Risk management is embedded into strategic decision-making and resource allocation within CATSA, thereby allowing the organization to make informed decisions at the corporate and operational levels.
CATSA manages its corporate risks through an Enterprise Risk Management (ERM) framework, and maintains a comprehensive overview of its risk profile, including descriptions of key operational and financial risks, risk ratings as measured by likelihood and impact of risk occurrence, and risk mitigation strategies.
CATSA’s overall risk attitude is conservative and flexible.
Conservative: The organization generally focuses effort more heavily on the active management of medium, medium-high and high risk and the acceptance of low risk.
Flexible: As a public sector organization, fully dependent on public funds to deliver a security mandate, CATSA’s environment is significantly influenced by two key partners, namely Transport Canada and the Government of Canada. From a risk management perspective, the nature of CATSA’s environment requires flexibility and discretion in the application of risk attitude.
CATSA’s Risk Profile as at September 2024
Mandated services risk
Detection capabilities and maintaining care and control of screening checkpoints
Due to the evolving nature of the aviation security threat environment, there is a risk that CATSA may not have the technology, threat and risk information, processes or human factor capability to detect all high-risk threat items or new and emerging threats and prevent screening circumventions at screening checkpoints. This may result in substantial consequences to the public and the aviation system.
Risk mitigation
CATSA monitors the effectiveness of operational programs through testing, oversight programs and performance measurement. Trials are conducted to determine if results demonstrate improved detection capability. The organization also ensures that it remains aligned with Transport Canada regulations, and any aviation security equivalency requirements stemming from national and international counterparts.
Capacity risk
Adequacy of government funding
There is a risk that the organization's funding envelope may be insufficient due to cost increases, new requirements and/or government cost cutting initiatives.
Risk mitigation
CATSA works closely with Transport Canada and Central Agencies to ensure adequate funding throughout the planning period. CATSA also conducts ongoing financial risk management, budgeting and forecasting activities, and requests supplemental funding as required.
Resource availability
There is a risk that resources may be insufficient or unavailable to achieve organizational goals while supporting a healthy work environment.
Risk mitigation
The organization is focused on activities and programs related to employee attraction, retention, engagement as well as succession planning. CATSA monitors employee satisfaction through regular touchpoint surveys as well as exit surveys, vacancy levels, and attrition rates.
Service delivery through third-party risk
Legal and illegal labour disruption
Given CATSA’s third party service provider model, there is a risk that CATSA may have limited influence to prevent a legal labour disruption event or to maintain service levels during an illegal labour disruption event initiated by the unionized screening officer workforce. Labour disruptions may result in longer wait times, increased passenger complaints and harm to CATSA’s reputation.
Dependence on outsourced screening services, equipment maintenance services or major suppliers
Due to a contractor no longer being able or willing to provide the agreed upon contracted services or goods, there is a risk that CATSA's dependence on outsourced screening services, equipment maintenance services, or major suppliers may result in negative service delivery impacts.
Risk mitigation
CATSA monitors labour market conditions in all its regions to identify potential labour disruption events. The organization also monitors and addresses any impacts to its supply chain and has contractual terms and conditions that provide recourse should a contractor become unable to provide the agreed-upon services.
Partner relations risk
Reputational risk
There is a risk that CATSA may encounter events that it is not able to manage effectively, which may cause damage to its reputation with travellers and/or partners, resulting in loss of public trust in CATSA and/or confidence in air transportation security.
Risk mitigation
CATSA provides proactive and timely communications with passengers and partners to address potential wait-time service level and other operational issues. Regular passenger surveys are conducted to gauge and improve the passenger experience. Regular engagements with Transport Canada and aviation industry partners occur to discuss various issues that may impact the aviation industry.
Information technology risk
Cyber attacks on IT infrastructure
Due to the evolving nature of the cyber threat environment, there is a risk that cyber threats and/or attacks may negatively impact CATSA's IT infrastructure and/or compromise organizationally sensitive or secret information resulting in a loss of public confidence and potential damage to CATSA's reputation.
Risk mitigation
CATSA continues to strengthen its cyber security posture with ongoing improvements to IT infrastructure and processes.