Understanding Aviation Security Regulations

aviation_154607207By Steve Lawson.

For some time I have wanted to write an article about the various regulatory regimes and contrast and compare them, yet it just never seemed the right time for me to do it. However, with the recent change to Australia’s threat environment, now may be a good time to look at the various types of regulatory regimes. I intend to make this a discussion about the different models, not a criticism of any particular regulator.

Two countries can have the same regulatory regime, in one it works but in the other, it does not. I will include in this discussion some of the reasons that one regime fails but another succeeds. This discussion will take place over this and the next article.

I am only going to propose five models although I can think of variations to each model.

The first question that should arise is to ask if we even need a government aviation security regulator.

I can already hear people shouting “Because it is a requirement of the International Civil Aviation Organisation (ICAO)”.

Is it?

Annex 17 to the Convention on International Civil Aviation: Security – Safeguarding International Civil Aviation against Acts of Unlawful Interference only says:

“Each Contracting State shall establish an organization and develop and implement regulations, practices and procedures to safeguard civil aviation against acts of unlawful interference taking into account the safety, regularity and efficiency of flights.”

Further, Annex 17 says:

“Each Contracting State shall designate and specify to ICAO an appropriate authority within its administration to be responsible for the development, implementation and maintenance of the national civil aviation security programme.”

and

“Each Contracting State shall require the appropriate authority to define and allocate tasks and coordinate activities between the departments, agencies and other organizations of the State, airport and aircraft operators, air traffic service providers and other entities concerned with or responsible for the implementation of various aspects of the national civil aviation security programme.”

The obligations of the “appropriate authority” include that it shall:

  1. Ensure the development and implementation of a national training programme.
  2. Arrange for the supporting resources and facilities required by the aviation security services to be available at each airport serving civil aviation.
  3. Develop, implement and maintain a national civil aviation security quality control programme to determine compliance with and validate the effectiveness of its national civil aviation security programme.
  4. Re-evaluate security controls and procedures and in a timely fashion take action necessary to remedy weaknesses so as to prevent recurrence. These actions shall be shared with ICAO.
  5. Ensure that operators do not accept cargo or mail for carriage on an aircraft engaged in commercial air transport operations unless the application of screening or other security controls is confirmed and accounted for by a regulated agent, or an entity that is approved by an appropriate authority.

Annex 17 does not say that the appropriate authority needs to be a government body, just that it is established by the government.

There is also some confusion between the obligations of the appropriate authority and the contracting state. Many governments place all of the obligations under Annex 17 into a single organisation, while others will place the training and quality control into another organisation.

I would suggest that there is a difference between the “Regulator” and the quality control or audit organisation.

Annex 17 does not preclude any of the models I propose here. Remember I am not advocating any model in this first article, simply having a discussion about models.

So for the first model, why not an industry body?

Model 1:

The Regulator is an industry group established by legislation and answerable to a Minister or similar position within the government. This industry group does not have direct control of the quality control or training. The requirement to “maintain a national civil aviation security quality control programme” is devolved to another operational organisation with responsibility to report to the Regulator.

There is nothing in the obligations of the appropriate authority that is beyond an industry body and nowhere does it say that the appropriate authority must be a government body, just that it needs to be within its administration. I suggest that a self-regulating industry group could be established that would fulfil all of the ICAO requirements.

What are the consequences of this model?
Is it possible to provide the authority to a Regulator made up of industry members to allocate tasks to “departments, agencies and other organizations of the State”?

As the regulator is operated by the industry, there is a rather large pool of industry knowledge held by the decision makers.

I am unsure how practical such an arrangement would be. It may be as simple as the industry group making recommendations to the National Aviation Security Committee, which is also required by ICAO, and it then issues directions to those “departments, agencies and other organizations of the State”.

It could be argued that there could be huge cost savings with this model. However, most of those savings are likely to be in general revenue. There would be some additional cost to industry since I would gather that membership of a Model 1 Regulator would require at least one full-time position, if not more. You could argue that the costs to industry would be more than offset by reducing unnecessary regulation and red-tape.

