Workforce Screening Programs should include your suppliers

Insider Threats are often overlooked when it comes to your supply chain, but suppliers are a key source of trusted insider risk. These risks need to be identified and incorporated into procurement decisions and sourcing contracts, including contractual obligations on suppliers to conform to your requirements. This may well incur additional costs, so it is important for buyers to work collaboratively with their suppliers to agree on an approach that is workable for all parties. In some cases this may mean buyers need to change their own processes to mitigate a risk rather than transferring the management of that risk to a supplier.

Workforce Screening is a foundational element that should be included in any supplier agreement, but its application needs to be targeted towards the buyer's material risks. This article explores this challenge, provides suggestions on good practice, and discusses the role of supplier assurance in relation to Workforce Screening Programs.

Many businesses are complex ecosystems with different parties - employees, contractors, suppliers, visitors - constantly interacting.

We need to recognise that suppliers also pose trusted insider risks

Suppliers and Third Parties are a core part of the ecosystem of every business enterprise. By the nature of their roles and functions, many suppliers and other third parties have privileged access to their client's (i.e. your organisation's) information, systems and critical assets. Examples of trusted insider access by suppliers include:

  • Service providers with remote access to critical systems or networks, such as Programmable Logic Controllers (PLCs) or Operational Technology (OT) systems
  • Outsourced IT managed services
  • Managed data centres
  • Contract Manufacturers and Contract Research Organisations (CROs, CMOs)
  • Outsourced Clinical Trials Managers
  • Distribution Centres for order fulfilment
  • Repackaging and relabelling services
  • Recruitment, accounting, audit, consulting and law firms and insurance brokers
  • Corporate catering, cleaning services

Many more services could be added to this list: the breadth and scope of functions performed by suppliers today is nearly ubiquitous, and this needs to be taken into account when identifying insider risks.

Suppliers, as outsourced service providers, often have direct and unsupervised access to a business' most critical assets without us realising.

Existing practices often fail to properly assess supplier-insider risks

Supplier-insider risks need to be managed with a degree of foresight given that supplier contracts are often multi-year agreements with the potential for extensions. This means that failing to incorporate the necessary provisions upfront may create a vulnerability for multiple years or even a decade.

Understanding the insider risk posed by your supplier’s workforce begins with identification of your High Risk Roles – are any of those outsourced? This information informs your Personnel Security Risk Assessment which qualifies the inherent risk and determines whether internal control coverage is adequate for your risk appetite.

The gap between inherent and residual risk, where the risk actor is a member of your supplier's workforce, is what you may need to address through the Supplier Agreement using tools such as a Workforce Screening Program. This process justifies which members of your supplier's workforce need screening, to what extent, and why, based on their access to your organisation's assets.

Suppliers should be contracted to implement your Workforce Screening program

Security and integrity are seen by many as business enablers, but many businesses still see them as a cost and management overhead. It is not uncommon to find suppliers with either no security or integrity program, or that lack the requisite level of capability maturity required to manage complex risks that may arise in their customers' business.

It goes without saying that buyers need to provide guidance to their suppliers on their expectations, just like any other aspect of the sourcing process. Considerations on leading practices for supplier-insider risk management include:

  • Imposing contractual obligations to maintain a risk-based security and integrity program that conforms to your organisation's standards and policies
  • Providing a copy of your current workforce screening standard and other continuous monitoring information so that your supplier knows exactly what they need to do to comply
  • As a buyer, performing continuous monitoring (insider threat detection) of your supplier's interactions with your endpoints, network access and critical assets (including your most valuable information) – don't rely on anyone else to do this
  • Incorporating requirements for a time-bounded escalation or notification mechanism obligating your suppliers to inform you of certain types of incidents within defined timeframes
  • Ensuring appropriate supplier assurance and supplier audit / investigation clauses are included in your contracts, and not being afraid to use them

These practices could also be incorporated into your Supplier Integrity Framework.


Workforce Screening should be incorporated into ongoing Supplier Assurance

Just because there is a contractual requirement to do something does not mean a counterparty will comply, or that they have the internal governance mechanisms to keep track of it. In some cases, counterparties start out with the best of intentions, but some years after contract signing business may get tough or management may change, and contract compliance can slip as a result. Supplier assurance (vendor assurance) programs are intended to regularly monitor or review key aspects of a supplier's compliance with the contract.

Ensuring contract compliance with Workforce Screening and other Insider Risk obligations should form part of any supplier assurance program; however, this should be supplemented with insights from periodic updates to your Personnel Security Risk Assessment, Register of High Risk Roles, and revisions to your Workforce Screening Program Guideline (standard) to ensure supplier practices correspond to your inherent risks and risk appetite.

