Communication about Value

Before an SWP initiative can get off the ground, it has to have support from stakeholders. This means communication is the first step. HR must be able to give executives, managers, and employees all a reason to cooperate or the whole thing will fall apart. Each of these groups will value different aspects of SWP. For example, leaders will want to know how this approach will affect operations over the long term and what edge it gives the business over industry competitors. Managers will need to understand how SWP serves their needs by consistently and rapidly delivering high-value new hires to fill their departments’ requirements. Workers will be most interested in how ongoing employee development will impact their earning potential and career opportunities.

Your company’s stakeholder groups can be mined for feedback that will be used in analyzing the best way to approach SWP. This step is essential since there is no one-size-fits-all approach. If you start out focusing on goals that have low value to your stakeholders, you will quickly lose both momentum and support.

Build a Team

SWP is not something that one person can do alone. One mistake employers sometimes make is handing complete responsibility for the program to the Recruiting specialist. Although hiring/staffing is a vital aspect of SWP, the scope is actually much bigger and requires a broader perspective. This is an initiative that should be sponsored by the highest level of HR (VP or Director) and supported by the full HR team. Ideally, managers in key positions in other departments will collaborate as team members as well. Cross-departmental input helps ensure that SWP goals are fully aligned with business goals.

Next week, we’ll look at what your team needs to know before they start making any decisions regarding workforce planning. Here at Emerald Software Group, we want to help you to get it right!

The guide starts by defining SWP in the following way:

SWP is a systematic process – It involves the entire organization and takes into account the impact of workforce planning in every area, it follows specific procedures, and it is continuously practiced, updated, and improved.

SWP identifies the human capital required to meet agency goals – This entails not just deciding how many workers will be required, but identifying the specific skills needed, how the new employees will fit into the existing organizational structure, and the expected timeline during which they will need to be recruited and onboarded.

SWP develops the strategies to meet these requirements – The organization must pinpoint the actions required to recruit, develop, and retain the talent needed by the agency to carry out its work.

Why is Strategic Planning so Important Now?

The driving factors behind the decision to implement SWP at the state level are:

• A workforce that is aging and retiring – taking valuable knowledge with them
• A workforce that is becoming more diverse
• A need for workers with technical, problem solving, and informational skills and the need to compete with the private employment sector for this talent
• An expected upswing in the demand for state sponsored services leading to a need for more workers

State agencies expect to see the same benefits as private employers do from SWP. These benefits include greater HCM effectiveness, accurate budgeting capability, more productive training and development, far-reaching succession planning, etc. That’s the WHY of SWP. Next week, we’ll go into more detail about the HOW.

Keep your eyes peeled for news from Emerald Software Group. We’re gearing up to make a big splash in the SWP field with new services soon.

What Might Happen If Steps are Skipped?

KPA, a risk management and compliance consulting firm, tells a chilling tale of what can happen if managers fail to follow an employer’s own, internal policies in hiring. KPA was subpoenaed to testify against a client. This particular employer had used the firm to screen job applicants in the past but had overlooked this step with a new hire who turned out to be a habitual substance abuser with a long track record of auto accidents. The employer was on the hook for millions in damages when the employee caused a drunk-driving crash in a company vehicle.

How Did this Occur?

HR was unaware that the screening had even been skipped because a company supervisor hired the employee! There’s something enormously wrong with a company that does not have safeguards in place to ensure all hiring is done by the professionals in HR who are trained to keep the employer in compliance. KPA makes several good suggestions for how to limit this type of risk. Their first suggestion is to use software that enforces internal rules for screening every new hire. They go further to state that software should be used to automate the entire hiring/onboarding process. We agree.

Fortunately, Universal Onboarding is designed for precisely this type of situation. With this software enforcing proper forms completion, no new hire can slip through the cracks and end up sidestepping your company’s background check process. Plus, automating the transmission of new hire data to a screening partner cuts the administrative labor costs for HR to actually get background checks done.

• Make the most efficient use of existing human capital
• Ensure that recruiting infrastructure and processes can replace key workers as needed
• Project budget requirements for staffing
• Provide evidence that learning & development are producing desired outcomes
• Prepare for changes in workforce size or structure (downsizing, expansion, mergers, etc.)
• Promote diversity within the workforce

The newer version of truly strategic planning takes a longer and broader view. For example, comprehensive succession planning doesn’t rely simply on recruiting efforts to fill vacancies once they occur. Instead, an ecosystem of hiring vendors may be developed at the same time that internal talent is groomed to take over leadership positions. This provides a much greater safety net so an employer doesn’t have to make rushed decisions about filling important positions. At the same time, analytics can be used to identify core workers who are at high risk for attrition so that retention tactics can be launched in time to preserve the employment relationship. This network of strategies can mitigate the uncertainty inherent in managing human capital in a rapidly evolving labor market.

Where to Learn More

The Human Capital Institute is busy facilitating a many workgroups and discussion forums on this topic. Basic membership is free, so I’d recommend registering to get access to some helpful resources. For example, the HCI published an interesting blog post last month about why HR so often falls short in strategic planning. The author posits that HR professionals are often too risk averse to make these decisions alone. There may need to be a sea change in attitudes, practices, and skills training before HR can fully step into its role as a strategic partner.

