The paper below was originally drafted in February 2020, hence the reference early on to the tragic event in Tehran. A fortnight after completing the text, the global aviation industry effectively shut down in response to the coronavirus pandemic. The draft lay dormant until July 2020, when airline and airport operations began to come back to life.
It therefore seems timely and appropriate to remind readers that threats and risks remain and should continue to attract due attention. Whilst the current focus for commercial aviation is understandably on protecting people’s health, security must remain one of the highest priorities. Those who wish the industry harm will today, perhaps more than ever, seek to exploit events that might indirectly dilute security measures.
The shooting down of Ukrainian International flight PS752 near Tehran on 8 January 2020 has regenerated the debate on the need for risk management in aviation and beyond.
Hindsight provides perfect clarity and resolution, of course, so care is needed to avoid assuming knowledge that was not available or easily foreseeable. Risk managing a sudden increase in regional tension, coupled with a fast escalation involving military strikes and counter-strikes, challenges the best of us. Nonetheless, the right modern tools for assessing and managing risk could potentially have averted such a disaster.
This paper should be seen as a contribution to that debate on the application by both the aviation sector and governments of modern risk management techniques. It explores the benefits of doing so, as well as the constraints that hitherto prevented such action. In particular, it emphasises how the latest data mining techniques now put effective risk management within easy reach for industry and government alike. It also argues that marrying threat intelligence to open-source data requires the former to be shared far more widely, in order to make global risk management as effective and efficient as possible. The benefits of such a management system include a more cost-effective approach by industry and a more confident level and depth of advice offered by governments.
Responsibility for the security of a commercial aircraft, its passengers and crew rests primarily with the operator, as does safety.
Many state regulators already require aircraft operators to deploy a Safety Management System (SMS). Increasingly, regulators are promoting – and may eventually require – a Security Management System (SeMS), underlining the primary role operators bear for security.
Despite the onus for security being placed on the aviation industry, governments also have a role to play, assisting that industry to make better judgements on the risk inherent in aircraft operations. Eliminating all risk is as impossible within the aviation sector as it is within any other. Achieving zero risk would require preventing any and all flights. Risk management is therefore essential. Done properly, with the right tools, it strikes the correct balance between what can otherwise be seen as competing priorities: strong security and effective commercial return.
Risk management should be a global effort, as the United Nations’ International Civil Aviation Organisation (ICAO) has repeatedly made clear. It should be seen as a co-operative endeavour between industry and the regulator, where the imposition of requirements by the latter should be minimal and proportionate. There is no “one size fits all” here: the world’s largest scheduled commercial operators have different needs from small charter operations, which in turn are different from those of the General Aviation sector. Yet all need to engage in risk management, even if the degree to which various sectors within the industry rely on government advice and action will vary considerably.
The following sections look at the background to threat and risk, the objectives for managing risk and how industry and governments alike can engage further in that management process.
THREAT AND RISK – THE BASICS
Threats against commercial civil aviation from terrorist organisations continue to evolve into ever more sophisticated attempts to bypass airport security measures and thereby destroy an aircraft in flight. Threats therefore represent the potential for an attack. They might also represent the potential for collateral damage, in particular when commercial aviation operates over a conflict zone, or from an airport in a country subject to recent hostile acts or enacting reprisals for such acts.
Assuming the threat is being made by Violent Non-State Actors (VNSAs, i.e. terrorists), an assessment then has to be made as to the intention and capability of that VNSA to carry out such a threat. In other words, how credible is it? Separately but in a similar vein, how credible might the threat be from operating over a known conflict zone, or from a country recently embroiled in hostile acts? Such assessments allow for threats to be scored and rated, the highest being the most credible.
Risk represents the likelihood and consequences of a credible threat transforming itself into an actual attack. Each threat score can then be transformed into a risk and graded on a scale based on the two descriptors above of likelihood and consequences. Assigning numeric values to those descriptors produces a “risk score”, which is then modified by existing mitigation measures, i.e. the security measures already in place to defend against such a threat becoming an attempted attack. Mitigation can be assigned its own numeric value.
The key judgement is whether this “residual risk”, the risk score after existing mitigation has been factored in, is sufficient to deter or deflect an attack, or whether more mitigation is needed. Resources can be allocated based on the risk score, ensuring the residual risk is judged by the operator or government to be within acceptable bounds. If the residual score cannot be sufficiently mitigated, then the operation may well have to cease.
