CHAPTER 6: WHO DO YOU THINK THEY ARE?
What is an ABMS?
An ABMS can help an organisation achieve accurate information on the people employed in the organisation, from the most senior to the most junior.
ISO 37001 assumes that an organisation risk assesses new staff and new roles, including how documentation is used to help achieve this goal. Even if fully attaining ISO 37001 is not a goal, an ABMS needs to consider the processes in place to verify what may just be assumed about new staff.
The following example shows the implications behind an ABMS that can have a wider risk management perspective than just preventing bribes, and also indicates the importance of risk assessments within all aspects of an ABMS.
An organisation needs an approach to ensure all new staff can meet the requirements of ISO 37001. This is typically risk based. One way to minimise risk is to require that all new staff prove their identities. There has been much in the media about the ‘hijacking’ of identities, usually for financial crimes.
Other scams include individuals obtaining false identities, normally supported by a passport and other documents, and people owning more than one identity (the author has seen an individual with three concurrent identities for different business and personal aspects of their lives). One other option might be where an individual abuses the identities of those with a similar name, e.g. if another Alan Field is about my age and is a qualified doctor, then I might be able to get a job in a foreign hospital, purporting to be this other Alan Field, assuming I got hold of his necessary documentation or falsified it.
Many of these scams are operated and serviced by organised crime gangs. They may later use blackmail or inducements to get their ‘customers’ for these documents and services to commit criminal acts for them – and their current employer would be one likely victim. This could be a high risk to any current employer of that individual or their immediate family, e.g. an employee buying a false identity for a ‘mail-order bride’ so as to ‘give’ them an EC member state passport might then become the victim of blackmail.
The following pre- and post-employment practices should be adopted:
1. Checking passports or other identity documents, including NI numbers and tax codings (although an NI number may not be genuine). These checks might include making sure that all identity and qualification certificates show consistent spellings of the applicant’s names, dates and place of birth. Inconsistencies should be queried.
If you are not familiar with passports or other immigration documents for a particular country, then always check these out because a number of EC member states have been targeted by criminal gangs, either for excellent forgeries of the real thing, or documents that simply purport to be them (hoping that an employer won’t know what the real thing looks like). Lost or stolen genuine passports may be doctored – one of the reasons for checking dates of birth and spelling of names on all documents. Fantasy or camouflage passports – legitimately offered for sale and then bought for novelty purposes or, supposedly, disguising one’s true nationality from kidnappers or hijackers – may be presented as genuine immigration documents.
For example, ‘passports’ for ‘Netherlands Guiana’ or ‘Dutch Guiana’ (broadly what is now Suriname today) might be presented to an employer with the suggestion that the person is a Dutch citizen. There are many other fantasy examples relating to names that might be broadly construed as being part of modern-day France or Germany.
If you are not certain about a passport, always make enquiries. After all, the potential employee may even erroneously believe that they had been sold a ‘genuine’ EC citizenship. Therefore, in good faith, you will be told this with the same genuine honesty from that individual’s perspective.
2. References should be checked and preferably obtained before the new staff member starts work. If the role involves any other security checks, e.g. CRB or credit reference checks, then the results should be compared with the information provided by referees. Unsatisfactory or inconclusive references should always be investigated.
Where references cannot be obtained for whatever reason, alternative referees should be sought. References should be obtained for all new employees, even for senior roles or those who might be known to existing staff – false or multiple identities can be carried on for many years.
3. Check qualifications. A false CV or a genuine CV with exaggerations may be presented. Postgraduate or professional qualifications that are important to a role might be claimed that haven’t been achieved, so insist on seeing the original certificates. Even better is to request the candidate to have the institution send a copy or other document confirming that the claimed credential is valid directly to you, without having the candidate as an intermediary as they could alter the documents. Many universities have forms for graduates to fill in that give consent to allow a potential employer to directly receive copies of degrees or academic transcripts. If you are not certain whether a university or college is recognised then this should be checked.
Certificates from legitimate universities in troubled areas of the world – where making enquires may now be practically difficult – should be discussed with the new employee and perhaps with referees, to see if they checked the qualifications in more stable times.
Some organisations also have a probationary period that is used to test whether the qualifications presented align with practical experience demonstrated. This should be flagged to the line management concerned. The author has seen several instances where line management have queried a new employee’s CV after seeing their professional work in the first few months of employment. Such awareness from line management should be encouraged.
Arguably, none of the above points make a person more prone to bribery than another more honest individual, but they all help support sound risk management principles and an ABMS approach.