the journey to world-class data management, reporting and compliance best practices presented to:...

The Journey to World-Class

Data Management, Reporting and ComplianceBest Practices

Presented to: Lawson Software, Inc. / City of Columbus, Ohio

William Bacote

Manager

The Hackett Group

April 9, 2008

Document Name – Click on top-level Slide Master to change© 2008 The Hackett Group. All rights reserved. Reproduction of this document or any portion thereof without prior written consent is prohibited.

Statement of Confidentiality and Usage Restrictions

This document contains trade secrets and other information that is company sensitive, proprietary, and confidential, the disclosure of which would provide a competitive advantage to others. As a result, the reproduction, copying, or redistribution of this document or the contents contained herein, in whole or in part, for any purpose is strictly prohibited without the prior written consent of The Hackett Group.

Copyright © 2007 The Hackett Group, World-Class Defined. All rights reserved.


Objectives and Expectations

Examine current process efficiency, effectiveness, and structure Understand current gaps to best practices, and service delivery model considerations

through examination of Hackett Best Practices Begin the development of a best practices scorecard


Aligns with strategy Reduces costs Improves productivity Promotes timely execution Enables better decision making Leverages existing and exploits emerging

technologies Ensures acceptable levels of control and

risk management Optimizes skills/capabilities of the

organization Promotes collaboration across the extended

enterprise

Hackett’s Best Practices are certified when there is a correlation with world-Hackett’s Best Practices are certified when there is a correlation with world-class performance metricsclass performance metrics

Best Practices Defined:A Hackett-Certified Practice is a proven technique that delivers measurable value


Best Practice Current PracticeUsage

Now | Future

End-State Vision

Applicability | Coverage Comments

A description of each Hackett best practice for this process

A description of current utilization of this best practice

CoverageHigh Widespread impact on the enterprise and/or significant value-addMedium Impacts multiple areas, value-add is significant but less relative to

processes ranked as HighLow Impacts a single area of has limited span of adoption throughout the

enterprise

CoverageHigh Widespread impact on the enterprise and/or significant value-addMedium Impacts multiple areas, value-add is significant but less relative to

processes ranked as HighLow Impacts a single area of has limited span of adoption throughout the

enterprise

ApplicableYes Adoption of the best practice is in line with current/future business needsNo Best practice does not fit the current business needs

ApplicableYes Adoption of the best practice is in line with current/future business needsNo Best practice does not fit the current business needs

CommentsStatements pertaining to the technology enablement, policy enactment and other challenges and/or prerequisites associated with improving the utilization of the Best Practice

CommentsStatements pertaining to the technology enablement, policy enactment and other challenges and/or prerequisites associated with improving the utilization of the Best Practice

No Usage Strong Usage

Best Practice Scorecard


Best Practice Session


The capture, management, and reporting of employee and non-employee (including contractors, retirees, and other former employees) data in accordance with organizational policies and government regulations including the development and maintenance of the following:

– data ownership guidelines and governance; – data structures and definitions, – data privacy strategy and compliance activities; – data security guidelines and procedures; – data retention policy and procedures; – disaster recovery and/or business continuity strategy and procedures; – input, verification and maintenance of employee and non-employee information; – recurring and ad-hoc management reporting; – recurring and ad-hoc regulatory and other compliance reporting.

Data Management, Reporting and Compliance Best Practices

Process Definition


Data Management, Reporting and Compliance Best Practice Review – Summary Results

Item Count % of Total Comments

Best Practices Reviewed 34 N/A

Best Practices Deemed “Applicable”

32 94%

Best Practices Fully or Mostly In Use at City of Columbus

3 9% or

Best Practices Partially in Use at City of Columbus

17 53% or

Best Practices Seldom or Not In Use at City of Columbus

12 38%




Now | Future

End-State Vision


One integrated HCM system is utilized to all employee and non-employee information. *HREI001

Pay/Per system is integrated. However, the following are separate systems that use Pay/Per info:Training, injury tracking, time & attendance, position control (EPC), dept. systems, Performance mgmt, grievance tracking, military DB, and OSHA

Yes H Eliminate use of secondary systems by incorporating into CHRIS.Applicant system feeding HRMS for hires subject to review.Interface to EPC and Performance Mgmt.Capture life beneficiaries accurately & consistently.

One HCM system application instance is utilized as the system of record, to support all business units, globally. HREI026

N/A No




Now | Future

End-State Vision


Role-based security is utilized to determine access to and utilization of HCM system. *HREI017

Security groups exist and access can be set to City, Department wide or Division specific. Add, update, inquiry, delete (limited transactions), and some correction but is not a security role.Enterprise hierarchy: City, Dept, Div, Payroll number (section), Work Location. Access may go down to Division.

