When hearing about the sudden changes to security measures in airports around the world this summer, it occurred to me that organisations such as the Civil Aviation Authority must have some quite awesome processes in place to allow them to change security procedures almost instantly.
In addition to their ability to change their procedures so quickly, they must also have a thorough and robust risk control system in place, particularly when the stakes are so high. They will probably be conducting in-house risk and control assessments (RCA) for both ad hoc and planned checks.
The stakes are also high for businesses, as failure can cause financial damage or loss of reputation, and on occasion both.
Based on our experience of auditing facilities and building in control mechanisms, my recommendations for running RCAs that add value to the organisation are as follows:
- Clarity of task and purpose
- Quality assurance
- Good design and common language
- Adding value
Clarity of task and purpose
Be clear about the different roles and tasks of each person carrying out the RCA: what does the person doing the assessment need to check, and how does their supervisor/manager know that the assessment has been carried out effectively and thoroughly?
Allow for routine periodic assessments and also cater for ad hoc responses.
Build in quality assurance. This will start with an issue/risk, followed by a resulting workflow, notifications/reminders, confirmation of completion, evidence of completion and closure.
Good design and common language
Make it easy to capture risk – questionnaires are often used, so design the questions well.
- Use language and terminology that is commonly understood by all for consistency
- Ensure escalation points are clear and not open to interpretation
- Provide additional guidance notes at key points within the process
Make them straightforward to complete but, at the same time, comprehensive and searching, and guide the user through the process.
Report on the outcomes of the RCAs and ensure you have an audit trail so you know what has been done, by whom and when. Look for frequently recurring issues and trends and address them at a higher level.
Tracking the closure of a risk is just as important as identifying the risk in the first place.
It should not be a “tick box” exercise: RCAs should be viewed as a valuable tool in the armoury of risk management. RCAs that generate actions which are closed out speedily and efficiently will provide great value to the business.
Whilst the risk to airports is more newsworthy, this does not reduce the risks to business. I hope these recommendations will help with your RCAs.