Risk assessments: Too complicated or just someone else’s business?
It is essential for companies to have the confidence to create, maintain and monitor their own personalised risk assessments. Mike Woodall, Assistant Director of Security Consulting and Capacity Development at IATA, presents IATA’s methodology and supporting toolkit to help risk assessment practitioners in this crucial task.
Risk assessments are not new; states, organisations and individuals have been identifying and analysing potential hazards for centuries. Some seem complex, others more simple. Many are so intuitive and obvious that we don’t even bother to document or register them. This is until something goes wrong – by which time it is invariably too late.
Risk and safety have always been important considerations in aviation
Risk assessments are widespread across all areas of the industry and in many cases are mandated by regulation, but they are also carried out unconsciously by individuals in their daily activities.
Yet for all the industry’s experience of conducting extensive risk assessments, many aviation personnel and organisations remain uncomfortable when it comes to carrying out or documenting a risk assessment in a ‘professional’ capacity.
The fear of scrutiny and judgement, time pressures and intimidating language all act as deterrents to conducting and documenting risk. People fear that post-event risk evaluation by their peers, bosses or even legal representatives may be less than complimentary. This perceived fear should be tempered by the knowledge that the lack of a documented evidence-based risk assessment is also a potential risk to be factored into account.
Another potential deterrent to documenting risk is the formal – and in some cases complex – language used in assessment documents. Terms such as ‘threat’, ‘vulnerability’, ‘consequence’, ‘mitigation’, ‘residual risk’ and ‘risk appetite’ can be daunting to new risk managers. Not least when individuals may be unsure whose terms, definitions or risk appetites they are looking to cater for: their own, the boss’s, the Board’s, the regulators or their clients. How much risk is too much risk – and who is drawing the line and ‘signing it off’?
Time constraints can be another impediment to risks remaining undocumented
In many cases individuals deem assessments to be too time consuming when adjudged against other priorities. A further challenge can be individuals believing that they are the expert – and their judgements and decisions are what they are paid for and thus there is no requirement to document them. Thus many decisions – and the associated risk assessments – remain largely undocumented and/or reside in the brains of just one individual.
The result can be that risk assessments sometimes remain little more than an aspiration and, even when conducted, can be far from robust and of an auditable quality. In some cases they may be little more than a guess as to the risks others may be prepared to accept or tolerate.
Many people fail to realise that the decision of whether or not to conduct or document a risk assessment is itself the result of a risk assessment – all be it a subconscious one. Failure to conduct or document a risk assessment in the final analysis can be far from desirable. In fact, it can be highly detrimental to the individual, the organisation and those whose safety and security rely on timely, proportionate and viable mitigation strategies.
We all have a ‘risk appetite’ which evolves as time and circumstances change. For example, we rarely apply the same level of mitigation to the security of our own homes when we visit a neighbour as we do when we more consciously look to secure exactly the same premises and personal possessions before departing for a holiday. Why is that?
We constantly evaluate potential threats, vulnerabilities, consequences and mitigation factors and decide, based upon the best available information at the time, whether we are comfortable with our decision(s). In effect, we are asking ourselves if we are happy living with the degree of ‘residual risk’ that remains, having taken into account all of the mitigation currently in force.
What we do next very much depends on our overall risk appetite
If we decide we are comfortable with the remaining residual risk, we are in effect deciding that it falls within the boundaries of our risk appetite. As such we do not believe any additional actions are required.
If we remain uncomfortable, our current risk appetite is being breached and something therefore needs to change. This involves amending one or more of the factors contributing to the risk assessment before repeating the assessment to ascertain if we are now comfortable with the new residual risk calculation.
Most of us in our private and professional capacities accept we are largely powerless to alter ‘threat’ – which is itself a combination of two factors; intent and capability. Given that it is rarely possible to alter the intentions or capabilities of those wishing to do us harm, we have little choice but to look at the other variables within our risk assessment; those we are more likely to have the ability to influence or change.
Through applying additional mitigation, amending, improving or increasing security measures, the level of risk and vulnerabilities can be lowered. The goal is to satisfy the individuals’ level of risk appetite. This only happens when assurance is reached, based upon all existing knowledge and considerations, that the level of security being applied is at an acceptable level.
