AVIATION

Part 1: Unpredictable and

Malicious Threats
 on...

DISRUPTION
MANAGING STRATEGIC RISK
IN AVIATION

Part 1: Unpredictable and

Malicious Threats
 su
es
pr
rd s
wa pres
Deloitte on... Disruption | Managing Strategic Risk in Aviation | 3

wn
consequences of hard-to-identify, high-impact threats
evolving economic conditions and shifting consumer

more confidently evaluate the organization’s capacity

do ard ss
challenges, and a marketplace that continues to be

that can erode strategic value. Or present new and

understand the true nature of these risks, they can

re•
compelling opportunities. Once airline executives
That’s enough to keep most leaders busy without
All airlines face a distinct set of business risks and

w
Not all Risks are Equal

reshaped by new entrants, state-owned carriers,

e
su wn pr
es o
considering the disruption and the potential

pr re•d ard s
rd su nw pres
wa res ow d
wn rd p d
re• nwa
r
es
do a su pr
re• w es w
ard
es
su wn pr •do
pr e •do ard s ure w nw pres
r w es
rd su wn pr •do ard
wa res ure
to respond to them.

wn rd p • do a rd s nw pres
do a s ure nw p res do
w
rd
re• nw es ow e • a
preferences.

su r rd su
r w es
es ow dp re•
d wa es wn pr
pr re•
d
wa
r
ssu o wn pr e •do ard s
rd su n re • d rd u r nw es
wa res do
w
rd
p
ure nw
a
res
s
ow pr
wn p • a s s w p • d d
do ard ure nw p re do rd re a r s
re• w es
s w e • a s u w es
su wn pr •do ard su
r nw res wn pr
pr
es d o rd re nw re s ow p •do a rd
re
• wa ssu ow p e•d ard ure n w pr
es
ard su wn pr
e • d ward ssur wnw ress ow rd
nw pres •d
o
ard re
wn pr
e
•do
p
re•
d a
re w es
su o e rd u nw res
ard su wn pr •d ard su
r wa es
s ow rd p
nw res do rd re nw res wn pr re•d a
p • wa ssu ow p •do ard su nw es
ard re e d e s w pr
su wn pr e•
d
wa
r
su
r nw pre •do rd
nw res do rd r n e s w d re wa ess
p
re
• wa ssu o w pr •do a r su n
pr
ard su wn pr
e •d ard su
re nw pres do
w
rd
nw pres •d
o
ard re
nw res •do
w
ure
•
wa
su ard es
ard su
re nw pres •dow p
ard ssu
r e w e s s wn rd pr
nw res ow e wn pr do
p •d ard s u r nw p re
• do a rd re• nwa ess
ard s ure w nw p res • d ow a rd s ure nw e ssu ow pr
nw res do rd ure nw res ow d pr re•
d
ard s
p
re
• wa es
s ow dp • d a r
ssu nw pres
ard su n pr e • d war re w
pr
e w
nw pres ow
ard sur
su wn do rd
•d wn res do ard re• wa ssu
ard re w es o p •
nw s u wn pre
su wn pr •d rd ure es
nw res do rd u re wa e s s ow p r •do rd
p • a s s n p r • d rd re a su
ard re
wn
w e o w e a s u w es
su pr •d ard su
r nw res wn pr
nw pres • do ard u re nw res ow dp •do ard
e w s w p • d a r re w su
ard sur wn res •d
o
ard re nw ssu wn es
nw pres do rd
p
re w ssu dow d pre e•do pr
d e• wa su wn pre r ard
Not all Risks are Equal Not all Risks are Equal

Whether executives are concerned about potential hacking What’s more, the emerging nature, complexity, and sources
and security breaches, insider actions from bad actors of risk demonstrate that not all risks are created equal.
bent on wreaking havoc, or supply-chain or third-party
disruptions, one fact remains clear: aviation’s risk wheel That’s why traditional, broad-based risk management
is turning, and the way airlines manage and mitigate risk strategies must be reconsidered to devise a more strategic
needs to evolve, too. perspective that is industry-centric, cost-effective, and
targeted. Done correctly, a well-articulated risk management
Historically, the aviation
Airline Industry Key Financials1 approach, based on return on investment and supported
industry has done a by a proactive infrastructure, can be a winning differentiator
$18.7B Total Profits
phenomenal job of for airlines. To be effective, this modern approach to risk
managing operational risk management should be a high priority on the C-suite
$2.51% Profit Margin
by keeping a sharp focus on agenda and be driven top-down.
$5.65 Profit per
Passenger
safety and security. Traveler
confidence in air travel
remains high. But the risk postures facing the airline industry
today have changed rapidly, and in several dimensions.

