
In today’s security environment, organisations that operate critical infrastructure cannot afford to treat workforce screening as a transactional HR activity. Workforce assurance is the structured, risk-based process of understanding, governing and continuously reviewing trust in people with access to critical assets, data and operations. It must be embedded as a long-term organisational capability.
For many critical infrastructure entities in Australia, this means moving beyond outsourced checks and compliance-only exercises toward a Trusted Workforce Program: a system that integrates enterprise security risk, role-based risk, individual suitability, governance, insider threat mitigation, and organisational culture into how people are recruited, monitored and offboarded. A Trusted Workforce Program should be tailored to mitigate the personnel security threats present in the organisation’s operating context.
Importantly, workforce assurance cannot be introduced only at the hiring stage of the employee lifecycle. A core challenge, and opportunity, is the structured integration of screening for existing workers, especially those in critical positions. This article explains why and how to do this in a way that manages insider risk, preserves trust, and strengthens resilience.
Why Workforce Assurance Must Be Systemic, Not Episodic
For decades, organisations have responded to personnel security risk with police checks, reference calls, and sometimes government-sponsored vetting. In Australia’s critical infrastructure sectors, background checks, including those facilitated by AusCheck, have been available under the Security of Critical Infrastructure Act 2018 legislative framework. These checks can include criminal history and national security assessments and are designed to reduce the likelihood that individuals with known security concerns are granted access to critical infrastructure.
Similarly, security clearances under the Australian Government Security Vetting Agency (AGSVA) are used when personnel need access to Australian Government classified resources (information, people, and assets) or high-trust roles. These clearances involve multi-level vetting to determine suitability for exposure to sensitive government resources.
Yet both AusCheck background checks and AGSVA clearances are point-in-time tools, not programs. An AusCheck background check may satisfy a statutory or compliance requirement, but on its own it does not provide comprehensive assurance about a person’s ongoing suitability for a critical role. A security clearance provides greater depth of vetting, but it applies to specific access requirements and is not designed to manage all aspects of organisational risk.
A Trusted Workforce Program treats screening as part of a continuum, one that starts with role risk and extends through pre-employment, induction, ongoing suitability, behavioural awareness, governance and secure offboarding. Pre-employment checks and government-sponsored assessments are inputs into a larger system of assurance, not endpoints in themselves.
The Central Logic of Workforce Assurance: Risk, Roles and People
Workforce assurance begins with understanding enterprise security risk: the hazards that could materially impact an organisation’s ability to safeguard operations, assets, reputation and public safety. In critical infrastructure sectors subject to the SOCI Act, these risks are explicitly recognised, and obligations to maintain critical infrastructure risk management programs are mandated by law.
From enterprise security risk flows role risk: not all roles carry equal exposure. Access to operational technology, control systems, financial authority, or incident-management functions amplifies consequence if something goes wrong.
Only after role risk is established can organisations determine what level of assurance is required and what screening activities make sense.
Finally, screening yields information about a person that organisations can interpret in context. A robust Trusted Workforce Program integrates all three levels:
- Enterprise risk — what hazards exist at the organisational level
- Role risk — how specific positions contribute to or mitigate those hazards
- Individual suitability — how a person’s history, behaviour and context interact with the risk associated with the role.
Once organisations think in this layered way, workforce assurance becomes defensible, proportionate and actionable rather than reactive or bureaucratic.
Why Insider Risk Increases During Organisational Change
Organisational change, such as introducing a Trusted Workforce Program, can paradoxically increase insider risk if not handled carefully. Research shows that insider threat is not limited to malicious actors; it can develop through negative employee perceptions and experiences, particularly during periods of uncertainty.
Change disrupts routines, reshapes roles and alters expectations. If people feel confused, unfairly treated, or excluded, then trust erodes. Deteriorating trust can trigger counterproductive work behaviours, which themselves are precursors to insider risk: employees who feel disenfranchised or disrespected may disengage, withhold effort, or create vulnerabilities through inattention or deliberate non-compliance.
A related line of research developed by the UK Centre for Research and Evidence on Security Threats (CREST) describes how different emotional and behavioural responses to organisational change, such as the “Angry Distruster”, can escalate risk. This group, whose personal goals are thwarted by change, may react in ways that hurt the organisation, even if not done maliciously.
