Platt Perspective on Business and Technology

Meshing Human Resources processes with business complexity 4: due diligence and risk management evaluations 2

Posted in HR and personnel by Timothy Platt on January 3, 2014

This is my fourth installment in a series on the new and emerging workplace, and developing personnel policy and practices to better meet the needs of a 21st century business (see HR and Personnel, postings 190 and following for Parts 1-3).

In Part 3, I began a discussion of taking a risk/benefits approach to developing and evaluating Human Resources policy, as it sets the terms of engagement in which employees work. My primary focus there was on the benefits side of this, with specific attention placed on worker productivity and on benchmarking employee work performance for flex-time, job sharing, telecommuting and other terms of engagement that might be considered non-traditional.

I then began a discussion of the risk management side of this set of issues, and more specifically of the potential risk of loss of control over sensitive business-held information, depending on when, how and where employees perform their work for their employer, and under what terms. This, I add, becomes particularly important when employees who need to use sensitive and potentially sensitive business information work outside of the business and its directly managed information and other security systems. My goal for this installment is to at least begin to more fully discuss that:

• And from the perspectives of both Human Resources and Information Technology,
• And how those often disconnected and even disparate perspectives need to be coordinately developed and managed here,
• As a fundamental part of the business’ overall strategic planning and its operational systems.

I begin examining this from the Human Resources side and by citing a relevant posting to a separate but related series that I have been listing on my Business Strategy and Operations – 3 directory page: Information Policy Best Practices 4: the Finance and Human Resources departments’ perspectives. (And also see that same series’ Part 2: the Information Technology Department perspective.)

I wrote in that about the Human Resources side of a business’ overall information policy per se, but primarily from the perspective of how HR personnel collect, access and use sensitive and confidential information that would be required specifically for their own work.

• I expand its discussion here to address Human Resources policies and procedures for managing terms of employment impact on overall information policy in place, as employees managed under HR personnel policy collectively access and use the full range of business information that their employer holds. And it is going to become increasingly common for employees who pursue non-traditional terms of employment career tracks to need to access and use larger and larger amounts of more and more types of business-held information.
• And this can become particularly important from an HR policy perspective, when employees enter into non-traditional terms of employment that specifically require that they be able to access, use and store business information outside of their employer’s in-house firewall and other information security resources in place.

Human Resources manages ongoing employee training, even when specific training modules are taught hands-on by personnel from other departments (e.g. Information Technology and the Risk Management or Due Diligence office personnel for information policy best practices training). HR keeps track of who is required to receive what training in safe information use and management practices, with that determined by employee title and position held and, where necessary, by specific work responsibilities assigned. And it is, or at least should be, HR’s responsibility, working with the managers of these employees, to get them scheduled for appropriate training and to monitor when they take it and how they perform in it, with all of this entered into their permanent personnel records.

If it is found that an employee has violated mandated secure information practices, this should be brought to the attention of their direct manager and of appropriate personnel from Human Resources and Information Technology, so they can come together to hold a hearing on this matter, with other stakeholders brought in if and as necessary for the specific case. And the fact of this hearing, who has participated in it, any outcome determined from it and any follow-up action should also go into this employee’s personnel records.

Information Technology holds the expertise from a technology perspective, required to develop best practices for employees to follow here. Human Resources holds the expertise on terms of employment and how they do and do not connect into and support the business and its overall operations. Together, they can develop and manage information policy that can address the challenges of outside access to in-house business intelligence, and for how best to secure it safely when off-site from the business and as a matter of basic enforced employee practice.

I wrote in my series: Information Policy Best Practices as cited above, of how the full range of departments and services in a closely integrated, effective business need to participate in and be involved in developing overall information policy. And here, simply considering information management and coordination between HR and Information Technology:

• Precise determination of who is to be offered what non-traditional, or even more traditional terms of employment should be developed with a goal of reinforcing overall information policy in place.
• And the precise terms and requirements for any given accepted and supported terms of employment should be spelled out with effective information security one of their core due diligence goals.
• So if, for example, Information Technology determines as a matter of departmental policy that certain types of out-of-office work can only be done where the employees performing it can connect into the business’ networks and computers through a virtual private network (VPN), then this should go into their description of telecommuting or business-travel terms of employment. And use of this type of resource should be added into the required training that off-site employees would take. (Note that any such technology selection-based decision is going to be predicated on the current cost-effectively available and implementable state of the art, which constantly changes, so policy predicated on this has to be updated on an ongoing basis too.)

I am going to continue this discussion in a next series installment where I will more explicitly review and explore these issues from an Information Technology perspective. Meanwhile, you can find this and related postings at HR and Personnel.