Many airline operators, governments and airports fail to conduct such a basic risk analysis. Some of the reasons for this are set out below, but can include the view that “we have no enemies and therefore face no threats”. That ignores the possibility of an attack on a foreign carrier at that airport, with all the security, reputational, economic and commercial implications for that airport, airline operator and government that inevitably flow from a successful or even an attempted attack. Airlines that suffer a terrorist attack often struggle to survive commercially, if the public perception is that the carrier was singled out for attack. Similarly, where an airport provides the venue for an attack, its future viability may be called into question, if carriers abandon it in significant numbers over a long period.
Terrorist organisations seeking to attack civil aviation look to identify weak links in the security chain of airports around the world served by airlines registered in states that terrorists often target. That might well lead to the identification of an airport where no risk analysis has taken place, since mitigation measures cannot be tailor-made in the absence of such an analysis and are therefore likely at best to be weak, at worst non-existent. An airline operator is often best placed to judge on an impartial basis whether the security at an airport from which it operates is sufficient, providing it has applied a risk management process to that location. So any operator seeking to operate to that airport should treat the absence of such a process by an airport as a ‘red flag’. Risk management is in everyone’s interest.
OBJECTIVES FOR RISK ANALYSIS AND MANAGEMENT
Better visibility of risk is the main objective. There are three main components to that visibility: a) the continuous assessment of risk and mitigation (resilience); b) real-time monitoring of any incident; and c) the provision of dedicated incident-response and business-continuity protocols. A complex risk analysis needs to be translated into a simple but rich view of overall and scored risk, so that senior management and other elements of the operation can appreciate quickly the broader picture, as well as the risk “hot spots”.
A proper risk analysis and management system can provide airline and airport operators with a commercial edge, allowing their appetite for risk to increase, based on access to regular, high-quality, open-source data and threat intelligence that feeds into their continuous assessment. From the airlines’ perspective, they want to know that the airports from which they operate – and the governments in those locations – have a robust risk analysis and management system in place. And they want to be part of it, for example through contributing to management of the risk via an Airport Operating Committee, as well as being part of a strong local Security Culture.
A word of caution: safety remains equally important and there is potential for security requirements to inadvertently trump safety, for example when placing laptop computers fitted with lithium batteries in aircraft holds, or through an over-abundance of caution e.g. the searching of each and every access panel on an aircraft. Security measures need to be proportionate to the threat and the duly assessed residual risk, but should not be allowed to compromise safety.
OPERATORS, REGULATORS AND RISK ASSESSMENT
Why is Risk Assessment important for industry and governments?
In addressing its Member States, ICAO constantly emphasises “…the need for effective, risk-based measures, assessed regularly to reflect the evolving threat picture”. (Global Aviation Security Plan [GASeP], November 2017 – author’s italics above). GASeP also points out that “…understanding risk is essential for policies that are effective, proportionate and sustainable…Risk assessment helps identify gaps and vulnerabilities…”.
In addition, GASeP tasks Member States “…to implement and review secure, systematic mechanisms to share threat and risk information at the national level…”. The priority actions within GASeP include “…the need to monitor and address emerging and evolving threats…[including] risks arising from conflict zones…”.
Regular and continuous risk assessment, whether conducted by a regulator, airline operator or airport (or all three), offers a high degree of assurance as to the robust nature of the operation in the face of threats.
Why should industry and governments do this?
The first duty of any government is the protection of its citizens. Airlines have as their primary role the safety and security of their passengers, crew and aircraft. It therefore follows that, for example, helping airlines registered in that government’s country – whose passenger manifests are likely to be largely comprised of that country’s citizens – is an important element of such a duty of care. In addition, there are political and legal undertakings on risk assessment for Member States, set out in ICAO’s agreements and treaties, such as GASeP (see examples above) and Annex 17 of the Chicago Convention. As noted earlier in this paper, the requirement on carriers to operate a SMS is likely to see a similar obligation emerge from regulators in the near future, at least for scheduled and charter carriers, to have a SeMS in place too.
Many operators are members of the International Air Transport Association (IATA). Membership of IATA requires operators to hold an IOSA Registration, the IATA Operational Standard Audit recognised by many regulators as evidence of compliance with ICAO’s Standards and Recommended Practices. IOSA requires operators to have a documented and implemented SMS and a SeMS.
What currently prevents them from doing so?
