
Risk Assessment


Annex C

(informative)

C. Background Screening and Security Clearances

C.1 General

Risk assessments often contain some of the most sensitive information of an organization. Consistent with information protection requirements, privacy legislation, human resource management policies, and stakeholder needs, the risk manager and RTL should establish, document, and maintain a procedure for screening and vetting all personnel involved in the organization's risk assessment activities. The requirements for, and the conduct of, background checks and security clearances vary significantly with the type of risk assessment and the management practices of the organization. For example, security risk assessments are typically considered high risk, and a rigorous background and screening process is conducted by the Chief Security Officer or designee. On the other hand, background checks and screening for strategic business risk assessments are typically included as part of the general human resource employee background check and screening process. The risk manager and RTL should review the organization's approach relative to the objectives and requirements of the type of risk assessment being conducted and ensure that all personnel involved in its risk assessment activities meet these requirements. The vetting and clearance process may include, but is not limited to, background checks, interviews, and review of work history.

NOTE: The details provided below represent the more rigorous approach typically required of a security risk assessment. For other types of risk assessment, the level of rigor should be tailored to the objectives and requirements of the risk assessment taking into consideration information protection requirements, privacy legislation, human resource management policies, and stakeholder needs.

C.2 Background Checks

The risk manager and RTL should ensure the establishment of a documented procedure for background checks and vetting of individuals conducting risk assessments on behalf of the organization. The procedure for background checks and vetting should screen out personnel who do not meet minimum qualifications established for positions and select appropriately qualified personnel based on their knowledge, skills, abilities, and other attributes. The screening and selection procedures should be consistent with data protection, privacy legislation, human resource management policies, and client requirements. Where practicable, background checks may be conducted through national agencies or authorities. When this is not practicable, the risk manager and RTL should establish, document, and maintain a procedure to check suitability and integrity by an internal vetting process including records checks and interviews, overseen by the organization’s top management and aligned with general security and human resource policies.

Wherever possible, the screening and vetting process should include:

  • Identity verification;
  • Personal history verification; and
  • Credentialing.

Exclusions should be documented when information is unavailable, unreliable, or unsuitable.

Identity verification should include verification of the validity of personal history and should consider (but not be limited to):

  • Home addresses;
  • Employment records;
  • Electronic media;
  • Criminal and civil record history;
  • Records of human rights violations;
  • Military or law enforcement service records;
  • Motor vehicle records;
  • Credit reports;
  • Sexual offender indices;
  • Government and industry sanctions lists; and
  • Industry specific licensing records.

Credentialing involves verifying the experience and qualifications that are presented by the candidate. The organization should look for unexplained gaps. Credentialing provides information on (but is not limited to):

  • Education verification;
  • Employment verification;
  • Licensure/certification/registration verification;
  • Personal references;
  • Supervisor and coworker interviews; and
  • Military history verification.

Candidates should provide two work-related references, as well as one probity reference relevant to their work or local jurisdiction. The vetting process may also include a review of documented submissions by the candidate.

C.3 Interviews

The risk manager and RTL should establish an interview procedure, including the hierarchy of interviewers, which should be overseen by the risk manager. Top management should appoint a risk manager who has been verified by interview and vetted as trustworthy, and who has the necessary competence and judgment to vet personnel involved in the organization's risk assessment activities. The responsible manager should assess the trustworthiness and appropriate behavioral characteristics of personnel involved in risk assessment activities through review of documentation submitted by candidates, interviews, and on-going monitoring.

C.4 Privacy Protection

The privacy and confidentiality of information about individuals should be protected. Personal documents, such as passports, licenses, and original birth certificates should be returned to personnel within a reasonable timeframe.


