Enterprise risk management enables strategic decision-making and supports resource allocation within CATSA, thereby allowing the organization to make informed decisions at the corporate and operational levels.
CATSA’s risk attitude and risk culture allow the organization to accept certain levels of risk, enabling the organization and its workforce to respond to the changing environment in innovative ways.
Mandated Services Risk
Detection capabilities and maintaining care and control of screening checkpoints
Due to the evolving, unpredictable nature of the aviation security threat environment, there is a risk that CATSA may not have the technology, threat and risk information, processes or human factor capability to detect all high risk threat items or new and emerging threats, and prevent screening circumventions at operating screening checkpoints. This may result in substantial consequences to the civil aviation system.
Risk Mitigation and Controls:
CATSA has established programs, processes, procedures and systems to ensure compliance with Transport Canada’s regulations. CATSA only deploys screening technologies that meet detection standards and screening procedures that fall within the security screening measures established by Transport Canada. The organization monitors the effectiveness of its operational programs on a continuous basis through the use of testing, oversight programs and performance measurement. The organization also ensures that it remains apprised of Transport Canada regulations, and any aviation security equivalency requirements stemming from its national and international counterparts.
Service Delivery through Third Party Risk
Legal and Illegal labour disruption
Given CATSA’s third party service provider model, there is a risk that the organization may have limited influence to prevent a legal labour disruption event or to maintain service levels during an illegal labour disruption event initiated by the unionized screening officer workforce. Labour disruptions of this nature may result in longer wait times, increased passenger complaints and harm to CATSA’s reputation with its stakeholders.
Dependence on outsourced screening services, equipment maintenance services or major suppliers
In the event that a contractor may no longer be able or willing to provide the agreed upon contracted services or goods, there is a risk that CATSA’s dependence on outsourced screening services, equipment maintenance services, or major suppliers may result in negative service delivery impacts.
Risk Mitigation and Controls:
CATSA conducts continuous monitoring of labour market conditions in all of its regions in order to identify potential labour disruption events. The organization also has existing policies and procedures related to procurement and contracting that provide it with recourse should a contractor or service provider become unable to provide the agreed-upon services. CATSA also continually monitors for any potential impacts related to vulnerabilities to the organization’s supply chain, industry consolidation of key vendors or key contractors, or for transition risk related to the new maintenance service provider contract.
Capacity Risk
CATSA staff capacity
There is a risk that CATSA’s current staff capacity, in certain areas, may be inadequate to sustain workloads and to support a healthy work environment resulting in employee dissatisfaction and a decrease in corporate performance over time.
Risk Mitigation and Controls:
CATSA monitors employee satisfaction through regular surveys and closely monitors vacancy levels, attrition, and turnover rates.
Traveller and Stakeholder Relations Risk
Reputational risk
There is a risk that CATSA may encounter events that the organization is not able to effectively manage, which may cause damage to its reputation with its stakeholders, resulting in loss of public trust in CATSA and/or confidence in air transportation security.
Risk Mitigation and Controls:
CATSA conducts regular passenger surveys in order to respond to the needs of the travellers across the country, and has ongoing proactive engagement with Transport Canada and stakeholders. These mechanisms help the organization to ensure that it maintains public trust and confidence as it conducts its mandated activities. At the Class 1 airports, CATSA has developed preparedness plans, which document operational readiness in anticipation of the busier travel periods such as spring break and the summer and winter holiday seasons. CATSA continues to work with industry partners and Transport Canada to find solutions to industry-wide challenges.
Human Resources Risk
Employee recruitment and retention
Due to labour market conditions for talent, or due to CATSA’s overall corporate human resources strategies, there is a risk that the organization may experience challenges in regards to recruitment and retention, resulting in a potential loss of corporate memory or a decrease in overall corporate performance.
Risk Mitigation and Controls:
CATSA’s human resources policies, frameworks and programs allow the organization to ensure that current and potential employees have all the tools and resources required to promote overall employee satisfaction, such as the Performance Management Program, Succession Plan, respectful workplace program, leadership excellence program and the flexible workplace model. CATSA also promotes enrolment in professional development training programs, hosts a social committee, and conducts employee surveys on a regular basis.
IT Risk
Cyber Attacks on IT Infrastructure
Due to the evolving nature of the cyber threat environment, there is a risk that cyber threats and/or attacks may negatively impact CATSA’s information technology infrastructure and/or compromise organizationally sensitive information resulting in a loss of public confidence and potential damage to the organization’s reputation.
Risk Mitigation and Controls:
CATSA’s IT Security Program implements tools, controls, policies, processes, and security practices to protect its IT infrastructure, systems and digital assets. As part of the program, the organization remains abreast of emerging threats by conducting daily reviews of security system alerts, by monitoring newscasts and bulletins on security breaches and threats, and by collaborating with other federal partners through the Canadian Centre for Cyber Security.