What is Risk Assessment in SMS
Risk Assessment in SMS programs are how you qualify, quantify, and rank exposure for reported safety issues. Risk assessments are absolutely central to decision making in airport SMS programs and airline SMS programs, as all actions performed on the safety issue depend on the initial and recurring risk assessments.
These assessments account for exposure by documenting:
- A number that corresponds to the Probability of negative outcomes;
- A letter that corresponds to the Severity of most likely negative outcomes; and
- A composite that combines probability and severity.
Risk assessments are generally performed by the responsible safety manger, but depending on the organization, they might be performed by:
- Safety team;
- Safety committee; or
- Subject matter expert.
Risk assessments will be performed initially, on issue closure, and during issue review. Issues may also be reassessed at various stages of issue management. Risk assessments are accounted for with risk matrices.
Here are the steps you need to take to assess safety issues in SMS programs.
1 - Understand What a Risk Matrix Is
A risk matrix is a grid used to document the probability/severity in a risk assessment. Here are the most important details about risk matrices:
- Usually in a 5x5 grid, though it can be larger or smaller by 1;
- Generally organized by colors (usually three), with some colors representing ALoS and some colors representing unacceptable level of safety:
- Green equals low risk;
- Yellow equals medium risk;
- Red equals high risk; and
- Some organizations will add additional gradients to further distinguish the level of exposure, such as orange, and light/dark red.
- Each level of probability and severity will have specific, identifiable markers for what constitute that level; and
- Selecting the appropriate severity/probability results in the composite – such as 5C, 2B, etc. – that ranks exposure for an issue.
Defining the identifiable markers for a given level of probability and a given level of severity is critical for a consistent/proper use of a risk matrix, as well as defining ALoS in your organization.
2 - Define Probability in Risk Matrix
Defining probability for a risk matrix means looking at each level of probability, such as probabilities 1 2 3 4 5, and listing the marker of each level. Markers can mean either:
- Frequency, such as 1/1000 operations; or
- Likelihood, such as, “Has happened in company in last year.”
Here’s something extremely important to note – when we are talking about Probability, we are talking about:
- Probability OF the hazard occurrence.
To assign a probability to a safety concern, you need to first identify the hazard.
3 - Define Severity in Risk Matrix
Defining Severity is the same process as defining Probability. You move through each level of severity, such as A B C D E, and indicate the markers of that represent a given level of severity.
Importantly, whereas Probability accounts for the likelihood or frequency of the hazard occurrence, Severity accounts for the:
- Severity OF the most likely risk occurrence outcomes of the Hazard.
In other words, given a hazard, what is the severity of likely outcomes.
For example, markers for a level 2 severity may be:
- Minor injury to one person; OR
- Minor degradation to current mission; OR
- Minor effect on local environment; OR
- Less than 100k in damages.
Any safety issue’s risk occurrence that falls into the above categories likely deserves a level 2 severity, unless there is an element of the safety issue that falls into a higher category.
4 - Define What Acceptable Level of Safety Is
Once you have defined Probability and Severity, you should be able to consistently perform risk assessments with strong justification for your assessment. You will define an Acceptable Level of Safety in the following way:
- Acceptable: any assessment composite (number/letter combo) or color that IS considered an acceptable level of exposure; and
- Unacceptable: any assessment composite (number/letter combo) or color that is NOT considered an acceptable level of exposure.
Defining an Acceptable Level of Safety simply involves documenting what is an acceptable risk assessment, and what is not. Once you have defined ALoS, you will know which process to follow for managing a safety issue, given its risk assessment.
5 - Analyze Safety Issue to Gather Details
Probability, Severity, and ALoS documentation out of the way, you can start to assess safety issues in SMS programs. This is a two-part process that begins with gathering data through analyzing the current safety issue.
There are many data analysis tools that you can use to establish all the facts you need to establish a probability and severity for the safety issue:
- Bowtie analysis;
- Fishbone diagrams;
- Decision trees;
- SMS Shortfall Analysis.
There are more tools than this, but basically you are looking for the following outcomes:
- What the hazard is;
- What the primary risk occurrence(s) is;
- What the root causes are;
- Any applicable locations, Human Factors; and
- Other applicable facts concerning effects/damages/consequences on operational environment, history of similar issues, etc.
Risk analysis is purely a discovery phase. Once you have all the facts, you can easily assess safety issues in SMS programs.
Assign Probability and Severity, and Document
To assess safety issues in SMS programs, you simply need to document a Probability/Severity of the issue. You will do this initially, on issue closure, on issue review, and perhaps during the issue management process (between initial/closing assessments).
With your facts you acquired during the analysis process, first review each level of severity and decide which severity level markers best match your current issue. Then repeat the process for probability.
Now you have your assessment. Make sure these numbers are stored in an easy to find place, where you can perform data mining. Having a pool of documented risk assessments are extremely valuable for monitoring SMS performance.
To see a top quality process for performing risk assessments, and all of the data mining and performance monitoring you can do with risk assessments, see the following demo videos: