Risk management is embedded into strategic decision-making and resource allocation within CATSA, thereby allowing the organization to make informed decisions at the corporate and operational levels.
CATSA manages its corporate risks through an Enterprise Risk Management (ERM) framework, and maintains a comprehensive overview of its risk profile, including descriptions of key operational and financial risks, risk ratings as measured by likelihood and impact of risk occurrence, and risk mitigation strategies. An overview of CATSA’s ERM Profile can be found below.
CATSA recognizes the principle of risk-reward, and manages its risks knowing that:
- The complete elimination of risk is not possible;
- Risk aversion is not the same as risk management; and
- Acceptance of risk can lead to positive outcomes for the organization.
CATSA’s overall risk attitude can be described as conservative and flexible.
Conservative: The organization generally focuses effort more heavily on the active management of medium, medium-high, and high risk, and the acceptance of low risk.
Flexible: As a public sector organization, fully dependant on public funds to deliver a security mandate, CATSA’s environment is highly dynamic, and influenced by two key stakeholders, namely Transport Canada and the Government of Canada more broadly. From a risk management perspective, the unique nature of CATSA’s environment requires flexibility and discretion in the application of risk attitude.
CATSA’s Risk Profile (as of October 2023)
Mandated Services Risk
Risk: Detection capabilities and maintaining care and control of screening checkpoints
Due to the evolving nature of the aviation security threat environment, there is a risk that CATSA may not have the technology, threat and risk information, processes or human factor capability to detect all high risk threat items or new and emerging threats, and prevent screening circumventions at screening checkpoints. This may result in substantial consequences to the public and the civil aviation system.
Risk mitigation: CATSA monitors the effectiveness of operational programs on a continuous basis through the use of testing, oversight programs and performance measurement. The organization also ensures that it remains apprised of Transport Canada regulations, and any aviation security equivalency requirements stemming from national and international counterparts.
Capacity Risk
Risk: Adequacy of government funding
There is a risk that the organization's funding envelope may be insufficient due to cost increases, new requirements and/or government cost cutting initiatives.
Risk mitigation: CATSA works closely with Transport Canada and Central Agencies to ensure that the organization receives adequate funding throughout the planning period. CATSA also conducts ongoing financial risk management and forecasting activities, in addition to its budgeting processes and requests for supplemental funding as required.
Risk: CATSA staff capacity
There is a risk that CATSA's current staff capacity, in certain areas, may be inadequate to sustain workloads and to support a healthy work environment resulting in employee dissatisfaction and a decrease in corporate performance over time.
Risk mitigation: CATSA monitors employee satisfaction through regular touchpoint surveys and closely monitors vacancy levels, attrition, and turnover rates. The organization is focused on ongoing staffing actions for the additional eighty-four FTEs over three years, as well as the implementation of its human resources strategic plan.
Service Delivery Through Third Party Risk
Risk: Legal and Illegal labour disruption
Given CATSA’s third party service provider model, there is a risk that CATSA may have limited influence to prevent a legal labour disruption event, or to maintain service levels during an illegal labour disruption event initiated by the unionized screening officer workforce. Labour disruptions may result in longer wait times, increased passenger complaints and harm to CATSA’s reputation.
Risk: Dependence on outsourced screening services, equipment maintenance services or major suppliers
Due to a contractor no longer being able or willing to provide the agreed upon contracted services or goods, there is a risk that CATSA's dependence on outsourced screening services, equipment maintenance services, or major suppliers may result in negative service delivery impacts.
Risk mitigation: CATSA conducts continuous monitoring of labour market conditions in all of its regions in order to identify potential labour disruption events. The organization also has contractual terms and conditions that provide it with recourse should a contractor or service provider become unable to provide the agreed-upon services. CATSA also monitors and addresses any impacts to its supply chain, both in light of its recent transition to KPrime for the maintenance of most screening equipment, and the transition to new screening services contracts.
Stakeholder Relations Risk
Risk: Reputational risk
There is a risk that CATSA may encounter events that the organization is not able to effectively manage, which may cause damage to its reputation with travellers and/or its stakeholders, resulting in loss of public trust in CATSA and/or confidence in air transportation security.
Risk mitigation: CATSA’s website provides the public with important information related to its operations, wait time service levels and performance. The organization also conducts regular passenger surveys and develops external communications strategies to respond to various issues that may impact stakeholders. These mechanisms help the organization to ensure that it maintains public trust and confidence as it conducts its mandated activities.
Human Resources Risk
Risk: Employee Recruitment and Retention
Due to labour market conditions for talent or due to CATSA's overall corporate human resources strategies, there is a risk that CATSA may experience challenges in recruiting and/or retaining key and/or specialized talent resulting in a potential loss of corporate memory and/or decrease in overall corporate performance.
Risk mitigation: CATSA monitors and reports on attrition rates on a quarterly basis. In addition, the organization has implemented a flexible workplace model in order to meet the changing needs of the post-pandemic workforce. CATSA will continue to strive to attract, recruit and retain the best talent.
IT Risk
Risk: Cyber Attacks on IT Infrastructure
Due to the evolving nature of the cyber threat environment, there is a risk that cyber threats and/or attacks may negatively impact CATSA's IT infrastructure and/or compromise organizationally sensitive or secret information resulting in a loss of public confidence and potential damage to CATSA's reputation.
Risk mitigation: CATSA strengthens its cyber security defences with the ongoing development of the Security Incident and Event Management program along with the implementation of additional cyber controls.