DON’T FORGET ABOUT HR: Using Archer Incident for Employee Relations Incidents

1 WHAT GOT US HERE?

2 OUR PREVIOUS TOOL . Homegrown system − Inconsistent usage − Limited reporting capabilities − Fewer security measures

3 HOW WE MET

OUR ARCHER STORY

4 ARCHER USE AT GM FINANCIAL

U S E C A S E S APPS

. Incident Management . Incidents . Compliance Management . Investigations . Legal Matters . Contacts . License Management . Facilities . Issues Management . Hierarchy . Business Continuity Management . Task Management . Policy Management . . Risk Assessments

5 ARCHER PROFILE

HR SWIPED RIGHT . HR module implemented in version 5.5 − May 2017 for pilot group − June 2017 rollout to full HR Business Partner Team . Upgrade to 6.3, February 2018 . Hosted On-Premise . Leverage Corporate Security Incident Management module . Approximately 30 HR users

6 EXPERT PARTNER

PWC’S GRC ENABLEMENT METHODOLOGY . PwC began their relationship with us by performing a GRC health check in Fall 2016. . We engaged PwC: − Assist us in addressing developing a GRC governance model − Expanding the use of Incident Management by our Corporate Security, Cyber Security and departments − Create use cases to enable risk assessments for internal technology partners and third party providers − Configure Compliance Management to support IT Compliance workflow − Extend use of Compliance Management to support Corporate Compliance − Upgrade our hosted version from 5.5 to 6.3 and provide user acceptance and training

7 EXPERT PARTNER Our approach is more than just implementation, its about understanding processes and how to best automate them. Our methodology helps move companies through the implementation lifecycle, including designing a Data model/Taxonomy to provide consistency, creating a comprehensive Roadmap approach for implementation, and a Governance Structure to manage the tool. GRC Technology Enablement Methodology Data Model & Governance Structure Roadmap Implementation Taxonomy

• Define data elements • Determine stakeholder • Process to Technology • Design/ Requirements for common language involvement solution map gathering (e.g., applications or • Standardized approach • Implementation • Build/Configure forms used) for changes schedule prioritization • CRP Sessions • Determine • 4 main areas of • Identification of • UAT Shared/Non-Shared governance: dependencies and data elements • Move to Production • Governance integration points • Opportunities for Structure • Analyze stakeholder Integration • SDLC business processes • Aggregation of data for • Data Change • High level tool Enterprise view architecture design • Configuration Change • Provide future considerations

8 INCIDENT MANAGEMENT

Corporate Security Human Resources Cybersecurity

. Management of incidents reported . Manage employee-related incidents, . Document all medium – high severity by employees including all organizational levels of the incidents for future reference and Company, including executives management reporting − 40+ Facilities . Restricted access with Human . Share any incidents requiring − 6,000+ Employees Resources for confidential incident information from Human Resources . Workflow management including management or Corporate Security reporting & approvals . Created reporting and key performance . For employee-related incidents work with indicators for management Human Resources . Reporting for stakeholders in Internal . Flexible management reporting Audit & parent company

. By enabling these 3 different departments in Incident Management they were able to share incidents that historically would be managed independently and often in an uncoordinated manner. . Additional stakeholder access provided to Legal Department and Internal Audit.

9 INCIDENT MANAGEMENT SOLUTION

HIGH - LEVEL INTERDEPARTMENTAL WORKFLOW

Corporate Security Human Resources Cybersecurity

New Incident New Incident New Incident

Corporate Employee Yes Yes Yes Employee Security Involved? Involved? Involved?

No No No

Process for completion Process for Completion Corporate and approval and approval Security Involved?

Yes No

Process for Completion and approval Reporting Reporting

Reporting

10 THE RSA ARCHER USE CASE

WHAT WE SOLD TO THE BOSS

11 CONFIDENTIALITY / ACCESS

AN APPLE A DAY KEEPS AUDIT AWAY . Controlled access − Access is built into job roles • Provisioned at hire • Change in job would change or remove access • Different access levels: • HR Contact Center • HR Business Partners • Super User • Executive User . Confidentiality − Incident information cannot be seen by employees outside of HR − Utilizing Task functionality eliminates need to send information through email

12 SYSTEM CAPABILITIES

WE COULDN’T DO THIS BEFORE . Quarterly CHRO signoff − Number of incidents • Compare Quarter to Quarter trend • Compare Year vs Previous Year • Category/Subcategory trend . Dashboards − HR Dashboard • Customized to show open incidents by division • Increased visibility for HRBP team − Executive Dashboard • Real-time reporting for CHRO and SVP HRBP . One System of Record − Syncs with Legal, Cyber Security, Corporate Security • Sharing of incident information using a secure system

13 Q1, 2017 VS Q1, 2018 COMPARISON . Filter results or build custom reports to compare any quarter to any quarter . Shows increase in incidents, but we see increased usage from 6/25/17 implementation

14 NUMBER OF INCIDENTS BY MONTH

15 CURRENT YTD VS 2017

16 LEGAL I-VIEW

17 HOW IT WORKS

WHAT WE SOLD TO THE TEAM

18 SOLVE FOR HR PAIN POINTS . Enterprise Management − Pulls in employee data, including terminated employees . Transparency − All HR Business Partners can view all incidents − Related incidents can be linked together . HR Contact Center − Can enter and assign incidents − Once saved, incident is not visible or searchable by HR Contact Center . Task Management − More secure-no email required − Attachments sent/stored in Archer

19 HR DASHBOARD

20 NEW INCIDENT FORM

21 TASK MANAGEMENT

22 FURTHERING THE RSA ARCHER USE CASE

WHAT ELSE CAN WE DO WITH THIS?

23 POSSIBLE USE IN OTHER HR AREAS . Leave of Absence Department − Part of HR Incident Management Module − Controlled access − Visibility of Interactive Process between LOA and HRBP teams − Documentation storage − Dashboards and reporting capabilities . HR Contact Center − Replace homegrown ticket system − Allow for additional metrics and reporting − Ability to interact with other HR teams utilizing Incident Management Module

24 THANK YOU!!

Kevin Housing, SHRM-CP, PHR, GPHR AVP Human Resources, GM Financial [email protected]

Patrick Bernardy Director, GRC Technology, PwC [email protected]

25