By Nathalie Herbelles, Senior Director, Security and Facilitation, ACI World and Stacey Peel, Global Aviation Security Lead, Arup
Beyond their horror, the attacks of 11 September 2001 (9/11) triggered a seismic change in aviation security around the world. International aviation has faced other major crises since then, but none of them as detrimental as the COVID-19 pandemic.
The aviation security community is familiar with the cycle of response to crises, from the activation of emergency plans to the tendency for knee-jerk and one-size-fits all measures prescribed by authorities, all the way to the resumption of regular operations and the long-term, usually adverse, impacts of new measures on facilitation. This is slowly changing to an intelligence-driven, risk-based, outcome-focused approach to security.
The risk-based approach empowers airports to make decisions and investments that achieve security outcomes sought by authorities while also meeting other business objectives such as passenger experience, whole-of-life cost management, aesthetics, and staff well-being. It also leads to better security outcomes as limited resources are appropriately targeted and measures are commensurate to the risk.
Despite these lessons learnt in security, the response to the COVID-19 pandemic has been the same as that triggered by 9/11 – the imposition of prescribed, disproportionate to risk, one-size fits all measures with adverse impacts on operations. Industry leaders including ACI have been calling for a risk-based approach to the response since early 2020. As the industry recovers, it is imperative that the shift to a risk-based approach is made now before measures with adverse operational impacts become embedded and rules become fixed in legislation.
Together ACI and Arup have identified the top ten lessons learnt from the security experience that can be directly applied to manage health risks in aviation. They are being shared in a two-part series with the first exploring lessons learned for airports and the second identifying the lessons learned for regulators.
Probably the most important lesson is that security decisions must be risk-based. In a world where threats evolve and change constantly and resources are limited, security measures must be prioritized and proportionate to the risk. Threats and risk are different: a threat represents any plausible scenario of attack, while risk is about determining how likely this scenario is (likelihood) and how serious it would be (consequence). In aviation, as in daily life, there is never zero risk.
Seeing events through the lens of risk allows us to take better decisions and, importantly, to justify them to others. What is the likelihood and consequence of something happening? Are existing measures enough to address the risk? If not, what are our options?
It has taken security more than twenty years to reach a point where there is broad adoption of a risk-based approach to determining aviation security measures. And although we still have some way to go, we already see the benefits of a risk-based approach, including:
Airports should have a risk team that monitors all risks to the business, but every team, including senior management, regardless of the threat, should speak the basic language of risk.
What this means for airport health:
Major crises tend to see the involvement of top government levels, which leads to a tendency for decisions to be taken far beyond the airport’s control, with a high degree of risk aversion. We saw this during the COVID-19 pandemic when governments required quarantines in addition to multiple PCR testing as well as vaccination.
While over-reaction may be accepted (initially) as part of the cycle of crisis, airports must continue to communicate the necessity of a risk-based approach. Not every risk can or should be mitigated. High risks must be addressed as a matter of priority, but low residual risks may well be accepted without the need for further mitigations. For instance, airports should consider adjusting inbound health measures depending on what is driving the risk for specific flights. This avoids the deployment of measures that provide no significant mitigation value. Arup also provides a Pandemic Intervention Exploration Tool to help airports decide which mitigation measures are most appropriate for your airport based on transmission of risk and other business imperatives such as minimizing capital cost and high-profile interventions.
The ACI Airport Security Risk Assessment Handbook, First Edition 2020 researched during the current crisis, addresses the need for a better understanding of the threat environment, and the associated risks.
Before the WHO declared COVID-19 a Public Health Emergency of International Concern, many airports had already activated their Aerodrome Emergency Plans (AEP) to start planning for the management of the growing health crisis. These plans were instrumental for airports to mobilize and coordinate all stakeholders on the ground, including health authorities, and to respond to a rapidly changing situation. Airports were thus quick to act with a focus on protecting passengers and staff and maintaining essential operations.
AEPs are required under ICAO’s Annex 14 – Aerodromes and they require thorough planning, strict protocols, training, exercises, and training – covering a wide range of emergencies. Airports should be prepared for accidents and security incidents, but the pandemic shows that a range of events can deeply affect an airport. It is expected, for instance, that extreme weather events will happen with more regularity.
There have been calls recently for standalone emergency plans to be developed for different types of incidents, such as pandemics. This is problematic because responders should not have to refer to multiple documents in time of crises. It is also problematic because there may be discrepancies between different documents. Eventually, everything must circle back to one comprehensive document, and this should be the AEP.
What this means for airport health:
Airports should review their AEP and make sure that all stakeholders and all agencies are aware of it. If airports do not have one, we recommend that they prioritize this activity. The plan should be sufficiently broad to respond to a wide range of emergencies. Airports should also conduct exercises to monitor any discrepancies in the execution of the plan, allow for corrections and keep the plan up to date. This should include full-scale exercises, table-top exercises, and modular tests (focusing on specific components of the plan).
The ACI Emergency Preparedness and Contingency Planning Handbook, can assist aerodrome operators to develop and implement a robust aerodrome emergency plan, including restoration of operations after an emergency. It also deals with business continuity planning.
Safety and security are priorities, yet decisions should be taken with consideration for other imperatives as well. Often, various options present themselves which all mitigate the risk in one way or another. Some of these options might ensure an optimal balance between risk mitigation and the passenger experience. Decision-makers often fail to consider alternatives and only contemplate one solution to one problem. We believe that this is short-sighted and a failure of imagination. For example, the initial response to the 2006 plot (which intended to detonate liquid explosives on board aircraft across the Atlantic) was to ban all hand baggage on board – only allowing passengers to carry travel documents and wallets. It soon appeared that this approach was not reasonable as it had a strong impact on passenger comfort and baggage operations. A few weeks later, measures were relaxed to allow cabin baggage with small quantities of liquids.