4 | Deloitte on... Disruption | Managing Strategic Risk in Aviation Deloitte on... Disruption | Managing Strategic Risk in Aviation | 5
Not all Risks are Equal Not all Risks are Equal

This report—the first in a series

from Deloitte Advisory that
specifically highlights aviation
risk—begins the dialogue by
discussing unpredictable and
malicious threats facing airlines
today. Future reports in the series
will explore the disruptive effect
of changing global demographics
and evolving business models,
the impact of changing airline
regulations, and how war gaming
can be leveraged to better
prepare for uncertainty.

6 | Deloitte on... Disruption | Managing Strategic Risk in Aviation

High-Impact Threats
Unpredictable and Malicious Acts

Running an airline requires many human and

technical touch points, leaving airlines especially
vulnerable to bad actors with intent to do harm.
These bad actors can embed themselves in the
normal flow of business operations, both locally
or across vast integrated systems and processes.

Deloitte on... Disruption | Managing Strategic Risk in Aviation | 9

High-Impact Threats
Let’s take a look at three areas of unpredictable and
malicious threats, all of which can potentially inflict damage
on the airline industry:
1. Cyber incidents and data breaches
2. Insider threats and the risk from within
3. Supply chain disruption (third-party and vendor threats)
Mitigating these threats requires a significant investment
in risk sensing and control technology, processes, and
protocols. But when constrained by limited resources, how
does an executive team choose how much to invest in each
area? And how can executives better predict and address
threat scenarios?
How vulnerable are you to cyber theft and data
breaches?
The airline industry is overflowing with data and often-
interlocking data sets, including passenger data—which
extends from booking to handling baggage to soliciting
post-flight feedback—and operational data—which ranges
from aircraft sensors to weather agencies to GPS systems.
New digital aircraft (also called e-enabled aircraft), which
are now rolling off the production lines, allow carriers to
leverage connected devices to increase efficiency along
10 | Deloitte on... Disruption | Managing Strategic Risk in Aviation
High-Impact Threats
the supply chain, from optimizing flight performance to
managing drink orders. Not only do aircraft engines now
allow for remote monitoring and use-based billing models,
the biometrics of every passenger soon may be collected,
stored, ranked, analyzed, and repackaged to increase
profitability. This data can help form the backbone of a
company’s growth, efficiency, and business performance.
A
T
D
A
!
Yet with lots of data comes lots of risk. From reservations to
maintenance to flight management, commercial aviation
depends on secure information technology systems.
Recent events demand that security professionals treat the
possibility of hacking into a live flight management system
not as a question of “if,” but “when.” As the nature, scope and
timing of such events become less predictable, passengers’
concerns over privacy and safety likely will increase.
Deloitte on... Disruption | Managing Strategic Risk in Aviation | 11
High-Impact Threats
Therefore, when evaluating future technology investments,
airline industry security professionals and executives should
consider all forms of cyber security threats that inevitably
come with such innovation. From this vantage point,
they will be better prepared to incorporate risk mitigation
strategies early in the planning and design cycle.
“It won’t happen here”
These are four of the most dangerous words that
management can utter. Insider threats by employees,
contractors, or vendors can result in potentially serious harm
to an organization’s staff, customers, information, material,
or facilities. Airline insiders may engage in a range of acts
that include workplace violence, exfiltration of information,
physical security compromise, sabotage, terrorism, and
physical property theft—all of which can challenge an
airline’s core mission and viability.
Identifying anomalies where insider threats may emerge
requires a comprehensive data-driven, real-time monitoring
capability. Such monitoring needs to look at the virtual
and non-virtual business space, as well as the critical roles
employees play across an airline’s operations. When used
proactively and configured properly, sense and control
12 | Deloitte on... Disruption | Managing Strategic Risk in Aviation
High-Impact Threats
mechanisms can identify potential insider threats early and
interrupt what might develop into a malicious act.
Digital data–including video and access-device data–can
be used to detect some insider threat activities, as well as
help identify which employees may be at risk of committing
or abetting an insider attack. However, data analysis and
detection cannot do it all. Sensible detection solutions
combine data collection and analysis with a significant level
of human attention. This analysis and associated response
must be better coordinated across increasingly complex
operations and systems.
To effectively manage potential threats triggered by
malevolent insiders, airlines should prioritize the ones that
are likely to have the greatest impact on their business
strategy or competitive advantage without preconceived
notions of their likelihood of occurrence.
Equal-opportunity malevolence
Insiders are not the only potential bad actors. Outsourcing
key services and personnel requires that airline executives
lessen the potential for insider threats through a
comprehensive and holistic threat program.
Deloitte on... Disruption | Managing Strategic Risk in Aviation | 13
High-Impact Threats High-Impact Threats

