It all starts at the global headquarters of a Fortune 500 technology company. Three individuals, including the head of Accounts Payable, are indicted for fraudulent acts leading to $11.5 million in losses — and immeasurable impacts on the company’s brand and reputation. In the aftermath, the company’s leadership took a hard look at their background investigation procedures. They discovered that, other than the standard criminal checks upon initial hire, they had no procedures that would have warned corporate leadership of the perpetrators’ potential inclination for fraud, including several large tax liens that came to light during the trial.
Hindsight was painful. With the C-Suite and General Counsel looking for answers, senior leaders knew they needed to take a more comprehensive approach going forward for both current and future employees, especially those who would have access to sensitive and critical information. As this company quickly learned, thorough due diligence investigations require more than just routine background checks at hiring.
While executives across industries widely acknowledge the importance of due diligence, their companies and third-party investigators do not always take the most thoughtful approach to this critical process. Due diligence investigations require more than a one-time, quick public records search — they require:
+ Targeted, deep dives into someone’s professional and personal background
+ Regular updating as employees rise through the company
+ Analysis from experts who are capable of spotting red flags amid a vast sea of information
+ The right corporate policies and security practices to support them
COMMON ERRORS THAT UNDERMINE THE EFFECTIVENESS OF CORPORATE DUE DILIGENCE
+ Due diligence investigations of senior-level personnel and those who are responsible for sensitive, risk-influencing duties are not regularly and effectively conducted. Instead, one-off screening takes its place, usually only upon initial hire, which is often little more than standard criminal history checks and employment verification.
+ Due diligence investigations are not conducted on or required for vendor personnel with equally strategic roles, access to information or potential impacts on company reputation and decision-making.
+ Internal functional gaps or roadblocks undermine proper risk management through due diligence, as various decision centers across the enterprise — such as HR, Legal, Security, Compliance and Risk Management — own the process. This risks duplicated efforts and lack of accountability.
+ Information that due diligence investigations uncover is not reported up, nor do any decision-makers consider how the information could impact the enterprise. Often, due diligence investigative findings are not integrated with other risk management or security-related strategies — such as user risk classification systems — or are handled without regard for the legal restrictions on their use and access, such as the Fair Credit Reporting Act (FCRA) or state and federal privacy laws.
+ Unfamiliarity with how to vet and validate a due diligence investigations provider opens the company to new areas of risk. Common yet flawed rationales for justifying a current investigation function’s work include: “because we’ve been with them for years,” “because we haven’t had a problem yet” and — most dangerously — “because they just give us what we ask for.”
ACKNOWLEDGE THE COMPLEXITIES IN GETTING DUE DILIGENCE INVESTIGATIONS RIGHT — AND TAKE THE TIME TO DO SO
Whether you’re a Human Resources Director overseeing the hiring process or an investigator yourself, it’s important to know and recognize the common and not-so-common complexities that accompany due diligence investigations. Here’s a sampling of the scenarios companies struggle with:
+ An arrest is not the same as conviction. Failure to develop screening policies that acknowledge this difference can be costly. Be careful what you ask your investigations company to provide, and only engage experienced due diligence providers who have established policies on accessing and disseminating information.
+ Do not trust everything you read on the internet. It is always best practice to verify findings if possible — which is what the most reputable due diligence investigations firms do best. They know which public records to search and how to do it — and they will flag when information cannot be validated for accuracy.
+ Though the U.S. tends to have far more records available to the public, investigators can still find information about subjects who have international personal and professional backgrounds. Be sure to employ a firm that has the capacity to conduct investigations across the globe and never ignore time spent abroad.
+ A crime in one state can be a minor misdemeanor in another and a civil citation in a third. Wide variations in state criminal laws can raise multiple issues. Evaluating the seriousness of an identified issue will often require determining how specific locales charge and resolve potentially criminal activity.
+ Hiring decisions can impact insurance protections. If you uncover evidence that an employee has conducted illegal acts, investigate whether that knowledge impacts your insurance coverage.
+ Several states — including California, New York and Massachusetts — are tightening restrictions on screening practices, a trend that will likely expand to other states.
+ Tailor your due diligence approach to the employee’s prospective position and potential access to sensitive internal and client and customer data. Due diligence conducted on staff restocking the vending machines in the break room should be materially different than for the newly promoted Head of Finance.
COMPLIANCE IS POSING NEW RISKS FOR DUE DILIGENCE
While due diligence is a crucial part of the hiring, promotion and management process, no one should make personnel decisions based solely on due diligence reports. Rarely are these reports’ findings totally black and white; a history of financial misfortune does not necessarily mean that a potential hire is off the table. An experienced due diligence provider with its own robust internal compliance processes can help guide you through the constellation of considerations that may spell trouble.
Company stakeholders, like attorneys and compliance experts, need to collaborate and give clear guidance on how and when personnel decisions can be supported by due diligence research. For example, the obligations and limits set forth in the Fair Credit Reporting Act (FCRA) are just one area to consider when deciding how to utilize a due diligence report to evaluate a candidate’s potential as an employee.
Practical Tips for Execution
1. Review and update your due diligence strategy and policy
Continue to carefully realign it with your broader risk management, compliance and operational objectives. Pay special attention to privacy laws related to issues such as consent, information storage and confidentiality. Insist that your policy authors determine if, where, when and how external vendors and partners should be asked to meet or exceed these guidelines.
2. Determine the skills and experience that should be resident on your in-house team
Then supplement these with external advisors in the most strategic and cost-effective manner.
3. If you decide to engage a due diligence investigations team, know which characteristics the most reliable teams possess
Start a conversation with a potential vendor by insisting on demonstrated expertise in data sources and access, case management processing, risk evaluation and reporting, and efficiencies in search, retrieval and reporting. Then, take an even closer look at how the vendor addresses areas such as: (1) data validation through on-site court checks of actual files; (2) adjudication when information of concern surfaces; (3) strategies for managing compliance-sensitive decisions and when risk-related judgment calls are required; and (4) developing and managing relationships with international due diligence investigators. And do not be fooled by size. Scale is never a proxy for excellence.