GRC Tuesdays: Governance, Risk and Compliance securing the Recruit-to-Retire process
At SAP we tend to talk about 4 key ERP processes for the Intelligent Enterprise:
This blog looks at the second of these, Recruit-to-Retire, and is in fact a follow-on companion blog to Governance, Risk and Compliance securing the Source-to-Pay process that my colleague Thomas Frenehard wrote a couple of weeks ago.
What is Recruit-to-Retire?
SAP visualises the Recruit-to-Retire process as comprising six major steps: Plan, Staff, Onboard, Work, Travel, and Pay & Close. Different groupings of these steps make up frequently used industry subprocesses, for example hire-to-retire, travel-to-reimburse and external workforce management. SAP has a number of foundational cloud solutions covering these steps and subprocesses.
While discussing this topic internally with SAP Human Experience Management SME colleagues, we reached the conclusion that while HR departments understand HR risk well, they seldom look outside their own line of business, for example to assess the overall enterprise risk, or the business consequence, of an HR risk becoming an event.
Thomas also wrote about these steps in some detail in his blog Human Resources and Governance, Risk, and Compliance Working Together earlier this year. In this blog I will be more solution-specific and drill into how GRC can help secure each of the six steps, with examples, and in doing so help the business secure the overall Recruit-to-Retire process and, potentially more importantly, the company's enterprise risk and resilience capability.
Plan
The organisation generates a plan by modelling the demand for talent and budgeting for it. This includes formalised project planning, where individual planners identify more detailed current and future talent needs.
HR risks include failing to account for key-person and leadership succession planning (a recent study showed 43% of UK companies had unexpected leadership changes), global skills shortages (remember the shortage of data protection officers when GDPR was ramping up?), and bad hires. The cost to a business of a bad hire includes the hiring cost, low productivity while they ramp up, the potential cost of their mistakes and of any damage to the business if they are ineffective (or even to a country, if it is a senior enough position), and delays on the projects they were supposed to deliver.
Staff
Identify internal talent: search for existing resources with the required skills. Recruit new hires: open requisitions, find candidates, make offers.
Identifying the right talent through an avalanche of CVs (and working out who, or what, actually wrote them), running a recruitment process with several types and stages of interview and evaluation, choosing between recruitment agencies and your own staff, and navigating the growing variety of employment contracts (full time vs part time, employees vs contingent labour) is complex, time-consuming and fraught with risk. One risk to highlight, with so much personal information moving around, is data privacy and protection, including the distinct duties of a data controller and a data processor.
Onboard
Complete the paperwork, issue the employee with equipment, provision users and roles, complete required training, meet team members, and so on.
Having secured your delightful talent, you want them to sign contracts with the correct legal localisations, follow a well-planned and organised onboarding process, work through all the corporate policies, and be operational as soon as possible, not waiting for equipment or for access to policies, training and business systems. There is also the Transfer of Undertakings (Protection of Employment) regulations (TUPE) risk during a merger or acquisition, where employment terms have to be aligned. A little-appreciated risk is the speed with which you can allocate a new joiner an email account and user ID(s) and provision them into the systems they need, with authorisations appropriate to their role as defined in the HR system. We have had cases where some companies take up to three weeks for a joiner to receive their computer and get access to the systems they need to do their job.
Work
Aside from performing their role duties, there are ongoing development, skills management, performance management, time and cost management, role and location changes, regulatory compliance, and wellness programmes to consider.
It sounds trivial to say that you need correctly skilled people in the locations where the work demands them. Post-pandemic we have all learned that some roles, and some aspects of roles, can be done remotely. But there are many roles where this is not possible, others where productivity is greatly improved by team working, and more junior roles that sometimes need a situational leadership approach, with a lot of supervision initially. Add the current rapid, large-scale changes in global politics affecting the practicalities of out-of-country hires; import/export duties and supply chain challenges that lead to different suppliers being selected, perhaps no longer close to your 'follow-on process' high-skills centres; and talent poaching and churn, and having the right people in the right place at the right time is far more complex and volatile than it was. The consequences can hit goods and service delivery, growth, time to market, revenue and cash flow. Anticipating this and having risk-based contingency plans adds to your resilience, and also to your agility.
Travel
Expense policy management and supervision, travel and expense recording and submission, claims validation.
Well-known risks are claims fraud, bribery and corruption routed through expenses, collusion leading to fraud, and accidental or deliberate breaches and abuse of travel and expense policy. Managing this consistently, cost-effectively and quickly is not always easy, and that is itself a risk to the business.
Pay & Close
Total compensation, payroll and tax, incentives and benefits payment, expenses reimbursement, severance/retirement agreement, update financial statements, off-boarding, deprovisioning.
Labour cost is frequently one of the highest costs for a business, and errors in paying employees and contractors can lead to financial loss and employee disaffection. Fines can arise from incorrect employment paperwork (for example incorrect employment and wage eligibility), from under-insurance (a recent study showed 15.6% of employers are unknowingly under-insured for employee liability), and from companies being unaware of regulatory changes (e.g. changes to anti-bribery and corruption law, or duties under GDPR).
A specific risk to mention is employee payment errors during period-end and year-end close which, aside from the impact on employees, can lead to financial statement errors, audit findings, costly remediation, reputational damage and, in the worst cases, large-scale labour disputes and fines.
SAP Cloud solutions for GRC to the rescue!
The figure below summarises examples of vulnerabilities and risks at each step of the Recruit-to-Retire process.
Individual risks obviously lead to cost and delay within each step. Their individual, or worse cumulative, impact can however leave the end-to-end process ineffective or even broken. Luckily there are cloud Governance, Risk, and Compliance, Cybersecurity and Data Protection solutions from SAP ready to be deployed to help prevent these risks from becoming damaging events.
Companies can use these solutions to help develop a pro-active risk management approach to the Recruit-to-Retire process, thus safeguarding their employees, reputation, and financial viability.
In an alternative use of SAP Watch List Screening, in the Plan step employers can automatically screen the agencies they use to recruit employees in case those agencies are sanctioned, and can independently assess role candidates in case they appear on a watch list or a sanctioned-party list, or are, for example, associated with organisations supplying services to the public sector.
In the Staff step, SAP Privacy Governance helps companies document and manage the risk of improper processing of personal data during staffing: for example, whether 'privacy by design' is in place for both your organisation and the third parties involved in staffing, the accountability duties of the data controller and data processor, data retention and deletion requirements, and which processing activities during staffing are lawful.
During Onboarding, SAP Identity Access Governance helps companies give new employees the authorisations appropriate to their role, as defined in and read from the HR system, automatically and rapidly, ideally on or just before their first day of work. It also helps organisations enforce segregation of duties and keep data invisible between sensitive LOBs.
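The onboarding and off-boarding risks above (slow provisioning of joiners, leavers who keep their access, and segregation-of-duties conflicts) come down to one reconciliation: derive each person's target access from their HR record, compare it with what the system actually holds, and hold back any HR-defined role set that itself breaks an SoD rule. The following is an added illustration of that logic, not SAP Identity Access Governance code; the HR feed, job-to-role mapping, SoD rules and current system state are all constructed for the example.

```python
"""Joiner/mover/leaver reconciliation driven by the HR record, with a
segregation-of-duties (SoD) check.

Added illustration, not SAP code: the HR feed, job-to-role mapping,
SoD rule set and target-system state below are constructed for the example.
"""

# Constructed HR feed: the HR system is the source of truth for who works
# here, in which job, and whether the record is still active.
HR_FEED = [
    {"emp_id": "E100", "job": "AP_CLERK", "status": "active"},
    {"emp_id": "E200", "job": "PAYROLL_ADMIN", "status": "active"},
    {"emp_id": "E300", "job": "AP_CLERK", "status": "terminated"},
]

# Constructed job -> roles mapping (what a job should be provisioned with).
JOB_ROLES = {
    "AP_CLERK": {"VENDOR_INVOICE_ENTRY"},
    "PAYROLL_ADMIN": {"PAYROLL_RUN", "BANK_DETAILS_MAINTAIN"},
}

# Constructed SoD rules: role pairs one person must never hold together.
SOD_RULES = [
    frozenset({"VENDOR_INVOICE_ENTRY", "VENDOR_PAYMENT_RELEASE"}),
    frozenset({"BANK_DETAILS_MAINTAIN", "PAYROLL_RUN"}),
]

# Constructed current state of the target business system.
CURRENT_ACCESS = {
    "E100": {"VENDOR_INVOICE_ENTRY", "VENDOR_PAYMENT_RELEASE"},  # more than the job needs
    "E300": {"VENDOR_INVOICE_ENTRY"},                            # leaver never deprovisioned
    "X999": {"PAYROLL_RUN"},                                     # account with no HR record
}


def sod_conflicts(roles):
    """Return the SoD rules fully contained in a role set, as sorted tuples."""
    roles = set(roles)
    return sorted(tuple(sorted(rule)) for rule in SOD_RULES if rule <= roles)


def target_roles(record, job_roles):
    """Roles an HR record entitles someone to: nothing unless the record is active."""
    if record.get("status") != "active":
        return set()
    return set(job_roles.get(record["job"], ()))


def reconcile(hr_feed, job_roles, current_access):
    """Compute the grants and revokes that move the system to the HR-derived state."""
    actions = []
    for rec in hr_feed:
        eid = rec["emp_id"]
        have = set(current_access.get(eid, ()))
        want = target_roles(rec, job_roles)
        actions += [("revoke", eid, r) for r in sorted(have - want)]
        actions += [("grant", eid, r) for r in sorted(want - have)]
    # Orphan accounts: present in the system, absent from HR. Revoke everything.
    known = {r["emp_id"] for r in hr_feed}
    for eid in sorted(set(current_access) - known):
        actions += [("revoke", eid, r) for r in sorted(current_access[eid])]
    return actions


def blocked_grants(hr_feed, job_roles):
    """Active records whose HR-defined role set itself violates SoD.

    These should be held for review rather than provisioned automatically;
    reading roles from HR does not help if the job definition is the problem.
    """
    held = {}
    for rec in hr_feed:
        conflicts = sod_conflicts(target_roles(rec, job_roles))
        if conflicts:
            held[rec["emp_id"]] = conflicts
    return held


if __name__ == "__main__":
    for action in reconcile(HR_FEED, JOB_ROLES, CURRENT_ACCESS):
        print(*action)
    print("held for SoD review:", blocked_grants(HR_FEED, JOB_ROLES))
```

Run as a script it lists the four revokes and two grants, and reports that E200's job is itself an SoD conflict (bank details maintenance plus the payroll run), so the grant for that person should be held rather than applied. Real deployments add a mover case (job change, which the same diff handles) and a grace period for contract-end dates, which are left out here.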
Once employed, i.e. during the Work, Travel and Pay & Close steps, SAP Financial Compliance Management helps automate internal controls over financial processes. Companies can minimise the risk of misstatements in their quarterly and annual reports, and protect against fraud and bribery, with a strong internal controls framework and system. The solution helps document the most important business processes and the corporate exposure where operations are under-skilled or under-staffed. It helps achieve a quicker and less error-prone period-end and year-end close, and companies can also monitor and document inconsistencies in operating procedures and policy.
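The travel-and-expense risks listed under the Travel step (duplicate or fraudulent claims, collusion, and policy breaches) are a good illustration of what an automated control looks like in practice. The following is an added example, not code from SAP Financial Compliance Management: the policy values and the claims are constructed, and the four checks (a receipt reused across claims, a bill split into sub-threshold claims to dodge approval, a category ceiling exceeded, and a claimant approving their own claim) are common control tests rather than anything the page specifies.

```python
"""Automated control checks over travel-and-expense claims.

Added illustration, not SAP code: POLICY and CLAIMS are constructed for the
example, and the rules are typical expense controls, not a product feature.
"""
from collections import defaultdict
from datetime import date
from decimal import Decimal

# Constructed policy: claims at or above the threshold need a second approver;
# per-category ceilings are hard limits.
POLICY = {
    "approval_threshold": Decimal("100.00"),
    "category_limits": {
        "meal": Decimal("100.00"),
        "hotel": Decimal("200.00"),
        "taxi": Decimal("60.00"),
    },
}


def claim(cid, emp, approver, d, merchant, cat, amount, receipt):
    return {"id": cid, "emp": emp, "approver": approver, "date": d,
            "merchant": merchant, "cat": cat, "amount": Decimal(amount), "receipt": receipt}


# Constructed sample claims (not real data).
CLAIMS = [
    claim("C1", "E100", "M1", date(2024, 3, 4), "Hotel Alpha", "hotel", "180.00", "R-1"),
    claim("C2", "E100", "M1", date(2024, 3, 4), "Hotel Alpha", "hotel", "180.00", "R-1"),  # same receipt again
    claim("C3", "E200", "M1", date(2024, 3, 5), "Bistro Beta", "meal", "95.00", "R-2"),    # one bill, split...
    claim("C4", "E200", "M1", date(2024, 3, 5), "Bistro Beta", "meal", "90.00", "R-3"),    # ...to stay under 100
    claim("C5", "E300", "E300", date(2024, 3, 6), "Cab Co", "taxi", "40.00", "R-4"),       # approves own claim
    claim("C6", "E400", "M2", date(2024, 3, 7), "Bistro Beta", "meal", "120.00", "R-5"),   # over meal ceiling
]


def audit_claims(claims, policy):
    """Return (rule, claim_id, detail) findings for every control violation."""
    findings = []
    threshold = policy["approval_threshold"]
    limits = policy["category_limits"]

    # 1. The same receipt submitted on more than one claim by the same employee.
    seen = {}
    for c in claims:
        key = (c["emp"], c["receipt"])
        if key in seen:
            findings.append(("duplicate_receipt", c["id"],
                             f"receipt {c['receipt']} already used on {seen[key]}"))
        else:
            seen[key] = c["id"]

    # 2. Several sub-threshold claims (same person, day and merchant) that together
    #    reach the approval threshold: the classic way to avoid a second approver.
    groups = defaultdict(list)
    for c in claims:
        groups[(c["emp"], c["date"], c["merchant"])].append(c)
    for (emp, d, merchant), grp in groups.items():
        total = sum(c["amount"] for c in grp)
        if len(grp) > 1 and all(c["amount"] < threshold for c in grp) and total >= threshold:
            for c in grp:
                findings.append(("split_below_threshold", c["id"],
                                 f"{emp} {d} {merchant} total {total} >= {threshold}"))

    # 3. Hard ceilings per category.  4. Claimant approving their own claim.
    for c in claims:
        limit = limits.get(c["cat"])
        if limit is not None and c["amount"] > limit:
            findings.append(("over_category_limit", c["id"], f"{c['cat']} {c['amount']} > {limit}"))
        if c["approver"] == c["emp"]:
            findings.append(("self_approval", c["id"], "approver is the claimant"))
    return findings


if __name__ == "__main__":
    for rule, cid, detail in audit_claims(CLAIMS, POLICY):
        print(f"{rule:24} {cid:4} {detail}")
```

Amounts are kept as Decimal rather than float so that threshold comparisons are exact. The split check deliberately looks at claims that are each below the threshold; C1 and C2 share a merchant and day but are each over it, so they are caught by the duplicate-receipt rule instead.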
Underpinning the Recruit-to-Retire process is the Intelligent Enterprise, which SAP supports through Business Process Intelligence. At their core, HR processes are heavy users and processors of personal information; they increasingly run on public cloud systems, and access and processing frequently cross geographical and political boundaries. SAP Data Custodian enables companies to demonstrate and deliver controls over public cloud resources and applications. In parallel, SAP Enterprise Threat Detection, a high-volume, real-time security information and event management tool, helps companies proactively identify, analyse and neutralise cyberattacks against their SAP applications at the business level, before, for example, a serious breach occurs.
One final thing to note is that the same SAP cloud GRC solutions apply to both the Source-to-Pay and Recruit-to-Retire processes. In other words, business and IT investment in these solutions brings multiple benefits within an organisation:
- Improving the return-on-investment business case
- Reducing the overall IT footprint
- Reducing change management effort and user disruption, as there are fewer solutions to be trained on
- Increasing simplicity and integration by adopting SAP solutions with a native SAP ERP integration