Supply-related threats will remain front-and-center as long

as airlines procure critical products and services from third-
party vendors. While third-party baggage handling, check-
in, catering, cleaning, maintenance, fueling, and regional
flying services offer operational efficiencies that lower costs,
outsourcing can increase the risk of supply-chain disruption.
This makes it imperative that third-party risk management
and due diligence activities receive the appropriate level of
management attention.

Traditional approaches to managing third-party risks—

typically spot audits and routine inspections—may no
longer be adequate. Augmenting these activities with data-
centric continuous monitoring of key supply-chain activities
can help stave off potential disruptions. For example, the
use of forward-looking, event-tree analysis techniques can
help identify breakdowns in existing control measures and
improve the airlines’ and vendors’ collaborative oversight.

14 | Deloitte on... Disruption | Managing Strategic Risk in Aviation Deloitte on... Disruption | Managing Strategic Risk in Aviation | 15
High-Impact Threats

Business is soaring. Why worry now?

Following years of sustained downward pressure on margins,
the US airline industry has finally sloughed off the effects
of the Great Recession, which can be seen in rebounding
revenue, higher load factors, expanding disposable income,
loosening business travel budgets, and lower oil prices.
Between 2009 and 2014, US domestic airline revenue
increased by a 3.6 percent compound annual growth rate
(CAGR), while jet fuel prices are trading at their lowest level
in nearly six years. 2

Many believe that, at least in the near term, the industry

will continue to prosper thanks to continuing economic
growth in the US, consolidation, and management’s focus on
running more efficient operations.

So, what’s the key to maintaining competitive advantage?

Implementing innovative, effective, and efficient risk
management techniques and strategies.

Our relatively stable business climate presents a good time

to invest and to consider intelligent risk taking for future
growth. This is the time for forward-thinking airlines to create
a competitive advantage by implementing thoughtful
strategies to mitigate known and unknown future risks.

16 | Deloitte on... Disruption | Managing Strategic Risk in Aviation Deloitte on... Disruption | Managing Strategic Risk in Aviation | 19
High-Impact Threats
View risk through a lens — not a rear-view mirror
The aviation industry’s future continues to be reshaped by
new competitors such as ultra-low-cost passenger carriers,
and state-owned carriers coupled with evolving industry
structures and evolving economic conditions. Customer
preferences are shifting, demographics are changing, and
the industry is facing technology-driven supply-chain
disruption.
In the past, organizations have relied on efforts to combine
disparate risk programs into an “enterprise” view of risk with
varying degrees of success. Risk management organizations
have a tendency to look in the rear-view mirror—
often failing to consider disruption and the potential
consequences of hard-to-identify risks and emerging threats
that can either erode strategic value or, conversely, present
new revenue opportunities.
Given the significant costs invested by airlines to manage
risk (e.g., life cycle management and insurance), a more
targeted and forward-looking approach toward identifying
strategic risk drivers that consider the unique nature of the
industry should be considered, developed, and deployed. An
18 | Deloitte on... Disruption | Managing Strategic Risk in Aviation
High-Impact Threats
approach that not only requires sensing mechanisms that
prepare for surprises, but an integrated program that gives
executive leadership a broader view of latent risks that may
have been buried or stored in silos within the organization.
The thin ice of disruptive environments
With cyber threats and insider and third-party malevolence
posing greater risks, executive teams should advocate for
more proactive assessment of and response to unpredictable
and malicious threats. Traditional risk management
approaches rarely focus on unknown and emerging events
that do not conform to existing assumptions and safeguards
(what one might call simply surprises or black swan events).
The potential consequences of “unknown unknowns” are
major disruptions in business operations and future growth.
Airlines can prepare for disruptive events by moving beyond
traditional probability-based risk management approaches
and toward innovative and integrated models. These
models rely heavily on forward-looking analyses of threat
intelligence, as well as simulation of various plausible events
that test the organization’s ability to detect, mitigate, quickly
recover, and learn from such events.
Deloitte on... Disruption | Managing Strategic Risk in Aviation | 19
 Strategic Risk
Capability –
Getting It Right
So far in this report, we have highlighted the
challenge of detecting cyber intrusions, spotting
bad actors and uncovering supplier threats. These
are three highly vivid examples of a larger class
of less visible potential surprises that executive
leadership needs to be able to scan and prepare
for in order to improve the resiliency of the
business.

