I echo the Chairman’s thanks to you for coming.
I would like to ask the question that I kicked off with this morning with the airports about views on the potential benefits of transferring responsibility for regulating security from the Department for Transport to the Civil Aviation Authority. What can we do in relation to our complementary efforts at reform to move to an outcomes-focused, risk-based approach to security?
Ricky Fiander: I am glad you raised that difficult mouthful of outcomes-focused, risk-based solutions, because it is quite dear to our hearts. I believe that it will give the industry some flexibility. Perhaps an example of that would be that if we are training an X-ray operator, the outcome is that the X-ray operator can detect prohibited articles. A lot of the training that they have to do is not only about focusing on prohibited articles; they need to know what the European Commission, the European Civil Aviation Conference and the International Civil Aviation Organisation do. For us, given a freehand at that, the outcome could be improved by focusing directly on what is needed in their jobs.
Gaynor McLaughlin: I work with smaller companies and some remote locations. The one-size-fits-all approach, particularly when applied as the standard for Heathrow, does not work. Introducing flexibility via a risk-based regime would certainly allow more appropriate measures, and certainly more appropriate measures for the consumer, not only the operators.
Obviously, the CAA has a very strong safety record in securing very high levels of aviation safety, and it has done so on the basis of a safety management regime not dissimilar to the approach that we are now proposing for security. In terms of bringing the regulatory functions together, do you think that the CAA’s experience in safety might help it to deliver the sort of approach that you would like to see for security?
Gaynor McLaughlin: I sincerely hope so, because we are banking on it doing that. The CAA has a lot of expertise, particularly in investigation, which it can bring to looking at the causes of particular problems, and it is much more likely to produce the right solutions. At the moment, with the current regulatory approach, we have this “direct and inspect”. We are finding symptoms and we are treating symptoms, but the underlying causes just carry on.
Your main expertise and the focus of your evidence here is on security, but it would be useful to hear your thoughts on the approach to economic regulation in the Bill generally and whether you feel that it would improve on the current regime for the economic regulation of airports.
Ms McLaughlin, in the papers that we have received, two points that you have raised about the Bill are about how the arrangements will be applied to foreign airlines and the sanctions for poor management exceeding the costs without impacting the consumer. Could you elaborate on those two points? You said in your answer to the Minister that you are focusing on security as your area of expertise. Do you have any expertise on whether the Bill will have any detrimental effect on freight airlines as opposed to commercial passenger airlines?
Gaynor McLaughlin: Ricky is the freight person, but in answer to your question about foreign-registered airlines, the UK-registered airlines have been part of this process and they understand. There is a will to do something differently and to take some of that responsibility. I am not sure that the foreign carriers, particularly the non-EU carriers, are quite ready for it.
There has been a tendency, particularly with how the Department for Transport has behaved over recent years, to wait to be told what to do. They would just say, “Just tell me what it is that you want to do.” Very little effort is put into being proactive, looking at the risk and doing anything differently. My concern is that if the cost of compliance is greater than the cost of non-compliance and not putting the effort in, what will change? They will just wait to be told.
Can I ask about freight? We are aware that freight has been identified as a growing security challenge—as we saw, for example, in the East Midlands airport situation with the printer toner recently. At the heart of the Bill is an idea that we are moving towards outcome-based solutions. Is that a fair description of where the industry is right now? Presumably, politicians will want to get involved when there are high-profile events anyway. Does the Bill change that situation?
Building on the last point, we live in an ever-changing world when it comes to security, risks and compliance factors. That is just a fact of life. Do you both have a view on whether the CAA will have the capacity—that is probably the best word to use—to take on any real changes? Dare I say it, if our security situation changes, et cetera—one could argue that that is inevitable because of the world we live in—are we able to move quickly with new compliance, for example?
Gaynor McLaughlin: I actually think that it will improve with the CAA. If the CAA’s approach to aviation security compliance mirrors its approach to aviation safety, where the responsibility to demonstrate and provide evidence for compliance rests with the industry, we will get a greater level of compliance and more information. At the moment, there are too few inspectors, who are far too into the detail.
