Perform Risk Analysis to Meet Oversight Compliance Expectations
It hardly need be said that performing risk analysis in aviation SMS programs is absolutely essential. However, performing quality risk analysis is not easy. For one, risk analysis needs to comply with expectations of the oversight agency, which can sometimes feel like putting a round peg in a square hole. Moreover, real-world situations are messy, and breaking them down into a logical analysis is an imprecise art.
A perfect illustration of how real-world messiness and oversight expectations collide is this all-too-common scenario:
- You are inspected by two different aviation safety auditors in a short amount of time;
- One auditor is satisfied with the outcomes of your risk analysis activities; and
- The other auditor hits you with a finding (or concern) for those same outcomes.
The implication of these points is that performing risk analysis is a two-part process:
- Knowing how to reduce messy, real life safety issues into clearly identifiable parts; and
- Ensuring that these “identifiable parts” are the kind that oversight agencies will agree with.
The key word here is process: risk analysis is a process with multiple activities. Here are 5 steps needed to perform the risk analysis process.
1 - Know What Compliance Expectations Are for Risk Analysis Outcomes
As already touched upon, knowing what kind of outcomes your oversight agency wants is the very first thing you need to understand. It will inform every risk analysis activity you perform.
However, risk analysis is no less messy for oversight agencies than it is for you. They have their guidance material that they need to interpret and then assess whether or not your activities align. As shown, this can be confusing for aviation service providers who:
- Receive an “all good” from one auditor; and
- A finding or concern from another auditor.
This seems like an inescapable paradox.
The silver lining that allows you to perform risk analysis with some freedom is that if you know the SMS requirements, you can make an argument for your analysis findings. As long as you can show that you know what you’re doing (and it makes sense) then you should have little problem with findings in the risk analysis department.
2 - Data Mine for Similar Issues
Once a safety issue is reported, you will need to perform risk analysis on it. At this point, an important question is, “How much analysis needs to be done?” Not all issues are created equal. An experienced safety manager should intuitively understand how critical an issue is.
To fully assess how severe an issue is, the first thing a manager might do is search for similar issues to the current issue. To do this, having an aviation safety database is a major advantage. You can search for similar issues with “key words” in the title.
For example, if a runway incursion is reported, you might search for runway incursions and evaluate:
- The trend in risk assessments;
- Past findings for hazards, root causes, etc.; and
- How those issues were analyzed.
Reviewing past data for similar issues should clarify “what you’re dealing with,” as well as what kinds of classifications and activities to expect.
3 - Perform Initial Risk Assessment
After data mining and reviewing the facts of the current issue, you will need to perform an initial risk assessment to know "what you're dealing with." An initial risk assessment is very important for a couple of reasons:
- It will be the deciding factor as to whether or not the issue falls within the Acceptable Level of Safety range;
- It will inform what risk analysis steps you will take next; and
- It will be your litmus test for how effective risk analysis efforts (and subsequent management) are.
The standard in the aviation industry, and safety management systems in general, is to perform a risk assessment with a risk matrix. These assessments evaluate the overall risk of an issue based on likelihood and severity.
- The higher the risk, the more in-depth the analysis needed; and
- The lower the risk, the less complex the analysis needed.
Your company should have different ways of dealing with high and low risk issues, such as with different risk analysis models.
4 - Choose Risk Analysis Model and Understand Risk
Risk analysis models are frameworks used to understand a safety issue. These models help break down and organize safety issues into logical parts. You might also call them risk analysis tools or methods. The three most important elements of models for your aviation SMS program are:
- Be consistent by choosing a model(s) and using it for all relevant safety issues;
- Use different risk analysis models for high and low risk issues; and
- Document all activities with your model, including your findings and how you made those findings.
Some common risk analysis models are:
There are other models of course, but these are some of the most widely used ones. Many organizations will create their own model to use, such as a custom investigatory process. What is important is that your model establishes and organizes 5 things:
- The primary hazard, sometimes called a Risk Event or Top Event, as well as secondary hazards;
- The root causes of the issue, also sometimes called threats;
- The role of human factors in mitigating/increasing exposure;
- The role of control measures in mitigating/increasing exposure; and
- The mechanisms that brought the issue from causes >> hazard/top event >> consequences.
Each model has its own way of organizing the safety issue into these outcomes, but every analysis activity should have these 5 outcomes.
5 - Classify Issue and Review
Based on findings from your risk model, you can classify the issue based on:
- Type of issue;
- Root causes;
- Human factors; and
- Other relevant classifications such as parts, vendors, policies, etc.
Creating classifications is an important part of risk analysis because it allows you to compare the current issue with similar past issues:
- Are your findings consistent?
- Are there classifications that seem out of place? (indicating that this issue has some new element or that risk analysis was misguided)
- Are there too few/many classifications?
Long story short, classifications summarize and organize your risk analysis activities. Issues should be classified with great care and consideration, as they will also be used for future reference and data mining.
Final Thought: Follow Up Activities for Managing Risk
Once analysis actions have been performed, common follow-up activities are:
- Creation of corrective-preventative actions;
- Issue investigation and follow-up review (validation);
- Generating reports of the issue; and
- Establishing lessons learned from the issue.