizations attempt to move from crisis-response to a more normal state of operations, they face two massive obstacles. The first is the one that has been present all along: a lack of transparency and visibility into global operations. A company cannot simply flip a switch and regain the oversight it once had. This loss of visibility creates a significant hurdle, as the company may be “flying blind” in high-risk jurisdictions, unaware of new risks or ongoing misconduct that took root during the crisis. This makes it difficult to make informed decisions about resource allocation or strategic direction.
The second and more immediate obstacle is resource limitation. The economic impact of the pandemic has been severe. Many companies have had to reallocate resources from proactive functions, like compliance, to reactive, business-critical functions just to keep the lights on. This creates a dangerous burden. Businesses are now facing the extra responsibilities of protecting their employees and customers as they return to work, all while trying to maintain their core compliance programs with a potentially reduced staff and budget. This resource constraint is a major vulnerability, and one potential option is to use external compliance advisers to temporarily augment these limited internal resources and bridge the gap.
Accountability for Non-Compliance: The Inevitable Reckoning
During the height of a crisis, immediate survival takes precedence over all else. Enforcement of certain regulations may seem to be a lower priority for government agencies that are also focused on the crisis. This, however, is a temporary illusion. Companies will absolutely be held accountable for non-compliance with applicable laws, whether that non-compliance was due to crisis-related oversight limitations or not. The laws against bribery, corruption, sanctions violations, and money laundering were not suspended. A reckoning is coming.
In the short run, enforcement may be focused on the most egregious and obvious forms of abuse, particularly around government aid programs. However, in the medium to long term, we will certainly see a significant increase in enforcement activity across the board. Regulators understand that a crisis is when the worst misconduct often happens, and they will be looking for it. Organizations that took shortcuts, cut their compliance budgets, or failed to adapt their programs to the new risk landscape will be exposed. The message is clear: the crisis is not an excuse for non-compliance, and accountability, while delayed, will be certain.
Reputational Impact: The Unquantifiable Cost of Non-Compliance
Beyond the direct, quantifiable costs of fines and legal fees, organizations face an even greater, and often permanent, cost: reputational impact. In the modern, transparent world, news of a compliance failure spreads instantly. An organization that is found to have engaged in corruption, or even one that is seen as taking advantage of government funding initiatives, can face a swift and brutal public backlash. This reputational damage can be far more costly than any fine. Customers, especially in the B2B space, are increasingly selective about who they do business with, and a compliance scandal can lead to lost contracts and a permanently damaged brand.
This reputational fallout is not just external. It also rots the company from within. A compliance failure signals to employees that the company’s stated values are a lie. This leads to cynicism, disengagement, and a collapse in morale. The best, most ethical employees will be the first to leave, as they will not want their own reputations tarnished by association. This leaves the company in a downward spiral, struggling to retain talent and rebuild the trust it has lost. This is why risk management is not just a legal or financial function; it is a critical pillar of a sustainable and resilient business.
Conclusion
The challenges of the past several years have provided a series of painful but valuable lessons. The most important of these is that risk management cannot be a reactive function. Organizations that waited for a problem to happen before investing in compliance were the ones that suffered the most. The path forward requires a proactive, dynamic, and data-driven approach to managing workforce risk. This begins with accepting that the world has changed and that the old models of oversight and control are no longer effective.
It requires a renewed commitment to funding and empowering the compliance function, not as a cost center, but as a strategic partner that protects the organization’s value. It means building a resilient culture that is anchored in trust, transparency, and a deeply embedded “Speak Up” mentality. And it means leveraging technology and data analytics to create new forms of oversight that are more effective and less intrusive than the physical supervision of the past. Risk management is not easy, but in this new environment, it is more critical to an organization’s survival than ever before.