In short: introducing or expanding screening changes people’s relationship with the organisation. If not communicated and led deliberately, that change can disrupt the psychological contract (also known as quid pro quo), that is, the unwritten set of reciprocal obligations employees believe exists between themselves and the organisation. It can also undermine trust and raise the very risks the program is meant to reduce.
Leadership and Communication: The Foundation of Trust
A Trusted Workforce Program is a governance transformation, not a compliance tick-box. Leadership sets the stage for whether the initiative is perceived as protection, punishment, or bureaucracy.
Executives must communicate clearly and early on:
- Why the program is being introduced — tied to enterprise risk and responsibility to stakeholders
- What it means in practice — including screening expectations, behavioural standards and ongoing suitability monitoring
- How decisions will be made — including fairness, transparency, and appeal pathways
- What the organisational supports are — training, reporting mechanisms, wellbeing access.
Communication must be consistent, frequent and empathetic. When people understand the rationale, that workforce assurance is intended to protect people as much as the organisation, they are more likely to engage constructively rather than retreat into suspicion or resistance.
Importantly, leaders should acknowledge that screening and suitability assessment can be sensitive for individuals. Clear articulation of fairness principles, privacy protections, and the governance mechanisms that apply can help maintain organisational cohesion and guard against perceptions of arbitrariness.
Introducing Screening for Existing Workers: A Deliberate Approach
Most established organisations have a legacy workforce. Many individuals in critical roles were hired before formal screening existed. Integrating them into a Trusted Workforce Program must be done thoughtfully.
Some key principles:
- Frame the change as an evolution, not a retroactive audit: existing workers are not being “re-evaluated” in isolation; they are being included in a consistent governance framework that aligns with modern risk expectations and a dynamic threat environment.
- Use proportionate methods: for existing workers, eligibility is usually already demonstrated by tenure, performance and organisational knowledge. Ongoing suitability reviews can focus on behavioural risk factors, changes in circumstances and role context rather than repeating full entry-style screening.
- Support employees through the process: research into organisational change shows that individuals can react differently to change, with resentment or distrust emerging when expectations are violated or messages are unclear. Effective leaders listen, validate concerns, and co-design pathways forward wherever possible.
- Build multidimensional assessment teams: screening existing workers should be multidisciplinary. This avoids siloed decisions and reinforces governance: security, HR, risk and business owners must collaborate on analysis, controls and communication.
- Link decisions to role consequence and controls: if residual risk is identified, the goal should be management, not just exclusion. Probationary conditions, restricted access, retraining or modified responsibilities can be appropriate risk mitigants.
When introduced thoughtfully, screening existing workers can become a vehicle for trust-building rather than fear.
Seven Practical Steps to Introducing a Trusted Workforce Program
Below is a high-level roadmap to guide implementation:
- Define the governance owner: Assign a single executive, typically the Chief Risk Officer or equivalent, with authority to balance security, HR, legal and operational priorities.
- Conduct or update the enterprise security risk assessment: Ensure personnel security is integrated into the enterprise risk register.
- Map critical roles and consequence: Identify roles with the highest impact on operations, security, and continuity.
- Establish eligibility and suitability criteria: Criteria must be proportional, role-based, and defensible; separate eligibility (threshold, often binary, requirements) from suitability (contextual judgement).
- Select screening tools with purpose: Understand where checks like AusCheck background checks or AGSVA clearances add value. AusCheck checks serve a specific compliance and national security function; AGSVA clearance addresses government-classified access. Both should be integrated into the broader assurance program where justified.
- Communicate the program and expectations: Leadership should articulate purpose, protections and processes in clear, repeated messaging.
- Monitor, review and refine: Trusted Workforce Programs are living, continuous systems. They must adapt as roles, risks and environments evolve.
Conclusion: Workforce Assurance as Resilience Capability
Introducing a Trusted Workforce Program, including screening existing workers, is not merely a reaction to regulation or external guidance. It is an investment in organisational resilience and business continuity.
When done well, the Trusted Workforce Program reduces uncertainty, aligns role risk to assurance depth, and helps organisations manage human factors as reliably as they manage cyber, physical or technological risks. It also supports a culture where people understand security as a shared responsibility, not a burden.
Most importantly, by grounding workforce assurance in security risk, governance and transparent leadership, organisations can avoid the paradoxical risk that change itself creates. By taking people along the journey, screening becomes not a source of anxiety, but a foundation of strong organisational culture and trust.

