DON'T LET THE STARs FADE OR THE RAGs GET DIRTY ⭐

Security Threat and Risk Groups (STARs), often referred to as Risk Advisory Groups (RAGs), are a key feature of robust Security Management Systems (SeMS). With COVID-19 restrictions impacting the number of people who can meet in person, Andy Blackwell, a Senior Risk and Security Advisor with ISARR, explores how organisations can best manage these groups during the pandemic to ensure they remain effective.


Following COVID-19’s devastating impact on the civil aviation sector it is easy to fall into the trap of thinking that as demand for air travel has plummeted, the accompanying threats and risks have decreased in equal measure, and the work of the sector’s security and risk professionals has lessened. Unfortunately, things aren’t as straightforward as that, and the situation remains complex and dynamic. The threat and risk landscape may be quite different from the pre-pandemic state and still needs to be kept under constant review. Human factors, employee behaviours and organisational culture will all have a bearing on how businesses will manage going forward, and there will be considerable pressures on Accountable Managers for Security, and those tasked with managing the organisation’s threats and risks, to support business growth, whilst maintaining appropriate levels of safety and security. Adopting a SeMS approach will help organisations achieve the appropriate balance.

The importance of maintaining STAR/RAG activities

Risk creates danger and opportunity, and organisations who understand and are adept at managing the risk/opportunity balance will be exploiting this to the maximum, as they strive to make their businesses profitable. The risk appetites of organisations may change amid the significant commercial pressures. Unfortunately there will be those who lose focus, causing their threat and risk management activities to wane, as organisations get consumed with time-sensitive tactical activities and getting to grips with an operational environment and organisational mindset completely different from the one they may be accustomed to. For these reasons, the importance of maintaining STAR/RAG activities cannot be overstated, and any desire to halt them or delay them unnecessarily should be strongly resisted. Organisations with a mature Security Management System (SeMS) will understand the importance of aligning security and resilience with the organisation’s strategic direction so it effectively becomes an enabler not constrainer of the business.


STAR/RAG Membership: Still fit for purpose?

There are a number of questions that entities should ask themselves following any significant organisational change or restructuring:

1. Will the Chair be able to maintain continuity of the STAR/RAG?

2. Does the membership of the STAR/RAG reflect the restructured organisation?

3. Are there any gaps in representation on the STAR/RAG e.g. are frontline personnel included in the membership?

4. Is the membership of the STAR/RAG diverse and inclusive enough to enable the group to make informed decisions about threat and risk?

5. Are there training/briefing requirements for new STAR/RAG members?

6. Does the risk register provide an accurate and current record of the threats and risks faced by the organisation, together with the ‘risk owner’ and agreed mitigation?

7. Is the STAR/RAG meeting frequency and duration still fit for purpose?

8. Is sufficient time being allocated to STAR/RAG meetings including prior preparation and document review?

COVID Secure Aspects

Entities whose STAR/RAG membership exceeds the number of people legally able to meet under the pandemic restrictions have no option but to conduct their meetings virtually, whilst those below the limit have to conduct their own risk assessment to identify whether the meeting can still be held ‘face to face’, with social distancing measures in place, or should be conducted virtually. For the purpose of this paper we will focus on the virtual STAR/RAG.

Technology to the rescue: Security Considerations

In view of the sensitivity of discussions at the STAR/RAG meetings and the confidentiality of materials shared, the first and key consideration is the security of the platform you will be using to host the meeting. Recent headlines such as “Zoom Boss Apologises for Security Issues and Promises Fixes” highlight the challenges of going virtual. The security, regulatory and reputational risks of improper disclosure of some of your company’s most sensitive information require a risk assessment in themselves. Initial security considerations should include, but not be limited to:

1. Is the platform you are proposing to use secure enough for the security classification of the material/topics the group will be discussing?

2. Are you able to rapidly detect ‘unknown’ visitors to the session and eject them from the meeting?

3. Do remote workers have the right level of cybersecurity training and tools, including a good understanding of the company’s policies and procedures?

4. Are the attendees fully aware of the need for security in the venues from which they are dialling in?

The UK’s National Cyber Security Centre helpfully provides useful guidance on the topic; see Video conferencing services: security guidance for organisations.

Technology: Not a silver bullet but there are potential benefits

Whilst face-to-face meetings cannot be replaced by technology, organisations are now having to integrate them with new meeting technologies. The STAR/RAG environments are no exception to this and whilst nothing can replace the water cooler discussions, there are potential benefits to increased use of technology platforms to help with risk analysis, information management and secure dissemination of data, to name just a few.

Human Factors: Who is going to put their head above the parapet now?

Whilst it is important not to underestimate the magnitude of existing threats and risks to the sector, there are also a number of human factors we need to be mindful of as these may change behaviours in the STAR/RAG group meetings and impact risk assessment integrity. The International Air Transport Association (IATA) has released data showing that some 25 million jobs within the sector are at risk of disappearing with plummeting demand for air travel amid the COVID-19 crisis. Thousands of staff have already been made redundant and others await their fate. Those who remain in the industry may be reluctant to challenge, or be seen to be going against the company line. In short, there is a hidden risk that employees will not want to ‘rock the boat’, even if the boat needs rocking.

There are many examples of catastrophic events occurring because people have been frightened to speak out, or challenge those higher in rank than themselves. The investigation into the Asiana Airlines accident in San Francisco on 6 July 2013 revealed that one of the co-pilots was afraid to warn his captain about the low-speed landing. He kept silent. The aircraft crashed short of the runway, killing 3 people and injuring 181 others. Whilst this and many of the other examples relate to an immediate operational context, the fact remains that challenging authority is difficult, particularly when the stakes are high and other factors are in play such as organisational restructuring and redundancy programmes. Protecting their employment status has never been a higher priority for many in the industry. Company culture will clearly influence how safe employees feel in challenging others, particularly those they feel could have an influence over their future.

Virtual STAR/RAG – Tips

1. Include a security reminder at the commencement of the meeting, especially important for those working from home.

2. Act transparently and encourage openness and honesty.

3. Commend those who challenge the norm.

4. Focus the meeting on getting the right balance to enable safe and secure delivery of business strategy.

5. Consider the non-obvious/ hidden threats such as disgruntled staff or former employees that may inadvertently be caused by inappropriate leadership behaviours, poor culture or other human factors.

Conclusion

Whilst the devastating impact of COVID-19 on the sector is obvious and operational activities have been significantly curtailed, any temptation to diminish the focus on security, risk and resilience based solely on the basis of reduced passenger numbers and demand for air services, should be resisted. Conventional threats haven’t gone away and terrorists retain their unhealthy interest in civil aviation. The Director General of MI5 recently warned that the UK was facing a nasty mix of threats. History shows us that threat actors are patient and will strike at a time that optimises attack lethality.

The significant job losses in the industry and the potential for further reductions may create subtle behavioural changes in those remaining in the organisation who are tasked with managing threats and risks. In its simplest form this may result in a reluctance to speak out or challenge for fear of jeopardising their jobs. Every opportunity should be taken to commend, and be seen to support, those who are willing to challenge the norm and take brave decisions.

One indicator of organisational resilience is the ability to work together collaboratively despite being in geographically separated environments. Using the right platform can help achieve this.

Don’t let your STAR fade or the RAG get dirty. Complacency in security, risk management and resilience is one of the biggest challenges the industry faces. Terrorists and threat actors will be searching for weaknesses to exploit, and our efforts to identify new threats and risk, and close any gaps must be as focused and dynamic as theirs.

More about Complacency in our blog article next month.
