From our April 2003 magazine.
Alan Beazley is the director of business development at Zephon, consultancy The Risk Advisory Group’s employee screening business. He has a background in human resources (HR) and personnel management in investment banking.
Bob Fletcher joined The Risk Advisory Group in August 2000 as Director, Cyber Risk Management. He was previously the Head of Group Security Services at the National Westminster Bank. He holds a master’s degree in computer science and is a chartered engineer.
Two men from a risk consultancy with differing backgrounds discuss the need for a holistic view of security; and the costs of employment screening – and the costs of not screening. That’s against a threat profile for British industry that has changed colossally – but will it take a catastrophe to highlight that for managers?
Bob Fletcher: Too many companies partition the security process. Personnel screening in HR; insurance in risk management; electronic security in IT; physical security in property, sometimes. No-one, quite often, takes the holistic view. If it is not taken that [holistic] way, too many issues fall through the gap. There’s duplication of spend. Those who shout loudest for one budget get the funds, maybe the IT people don’t. There’s a whole range of issues. Too often we see structural problems militating against that holistic view. It’s changing quite slowly. Is sweeping rooms for bugs [the responsibility of] property services or technology? Probably both – and often isn’t done. We see frequently cases in which surveillance has been conducted against a target company and their structural deficiencies have led to a failure to spot when they are being monitored.
Professional Security: Assuming that there is a trinity of security measures – physical, electronic and personnel/screening – is staff screening the Cinderella?
BF: You are right when you say it might be a Cinderella. I believe that has to change, quite quickly. Because the vast majority of issues we see on behalf of our clients happen from the inside, whether it’s fraud, robbery or whatever. Eighty per cent of what we see involved an insider in some shape.
Alan Beazley: HR are the worst offenders – speaking as someone who has spent most of his working life within HR. It comes down to a point of cost. It seems ironic to me that so many organisations spend an absolute fortune without really questioning on the whole recruitment process – where typically you are paying anything between 15 to 30 per cent of first year salary on recruiting somebody into the organisation – which is going to be several thousand pounds – and yet are reluctant to go the extra mile to have surety with the person you believe to be the right candidate is first of all who he or she claims to be; is qualified in the way they claim to be; and thirdly doesn’t have anything in their background which might be a conflict of interest, financial pressure, whatever, which might be potentially harmful to the organisation. Much of our work is within financial services where fortunately mostly because of regulatory pressure there is an acceptance that nowadays it is important to verify the credentials and background of people you are appointing to sensitive positions. But nonetheless HR people regard it as something of a slight upon their professionalism that anybody would question the fact that producing an appropriate person for an organisation. So I think screening is in some ways the Cinderella, as you say. The reason for that is particularly in the current economic climate, firms just don’t want to spend the money. It takes either an incident or somebody at the top of the organisation to set a climate that this is an important part of the culture. We recently got a client who is a small private equity firm where the MD has a fundamental belief that this should be part of the culture of the organisation … But if you are sitting there in an organisation trying to produce a programme against resistance, it is very difficult to do.
BF: I deal with investigations in the main. We see problems after they have happened. There is a remarkable correlation between those who will defraud and damage their employer and lies in their original CV. We had a case recently in which a lady employee of a major firm based in central Europe appointed to their IT area, a director level person, actually used the CV of her husband. She claimed a PhD and she wasn’t, but she had the brass neck to carry it off and later after they had lost a significant amount of money her background was discovered. By then it was too late. So for the sake of a bit of screening they could have saved a huge amount of damage – $200m lost to this firm because of this particular person. Like so many cases she was never disciplined, never prosecuted, she just went, because it was just too embarrassing for the firm to deal with.
There is a general belief [in retail, banking] that CCTV has some major role to play in deterrence of crime, and I think that is highly misplaced. There is a lot of evidence to support the assertion that existence of CCTV and explicit monitors has no impact whatsoever on crime. It has a minor effect in my view and tends to get a disproportionate amount of management visibility. But really there are so much more important things to concentrate on, such as staff procedures and awareness.
AB: Having a screening programme in place, not something sprung upon [people] but conducted from the outset, is a powerful deterrent.
PS: What sort of people should you screen – given that not necessarily the employees at the top are the ones who can (and in daily work must) access sensitive customers and other information?
AB: Our view is that if you are going to do it [screening] you should certainly screen everybody to an adequate base level of comfort, if you like. Going beyond that: I had a debate with an organisation the other day who were saying, well, our view was we should apply a one size fits all screening process. And I really tried to counter that by saying, well, you should have a sensible base line but there are obviously going to be positions in the organisation which are higher risk and you should be adopting other additional measures. Certainly the evidence from most surveys [like the KPMG fraud barometer] is that fraud involving management is four times as costly as involving employees at large.
Plenty of organisations put on blinkers and don’t see the wider picture. There are plenty of people working in organisations, not necessarily as employees but you need to pay attention to: IT contractors. We screen for a number of organisations in this category and tend to find there are more discrepancies in their background than employees generally: they have quite frequently chequered pasts in terms of their credit history, they tend to have potential conflicts of interest because they have outside company interests or associated companies. If you take the growth of call centres, whether in the UK or increasingly as you move them abroad, you are giving people access to the very data heart of the organisation, and sensitive customer information. But in practice it’s very difficult to put recruitment screening in for that group. There’s high turnover of staff and they will want someone interviewed to start on Monday. That’s a small window to exercise any sensible screening. But there should be at least credit checking as an absolute minimum.
PS: Where does the division of responsibility lie between the HR manager and security manager? On what does it depend?
AB: In my opinion it is normally the security manager who has got the clout to do it [screening], rather than the HR person: either they [security] can engender greater fear; they have better access to the ears that count – and probably it isn’t their budget. But with our clients in terms of getting a programme under way in the first place, it tends to be the security manager who is championing the cause.
BF: I would just like to add a rider. The situation in most larger companies today is that the responsibility for risks to a component business within a larger business lie within the remit of the head of that component business. Within an overall panoply usually set by Group; often a very light touch. The buck stops with the MD of the business concerned, and the people who facilitate things are HR, security and line managers, and there are tensions there all the time. It rather depends on how influential the security manager can be. Organisations across the UK have spent the last 20 years on stripping away layers and layers of middle management. Everybody is empowered to do everything. In a committee culture, it only takes one person to put a hand up and not think screening is a good idea – it doesn’t happen.





