A human resources information system (HRIS) can be a huge boost to startups and compliance programs. But when is the right time to implement one?
For our team, all Big 4-trained auditors, it took some time to understand how many of our clients don’t have a HR function. Nobody would dispute the importance of Human Resources in any organisation: it ensures employees are well-managed, supported, and delivering the best outcomes for your business. But the reality for many startups, especially those with fewer than 20 employees, is that it’s often not viable to have a dedicated HR function. That doesn’t remove the necessity of HR, or mean HR practices are poorly managed; it just means it’s another responsibility that falls to the founders or other team members in addition to their other daily role(s).
HR is important in its own right, but it also plays a significant role in information security and compliance. That role runs from how you identify, attract and select employment candidates with the right ethical values and sound character, through to effective onboarding, training (including security awareness), performance reviews, clearly articulating and documenting the roles and responsibilities of individuals and teams, company policies and employment contracts, and the corporate governance that’s often grouped into HR as well.
Some businesses opt to outsource their HR in the early days, while others take the software route to reduce pressure on those who take on the HR responsibilities. Using a HR information system (HRIS) like BambooHR or Employment Hero can both bolster your HR capability and simplify and improve your compliance program. This software can track hiring and onboarding flows, acceptance of policies and employment contracts, performance reviews and training, and the documentation of roles and responsibilities, and it often has a flexible design that can incorporate many other compliance activities that may be bespoke or tailored to the company.
When is the right time to implement a HRIS?
If you haven’t already built the business case for it, your compliance goals may get it over the line. A HRIS is a big help in implementing your compliance program, especially in some of the trickier topic areas. And compared to the security and compliance platforms that are often used for the same purpose (albeit broader in scope than the HR controls), the fees are a lot lower and there’s value beyond compliance outcomes. So our recommendation is to implement a HRIS as one of your first steps in pursuing SOC 2, ISO 27001, CSA STAR, Consumer Data Right accreditation, HIPAA, or other similar standards.
How can you implement a HRIS to solve compliance and support a robust HR capability?
Most software companies provide onboarding support, which can help you get set up with the practices mentioned above. Many of these practices are straightforward to set up if your team has operated them “manually” before and can now replicate that in the HR system for central tracking and consistency of process.
Here’s a little checklist you may use to implement your compliance practices in your HRIS:
Step 1: Define the onboarding flow and steps. This ideally covers candidate recruitment activities, onboarding, and initial setup tasks in an interactive checklist that tracks completion and can assign owners and sign-offs for the tasks.
Step 2: Add your policies, contracts and employee handbooks. These templates/policies should be stored in your HRIS and linked to onboarding steps for employee access and sign-off.
Step 3: Implement performance reviews and security awareness training. These two standard compliance activities can be done in many different ways; your HRIS provider is likely to have templates or partners that can support these areas. In any case, set them up as recurring tasks and track their completion in your HRIS.
Step 4: Document an organisation chart. You can build this in the software or upload one you’ve prepared separately, then update it as part of the onboarding/off-boarding flow.
Step 5: Define the off-boarding flow. This is a checklist of items to remove access, return the laptop and IT equipment, conduct an exit interview, and complete any other steps.
About AssuranceLab
AssuranceLab is a modern cybersecurity audit firm that provides assurance reports (ASAE 3150, SOC 1/2, and more!). Our award-winning, free software has helped over 500 companies prepare for their compliance goals. We're experts in the latest software and cloud providers. We guide your team through the compliance practices in a way that fits your environment and culture. We work closely with clients through our agile and collaborative approach, saving time, costs, and headaches along the way.