There is also an argument that an Industry group would tend to be self-serving when making decisions. However, self-serving is not necessarily a bad thing. Self-serving also means that the effect of regulation has a business and operational ruler passed over before anything is implemented. It should also be remembered that most first world airlines and airports do not wish to be associated with a terrorist incident.

Most of the obligations would require a rather large administrative staff. Who these people are and where they are sourced would probably be the most difficult issue of this model.

Model 2:

The Regulator is a mixture of government and industry. I would suggest that this model is, again, a small body as Model 1 would be, but in this model the government is included in the management committee and provides the staff for the organisation. As with Model 1, the requirement to “maintain a national civil aviation security quality control programme” is devolved to another operational organisation with responsibility to report to the Regulator.

What are the consequences of this model?
In this model it would be easier to allocate tasks to “departments, agencies and other organizations of the State”.

As with Model 1, the inclusion of industry provides a large pool of industry knowledge for the decision makers.

Again, like Model 1, there could be cost savings with this model. Similarly, most of the saving would be to general revenue. But there would be additional cost to industry as I would again expect that membership would require at least one full-time position, if not more for each member. You could again argue that the costs to industry would be more than offset by the reduction in unnecessary regulation and red-tape.

Although current arrangements for many regulators already includes industry consultation, the difference with this model is that industry input would have more authority.

Model 3:

The Regulator is established and staffed by the public service. Like Model 1 and 2, the requirement to “maintain a national civil aviation security quality control programme” is devolved to another operational organisation with responsibility to report to the Regulator.

What are the consequences of this model?
In this model, it would be easier to allocate tasks to “departments, agencies and other organizations of the State”

Like in Model 1, there could be cost savings with this model. Less would be from general revenue. But there would still be additional cost to industry as I would again expect that membership would require at least one full-time position for each member, if not more. Once more, you could argue that the costs to industry would be more than offset by the reduction in unnecessary regulation and red-tape.

Current arrangements for many regulators already include industry consultation but with this model the industry input is more advisory than an executive role.

One issue that can arise with organisations staffed only by public servants is that public servants tend to move from department to department as part of their career progression. Consequently, there can often be a lack of industry or corporate knowledge, and exposure to the unintended consequences of decisions made by government.

Model 4:

The Regulator is established and staffed by the public service. Unlike the previous models, the requirement to “maintain a national civil aviation security quality control programme” is maintained by the Regulator.

What are the consequences of this model?
It can, and often does, include an industry advisory group.

Like Model 3, this one is staffed only by public servants and the public servants tend to move from department to department as part of their career progression, consequently there can be a lack of industry knowledge or exposure to the unintended consequences of decisions made by government.

Model 5:

The Regulator is established and staffed by the public service. Unlike Model 4, the Regulator takes responsibility for all aspects of aviation security, including implementation (e.g. screening).

What are the consequences of this model?
This is probably the most expensive and bureaucratic system.

It can, and often does, include an industry advisory group.

Like Models 3 and 4, this one is staffed only by public servants and the public servants tend to move from department to department as part of their career progression, consequently there can be a lack of industry knowledge or exposure to the unintended consequences of decisions made by government.

Next Article

In the next article, I intend to look at regulators around the world and classify them as one of these models – including my opinion of which is the best.

Steve Lawson has over 20 years of experience in aviation security. As a Security Executive with Qantas Airways, Steve held a number of senior management roles covering all aspects of aviation security from policy development to airport operations. He was sent to New York immediately following the 9/11 attacks to manage the Qantas response and undertook a similar role following the 2002 Bali Bombings. On his return to Australia, he was appointed Security Manager Freight for the Qantas Group. Since 2007 he has been a Director of AvSec Consulting in partnership with Bill Dent, a fellow former Qantas Security Exec. Today Avsec Consulting provides consultants from the US, NZ, ME, Israel and Europe. Steve can be contacted on 0404 685 103 or slawson@avsecconsulting.com

 

%d bloggers like this: