Building control frameworks has always been my personal favourite focus area when I managed global payrolls. I still remember sitting beside the pool in Spain in July 2015. The family-in-law, my wife, and I were on holiday in a nice place with a refreshing pool. Sitting at the edge of the pool reading a book about tax control frameworks, made me think:

Shall I also write up my experience to date? Will people even be interested in reading it? 

Instead of diving into the pool, I decided to dive into this new adventure. So I submitted the article idea to the Global Payroll Management Institute (GPMI, now PAYO) and later in the year wrote a three-piece series of articles called “Take Charge with a Global Payroll Control Framework”.

I have been refining and fine-tuning the approach ever since in new articles, courses, and webinars. And I am now ready to share this experience with you. This article is the first of a series of 4; in this initial one I will outline the lay of the land and in the next three I will detail controls for pre-payroll, run payroll, and post-payroll, and link them to the platform I always wanted to have to operate my framework when I was a Global Payroll Manager; Payzaar.

Of course, let me first link this to the overall best practice around Global Payroll Management. While all components are truly interlinked, the GPCF focuses on the section Risk & Control as part of the component Global Payroll Governance and as it is so linked, also the section Objectives as part of the component Global Payroll Strategy.

Objectives

The main categories of objectives will vary between organisations. Having said that, it is a best practice to break down the objectives into these three categories:

• Payroll Efficiency. The efficiency refers to how well resources (e.g. such as people, time, budget, effort) are utilised to accomplish the north star; the purpose statement. It focuses on minimising unnecessary steps, shortening payroll calendars, and optimising processes to achieve results with the best possible balanced resources and the lowest Total Cost of Ownership (TCO) possible. In other words, efficiency is about doing things right and maximising results while minimising effort: the route to success. 
• Payroll Effectiveness. The effectiveness measures the extent to which a particular goal or objective is achieved, such as payroll accuracy and worker and stakeholder satisfaction. It focuses on whether the desired results are achieved and whether the intended outcomes are met. Effectiveness is about doing the right things and getting the desired result: achieving success.
• Payroll Compliance. The compliance position of global payroll is part of the licence to operate for a business, therefore serving as an object category in itself. Compliance is often about processing payroll changes (e.g. starters, leavers, movers), pay policies, and benefits in a compliant manner. This should result in timely, accurate, complete, and compliant statutory filings and subsequent payments. Getting this right, by measuring it, is challenging in a multi-country web of ever-changing rules and regulations.

Just to give you some examples, here are some objectives I have implemented.

This should get you started!

Risk & Control Management

Often, controls are designed and operated based on experience and gut feeling. While this is very valuable, it also creates a risk of operating controls that don’t actually mitigate or monitor a risk. This means we spend time and resources operating controls that add no value. I always argue that reviewing, designing, and operating controls should start with risk management first! Now, this is always in reverse which doesn’t really matter, as long as you acknowledge that a control should mitigate a risk. I always advocate that if a control doesn’t mitigate or monitor a risk, why do it? If you find yourself operating a lot of (local) controls, gather the details around those and then take a step back to start with risk management.

Risk management for global payroll refers to the ongoing process of identifying, assessing, and categorising potential risks that could adversely affect meeting the purpose statement, brand promise, and objectives. The goal of risk management is to proactively anticipate and address potential risks to ensure accurate, timely, and compliant payrolls. Here's an expanded explanation of risk management for global payroll:

1. Continuous Risk Identification. Global payroll risk management involves constantly scanning and monitoring the internal and external factors that could be a threat to the payroll function. This involves identifying internal risks such as process vulnerabilities, data security concerns, potential system issues, and key high-risk data points (manual upload, complex data orchestration) and events (e.g. starter, mover, leaver) for validation. Identifying risks is a crucial first step, and should be repeated continuously (at least every quarter). Once identified, this is the best way to describe the risk: [Event/activity that affects objectives] caused by [cause/s] resulting in [negative consequence/s].
2. Risk Assessment and Analysis. Once risks are identified, a thorough assessment and analysis are conducted to determine the potential impact and likelihood of occurrence for each risk. The impact can be assessed based on material ($ of fines, financial misstatements) exposure and immaterial exposure (hiring profile, employee satisfaction, reputation) for which the results can be tolerable, unacceptable, or intolerable. This impact mapping is not always an exact science and should be approached with a mix of data points, common sense, and stakeholder involvement. The likelihood is the risk of the event occurring, for instance improbable, possible, and probable, and requires an understanding of the maturity level of process, staff, and data handling. The risk assessment process best involves other more specialised functions, such as Finance & Audit, to ensure alignment with the overall risk assessment processes. This likelihood and impact will result in a risk score (e.g. likelihood is 3 and impact is 2 so the score is 6). By assessing risks this way, you can easily classify risks.
3. Classification of Risks. After assessing risks, they are classified based on their risk score (likelihood and impact). High-risk events are given top priority, as they have the potential for significant negative impact. Medium and low-risk events are also considered, but resources are allocated based on the likelihood and potential consequences.
4. Risk Responses. The risk responses vary from acceptance, to monitoring, to mitigating the risk. The responses have a direct impact on the design of fit-for-purpose controls, and help prioritise investment in developing these controls, assigning resources and possibly going to market to find the tools to do that.
5. Monitoring and Review. Risk management is an iterative process, and it requires the ongoing monitoring of identified risks and new risks. Global payroll should continuously review the effectiveness of the mitigation strategies (controls), update risk assessments as circumstances change, and adjust risk management plans accordingly. This ensures that the risk management approach remains relevant and responsive to evolving global payroll challenges.

