Risk and Controls Management - HR Employee Services
Any operation with material impact on financial reporting and regulatory compliance requirements must manage significant risk factors. An HR Employee Services function operates within such a risky environment. An effective, legally compliant internal risk and controls management strategy is the cornerstone of proactive risk mitigation. This article summarizes an industry standard controls framework and examines key concepts applicable to each element of that framework.
Most corporations have process controls embedded within their operations which mitigate standard business risks and meet basic internal standards. Risk and controls management is not only an internal business requirement, but has become the focus of intense regulatory scrutiny, the Sarbanes-Oxley Act of 2002 being a key example.
We are all aware of the impact of poor internal controls in the wake of Enron and WorldCom. A recent Compliance Week report highlighted 14 companies which disclosed internal control weaknesses, and CNBC recently reported on a publicly traded company which delayed reporting financial data due to "…internal control weaknesses". Not only are internal control issues publicly visible, but they can have serious consequences, leading to a decline in shareholder value or senior management shakeup.
HR Employee Services Risk Environment
A global Employee Services function operates under a plethora of compliance requirements and manages processes with significant fiduciary responsibility, resulting in significant inherent operational and external regulatory risk. Within the Payroll & Employee Reimbursement functions there are a myriad of fiduciary risks with potential impact on financial reporting processes, risk of financial loss, and significant regulatory compliance risk. Benefits Administration is impacted by legal compliance requirements as well as financial reporting and fiduciary risk impacts in areas of retirement and stock benefits management. Relocation is faced with compliance to immigration laws and complex tax regulation. Employee information services must manage risk related to data privacy and legal risk (liability) caused by potential dissemination of incorrect information.
A global organization’s risk profile is also inherently more complex due to differences in laws, regulation and culture. Within such a complex risk environment, effective risk and controls management is critical in order to achieve operational objectives. Controls management is important to help meet key business goals:
- staying "legal";
- anticipating and mitigating business risks;
- conducting business with uncompromising ethics;
- safeguarding assets and limiting liability/exposure.
A Structured Controls Framework
The key to controls management is a structured foundation which provides the building blocks for the implementation of effective operational, financial reporting and compliance risk mitigation objectives. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework provides an industry standard guideline for risk and control management. The framework is also supported within the SOX requirements, and it had served as a solid foundation within the industry for many years, even before SOX.
The key elements of the original COSO model are summarized below. The elements are reviewed in more detail in the main body of this article, specifically outlining practical tactics to implement the framework at an operational level.
The COSO framework consists of five key elements:
1. Controls Environment: This states management expectations of values, ethics and controls management. It defines infrastructure and review mechanisms.
2. Risk Assessment: the techniques and tools used to analyze business process risk and identify controls issues which could impact business objectives. This activity is the key to proactive risk mitigation.
3. Controls Activities: this refers to the specific risk mitigation process and procedures established to ensure that controls objectives are achieved.
4. Monitoring: management review of controls objectives supported by quantitative indicators.
5. Information and Communication: required to link all elements of the framework; assures that all stakeholders in the controls management process receive the proper and sufficient information in order to meet objectives.
Much of proactive risk mitigation activity is work that is completed in parallel to "Job-1": pay employees; manage benefits; move people, etc. Structured controls activities will require additional effort in order to succeed and to be embraced. It is imperative, therefore, that management role-models support of the controls environment and backs it with concrete supporting actions. For example:
- documented strategic and tactical controls objectives and behavioral expectations;
- formal senior management review committees, as well as controls updates required as agenda item at departmental reviews;
- funding of controls resources and infrastructure to support the execution of controls deliverables.
Risk Assessment Elements
Risk assessment is a proactive risk mitigation process, enabling the detection of new risks and verifying the effectiveness of existing control activities. Risk assessments, when executed properly, require time and resource investment. Therefore, risk assessments should be well-planned and prioritized in order to assure a focus on the "riskiest" areas, based on financial and legal compliance violation risk criteria. This part of the framework includes a number of activities. Risk mapping is a planning process. Risk assessment is a detailed analysis of existing processes as well as those within process & system improvement projects. Lastly, self-audits assure that key new controls derived from the risk assessments are working as designed, post implementation.
