By Sharon C. Tayfield, MCIPP
Rising inflation and the increasing need to lower production costs have moved businesses to set up service centres in locations that have a lower cost structure than the one from which they are providing service. It is no surprise then that global payroll has joined this growing trend. Payroll leaders need to be prepared for these conversations and prepared to add value to the debate.
What follows are the considerations as one evaluates the location for an offshore shared service centre (SSC) as well as the ownership of the SSC.
First Step - Macro Assessment
The first decision to consider when looking at an offshore SSC is around the location and ownership of the SSC. If the organisation already has a footprint in a lower cost jurisdiction, then growing the headcount there by adding a service line for payroll may provide an easier option than finding an independent organisation to provide payroll services.
If your organisation (or “parent” organisation) already has an established legal entity (“child”) in the region, it is still critical to evaluate several macro and micro points to determine whether it would be a good fit for your payroll service line.
The following are some macro items that need to be assessed whether you use an independent organisation or a “child” entity:
- Ownership: Recheck and verify the ultimate ownership and shareholding of the “child” entity. Are all shareholders natural persons, and do any of the shareholders have a leadership role within the entity?
- Leadership: Confirm the leadership and the day-to-day operational leaders and evaluate whether placing the payroll services into this “child” entity would be a challenge and whether the current leadership have the skillset to take on managing a team who would provide the payroll statement of work. Does the current leadership want to take on the additional responsibility and support it properly? What do the service level agreements (SLAs) and key performance indicators (KPIs) for existing service lines look like? Can you speak to current “customers” to get a better idea of how services are being delivered? If you know that service is below par for existing services, you may need to gather more information to support any proposal to go “external.”
- Governance: Review the governance structures already existing within the “child” entity and the reporting mechanism currently in place for reporting into the “parent” entity. One should also consider whether any changes need to be made or any extra reporting put in place to cover payroll governance. (GPMI has published several articles covering governance.)
- Financial stability of the region and the entity/trading stability: Consider whether the current “child” entity is financially profitable and stable. Is the entity within a region with economic stability? This is particularly important in today’s climate of inflation. What is the growth strategy for the region as well as for the proposed SSC and your own organisation? What is the competition like in that location for the resources you are looking for and what effect does this have on costs?
- Cultural alignment: Are values and cultural aspects in the “child” location aligned with the “parent” location? Would growth in headcount be able to take place in the current location? An important consideration is whether there is a pool of resources in the location and whether the skill set matches the required skills. Is there a support structure in place for new headcount from an HR perspective or can that be put in place very quickly?
As indicated, all the macro points covered above would also be required to be completed for assessing the suitability of a third-party provider.
Next Steps - Micro-Level Assessment
Once an assessment has been made of these macro points and the outcome is favourable, then the next steps would be to proceed to a due diligence of some micro-level aspects of providing a payroll service from an offshore centre.
The following are some micro items to consider:
- Data security: Ensuring data security and adhering to the General Data Protection Regulation (GDPR) are fundamental cornerstones to any global payroll service. In assessing the suitability of a remote location to provide support in delivering global payroll operations, a review of whether the existing management structure has a sound understanding of GDPR requirements should be undertaken. Your research should include whether there is legislation of a similar nature in place in the region or if the contractual relationship exists to provide assurance that data will be “safe” and can be shared for work to be undertaken. This assessment is critical. Without it, data cannot be shared, and no data means no service centre. This assessment should also include your contracts with your own customers—if you provide services to third parties—to ensure data can be shared appropriately.
- Access control/building security: An assessment should be undertaken of the physical security of the premises. Is there access control or biometrics in place? Will the workspace allocated to the team supporting the workstream be segregated and secure? It is important to remember that payroll by nature has significant amounts of PI (personal information) data under its control and therefore the controls in place to restrict access to the workplace should not be overlooked. Whether there is biometric access control, a card reader system, or a keypad (PIN code), there should be evidence that a report is being reviewed by the senior management against their current staff list. There should also be evidence that a visitor’s log is maintained and regularly reviewed by senior management. In addition, visit the location and find out for yourself if the security staff leaves the door open while taking a break. Are you challenged on entry, or do they treat you differently as a VIP?
- IT physical security and control: Alongside the physical access to the workplace, the controls in place around IT equipment and the control over this should be thoroughly reviewed. All computer equipment should have password controls in place for system inactivity. Password settings should be reviewed to ensure they meet your organisation’s minimum requirements (e.g., at least eight characters with a mix of alpha and numeric). For access to a local server, account inactivity parameters should be set so that the user ID automatically expires if not used for a period. The common standard is 45 days or more. Password change parameters should require the passwords to be changed at least every 90 days. If any payroll software will be stored on a local server, checks should be undertaken to see whether local management have existing controls in place to review access to specific software. Where possible, there should be specific folders set up for different sectors of the business. A control should be in place for starters and leavers with regards to access to the servers and IT software. This should also be reviewed, and evidence of the review should be available for examination.
- IT security certification and compliance (including ISO 27001): IT security should never be underestimated. It is imperative to check IT security certification, as having this indicates certain controls are in place. Should the location not have any certification in place, then further checks may need to be considered and/or undertaken. If you are looking at an external provider, or if the “child” is not wholly owned by your organisation, you may be required to submit to an IT due diligence exercise—be clear of your procurement and IT security policies.
- Contracting: This is less important if the site is already part of the group, but if this is a “child site,” a detailed statement of work (SOW) should be put in place to ensure that the scope of work is clearly understood. The SOW should include SLAs and KPIs. If a third party/independent organisation has been identified as a service provider, then an assessment should be undertaken of the ease of concluding contracts with that location and should cover which legal jurisdiction will be used in the event of any disputes.
- Employment of staff/team members: Discussions and a review should be undertaken of the current process in the location for recruiting and onboarding new staff. Does the process meet the requirements and are the experience and skills required—both technical and non-technical—clearly understood? Are the external job advertisements correctly reflecting the skill set and job specifications? Does the recruitment team fully understand how/when/where the team will be working? For example, what are the hours of working and what time zone? Where will the team be based—office, home, or hybrid? A further consideration is whether your involvement is needed initially in either the interview or onboarding phases to ensure correct standards or whether a second review should always be undertaken. If your direct involvement is required, how do you get them to be self-sufficient?
- Business continuity plans: Following the past two years of dealing with COVID-19, no business should overlook business continuity plans (BCP) in any due diligence they undertake. Evidence should be available of an actual plan as well as whether the plan is amended after any requirement to activate a BCP and whether it has been tested.
The BCP should identify the lines of communication and authority in declaring a BCP event and cover each of the payroll processes and procedures and what steps would be taken for each of those in a BCP situation. In addition, it should identify the points of failure that could occur with the processes linked to those points and then categorise the impact of the failure as well as the action to be taken (see the table as an example template).
BCP Process Points of Failure, Impact, Action Examples
It is important to include an in-case-of-emergency break glass process that should be used if all other plans are unable to be invoked. This might involve making payments to the employees according to a three-month rolling average. This data would need to be kept up to date and should ideally be housed in more than one location.
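The access review described under “IT physical security and control” can be evidenced with a simple reconciliation of a server account export against the current staff list. The following is an added example, not part of the original article; the field names, sample records and review date are constructed, and treating 45 days as the inactivity cut-off is an assumption based on the figure quoted above.

```python
from datetime import date

INACTIVITY_DAYS = 45    # article: unused user IDs should expire (45 days quoted)
PASSWORD_MAX_AGE = 90   # article: passwords changed at least every 90 days

# Constructed sample data: HR staff list and a server account export.
STAFF = {"E1001", "E1002", "E1003"}
ACCOUNTS = [
    # user_id, employee_id, enabled, last_logon, password_set
    ("asmith", "E1001", True, date(2024, 5, 28), date(2024, 4, 2)),
    ("bjones", "E1002", True, date(2024, 3, 1), date(2024, 2, 20)),
    ("cwhite", "E0950", True, date(2024, 5, 30), date(2024, 5, 1)),
    ("dgreen", "E1003", True, date(2024, 5, 31), date(2024, 1, 15)),
    ("eblack", "E0901", False, date(2023, 11, 3), date(2023, 9, 1)),
]

def review_accounts(accounts, staff, today):
    """Return {user_id: [findings]} for enabled accounts that breach a control."""
    findings = {}
    for user, emp_id, enabled, last_logon, pw_set in accounts:
        if not enabled:
            continue  # already disabled: leaver process or expiry has worked
        issues = []
        if emp_id not in staff:
            # Leaver (or unknown person) who still has working access.
            issues.append("not on current staff list")
        if (today - last_logon).days >= INACTIVITY_DAYS:
            # Should have expired automatically but is still enabled.
            issues.append("inactive but not expired")
        if (today - pw_set).days > PASSWORD_MAX_AGE:
            issues.append("password older than 90 days")
        if issues:
            findings[user] = issues
    return findings

if __name__ == "__main__":
    report = review_accounts(ACCOUNTS, STAFF, date(2024, 6, 1))
    for user, issues in report.items():
        print(f"{user}: {'; '.join(issues)}")
```

A dated copy of this output, signed off by the reviewer, is the kind of evidence the due diligence should expect to find on file.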
There are clearly additional points to evaluate in the process of reaching a decision on whether an offshore SSC is the correct business model to take and whether the locations being considered are the best fit for the organisation, but these form the start of that process.
Whatever evaluation is undertaken, peer review of the evidence is highly recommended: it will help the overall decision-making process, and the investment (both time and money) in setting up an offshore SSC should not be underestimated. The key is to get the critical stakeholders and decision makers aligned for success.