Is Payroll at the Corporate Core of Data Risk?
Payroll teams sit at the centre of the largest volume of manual processing of personal data in the organisation today. They are hampered by disconnected systems, lack end-to-end processes and are subjected to constant deadline pressure to ensure that employees are paid accurately and on time. Against this backdrop, the organisation is bearing unnecessarily high risks.
Myriad of Data Sources
Anyone who has had an introduction to payroll operations within a company realises that payroll specialists are in a race to get every employee paid correctly and on time, and that they are battling with a myriad of disconnected data sources:
- Starters and leavers from the HR system
- Time data tracked in a TLM system or time sheets
- Changes in salary and bonus information generated from a compensation review system
- Changes in health insurance premiums that flow in from the provider’s portal
- Pension and retirement savings decisions from employees through paper-based election forms
- Benefits premiums based on employee selections from different local benefits systems (e.g. health care plans, company cars, lunch vouchers, etc.)
- Commission in spreadsheets or commission system
These sources of data come from a collection of systems, spreadsheets and emails from within the organisation and need to be modified to meet the formats of external payroll outsourcing providers or transformed to be suited for upload into their in-house payroll system.
Once the data is loaded into an in-house payroll system or sent to the outsourced provider, the checking process starts. Reports and spreadsheets are emailed and downloaded to ensure that changes have been made to the correct employee, variance analysis is performed, and more reports, spreadsheets and emails flow around the organisation to support approval. If issues are found – and they often are – corrections need to be made, which starts the payroll calculation process again, with the attendant data transformation and communication with external teams. Each cycle represents an Information Security risk.
Bring Back Steam: The Spreadsheet and Email Industry
The manual data transformation industry does not stop at payroll being correctly calculated: payment files containing bank details, communications containing benefits, retirement contributions, health insurance information and garnishments are being sent to and fro once payroll has been approved, all in different formats and systems with different levels of sophistication. Email, spreadsheets, FTP servers, macros, file shares, online collaboration tools are all in use, some with enforced usernames and passwords, some with two-factor authentication and some secured with the hope that a spreadsheet has been password protected with more than “Password123”.
Each of these micro-transactions creates a risk point:
- Are spreadsheets of employee data always password protected, are the passwords strong and do they always conform to the business's password guidelines, or is there the occasional lapse under time pressure?
- Are email recipients always authorised to see the data or from time to time does an unintended person receive data?
- Is the data always deleted from laptops and desktops?
- Are data retention rules applied assiduously to this data, or are there times when we do not know where to look to truly know that data was purged correctly?
- Are near misses reported to support root cause analysis and to learn from it for the future?
Appropriate Organisational Response to GDPR
In response to GDPR, which went into effect almost a year ago, many organisations have been working against a deadline to straighten out this web of manual data manipulation. Policies and procedures are being put in place that have the effect of slowing the payroll teams down, which is just plain bad; the behavioural implications are severe, as you will see below. Were the right tools chosen, was ease of use considered, were any efficiency gains made to support the payroll team, or was there a knee-jerk reaction to slap in controls that ignored the realities of payroll operations?
The Stark Reality: Risking a Data Breach Versus Not Making Pay Day
Every day the payroll team is balancing the “risk” of a data breach against the “hell to pay” if something goes wrong with payroll. The immediacy of the problem if payroll goes wrong or is late will always trump the risk of a potential data breach, so when timelines are tight, old habits of getting things done will re-emerge long after the GDPR transformation team members have left and the posters about “Being the Change” have been taken down from work spaces. It is like living on the San Andreas fault: the risk of an incident is building all the time, but maybe it will not be this month or this year, so it is pushed to the back of our minds. Some day the house will come tumbling down in a catastrophic way.
What Can Be Done About All of This?
In the rush to reduce the risk of a data breach, those driving the GDPR / Information Security initiatives need to understand human behaviour. When looking at the payroll organisation in particular, they need to be empathetic to the pressure that payroll teams are under, with the benchmark for doing their job being 100% right, on time, every time. Any controls that are put in place need to support the payroll team in doing this job, speed up the process, drive accuracy and support timeliness; in doing so they will support the organisation's need for Information Security. Otherwise, the data breach risk in payroll will remain stubbornly high.
Improve the User Experience
Modern, easy-to-use communication and document management tools that encapsulate the communication of payroll data between in-house teams and payroll providers are a key element in reducing the massive data risks that organisations are facing. These are secure collaboration tools that manage structured and unstructured messaging between the players in this time-sensitive process. They provide stringent access control to data on an authorized-to-know basis, where only pre-authorized, properly authenticated personnel can access the workspace in which sensitive data is being exchanged and stored. They have been designed with payroll operations and ease of adoption in mind, reducing the chances that the industry of email and spreadsheets re-emerges. These environments are workflow-driven, so that the different participants in the payroll process have easy yet secure access to the information they need to play their part in the overall execution of the payroll. That is a key starting point.
In all of this, it is very important to have a holistic, global perspective across the entire organisation. While many organisations have started to shore up their processes and tools in their larger hub countries, it is typically the smaller countries that remain a bit of a “Wild West” when it comes to secure communication, data protection and management controls. That can be due to local culture, a lack of infrastructure or a lack of resources given the smaller scope of the country.
This is where having a global collaboration and data management platform like Payzaar that can be readily deployed with any existing local payroll backend systems can really help to ensure a globally consistent and trusted way of managing sensitive data.
Enhance Data Connectivity
Minimizing manual intervention and human touch points with sensitive data is another way to reduce the risk of data being compromised. Review and reduce the data sources that require manual intervention. This is far more difficult and akin to open-heart surgery: you have to plug systems in and out while keeping payroll running. Choosing platforms like Payzaar that help in automating workflows and data flows and that can work with different data sources – for example, by automatically aggregating local payroll data into consolidated payroll reports for HR and Finance analysts rather than manually creating the reports in Excel – can significantly reduce the time and risk involved in otherwise manual activities.
It is often said that culture (i.e. “the way we do things around here”) will always trump strategy. Many of the deep thinkers on these topics have concluded that for a strategy to be successful it needs to integrate the organisational culture. The culture of the payroll team is driven by the timeliness and accuracy imperatives that influence “how they do things around here”. For the Information Security strategy to be successful in payroll, it needs to be executed with the payroll benchmarks to the fore, which means providing payroll teams with convenient, easy-to-use tools and platforms that help them secure communication processes and reduce the need for manual intervention as much as possible. Otherwise, the risk of a data breach in payroll will remain stubbornly high.