It’s a process with plenty of road left to run, according to David Rubens, who has a masters degree in terrorism, security and policing and a pedigree in the industry stretching back to the early nineties.
Now CEO of Deltar Training Solutions, he is a recognised authority on the strategic management of complex events, particularly within a multi-agency crisis management framework. Deltar Training Solutions, which Rubens founded in 2015, is a full-service training consultancy that specialises in corporate risk and crisis management.
IFSEC Global: Hi, David. Please tell us a bit about your career up to this point…
David Rubens: I started in the UK security industry in 1992.
I’d been travelling for about 15 years before coming back to London, where I grew up. Westminster Council were setting up their first charm school for bouncers or door supervisors. I was on their first list of accredited door supervisor trainers in October 1992.
Of course, nobody knew what they were doing back then. I was part of the first wave looking to professionalise [the industry].
In the late 90s I got involved in close protection training. By 2006 I had one of the three largest security training companies in the UK. That was when the SIA came in and opened everything up.
But that created problems. People came in who didn’t know what they were doing and they weren’t getting licensed.
I was a great supporter of the SIA at the beginning; I thought it would create a professional private security sector. What it did was create an entry-level qualification – but nothing else.
So once you were in you were in – and there was no professional development or structure.
Although I still think the SIA has overall been good for the sector, it could have been so much better. With clear-sighted leadership and a structured developmental framework it could have created a genuinely professional private security sector.
“We have a licensed and accredited sector – not a truly professionalised security sector”
We have a licensed and accredited sector – not a truly professionalised security sector.
IG: What steps need to be taken to realise a truly professionalised sector?
DR: Well, we have it now to a certain extent. We now have level 2/3/4/5 programmes. But unless they’re integrated into a national framework they’re purely voluntary.
We need a recognised career progression. The Security Institute is doing that, but it’s ad hoc, not part of a national framework.
IG: Tell me about your current company, Deltar Training Solutions?
DR: Prior to that I’d been headhunted and was MD of a US security technology company that wanted to set up in West Africa.
That was going well but then in March 2015 oil prices dropped off the cliff and Nigeria basically closed down as the oil base.
I came back to the UK to do a professional doctorate at the University of Portsmouth, before setting up Deltar in about June 2015.
We started running what we call level four accredited training programmes in strategic risk and crisis management. And then over the last couple of years, we developed a level five and level six. Level five is three days, and level six is a diploma, a 12-month distance learning programme. Both are offqual regulated.
Actually they are the only two crisis management courses on the offqual register of qualifications. Everything else is self-certification.
We now run the level five programme across the world – running 11 courses in 10 countries.
We have partners in Latin America, East and West Africa, Southeast Asia, UAE, Southern Europe and Greece.
There’s a real understanding that most people given responsibility for corporate or governmental risk or crisis management, business continuity or resilience actually haven’t been given the skills to do it.
Whatever sector you’re working in – whether that’s government agencies, emergency responses, financial, telecoms, infrastructure – what you’re talking about at a certain level is the integration of complexity: complex operations working within complex environments and creating complex solutions to complex programmes.
We can give them a methodology there. That’s why we’re so busy: people know what we do and invite us back.
We’re developing that in the UK as well. And developing secondary consultancy projects with organisations in the UK, Africa, South America and in the UAE, where we’re very busy.
Beyond that we have the level six programme, which allows people to do masters level research within one year on high level strategic risk and crisis management.
The level five is designed for corporate risk managers and security managers. Level six is designed for people who want to be in policy development and need a perspective on what strategic risk and crisis management looks like and how you approach it from a policy development perspective. That’s also gained quite a lot of interest.
IG: So what kind of people take the courses?
DR: Recently we’ve had a Detective Chief Inspector, running a specialist crime unit, a senior military trainer, someone involved in the London Olympics, a former director of a global financial consultancy, a specialist in airport consultancy, the senior risk and crisis manager from Rio Tinto, senior risk and crisis manager from Schneider electrics….
It’s very much designed for senior and experienced practitioners who have been given responsibility for increasingly complex operations.
We know that they come on the course, go back to their organisations and say “this is something we need to know about”. We’re getting more follow-up engagement from their organisations.
“Problems are increasingly high impact, disruptive and destructive”
The world is a pretty challenging place at the moment. Problems are increasingly high impact, disruptive and destructive.
They’re demanding a level of organisational capability that requires a high level of understanding and preparation. You can’t bluff it now. You can’t get by on a smile and goodwill; you really need to know what you’re doing. We can help people prepare for that.
IG: In what ways are getting things more complex and high impact?
