Perform Risk Analysis to Meet Oversight Compliance Expectations

It hardly needs to be said that performing risk analysis in aviation safety management systems (SMS) is absolutely essential. There are many opportunities in the aviation SMS' risk management processes for safety professionals and operational department heads to determine whether the potential consequences of conducting operations in the presence of hazards remain either:

• acceptable; or
• acceptable with additional mitigation strategies applied; or
• unacceptable, requiring operations to cease.

However, performing an accurate risk analysis is not easy. Safety professionals constantly operate in theaters where complete access to information is lacking.

Related Risk Analysis Articles

• What Is Process for Risk Analysis in Aviation SMS
• Top Charts and Tools to Help With Risk Analysis in Aviation SMS
• Everything You Need to Know About Risk Analysis in Aviation SMS

Assuring Validity of Risk Analysis in Aviation Operations

Many factors can easily confound the validity of a risk analysis. For one, risk analysis needs to comply with the expectations of your oversight agency, which can sometimes feel like putting a round peg in a square hole. Moreover, real-world situations are messy, and breaking them down into a logical analysis is an imprecise art due to the lack of complete information.

A perfect illustration of how real-world messiness and oversight expectations collide is this all too common scenario:

• You are inspected by two different aviation safety auditors in a short amount of time;
• One auditor is satisfied with the outcomes of your risk analysis activities; and
• The other auditor hits you with a finding (or concern) for those same outcomes.

These above points imply that performing risk analysis is a two-part process:

• Knowing how to reduce messy, real-life safety issues into clearly identifiable parts; and
• Ensuring that these “identifiable parts” are the kind that oversight agencies will agree with.

The key word here is that risk analysis is a process, with multiple activities. Here are 5 steps needed to perform the risk analysis process.

1 - Know Compliance Expectations Are for Risk Analysis Outcomes

As already touched upon, knowing what kind of outcomes your oversight agency expects from your aviation SMS risk management processes is the very first thing you need to understand. It will influence every risk analysis activity you perform.

However, risk analysis is no less messy for oversight agencies than it is for you. They have the guidance material that they need to interpret and then assess whether or not your risk management activities are coherent and aligned with expectations. As shown, this can be confusing for aviation service providers who:

• Receive an “all good” from one auditor; and
• A finding or concern from another auditor.

This seems like an inescapable paradox

The silver lining that allows you to perform a risk analysis with some freedom is that if you know the aviation SMS's objectives and requirements, you can make a logical, data-based argument for your analysis findings. As long as you can show that you know what you’re doing (and it makes sense based on the available data) then you should have a little problem with audit findings in the risk analysis department.

Related Risk Analysis Articles

• Difference Between Hazard Risk Assessment and Hazard Risk Analysis
• 5 Core Rules for Risk Analysis in Aviation SMS
• FAA Part 5 Compliance | Safety Risk Management Risk Analysis Requirement

2 - Data Mine for Similar Issues

Once a safety issue is reported, the formal risk management process begins. The safety team will need to perform a risk analysis on the underlying issue. At this point, an important question is, “How much analysis needs to be done?” Not all issues are created equal. An experienced safety manager should intuitively understand how critical an issue is.

To fully assess how severe an issue is, the first thing a manager might do is search for similar issues to the current issue. To do this, having an aviation safety database is a major advantage. You can search for similar issues with “keywords” in the title or conduct a quick analysis based on how the safety issue was classified.

For example, if a runway incursion is reported, you might search for runway incursions and evaluate:

• The trend in risk assessments;
• Past findings for similar hazards, root causes, etc.;
• Effectiveness of implemented risk controls designed to mitigate the risk; and
• How those issues were analyzed and treated.

Reviewing historical data for similar issues and developing trends should clarify “what hazards you’re dealing with,” as well as learn what kinds of classifications and risk management activities you may be expected to treat the issue.

