Skip to Content

Returning to Workplaces Will Be Risky: Roll Up Your Sleeves, Internal Audit

Blogs Richard F. Chambers, CIA, QIAL, CGAP, CCSA, CRMA May 11, 2020

​After weeks of uncertainty and anxiety over the COVID-19 pandemic, sporadic signs of normalcy are beginning to appear.

A growing number of jurisdictions are easing or lifting stay-at-home directives, and organizations are turning their focus to return-to-workplace strategies. Multitudes from all levels of the economy, from consumers to front-line workers to heads of industry, are eager to return to once-familiar settings and routine business activities.

But these signs of normalcy are only mirages. I am certainly not the first to note that business as we knew it before COVID-19 will likely never return. In less than six months, the pandemic has killed almost 300,000 people globally, wreaked havoc on economies, boosted unemployment to historic levels, and rewritten the rules for the workplace.

What is clear is that the direct and indirect impacts and risks created by this scourge will reverberate well into this new decade. As internal auditors, our understanding of risk and risk management will serve our organizations well. In particular, our ability to recognize new and emerging risks places us in an ideal position to offer great value as wave after wave of unexpected hazards batter our organizations.

The latest challenge is dealing with risks associated with returning to our normal places of work. The risks are many, including balancing employee health and safety with privacy concerns, adjusting operations to minimize the risk of outbreaks, reevaluating real estate needs in the short and long term, training management to deal fairly with pandemic-related employee needs and conflicts, assuring new processes and procedures are well-designed and working as intended, and more. In short, the issues in a return-to-workplace plan encompass a full portfolio of risks, including financial, operations, compliance, legal, health, and safety.

Internal auditors should be prepared to step up to provide informed assurance and advice on return-to-workplace plans, and resources to becoming informed are abundant. Governments around the world are providing guidance. For example, the European Union's European Agency for Safety and Health at Work offers a variety of resources on its COVID-19: Resources for the Workplace web page. In the U.S., the Occupational Safety and Health Administration (OSHA) also provides guidance for preparing workplaces. 

Additionally, the U.S. Centers for Disease Control and Prevention offers important information on cleaning and disinfecting, social distancing, and return-to-workplace strategies. The World Economic Forum published Workforce Principles for the COVID-19 Pandemic in March, which provided a well-rounded perspective on societal and workforce implications of the pandemic. The white paper includes a discussion on ensuring responsible workplace redesigns.

At a minimum, organizations should conduct a COVID-19-focused risk assessment in three key areas: preventing the spread of COVID-19, designing appropriate workplace controls, and establishing how to identify and isolate employees who may have the disease. The risk assessment also must consider potential legal vulnerabilities associated with treatment of employees, including potential claims of discrimination, privacy violations, retaliation, and whistleblower claims.

As always, it's not our job to design controls, formulate policies, or enforce compliance when it comes to return-to-workplace plans. Instead, we should offer our perspectives directly to management, human resources professionals, or the organization's legal experts. We can serve as part of task forces helping to formulate the return-to-workplace plans, but our focus should be on risk mitigation. The key questions we should be posing and answering include:

  • Has management adequately identified and assessed return-to-workplace related risks?
  • Do proposed return-to-workplace policies and controls address the key risks?
  • Are policies/controls effectively implemented (including communications)?
  • Is the overall program functioning as intended, or are improvements warranted?

Any discussion about return-to-workplace risks would not be complete without acknowledging the risks associated with how psychological biases can influence judgment and actions. Such biases can upset the efficacy of workplace health and safety rules.

  • Normalcy bias. This is the psychological state of denial, the tendency to believe that things will continue to go on the way they always have. It can erode the effectiveness of safety measures, such as hand washing, adherence to social distancing rules, and use of protective equipment including face masks.
  • Optimism bias. This cognitive bias causes people to believe that they themselves are less likely to experience a negative event. As with normalcy bias, optimism bias can work against adherence to the rules in the "new normal."
  • Conspiracy theories. While not a psychological bias, belief in conspiracy is a potentially powerful and dangerous threat to workplace safety and health. Why people believe in conspiracies has been studied extensively, and there have been many theories that posit explanations. For our purposes, it is important to understand that lack of trust breeds vulnerability to misinformation and conspiracy. This is why honest and open communication with employees should be a critical component of any return-to-workplace strategy.

It is important to realize that these biases and their deleterious effects are not limited to the organization's workforce. They also can influence the actions of those outside the workforce who interact with employees, including, customers, vendors, and family members.

It is clear the risks associated with emerging from mandated or voluntary isolation are complex, dynamic, and unprecedented in a modern workplace context. Taking steps to identify, understand, and mitigate those risks are critical to making that transition as safe and painless as possible.

As always, I look forward to your comments.

Richard F. Chambers, CIA, QIAL, CGAP, CCSA, CRMA

Former president and CEO of The IIA, the global professional association and standard-setting body for internal auditors.