An FAA inspector general report outlined how Southwest Airlines failed to prioritize safety, and the Federal Aviation Administration (FAA) did not properly conduct oversight of the airline. The report criticizes the agency’s oversight of the carrier as lax, ineffective, and inconsistent, according to a WSJ article.
Beyond Southwest, the findings raise more systemic questions about a central part of the FAA’s oversight approach that depends on data provided by the airlines to make judgements about whether the airlines are compliant with established aviation industry standards. The Southwest case and the Boeing 737 MAX cases appear to illustrate the inherent flaws in this approach.
Twenty years after the Wright Brothers’ first flight, aviation industry leaders recognized that safety standards were needed if the commercial aviation sector was to reach its full potential. They were right, and an early precursor to the FAA was created, along with a series of rules that standardized safety across the sector. Since then, safety regulations continued to evolve, the U.S. aviation sector went several years without a fatality, and reported incidents for most years could be counted on one hand (FAA Accident and Incident Data). As a result, the sector has experienced exponential growth, and most passengers accept the reality that flying is the safest form of transportation available. The U.S. government struck the right balance between regulation and creating the necessary market incentives to enable the sector to prosper.
The sector now faces multiple crises, including the Boeing 737 MAX, the FAA’s role as regulator, and now Southwest. But the fact that the Southwest story is even a story is in part a credit to the existence of uniform safety standards. Based on the report, the troubles at Southwest appear to stem from problems with corporate governance and safety culture.
As highlighted in a note on Boeing, though digital technology is now the most valuable asset an airline has, there is no uniform standard for assessing good or bad management of this asset. Unlike safety, the lack of standards around cyber governance and transparency thereof means there is no basis from which to have a discussion about elevated risks to the company, consumers, or investors until after an event has materialized.
Standard performance metrics on cyber would provide company executives with an understanding of how well or poorly they are managing the risk, just like a safety audit would provide an airline with a clear picture of safety performance. Public disclosure of that assessment—what we term ‘cyber governance transparency’—provides investors, regulators, and the broader market with a similar picture. Without these metrics and transparency, company executives and investors do not have visibility into problems and cannot make the necessary adjustments until it is too late—a significant public breach, potential business disruption, and lasting loss of shareholder value—or, in the case of Boeing, much worse.
In the case of Southwest and the FAA, the shortcomings have become known and adjustments can be made before they result in a significant accident or loss of life, thanks in part to the existence of common safety standards that have kept people much safer, while allowing the industry to grow and prosper. The same is now needed for cybersecurity.