Yes H Define data owners.Document and publish procedures.Additional levels of security (hierarchy).Review who has correction access. Better validation that role is appropriate.

HCM system security is incorporated with existing corporate security architecture and is compliant with all data privacy laws. HREI027

Pay/Per system security is incorporated with corporate security.

Yes M Systematically evaluate security risks and address each

The internal, corporate LDAP provides the HCM system and other critical systems with password authentications. *HREI028

LDAP is not used. Yes H Consider LDAP; single sign on where possible. Have some systems in separate domains.




Now | Future

End-State Vision


Key data fields are standardized to enable efficient transaction processing and consolidated global and regional reporting. *HREI018

Generally keys fields are standard; BU, dept, EEID, job classification. There may be differences in some date usages.No tableset control (sets of table values) for tables.System allows incorrect pay for BU.Working on standardizing table values (format and naming convention).

Yes H Tableset control for tables.Better edits Review current tables to determine what data is still applicable.Standardization of date fields.Standard formatting for fields.Separate name fields instead of one field.Documentation & training

relating to standards.

The set of data and process standards includes the approaches to solving global requirements using available international standards. HREI020

N/A No




Now | Future

End-State Vision


HCM system makes use of field level validation at point of data capture to maintain accuracy and integrity of data. *HREI004

Limited front-end editing. Most transactions subject to batch update edits.

Yes M More online editing.Improved control tables for online validation; tableset control for showing only appropriate values. System applies business

rules as data entered.One-time data capture of all life and career event changes automatically routed to all impacted functions / affected applications and databases. *HREI003

No automatic routing. Life event changes transmitted to providers: Some electronic file transfers via secure website access, some data copied to CD, some paper reporting. Also, floppy disk.

Yes M Workflow. Interface where possible.

Workforce records updated automatically following completion of transactions. *HREI008

Records are not automatically updated. Training is a separate system.

Yes H Training should be integrated with CHRIS or have bi-directional interfaces. Include other systems such as injury, military, grievance.




Now | Future

End-State Vision


Employees and non-employees are responsible for updating and held accountable for the accuracy of personal data via self-service. *HREI002

Self-service is not available. Yes H Implement Employee Self-Service (employees only)and train employees on updating information and the process.

Employee and manager self-service capabilities are browser-based and accessible via a personalized, internet-enabled employee portal. *HREI012

Employee and manager self-service is not available.

Yes H Implement Employee and Manager Self-Service. Train as part of new hire orientation.Train all employees as part of implementation.

Self-Service tools provide automatic prompts relating to life or career data changes that may impact other process areas. *HREI005

Self-service is not available. Yes M Employee and Manager Self-service with automated workflow. Integration/interface with other systems such as PEP and Training.




Now | Future

End-State Vision


Electronic signatures used with automated workflow for distributing and approving information changes where and when legally permissible. *HREI009

No automated workflow or electronic signatures are in use.

Yes M Implement Employee and Manager Self-Service with automated workflow and approvals.

Multi-tiered service delivery model in place, utilizing self-service, call centers to provide support to inquiries and transactions. *HREI021

Current model is for dept / division HR to be 1st line of support with backup from central payroll/benefits/CSC. Process is not always followed. No self-service or call centers but there is a # to call for support.

Yes H Establish call centers (consider Shared Service Center (SSC)) with workflow functionality and integrated with email system. Implement employee and manager self-service.

At least eighty percent of inquiries made into shared service center are resolved upon first contact. *HREI015

No SSC is in place and there is no tracking of inquiries or resolutions.

Yes M Establish SSC that includes needed system infrastructure.Requires trained representatives & managers.




Now | Future

End-State Vision


Strong governance is in place relating to core HCM system enhancements, table maintenance, security administration, and role-based access. *HREI022

DOT/ Central Payroll/CSC/HR work together to provide governance. Guidelines for enhancements are not clear with no formal process to evaluate or fund. A formal project request form with detailed requirements exists. For large changes (no definition of large projects), project mgmt techniques are used. DOT is in process of defining criteria for project definition.

Yes M Complete definition of project criteriaCommunicate and implementDefine process for the evaluation/determination of what projects get funded and worked on.

The HCM system supports the organizational reporting structure. *HREI019

No reports to functionality and no ad-hoc reporting. Data resides in EPC (does not include PT, all sworn officers, fire) but data is not always current and does not provide org chart.HR is sometimes notified timely if entire dept/division moves but not for just reporting relationships. Communications sometimes does not trickle down to the needed levels.

Yes H Better communication of org changes to include reporting relationships.Get all employees into EPC.Integration between HRMS and EPC.