However, every person has a different level of risk appetite
An adequate risk assessment for one person may be grossly insufficient for another. For example, following a burglary the police or an insurance company may question whether our risk assessment was adequate. Under pressured circumstances a verbal assurance may seem inadequate. Particularly if undocumented and if those who were also affected were not part of the risk assessment process, and had little or no say in deciding if the residual risk did or did not fit within their own risk appetite. This is why most insurance policies have a clause concerning ‘reasonable precautions’ – and it is often they (not you) that decide what constitutes ‘reasonable’ in the final analysis.
In aviation security who and how many make the decision as to whether an organisation is taking ‘reasonable precautions’ is key. It is important that organisations have well-crafted, evidence-based, widely circulated, inclusive, approved and signed-off risk assessments. These must accurately represent the current ‘as is’ situation. They must clearly identify who within the organisation is cognisant and supportive of the level of residual risk being carried. Security/risk managers must ensure the residual risks are known and understood and signed off and accepted by those who ultimately own the risk.
We have all been shocked by news of a terrorist attack – the recent incident in Brussels being one such example. As a consequence many of us have revisited our risk assessments and documented that review in light of the latest events.
But are the key questions being answered?
Does your organisation know what the current level of residual risk being carried in respect of landside security and blast mitigation is, for example? How many of us have re-evaluated the threat, vulnerabilities, consequences and mitigation processes and practices to calculate the residual risk in the light of another incident. If we have, to what extent did the new residual risk ‘score’ fall within our organisation’s risk appetite parameters? If not, what are our plans to address the situation? Assuming risk assessment metrics remain constant, maybe it is our risk appetite – or our perception of risk – that has changed.
Whatever term is used – risk register, risk assessment, threat assessment – the fact remains that in many cases the concept is well known, understood to a degree and in part supported. Not least by regulatory requirements, standards and/or recommended practice, for example, within the ICAO Aviation Security Manual.
Sadly, the regulatory texts frequently point towards the existence of a risk assessment process or document, but go no further. References or statements such as ‘following a risk assessment’, ‘educated by a risk assessment’, ‘periodic risk assessments should be carried out’ are common. However, they are seldom accompanied by any real practicable examples of what a risk assessment entails or how best to create, manage and review one.
The same documents that provide the above commentary often fail to provide even rudimentary definitions of the component parts of a risk assessment, let alone helpful ideas, suggestions, guidance or templates to support and encourage prospective risk assessment practitioners to begin the process in any meaningful sense. It is little wonder that many find the creation of a risk assessment a challenge.
IATA is not alone in believing risk assessments should be created, documented, populated and maintained in a timely, effective and evidence-based fashion. Equally, IATA is not alone in believing that a clear, well-crafted and well maintained risk assessment that is visible to, and supported and signed-off by, senior management is a powerful tool when seeking to identify, deploy and gain best advantage from limited security resources, personnel and funding.
IATA asserts that organisations and risk managers should have the ability, confidence and associated supportive tools to effectively evidence, record, evaluate and review the threats, vulnerabilities, consequences, mitigation actions and ultimately residual risks that affect their business.
A documented and evidence-based risk assessment, endorsed by senior management, not only provides a degree of auditable assurance that the business is effectively identifying and addressing risks in a sensible, pragmatic and proportionate fashion to the best of its ability. It also provides assurance to those individuals tasked with implementing and overseeing the security mitigation that the residual risks are being managed to the satisfaction of those who, ultimately, decide the level of risk appetite that is acceptable to the organisation as a whole.
To that end IATA has developed, and continues to refine with the industry and regulators, a risk assessment methodology and supporting toolkit that will better enable risk assessment practitioners to carry out this important task.
The IATA Threat and Risk Audit Matrix (TRAM) is specifically designed to provide existing and future risk assessment practitioners with the tools, templates and confidence to create, populate, evaluate, maintain and track the individual components of their own personalised risk assessments – resulting in individual residual risk scores that better educate the overall risk management decision making process.
The objective is to ensure individuals and organisations are increasingly ‘self-sufficient’ in respect of risk assessments. They will be better equipped to more effectively and efficiently allocate and manage the limited security resources available to them in a timely, proportionate and cost effective fashion.
Mike Woodall is Assistant Director of Security Consulting and Capacity Development at the International Air Transport Association (IATA). He has worked for the UK Government for over 30 years and has focused on aviation security for the past 16 years. Mike is currently on secondment to IATA as the Assistant Director of Security Consulting and Capacity Development.