22 | Deloitte on... Disruption Managing Strategic Risk in Aviation Deloitte on... Disruption | Managing Strategic Risk in Aviation | 21
Strategic Risk Capability – Getting It Right
As airlines seek to modernize their risk management
programs, they should address the fundamental risks
that threaten the long-term viability of the enterprise by
embracing the tenets of strategic risk capability. This involves
understanding, in an integrated, programmatic way, the
interconnectedness or interdependency of a risk, the speed
of onset of the risk event, the level of preparedness to detect
and manage the risk, and building capabilities to navigate
these emerging malicious threats with greater confidence.
Quantifying and simulating various risk scenarios add
important dimensions to strategic risk capability.
Even if the majority of established or emerging airlines are
doing everything right by traditional standards, strategic risks
can still surprise. The challenge facing many airlines now is
how to anticipate, adapt, make decisions, and change course
in the face of these ever-evolving threats.
But there is an upside, too. Spotted early and handled well,
strategic risks can point the way to game-changing moves
that reorder the playing field.
22 | Deloitte on... Disruption | Managing Strategic Risk in Aviation
Strategic Risk Capability – Getting It Right
When is strategic risk capability most effective?
The most successful airlines will recognize that unpredictable
events will inevitably reshape their businesses. They will
understand the value of implementing strategic risk
management, applying fresh thinking, and leveraging expert
partners at the appropriate organizational level. Finally, their
strategic risk programs will:
• Align strategic objectives, intent, and risk measures
• Gain an enterprise view that resonates across the
organization
• Implement governance and oversight that link into the
board
• Understand that risks are internal and external—and that
blind spots and biases can hinder insights
• Make use of simulation techniques that look for
disruptions from unexpected places
• Maintain active and ongoing data gathering, analytics,
and visualization
• “Connect the dots” that lead to better decision making
Deloitte on... Disruption | Managing Strategic Risk in Aviation | 23
Focus • Recognize • Detect • Growth • Breach • Risk • Cost •
Threats • Hacking • Supply Chain • Focus • Recognize • Detect
• Growth • Breach • Risk • Cost • Threats • Hacking • Supply
Chain• Focus • Recognize • Detect • Growth • Breach • Risk •
Cost • Threats • Hacking • Supply Chain • Focus • Recognize
• Detect • Growth • Breach • Risk • Cost • Threats • Hacking •
Supply Chain • Focus • Recognize
ZOOM
DIGITAL • Detect • Growth • Breach
Final Thoughts:
14-
• Risk • Cost • Threats • Hacking • Supply 42m Chain• • Focus •
Recognize • Detect • Growth • Breach • Risk • Cost
m
1: • Threats •
Benefits of Adopting
Hacking • Supply Chain• • Focus • Recognize • Detect • Growth Strategic Risk Capability

3,
5-
• Breach • Risk • Cost • Threats • Hacking • Supply Chain• • Focus

5,
A

in Aviation

6
ER

• Recognize • Detect • Growth • Breach • Risk • Cost • Threats •

CAM

Hacking • Supply Chain• • Focus • Recognize • Detect • Growth

• Breach • Risk • Cost • Threats • Hacking • Supply Chain• • Focus Not all risks are created equal, and not all threats have the