Now | Future

End-State Vision


Tools support multi-dimensional reporting and drill down. *HREI023

Tools do not support. Reports generally provide detail and summary derived from reports. Requires special request to get report in electronic format rather than on paper.

Yes M Provide reports in electronic format that supports analysis (drill-down).

HCM system reporting tools support forecasting and analysis needs of the organization. HREI025

The Pay/Per system does not support forecasting and analysis needs. Fiscal officers have some access through performance system.

Yes M Ability to produce analytical reporting for forecasting, trending, and time period changes from HCM system.

Report execution performance is monitored for continual improvements in report design, database tuning, and cross-functional data sharing. *HREI024

There is database tuning and report monitoring of run times but no monitoring report design.

Yes M Separate server for reporting.Research establishing data warehouse especially for cross-functional reporting.Train power users/report writers.




Now | Future

End-State Vision


Statutory regulations regarding life event data changes, data privacy and other issues related to personal data maintenance are available to employees. HREI013

Yes, currently in hard copy (Benefit Booklet) for life events, soon to be added to Intranet. However, all privacy/data maintenance regulations may not be available to employees. Documented regulations are current.

Yes M Establish a review process prior to releasing information.Educate employees on how to access via intranet.

Consistent communication of all policy requirements built into on-going manager education and other related programs. *HRCM001

No consistent communication of policy requirements with the exception of annual payroll conference updates. Changes are communicated at that time. Also monthly People Team meetings provide updates.

Yes H Establish on-going manager training and communication of policy/procedure changes.

Document management solution utilized to store and track regulatory compliance correspondence and related materials. *HRCM003

City has several document management systems but they are not centralized. Materials mostly stored in manila folders.

Yes H Put a process in place which identifies those documents which need to be centralized and procedures on how those documents should be moved to a centralized repository (imaged and paper-based)




Now | Future

End-State Vision


Statutory reports are standardized, produced automatically from the HCM system, and distributed electronically where possible. HRCM004

Payroll statutory reports (W-2, tax filing) are produced from PAY/PER. Pension, New Hire reporting is done from the system. Manual reporting for OSHA and possibly others (EEO).

Yes H Collect information in CHRIS so that statutory reports can be produced.

Management receives recurring education and progress/alert reporting concerning diversity programs and regulatory compliance. HRCM005

Made available through Citywide Training; People Team presentations, Columbus*Stat.Diversity, drug & ethics, sexual harassment training is mandatory for new hires. Depts. can request.

Yes H As part of an automated workflow, management would be notified of any regulatory requirements

Compliance, audit requirements and appropriate fiduciary responsibilities are stipulated in all third-party agreements. HRCM010

This is current practice. Yes L Continue best practice




Now | Future

End-State Vision


All relevant data privacy regulations are addressed through user education, preventative controls, and compliance reporting *HREI034

Role based security with userids and passwords for system access.

Yes M Better validation that role is appropriate.

Employment verifications are outsourced and/or automated. HREI035

Manually done in-houseCentral payroll will do basic information; active/separated, title, hire date. More detailed go to the depts. Does not seem to be an issue. (No need to outsource).

Yes H Review and document verification process.Train on what can be verified.Conduct outsourcing assessment.

Comprehensive data retention, disaster recovery, and business continuity strategies are in place and tested regularly

*HREI036

In process of putting in secondary data center. Not sure if DR site is available presently. Backups stored offsite. There is a retention strategy for backups.Business continuity planning needs to be completed.Original plans by dept. have been documented. No regular scheduled testing of strategies at the moment except for power fail.

Yes H Complete strategies/plans for disaster recovery, business continuity.Ensure processes have been documented.Obtain processing agreements with other 3rd parties where applicable.Periodic testing of all strategies.




Now | Future

End-State Vision


Employee access and rights is updated when ever their position or status changes. HRMR003

Process is not automated. Requires manual notification and update.

Yes H Automated notification of status changes that impact security.

The HRMS allows for ease of recurring and ad-hoc reporting (regulatory and management). HRMR004

Standard recurring reports are distributed but system has no ad-hoc reporting capability.

Yes M Provide ad-hoc reporting capability to trained users.

Manager self-service approvals have a defined time-out period and escalates after time-out period has expired. HRMR005

No manager self-service capabilities.

Yes H Implement Manager Self-Service with escalation notifications.

HR routinely reviews vendor performance, including SLA's, pricing, employee satisfaction levels as part of contract renewals and renegotiations. HRMR006

Vendor contracts are reviewed every 3 years prior to renewal. Contract performance is continually reviewed.

Yes L Not many vendors outside of benefits and drug testing.

the journey to world-class data management, reporting and compliance best practices presented to:...

Documents