Implementing SMS

Practical Risk Management

Risk management is used systematically to help us identify the threats, exposure of an activity and place the necessary controls for it. Through this process we also balance the benefits and costs (safety management dilemma). Risk management should be applied during the development of a system/ process, but also during the operational use. Risk management is a sustainable way of business conduct, as it minimises and reduces mishaps, preserves assets and safeguards health and welfare, in a proactive manner, prior an irresponsible and wasteful accident. Effective risk management and implementation of controls, requires a strong support by the management and a solid leadership determination. Safety culture is communicated from top down and if the top management is not supportive, safety will only be seen as a burden to the operations.

Application: Risk management is to be applied at every stage; design, operation and whenever there is a change in the system

Procedure: In order to effectively perform the process of risk management, we need a starting point. This point is the awareness of our hazards. Prior to performing a full hazard identification process, we can look into past events and issues, and identify the obvious and already exposed threats of our operations. A list of possible sources for hazards include: brainstorming, hazard reporting, historical data, safety reviews and audits, monitoring of activities, surveys and questionnaires and generally any other mean suitable for understanding the threats of the operation. Then we can proceed with the main steps as described in Risk Management section; that is Identify Hazards, Asses Risk, Analyse Controls, Take Decisions, Implement Actions, Supervise and Review.

General Guidelines:

  • Hazards can be controlled – don’t panic
  • Problems should be kept in perspective – think your own operations and experience
  • Judge based on knowledge, experience, skills, mission requirement etc
  • Encourage participation from other members, departments and experts
  • Establish clear objectives and parameters before initiating the process
  • No best solution exists
  • Start small and tackle an issue at a time
  • Don’t overcomplicate things
  • Use the pareto (80/20) rule (80% of the effects come from 20% of the causes). Tackle the worst causes first (even if they take longer), instead of addressing many small and minor issues
  • Risk management must be simple – practical – consistent

Common Problems encountered and Reactions during Risk Management Implementation:

One of the biggest problems encountered during the risk management process is the availability and validity of data. As the aviation industry is already at a high safety standard, data are not easily found in actual operations. The safety department must look for data from other sources (other operators, common databases), or create data from observations in the simulators or laboratories. An additional problem we then face is suitability of the data, as the conditions, circumstances, nature and environment of each kind of operation cannot be 100% matched (e.g. when planning a new route). The most awkward problem though, is the feasibility of the numbers. The failure rates are so rare that during the risk assessment we almost always end up discussing a catastrophic event! However, this should not be considered wrong and the process should be carried out based on these assumptions. One needs to remember, that some basic numbers (data) are still better than no numbers at all.

Other problems and reactions include:

  • Take decisions and place controls inappropriate for the problem (e.g. change engineering process when more training is adequate)
  • Operators (or operations department) do not like the solution implemented
  • Management dislikes the solution due to high cost, or restriction to other revenue areas (e.g. unable to perform a specific route)
  • Cost is too high
  • Implementation process is overmatched by other priorities, reducing the effectiveness
  • Decision and implemented controls are misunderstood (e.g. extra training seen as incompetence problem)
  • Progress of the implementation and the effectiveness of the controls is not measured
  • Decision and controls are not suitable for the current culture (e.g. reporting being misunderstood, or control seen as pinpointing specific person/ department)

Levels of user involvement during risk management

During the placement of risk controls there are 7 levels of involvement, based on the action taken to implement the control. These levels of user involvement are a very strong indication of the safety culture of the organisation. Ranging from weaker means to the stronger these levels are:

  1. Robot: operators are ordered to apply the risk control
  2. Comment and Feedback: Operators are given the opportunity to express their ideas and comments
  3. Coordination: Operators are allowed to coordinate on an already developed idea and request modifications
  4. Input: Operators are invited to comment and provide their inputs during development and prior implementation of the risk control
  5. Team Member: Operators are invited and are actively engaged as part of the development team
  6. Co-Ownership: Operators share part leadership of the development and implementation team
  7. User Ownership: Operators are empowered to develop the risk control and take appropriate decisions

An important element of an effective risk management is the use of the proper tools. Sustainable safety means a preservation of resources and maximise of their use. Always have in mind the range of cost and try to optimise the gains for each control. During decisions always keep in mind the employees and the productivity. Consideration must be given to business continuation and smooth operation (do not put tight training timeframes or engineering controls that require grounding of the fleet).

Risk management is a closed loop process. The final step is to supervise and review of the progress made. This includes requires a strategy that includes the documentation of the progress, but also importantly the communication of the effectiveness both to the management and to the employees. Therefore, always try to close the loop, even if the targeted results have not yet been attained. Revise and review at a later stage but do not let the loop open for too long.

An effective safety team, will incorporate into the risk management strategy as many automations as possible, using the existing organisation means and infrastructure. These automations would include the communication part of the controls, the corrective actions and also the documentation of the controls. Automated procedures mean better efficiency and less waste of resources.

Finally, a serious issue to be addressed in the risk management process, is the data integration. All the data gathered before, during and after the process, including the hazard identification, controls etc, must be incorporated into the company policies, manuals, procedures and training. This is the proper way for risk management to become a part of the business and not an ad-hoc, alienated and isolated activity.