TRANSCRIPT
GSX, Las Vegas 25th Sept 2018
RISK-BASED PRE-EMPLOYMENT-SCREENING
Bernhard Maier
What is Pre-Employment-Screening (PES)?
1 Also known as 'Vetting' or 'Background Check'
2 Systematic collection of information on an applicant
3 Risk evaluation of the applicant
4 No evaluation of the applicant's qualification (responsibility of HR)
Why conduct PES? How about ROSI (Return On Security Investment)?
Reduction of risk:
1 Financial loss
2 Loss or damage of goods
3 Reputational harm
4 Physical injury
Additional reasons:
5 Duty of care
6 Compliance (international standards like ISO 37001)
7 Reduction of management liability
Classical Approach versus Risk-based Approach
Classical Approach
- Checklist of searches
- Clear instructions on sources and databases
- Easy to handle (ticking boxes)
- Limited to one jurisdiction
Risk-based Approach
- Risk assessment of the vacancy
- Definition of a screening goal
- Search for suitable sources in order to meet the screening goal
- Worldwide applicable
Challenge of PES
Applicant: protection of privacy and personal data
Employer: comprehensive understanding of the applicant
Solution: Squaring the Circle
Restriction to relevant information (width of screening), gathered in an appropriate way (depth of screening).
Principles of Screening
1 Transparency
2 Consent
3 Impartiality and Fairness
4 Relevance and Appropriateness (Data Minimization)
Four Steps of Screening
1 Prepare/Plan
- Operational responsibility
- Management override
- Risk profile of vacancy
- Width and depth of screening
- Definition of red flags
2 Search
- Identify sources
- Investigation of information
3 Loop
- Applicant's statement
- Expose fraudsters
4 Decide
- Evaluate findings
- Recommend hiring or rejection
Prepare/Plan: getting started
1 Operational responsibility: who does the screening? Security-/fraud-management, HR, compliance, external service provider?
2 General rule: no employment after negative screening. Fixed procedure for management override required (proof of necessity and risk mitigation).
3 Definition of red flags (typical no-gos)
Prepare/Plan: the Applicant's Risk Dimensions. What makes an applicant potentially risky?
Political extremism, religious fundamentalism
Financial turmoil
Concealment of identity or residence
Misrepresentation in CV
Addiction
Lack of integrity
Prepare/Plan: Risk-profile Matrix I. How to assess the vacancy's risk?
Identification of relevance: Is it risky to fill the vacancy with someone who has extreme political views, financial troubles, conceals identity … ?
Internal and external perspective: Who could be harmed? Employer, coworkers, customers, non-related third parties?
Estimate extent of risk: Low, medium or high, by considering the highest possible damage.
Set the risk level: When internal and external views show different risk levels, the higher of the two counts.
Prepare/Plan: Risk-profile Matrix II
Result for the example vacancy: 3 high-risk dimensions, 1 medium-risk dimension, 2 low-risk dimensions. The matrix shows the relevance of screening for each dimension.
Prepare/Plan: Choice of Screening Depth
3 high-risk dimensions (concealment, addiction, integrity): intensive screening
1 medium-risk dimension (extremism): regular screening
2 low-risk dimensions (financials, misrepresentation): no screening
Together these choices make up the appropriate screening for the vacancy.
Prepare/Plan: by the way…
1 Screening of the dimension 'Concealment of Identity/Residence' is obligatory (at least a superficial check).
2 Use expertise from the department of the vacancy for the risk assessment (COSO: handle risk at the place where it occurs).
Checklist Risk Assessment
1 Is there access to assets or confidential information?
2 Is there decision-making authority? What is the distance to the board?
3 Does the job allow to control processes and alter them?
4 Does the person work with a vulnerable group (children, elderly, disabled)?*
5 Would the position be difficult or costly to replace in case of a bad hire?*
6 Would a falsification of skills put the employer at risk?*
7 Does the position require the worker to enter private homes or facilities?*
8 What degree of supervision is the worker under?*
*Source: Lester Rosen, The Safe Hiring Manual, Tempe/AZ 2012, page 245
Prepare/Plan: Definition of Red Flags
1 Typical no-gos
2 Should be defined prior to the screening.
3 Recommended: zero tolerance for misrepresentation.
Search: Sources of Information
1 OSINT (internet, media, public records)
2 HUMINT: references (former employer, people named by the applicant, school/university)
3 Other sources: drug screening, psychological tests, polygraphing.
Search: Regulating the Depth
1 Extending the period under review
2 Multiple sources from the same category
3 Multiple sources from different categories
4 Practical approach (deep = 3 sources, regular = 2 sources)
Search: by the way…
1 Always ask for the original diploma or a certified copy.
2 Otherwise check the date (usually no weekends or holidays) and ask the issuer for confirmation.
3 HUMINT: assess the credibility of the source (biased information).
Checklist Verification of Documents (Source: Marco Löw, Falle Bewerbungsbetrug, Hohenlinden 2011, page 33)
1 Dates given as years only can cover gaps in the CV.
2 Documents of different issuers are alike (format, font, wording, spelling mistakes).
3 Document issued on a weekend or public holiday.
4 Deviation within the text (font, size of characters, space between lines), in particular with name and date of birth.
5 Does the document bear the right company logo according to the date (change of logo)?
Loop: Why 'Loop'?
Looping allows you to look at things from various angles.
This is necessary because information is not always self-explanatory.
Loop: Interview with the applicant
1 Give the applicant a chance for disclosure (negative information) at the very beginning without losing face.
2 Negative findings: ask the applicant for an explanation (principle of fairness).
3 Address gaps in the CV.
4 Expose fraudsters by using specific interview techniques and looking for verbal or physical signals of lying.
Loop: interview techniques to expose fraudsters
1 Ask about minor details and side issues (regional food, local infrastructure, recommendations, local peculiarities)
2 Insistent questioning
3 Repeat questions, differently worded
4 Monitor response-time behaviour
Loop: Mnemonic "Ted's PIE". How to make the applicant speak?
TED'S
- T: Tell me
- E: Explain to me
- D: Describe to me
- S: Show me
PIE
- P: Precisely
- I: In detail
- E: Exactly
Loop: Clues of Deception (Source: ACFE, The Fraud Examiner's Manual, digital international Edition 2016, page 3.349)
Verbal
1 Change of speech pattern
2 Repetition of the question
3 Selective memory (detailed knowledge vs lacking details)
4 Turning aggressive and answering with a question
Physical
5 Manipulators
6 Crossing arms / crossing feet under the chair
7 Hand over the mouth
8 Fleeing position
Decide: Evaluation of negative Findings
Frequency: How often did the applicant go astray?
Recency: How recent is the applicant's deviation?
Intensity: How serious are the applicant's deviations?
Decide: Recommendation
1 Recommend to hire
2 Recommend to reject
3 Management override must follow a specific procedure
Take-aways: What do I know now?
1 Get away from the checklist. Instead, define screening goals.
2 There are 6 risk dimensions of an applicant. The risk-profile matrix shows which of them are relevant.
3 Design the operational screening (information gathering) according to the risk assessment.
Thank you for your kind attention!
Contact:
facebook.com/bernhard.maier.90281
www.bm-investigations.at
[email protected]