Prevention is better than cure.
On average, it costs over £4,000 to recruit someone (source: CIPD). And The Association of Chief Police Officers (ACPO) estimates that fraud costs the UK £20 billion every year. It’s estimated that the majority of fraud-related crime is now perpetrated – or at the very least enabled – by organisations’ own employees. It’s far easier, to know who you’re dealing with before you recruit, and during your employees’ tenure.
Use a risk-based approach.
Recognise that screening is a part of (albeit, an important part of) insider threat management. A holistic view of risk will require regular audits, enforced annual leave, managed access to systems and facilities, segregation of duties, easy disclosure (“whistleblowing”) procedures, etc.
Identity is the most important check.
Failure to check someone's identity renders any further checks based on uncorroborated identity less than worthless.
Use a number of sources to ensure reliability.
Don't rely on only one check. Reliability is significantly improved by checking several factors.
Know the source of any reference.
Don't rely on employment, professional, academic references from uncorroborated individuals or organisations.
Check the authenticity of official documents and numbers.
Don't rely on a document or number, such as a National Insurance Number, without checking its authenticity with the source.
Use the right Criminal Record Checks where appropriate.
All employers have the right to ask candidates about unspent convictions for employment purposes. More detailed information about criminal history is required for (and restricted to) specific occupations and work environments.
Share information about former employees lawfully.
Don't use so-called "blacklists". Instead, consider using controlled, transparent, consensual, and secure registers to check candidates' previous conduct. And respond to reference requests from former candidates' new employers quickly too.
Use readily available research tools.
Internet searches often uncover information about individuals. Remember that this information isn't always reliable, but it can expose otherwise unreported allegations and clues prompting further, consensual checks.
Check existing employees, contactors and temporary workers regularly.
Employees' circumstances change over time, so renew checks at appropriately regular intervals, and apply relevant checks to specific risks rather than a purely hierarchical approach.
Common misconceptions
The Data Protection Act requires written consent to undertake screening.
The best information isn't publically available.
Criminal record checks aren't permitted for all applicants.
Credit checks are only relevant to financial roles.
Regulators always specify the checks that ensure compliance.
