David Carrick – Learning from the Insider Risk missed opportunities
In light of Met Police officer David Carrick admitting to being a serial rapist, Sarah Austerberry, Insider Risk specialist, outlines the missed opportunities in his recruitment and management and the implications for all organisations.
Roles that bring opportunities to exploit the vulnerable
Work environments where there are power imbalances can provide the opportunity for specific types of insider activity to occur and flourish (particularly self-initiated acts). In areas where engagement with the public is for law enforcement, social care, education purposes, there are opportunities to exploit the vulnerable. These can often have an abusive and sexual element. The means by which this type of insider activity can be carried out is through their legitimate day-to day activities, the power that the insider holds: a warrant card; a uniform; a position of authority. The culture within the environment can for many be the motivating factor (in addition to personal pre-dispositions); knowing that you can get away with certain behaviour can spur you on to more serious and significant insider acts.
David Carrick and the abuse of power
Last year Dr David BaMaung and I wrote an article about the damage to policing by consent by insider activity. An abuse of power resulting in the tragic death of Sarah Everard. Fast forward a year and we see a further case of insiders abusing their powers, this time Metropolitan Police officer David Carrick, who admitted to multiple rapes, unlawful imprisonment, and indecent assault between 2003 and 2020.
The Met’s lead for professionalism, Assistant Commissioner Barbara Gray, said, “We should have spotted his abusive behaviour and because we didn’t, we missed opportunities to remove him from the organisation.” This despite it emerging that Carrick had “come to the attention of police over nine times between 2000 and 2021”. What is particularly interesting about this case is that concerns/allegations about Carrick’s behaviour were raised before he was a police officer.
Red flags missed at pre-employment screening
Carrick applied to join the police force despite allegations of malicious communications and burglary against an ex-partner. This should have raised flags at the vetting stage to consider whether further investigation and risk assessment should be put in place. Vetting, as part of pre-employment screening needs to be more than a tick box activity. Job roles need to be assessed for the type of opportunity and means that a potential insider could exploit (the risk). This then needs to be looked at against the information collected as part of vetting procedures and a proper assessment made as to employ and what aftercare mitigations should be put in place during probation and longer term to manage any identified risk. Evidence suggests that Carrick was accused of harassment and assault, against an ex-partner, whilst he was on probation. Why was this information not linked up with his vetting file, or referred to professional standards? Did his working environment allow Carrick to continue a path of abuse? A report from 2021 by the Her Majesty’s Independent Inspectorate of Constabulary and Fire and Rescue Services (HMICFRS) noted that a culture of misogyny, sexism, and predatory behaviour towards members of the public and female colleagues persists across many UK police forces. It’s likely that the strength of the culture in the environment impacted on policy, procedure and process being implemented effectively.
Disjointed management action and siloed information
This environment and culture appear to have absorbed additional complaints from members of the public regarding Carrick’s behaviour, and investigations by other police constabularies. Although some were dealt with by “management action”, clearly this didn’t result in all dots being joined up across different business areas to indicate behaviours of concern that should have been investigated. This unfortunately is not uncommon: almost all insider acts when investigated show the organisation had lots of information about the individual that they could have acted on earlier to potentially prevent further actions, it but it was all held in siloes rather than being joined up.
How can you address similar risks in your organisation?
There is no sticking plaster to fix this; real change that stops counterproductive workplace behaviours takes time and continuous risk management. It requires honest discussion and reflection of our organisations’ (and our individual actions) current landscape. It requires people to listen and act, to make difficult decisions. It means talking to offenders to understand how the organisation’s environment and culture encouraged their behaviour.
Understanding the extent of the problem is key – having multiple different names for insider risk, dealt with by multiple different teams (fraud investigation, anti-corruption, poor performance) makes the siloes deeper, and provides more opportunity for insiders to exploit. Below are some initial areas to consider:
Assessing the insider risk factors
Insider risk professionals assessing risk must of course think about the external threat actors that use insiders: state actors, serious organised crime etc. They must also consider the following internal threat factors:
- Does the work environment create lots of opportunity and means for self-initiated insider activities?
- Does the current culture of the organisation have the potential to motivate insider activity?
From a recruitment perspective, consider:
- Whether the current environment and culture acts as a beacon to prospective employees with unsuitable motivations, and
- Whether it actively puts off good candidates from applying
From an HR perspective, consider:
- How personal data is shared securely to prevent siloes
- How we track and follow up on those who have been assessed as carrying risk
- How we train and support managers to deal with poor performance and misconduct
From a training perspective:
- Secure by design – building in the right messages from day one about what is expected and the consequences
From a governance and senior leadership perspective, the considerations should be:
- The cost of investigating (time, financial consequences)
- The reputation of the organisation and its leaders
- Impact on day-to-day delivery of services if you continue to do nothing but react to these types of insider activities
- Recognition that increased reporting is not a bad thing (the press may see it differently) but instead it shows that culture and the environment is shifting, and staff (and the public) feel empowered and confident that the appropriate actions are being taken.
We are fortunate in the UK that most of our public servants, those that hold a position of power do so with the utmost respect and due diligence required to carry out their functions in a lawful manner for the wider good of our society. They should not have to be tarnished by the few that actively seek to abuse those powers, because a work environment and culture actively supports this type of behaviour.
Au Security Consulting