If employees are the key asset of any organization, then Human Resources (HR) is the most important process within the company as it looks after them!
Many Governance, Risk, and Compliance (GRC) programs that I have encountered over the years, though, focus primarily on the Finance and IT processes, and HR sometimes creates its own risk and control silo. When I ask why, I often hear from GRC stakeholders that it is because Finance and IT processes are well defined, so any process deficiency is (relatively) easy to identify and remediate; what I hear from HR stakeholders is that they are not well aware of what is already available in the company’s Governance, Risk, and Compliance program.
In this blog, I’d like to suggest a few connections that HR can leverage from GRC in order to reduce the number of duplicated silos for risks, controls or checks that would otherwise be created.
As a matter of fact, one of SAP’s Intelligent Enterprise end-to-end processes is Recruit to Retire to help companies “understand, manage, and optimise all aspects of the workforce (employees and external workers) in line with business objectives and with clear financial impact – facilitating exceptional workforce experiences and business transformation”:
As a result, I decided to see how we could align GRC with each step of the Recruit to Retire process. Of course, below are just suggestions of a few areas that might be a good start, hence not a complete list!
Planning
As for any other program, it all starts with a planning phase.
Here, there is inevitably the risk that budgets are not respected and that the recruitment doesn’t align with the company strategy. As a result, I believe that this is where a risk identification and assessment, but more importantly an ongoing risk monitoring, would best support the process. Once the risks have been documented, the Risk Owner (typically the recruiting manager) could then select relevant indicators that would notify them, or the HR team, should there be a mismatch in budget or timeline for recruiting. This would help prevent finalizing any recruitment that does not support the objectives set. But budget and delays are not all. Indicators could also alert when critical missing skills are not being filled, especially those skills necessary to deliver the company’s objectives. Here, HR could leverage the risk catalogue in place and also the Key Risk Indicators already defined, especially on budget tracking. If some HR risks are missing, then it’s a perfect opportunity to add them to the risk universe and track them over time.
Staffing
This phase is the most critical one for attracting talent. This is when a candidate is transformed into an employee.
A sound internal control process will help ensure that no discriminatory practices are in place, that no wrongful promises are made, and also that there is a contract in place signed by the relevant stakeholders. In some cases, background checks can also be mandatory, depending on the industry and the role of course. Automating them before candidates are even interviewed could help both parties save time. Why interview a candidate only to realize afterwards that, for whatever background reason, they cannot be selected? Putting these controls in place ensures that the local legislation is applied, but also sends a message to the new colleague joining: they are in a safe and ethical workplace. Interestingly, most of these controls will already exist in the internal control repository, especially the ones relating to regulatory requirements. Similarly, instead of implementing a separate procedure for background checks, why not leverage the third-party screening that is most likely already in place for contractors? By simply adding new rules and checks, it could even improve the third-party screening by applying the same standard to all workers: full-time, part-time or contractors.
Onboarding
Before onboarding, all the paperwork has to be completed of course. And this also usually includes signing the relevant policies.
And here is another part of the process that GRC can support: the acknowledgement and understanding of the policies. Just before or during the onboarding process, the new colleague will need to agree to codes of conduct, undertake regulatory training (especially if they join a role in sales!) and so on. These policies are most likely already stored and tracked in the organization’s GRC program. The next step is to provide the new employee access to the right IT systems. And here again, a very common GRC process takes place: identity and access management. By embedding access governance within HR, the employee will be granted the right access to the right systems without delays, and this therefore creates a double benefit:
Working
The previous remark about ensuring that the employee is adequately trained and has acknowledged the policies of course continues to apply during this phase, with regular reviews to ensure that this is still the case.
But another sensitive process also needs monitoring: expense management. Since travel is (somewhat) back on the cards now, employees will be lodging travel expenses for reimbursement. Instead of manually reviewing the expense reports, what if these were automated by the GRC tools already in place in the company? This includes data analytics tools to ensure that any anomaly is detected before a payment is processed, for instance. Not only does this mean less manual work for the HR team, but it also means a systematic and more consistent application of the reimbursement policy. Another critical aspect here is monitoring of workplace culture and safety. Having a hotline-type approach helps employees report any misconduct or unfair treatment, and helps the company investigate any allegations. But, instead of creating a new HR hotline, why not align it with the whistleblowing one if there is already one in place to report fraudulent behaviours? Once again, this prevents duplication but also helps audit get an overall picture of any issue that has been raised. This can also be supplemented by internal controls. For instance, automatically identifying the employees with a large amount of outstanding vacation days. They may be saving them, but it could also indicate a case of harassment or workplace bullying if their requests are systematically declined by a manager who rejects any vacation request. It could also indicate a heavy workload for a certain department, in which case it could also raise a notification to the Risk Owners back in the “Planning” phase, as this could indicate that a particular skill is still missing or in low availability, for instance.
Paying
There are 3 aspects here that I think could be supported by GRC:
1. Handling of sensitive employee data. Any good internal control framework should have relevant controls to ensure that employee data is protected and only accessed with appropriate user rights. There should also be controls in place to confirm that personnel files contain accurate, valid and complete information. Any anomaly should be automatically identified, logged, and reported to the right level of authority. Indeed, it might be worse than an internal issue: if sensitive data have been breached and accessed by an external party, it could require a notification to the local regulator.
2. Monitoring payroll payments. Before even the financial transaction itself, changes to the payroll posting configuration or unauthorized changes to the payroll master should also automatically be flagged and raised for review. Similarly, if there is a policy requiring approval of a supervisor before overtime occurs, then this could be enforced by a proactive control and, if this control failed, then the payment would de facto be blocked until the issue is reviewed. These proactive measures would help prevent wrong transactions from being performed.
3. Monitoring employee benefits. In most internal control frameworks, there are already checks defined to ensure that the HR benefits module is configured to limit contributions to retirement plans in accordance with revenue services guidelines, and these checks are regularly reviewed by Internal Audit. HR could therefore leverage them directly once again as a preventative measure.
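To make the second point concrete, here is an added example (not code from this blog, SAP or any GRC product) of what the two proactive payroll controls look like when written down as rules: overtime is only released for payment when a supervisor approval dated on or before the worked day covers the claimed hours, and changes to sensitive payroll master fields are flagged unless they carry an approved change ticket and were not made by the employee on their own record. The data classes, field names and the self-change rule are my assumptions; the sample claims, approvals and changes are constructed.

```python
"""Two preventive payroll controls as plain rules (illustrative, not SAP code)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class OvertimeClaim:
    employee_id: str
    hours: float
    worked_on: date
    amount: float


@dataclass
class Approval:
    employee_id: str
    approver_id: str
    approved_on: date
    max_hours: float


@dataclass
class MasterChange:
    employee_id: str
    field: str
    changed_by: str
    change_ticket: Optional[str]  # None when no ticket was recorded


# Assumed list of payroll master fields whose change needs an approved ticket.
SENSITIVE_FIELDS: Set[str] = {"bank_account", "pay_rate", "tax_code"}


def check_overtime(claims: List[OvertimeClaim], approvals: List[Approval]
                   ) -> Tuple[List[OvertimeClaim], List[OvertimeClaim]]:
    """Split claims into (released, blocked).

    A claim is released only if a supervisor approval for that employee was
    given on or before the day the overtime was worked and covers the hours.
    Everything else stays blocked until reviewed (the control 'fails closed').
    """
    by_emp: Dict[str, List[Approval]] = {}
    for a in approvals:
        by_emp.setdefault(a.employee_id, []).append(a)
    released, blocked = [], []
    for c in claims:
        covered = any(a.approved_on <= c.worked_on and a.max_hours >= c.hours
                      for a in by_emp.get(c.employee_id, []))
        (released if covered else blocked).append(c)
    return released, blocked


def review_master_changes(changes: List[MasterChange],
                          approved_tickets: Set[str]) -> List[MasterChange]:
    """Return master-data changes that must be raised for review.

    A change to a sensitive field is flagged when it has no approved ticket,
    or when the person who made it is the employee whose record it is
    (a segregation-of-duties rule assumed for this example).
    """
    flagged = []
    for ch in changes:
        if ch.field not in SENSITIVE_FIELDS:
            continue
        no_ticket = ch.change_ticket is None or ch.change_ticket not in approved_tickets
        self_change = ch.changed_by == ch.employee_id
        if no_ticket or self_change:
            flagged.append(ch)
    return flagged


# Constructed sample data.
SAMPLE_CLAIMS = [
    OvertimeClaim("E100", 8, date(2024, 3, 5), 320.0),   # approved in advance
    OvertimeClaim("E101", 6, date(2024, 3, 6), 240.0),   # no approval at all
    OvertimeClaim("E100", 12, date(2024, 3, 7), 480.0),  # exceeds approved hours
]
SAMPLE_APPROVALS = [Approval("E100", "M7", date(2024, 3, 1), 10)]
SAMPLE_CHANGES = [
    MasterChange("E101", "bank_account", "HR01", "CHG-1"),  # ticketed, by HR
    MasterChange("E102", "pay_rate", "E102", "CHG-2"),      # employee changed own pay
    MasterChange("E103", "bank_account", "HR01", None),     # no ticket
    MasterChange("E104", "cost_center", "HR01", None),      # not a sensitive field
]
SAMPLE_TICKETS = {"CHG-1", "CHG-2"}

if __name__ == "__main__":
    ok, held = check_overtime(SAMPLE_CLAIMS, SAMPLE_APPROVALS)
    print("released:", [(c.employee_id, c.amount) for c in ok])
    print("blocked: ", [(c.employee_id, c.amount) for c in held])
    print("flagged: ", [(c.employee_id, c.field) for c in
                        review_master_changes(SAMPLE_CHANGES, SAMPLE_TICKETS)])
```

The point of the design is that both checks run before the payment file is produced, so a failed control blocks the transaction rather than generating a finding after the money has left.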
Closing
Here again, there are multiple aspects of this HR subprocess that GRC can support.
The first one relates to the process itself. Controls should be in place to ensure that employee terminations are verified by the HR manager, that they are entered in a timely manner, and that they are coordinated with Payroll so no payments can be made after the final termination payment. This could be achieved by combining two controls, for instance: “Insufficient employee notice on termination” and “Unauthorized changes to payroll master”. The first one is a perfect example of a procedural control and the second one a perfect example of an automated check on configuration and master data. Any deficiency in these controls would need to be reviewed first. Finally, once the offboarding has been planned, access governance will once again kick in. With automated deprovisioning, the company will be assured that all active user accounts have been removed and that the now ex-employee no longer has access to the company resources.
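The offboarding checks above reduce to a reconciliation between three sources: the HR termination records, the account inventory of each system, and the payroll payment log. As an added example (mine, not the blog author’s, SAP’s or any GRC tool’s code), the function below runs that reconciliation and returns four kinds of findings: terminations not verified by an HR manager, accounts still enabled for a leaver after an assumed one-day grace period, accounts whose owner is neither an active employee nor a recorded leaver (orphans), and payments dated after an employee’s final termination payment. The record layouts and the grace period are assumptions; the roster, accounts and payments are constructed sample data.

```python
"""Offboarding reconciliation: leavers vs. enabled accounts vs. payments (illustrative)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set


@dataclass
class Termination:
    employee_id: str
    last_day: date
    verified_by_hr_manager: bool


@dataclass
class Account:
    system: str
    user: str
    employee_id: Optional[str]  # None for accounts with no recorded owner
    enabled: bool


@dataclass
class Payment:
    employee_id: str
    paid_on: date
    kind: str  # "regular" or "final"


GRACE_DAYS = 1  # assumed: deprovisioning must complete the day after the last day


def reconcile(roster: Set[str], terminations: List[Termination],
              accounts: List[Account], payments: List[Payment],
              today: date) -> Dict[str, list]:
    """Return findings keyed by control name.

    roster: employee ids that HR currently considers active.
    """
    findings: Dict[str, list] = {
        "unverified_termination": [],
        "lingering_access": [],
        "orphan_account": [],
        "payment_after_final": [],
    }
    leavers = {t.employee_id: t for t in terminations}

    # Procedural control: every termination must be verified by the HR manager.
    for t in terminations:
        if not t.verified_by_hr_manager:
            findings["unverified_termination"].append(t.employee_id)

    # Access governance: enabled accounts of leavers past the grace period,
    # and accounts whose owner is unknown to HR altogether.
    for a in accounts:
        if not a.enabled:
            continue
        if a.employee_id in leavers:
            deadline = leavers[a.employee_id].last_day + timedelta(days=GRACE_DAYS)
            if today > deadline:
                findings["lingering_access"].append((a.system, a.user))
        elif a.employee_id not in roster:
            findings["orphan_account"].append((a.system, a.user))

    # Payroll coordination: nothing may be paid after the final termination payment.
    final_paid: Dict[str, date] = {}
    for p in payments:
        if p.kind == "final":
            final_paid[p.employee_id] = max(p.paid_on, final_paid.get(p.employee_id, p.paid_on))
    for p in payments:
        if p.kind != "final" and p.employee_id in final_paid and p.paid_on > final_paid[p.employee_id]:
            findings["payment_after_final"].append((p.employee_id, p.paid_on))
    return findings


# Constructed sample data.
TODAY = date(2024, 4, 15)
ROSTER = {"E4", "E5"}
TERMINATIONS = [
    Termination("E1", date(2024, 3, 31), True),
    Termination("E2", date(2024, 4, 14), True),   # still inside the grace period
    Termination("E3", date(2024, 3, 15), False),  # never verified by HR manager
]
ACCOUNTS = [
    Account("erp", "e1", "E1", True),      # should have been disabled
    Account("mail", "e1", "E1", False),    # correctly disabled
    Account("erp", "e2", "E2", True),      # within grace, not yet a finding
    Account("vpn", "e3", "E3", True),      # leaver, still enabled
    Account("erp", "e4", "E4", True),      # active employee, fine
    Account("erp", "svc_old", "E9", True), # owner unknown to HR
    Account("erp", "svc_x", None, True),   # no owner recorded at all
]
PAYMENTS = [
    Payment("E1", date(2024, 3, 31), "final"),
    Payment("E1", date(2024, 4, 30), "regular"),  # paid after final payment
    Payment("E4", date(2024, 4, 30), "regular"),
]

if __name__ == "__main__":
    for control, items in reconcile(ROSTER, TERMINATIONS, ACCOUNTS, PAYMENTS, TODAY).items():
        print(f"{control}: {items}")
```

Running the reconciliation on a schedule, rather than only at the moment of termination, is what catches the account someone re-enabled later or the payroll run that was not told about the leaver.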
With an intelligent Recruit to Retire process integrated across an Intelligent Enterprise and supported by an efficient Governance, Risk, and Compliance program, I feel that companies can increase productivity across operations and, at the same time, limit their risks. Should HR decide to leverage the existing GRC processes, HR managers might even be able to do so (nearly) effortlessly.
What about you, how does GRC support your HR process? I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard