According to The Advance Legal Trends Report 2023/24, managing hybrid working remains one of the biggest challenges for law firms.
A well-thought-out strategy and implementation of hybrid working is paramount to reducing the risks and challenges currently being faced, and to helping firms succeed in their growth ambitions. We discuss some of the main areas firms need to consider below.
Employee wellbeing and company culture
One of the key benefits that hybrid working has provided, for many, is a better work-life balance. However, some employees can feel isolated and lose confidence in their interactions when working remotely. It’s not always easy to see when someone is struggling at home. Staff need to remain confident about being able to communicate any difficulties they have, whether this be workload pressures, work problems or mistakes made.
From a risk perspective, negligence claims have been directly linked to fee earners feeling overwhelmed or experiencing stress, and a mistake, problem or issue left unreported is more likely to end up as a professional indemnity claim. Communication with hybrid workers is essential, and closer attention may need to be paid to employees’ wellbeing when they are not always in the office.
Alongside staff wellbeing, maintaining a company culture and attitude to risk in a hybrid-working model comes with its challenges. If staff are physically distanced from an organisation, is there a chance they might also feel distanced from its ethics and values? With the SRA’s increased focus on cultural and ethical values, firms should set theirs out clearly and have a sound strategy for implementation, ensuring that remote working does not lead to short cuts being taken or standards slipping.
Communication and collaboration
Hybrid working, and the flexibility for staff to choose which days they are in the office, can mean teams spend less time together and collaborate less. Building working relationships can be trickier, particularly for more junior team members and new colleagues, with learning opportunities reduced.
Providing greater structure and formalised team time as part of your hybrid working model can ensure people remain connected and that learning continues. Consider introducing a regular office day when all team members come in and pre-planned times when staff can specifically focus on learning from each other. Formalising collaboration and teamwork on cases and establishing online hubs with resources, training materials and mentoring programmes can also help to keep such activity at the forefront.
Supervision, file reviews and systems
Supervision remains high on both insurers’ and the SRA’s radar. They expect firms to monitor the work being undertaken and this becomes more difficult when staff and supervisors are working remotely. Simply by working in close proximity with each other, in-office working provides a significant degree of informal supervision, and, equally importantly, support. Ensuring that your supervision arrangements are as effective for remote and hybrid workers as they are in-office is critical. A person being left to their own devices may be failing to adopt the firm’s policies and procedures correctly, going ‘off-piste’ in terms of the work they are taking on, or simply not using colleagues as a sounding-board. Firms that have a high proportion of remote workers have to work harder to counter these risk factors.
Systems and processes will need to be updated to ensure remote supervision and file audits are possible and managed effectively, and that evidence can be recorded. Firms should review their compliance policies and procedures to bring them in line with remote working requirements, ensuring AML, client onboarding, client due diligence and GDPR policies and processes all work in the remote world. System-generated flags and reports are useful, but not sufficient on their own. Firms should consider how they allocate time and resource to supervising matters on a risk-assessed basis. Hybrid working doesn’t lend itself well to ad hoc supervision, so managing a dispersed workforce needs a more formalised focus for 1-to-1s and file audits.
Cyber risks & information security
Remote working has undoubtedly brought new cybersecurity challenges for law firms. If you allow staff to access any work systems on their own devices, there is always a greater degree of risk that those devices will be lost, stolen or compromised. Even with work-supplied devices, their usage outside of an office environment (whether travelling or in the home) makes it that bit more difficult to ensure they are being used in a way that does not expose the firm, and your clients, to information security breaches or wider cyber threats.
Any use of personal devices should be subject to (at minimum) an annual declaration that those devices have appropriate anti-virus/malware software installed, and that they are used in accordance with a set of appropriate use protocols. Better still is to require the devices to have relevant approved software installed on them by your IT department.
All staff, when away from the office, whether working from home or travelling, should sign up to a ‘remote working code of conduct’ (or similar). This would address:
- Use of approved devices for work purposes (if personal devices are permitted, then it should be in accordance with your BYOD (bring your own device) policy)
- Wifi connections:
  - Home wifi set-up requirements
  - No use of public wifi/use of secured wifi hotspot from your mobile device only
- Business VPN connection
- Never leave devices unattended in public places
- Use privacy screens if working on confidential or sensitive matters
- Do not reveal any client details or confidential information on calls in public places
- Not saving client or confidential data onto your computer
- Password security, multi-factor authentication and BitLocker encryption
- Installation of updates
- Remote device wiping
- Immediate reporting of devices lost or stolen
- Immediate reporting of potential security breaches (e.g. phishing links clicked)
Any such declaration should also refer (and link) to your acceptable use policy (updated to consider social media and AI usage), data retention and destruction policy, and ongoing engagement with cyber security training updates.
It is incumbent on firms to monitor adherence to these policies and ‘codes of conduct’ in practice. While systems-based monitoring can play an important role in flagging problematic behaviours, how you design your work processes is equally important. For example, you can restrict the ability of staff to download documents onto a USB stick, making it more difficult for them to work off-system. Actively engaging with staff so that they have the assistance they need to set up their wifi securely, know how to use and connect to a wifi hotspot from a mobile device, etc. will help ensure compliant behaviours in practice. An annual IT audit can also check that devices have the appropriate updates installed and are operating securely.
Refresher training
It is easy to fall into bad habits, especially if working remotely for much of the time. Training on policies and procedures is not a ‘once and for all’ thing, but needs to be reinforced regularly. This is even more true of anything to do with information security and cyber threats.
Law firms of all sizes remain a prime target for phishing and social engineering attacks designed to gain access to secure systems. Comprehensive cyber security training should be provided at least annually (much better to provide a regular drip feed of practical tips, case-studies and new threats) to all staff to help ingrain behaviours and keep cyber security front of mind.
Conclusion
A firm’s attitude to hybrid working is likely to be dependent upon the type of work it undertakes, its clients and culture. Whatever the approach, clear policies and guidance on processes and expectations need to be established and upheld by all staff to ensure a solid risk mitigation strategy is in place.
For further guidance on the following, contact us at solicitors@miller-insurance.com
- Evolving your remote working policies and procedures
- Combatting cyber risks
- Information security management
- Business continuity planning