Does your organization have an active program that conducts reference checking on employees before they are hired? Ownership of the pre-employment vetting process does not often reside with the security function within the organization. Some companies outsource background checks to third party organizations to share the task. Many of these policies are impacted by legislation, and limitations can be imposed on the use of various vetting methods.

Within the security community itself, there continues to be a lot of discussion on just how thoroughly this is accomplished. From the HR side, there can be questions regarding which background elements are relevant to the roles being hired, as well as cost and time affiliated with the processes.

 It’s generally accepted that if a candidate falsifies major elements of their employment (i.e. education, employment history, etc.) on their application they will be rejected. The areas in which this is less clear are those related to ethics, reputation, professional and operational skills. These less obvious attributes are really the key identifiers in most job descriptions, but validating them becomes very nebulous.

Due to regulations, many companies and managers may be reluctant to provide information regarding former employees beyond verifying title and dates of employment. To overcome this void of needed information, security executives are often asked to assist in ascertaining an individual’s reputation, ethics and “real reasons” for the candidate having departed a previous organization. While these inquiries may result in accurate facts being developed, they can also result in collecting inaccurate conclusions based on partial facts, rumors and/or individual personal conflicts.  The nature of today’s electronic communication and the sheer volume of non-validated information published on the Internet add to the issue.

We have heard public and private stories across the years involving corporate security professionals that were factually inaccurate, but that would – were they to be accepted as fact – have a very negative impact on those subjects’ future career potential. Conversely, there have been circumstances where discrete inquiries have resulted in discovery of significantly relevant facts, such as the candidate’s involvement in and dismissal for specific egregious acts committed against an employer, customer or client.

There are many reasons why this background information does not become public even if it involves criminal conduct, either criminally or civilly. Some examples are due to the organization making a business cost/benefit decision or not having the resources or expertise to take a case forward.

The potential for litigation associated with a wide variety of criminal and civil statutes across both domestic and international jurisdictions means that both the giving and collecting of information has the potential to be risky. The reluctance to share information can then result in an incomplete or inaccurate portrait of a candidate. Even some professional associations are hesitant to consider enforcement of their own ethics guidelines unless an issue involving one of their members is adjudicated in the courts. This means that even membership and/or certifications within professional organizations may not necessarily be a useful indicator of an individual’s integrity or professional reputation.

For the security professional who is trying diligently to protect his or her organization from risky hiring decisions, we offer the following suggestions for use during various phases of the hiring process:

  1. Clearly state within the position description what your organization’s expectation is regarding ethics and reputational issues that are relevant to the position.
  2. Develop and ask relevant competency and behavioral questions during the interview process.
  3. Obtain facts that can be substantiated.
  4. Do not violate your organization’s policy guidelines or the laws and regulations within the jurisdictions affected.
  5. Encourage your organization to have a risk-based referencing process in place that goes beyond the basic transactional verifications.
  6. Obtain the appropriate consents from the candidate.
  7. Have a plan in place for how your organization will react should serious derogatory information be obtained, and put in practice an assessment methodology.
  8. Make sure that your actions are ethically and legally defendable.

There are ample indications that past behavior is a strong predictor of how an individual will function within an organization. When dealing with “people issues,” however, we should not forget that we are often dealing with grey areas and not scientific facts.

Generally the most useful and actionable information has multiple reliable and verifiable sources. If reference checking or conducting due diligence places you in a position to make a decision or recommendation that impacts someone’s career – or potentially your organization’s reputation – be confident in the quality controls both you and any third party contractor have in place.