Further Reading

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

Designing your workforce screening program

Author: Paul Curwell

Executive Summary

Workforce Screening is an important function for any business today; however, it cannot be developed on the fly and needs to properly balance the organisation's risk and regulatory obligations against an employee's right to privacy and the cost and operational burden created by the screening program itself. Workforce Screening should form part of a well-governed, risk-based program managed by HR and Security / Integrity, comprising a range of policies, a personnel security risk assessment, and associated guidance to enable effective implementation. This article provides an overview of the key considerations when designing any workforce screening program in Australia.

What is Workforce Screening?

The practice of Workforce Screening goes by many names – vetting, background checks – all of which are the same thing. In Australia, the term Employment Screening has been used since at least 2006 with the introduction of Australian Standard AS4811:2006. However, this standard was recently updated and republished as AS4811:2022 Workforce Screening.

A Workforce Screening Program comprises the specific checks performed on each employee or contractor to determine initial and ongoing suitability for employment and the associated processes and records to manage those checks. In many organisations there are a few key artefacts which comprise any Workforce Screening Program:

  • Employment Policies
  • Corporate Security and Integrity frameworks and associated programs
  • Workforce Screening Guideline

The Workforce Screening Guideline (or Standard) details what identity verification, security and character checks are required for employees, contractors, or consultants as a condition of employment, and under what circumstances these checks will be performed, such as the risk posed by an employee's role. The relationship between these documents, and how they are created, is outlined below:

Graphic illustrating the various inputs to the Workforce Screening Program and the supporting Guideline and SOPs.

In our book Terrorist Diversion, Oliver May and I provide a detailed process map and overview of all forms of vetting, including insiders and suppliers.

When should workforce screening be performed?

Typically, workforce screening is performed periodically with four triggers:

  1. During recruitment – ideally prior to the letter of offer being issued;
  2. Periodically throughout employment;
  3. In response to an incident; and
  4. Upon resignation – particularly important for employees involved in creating Intellectual Property or where potential Conflicts of Interest may arise post-separation.

Workforce Screening is different to Insider Threat Detection. Whilst there is a relationship between the two functions, screening is holistically focused on who the individual is (taking into account the ‘whole person’) whilst insider threat detection is focused on what the individual does once they enter the organisation. One is not a substitute for the other: they are different controls.

Screening is a legal requirement for some industries

Workforce Screening is a mandatory obligation in Australia for many regulated industries under a variety of legislation, including:

  • Financial Services – Anti-Money Laundering and Counter Terrorist Financing Act 2006 and Rules
  • Aviation – Aviation Transport Security Act 2004 and Regulations
  • Ports, Maritime and Offshore Oil and Gas Platforms – Maritime Transport and Offshore Facilities Act 2003 and Regulations
  • Commonwealth Public Service – Public Service Act 1999, Subsection 22(6) Security and Character Checks
  • Australia's 11 declared Critical Infrastructure sectors – Security of Critical Infrastructure Act 2018 and Rules

What checks are typically performed in workforce screening?

There is a standard menu of checks which are performed across public and private sectors in Australia, including:

  • Identity verification
  • Citizenship and / or work rights
  • Credit rating and bankruptcy status
  • Education and occupational licences / trade certificates
  • Criminal history (National Police Check)
  • Sanctions and Adverse Media
  • Psychometric testing (in accordance with applicable employment policies)
  • Litigation history
  • Regulatory Actions pertaining to their profession
  • Internal employer database and record checks (for ongoing employees)
  • Candidate interview
  • Referee interviews

More intrusive checks permissible in Australia under certain circumstances include:

Not everyone will pass workforce screening, potentially including ongoing employees. There are a number of considerations associated with any workforce screening adjudication process which will be addressed in a future article.


What’s the relationship between the PSRA and High Risk Roles in Workforce Screening?

Selecting which specific background checks to perform in your employment process should not be a matter of 'lucky dip'. Many organisations require a 'background check' as a condition of employment but fail to articulate why each check is necessary – for example, where credit scores are used as a proxy for character tests.

Rather than ad hoc approaches, organisations need traceability from a regulatory obligation, personnel security risk, policy or similar instrument that establishes the risk and outlines how performing the respective background check will mitigate it. To provide this traceability, the Register of High Risk Roles informs the Personnel Security Risk Assessment (PSRA), and the PSRA informs the design and implementation of the Workforce Screening Program as well as the Insider Risk Management Program.

The Register of High Risk Roles identifies:

  • Which positions pose a greater trusted insider risk due to a variety of factors, and therefore,
  • Which position numbers are most likely to require additional vetting and insider risk monitoring to mitigate inherent risks.

The PSRA identifies:

  • The specific trusted insider risks faced by an organisation and where these may arise by team, function, business line etc; and
  • Suitable internal controls to manage the organisation's inherent risk exposure (including that arising from High Risk Roles) to within risk appetite.

Cost and privacy are two further factors that need to be considered. As with any security decision, there are trade-offs: Workforce Screening is intrusive, expensive and has an operational impact, often delaying the commencement of new hires as well as reducing the total pool of candidates. The need for screening should be balanced against the PSRA, which guides employers on what to check, when, and why.


Further Reading
