In recent months, the airwaves have once again been full of recriminations after a man in a trusted position grossly betrayed that trust. David Carrick of the Metropolitan Police Service of London, an armed member of the Parliamentary and Diplomatic Protection Command, turned out to be a serial rapist and abuser of women. This follows hot on the heels of the murder of Sarah Everard by Met Police officer Wayne Couzens and a raft of cases of abusive and bigoted behaviour by police officers. Met Police Commissioner Mark Rowley has warned that ‘hundreds’ of officers need to be got rid of.
Understandably, such events result in a clamour to identify failings and to learn lessons. Detailed inquiries are commissioned. And in every case, the spotlight turns to vetting and screening checks. Surely if vetting had been done properly, the clues would have been identified and this would never have happened. But is that true, or are we missing other ways to kick gross misconduct out of the workforce?
What is vetting?
Vetting means different things to different organisations. For many it is a series of fairly basic checks: is the job applicant who they say they are? Do they have the right to work? Have they told too many egregious fibs on their CV? In other settings, vetting constitutes a detailed investigation, with database checks, interviews, psychological assessments, and an in-depth review of the applicant's online profile. It could even involve being put through a lie detector test.
For most organisations vetting is conducted once, on arrival, and never again, but in Government and the Police it is repeated periodically. So why do we still have such major incidents of misconduct and abuse of position in these highly vetted settings?
Does vetting work?
Actually, unless somebody has a live conviction for a crime, the chance of vetting picking up a propensity to commit one later is vanishingly small. Probably the most thorough vetting in the world was applied to Edward Snowden, the NSA contractor who hit the headlines in 2013 when he ran off with over a million classified documents. This was a person who, in hindsight, displayed a full set of risk factors, yet he passed his clearance repeatedly even as he prepared to disappear with a bag full of secrets.
The HMICFRS report of November 2022 into vetting, misogyny and corruption in policing, which took place in the aftermath of the Couzens conviction, looked at vetting decisions in policing. It made a range of sensible recommendations but concluded that: “Even the most thorough and complete vetting regime could never guarantee that an applicant would not go on to become corrupt or become a risk to the police service”. I would agree that pre-entry vetting is no guarantee of an employee’s reliability, and I am constantly alarmed at how much faith leaders place in it.
So, is the answer more vetting, better vetting or something else?
Whenever there is an incident, people demand more vetting more often. As soon as the interest dies down, complaints about the cost of vetting and the time it takes invariably return. Having led vetting teams in several government departments, my biggest challenge was fending off those who wanted it faster and cheaper, not more thorough. And then there is the question of proportionality. How long should a youthful criminal conviction bar you from being trusted? How much personal data is it OK to look at – and does that extend to family and friends? In the end, most organisations do something that is less than comprehensive but better than nothing.
Vetting and screening checks can be effective
There is value in post-entry vetting and screening if it includes a review of workplace behaviour. This can serve as a deterrent and a reminder of the high standards expected of the employee. Once people are in employment, employers need to consider how they can most effectively collect, share and act upon information about workplace behaviour, which is often held in different silos. And of course, this must all happen in a way that is ethical and proportionate, so careful planning and access to sound legal advice are essential components of any vetting and behaviour monitoring process.
What about organisational culture?
In most cases, a strong and positive organisational culture is the key to ensuring that people behave legally, ethically and respectfully. This applies to employee fraud, data misuse and IT policy violations as much as it does to the more extreme violations that we have seen in the Met. In Blacksmiths, I have had the opportunity to witness many different cultures and management styles in both the public and private sectors. It has been the work we have done on security culture and employee lifecycle interventions (from hire to fire) which has REALLY made the difference.
About the author
Malcolm Sparkes is head of the insider risk consultancy in Blacksmiths group. He previously held a number of senior security roles within UK Government, including running vetting within the FCDO.