Risk mapping: The purpose of this analysis is to identify an organization’s "riskiest" areas/processes and prioritize these as candidates for a detailed risk assessment analysis. A generally higher level review of the operational environment, it takes into account management concerns, environmental changes, and recent audit and quality issues. The result of a risk mapping analysis should be a list of operational areas graded by level of potential risk impact to the organization’s objectives. This is often best depicted in a roadmap of planned risk assessment activity over a 6-12 month period.
Risk assessment (RA): This is a detailed analysis which assesses the effectiveness of controls. The purpose is to identify any controls weaknesses. The flow of analysis is as follows:
1. identify focus areas and scope;
2. identify the business objective;
3. understand the business processes;
4. identify and prioritize the business risk;
5. evaluate the effectiveness (or existence) of controls;
6. develop plans to close gaps – then execute the plan.
Risk assessments for process improvement & system implementation: new system implementation and process improvement projects will likely change risk profiles and control requirements. Effective RAs as a part of the project life cycle will mitigate both risk to the project and operational risk of the new process or system.
There are two key elements of RAs within the PLC:
- one is to assess the risks potentially impacting management of the project itself; in essence, effective project contingency planning;
- a documented RA of the new process is the second element. The RA should be executed before implementation to ensure that controls are embedded into the final process design. Self-audits are initiated after the new controls improvements (or system change) have been in place for a 3-6 month period. This activity should involve a test of the actual controls in place, ensuring that the new process is working as designed and any controls gaps have been effectively mitigated.
Controls Activities
Controls activities are the risk mitigation actions, processes and procedures implemented in support of business objectives. Existing activities should be reviewed through the risk assessment process. New activities will evolve as a result of gaps identified through the RA process and business process changes. There are four main types of control activities. Controls which are proactive and can stop a risk from occurring are termed "preventative", whereas controls executed after a potential loss or problem could have occurred are "detective" controls. The method of controls execution is an additional consideration: system- or software-based controls are "automated"; people-dependent controls are termed "manual".
Monitoring
Monitoring supports a number of controls management objectives: communication, measurement of control effectiveness and management review of control status. Some examples of measures which facilitate monitoring:
- framework scorecard: this measures the level of acceptance and use of the framework;
- training goals: measure progress to ethics training or general controls training objectives;
- performance against schedule: measures progress of risk mitigation plans and risk assessment actions;
- indicators: quality indicators, trending of reconciling items, tracking compliance reporting issues, or late report submissions are just some examples.
Information and Communication
Although a seemingly obvious requirement, flawless management of this element of the framework can make the difference between success and failure of an organization’s controls initiatives. Design of communication strategies and choice of information should take a number of factors into consideration:
- Controls framework maturity: if the framework is being newly implemented, "buy-in" and behavioral changes may be objectives. Communications with senior management and visible endorsement, which stress the framework’s benefit to achieving organizational objectives, will facilitate this goal.
- Organizational structure: within larger organizations, business processes of the HR life cycle (Hire-Pay-Change-Move-Term-Retire) will often cut horizontally across a number of autonomous departments. The resulting interdependencies require the inclusion of all key stakeholders in the communication process. Inter-departmental teams and controls working groups are an ideal method for information dissemination in such an environment.
In conclusion, risk and controls management is a critical element for business success. A progressive, legally compliant and competitive HR employee services organization requires a structured risk and controls management strategy. The COSO framework can serve as a guideline for developing a solid controls framework, facilitating risk mitigation of regulatory/compliance, financial and operational challenges. This column solely reflects the views of its author, and should not be regarded as legal advice. It is for general information and discussion only, and is not a full analysis of the matters presented.