Have you got a clear understanding of the risks in your payroll?
Global Payroll Control Framework
In these LinkedIn posts I highlight parts of the Global Payroll Control Framework (GPCF). The creation of a GPCF is a best practice method to help ensure compliance with internal policies and international payroll regulations. The GPCF is independent of industry and geographical spread and adapts to ever-changing control environments. Get started with your own and sign-up for this two-part webinar in cooperation with the Global Payroll Management Institute (GPMI) that's available on demand.
It seems like a no-brainer, but in practice it rarely is. Without knowing your Global Payroll Objectives and laying those down in writing, you simply cannot identify, assess and describe risks. Risks are defined as ‘the possibility that an event occurs that adversely affects the achievement of objectives’. Once you have your risks properly identified, assessed and described, you can start mitigating them with Control Activities (I will address this in later posts!). You should therefore first have the objectives in place. Let's assume you have done this and want to get started with your Risk Assessment process.
Identifying risks
You can find many publications on how to identify risks, and they will all hold truth in them. Having worked as Senior Consultant with international clients and as part of core audit teams, I have found that you can phase this 'risk identification phase' based on three questions, which you can answer either alone or (preferred!) together with internal and/or external advisers.
Question 1: What has happened?
Each Payroll Team will know what went wrong in the past. Customers and internal & external stakeholders will have provided a lot of feedback on your processes (and their failures). Together with the notes from your own payroll meetings, you can start putting these risks in writing. Do make sure to link these risks to Global Payroll Objectives. Remember that a risk is only a risk if it has an adverse effect on objectives, and that risks can be present both inside and outside your own processes.
Question 2: What is happening?
Once you have identified what has happened, you can start adding risks that are happening right now.
Question 3: What will happen?
Answering this question will require information on future events that will have an effect on your Control Environment and likely your Global Payroll Operating Model. Will this change your processes and thus make way for new risks to arise?
Assessing and describing risks
Once you and a team of internal and/or external advisers have identified risks, you can start laying them down in writing and ultimately assessing them. I found this is initially easier said than done, especially for payroll teams without any audit experience. Let me share this 3-step plan as a best practice to get started.
Step 1: Risk header
The risk header is where you include the basic information on the risk, such as the unique reference (for instance RSK.PAY.###) and a description in words.
Step 2: Risk classification
The identified risks are classified by the EU Payroll Team either as key or non-key based on their Risk Classification Score (RCS).
- Key risk
Key risks have a medium to high adverse effect on the achievement of payroll objectives and always require mitigation by control activities.
- Non-key risk
Non-key risks have a low adverse effect on the achievement of payroll objectives and don’t necessarily require mitigation by control activities.
The RCS is the sum of the score of the risk on three discretionary items, namely: impact, likelihood and detection.
- Impact
The impact the unmitigated risk would have if it, for instance, reaches the customers or stakeholders of the Global Payroll Team.
- Likelihood
Best estimate of how often the activity will be performed in the sub-process or sub-processes of the GPCF it is present in, and the likelihood of the risk not being mitigated.
- Detection
Probability that the defective condition causing the risk will be detected, and therefore mitigated, before the payroll output reaches, for instance, the customer or stakeholder of the Global Payroll Team.
Step 3: Risk response
Each assessed risk requires one of the following responses by the Global Payroll Team: acceptance, avoidance, reduction or sharing. The choice for a certain risk response has an impact on the design of control activities and each risk can only have one response.
- Acceptance
No action is taken to affect the risk’s impact or likelihood, for instance when the RCS is very low and no control activity has to be designed to mitigate it.
- Avoidance
Exiting the activities in the main or sub-processes that give rise to the risk avoids the risk occurring in the first place. This response is not common, because it means the activity from the payroll processes would have to be performed by another support function within EU HQ.
- Reduction
Reducing the risk’s likelihood and/or impact and increasing the chance of detecting the risk before it occurs. This typically involves an everyday business decision (this is the most common response) or, for instance, an automated control in a utilized system.
- Sharing
Reducing the risk’s likelihood and/or impact by transferring or otherwise sharing a portion of the risk, for instance by outsourcing activities in certain sub-processes to ICPs.
You have now identified, assessed and described your risks. It's a great start, but now you should start mitigating those risks with Control Activities. It is also a great time to stop performing Control Activities that apparently don't mitigate any risks. And remember: identifying risks is not a one-time effort; the PDCA cycle starts here and is part of the monitoring activities! The fun has just started.
Identifying, assessing and describing your Risks is part of Section 2 of the GPCF: Global Payroll Control Components.