The analogy I would use is that it is a little bit like putting your car into a garage for an MOT. The Government inspects the MOT stations and ensures that the engineers are accredited, but they do not get under the car and inspect the exhaust, which feels like what we have at the moment. Government inspectors are looking for holes in fences and are looking at whether the actual measures are being done properly.
Your example of garages is really interesting, but, obviously, you are dealing with a very different level of risk. The risk may be minute, but the potential effects are catastrophic. It is a safe assumption that that is what drove the blanket, very tough approach that was adopted in response to clear threats in the past. In light of that, could you give us any more specific examples that you can see of ways in which a risk-based approach can save money? What things are being done now that do not need to be done?
Ricky Fiander: I can give some examples. European aviation security legislation allows for a far larger amount of screening methods. As a company, in other countries we use different screening methods. An outcome-focused and risk-based solution might mean that we would be able to use different screening methods more quickly. As a company we already do that outside of the legislation, over and above what is required.
Gaynor McLaughlin: Another aspect would be the frequencies with which certain things have to occur. The European regulations are much more generous than the United Kingdom frequencies, which are more restrictive. I am not suggesting that we should move straight to the European frequencies, but that would allow flexibility. Different locations and different operators at different levels of risk could apply different frequencies.
Just to develop those responses, how would you compare the handling of security in Britain with the handling of security elsewhere in the world? Are we more effective but more onerous, or are we worse? How do you see it?
Ricky Fiander: That is a very difficult question. There are almost diametrically opposed solutions to aviation security. In Europe, although there is an overall piece of legislation providing minimum standards, the member states choose to implement it very differently. In the UK more stringent measures are applied, which the European legislation allows for. I guess you have to ask whether the UK is perceived as a higher risk than Portugal. The answer is probably yes. Those extra measures reflect that.
Gaynor McLaughlin: I think, as well, that there is a general perception that the UK has a tendency to gold-plate the regulation. The interpretation by the inspectorate is often more onerous, restrictive and much more prescriptive than we see in other countries. The operator is given more freedom to determine how to achieve the outcome, whereas in the UK the means of compliance are generally prescribed and quite restrictive.
I asked this question of the panel of airport operators who came in this morning. As the Bill currently stands, do you feel that the CAA will operate in an efficient manner, keeping down potential costs on airports, and more specifically for you both, cost to passengers and air freight shippers? This morning we kept hearing, interestingly, about costs and implications that the regulations might bring.
Ricky Fiander: There has been some emotion about costs, quite rightly in the present climate. What is not often known is that cargo operators such as us have always paid for our screening staff, technology, training and vetting. The difference in the transferring of costs is about the writing of policy and compliance. I have made a rough calculation of what that means to us. It is down to four decimal points of our operating costs. Any additional cost is not good, but as long as it is proportionate, I do not think it is an issue.
Gaynor McLaughlin: The other bit of the equation we should look at is not necessarily cost-reduction but better value for money. There is potential for the Government to get better value for money from their inspection regimes and compliance processes. My company offers industry quality assurance, so we are part of collecting a lot of the evidence. The current processes are quite expensive and you don’t get much information. The way the CAA will do it—the way it does aviation security—the Government will be able to have much more confidence for no greater expenditure.
I want to pick up on another point raised by Airlock Aviation Ltd: the issue of sanctions for poor management, how they might be implemented and how they should exceed the cost of compliance. Could you talk a bit more about that, and also whether there are any specific parts of the Bill, perhaps in relation to the penalties process, that might concern you?
Gaynor McLaughlin: As I said earlier, if the cost of doing it right outweighs the cost of doing it wrong, there is very little incentive. We need to get that equation right. Any sanction needs to make the operator put in more effort, but it should not punish the consumer. Adding extra security measures because somebody has done something wrong punishes the consumer as well. If an operator is required to pay a penalty by having more security, searching more people or searching people to a higher level, that punishes the consumer. Consideration could be given to sanctions developing more quality assurance, so that the operator has to provide more evidence, has to provide evidence more frequently, or has to provide evidence of compliance—not necessarily a financial, monetary sanction.
