Investing in access for HR

On the cusp of implementing a Workday transformation, the human resources organization of a U.S. financial services firm had the opportunity to jump-start a broader enterprise role-based access program that could reduce risk, streamline access, and provide a better user experience. Wary of giving up too much control to the Workday cloud solution, HR wanted to maintain the same rigorous security standards it already had but take full advantage of a whole new category of technology.

The organization also wanted to avoid additional complexity in what could easily be the biggest HR system implementation the company would undergo for the next 20 years.

In designing the Workday system for the company's human resources organization, KPMG considered the impact of roles from an end-to-end enterprise perspective and created a consistent, common framework that allows HR to:

• streamline the access request process by job function rather than by individual user and automate provisioning

• improve the user experience by providing access within a day or less, rather than weeks, and lay the foundation for future automated capabilities

• reduce the risk of unauthorized disclosures by eliminating access to sensitive data and high-risk processes

• standardize access to key HR business processes and data and better comply with evolving regulations

• make managers more effective by giving them secure, mobile-enabled tools and a level of interface designed for those who are not experts in HR transactions.

Having just worked with the firm on an engagement related to mapping and improving enterprise access, we could accelerate the design of application roles within the new Workday platform because we knew which applications and systems needed to be consolidated into Workday. Even if the firm wanted to follow the full road map we developed, there weren’t nearly as many systems for which the firm needed to manage access, but it still needed to link all those systems together for maximum efficiency.

Working against an ambitious time line, we quickly convened resources from KPMG cyber security services and from our HR transformation team to drive towards a stronger, better access structure inside Workday and the surrounding HR technologies while reducing the burden on the resources of the financial services firm.

Using the KPMG Powered Enterprise suite, we bypassed the months it can take to tweak access for different HR roles and created a set of standard roles for Workday that encompassed 80 to 90 percent of what clients typically need. For the remaining HR roles, the KPMG Powered Enterprise suite modeled them to apply to the applications not being replaced by Workday. That meant the firm no longer had to manually provision access. One system— automatically providing access to Workday and non-Workday systems—could be managed by the firm’s existing cyber processes and tools, further reducing risk.

In less than six months we:

• determined who was involved in each in-scope process, analyzing 20 business processes and identifying more than 60 process improvements

• defined 26 enterprise roles where none were defined before and identified which roles required different security access, producing a trackable, auditable way to identify and govern access

• classified more than 35,000 users (70 percent of the workforce) as needing standardized access

• ranked risk access in each of 16 HR applications, identifying 500 application roles and concluding that 44 percent should be considered high risk

• mapped specific application access to job roles, discovering that 164 application roles could be consolidated or removed and that 40 percent of users had access to sensitive data.

As a result of our work, the firm has a stable and secure platform that supports human capital, digital enablement, expanded privacy laws, and improved efficiency.

Improving security is an opportunity to improve the business as a whole

Implementing a role-based access control project has a significant impact on managerial effectiveness and operational efficiency. Focusing on business outcomes can help determine the right access, data and tools to give employees.

The HR and security organizations can collaborate more closely

When HR captures the data necessary to assign roles to employees—rather than basing access on each individual user’s needs—access management becomes easier for security organizations.

Workday is an excellent proxy for broader cloud transformation efforts

Many of the activities and processes necessary to implement Workday are patterns that can be adopted for other cloud technologies.