• If you had the opportunity to begin SWP today, would you jump at it?
• What types of consulting support would you find most helpful?
• What business analysis tools would you need to make smart decisions?

Let’s talk in the comments.

“This position supports the new teammate onboarding process and schedules drug tests and background checks, coordinates completion of I-9 and other paperwork, and monitors the processes to completion. This position provides information and answers questions from candidates, teammates, and management to facilitate the onboarding processes and completion of required employment documents.” 

In the future of greater new hire onboarding automation, would a full-time position need to be devoted specifically to these tasks?

Universal Onboarding would certainly make the process much easier to complete. First, there would be little or no “coordination” required to facilitate forms completion. The new hire is provided with a login on their first Monday and the wizard-like module walks them through each piece of paperwork. HR doesn’t have to follow up about missing or incorrectly completed forms since the software prevents these problems. The process takes less than 25% of the traditional time for filling out paper forms making it easy to hit compliance deadlines for forms completion.

The system can be interfaced directly with third party background check and drug screening partners. This means there’s little or no need to have telephone calls back and forth to arrange screening and check on results for each new employee. Compliance with state new hire reporting is automatically ensured with electronic filing.

On the other hand, employers will still need to designate an I9 administrator. That’s because there are components of I9 compliance (such as spotting fake identification documents) that have to be handled in person. Of course, Universal Onboarding is well suited to supporting best practices in I9 administration as well. It makes I9s readily accessible for self audits and can be interfaced with e-Verify if desired.

Federal Workplace Privacy Law

The only Federal law addressing workplace privacy for both public and private sector employers is the Electronic Communications Privacy Act of 1986 (ECPA). This Act prohibits employers from intentionally intercepting electronic communications. Basically, if the government can’t wiretap someone without a warrant, then it’s not OK for employers to do it.

However, this privacy law doesn’t provide much protection in practice. Employers do have the prerogative to read emails or listen to conversations for legitimate business reasons. One such reason might be a simple suspicion that the employee is violating a workplace policy regarding appropriate use of technology. This kind of case can go either way if it winds up in court – as we’ve seen in recent years.

The other big loophole is based on the idea of implied consent. If an employee is advised that communications may be monitored, it may be implied that he or she consented to even highly intrusive monitoring by the employer. This is not a guarantee that simply notifying the worker will make the monitoring legal. However, most employers who have an information technology policy signed during new hire onboarding do include a notification clause about monitoring of all company equipment.

What Might the Future Hold?

So far, efforts to pass more stringent protections for workplace privacy have failed to make it out of various Senate committees. Ironically, it may be the judicial branch of the government that sets things in motion for the next phase of workplace data privacy. In 2001, several federal court judges became very agitated when they discovered that their internet communications were being monitored by staff responsible for maintaining the computer system. You can imagine how well that went over!

As always, Emerald Software Group will be “monitoring” any regulations as they develop. Our goal is to ensure that Universal Onboarding and our other applications are in compliance with the law and promote best practices for both public and private employers.

Courts Often Side with Employees about Data Privacy

In 2010, the New Jersey Supreme Court determined that an employee’s attorney-client privilege was violated when her employer read private emails transmitted on a company laptop. The worker was using a password-protected account on a web-based email service (not the employer’s internal email platform) and so had a reasonable expectation of privacy.

In 2009, a federal appeals court determined that police officers had their privacy violated when personal text messages sent via employer-provided pagers were examined by the City. The employer in this case was making an effort to enforce a policy against personal use of City equipment and this unfortunately backfired.

Many court cases involving employers monitoring social media postings and other personal online activities have led to defeat for businesses. These decisions are an indication that although employers may notify workers that all communications could be monitored, this does not mean such policies will always be supported by the courts.

How Much Data is Too Much?

It is important for employers to take into consideration not just data privacy standards, but also the purpose behind these policies. One beneficial guiding principle might be to protect the worker’s private information while enabling the company to collect necessary data for effective and compliant workforce management (such as the information typically collected using Universal Onboarding software). When this approach is followed both in letter and spirit, there is likely to be little conflict between employers and employees regarding how data is collected and used.

What about the wealth of information available about workers by searching the net? Although more knowledge may lead to better decision making in some cases, overreaching in the collection of private employee information also tends to lead to litigation for discrimination. This is definitely an area where legal counsel coupled with common sense (putting yourself in the average worker’s shoes) is needed for good decision making.

Notice & Choice – Employers must notify job candidates, new hires, and employees when data is being collected and inform them of how it will be used. Individuals have the right to opt out of having their personal information collected and refuse to permit it to be forwarded to third parties. Obviously, there are situations where this would mean the employment relationship could not move forward; but the choice must still be presented.

Security & Distribution – Employers must take responsibility for implementing secure infrastructure, appropriate tools (such as software), and administrative processes to prevent the loss or theft of collected data. Employers must ensure that data transferred to a third party is handled following Safe Harbor data privacy principles as well.