I am just curious to know if you are able to inform me. You had very strict security arrangements here in the United Kingdom and they worked well, but other countries may not do them so well. I was in Kenya and there were no security checks in relation to liquids and so on. I thought that was unusual, but that is just an example. Can you influence security in other countries through your aviation contacts to ensure that they can lift their levels of security? Do those measures have to be done by Governments, or can they be done business-to-business? I am curious to know how we can ensure that security levels increase. Make all the effort here and not elsewhere, and there is a gap.
Ricky Fiander: I cannot comment publicly on the exact data, but I can say that that concern has been addressed by European policy. There are now, particularly in cargo, pieces of legislation that came into force on the first of this month for a list of countries where a high level of security is required. As I say, that was implemented a few weeks ago.
Gaynor McLaughlin: I think it is important as well that the international obligations from the Chicago convention recognise host state responsibility. I think that the UK has always followed that, unlike the Americans who perhaps have acted more extra-territorially with their carriers, so that would be a fundamental change.
I am quite attracted by this process-based security checking, rather than checking for holes in fences, as you put it. If you move to that, how do you handle the risk of having a huge queue and airlines moaning that passengers are delayed, and thinking, “Well, we’ll just let a few go through without the random checks and we will stop making them taking their belts and shoes off”? Do you not risk having a process in place that looks perfect on paper, but in practice, under pressure, is overlooked? That is quite hard to check on a process base, rather than a spot check.
Gaynor McLaughlin: I hear what you are saying. Certainly my understanding of the outcome focus risk-based was not that it is flexible on a daily basis, but that it would be a risk assessment for that location or that operator. Once that risk assessment is done, then that is what you apply, not that you do one thing today and something else tomorrow. That is very much the same with safety. The CAA would audit that process and the operator would be required to quality assure it and to produce evidence that the process was consistent.
My point was not that the process should be different day to day, or that the standards on paper would not be different, but it is that problem of, “We’ve got a queue and people are screaming and moaning, can we relax it a bit because it will get them through?” Is that a risk that you ever see happening, or would that be such complete madness that you do not think any operator would ever behave like that?
Ricky Fiander: I do not want us to go away thinking that this outcome-focused, risk-based solution—I wish we had another name for this—will be a dip in the water. There are systematic checks—they are daily checks—and there are minimum standards. As I understand it, even going forward, the European standard will be the minimum and the UK will add in its more stringent measures. There are, certainly in the cargo business, system-driven daily measures that can give you that assurance as part of a security management system.
Is there a risk that different processes will be in operation at different airports, and even within airports, if airlines are taking responsibility, confusing the passenger over what they can do and what they cannot do at different airports? If it is outcome-driven and if the inputs are different, would it be that in one place you could take your water through and in another place you could not and so on?
Gaynor McLaughlin: No, I think that that is something that we all strongly feel needs to be avoided. We should always have a standard procedure for the customer to follow. If a customer is packing a cabin bag, they should know what size cabin bag they can take. It cannot be that this one is okay at one airport and then at another airport the same bag is not okay. Within the system, the things that are done to the customers can vary. For example, at the moment, certain things are done to a percentage. They are not done to 100%. Customers are currently treated differently, because one will be selected for a process while another one is not. Within the system we can have that flexibility, provided that we are not asking the customer to behave differently.
There are two parts to this. First, is there a risk that, at some airports where the risk is thought to be less, we could have an issue where security was less? At the moment, trans-Atlantic flights are perhaps most at risk, but terrorists will always look for any opportunity, so is there that risk? The other part that goes alongside that is: if it based on profiling and so on, is there more risk that Asian people, for instance, will be targeted more than white people or particular groups of people for that additional surge in security? How do we ensure that it is not discriminatory?
Gaynor McLaughlin: Yes, you are absolutely right: we do. Therefore, any sort of selection or targeting should be based on behaviour and not on appearance. The behaviour is one way of doing it. It certainly should not be done in any way that is discriminatory. I take your point about creating weaknesses. Given that it is a network operation, we need to be absolutely clear how we feed operations that may have been deemed a lower level of risk into the network. We need to be clear whether it can feed seamlessly or whether there needs to be another layer of security before they go on to the network at another airport. That then becomes an operational decision, rather than a security decision.
