Having robust reporting systems and procedures in place is an important part of exposing security threats and risks to the aviation sector, and a positive reporting culture is inseparable from a positive security culture.

But the simple requirement for staff to report incidents of concern is not enough. The type of culture built around your reporting system is crucial to ensure that staff feel encouraged to make a report, are comfortable with how their report will be handled, and understand the role reporting plays in the improvement of security practices. This is all part of establishing a ‘just culture’, where staff are supported to report incidents, and understand that honest mistakes will be free from repercussions.

A ‘just culture’ approach to reporting

A reporting system is a fundamental aspect of your security culture. However, a reporting system that is punitive or retaliatory, will discourage reporting. This may lead to incidents that are covered up and gaps in the security system remaining unplugged. In a ‘just culture’ reporting environment, individuals are not blamed for honest mistakes and the root causes of an incident are investigated and corrected to prevent an incident from reoccurring. A ‘just culture’ focuses on learning from incidents through the sharing of information for the benefit of the entire security system. ‘Just culture’ requires a high level of trust and places the responsibility on senior managers to eliminate fear of punishment when things go wrong.

Implementing a just culture reporting approach:

  • Publicise your ‘just culture’ principles. By making it clear to staff upfront that security reports will be handled in this way, you can establish the trust needed to facilitate effective reporting and eliminate fear that staff may be punished for reporting simple human error.
  • Actively promote security reporting requirements and help staff know exactly what they need to report. Reporting requirements should be set as widely as possible to ensure nothing is missed and that staff have no doubts about whether they should be reporting a potentially significant issue.
  • Make reporting easy and convenient. Staff at all levels of your organisation should have access to the systems or tools to make a security-related incident report. Consider offering a range of reporting methods to maximise the chance a report will be made, whether in person, by phone, email, or a purpose-made reporting form.
  • Consider implementing a reporting education and awareness campaign for your organisation or region to regularly remind staff of their reporting responsibilities and the mechanisms (phone numbers, email addresses) through which they can make reports.
  • Incorporate reporting of security breaches and incidents into your induction training, along with training on the functioning of a ‘just culture’ system, and the roles and responsibilities of all your staff in the reporting process.

Rewards, recognition, and feedback to encourage reporting

While a positive security culture should drive staff to report because it is the right thing to do, it is also important to recognise staff who have gone above and beyond, or whose reporting of a breach or incident has had a positive impact on the security of your organisation and the sector. Small gestures can go a long way to incentivise continued engagement and build positive security culture around this crucial activity. By acknowledging the efforts of staff when they come forward, you can help to reinforce the importance of reporting, and gain greater trust that reports will be handled with confidence and care. Feedback is also crucial. There is an inherent desire from those who report incidents or breaches to know that something has been done with the information provided. A formal feedback loop is an important aspect to encourage ongoing reporting, reassuring staff where possible that they have been listened to, and that action has been taken.

Encourage staff to report security issues or incidents:

  • Implement a formal rewards programme with clear milestones and behaviour expectations linked to security reporting. Rewards do not have to be big, but small tokens to show staff their efforts are appreciated can grow the positive culture around reporting.
  • Recognise staff who have played a key role in reporting a security incident or breach in organisation newsletters or other publications. By dedicating space in internal communications to reporting, you can highlight its importance as well as the value the organisation places on staff who make reports.
  • Establish processes to formally provide feedback to those who have reported security concerns. Even if a follow-on investigation determined that nothing of concern occurred, it is important to feed this back to those who reported it, while communicating gratitude for them highlighting the issue. Where a report has led to a successful security outcome, share this feedback more widely so more staff understand their role to report security concerns and the impact it can have.

Clear and accessible response procedures

No matter the size of your organisation, response procedures are an important aspect of a security system. All staff need to be equipped and empowered to react in the event of a crisis. A crucial part of this is having clear processes and procedures that are accessible for all staff who might have a role in a security response. Response procedures might mean calling emergency services or another authority, and it is important staff are aware of this and know when and how they need to act. Responses should be considered in the short term and long term: immediate response procedures should be clear about what needs to happen to mitigate immediate issues or risks, whereas longer term processes should be used to reflect on a situation and learn valuable lessons for the future.

Have response procedures available:

  • Create an aide-memoire or other convenient means for staff to quickly identify the steps they need to take in an emergency or when responding to a threat. This could take the form of a set of instructions placed on a lanyard or wallet card issued to each employee to allow for easy retrieval and action. This should contain any phone numbers staff may need to call in an emergency, and any other immediate response procedures relevant for your organisation.
  • Review emergency responses to identify any lessons that could help improve procedures in the future. Consider what went wrong in a response to a security incident, and also focus on what went well. Focusing on positive aspects of a response can help to incentivise strong security behaviours, and highlight that security is a positive thing for your organisation.
  • Involve operational staff in any post-response reviews to feed their perspectives into an evaluation and assist them in improving their response next time.
  • Understand the root cause of factors that led to a security breach, incident, or response to identify indicators or warnings that could assist you in anticipating an issue ahead of time in the future.

Contingency planning

Contingency planning is a crucial element of your overall response procedures. Planning should consist of coordinated strategies, procedures, and response initiatives to undertake during and following a security event. Contingency planning provides assurance to staff that plans are in place to respond to a range of emergency scenarios. This level of preparation will be reflected in the overall security culture of the organisation, and the behaviours that your staff adopt. Contingency plans make sure your organisation remains agile to evolving threats, and ready to respond when required.

When writing your contingency plans:

  • Allocate responsibilities to senior staff to develop and implement effective contingency plans for your organisation. Ensure that these contingencies plans are communicated widely and effectively across all staff, so everyone understands their role.
  • Focus contingency plans on a range of realistic scenarios based off your organisation’s threat profile and risk assessments. Ensure the scenarios judged most likely to occur have comprehensive processes and procedures in place to keep personnel safe and secure.
  • Conduct regular practical and tabletop exercises to review and stress-test your contingency plans. Testing plans as comprehensively as possible is important to make sure they can adequately hold up in a realistic setting. Involving staff in your exercises will test their ability to respond to a situation and provide practical experience that can enhance wider security understanding. Ensure staff understand you are testing your processes, not them personally.

Assess your reporting systems and incident response [PDF 92 KB]


Previous page: Staff vigilance Next page: Information security