DON’T FORGET ABOUT HR: Using Archer Incident Management for Employee Relations Incidents
1 WHAT GOT US HERE?
2 OUR PREVIOUS TOOL . Homegrown system − Inconsistent usage − Limited reporting capabilities − Fewer security measures
3 HOW WE MET
OUR ARCHER STORY
4 ARCHER USE AT GM FINANCIAL
U S E C A S E S APPS
. Incident Management . Incidents . Compliance Management . Investigations . Legal Matters . Contacts . License Management . Facilities . Issues Management . Business Hierarchy . Business Continuity Management . Task Management . Policy Management . Risk Management . Risk Assessments
5 ARCHER PROFILE
HR SWIPED RIGHT . HR module implemented in version 5.5 − May 2017 for pilot group − June 2017 rollout to full HR Business Partner Team . Upgrade to 6.3, February 2018 . Hosted On-Premise . Leverage Corporate Security Incident Management module . Approximately 30 HR users
6 EXPERT PARTNER
PWC’S GRC ENABLEMENT METHODOLOGY . PwC began their relationship with us by performing a GRC health check in Fall 2016. . We engaged PwC: − Assist us in addressing developing a GRC governance model − Expanding the use of Incident Management by our Corporate Security, Cyber Security and Human Resources departments − Create use cases to enable risk assessments for internal technology partners and third party providers − Configure Compliance Management to support IT Compliance workflow − Extend use of Compliance Management to support Corporate Compliance − Upgrade our hosted version from 5.5 to 6.3 and provide user acceptance and training
7 EXPERT PARTNER Our approach is more than just implementation, its about understanding processes and how to best automate them. Our methodology helps move companies through the implementation lifecycle, including designing a Data model/Taxonomy to provide consistency, creating a comprehensive Roadmap approach for implementation, and a Governance Structure to manage the tool. GRC Technology Enablement Methodology Data Model & Governance Structure Roadmap Implementation Taxonomy
• Define data elements • Determine stakeholder • Process to Technology • Design/ Requirements for common language involvement solution map gathering (e.g., applications or • Standardized approach • Implementation • Build/Configure forms used) for changes schedule prioritization • CRP Sessions • Determine • 4 main areas of • Identification of • UAT Shared/Non-Shared governance: dependencies and data elements • Move to Production • Governance integration points • Opportunities for Structure • Analyze stakeholder Integration • SDLC business processes • Aggregation of data for • Data Change • High level tool Enterprise view architecture design • Configuration Change • Provide future considerations
8 INCIDENT MANAGEMENT
Corporate Security Human Resources Cybersecurity
. Management of incidents reported . Manage employee-related incidents, . Document all medium – high severity by employees including all organizational levels of the incidents for future reference and Company, including executives management reporting − 40+ Facilities . Restricted access with Human . Share any incidents requiring − 6,000+ Employees Resources for confidential incident information from Human Resources . Workflow management including management or Corporate Security reporting & approvals . Created reporting and key performance . For employee-related incidents work with indicators for management Human Resources . Reporting for stakeholders in Internal . Flexible management reporting Audit & parent company
. By enabling these 3 different departments in Incident Management they were able to share incidents that historically would be managed independently and often in an uncoordinated manner. . Additional stakeholder access provided to Legal Department and Internal Audit.
9 INCIDENT MANAGEMENT SOLUTION
HIGH - LEVEL INTERDEPARTMENTAL WORKFLOW
Corporate Security Human Resources Cybersecurity
New Incident New Incident New Incident
Corporate Employee Yes Yes Yes Employee Security Involved? Involved? Involved?
No No No
Process for completion Process for Completion Corporate and approval and approval Security Involved?
Yes No
Process for Completion and approval Reporting Reporting
Reporting
10 THE RSA ARCHER USE CASE
WHAT WE SOLD TO THE BOSS
11 CONFIDENTIALITY / ACCESS
AN APPLE A DAY KEEPS AUDIT AWAY . Controlled access − Access is built into job roles • Provisioned at hire • Change in job would change or remove access • Different access levels: • HR Contact Center • HR Business Partners • Super User • Executive User . Confidentiality − Incident information cannot be seen by employees outside of HR − Utilizing Task functionality eliminates need to send information through email
12 SYSTEM CAPABILITIES
WE COULDN’T DO THIS BEFORE . Quarterly CHRO signoff − Number of incidents • Compare Quarter to Quarter trend • Compare Year vs Previous Year • Category/Subcategory trend . Dashboards − HR Dashboard • Customized to show open incidents by division • Increased visibility for HRBP team − Executive Dashboard • Real-time reporting for CHRO and SVP HRBP . One System of Record − Syncs with Legal, Cyber Security, Corporate Security • Sharing of incident information using a secure system
13 Q1, 2017 VS Q1, 2018 COMPARISON . Filter results or build custom reports to compare any quarter to any quarter . Shows increase in incidents, but we see increased usage from 6/25/17 implementation
14 NUMBER OF INCIDENTS BY MONTH
15 CURRENT YTD VS 2017
16 LEGAL I-VIEW
17 HOW IT WORKS
WHAT WE SOLD TO THE TEAM
18 SOLVE FOR HR PAIN POINTS . Enterprise Management − Pulls in employee data, including terminated employees . Transparency − All HR Business Partners can view all incidents − Related incidents can be linked together . HR Contact Center − Can enter and assign incidents − Once saved, incident is not visible or searchable by HR Contact Center . Task Management − More secure-no email required − Attachments sent/stored in Archer
19 HR DASHBOARD
20 NEW INCIDENT FORM
21 TASK MANAGEMENT
22 FURTHERING THE RSA ARCHER USE CASE
WHAT ELSE CAN WE DO WITH THIS?
23 POSSIBLE USE IN OTHER HR AREAS . Leave of Absence Department − Part of HR Incident Management Module − Controlled access − Visibility of Interactive Process between LOA and HRBP teams − Documentation storage − Dashboards and reporting capabilities . HR Contact Center − Replace homegrown ticket system − Allow for additional metrics and reporting − Ability to interact with other HR teams utilizing Incident Management Module
24 THANK YOU!!
Kevin Housing, SHRM-CP, PHR, GPHR AVP Human Resources, GM Financial [email protected]
Patrick Bernardy Director, GRC Technology, PwC [email protected]
25