Compliance No Guarantee of Security

    The announcement last week that the TSA would begin to allow passengers to carry small pen knives onto commercial flights received mostly negative reactions from the public and from aviation professionals who staff those flights. As the spouse of one of those aviation professionals who could potentially be directly – and very negatively – affected by such a change, I’m inclined at first thought to agree with the majority.

    However, in the big picture, I know that more serious, more probable risks deserve the maximum resources possible from TSA, and that assessing risk is an ongoing process that includes discontinuing controls on certain threats that have been identified as lower priority.

    Is the question of flight crews being stabbed a low priority? No, it most certainly is not. It is A priority, among many, that may move up or down the list, depending on other changes in the risk assessment landscape.

    Saying it more eloquently, if not from such close proximity, Steven Minsky, CEO of LogicManager, wrote on ebizQ that the move is part of TSA’s progression to an enterprise risk management stance:

    “Being in compliance does not necessarily bring security and safety. When technology and business processes change, compliance programs need to be risk based in their evaluation of the impact those changes bring and adjust their compliance requirements accordingly. Over allocation of resources to risks of the past that have been mitigated sufficiently explicitly leaves less resources looking forward at the next point of vulnerability.”

    So, I’d venture to say that some of the folks who complained last week about the pen knife policy change have also at some point complained that they were unfairly singled out for a pat-down, or that going through the security lines takes too long, or that they’re not sure the TSA agents are up to the task at hand. Do we feel safer being told that everything is being taken care of we are perfectly safe, or do we feel safer being told that we’re not perfectly safe, and we all darned well know it?

    Has your organization been lulled into complacency and a false sense of security because you have a “risk manager,” or perhaps a legal department, who will take care of everything? And can you live with the consequences when the falsity of that belief is demonstrated in some dramatic way? Are you focused on the knife in the purse — or the oddly wrapped package back in the cargo hold?

    Okay, I’m asking a lot of questions here, but the time is now to do so, for all of us.

    The ongoing procedural changes at the TSA, including altering the list of approved items for carrying on flight, and their goals, are described by the department this way:

    “TSA will continue to take steps to further enhance its layered approach to security through new state-of-the-art technologies, expanded use of existing and proven technologies, better passenger identification techniques and other developments that will continue to strengthen the agency’s capabilities to keep terrorists off commercial aircraft. … If the individual pilots prove successful, these changes could allow officers to better focus their efforts on other passengers who are more likely to pose a risk to transportation. Additional changes to the security screening process may be implemented in the future as TSA continues to analyze the best approaches to security.”

    TSA’s responsibility is to help keep millions of traveling American citizens safe every day. Its constant updating of its policies, procedures and its assessment of risks should make you feel good about how easy it will be to follow suit in your company.

    Latest Articles