Data Integrity, Access, & Enforcement – Employers must make an effort to ensure the data requested is pertinent to the purpose for which it is collected and that it is current and accurate. Employees must have the opportunity to review the information upon request so they can make corrections to data that is inaccurate. Employers must also institute practices and policies that ensure Safe Harbor principles are adequately enforced.

What’s Wrong with That?

Using these principles as a guideline is actually not a bad idea. However, there are some potential downsides to pushing “Safe Harbor” compliance as a required standard if you aren’t actually doing business in the EU. Some companies are using the Safe Harbor agreement in ways it wasn’t intended. For example, an employer doing business only in the U.S. might insist that certain vendors be certified under the Safe Harbor program even though it’s not really required.

Since there is currently no follow up being done by the Commerce Department to ensure that certifications of compliance are actually valid, pretty much any company can advertise itself as being compliant whether they are or not. There is no set way of going about meeting the Safe Harbor compliance requirements which makes it easy for any company to self-certify. At the same time, if the U.S. government does decide to start enforcing compliance with audits and penalties, any business claiming to be certified that isn’t really up to speed could be placing itself at unnecessary risk.

Emerald Software’s Approach

At Emerald Software Group, we like to stay at the leading edge of compliance with all the best data privacy practices. However, we never claim to be compliant if we can’t back the statement up with assertion documents that demonstrate how we meet the security and privacy requirements of a particular standard. This means when you do business with us, you’re not just putting your trust in a label – you understand the steps we are taking to keep your employee data secure.

Old Standards Created Too Many Loopholes

One reason is that the previous standard is being used in ways its developers never intended. According to Mike Klein from Online Tech, the SAS 70 has long been used by data centers to provide assurance to customers that their facility and operating systems are secure and properly run. However, the standard is really meant to be used for evaluating financial reporting practices.

Data centers have apparently been making claims that they are “SAS 70 certified” when, in fact, no such certification exists. They might claim truthfully to be SAS 70 audited, but that doesn’t really tell you how well they fared in the audit process. A data center could simply set its own standards and meet them to claim that it is compliant.

The obvious solution to these problems was to create a set of standards that include more accurate assessments – and that can be used for highly targeted industries. The SSAE 16 will require auditors to collect a written statement from management at the facility being audited. This assertion document will outline the design and operational effectiveness of relevant controls. SOC 1 (Service Organization Control) reports will be issued in two tiers. Type 1 will simply offer the auditor’s opinion regarding the assertions provided by management. Type 2 will entail actual monitoring of the system over a time period of 6-12 months. However, companies that are audited in this way will still not be “certified” under SSAE 16.

New Standards Factor in Data Center Requirements

Data centers will be able to take an additional step toward achieving the highest standards of compliance. SOC 2 and 3 reports offer a way for data centers to be compared to actual industry benchmarking standards. An audit of this type would cover criteria such as availability, processing integrity, security, and privacy. With an SOC 3 report, a summary of a company’s audit will be available for the general public to increase credibility. The SysTrust seal can be used by service organizations that successfully complete the SOC 3 process. This is a boon for SaaS providers since they will now have a valid “seal of quality” to display to clients.

At Emerald Software Group, we’re evaluating the ISAE 3402 and are moving toward achieving this standard later this year. Stay tuned for more information as it becomes available.

Safe Harbor Applies to HR Data

One aspect of the Directive that’s of special interest to U.S. employers is the Safe Harbor provision. This regulatory standard is designed, in part, to ensure that American businesses with European subsidiaries handle all identifying employee data appropriately in accordance with the data protection laws that cover all EU citizens. Employers who fail to follow this standard for administering HR data for EU workers could face consequences up to and including not being permitted to operate in EU countries.

Most U.S. based multi-national corporations routinely transfer employee data into the U.S. for HR administration at a central location. This is becoming even more common with the use of web based applications like Universal Onboarding that allow collection of new hire data from any location in the U.S. and abroad. The transmission, storage, and use of such identifying information must be performed following Safe Harbor principles when EU workers are involved. However, there is no one set way of achieving these standards. Instead, the principles serve as minimum guidelines. Employers may combine any number of products, services, and procedures to address the privacy needs of their business in a way that complies with Safe Harbor rules.

Compliance is Sketchy

Participation by U.S. companies in Safe Harbor compliance is promoted by the Department of Commerce. However, the U.S. government does not force any business to participate. The regulatory purview of the DOC extends only as far as requiring that companies which claim to be Safe Harbor compliant are, in fact, following Safe Harbor privacy practices.

As of 2010, the Department is still facing resounding criticism for its failure to meaningfully enforce compliance by auditing participants and holding them accountable. This lack of follow through means that U.S. employer claims of Safe Harbor compliance are a little difficult for EU countries to take at face value. Businesses may want to consider providing assertion documents that outline exactly how their company complies with Safe Harbor principles in the event that this question is raised.

In the next post in this series, we’ll take a look at how Safe Harbor is being used and abused by U.S. companies that don’t do business in Europe.