DR: For example global weather patterns and climate change, natural disasters, are becoming much more frequent, much more high impact, much more destructive. They’re long tailed events.
Look at Costa Rica for example: that happened in October last year and they still don’t have power or water.
Look at ATM failures across the world, becoming more frequent. Infrastructure failures, total blackouts. Pandemics. Cyber. All these things are going way beyond what anyone 20 years ago was dealing with.
Most organisations understand risk management now. It’s not voodoo. So the normal operational structures they can manage.
When it goes up to a higher level of impact, involving what we call routine emergencies or major incidents, they’re probably able to respond and adapt to that to maintain functionality.
But in a genuine crisis, they say “that’s not what we were expecting or prepared for.”
Just look at Grenfell tower. The immediate response by emergency services was as good as one could expect, quite honestly. But the response from Kensington and Chelsea Council was an absolute failure of responsibility. They just collapsed and were never able to recover.
One thing we say is that you should not confuse the event with a crisis. The fire at Grenfell Tower was an event. The crisis was the failure of the council to respond effectively.
Hurricane Katrina was an event. The crisis was the failure of the Federal Emergency Management Agency to respond effectively. They put on the National Guard who went in with full military gear and weapons drawn. They saw themselves as having to take back New Orleans rather than going in to support.
That comes back to organisational responsibility and the responsibility of leadership at the top.
Just look at what’s happening with Oxfam. We always say if there’s a crisis it’s almost 99.9% certain there are embedded cultural issues, organisational management issues, that have created a rottenness at the centre of an organisation. It’s almost always down not to the external event, but a long-term management culture.
Look at Volkswagen. People have crossed their fingers. It’s not unknown or sudden; it’s known, accepted, ignored, then normalised. Like termites eating the inside of a house, it will collapse.
Oxfam is not a dysfunctional organisation. BP is not dysfunctional. NASA is not dysfunctional. And yet there was also something rotten in the management structure.
IG: Going back to the training, obviously these things are changing. How do you keep up to date?
DR: Almost on a monthly basis we integrate current case studies. We used Oxfam, almost predicting some of the issues that would come up.
Grenfell Tower was a case study. Puerto Rico was a case study. We’re very much aware of what’s going on.
There was a failure in southeast Asia last year of a national ATM system. The country was without money for six weeks. So we used that.
Look at Carillion. On the morning they went down I got emails from three people I know very well, who were owed between 15,000 and 35,000 pounds – enough to put them out of business.
Before the winter Olympics they had a norovirus outbreak. So we used that as a quick one. We asked what do you do? How do you manage it? You’re not just getting in another 2,000 people. It’s accreditation, safety, training, equipping them, knowing who they are. Then, would this be part of your contingency planning?
The world is not short of examples.
IG: I guess the globalised inter-connectedness of the world causes problems to cascade quickly…
DR: Those are the words. It’s systems dependency. It’s instant. It’s total. It’s cascading. It’s trans-boundary, trans-jurisdictional.
“One of the differences between a major incident and a crisis is that a crisis does not have a rational response”
Often, one of the differences between a major incident and a crisis is that a crisis does not have a rational response. If it has a rational response it shouldn’t be a crisis. If you’re Puerto Rico – no power, no infrastructure, no water – that’s not a rational response.
IG: Fukushima was probably a compelling case study…
DR: I spent five years in Japan and speak Japanese. I wrote a report about six weeks after [the event] that I believe was discussed in the Cabinet. The first line on the official report was taken from my report.
Earthquakes and tsunamis are not unknown in Japan. That’s part of your standard crisis management framework. But it came out that for 20 or 30 years Tepco, the Tokyo Power Company, had been fixing the figures, with the knowledge of the government and regulatory authority.
I said at the time I thought it would be shown there was collusion with the regulatory authority and standards were not kept up. I was absolutely castigated in public by a lot of people who said this is a national tragedy; you should not be saying that.
And I said: “but I know Japan, I bet that comes out – and it did.”
Then you have the failure of the Japanese government to respond. As often happens, in theory they had fantastic crisis management and earthquake management preparation, which collapsed the moment something happened.
I actually did a deep analysis of that as part of our three-day programme. There was so much to learn about the fact that just because you have a crisis management programme, it doesn’t mean you have a crisis management capability.
The plans were very detailed, but not adaptable. Agencies had very strong capabilities but not interoperability. Plans were unable to be shared. And decision-making was inflexible.
The ancient Greeks had it right 3,000 years ago: character is destiny. Character will always come out. The Japanese character is of not making decisions, not sharing information, not being agile, not questioning authority. That came out.
