Professional March 2020

Feature topic - Risk assessment and management

payroll until something goes wrong’ is true,” says Gimes. “In times past we defined ‘goes wrong’ as an incorrect payment or non-payment of an employee’s wages. Today however, the concept of an employee data security breach is perhaps the more topical issue as the results of a breach can be extremely serious.”

So, what does effective risk assessment look like in the world of payroll? Northover believes the key is having well-documented procedures that accurately reflect the day-to-day payroll process. This, she says, should be “in conjunction with a proven continuous improvement culture where once problems are identified and rectified, they are then analytically evaluated to provide a solution, where necessary, to reduce the possibility of the same problem occurring again”.

As Gimes observes, risk assessments can take many forms, but he recommends one area for special attention. As a payroll product manager who has been designing software solutions for over twenty years, he insists you would always start with talking to and discussing a risk assessment with your software solution provider. Gimes explains: “One of the areas that companies frequently overlook is assessing whether or not the security levels within their solution are set correctly for the appropriate users. I have often found that a company’s payroll clerks have access to the payroll system’s full functionality and access too to all the personal information held on employees. Sometimes this is for convenience. But most of the time it is due to the solution administrators not knowing, or not setting, the full security options within their payroll solution.”

At Thomson’s organisation, Armstrong Watson, there is a dedicated IT team to assess all aspects of risk, who in turn ensure the payroll systems and data are secure. However, she also takes a personal interest. “I am keen to understand, particularly if cloud-based software, what servers are used,” she says. “Are they based in the UK or EU, or further afield? Are they reliable should retrieval be needed? How robust is the security from hackers? Who is responsible should a cyber-attack happen – the supplier of the software or the end user? If operating in a service environment and a payroll couldn’t be run due to a cyber-attack, who will pay the compensation to the client?”

A thorough understanding throughout the organisation of the business processes and being able to clearly comprehend where the risks lie is both essential and efficient, says Dutton. He insists that senior management need to have a clear understanding of the business process and their purpose in order to be able to risk-assess the operation. “They need to know, for instance, where the risk of error exists and where the main touch points are. They should also be able to pinpoint the key people involved, as human error will typically be the biggest risk to any process.”

Nevertheless, the onus falls on the payroll function itself, insists Scott McClymont, risk and compliance director for SD Worx UK & Ireland. “Payroll professionals not only have to be experts in legislation but increasingly need to be aware of the process and security behind their payroll solutions,” he says. Gimes adds that it is important within payroll systems to have double-checks and to match a payroll worker’s access authorisations to the needs that go with their duties and responsibilities.

As with every arm of an organisation – and, indeed, every organisation, regardless of size – data awareness is more important than ever. That includes knowing where it is processed, held and stored. As organisations mature in their risk assessment and management approach, tracking the errors and issues that occur delivers qualitative and quantitative data which can then be ‘mapped’ to the business process, Dutton advises. This in turn ensures that the higher risks (in terms of likelihood and impact) can be prioritised for action.

“Payroll management needs to be focused on processes and continual improvements to these as evolution in applications will bring greater controls and tools to mitigate risks,” says Dutton. “Individuals should be analytical, great problem-solvers. Gone are the days of manually processing payroll and needing hard workers who can get through mounds of paper for processing. Management should be about mapping and controlling the inputs and outputs to minimise risk, ensure effectiveness and deliver a great experience for the organisation.” What’s more, every payroll department needs to align its processes and technology to simplify and automate as much as is possible, as this is the route to operational excellence.

Of course, no discussion about data can be complete without reference to the General Data Protection Regulation (GDPR), which came into effect on 25 May 2018. This, says Northover, added an “extra onerous” layer of complexity to risk assessment and management in payroll. “While the biggest impact affected organisations in 2018, there is an ongoing requirement to continually appraise all processes affecting personal data,” she observes. “Our EU exit is a prime example of a changing landscape affecting cross-border data processing that any organisation affected will have to
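Gimes’s two points above – payroll clerks holding the system’s full functionality “for convenience”, and the need for double-checks matched to each worker’s duties – amount to a periodic entitlement review. The script below is an added example, not code from this article or from any payroll product: it takes an export of who currently holds which rights, compares each user’s grants against the minimum their documented role needs, and flags anyone holding both halves of a double-check (for example, editing bank details and approving the payment run). The role names, permission names, conflict pairs and user records are all constructed for illustration.

```python
"""Entitlement review for a payroll system.

Flags (1) users granted more than their documented role needs and
(2) users holding both sides of a segregation-of-duties double-check.
All role, permission and user names below are hypothetical, constructed
to illustrate the review; they are not taken from any real product.
"""

# Minimum permissions each role needs for its duties (assumed matrix).
ROLE_PERMISSIONS = {
    "payroll_clerk": {"view_own_team_pay", "enter_timesheets", "run_pay_preview"},
    "payroll_manager": {"view_all_pay", "approve_payment_run", "run_pay_preview"},
    "hr_admin": {"edit_employee_pii", "edit_bank_details", "view_all_pay"},
    "sysadmin": {"manage_users", "manage_security_settings"},
}

# Permission pairs that must never sit with one person: each pair is the
# two halves of a double-check, so one holder defeats the control.
SOD_CONFLICTS = [
    frozenset({"edit_bank_details", "approve_payment_run"}),
    frozenset({"manage_users", "approve_payment_run"}),
    frozenset({"edit_employee_pii", "approve_payment_run"}),
]

# Constructed sample of an access export: who holds what today.
USERS = [
    {"user": "aclerk", "role": "payroll_clerk",
     "granted": {"view_own_team_pay", "enter_timesheets", "run_pay_preview"}},
    # A clerk given "full functionality" for convenience: the case Gimes describes.
    {"user": "bclerk", "role": "payroll_clerk",
     "granted": {"view_own_team_pay", "enter_timesheets", "run_pay_preview",
                 "view_all_pay", "edit_employee_pii", "edit_bank_details",
                 "approve_payment_run"}},
    # A manager who also administers user accounts.
    {"user": "cmanager", "role": "payroll_manager",
     "granted": {"view_all_pay", "approve_payment_run", "run_pay_preview",
                 "manage_users"}},
]


def excess_permissions(user):
    """Permissions granted beyond the user's documented role needs."""
    needed = ROLE_PERMISSIONS.get(user["role"], set())
    return sorted(user["granted"] - needed)


def sod_violations(user):
    """Conflicting permission pairs this single user holds at once."""
    held = user["granted"]
    return sorted(tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= held)


def audit(users):
    """Return one finding per user who has something to fix."""
    findings = []
    for u in users:
        excess = excess_permissions(u)
        conflicts = sod_violations(u)
        if excess or conflicts:
            findings.append({"user": u["user"], "role": u["role"],
                             "excess": excess, "sod_conflicts": conflicts})
    return findings


if __name__ == "__main__":
    for f in audit(USERS):
        print(f"{f['user']} ({f['role']}): excess={f['excess']} "
              f"sod_conflicts={f['sod_conflicts']}")
```

Run against a real export, the excess list is where the “set for convenience” grants show up, and the conflict list is where a double-check has quietly become a single person’s decision; both are findings for the solution administrator, not for the clerk.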

27

| Professional in Payroll, Pensions and Reward |

Issue 58 | March 2020
