We last met consultant David Rubens in our January 2014 issue; he’d taken up a job with a multi-national in Nigeria. He’s back, and he’s just finished writing his doctorate. We meet him in a trendy (is there any other sort?!) London cafe.
As David appreciates, he’s come a long way, just as the work of security management has. He was a doorman trainer in the 1990s, the era when some councils, before the SIA, began badging door staff, as some cities sought to regulate who was doing door work. That requiring ID and training to some standard. He’s developed as the security industry has, as a trainer and consultant; he’s a Chartered Security Professional; he has a masters degree in security and risk management from the University of Leicester. His doctorate ‘basically,’ he opens by saying, with an espresso on the table in front of him ‘is crisis management at the extremities of organisational complexity’.
We’re in the right place to talk about it – the cafe is down the road from Victoria station in central London and we’re beside the pavement. Shops, buses, who knows what cabling under the ground, people, all coming together, all day and near all night also. He quotes a couple of thinkers on the subject – the American Louise Comfort, that crisis management itself is not fit for purpose – every time there’s a problem, it fails; think of Hurricane Katrina, for instance. And the Frenchman, Patrick Lagadec, who argues that crises are real; and they’re multiplying. He talks of ‘hyper-complexity, when systems go beyond any known level of modelling, and fall into chaos. Because our world is so complex, and inter-connected, the failures when they come have cascading consequences. David has spoken about this before, at industry events and to Professional Security. One time was in the summer of 2011; the London and then England-wide riots erupted only days later. They showed police and business struggling to cope with large groups of looters. After three or four days it stopped; society had coped. What if the riots hadn’t stopped? What if people couldn’t (or didn’t dare) report for work; cash in transit vans couldn’t make their deliveries; shops ran short of cash; perishable goods perished without being sold; trade slumped; business lost further confidence? But to return to David at the cafe table. Complex systems – such as that make public transport run – are connected with other, also complex, systems. Command and control systems allow decisions to be made and acted on. It’s taken him four years of writing and studying many hundreds of books and articles. David’s among the first cohort of University of Portsmouth students to go for a doctorate in security and risk management. We’re well behind the (admittedly far larger) United States in academic study of security management, and indeed much of the work David cites is American. In the US homeland security has boomed since 9-11 and the associated subjects of risk and emergency management have sprung up likewise. Masters degrees have become entry level for security management jobs. David believes this will have an impact on how security and risk management is received by policy-makers at the highest levels in organisations and government. All very well; but what’s the relevance to your average security manager?
One of the things about hyper-complex crises is that they aren’t limited in terms of geography. Say the electricity system in London failed; it’s hard to say what the consequences would be, and where. What if (as has happened in India) hundreds of thousands of people are without electricity for several weeks. If an international bank’s systems fail, what if you can’t use that bank’s ATMs. A breakdown in railways, for example, would go beyond the railways’ problem, to become society’s. Most security managers – most Professional Security readers – first have to make sure that they have excellence in their own departments, to deliver a service, David says: “And most will be able to do that. But the other thing they will be doing is they will be creating collaborative relationships. These relationships can be on many, many levels.” But come a crisis situation, you need to take those relationships (with executives and other departments in your business, police and fire, the media?) and build solutions, ‘under a huge amount of pressure, to allow an organisation to respond more or less effectively. And when it comes down to the actual crisis, it’s almost always in the inter-agency collaboration that failures happen. Now one of the reasons that happens is because we still have a command and control culture. The language we use, the concepts we use, the structural, organisational frameworks are all based on centralised, military-style hierarchical command systems; but the reality is, that is not how the world works. You can say to an extent all crises are local. And when those crises are local, it’s groups of people in the area, working together to put solutions together, who make things happen.’ David’s doctoral thesis, then, is: why do managers fail in a crisis, and what can we do to make it work again? At an operational level, he suggests, the way is to move from a ‘command and control’ structure to ‘support and adapt, ‘so the role of the central command system is to find out what they need, to allow them to do their job’. So you do need a high-level, integrated management system; ‘but its role is to support people on the ground, not to tell them what to do’. Again, all very well, but how to apply that in your company or building?