67mm
• Recognize • Detect • Growth • Breach • Risk • Cost • Threats •
Hacking • Supply Chain• • Focus • Recognize • Detect • Growth
• Breach • Risk • Cost • Threats • Hacking • Supply Chain• • Focus
• Recognize • Detect • Growth • Breach • Risk • Cost • Threats •
Hacking • Supply Chain• • Focus • Recognize • Detect • Growth
• Breach • Risk • Cost
28F • Threats • Hacking • Supply Chain• • Focus
-14
M actions, and supply chain disruptions. Furthermore, through
• Recognize • Detect • Growth • Breach • Risk • Cost • Threats •
Hacking • Supply Chain• • Focus • Recognize • Detect • Growth
• Breach • Risk • Cost • Threats • Hacking • Supply Chain• •
Focus • Recognize • Detect • Growth • Breach • Risk • Cost •
Threats • Hacking • Supply Chain• • Focus • Recognize • Detect •
Growth • Breach • Risk • Cost • Threats • Hacking • Supply Chain
• Focus • Recognize • Detect • Growth • Breach • Risk • Cost •
same capacity to debilitate a business. By adopting strategic
risk capability, the aviation industry can focus the risk lens
on a broader range of new and emerging threats and
opportunities. Strategic risk capability can provide better
early sensing and response mechanisms that allow airlines to
get in front of malicious and unexpected threats, specifically
in the areas of hacking and security breaches, insider
simulations that test the organization’s ability to detect,
mitigate, quickly recover, and learn from risk events, strategic
risk capability can reduce the realization of threats that could
otherwise bring down the enterprise. Ultimately, the goal of
strategic risk capability is to protect and enhance the airline’s
reputation, brand, and future growth potential.
Deloitte on... Disruption | Managing Strategic Risk in Aviation | 25

Threats • Hacking • Supply Chain • Focus • Recognize • Detect •

Growth • Breach • Risk • Cost • Threats • Hacking • Supply Chain•
Want more?

1
Zack’s Investment Research, “Airline Industry Stock Outlook 2014”,
Interested? Join the conversation. http://wwwzacks.com/commentary/31988/airline-industry-stock-outlook-april 2014.

2
U.S. Energy Information Administration, Independent Statistics & Analysis. Jet fuel
prices refer to U.S. Gulf Coast Kerosene-Type Jet Fuel Spot Price FOB
(Dollars per Gallon). http://www.eia.gov/dnav/pet/hist/LeafHandler.ashx?n=PET&s=EER_
EPJK_PF4_RGC_DPG&f=M Graper, Prema Mirwani (US - Arlington) <pgraper@deloitte.com>
In person
LORI WARD
ACKNOWLEDGEMENTS
Deloitte Advisory Principal
The following individuals have contributed to this paper:
Deloitte & Touche LLP
Don Dixon, Prema Graper, Jonathan Holdowsky, Shane
+1 214 840 7188
Negangard, and Elton Parker.
loriward@deloitte.com

ANDREW BLAU
Deloitte Advisory Managing Director,
Strategic Risk
Deloitte & Touche LLP
+1 415 932 5416 As used in this document, “Deloitte Advisory” means Deloitte & Touche LLP, which provides
audit and enterprise risk services; Deloitte Financial Advisory Services LLP, which provides
ablau@deloitte.com
forensic, dispute, and other consulting services; and its affiliate, Deloitte Transactions and
Business Analytics LLP, which provides a wide range of advisory and analytics services. Deloitte
Online Transactions and Business Analytics LLP is not a certified public accounting firm. These entities
are separate subsidiaries of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed
Twitter: Follow us @DeloitteRisks description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be
#strategicrisk available to attest clients under the rules and regulations of public accounting.
#disruption
This publication contains general information only and Deloitte is not, by means of this
#airlinestrategicrisk publication, rendering accounting, business, financial, investment, legal, tax, or other professional
advice or services. This publication is not a substitute for such professional advice or services,
nor should it be used as a basis for any decision or action that may affect your business. Before
making any decision or taking any action that may affect your business, you should consult a
qualified professional advisor.

Deloitte shall not be responsible for any loss sustained by any person who relies on
this publication.

Copyright © 2015 Deloitte Development LLC. All rights reserved.

26 | Deloitte on... Disruption | Managing Strategic Risk in Aviation Member of Deloitte Touche Tohmatsu Limited