Payroll data is critical, and the consequences of losing it are steep. Learn how to create a strong payroll disaster recovery plan to protect employee data.
IT assets and physical infrastructure are high priority for disaster recovery planning, which should address an all-important source of critical business data: payroll.
Keeping employee payments consistent, accurate and on time is critical, especially in times of crisis. A disruption in payroll systems has the potential to damage trust in the company, cause operational delays, leak sensitive personnel data and violate compliance regulations.
A payroll DR plan can help make sure that the payroll function is safe from unplanned disruptions. This article will outline what a payroll disaster recovery plan is, why it is necessary for business and how to build one. It also includes a payroll disaster recovery checklist to manage the process from start to finish.
Types of payroll systems
Payroll generally works in one of two ways: The company handles its own payroll using specialized payroll software, or it uses one of the many third-party payroll service providers. Hybrid arrangements are also possible.
Data protection and security management are critical activities for organizations to ensure that payroll data is less vulnerable to cyberattacks.
A payroll disaster recovery plan is essential if payroll is company-managed. The organization is responsible for capturing and processing all payroll-related data and storing it in secure databases for use by the payroll software. In this situation, the organization faces the same risks, threats and vulnerabilities as with any other IT-managed systems and applications.
Data protection and security management are critical activities for organizations to ensure that payroll data is less vulnerable to cyberattacks.
By contrast, a payroll service company handles nearly all aspects of the payroll process. The customer provides relevant data to the service company, which then securely stores it for future payroll processing. Third-party organizations that handle this type of data often have sophisticated DR plans in place as well as vast storage resources that can maintain virtually unlimited payroll records in secure locations.
Payroll service organizations also have extensive security infrastructures to prevent unauthorized access to payroll data from a large variety of malware attacks, such as phishing, DDoS and ransomware attacks. The biggest challenge in this type of arrangement is typically the loss of connectivity to the service provider, such as from the loss of internet access.
There are several types of payroll software that organizations might use.
Why a payroll DR plan is important
Most organizations, regardless of size, have some level of payroll activity. If the organization manages its own payroll, IT departments must make sure that the systems and data are protected from the effects of natural disasters, cyberattacks, human error, and equipment outages or failures.
Loss of payroll processing can be a serious event for an organization. Without payroll, employees will not be paid, state and federal taxes will not be processed, and benefits might be at risk.
Payroll systems also provide various reports for accounting and finance departments. Some of these reports might be required by government agencies, and failure to deliver them on time can result in fines or other penalties.
Elements of a payroll disaster recovery plan
A payroll disaster recovery plan is essentially the same as any other DR plan managed by an IT department. However, the sensitive nature of payroll data adds another level of complexity to the process. A payroll DR plan should include the following components.
Statement of intent
This describes the nature of the plan and why it is being developed.
Company policy
Assuming the company has a policy on payroll, it should be included in the DR plan.
Overview and objectives
This section outlines what is to be accomplished in the plan.
Contact information
Contact information for all DR plan team members, vendors, suppliers and other stakeholders should be included in a payroll DR plan. This ensures that the key players and interested parties can be contacted when a disruption occurs.
Roles and responsibilities
This section describes who is responsible for preparing and managing the DR plan. This might include technology teams responsible for managing the payroll application and databases, and emergency teams that handle the recovery and resumption of the payroll system and data after a disruption.
Emergency response procedures
These procedures specify what is performed when a disruption in the payroll system is identified. They can include specific diagnostics available in the payroll software to pinpoint the issue.
System recovery procedures
These steps are followed to recover the application and return it to normal operations. These procedures can be especially important if the payroll system and databases are running in a cloud infrastructure instead of an on-site installation.
Network recovery procedures
These procedures will vary depending on how the payroll system uses network technologies to operate. In cloud-based applications, network technology is essential when communicating with the payroll system.
Data backup procedures
Protection of payroll data is essential, and anytime the payroll database is changed, the changes should be backed up to a secure location.
Data recovery procedures
These steps should specify how to recover payroll data so that the payroll process can be resumed. To ensure that employees are paid, it might be necessary to launch a basic payroll run and make any adjustments in a subsequent payroll cycle.
Awareness and training activities
Employees who handle the payroll system must be trained on potential disruptions and how to initiate emergency recovery procedures. It is also important to inform employees and senior management who are not directly involved that the payroll DR plan is in effect.
Plan testing and updating
Tests and updates are essential to make sure that employees can recover and restart the payroll system and perform ancillary tasks in advance of an actual event. If changes are necessary, implement them as soon as possible and make sure to test that they work.
A payroll DR plan is a living document. Establish a schedule of periodic reviews and tests to make sure that the plan is current and fully actionable.
Steps to develop a payroll DR plan
When creating a disaster recovery plan for payroll, first determine if the payroll system is included in an overall corporate technology DR plan or if it is a standalone plan. In the former, the payroll system, database and network recovery activities should be a section in the main DR plan.
In the latter, the standalone plan would include the same procedures for recovering the payroll system and databases, except that all the relevant activities are assembled into a unique plan.
Steps to take when developing a payroll DR plan include the following:
Secure management approval and funding to develop the plan.
Establish a plan development team.
Create a project plan to provide oversight to the process.
Perform a risk assessment to identify the risks, threats and vulnerabilities to the payroll system and its database.
Develop strategies to facilitate payroll recovery and resumption in a disruptive event. These typically include payroll data backups, backup copies of payroll systems and network service resilience.
Develop incident response procedures that specify the initial steps to take when a payroll system interruption is detected.
Develop recovery procedures to address the payroll system, databases used for payroll and network services. If the organization is using a cloud-based system, it must coordinate with the cloud vendor, which likely has its own disaster recovery process.
Develop procedures to validate the successful recovery and resumption of payroll processing.
Test the plan to validate that the payroll system and its database are recoverable.
Review the plan with payroll application vendors, cloud vendors and other relevant parties.
Set up a continuous improvement schedule of tests, reviews, audits and other activities to ensure that the plan is up to date and actionable.
Payroll disaster recovery checklist
Once an organization has implemented a payroll disaster recovery plan, the time might eventually come to use it. When faced with a potential payroll system disruption, consider the following steps before, during and after an incident:
This article has focused mostly on customer-managed DR plans or cloud-based DR implementations. In situations where a reputable and experienced payroll service company is used, determine how it approaches disaster recovery. Pay particular attention to payroll data protection, payroll system recovery and network recovery.
While DR might no longer seem to be an issue, assuming the payroll company's expertise, be sure to regularly check in with the vendor to verify that payroll processing is being performed successfully. It might be useful to have a service-level agreement that specifically addresses disaster recovery, or perhaps DR can be part of a larger and more inclusive SLA.
Paul Kirvan, FBCI, CISA, is an independent consultant and technical writer with more than 35 years of experience in business continuity, disaster recovery, resilience, cybersecurity, GRC, telecom and technical writing.
Dig Deeper on Disaster recovery planning and management