To get a flavour of what some commonly identified, described, assessed and classified risks with appropriate responses look like in global payroll, here are some examples:

In short: risk management for global payroll is a systematic and proactive approach that enables them to anticipate, assess, and address potential challenges to getting payroll right.

Designing controls within global payroll is an art in itself. With the design principle in mind, we need standardised controls that allow local deployment to ensure compliance locally. This means the control should be flexible by design to satisfy that need. A way to do that is to design controls using these characteristics.

• Control Objective. The overall objective summarises the intent and purpose of this control. What is the desired outcome, why would we even spend time deploying and operating this control? 
• Control Guideline. This intends to aid management, internal audit, external audit, and other stakeholders in understanding the control activities and steps at a high level.
• Control Classification. Like risks, controls are also classified and now as key or non-key. Key controls mitigate and/or monitor key risks or a set of medium to low risks, demonstrating the importance of the design and operating effectiveness.
• Control Type. A control is either preventative and/or detective in nature and serves different purposes. Preventative controls aim to prevent risks from occurring, while detective controls focus on identifying risks or incidents after they have happened. Preventative controls are proactive, while detective controls are reactive. Both types of controls are crucial, ideally balanced to mitigate the same risk in separate controls.
• Control Method. Control methods are either manual, automated, or IT-dependent. Manual controls of course rely on human intervention and oversight to ensure proper execution, such as manual data entry verification, and manual review of documents and outputs. Automated controls are executed by systems or software without direct human involvement and are designed to perform repetitive tasks efficiently and accurately. Examples include automated backups, software updates, and automated access controls, and assignment of role-based profiles. IT-dependent controls leverage systems of software to monitor and manage risks but combine human involvement. Examples include automatic variance and threshold reports that then require review and validation by humans without the need to manipulate the report itself.
• Control Owner & Operator. This lists the position of the owner of the control, who is accountable for the deployment of the control and approval of results, and the operator of the control, who is responsible for the execution of the control.
• Control Frequency. The frequency typically follows the pay cycle (e.g. monthly, weekly, bi-monthly, semi-monthly, bi-weekly), for a set time period (e.g. quarterly, annually) or on occurrence (e.g. per transaction, file transfer, interface).
• Control Timing. This is often either tied to the payroll process (pre-payroll, run payroll, post-payroll) or to occurrence. Understanding the timing helps in planning the workload across each payroll cycle.
• Local Control Parameters. While all the above control characteristics are global in nature, this characteristic is local and allows for local nuances. For a variance control, for instance, this is where you would set the variance percentage for which a detailed clarification justifying the variance must be found. Or, for a threshold control from which amount a detailed clarification justifying the amount exceeding the threshold must be found. Another common local parameter is locally driven details around processing hires and leavers, or certain benefits (e.g. medical, sell to cover for equity), and their taxability.

So, what now?

I appreciate that was a lot of theory to digest, so let’s make a segway into what a GPCF should actually look lille. I summarised the GPCF in these easily digestible pictures:

This specifies controls in each stage of the end-to-end payroll process; pre-payroll, run payroll, post-payroll including process-independent controls. From now on, I’ll focus on those controls and how they can be implemented with the support of the Payzaar platform. Trust me, you’ll find that very interesting and you might even use this best practice for the rest of your career. Stay tuned!

I am a Global Payroll Professional and a passionate one too! After managing global payrolls across the world for about 20 years, I found there must be a better way of doing this. I joined Payzaar - the global payroll management platform everyone needs and can easily implement.

Oh yes, we are just fun to work with too - Let's chat about the Payzaar Experience!