2. Key considerations around compliance, risk management, and data security
Data security is perhaps even more important now than at any other time, with so much going on. Ambiguity is something we always look to avoid at SD Worx. We purposely look to make things more clear-cut. But when you're faced with a fast-moving environment like this, where there are so many changes going on, you can't anticipate every possible scenario, every possible set of circumstances.
“Compliance, data security and risk management are table stakes. For us, they are non-negotiable, and how we structure our frameworks is based upon them. For me, the biggest thing is having a process to identify them and creating a level of structure around what you do in this space.” – Helen Bailey
- The key considerations are ‘What are legal and regulatory obligations? How are you going to identify them and make sure you comply?’
- “If you can't outsource your compliance obligations, you have to own and be accountable for that yourself.” It’s important to build frameworks that let us test that processes are working as they should be.
- Create a structure that allows you to lean on experts and gather insights from the right people, so that you can put in place proportionate risk management practices and controls and assure compliance moving forward.
- It’s important to adhere to industry-standard obligations and to have controls, and tests of those controls, in place to see that they're fit and proper.
Know your risks, understand them, and ensure you build adequate controls to monitor and mitigate them. You must have a level of structure that allows you to capture and do something meaningful. Knowing something is one thing, but it doesn't help you if you don't take action.
3. How to hold third-party providers to the same standards and controls expected of your industry
We've already introduced this idea of a ‘partner’. When we're working with partners, and given that you can't outsource your compliance obligations, how can we hold third-party providers to the same standards and controls that we expect of ourselves and our industry? How can we measure their performance and hold them accountable for those standards and controls?
- We need to know partners are meeting their obligations, and we're meeting our obligations at the same time. We need a level of structure and control around this, which starts with the onboarding of third parties.
- This means having good third-party arrangements and contracts set up, where the contract sets clear expectations around compliance, risk management, or contingency. Onboarding is a critical part of being able to hold a third party to account within that contract.
- Upfront contracting, clear and ongoing monitoring frameworks, and healthy, effective relationships with our suppliers are key.
“We're open and honest in what a partnership really is. It’s a partnership to deliver success for businesses. And we believe we’re a great partner for that.” – Simon Parsons
“We at Capital One pay SD Worx to understand tax and HMRC. That’s a skill we don’t have. We’re a credit card provider. That’s why we’re seeking that skill out. And it’s a difficult balance between not being able to outsource compliance but actually buying a service that has the skill to ensure we comply, which is why I pay SD Worx to do it.” – Helen Bailey
The word ‘trust’ came up several times. Trust often means that there's an expectation, such as those set by organisations and legislators – a commonly agreed standard or a deliverable that we all want. But then there's the matter of delivering it pragmatically, consistently, legally, and reliably.
4. What a best of breed payroll looks like for Financial Services
What does the best of breed payroll system look like for financial services? How would you define that? What's the best we can expect?
“Best of breed means, to me, are they financially sound or could they disappear next week? You're trusting a lot of personal information to them. Do they have appropriate processing and quotations in place? Is it a true partnership arrangement?” – Simon Parsons
- Look at their systems and the credibility and professionalism of the qualifications of their staff – are they at an appropriate level? Is your advisor qualified? And do they know what they're saying?
- Best of breed is based on stability, history, their adaption of new technology, and how responsive they can be to change.
- Look at the credibility and the associated risk because you don't want to fall foul of legislation. An organisation that keeps abreast of government and employment change that applies to you as a client is paramount.
- Working with true experts in their fields, and building systems, processes and relationships that can respond to constant change is critical.
“SD Worx are payroll legislation experts, so why wouldn't I use them and their services as part of that relationship? True, deep subject-matter expertise and trusted partners are key to helping us manage our risk exposure. Payroll is a process that involves transferring money and involves personal data, so it must be effectively managed and controlled. A partner willing to engage with you on that and build adequate controls is key.” – Helen Bailey
- A keenness to develop and grow and evolve is key. The world around us is changing and providers are continually scanning the external environment, picking up on new ways of doing things, from processes to skills.