Risk management is not about absolutes; it is about using a consistent analysis framework to balance risk and cost on a common basis across the enterprise. Yesterday's announcement by the Transportation Security Administration (TSA) that it is adopting a risk-based approach is a long-awaited practical application of enterprise risk management to security.
As of April 25, 2013, the TSA will allow small pocketknives and an array of sporting equipment, banned from aircraft cabins in the wake of the September 11, 2001 terrorist attacks, to be carried once again on U.S. planes. This is simply a security risk assessment that has quantified the threats across all areas of air travel and concluded that an acceptable level of risk from onboard carry-ons has been achieved through mitigation efforts such as reinforced cockpit doors and better intelligence. Although these items still present some risk, accepting that risk allows the TSA to focus its personnel on other areas of airport security that are more vulnerable in terms of impact, likelihood of occurrence and the effectiveness of controls.
There are always those who are against a risk-based approach, in this case the Coalition of Flight Attendant Unions, but clearly they have a short-sighted, backward-looking view of the threats to their personnel's safety. No one is disputing that pen knives are a risk; however, there is no such thing as zero risk either. Airline personnel are exposed on every flight to larger threats such as bombs in cargo, airport intrusions, weaponized viruses and others. Coincidentally, this news story broke on the same day as the TSA announcement, "Passenger accidentally gets on airport tarmac," emphasizing the urgent and timely need for the TSA to use an ERM approach to reallocate resources according to residual risk, meaning the threat that remains after the controls in place are taken into consideration. Given two risks of equal inherent size, the residual threat from the one with poor controls will be higher.
Being in compliance does not necessarily bring security and safety. When technology and business processes change, compliance programs need to be risk-based in evaluating the impact those changes bring and adjust their compliance requirements accordingly. Over-allocating resources to risks of the past that have already been sufficiently mitigated leaves fewer resources for looking forward to the next point of vulnerability. Risk assessments must be connected to goals and activities within a risk taxonomy to give them purpose and a measure of effectiveness. Without that, compliance becomes a senseless box-checking exercise. With risk management, compliance becomes an effective control that delivers business value.
The TSA ERM program is a recognition that "they can't do it all": the agency has dropped traditional rigid absolutism for a balanced, quantitative approach in its risk management program. According to Jeff Spivey, former President of ASIS, "So many companies are still confused by the terminology that's being used. They hear 'enterprise risk management' and say, 'Well, we have a risk manager so we're doing that already.' But in fact, they're just doing the old traditional approach—transferring of some risks by purchasing insurance. They may be involved in some risk identification at a high level or some claims analysis, but they really don't know the full scope of ERM."
Only by quantifying risks and tolerances at the front line and using a common framework can resources be allocated to the controls that manage those risks effectively. Simply stated, money can be better spent in other areas, where poor controls over risks much larger than pen knives are a disaster waiting to happen.
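To make the residual-risk argument concrete, here is a small worked example added to this post; it is not the TSA's methodology or data. It assumes a simple scoring model, inherent risk = impact × likelihood and residual risk = inherent risk × (1 − control effectiveness), and a constructed register of three threats with made-up figures. It ranks the register by residual risk and splits a fixed budget in proportion to it, which is the reallocation the post is arguing for.

```python
# Added example (not from the original post): a minimal residual-risk scoring
# model. The formula, the risk names and every number below are assumptions
# constructed for illustration, not TSA figures.
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    impact: float                 # 1 (negligible) .. 5 (catastrophic)
    likelihood: float             # 0.0 .. 1.0, chance of occurrence per period
    control_effectiveness: float  # 0.0 (no control) .. 1.0 (fully mitigated)

    def inherent(self) -> float:
        """Risk before any controls: impact weighted by likelihood."""
        return self.impact * self.likelihood

    def residual(self) -> float:
        """Risk remaining once the controls in place are taken into account."""
        return self.inherent() * (1.0 - self.control_effectiveness)


def rank_by_residual(risks: list[Risk]) -> list[Risk]:
    """Highest residual risk first; this is where attention should go."""
    return sorted(risks, key=lambda r: r.residual(), reverse=True)


def allocate_budget(risks: list[Risk], budget: float) -> dict[str, float]:
    """Split a fixed budget in proportion to residual risk.

    A register whose risks are all fully mitigated gets nothing, rather than
    dividing by zero.
    """
    total = sum(r.residual() for r in risks)
    if total == 0:
        return {r.name: 0.0 for r in risks}
    return {r.name: round(budget * r.residual() / total, 2) for r in risks}


# Constructed sample register: the pocketknife has a high inherent score but
# strong controls (reinforced cockpit doors, screening), so its residual risk
# ends up lowest; the perimeter intrusion has weak controls and ranks first.
REGISTER = [
    Risk("pocketknife in cabin", impact=3, likelihood=0.4, control_effectiveness=0.9),
    Risk("bomb in cargo", impact=5, likelihood=0.05, control_effectiveness=0.5),
    Risk("airport perimeter intrusion", impact=4, likelihood=0.2, control_effectiveness=0.3),
]

if __name__ == "__main__":
    for r in rank_by_residual(REGISTER):
        print(f"{r.name:30s} inherent={r.inherent():.3f} residual={r.residual():.3f}")
    print(allocate_budget(REGISTER, 1000))
```

The point the numbers make is the one in the text: the pocketknife's inherent score is the largest of the three, but once control effectiveness is applied it falls to the bottom of the ranking, and the budget follows the residual figure rather than the headline threat.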