3 - Perform Initial Risk Assessment

After data mining and reviewing the facts of the current issue, you will need to perform an initial risk assessment to know "what you're dealing with." An initial risk assessment is very important for a couple of reasons:

• It will be the deciding factor as to whether the issue falls within the Acceptable Level of Safety range;
• It will inform what risk analysis steps you will take next; and
• It will be your litmus test for how effective risk analysis efforts (and subsequent management) are.

The standard in the aviation industry, and safety management systems in general, is to perform a risk assessment using a risk matrix. A risk matrix is a risk management tool that provides safety professionals with an intuitive approach to calculating and communicating risk associated with a particular scenario. Risk matrices have an "x" and "y" axis that denote gradients of increasing "probability" and "severity."

These assessments evaluate the overall risk of an issue based on likelihood and severity.

• The higher the risk, the more in-depth analysis needed; and
• The lower the risk, the less complex analysis is needed.

Your company should have different ways of dealing with high and low-risk issues, such as with different risk analysis models.

Related Aviation SMS Risk Matrix Articles

• What Is a Risk Matrix and Risk Assessment in Aviation SMS
• How to Create Your Risk Matrix for Risk Assessments in Aviation SMS
• How to Define Severity and Likelihood Criteria on Your Risk Matrix

4 - Choose Risk Analysis Model and Understand Risk

Risk analysis models are frameworks used to understand a safety issue. These models help break down and organize safety issues into logical parts. You might also call them risk analysis tools or methods. The three most important elements of models for your aviation SMS are:

• Be consistent by choosing a model(s) and using it for all relevant safety issues;
• Use different risk analysis models for high and low-risk issues; and
• Document all activities with your model, including your findings and how you made those findings.

Some common risk analysis models are:

• Bowtie analysis;
• SMS Shortfalls analysis;
• Fishbone diagrams; and
• Decision trees.

The Five Risk Analysis Outcomes

There are other risk management models of course, but these are some of the most widely used ones. Many organizations will create their own model to use, such as a custom investigatory process. What's important is that your model establishes and organizes these five things:

1. The primary hazard, sometimes called a Risk Event or Top Event, as well as secondary hazards;
2. The root causes of the issue, also sometimes called threats;
3. Role of human factors in mitigating/increasing exposure;
4. Role of control measures in mitigating/increasing exposure; and
5. Mechanisms that brought issue from causes >> hazard/top event >> consequences.

Each model has its own way of organizing the safety issue into these outcomes, but every analysis activity should have these 5 outcomes.

Related Aviation Risk Management Articles

• Difference Between Reactive, Predictive and Proactive Risk Management in Aviation SMS
• What Is the Process of Risk Management in Aviation SMS
• 3 Main Components of Aviation Risk Management

5 - Classify Issue and Review

Based on findings from your risk model, you can classify the issue based on:

• Type of issue;
• Associated Hazard(s);
• Root causes;
• Human factors; and
• Other relevant classifications such as parts, vendors, policies, etc.

Creating and assigning classifications becomes an important part of the risk analysis process. Classifications, when properly used, allow safety professionals and operational department heads to compare the current issue with historical issues that share common elements.

• Are your findings consistent?
• Are there classifications that seem out of place? (indicating that this issue has some new element or the risk analysis was misguided)
• Are there too few/many classifications?

Long story short, classifications summarize and organize your risk analysis activities. Issues should be classified with great care and consideration, as they will also be used for future reference and data mining. The effectiveness of your predictive risk management activities will depend on your aviation SMS' data management capabilities.

Having tools to easily classify safety issues will reap many benefits in both the short term and the long term. When your aviation SMS has sufficient data to predict the types of events your operations can expect as well as the severity of these "expected safety events," then you know that your SMS has finally matured. This is where you want to be.

Final Thought: Follow-Up Activities for Managing Risk

Once analysis actions have been performed, common follow-up activities are:

• Creation of corrective-preventative actions;
• If warranted, conduct investigation and follow-up review (validation);
• Generating reports of safety issue; and
• Drafting and publishing lessons learned.

Some resources that may greatly aid you in your risk analysis efforts are the following free content.

Last updated April 2024.