The roll-out of risk-based security measures has stalled at TSA, and we urgently need to get things back on track. My physician friends would say, the patient is in “serious condition”—very ill with vital signs that are abnormal and unstable. TSA doesn’t deserve all of the blame here. Congressional intolerance for risk and an American public conditioned to expect fool-proof security exert just enough pressure on the agency to make choosing a risk-based measure the riskier career move.
In the future, rather than judging the effectiveness of security on the heft of the regulation book or amount of fines collected, we should be focused on achieving specific security outcomes. Why? Because, every airport, airline, train station, and train is different, so one-size-fits-all regulations doesn’t make any sense. That’s where outcome focused risk based security (OFRB) shines.
In the preceding three parts of this series, I’ve discussed the need for restructuring the screening organization and the synergy between strategy and innovation, three pillars of advancing the Transportation Security Administration (TSA) towards a more effective 21st century counterterrorism organization (i.e., TSA 2.0). The fourth pillar of TSA 2.0 is OFRB.
OFRB measures are tailored to a defined objective and the specific place where the threat may be encountered. So, within boundaries, if your goal is to make sure bombs stay off planes, passengers don’t carry prohibited items, and employees don’t compromise security, then how you get there can be defined locally and not from Washington, DC. OFRB creates a security system adaptable to new and emerging threats and one that scales to growing passenger numbers.
Last year, 896 million passengers traveled to, from and within the United States by air, with that number growing at 2.1% per year. By 2024, 1.125 billion passengers will pass through our airports. With all of these people and operations, we’ll need to figure out where to focus our limited security resources. The same issue applies to the millions of tons of air freight as well. With more than a billion passengers and countless millions of boxes that have no nexus to terrorism, how do we find the “bad apples?”
The current answer is to screen everyone and everything the same way. But just as the summer of 2016 shows, the system has a limit as to how well that works, and it looks like we have reached the system’s limit. One answer is that we screen unknown things more and the known things less. But that involves risks and tradeoffs.
Let’s talk about risk for a minute. Every activity comes with risk, and air transport is no different. One of the biggest challenges today for TSA is striking the correct balance between risk and regulation. We cannot accept 100% risk, and any regulation that completely eliminates risk would shut down the industry. A pragmatic approach is needed to balance the two.
Many regulators, including TSA, continue to focus on audits rather than outcomes. Regulations and laws proscribe a certain way of doing things and then an onsite auditor observes an operation to see if measures are carried out as written. In these regulatory schemes, risk is managed by changing the auditor’s schedule, varying the specific procedures that are observed, and rotating the auditor that appears onsite. Such a focus on audits necessarily results in static security measures that are more (rather than less) predictable. This does not provide the necessary balance between risk and regulation.
It took visionaries on the other side of the Atlantic to define this balance. In 2011, the UK Department for Transport (DfT) put forward a framework that embraced a regulator’s obligation to maintain public safety while promoting dynamic security measures tailored to the operational realities of each airport or airline—OFRB.
The related landmark consultation document set out principles to: govern security culture from the ramp to the boardroom; promote innovation and efficiency; and improve the passenger screening process. In OFRB, regulations propose desired outcomes, and operators are able to tailor security systems to achieve those outcomes. OFRB signaled the beginning of the end of one-size-fits-all security measures.
While the UK DfT remains ahead of the game, understandably a great many regulators remain reluctant to go down this road. That’s because OFRB frowns on the knee-jerk regulatory actions that often serve as a response to tragedies in the modern world. Legislative bodies and the public often just want something to be done. OFRB doesn’t offer such instant gratification.
There is another unspoken aspect of an audit-based system. Such frameworks offer the illusion of leveling the economic playing field among participants. If your competitor is doing the exact same thing you are doing, then you know that no one is getting the upper hand. Essentially, the cost of security remains the same among participants. In OFRB, your security costs become a function of the measures you chose to implement. The practical result is that security departments now have to self-justify all costs. For some, it’s easier to tell the boss, “that’s what the government wants” and move on.
If you look at one-size-fits-all security as practiced since 9/11 and think all has gone well, there’s no need for OFRB. I am on the side of the fence that says we’ve developed a static security system that cannot adapt to growing passenger numbers. OFRB will allow us to channel resources to higher risk activities, allow more flexible screening systems that can deal with a higher volume of passengers, and promote more creative ways to eliminate threats to transportation systems.
That is TSA 2.0’s road to scalability and flexibility in the aviation security system. Next up: customer service.