Why Evaluate and Justify Risk Controls in Aviation SMS
If there is one thing all aviation compliance authority guidelines (including ICAO) agree upon, it’s that your aviation safety mitigation controls need to be thoroughly analyzed BEFORE you implement them.
Safety mitigation controls are the bedrock of your risk mitigation strategy.
Safety mitigation controls are also commonly called:
- Control measures;
- Risk control measures;
- Safety control measures; and
- Corrective preventative actions, or CPAs.
While you might argue for one definition over others, for the purpose of this article we will simply say that all of these terms mean:
- Something in your company that helps reduce a risk(s); and
- Measures you take to reduce risk(s) in your company.
Either way, these terms refer to mitigating a problem. During issue management when you identify a problem, you need to figure out how to fix it. When you decide upon a solution, you MUST thoroughly review your intended plan to ensure that it will be viable and performant once implemented. A best practice is document that you have reviewed viability and document your justifications.
Here are six ways to evaluate and justify a risk control in aviation SMS.
What is Effectiveness of Risk Control
The effectiveness of a risk control is only one thing to take into account when evaluating and justifying a safety mitigation strategy.
- How well the control reduces risk;
- Whether or not the control brings risk into an Acceptable Level of Safety; and
- How it compares to other plausible controls in reducing risk.
You want to make sure that your control:
- Reduces risk to an ALoS; and
- Is at least on par or better than other alternatives in effectiveness.
It is a good practice to perform a hypothetical risk assessment on the issue in the scenario of this control already being implemented to prove that it is effective.
What is the Cost/Benefit of Risk Control
Every risk control you implement will have certain benefits and costs. They costs can be literal or figurative. Proposed risk control strategies should have benefits that outweigh the costs. It is a good practice to actually document these costs and benefits to prove that it provides more benefits than costs to your SMS.
For example, consider this hypothetical list of cost and benefits of implementing a new hazard reporting system to improve hazard reporting.
- More hazard reports;
- Better data from reports;
- More metadata from reports;
- Custom hazard reporting forms; and
- Better confidential reporting system.
- Retrain employees on new system time;
- Retrain employees on new system costs;
- Some resistance to change;
- Purchase new system costs.
When looking at this list, you can then provide a summary statement of:
- WHY the benefits outweigh the costs; or
- WHY the costs outweigh the benefits.
How Practical is the Risk Control
Hopefully, practicality is a pretty easy thing to access. Mostly, when analyzing practicality you should be looking for a control’s practicality in term of:
- Financial resources – does it make sense to implement and maintain given your budget?
- Available technology – is the control feasible given technological constraints in your company?
- Cultural climate – is this control something your organization will accept?
- Regulations – is there existing or foreseeable regulation that may conflict with this control?
The list goes on. You should have established means and questions for deciding how practical the control is.
How Acceptable is the Control Measure
In this case, “Acceptable” refers to your stakeholder. This is another way of saying, will this control conflict with existing norms? This kind of bleeds into “How practical is your risk control,” but is important enough to be require a separate evaluation and justification.
The long and short is that if you expect considerable resistance from stakeholders, the control likely is not acceptable. Ideally, you want a control that works well given your existing operations and safety culture.
Resource: Aviation Safety Culture Quiz
What is the Residual Risk Factor
Residual risk is simply risk that is left over once the control is implemented. In reality, this is just a complicated way of asking you to assess:
- Does your control completely mitigate the problem (to ALoS); or
- Are additional controls needed to bring the problem within ALoS?
Sometimes, one risk control by itself may be okay, but will perform substantially better in conjunction with another control.
Are there Any Unintended Consequences
Lastly, you need to evaluate whether or not the control will introduce any other hazards or risks into your operations. If implementing a new control will suddenly introduce two new risks, it doesn’t make a lot of sense to fix one risk and introduce two new ones.
It’s good to perform some predictive analysis activities on your risk control to assess whether or not new risks will be introduced.