What is ICAO’s Requirement for Risk Assessment and Mitigation
Element 2.2 of ICAO’s requirements is for you to develop and maintain a process to:
- Analyze risk;
- Assess risk; and
- Control risk.
While just one requirement, ICAO provides quite a bit of guidance on what this process should look like. There are many considerations in this step, and while ICAO doesn’t explicitly say, “Do it this way,” they provide a lot of meaningful guidance on what a best practice would look like.
In other words, you don’t HAVE to do it like ICAO recommends, but you would probably benefit from creating an assessment/mitigation process that is on par with their guidance recommendations.
Let’s go through each of ICAO’s safety risk assessment and mitigation recommendations.
(5.3.53) The Assessment and Mitigation Process
First, ICAO gives an overview of what your assessment/mitigation process should look like from start to finish if the assessment of the issue is found to be tolerable – i.e. “acceptable.”:
- Identify hazards and associated risks;
- Assess identified problem with likelihood/severity;
- (acceptable assessment) Let operations continue, and document that assessment is approved and appropriate.
This part of the process should be fairly simple. Just ensure that you have:
- Ability to document acceptability; and
- Ability to document assessments.
So long as you have a mechanism to do this, you should be within compliance for acceptable assessments.
(5.3.54) Important Concerns of Intolerable Risks
Then ICAO move on to what consider if assessments indicate a problem that is not “tolerable” or “acceptable.” The important consideration are:
- Can the risk be eliminated completely?
- Can the risk be reduced to a tolerable level?
If risks cannot be mitigated, applicable operations should not continue. This is risk elimination through total avoidance of activity. If the risk can be eliminated completely, then you will take action to mitigate it.
It’s good to document that these questions are considered during your risk assessment process. For example, you might actually document your answer to these questions!
(5.3.55) What is Risk Assessment
ICAO briefly points out what a risk assessment actually is:
- Severity of most likely outcome; and
- Probability that this most likely outcome will occur if the hazard occurs.
It’s good that ICAO points out exactly what they mean by “risk assessment” because it gives you a benchmark for ensuring that what you are assessing is in line with ICAO expects you to consider.
This leads into their recommendation that you use a risk matrix to capture this assessment. You could document a risk assessment via some other tool, but its an industry standard to use a risk matrix.
(5.3.56) How to Use Risk Matrix
Next ICAO outlines how a risk matrix should be used:
- The purpose of risk matrix is to categorize risk (rank it);
- You can customize your risk matrix; and
- Items in the yellow and red zone of the matrix should be considered unacceptable and therefore mitigated.
It’s enough information to figure out:
- Why you use a risk matrix;
- What you can do with it; and
- How you should use your matrix (the goal, namely to rank risk and identify acceptability).
(5.3.57) How to Use Risk Assessment
This section provides guidance on how you should use your assessments. ICAO’s guidance is fairly limited here:
- Implement mitigation measures (where needed).
Basically, this is simply ICAO saying that once you assess, the next step is to create needed corrective actions (i.e., risk mitigation strategy).
(5.3.58) How to Adopt Risk Mitigation Strategy
ICAO outlines what three strategies your corrective actions can have. Implemented strategies should have at least one of the following goals:
- Avoid the risk by suspending activities that cannot be mitigated tolerability;
- Reduce the risk with new/updated risk controls; and
- Separate the hazard from the risk(s).
The point of this guidance is to make it clear that your CPAs need to have a clear, specific goal(s). As a good practice, you might even use the keywords bolded when documenting the purpose/goal of specific CPAs.
(5.3.59) Signs of Effective Risk Control Strategy
ICAO specifically states that before a risk mitigation strategy is implemented, you need to evaluate it with specific criteria. These criteria are your justifications for why your strategy is a worthwhile way to mitigate risk. The purpose is to ensure that you don’t waste time implementing low quality risk controls.
ICAO says that you should evaluate the control from EACH of the following perspectives:
- Effectiveness in reducing risk vs alternative controls;
- Cost/Benefit of implementing this strategy (benefits should outweigh costs);
- How practical it is to implement and maintain this strategy given available technology, financial resources, regulation, etc.;
- How acceptable will this control be to employees and other stakeholders given existing norms;
- Residual risk that will remain after this risk control is implemented – i.e., will this control need additional controls to remain effective?
- Consequences of new hazard/risks being introduced by this control.
A good example is implanting a new runway monitoring software, which may be very effective, with many benefits, is available (practical) within budget, but will introduce many other unexpected consequences.
(5.3.60) Ensure Risk Control Strategy Will be Monitored
This is kind of a weird section of guidance regarding assessment and monitoring, as it doesn’t seem to offer any actual guidance. What they seem to be getting at is that you have some means of getting feedback on risk control performance for mitigating risk.
To put it simply, ICAO seems to be mandating that you can actually monitor the effectiveness of your implemented control.
(5.3.61) Document Risk Mitigation
Finally, ICAO points out what hopefully is a rather obvious fact: document your risk controls! These documented risk controls should be:
- Approved; and
- Signed off my approving managers.
You can document these controls/review/approvals in an aviation safety management software, point solution, or spreadsheet.