W ith regulatory requirements proliferating and data-gathering protocols overlapping, many corporations are streamlining compliance. CEOs and chief compliance officers are forming committees to guarantee that standards are met. Committee members may include representatives from finance, internal and external audit, risk management, the legal and safety departments, the board of directors--and human resources. With its expertise in organizational structure, training and people-oriented information systems, human resources is in a position to help other departments align compliance processes with corporate goals ranging from operational efficiency to high ethical standards.
Whether they’re recruiting compliance staff, consulting to other departments on how to train workers on new regulations, or tweaking reporting relationships to avoid conflicts of interest, human resources managers are in the thick of efforts to keep their employees’ behavior in compliance with Sarbanes-Oxley, HIPAA, the USA Patriot Act and the EU data-privacy directive. By integrating compliance efforts and deploying the core competence of human resources in multiple corporate divisions, companies reap efficiencies that help keep regulations from dragging them into red ink.
"This is all happening because companies don’t want to be the next Enron or Adelphia," says Monica Barron, until recently a research director at AMR Research Inc. in Boston. Failure to comply with laws and regulations can be very expensive for corporations, resulting in penalties, destruction of shareholder value and loss of workers’ trust. So when human resources joins efforts to upgrade compliance, "HR is all of a sudden a business partner because they’re focusing on a business goal," Barron says.
"Now HR people are being seen as the missing link to organizations’ being compliant," says Jason Averbook, director of HCM Global Product Marketing at PeopleSoft Inc. in Pleasanton, California.
Experts acknowledge that when human resources becomes more deeply involved in compliance--beyond its traditional portfolio of EEOC and ADA requirements--something’s got to give. The human resources department may shift its emphasis away from meeting traditional metrics such as time to hire, for example. Instead, "HR may focus on getting the right hires to accomplish compliance goals," Barron says.
In many companies, human resources executives who volunteer to add value to corporate compliance efforts will encounter resistance from other divisions. "The corporate governance staff generally has disdain for HR," says Lawrence Lorber, a partner in the Washington, D.C., office of Proskauer Rose LLP.
But those who don’t get caught up in corporate culture wars are apt to see things differently. "It’s essential that there’s strong cooperation between legal and HR, or the compliance effort is going to be disconnected and ineffective," says Garry Mathiason, a partner with Littler Mendelson in San Francisco. Executives who spend their days in the compliance trenches tend to have strong feelings about the role of human resources. "If you do have a compliance committee, HR has to be on it," says Patrick Gnazzo, vice president of business practices at United Technologies Corp., a Hartford, Connecticut, manufacturer. At the nucleus of UTC’s compliance efforts are representatives of the business practices group, legal, financial controls, internal audit, environmental health and safety--and human resources. Gnazzo goes to human resources for advice on many compliance-related issues. In the case of an ethics breach, for example, he might ask human resources if the company would be able to defend a dismissal of the culpable employee.
The first involvement of human resources with new realms of compliance often comes when a seemingly unrelated rule touches its own data. One such case is the provision of Sarbanes-Oxley that protects whistle-blowers.
Ignorance of this law could get human resources executives in trouble in unexpected ways. According to pre-Sarbanes industry practice, "performance records could be destroyed as they aged off," says Mathiason. But if you destroy those records now, "you could potentially be prosecuted under Sarbanes’ record-retention provision," which is intended to protect whistle-blowers against employers that falsely claim to be terminating an employee for poor performance.
Human resources managers may notice that "many employees are not up to speed on Sarbanes-Oxley, and don’t have the level of understanding they need to remain compliant," says DJ Chhabra, vice president of HRMS for Oracle Corp. in Redwood City, California. To raise the standard within its own organization, "Oracle has delivered ethics training to all its employees around the world," Chhabra says. Employee self-service technologies make it possible to deliver ethics and compliance training online at a fraction of the cost of face-to-face instruction.
As the chief repositories of employee data, HRMS systems are sometimes the logical place to integrate compliance-related data from across the enterprise. Using information already in a human resources database can help companies avoid the extra costs and the possibility of introducing errors that goes with re-entering data in a new compliance tracking system. However, there is tension between the cost-savings of integrated databases and the need to protect the privacy of sensitive data. "There are lots of laws that say you’ve got to segregate the flow of information," Lorber says. For example, ADA-related information on the disabilities of individual employees must be kept separate from other medical information on those workers, he notes.
Human resources brings its expertise to bear in setting up appropriate organizational structures and reporting relationships, a key to maintaining the integrity of corporate governance. Human resources can help to ensure that there are organizational firewalls between the people who administer compensation and those who run payroll, for example. "Corporations need to create a complete separation of these powers," says Averbook of PeopleSoft.
Human resources can also help business and financial divisions by advising them on how to document the roles and responsibilities associated with compliance and corporate governance, and who in the organization is fit to carry out those duties. HRMS systems streamline the assignment of security levels to individual employees. Taking the concept a step further, a forthcoming version of Oracle’s HRMS will enable automatic management of security, and will check employees’ security level when they change jobs, adding or revoking rights as appropriate, Chhabra says. Automation of these processes helps employers save on administrative labor.
Under the rubric of performance management, human resources also plays a key role in evaluating whether employees are actually carrying out the activities that are required by regulations or company ethics. Human resources can analyze work flows and help to ensure that they are auditable and repeatable, essential qualities for many compliance processes.
Human resources can extend its traditional role as the leader in training to domains of compliance beyond the basic requirements such as those created by EEOC and OSHA. Sometimes HR’s involvement in compliance training is a modest extension of its core competence in handling employee information. "We get involved with HIPAA to certify that people who need to handle health data do get the training," says Susan Bundgard, vice president of human resources for MPC Computers in Nampa, Idaho.
There are two key parts for human resources to play in compliance training. First, the compliance committee may turn to human resources to keep track of which employees have received training in specific compliance domains. "At the end of the day, HR somehow gets on the hook for tracking all employee data," says Kimberly M. Woodward, vice president of product strategy for Trifus, a Chicago maker of software that tracks employee training. Second, human resources can lend its expertise to another department or line of business to help it determine what training best fits specific compliance domains. "We work with HR on which training courses a particular business unit might take in a given year," says Gnazzo of UTC. The human resources department also helps UTC’s business practices organization to decide which instructional media will be the most effective and economical.
Most corporations are in the early stages of extending the reach of human resources into new domains of compliance. In tracking mandated training, for example, "people are just trying to get their arms around the requirements and define the process and data they need," Woodward says. But the more that compliance requirements proliferate and overlap, the more value human resources will be able to add to the effort.
Human resources professionals aren’t usually experts on European privacy law or on the minute details of Sarbanes-Oxley sections 302, 404 and 409. In collaborating with legal counsel, risk managers and subject-matter specialists, "human resources may be challenged to speak the language," Averbook says, "but there’s no one that knows where to get the data better than HR."
Workforce Management, July 2004, pp. 74-76 -- Subscribe Now!