Most BGV-related incidents are described, after the fact, as a vendor failure. A senior hire turned out to have a conduct history. A finance leader turned out to have hidden debt. The screening company "missed it." A new vendor is selected and the cycle resets. This framing is operationally satisfying because it locates the problem outside the hiring organisation. It is also wrong almost every time.
The two case studies that follow are anonymised but real in the operationally important detail. Both companies had screening programmes. Both companies ran the standard package on every senior hire. Both companies experienced material post-hire incidents. In neither case did the screening vendor fail to deliver what they had been asked to deliver. In both cases the data that would have surfaced the risk existed pre-hire, was accessible to the vendor's operational capability, and was not in the scope of work. The incident was the visible event. The structural failure preceded it by months.
Case study 1: The VP Finance and the gambling debt
The credit history search that surfaced the gambling activity and the delinquencies during the investigation was a check that existed and was available pre-hire. The company's screening contract did not include it for any role, because the standard package did not include credit checks for any role, because the programme had never been redesigned to be role-calibrated. The vendor did exactly what they had been asked to do. The scope did not include the question that would have surfaced the risk.
Case study 2: The senior people-leader and the POSH history
The structured behavioural references that surfaced the conduct pattern during the investigation were references calibrated to the role's risk profile, executed by analysts who knew how to ask specific framework-anchored questions and how to interpret the resulting answer patterns. Those references were available pre-hire but were not part of the standard package. The original reference checks were standard performance-focused conversations; "would you rehire" got a "yes" from references who would have answered "prefer not to comment" to a specific conduct question. The vendor delivered the package they were contracted to deliver. The package did not include the questions that would have surfaced the risk.
The shared structural pattern
Reading the two timelines side by side, the surface details differ but the structure is identical:
- The risk existed before the hire. In the first case, the gambling activity, the delinquencies, and the loan-shark pressure were all in place. In the second, the POSH complaint history was on record at a previous employer. In neither case did the candidate suddenly develop the risk after onboarding.
- The data was findable. Credit history records are accessible in the relevant jurisdiction. Previous-employer conduct history is reachable through structured behavioural references. Both required operational capability that the screening vendor possessed.
- The scope did not include the question. The contracted scope was the standard package. The standard package does not include credit checks for finance roles or structured behavioural references for people-leader roles. The vendor was not asked.
- Peer reporting surfaced the eventual signal. In both cases, the trigger was a colleague observing behaviour out of pattern. This is the typical path: the incident does not surface from BGV monitoring; it surfaces from the team.
- Investigation revealed what pre-hire screening could have revealed. The investigation costs of finding the truth post-hire dwarf the cost of running the right checks pre-hire. This is the cost asymmetry made concrete.
The pattern repeats across BGV incidents that destroy company value. The incident is the visible event. The programme failure happens months earlier, when the scope was specified and the budget was approved and the standard package was treated as the programme.
The diagnostic test for a compliance-only programme
Most operating leaders cannot easily tell whether their organisation's BGV programme is risk-discovery-capable or compliance-only. The vendor relationship is opaque; the metrics reported up are "100 percent of hires screened"; the incident, when it comes, is presented as a surprise. There is a reliable three-question diagnostic that surfaces the programme posture in any conversation with the programme owner:
- Question 1: For a VP-level hire in a critical role, what specific checks run beyond the standard package? If the answer is "the same package as everyone else" or "we add a credit check sometimes," the programme is compliance-only. A risk-discovery-capable programme has a documented role taxonomy with defined additive scope per role family (covered in role-calibrated screening).
- Question 2: When a reference responds "prefer not to comment" to a behavioural question, what's the protocol? If the answer is "we record it and move on" or "we don't ask behavioural questions," the programme does not extract conduct signal. A capable programme has structured reference questions, codes the answers, and pattern-matches across multiple references (covered in behavioural references).
- Question 3: When was the programme scope last reviewed against the role taxonomy? If the answer is "we have a standard package" or "we haven't changed it in years," the scope has not been calibrated. A capable programme reviews scope at least annually, ideally after every incident or near-miss.
Three "compliance-only" answers indicates a programme structurally exposed to the incident class described in this article. It does not mean an incident is inevitable. It does mean the programme is running on luck. Eventually, luck runs out.
For PE operating partners: the audit you should commission
Across a portfolio of investments, the three-question diagnostic above can be operationalised as a portfolio-wide audit. Each portfolio company's CHRO is asked the three questions in the next routine review. The answers are coded against a simple traffic light: three green answers means the programme is risk-discovery-capable; one or two compliance-only answers means the programme is exposed; three compliance-only answers means the portfolio company is structurally one incident away from the conversation you don't want.
The result of this audit is usually uncomfortable. Most portfolio companies score one or zero green answers because role calibration, structured behavioural references, and active scope review are not part of the typical BGV vendor relationship. The audit's value is not in scoring; it is in giving the operating partner a structured conversation with each portfolio CHRO about what specifically would have to change to move the answer to green. That conversation is the operationalisation. The dashboard in the next article in this series shows how to track it across the portfolio.
Run the three-question diagnostic on your programme.
Request a structured briefing that walks your programme owner through the diagnostic, scores the programme posture, and produces a remediation roadmap. Available for individual programmes or portfolio-wide.