A lack of access to accurate, reliable intelligence material on the threat can be a deterrent, undermining from the outset genuine attempts to engage in risk management. Despite repeated calls by ICAO and its Member States in Annex 17 and GASeP to share intelligence, those who have such access do little to actually share it. There are at times justifiable reasons why highly sensitive details cannot be shared. However, it should often prove possible to remove such details yet retain the core of the intelligence picture and the threat it depicts. In addition to the withholding of intelligence, the other deterrent is a lack of what would otherwise constitute corroborative information to support and complement the intelligence, where the latter can often provide an incomplete picture.
Even if such corroborating information is examined, there exists an understandable inability to make sense of the vast volume of open-source material available online. The absence (until now) of an ability to monitor, select, analyse and report on relevant material found online – and to do so across hundreds of thousands of sources on a continuous basis – has also acted as a deterrent.
For governments, there are also concerns about the legal implication of providing industry with a government-derived risk assessment, should an incident occur. With an emphasis emerging from regulators on the need for operators and airports alike to embrace a Security Culture and from there to go on and adopt a SeMS approach, one argument is that governments should step back from risk management. That would be a mistake and quite contrary to the more inclusive and co-operative approach emphasised elsewhere in this paper. Threats emerging from overflying conflict zones or operating from locations close to the scene of recent hostilities often prove very difficult for industry to risk assess, meaning it must rely on government guidance. Arguments based on legal concerns cut both ways: any government abrogating its duty of care surely risks a legal challenge and censure.
What more can and should industry and governments do?
In order to meet the expectation the global community has for the aviation sector and regulators to engage seriously in risk management best practice, there is clearly a need to develop or hire appropriate tools to comb through online, open-source material and sort out, categorise, analyse and judge relevant data. That in turn needs to be combined with whatever intelligence can be made available, directly or indirectly.
The amount of material available through open sources dwarfs any and all threat intelligence, in terms of quantity. However, it is also the case that, from that vast amount of data, kernels of real value on the threat picture can be gleaned from online material. Not just threat information by itself, but (with the tools to analyse and discern) the right system can be employed to predict where the next threat may lie. The possibility therefore exists today to use open-source material, even in isolation, to improve vastly the ability of an operator or regulator to manage risk.
The recent development of computer software programmes using Artificial Intelligence (AI) and a machine-learning capability allows for open-source data mining to produce a constant stream of up-to-the-minute information on threats to aviation security. It allows, probably for the first time, for industry and government alike to have confidence in their own risk management capabilities. Data-led management also has the benefit of largely removing human assumptions from decisions on risk. It is capable of identifying, analysing and corroborating relevant information on flight routes, airports, countries and regions and can be tailored to match the specific requirement and risk appetite of any operator or regulator.
The practical effect of such a development means that impediments to producing an effective and efficient risk management system no longer exist. This therefore provides a genuine opportunity for the obligations and undertakings made at ICAO on risk assessing to be realised and fulfilled.
Taking the debate forward could involve, for example, lobbying by industry to encourage governments to engage in data-led risk management. Those operators of commercial aircraft and airports also have the opportunity to take on risk analysis with a much higher degree of confidence, simply by contracting a supplier properly equipped with modern AI tools to produce the required results.
This paper has been produced at a time when the aviation sector is still reeling from the catastrophic loss of PS752 and the appalling human cost extracted. If anything good can emerge from such a tragic incident, perhaps it ought to be a real commitment by all to finally embrace risk management and so help avoid any repeat.
Clive Wright, Chair of the Aviation Risk Management Advisory Panel (ARMAP), coordinated with fellow Panel members in drafting this White Paper. Initially created in the aftermath of the tragic downing of Ukrainian International flight PS752, the paper sets out the need for more modern, effective risk management tools that governments and the aviation industry alike should employ.
The Aviation Risk Management Advisory Panel (ARMAP) is an independent structure set up with the support of Osprey Flight Solutions, the world’s foremost supplier of innovative and cutting edge data-led risk management systems for industry and governments involved in aviation.
The members of the panel are:
Navaid Ahsan, former Director of Operations, Airport Security Force, Pakistan
Ali Al-Harthy, former Vice President (Security), Oman Air
Tim Steeds, former Director of Safety and Security, British Airways
Taher Eldin Taher, former Assistant Secretary (Security), Civil Aviation Authority of Egypt
Clive Wright MBE, former Head of Global Risk, Aviation Security Division, Dept. for Transport, UK