“Culture eats strategy for breakfast” is the often-cited refrain attributed to management consultant and writer Peter Drucker. What Drucker and many others have observed is that without the buy-in and commitment of an organisation’s people at all levels, the best strategies, plans and procedures are unlikely to succeed.
By Kevin Sawyer, Senior Manager – Aviation Security Development (CAAi), and Phil Dykins, Head of Aviation Security Regulation (UK CAA)
Security as a core business value
As the ICAO Global Aviation Security Plan (GASeP) makes clear, the promotion of effective security culture is critical to achieving good security outcomes. A key challenge for States and entities is not only ensuring a positive security culture is present within the aviation security community but, perhaps more importantly, that those who are not directly engaged in security activities think and act in a security-conscious manner. It is only by embedding security as a core business value that this can be achieved.
Lessons from safety
It is with this in mind that the UK CAA has been exploring how safety practitioners have successfully embedded safety as a core tenet of aviation and have, in turn, developed a positive safety culture within the sector.
The history of aviation safety is punctuated with mercifully few but significant examples of a lack of safety culture leading to, or contributing to, accidents and incidents. These tragic events have not only acted as important reminders of what is at stake, but more importantly have provided the aviation safety community with the opportunity to take stock, to review and most significantly to implement the lessons learnt.
As the GASeP identifies, our collective ambition is for a strong security culture to be developed from the top management level and applied across and within every organisation. What many aviation safety practitioners have achieved is to engender safety culture (i.e. the way people think, feel and act in relation to safety), not only at an individual level, but also at an organisational level, where safety is built into the fabric or DNA of the company and considered a core business value influencing all actions and decisions. If the ambition is for security to be regarded as a core business value, rather than as an obligation or burdensome expense, then it stands to reason that we should explore how a similar evolution and level of maturity has been achieved in the aviation safety sphere.
The link between Safety and Security Management Systems
The Security Management System (SeMS) approach has been influenced and informed by the Safety Management System (SMS) approach now widely adopted in aviation safety. ICAO Annex 19 defines a Safety Management System as a systematic approach to managing safety, including the necessary organisational structures, accountability, responsibilities, policies and procedures.
It is within this context that the United Kingdom Civil Aviation Authority (UK CAA) SMS guidance places risk management activities at the heart of SMS, including the identification of safety issues, risk assessments and risk mitigation. The guidance goes on to emphasise the need for a strong quality assurance function that monitors compliance and performance, as well as managing change. To be effective, the SMS needs both the right policies, processes and procedures in place, and the leadership to ensure they are implemented effectively. Training also plays a key role in implementing effective safety management systems. Training not only maintains personnel competencies, it also facilitates the sharing of information across the organisation, and with external organisations where there is a safety interface. An effective safety management system is woven into the fabric of an organisation and its culture.
The work that safety colleagues have done provides regulators, airports, airlines and others involved in protecting the security of aviation with the opportunity to examine and extract some of the good practice, templates and frameworks that have been developed. Whilst safety and security risks are fundamentally different, there are sufficient similarities for some SMS best practices and principles to be adopted into the delivery of effective aviation security.
The key components of a SeMS can be summarised in the diagram below. This is taken from the UK CAA SeMS framework¹ which provides one example of how an effective SeMS can be implemented – with an effective security culture at its heart. To be effective, the security management system must be implemented, assessed and reviewed continuously and the UK CAA is currently developing and trialling a number of processes to support companies in assessing and assuring the individual SeMS components as well as their overall security culture.
Understand, Assess and Enhance
Key to the measurement and enhancement of aviation safety culture is the three-stage approach of Understand, Assess and Enhance, stages which are transferable to developing security culture.
In the ‘Understand’ phase we should define what we mean by security culture and identify the components that go into making it. The ICAO Security Culture Toolkit provides a useful starting point for achieving this.
The toolkit describes security culture as a set of norms, beliefs, values, attitudes and assumptions that are inherent in the daily operation of an organisation, and are reflected by the actions and behaviours of all entities and personnel within the organization. It notes that security should be everyone’s responsibility, from the ground up and top down.
The toolkit goes on to describe the key components and outcomes of an effective security culture, to enable practitioners to understand both what a positive security culture is and its constituent parts. The UK CAA summarises these components as:
- Positive Work Environment
- Understanding the Threat
- Reporting Systems
- Incident Response
- Information Security
- Measures of Effectiveness
Looking at the safety experience, it may be useful for us to consider those components in terms of: Psychological aspects (How people feel); Behavioural aspects (What people do); and Situational aspects (What an organisation has). Thinking about the components in these terms makes it easier for us to then move on to the ‘Assess’ phase.
In the ‘Assess’ phase we can evaluate how well each of the indicators is currently being delivered within an organisation, by selecting the most appropriate evaluation method for each component. For example, indicators which relate to how employees feel about security at work could be measured through interviews or surveys. Indicators that relate to what people do at work could be measured by observations. And indicators relating to what an organisation has by way of policy and procedures could reasonably be measured by document audit. What is important is choosing the most appropriate method based on the nature of the indicator.
Because culture exists somewhere on a continuum, rather than being ‘present’ or ‘absent’, it might be useful to plot the result of this assessment on a maturity model. This will help to reflect the ongoing journey that developing a positive security culture will be. The image below, taken from the UK CAA SMS guidance, gives an indication, borrowed from the world of safety, of what a future maturity model for security culture could look like.
It would be useful to develop such a model for aviation security that all parties – states and industry alike – could recognise and adopt as a basis for assessing where their own approach to security sits on this continuum.
Lastly, in the ‘Enhance’ stage, the ICAO Security Culture Toolkit and the ICAO Security Culture Campaign Starter Pack provide some practical ideas and templates for how performance against each of the indicators can be improved.
Having undertaken the assessment, we will have a better idea of where our efforts should be focussed. Having put changes in place, we should re-evaluate performance against the indicators to ensure our efforts have had the desired effect.
There are of course still areas where safety practitioners are seeking to do more, as part of their continuous improvement approach. But real progress has been made at the global level in promoting the idea that a positive safety culture must be woven into the fabric of the aviation sector at all levels from the boardroom downwards.
Much has been written about what security culture means, but the shorthand developed by Edgar Schein that culture is ‘the way we do things around here’ (Schein, 1996) perhaps encapsulates the concept best in this context. Just as for safety, effective security has to become part of the DNA of civil aviation, and developing a mindset that ‘security is the way we do things around here’ might be a simple way of describing where we hope the security culture journey will lead us to.