In the security world, we have seen a “pendulum” swing between security and facilitation. When new threats require an immediate response, the pendulum moves towards more stringent security measures. As we move away from the crisis over time, the pendulum moves towards the incorporation of relaxations and a greater focus on facilitation. Experts now agree that security and facilitation are two sides of the same coin and that they do not need to be at opposite ends of a spectrum. We would even venture to say that they can be the same side of a coin because smart measures can achieve both security and facilitation. One example is the use of stand off distance and landscape architecture to mitigate hostile vehicle measures.
What this means for airport health:
Health measures should not be seen in isolation, and they should be taken with consideration for unintended consequences. For example, the need to physically distance passengers at various touchpoints risks creating bottlenecks as traffic resumes. These bottlenecks could create not only an additional health vulnerability, but also a security vulnerability as new queues become a target for attack in unscreened portions of the airport terminal. Another example is the impact of face masks on persons with disabilities, some of whom rely on lipreading for communication. Airports should consider carrying out impact assessments before significant health measures are introduced. Even when these measures are regulated, an impact assessment can help build a structured business case for alternatives. Ideally, impact assessments should form part of a consultative framework between regulators and regulated bodies (including airports).
Good decision-making requires an understanding not just of threat and risk, but also of the impact that different measures will have on passengers, operations, other States, and industry. This requires extensive consultations with the industry, foreign partners, and stakeholder groups. In the aviation security world, organizations such as ACI represented airports’ interests before 9/11 – but they played an important role after 9/11 when new consultative groups and structures were formed to shape aviation security policy. For example, the European Commission created the Stakeholder Advisory Group for Aviation Security (SAGAS) to advise EU Member States every 6 weeks as they created a harmonized European aviation security framework in 2003. Industry organizations are also contributing “observers” to every ICAO Aviation Security Panel.
Industry consultation should be structured and pro-active – meetings should be interactive and not just a mechanism for one-way announcements of decisions already taken. This requires buy-in from decision-makers, but also a positive attitude from stakeholders. After 9/11, the aviation industry often used the opportunity of consultation to voice concerns and push back on proposals for new security measures. Over time, the process has matured towards a more solution-finding mindset. This requires good sharing of (usually desensitized) intelligence from regulators, and a positive attitude from industry to make suggestions instead of just pushing back.
Formal consultation structures are essential, but informal communication channels also help. Knowing someone and having their mobile phone number can go a long way in ensuring that the right decisions are taken and that all stakeholders are on board. Over the years, the global aviation security community has become somewhat of a family, with long-standing friendships and mutual respect.
What this means for airport health:
The aviation health ecosystem (regulators, organizations, industry and suppliers) still needs to establish consultation structures and regular engagement processes. Their absence may be due to a perception that COVID-19 is a temporary event, a perception which is perhaps flawed. Some successful examples of collaborative structures include the ICAO Council Aviation Recovery Task Force (CART), but few similar structures have been put in place at national or regional level. ICAO’s Annex 9 – Facilitation requires the creation of Airport Facilitation Committees which are competent to review health matters. However, these Committees are often more informative than truly consultative. The situation is complicated by the fact that competent health authorities sit outside of transport ministries and Civil Aviation Authorities. Aviation is an industry with unique challenges and specificities. Our advice is that specific aviation health advisory groups be created at national and at airport level.
Aviation is proud of its safety record. In the period 2016-2020, according to IATA, there was less than 1 accident for every million flights. This is due in high part to its strong safety culture, where one accident is one too many. The importance of culture also applies to security, which is everyone’s responsibility. Airports run security culture campaigns and emphasize the importance of security through awareness trainings, constant communications and reporting mechanisms for incidents or suspicious behavior. This year was the ICAO Year of Security Culture, leading to a range of initiatives being adopted around the world.
Culture is made up of norms, beliefs, values, attitudes and assumptions. Therefore, it goes beyond a company’s actions and becomes part of its fabric. At some airports, staff are encouraged to challenge security measures and to have a conversation with airport management about improvements and areas of challenge. This results in a greater understanding and more buy-in than when security measures are imposed from the top and written prescriptively.
What this means for airport health:
Several airports have branded themselves as “healthy” since last year to re-establish passenger and staff confidence and prioritize health-related measures. However, a healthy culture should not be separated from safety and security culture: all of them are about protecting people from harm. In many ways, this is an area where having a robust healthy culture may be easier than a having a robust security culture, because people are more familiar with the risk. Most people understand that they are likely to get sick if they are in contact with pathogens – and that the consequences with COVID-19 may be hospitalization and dying. In the case of aviation security, the risk is harder to grasp: the likelihood of a terrorist attack happening on a given day are low, but the consequences would be catastrophic and probably involve mass casualties. Managing the risk requires constant vigilance and a recognition that terrorists are actively looking for vulnerabilities in the system. The chain is as strong as its weakest link.
Global Leader for Aviation Security, Arup
Stacey’s passion for bringing the design and security communities together to deliver risk based, security-by-design is rooted in her background and experience in regulation and government/national policy, risk management and security operations working in the Asia-Pacific, Europe, Middle East and North Americas regions. Prior to joining Arup she worked for ICAO and the Australian and Indonesian Governments in aviation security specialist roles.