Planning
As for any other program, it all starts with a planning phase. Here, there is inevitably the risk that budgets are not respected and that recruitment does not align with the company strategy. As a result, I believe this is where risk identification and assessment, and more importantly ongoing risk monitoring, would best support the process. Once the risks have been documented, the Risk Owner (typically the recruiting manager) could select relevant indicators that notify them, or the HR team, should there be a mismatch in budget or timeline for recruiting. This would help prevent finalizing any recruitment that does not support the objectives set. But budget and delays are not all: indicators could also alert when critical skills are still missing, especially those needed to deliver the company's objectives. Here, HR could leverage the risk catalogue already in place and the Key Risk Indicators already defined, especially on budget tracking. If some HR risks are missing, it is a perfect opportunity to add them to the risk universe and track them over time.
Staffing
This phase is the most critical one for attracting talent. This is when a candidate turns into an employee. A sound internal control process helps ensure that no discriminatory practices are in place, that no wrongful promises are made, and that a contract is in place and signed by the relevant stakeholders. In some cases, background checks are also mandatory, depending on the industry and the role of course. Automating them before candidates are even interviewed could save both parties time (provided the timing and scope of such checks are themselves permitted by local legislation): why interview a candidate only to realize afterwards that, for whatever background reason, they cannot be selected? Putting these controls in place ensures that local legislation is applied, but it also sends a message to the new colleague joining: they are in a safe and ethical workplace. Interestingly, most of these controls will already exist in the internal control repository, especially those relating to regulatory requirements. Similarly, instead of implementing a separate procedure for background checks, why not leverage the third-party screening that is most likely already in place for contractors? By simply adding new rules and checks, it could even improve the third-party screening by applying the same standard to everyone, whether full-time, part-time or contractor.
Onboarding
Before onboarding, all the paperwork has to be completed, of course. This usually includes signing the relevant policies, and here is another part of the process that GRC can support: the acknowledgement and understanding of the policies. Just before or during onboarding, the new colleague will need to agree to codes of conduct, undertake regulatory training (especially if they join a role in sales!) and so on. These policies are most likely already stored and tracked in the organization's GRC program. The next step is to provide the new employee access to the right IT systems. And here again, a very common GRC process takes place: identity and access management. By embedding access governance within HR, the employee is granted the right access to the right systems without delay, and this therefore creates a double benefit:
Working
The previous remark about ensuring that the employee is adequately trained and has acknowledged the policies of course continues to apply during this phase, with regular reviews to ensure that it is still the case. But another sensitive process also needs monitoring: expense management. Since travel is (somewhat) back on the cards now, employees will be lodging travel expenses for reimbursement. Instead of manually reviewing the expense reports, what if these were reviewed automatically by the GRC tools already in place in the company? This includes data analytics tools that detect anomalies before a payment is processed, for instance. Not only does this mean less manual work for the HR team, it also means a systematic and more consistent application of the reimbursement policy. Another critical aspect here is the monitoring of workplace culture and safety. A hotline-type approach helps employees report any misconduct or unfair treatment, and helps the company investigate any allegations. But instead of creating a new HR hotline, why not align it with the whistleblowing hotline if one is already in place to report fraudulent behaviours? Once again, this prevents duplication, but it also helps audit get an overall picture of every issue that has been raised. This can be supplemented by internal controls, for instance automatically identifying employees with a large number of outstanding vacation days. They may simply be saving them, but it could also indicate harassment or workplace bullying if a manager systematically rejects their vacation requests. It could also indicate a heavy workload in a certain department, in which case a notification could be raised to the Risk Owners back in the "Planning" phase, as this could mean that a particular skill is still missing or in short supply.
Paying
There are 3 aspects here that I think could be supported by GRC:
1. Handling of sensitive employee data. Any good internal control framework should have controls to ensure that employee data is protected and only accessed with appropriate user rights. There should also be controls to confirm that personnel files contain accurate, valid and complete information. Any anomaly should be automatically identified, logged and reported to the right level of authority. Indeed, it might be worse than an internal issue: if sensitive data has been breached and accessed by an external party, it could require a notification to the local regulator.
2. Monitoring payroll payments. Before the financial transaction itself, changes to the payroll posting configuration and unauthorized changes to the payroll master should automatically be flagged and raised for review. Similarly, if there is a policy requiring a supervisor's approval before overtime is worked, then this could be enforced by a preventive control: if the control fails, the payment is blocked until the issue has been reviewed. These preventive measures help stop incorrect transactions from being performed.
3. Monitoring employee benefits. In most internal control frameworks, there are already checks defined to ensure that the HR benefits module is configured to limit contributions to retirement plans in accordance with the revenue service's guidelines, and these checks are regularly reviewed by Internal Audit. HR could therefore leverage them directly, once again as a preventive measure.
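To make the second point concrete, here is an added example (not code from the original article or from any particular GRC product) of the two pre-payment controls described above, written in Python: an unauthorized change to a sensitive payroll-master field is flagged for review, and overtime that has no supervisor approval dated on or before the day it was worked blocks that employee's payment. The snapshot layout, the field names, the approval records and the employee data are all constructed for the example; a real implementation would read them from the payroll and HR systems.

```python
"""Pre-payment payroll controls (example code, not from the original article).

Two controls run before a payment file is released:
  1. payroll-master changes to sensitive fields without an approved change request
  2. overtime entries with no supervisor approval granted before the work date
All records below are constructed; field names are assumptions for the example.
"""
from dataclasses import dataclass
from datetime import date

# Payroll-master fields that may only change through an approved change request.
SENSITIVE_MASTER_FIELDS = ("bank_account", "hourly_rate", "cost_center")


@dataclass
class Finding:
    employee_id: str
    control: str
    detail: str
    action: str  # "flag" = raise for review, "block" = hold the payment


def detect_master_changes(previous: dict, current: dict, approved: set) -> list:
    """Compare two payroll-master snapshots (employee_id -> record).

    A changed sensitive field with no matching approved request (employee_id, field)
    is an unauthorized master-data change. A bank account change is blocked outright
    (the money would go to an account nobody approved); other fields are flagged.
    """
    findings = []
    for emp, rec in current.items():
        old = previous.get(emp)
        if old is None:  # record appeared without going through the previous run
            findings.append(Finding(emp, "payroll_master", "record not in previous snapshot", "flag"))
            continue
        for fld in SENSITIVE_MASTER_FIELDS:
            if old.get(fld) != rec.get(fld) and (emp, fld) not in approved:
                action = "block" if fld == "bank_account" else "flag"
                findings.append(Finding(emp, "payroll_master",
                                        f"{fld} changed {old.get(fld)!r} -> {rec.get(fld)!r} without approval",
                                        action))
    return findings


def check_overtime(overtime: list, approvals: list) -> list:
    """Every overtime entry needs a supervisor approval for the same employee and
    work date, dated no later than the work date itself (approval after the fact
    does not satisfy a 'before overtime occurs' policy)."""
    by_key = {}
    for a in approvals:
        by_key.setdefault((a["employee_id"], a["work_date"]), []).append(a)
    findings = []
    for ot in overtime:
        key = (ot["employee_id"], ot["work_date"])
        prior = [a for a in by_key.get(key, []) if a["approved_on"] <= ot["work_date"]]
        if not prior:
            findings.append(Finding(ot["employee_id"], "overtime_approval",
                                    f"{ot['hours']}h on {ot['work_date']} has no prior supervisor approval",
                                    "block"))
    return findings


def run_payroll_controls(previous, current, approved, overtime, approvals, payments):
    """Apply both controls to a payment run. Returns (payable, blocked, findings)."""
    findings = detect_master_changes(previous, current, approved) + check_overtime(overtime, approvals)
    blocked_emps = {f.employee_id for f in findings if f.action == "block"}
    payable = [p for p in payments if p["employee_id"] not in blocked_emps]
    blocked = [p for p in payments if p["employee_id"] in blocked_emps]
    return payable, blocked, findings


def demo():
    """Constructed sample data: one unapproved bank change, one approved rate change,
    one unapproved cost-center change, one overtime approved only after the fact."""
    previous = {
        "E100": {"bank_account": "CH93-0000-0001", "hourly_rate": 40.0, "cost_center": "CC10"},
        "E200": {"bank_account": "CH93-0000-0002", "hourly_rate": 35.0, "cost_center": "CC10"},
        "E300": {"bank_account": "CH93-0000-0003", "hourly_rate": 50.0, "cost_center": "CC20"},
    }
    current = {
        "E100": {"bank_account": "CH93-0000-0099", "hourly_rate": 40.0, "cost_center": "CC10"},
        "E200": {"bank_account": "CH93-0000-0002", "hourly_rate": 37.0, "cost_center": "CC10"},
        "E300": {"bank_account": "CH93-0000-0003", "hourly_rate": 50.0, "cost_center": "CC21"},
    }
    approved = {("E200", "hourly_rate")}  # approved change requests (employee, field)
    overtime = [
        {"employee_id": "E200", "work_date": date(2024, 3, 12), "hours": 4},
        {"employee_id": "E300", "work_date": date(2024, 3, 14), "hours": 6},
    ]
    approvals = [
        {"employee_id": "E200", "work_date": date(2024, 3, 12), "approved_on": date(2024, 3, 11)},
        {"employee_id": "E300", "work_date": date(2024, 3, 14), "approved_on": date(2024, 3, 15)},
    ]
    payments = [{"employee_id": e, "amount": a} for e, a in (("E100", 6400.0), ("E200", 5920.0), ("E300", 8300.0))]
    return run_payroll_controls(previous, current, approved, overtime, approvals, payments)


if __name__ == "__main__":
    payable, blocked, findings = demo()
    for f in findings:
        print(f"[{f.action.upper()}] {f.employee_id} {f.control}: {f.detail}")
    print("payable:", [p["employee_id"] for p in payable], "blocked:", [p["employee_id"] for p in blocked])
```

In the sample run, E100's payment is held because its bank account changed with no approved request, E300's payment is held because the overtime approval arrived the day after the work, the cost-center change for E300 is only flagged, and E200 is paid because its rate change was approved and its overtime was approved in advance. Treating bank-account changes as blocking rather than flagging is a design choice of this example, not something the article prescribes.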
Closing
Here again, there are multiple aspects of this HR subprocess that GRC can support. The first relates to the process itself. Controls should be in place to ensure that employee terminations are verified by the HR manager, entered in a timely manner, and coordinated with Payroll so that no payment can be made after the final termination payment. This could be achieved by combining two controls, for instance "Insufficient employee notice on termination" and "Unauthorized changes to payroll master". The first is a perfect example of a procedural control, and the second a perfect example of an automated check on configuration and master data. Any deficiency in these controls would need to be reviewed first. Finally, once the offboarding has been planned, access governance once again kicks in. With automated deprovisioning, the company can be assured that all of the ex-employee's active accounts have been removed and that they no longer have access to company resources.
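As an added example (not code from the original article), here is the reconciliation a practitioner would run at this stage, in Python: the HR termination list is checked against payroll to find payments made after the final termination payment, and against the accounts exported from each identity system to find accounts that are still enabled for terminated employees. A sign-in recorded after the termination date is reported separately, because it shows the deprovisioning control already failed once rather than merely lagging. The termination records, payment rows and account exports are constructed for the example, and the field names are assumptions.

```python
"""Offboarding controls (example code, not from the original article).

  1. payments to a terminated employee dated after their final termination payment
  2. accounts still enabled in any system for an employee whose termination date has passed
All records below are constructed; field names are assumptions for the example.
"""
from datetime import date, timedelta


def payments_after_termination(terminations: dict, payments: list) -> list:
    """terminations maps employee_id -> {'termination_date', 'final_payment_date'}.
    Returns (employee_id, pay_date, amount) for every payment dated after the
    employee's final termination payment."""
    late = []
    for p in payments:
        term = terminations.get(p["employee_id"])
        if term is not None and p["pay_date"] > term["final_payment_date"]:
            late.append((p["employee_id"], p["pay_date"], p["amount"]))
    return late


def accounts_to_deprovision(terminations: dict, accounts: list, as_of: date, grace_days: int = 0) -> list:
    """Returns the enabled accounts of employees whose termination date plus the
    agreed grace period is on or before `as_of`. Each entry records whether the
    account signed in after the termination date (a control failure, not just lag)."""
    todo = []
    for acct in accounts:
        term = terminations.get(acct.get("employee_id"))
        if term is None or not acct["enabled"]:
            continue  # current employee, or already deprovisioned
        if term["termination_date"] + timedelta(days=grace_days) > as_of:
            continue  # offboarding planned but the leaving date has not passed yet
        last = acct.get("last_login")
        todo.append({
            "system": acct["system"],
            "account": acct["account"],
            "employee_id": acct["employee_id"],
            "signed_in_after_termination": last is not None and last > term["termination_date"],
        })
    return todo


def demo(as_of: date = date(2024, 3, 31)):
    """Constructed sample: E100 left end of February and still has an enabled AD
    account that was used in March and a regular March salary; E200 left mid-March
    and still has an enabled account; E300 is a current employee."""
    terminations = {
        "E100": {"termination_date": date(2024, 2, 29), "final_payment_date": date(2024, 3, 5)},
        "E200": {"termination_date": date(2024, 3, 15), "final_payment_date": date(2024, 3, 25)},
    }
    payments = [
        {"employee_id": "E100", "pay_date": date(2024, 3, 5), "amount": 2150.0},   # final payment, fine
        {"employee_id": "E100", "pay_date": date(2024, 3, 25), "amount": 3100.0},  # regular run, should not happen
        {"employee_id": "E200", "pay_date": date(2024, 3, 25), "amount": 4800.0},  # final payment, fine
        {"employee_id": "E300", "pay_date": date(2024, 3, 25), "amount": 5200.0},  # current employee
    ]
    accounts = [  # export from each identity system: one row per account
        {"system": "AD", "account": "e100", "employee_id": "E100", "enabled": True, "last_login": date(2024, 3, 20)},
        {"system": "VPN", "account": "e100", "employee_id": "E100", "enabled": False, "last_login": date(2024, 2, 27)},
        {"system": "AD", "account": "e200", "employee_id": "E200", "enabled": True, "last_login": date(2024, 3, 14)},
        {"system": "AD", "account": "e300", "employee_id": "E300", "enabled": True, "last_login": date(2024, 3, 28)},
    ]
    return payments_after_termination(terminations, payments), accounts_to_deprovision(terminations, accounts, as_of)


if __name__ == "__main__":
    late, todo = demo()
    for emp, pay_date, amount in late:
        print(f"payment after termination: {emp} {pay_date} {amount:.2f}")
    for t in todo:
        state = "SIGNED IN AFTER TERMINATION" if t["signed_in_after_termination"] else "idle"
        print(f"deprovision {t['system']}/{t['account']} ({t['employee_id']}): {state}")
```

The grace period parameter exists because many organizations keep a mailbox or a handover account open for a few days by agreement; setting it to zero, as in the sample, is the strict reading of the article's "no longer has access". The two reconciliations share the same termination list on purpose: a termination that never reached Payroll or the identity systems shows up in both reports at once.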