So, overall, is there not a worry that, if things are outcome-led rather than input-led, there is a potential flaw in the system? Currently, as I understand it, everybody has to have the same input to achieve the result. Going forward, it would be the outcome that is important, but the terrorist only has to get through once.
Gaynor McLaughlin: Quite, but one thing terrorists rely on is planning. They do not just turn up and think, “Today’s a nice day. I’ll attack.” They plan in great detail, and one thing that makes it difficult for them to plan is unpredictability. At the moment, we are very predictable in what we do, because we do the same to everybody at every airport. Introducing flexibility and unpredictability will confuse that planning and improve the overall level of security.
Following on from Julie Hilling’s point, potential terrorist attacks involve people who are trained to get through systems. If your checks are based on behaviour, how do you avoid an increased risk of people who would always be checked as part of a blanket check being trained not to show risky behaviour so that they can get through?
Gaynor McLaughlin: Sorry, I was not suggesting that we should check people based only on behaviour; I was using behaviour as an opposite to appearance to say that we should not discriminate. We cannot avoid the fact that there should always be a baseline level of security. How we flex that, we still need to work out.
Just a moment ago, you pretty much took the words out of my mouth. I was about to ask you about the impact of an outcome-focused approach. Obviously, the imperative issue for the Government is that they will not compromise on today’s high levels of security. The reform is about delivering security in a more effective and efficient way. There is a strong case for saying that giving the people who deliver security on the ground more responsibility for how they achieve the outcomes they are set by the regulator could lead to higher levels of security and even more effective means of keeping passengers secure. Do you agree? Do you have any further examples of how we can involve people who actually deliver services on the ground and give them responsibility? That has happened in the area of safety, and it has improved safety levels. Can we expect that to happen with security as well?
Gaynor McLaughlin: I certainly think that we can. We can move towards the more mature approach that the CAA takes on aviation safety, which did not come about overnight; it took a while to achieve. That involves a relationship based on mutual trust between the regulator and the operators—certainly with the airlines. That will take time to develop on aviation security. If we move towards that approach, where the onus is on the operator to demonstrate that they are meeting the outcomes, we will improve things. At the moment, we have this checklist-based approach; it is very tick box and almost about finding the trivia. It is too close to the subject, and it is not looking at the overall security aim and whether it is achieved.
One of the complaints about the current system from some airport operators is that it does not enable them to deliver security in as passenger-friendly a way as they would like. It would be useful if you could share with us how you think an outcome-based approach might address that concern about the way the rules work.
Finally, I would like your view on the degree of engagement between the Government and the various sectors of industry, in terms of taking forward the reform in the Bill and the wider outcome-focused reform that we have been talking about.
Ricky Fiander: We have certainly responded to a pre-consultation document and a consultation document, so we are quite comfortable moving forward. We have got statistics and figures in there. We have already started moving down this line, because again, one of things that I believe an outcome-focused, risk-based solution does is enable companies to approach it how they want, rather than being prescriptive—in fairness, most responsible companies already do that. A lot of the measures, checks and balances are already in place. In terms of pulling them together in a security management system, I do not see that being very onerous at all. We are a long way towards reaching that already.
Ricky, perhaps you can help me out. At Heathrow and Gatwick, what proportion of flights is freight-related at those dominant airports?
Ricky Fiander: I could not give you an exact answer. In our company, we use up to 160 flights a day. Those are commercial airliners, but they are fairly small amounts of cargo, representing only about 7% of the cargo that we send out. The vast majority of what we send is on our own cargo aircraft, flying out of East Midlands airport.
Okay. Is there tension between the competing needs and capacity, particularly at those dominant airports, and between freight and passenger travel as well?
One role of the legislation would be to allow the CAA to have more flexible conditions about how it sets prices, for example, at those dominant airports. Does that introduce risk into your business? Is it something that you view fundamentally as a good or bad thing?