How HDFC Life identified loopholes in data security through HR audit
With an organizational size that is upwards of 14,000 and with over 400 offices across different states, HR audits bring about the required confidence to the processes
HR audits are a proactive process that exposes possible risk areas. They allow HR professionals across the company to mitigate risk by closing loopholes, and they bring about control mechanisms to ensure that such risks are addressed in the future. At HDFC Life, there have been about five HR audits in the last five years. With an organizational size that is upwards of 14,000 and with over 400 offices across different states, HR audits bring about the required confidence to our processes. The approach has been to identify one area of HR, for example Payroll, HR Operations or Recruitment, and audit it throughout the quarter. This way we ensure that all aspects of HR are audited throughout the four quarters.
The levels at which the audit is conducted can be broadly categorized into three. The first is a self-audit, which is at the level of the individual; for this we use a business process management tool on the ARIS platform, which ensures that all the review mechanisms are adhered to. This is also reviewed by the HR functional heads, and in the future we would like to include reviews within the KRAs. The second level is the internal audit, which is conducted by a team within the organization. The third level is the statutory audit, conducted by an external party.
The principal challenge for us in HR with respect to audits has been getting new employees up to speed with the number of methodologies that are followed in the organization. The other challenge has been the gap between “resistance to change according to auditor’s recommendations” and “the need for change”. A leader in this situation needs to identify what is logical and fair with respect to recommendations. While process improvements are required at times, it is not always necessary to implement every recommendation, and sometimes it is best to reserve the recommendation as an item to be checked in the future.
Attrition and Data Security
At HDFC Life, timely audits enabled the detection of threats related to data security that were linked to high attrition rates. In the insurance sector, where there is a tendency to abscond from job responsibilities, the resultant attrition rates are at around 50 percent to 80 percent, and attrition by absconding from work accounts for around 20 to 25 percent of the total attrition. In the case of employees absconding from work, the rule in the company had been that if the employee does not report for the job for 7 consecutive days, a notice is to be sent to the employee’s home. Fifteen days after the notice is sent, the services of the employee are terminated. However, this gap of 21 days between the actual “last working day” and the “date of termination” opened the possibility of a data risk, because during it the employee still has access to company accounts; this was highlighted by the HR audit process. The HR department then decided to treat the date of termination as the last working day. There was no effect on the payroll, because employees who were absent were not paid. In case of any data infringement during the ensuing period, action would be taken just as it would be against a regular employee. By re-framing the problem along with the auditors, this issue was resolved.