“Security is about defining what you have got,” whether fences, guards, access control. Risk goes beyond that; risks are what we cannot control, whether a hurricane, that Icelandic volcanic ash that grounded aircraft, or internet or satellite links that go down suddenly. The question, David argues, is no longer, how we protect what we have; but ‘how do we deal with consequence management’. And can you teach a manager, and an organisation, to do that? “And my belief is yes, we can.” Everybody can be involved with the preparation for risks – cyber, terrorism – and crisis management, ‘but the truth of the matter is that even those who have crisis management in their titles don’t know how to do it.” And that, David adds, is because most crisis managers want to find a crisis they know how to deal with. And indeed, human nature does make it tempting to pretend that a crisis is not happening – whether you find excuses to stay at your desk when the fire bell rings, or you don’t go to the dentist when a tooth aches.
Professional Security asked about another ingredient that makes a crisis worse than in past times; the speed of life, of communications for example. David replies in terms of two ‘time gaps’: ‘the first time gap is between a potential crisis being triggered and an organisation being prepared to acknowledge there is a crisis; and of course the longer you take to make a decision, the crisis is not standing there.” We can insert examples here: the crushing of 96 football fans at Hillsborough in 1989; a fire; a cyber-breach. “So the longer you wait, the larger, the more complex and impactful and critical, the crisis is becoming. The second time gap is between acknowledging the fact you have a crisis, and triggering an effective response. Now we tend to believe a crisis is a very sudden event, but actually most crises are not sudden events: for example, we are going to have an energy crisis in this country over the winter.” Likewise the National Health Service has crises; computer users have cyber crises. Before most crises you can see warning events. Deal with them, and you may pre-empt the crisis. Resilience, as David notes, is one of those buzz-words of the last ten years; resilience is not only about bouncing back from a crisis, but it’s about preparing to be resilient; being a ‘learning organisation, and being open about risks’, and allowing people to share information.
David says: “My core belief is, we would not allow an engineer to build a bridge which falls down; we wouldn’t allow an architect to build a block of flats that fell down; we wouldn’t allow an aircraft designer to build an aircraft that crashes; why do we expect a crisis manager to build a crisis management framework that fails? Even when they build those frameworks, they know that they will fail. And that is where I am focusing my thesis on.” A regular question Professional Security asks is: what can you foresee? Perhaps a more unfair question than usual, as who could have spotted such crises as the civil war in Ukraine, or Syria, or the riots of August 2011? David agrees it’s going to get worse. “We can’t model the complexity we have already,” and just by making something more complex, you don’t make it necessarily better. If something looks too complex, David suggests, it’s almost certain that somebody is designing that, so that someone can evade responsibility.” Whether in railway or financial systems, when something goes wrong to a too-complex system, where complexity makes no sense, nobody is clearly responsible; ‘and that’s a sign of an organisation that’s heading for a crisis and nobody cares’. Professional Security asks; what should somebody in a complex-looking company or sector do?! As David says, the security manager’s executives may see security as a non-productive cost; but he adds that we are getting to the stage where people are realising that risk management is an intrinsic part of an organisation’s capability; ‘and if your risk management is weak as an organisation you are going to be ineffective. And by increasing your awareness of and openness to and understanding of risk management, you will generally gain a market advantage over those that don’t.’ As failures become more potentially catastrophic, expect risk management to become more a part of executives’ decision-making. A problem, David says, is that while security professionals have said that they ought to be more in the boardroom: “The truth has been that we haven’t had the skills to be there. And I have always said, if we are in the boardroom, we should be as good as the international tax adviser, the international brand management adviser, someone from EY and KPMG, and until now that has been very, very rare. I think there is a generation of people coming through who genuinely do belong at that high level, strategy making, policy making level, and I think that can only be good.” Having the viva voce to come, David can look forward to being Dr Rubens at the end of the year. He recalls in 1992 being on the very first list of Westminster City Council door supervisers. “I have ridden the wave,” as David puts it; the development of security management, serving the rapidly changing world. When you think of life in 1992 – few had heard of the internet, we were supposed to have a new era of peace after the fall of the Soviet Union – that wave is still roaring.
About David Rubens: His consultancy is Deltar-TS (Deltar Training Solutions). Visit http://deltar-ts.com/about_us_Deltar.html.
More reading on crisis management
By Louise Comfort:
http://www.cdm.pitt.edu/Portals/2/PDF/Publications/Cities_at_Risk_Katrina_NewOrleans.pdf
And by Patrick Lagadec, on crises as ‘our new reality’:
http://www.academia.edu/5099103/How_Crises_Model_the_Modern_World
