SeMS – Supporting the aviation recovery
Di Lintott, a SeMS Auditor with the UK Civil Aviation Authority, examines the role SeMS will play as the aviation industry recovery begins, and what the future will hold for SeMS as the CAA continues to push forward in modernising its oversight approach.
The role of SeMS during the pandemic
The COVID-19 pandemic has required us all to adapt to significant change, learning to work in different ways within very challenging and uncertain environments. One of the most striking changes has been the growing acceptance that we must acknowledge the human element within aviation security, much more than we have in the past. The pandemic has taught us that human beings are vulnerable to a wider range of threats – physical, emotional and psychological – and it is clear that the relevance of the discussion around security culture, human factors and insider threat will continue to grow. With sustainability also now a key element, it’s evident that change, and how to manage it successfully, remains high on the aviation agenda.
Throughout the pandemic, we have heard from many UK and international organisations that have a SeMS in place, and we have been encouraged to receive feedback on how their SeMS has functioned. It is fair to say that the feedback from those entities with a mature SeMS has been hugely positive. Organisations have frequently told us that the governance processes have proved to have an enormous practical benefit in dealing with the challenges they faced, including fast-paced change, the risks arising from that change, and the need to maintain a resilient security operation, albeit in much altered circumstances.
We have noted that many organisations have been very quick to adapt and have already reflected on what they have learned from the pandemic, turning the ‘lessons learned’ into action, such as Insider Threat awareness activities, or finding new ways to heighten general security awareness among the wider aviation community. We have seen some highly creative examples of this, including a board game highlighting positive and poor security practice, complete with dice bearing the company logo, as well as virtual Q&A sessions that are run on a weekly basis.
All indications are that SeMS has proved its mettle; it has demonstrated that it is flexible enough to remain relevant during periods of significant disruption, and that the emphasis on good governance and risk management has provided organisations with greater insight into the resilience of their security operation and greater confidence in their overall security performance.
Why a SeMS to support the current environment?
The aviation industry is rightfully focused on recovery, albeit facing further uncertainty, and businesses operating with reduced employee numbers may understandably feel that there is no spare capacity to think about a SeMS. However, I believe that now is the right time, indeed the best time, to consider how to embed the key operating principles of a Security Management System within your operation and exploit the advantages that this brings. Incorporating these principles will help to facilitate a resilient security operation – one that is robust enough to weather future uncertainty, and flexible enough to adapt when required.
Senior Managers have a pivotal role to play in embedding strong messages regarding security behaviours and indeed modelling these behaviours themselves. As new organisational structures emerge, it’s vital that senior managers lead the way confidently with clear vision and expectations.
Now more than ever, it is essential that businesses are fully sighted on their risks, and SeMS can ensure that your security risks are not just identified, but also mitigated and managed in a proactive and systematic way.
SeMS enables an organisation to manage change more effectively and efficiently, with a systematic approach to change management that ensures the security department’s voice is heard, and security remains a high priority as change is implemented.
With many organisations now recruiting additional staff to deal with increasing passenger numbers, organisations should ensure that quality is maintained in the areas of recruitment, training, and assessment; they will want, and need, assurance that the new members of the workforce, including third-party security providers, are recruited compliantly, and receive high-quality training and on-the-job supervision. This will enable them to develop the skills, behaviours, and attitudes that will actively support industry recovery and form the basis for future growth. Robust internal quality assurance and performance monitoring as part of a SeMS will provide insight into these crucial areas and provide ongoing assurance that security standards are maintained.
Security culture is the key
A conversation about SeMS would not be complete without the mention of security culture – what it is and how to nurture it. Security culture is the bedrock of a SeMS, purposely placed at its heart. SeMS encourages organisations to assess their security culture so that they understand what their people believe and feel about security, and by logical extension this means they also need to consider what a positive security culture would look like to them, and what the indicator(s) of this might be. It also encourages organisations to use those insights to shape future learning and development activity and promote better understanding of the threats faced by their organisation, thus creating a deeper appreciation of the shared security responsibilities of all employees. This will be further complemented by regulation: from 1 January 2022 it will be a requirement for all regulated organisations to develop an internal security policy, one that will educate their people about security culture. This policy is aimed at enhancing staff awareness, and promotion of a positive security culture, to address Insider Threat.
The true value in developing a positive security culture can at first seem difficult to quantify; however, it has been done very successfully in several ways through surveys, walk-the-floor sessions by Senior Managers, workshops and forums. Analysis of other carefully selected indicators, such as reporting or overt testing, can further provide helpful insights for understanding more about employees’ beliefs or attitudes towards security. However an organisation chooses to describe its security culture, the values and attitudes it aspires to develop among its people, and the level of maturity its security culture achieves, will play a pivotal role in successfully embedding its SeMS and preparing its workforce to embrace the future of aviation security with confidence and clarity of purpose.
How is the regulatory landscape changing for UK civil aviation?
While it’s true to say that the UK CAA had already embarked on a programme of modernisation before the pandemic began, it is also the case that the CAA is more than ever firmly convinced that our approach to oversight needs to be able to flex to meet the future demands placed on us as the regulator, just as industry will need to adapt to new regulatory and business environments over the coming years.
The CAA has embarked on the development of a few new ways of working within key areas and will continue to work alongside organisations, as they take greater responsibility for identifying and managing their risks.
As the UK Civil Aviation regulator, we must adapt our approach and consider how we might direct our efforts ever more efficiently and effectively, just as the aviation community has done to better utilise their limited resources. We are consciously moving away from the ‘direct and inspect’ approach and embracing a more collaborative and agile way of working. We are actively promoting open, ongoing conversation with our industry partners and the sharing of best practice. While compliance monitoring will remain an integral part of our role, we recognise that working alongside organisations, and supporting them as they transform their assurance and risk management practices, will bring significant advantages to the entire aviation community, and beyond.
The CAA continues to encourage industry to develop a SeMS on a voluntary basis. Therefore, throughout the pandemic we have continued to work with new entities opting to commence their SeMS journey or progress their SeMS to a new phase of maturity. SeMS remains a UK CAA priority within our strategic plan, and we continue to aspire to see SeMS become a regulatory requirement.
SeMS is a prerequisite for the development of a more agile approach to conducting oversight, an enabler for what was formerly known as performance-based oversight; one that enables the regulator to identify industry wide strengths, as well as vulnerabilities, and provides verifiable assurance that entities are proactively and consistently identifying and managing their own risks.
Risk Based Oversight is nothing new. The UK CAA is embarking on risk-based oversight development with other areas within the CAA, such as safety. We have moved away from the terminology Performance Based Oversight, as we recognise that an oversight regime, one that encompasses a variety of contributing factors, is much more than performance alone. The aspiration for a risk-based approach looks at risk profiles, how risk is managed internally by the organisation, as well as specific performance indicators all relating to security. The UK CAA is encouraged by the aviation industry response to this approach, and the years ahead will see this developed positively, with both the regulator and industry in mind.
Further Information on Security Management Systems and our future Risk Based Oversight developments can all be found at: www.caa.co.uk/SeMS.
Di Lintott has held a variety of roles within the UK CAA, including within our CAA International directorate, and currently works as a SeMS auditor within a dedicated team rolling out SeMS across the UK’s directed organisations.