What Is Safety Risk Management
The most important thing safety managers need to understand about Safety Risk Management (SRM) is that it is a process. This process is cyclical and is broken down into several stages.
Different oversight agencies account for these stages differently, but the international themes of SRM are:
- Hazard identification and risk identification;
- Evaluation of the SMS program, such as behavior, bureaucracy, and other safety elements; and
- Hazard mitigation efforts, such as creation of risk controls.
The above elements of SRM get much attention. However, there are other, more subtle elements of SRM that are either skimmed over or overlooked. These sub-components of SRM are extremely important because they determine the quality of your SRM process, and will influence how much “value” you get out of the above-mentioned bullet points.
These sub-elements of SRM are things like:
- Clarifying how your company is defining likelihood and severity;
- Where you draw the line for what risks are acceptable and unacceptable;
- Being able to show what your SRM process looks like; and
- How you will monitor your control measures.
These activities are perhaps the most important activities in Safety Risk Management (SRM), as they strongly influence all SRM operations.
Define Hazard, Risk, Likelihood, and Severity
Quite often, we see disagreement about what likelihood and severity are. This arises because of differing opinions about:
- What hazards and risks are;
- What likelihood is addressing; and
- What severity is addressing.
The most commonly accepted opinions are:
- Hazard: dangerous condition that leads directly to accidents;
- Risks: potential accidents, mishaps, etc.;
- Risk: the overall likelihood/severity of a safety incident;
- Severity: the amount of damages that can occur from likely risks; and
- Likelihood: the probability that these risks will occur.
However, these definitions are not set in stone. Some companies accept hazards as being non-dangerous “things” that can become dangerous, and a risk as the dangerous condition. This definition tends to feel more natural and cause less confusion, but can be at odds with definitions of oversight agencies (such as the FAA).
Based on those definitions, your organization should decide what likelihood and severity are addressing.
Define What Constitutes Likelihood and Severity
Regardless, your organization needs to be crystal clear about what a hazard is and what a risk is. After doing that, you need to:
- Define what constitutes severity, such as how much damage, loss of life, financial loss, etc., for each level of severity; and
- Define what constitutes likelihood, such as how often the hazard/risk has been seen in the company/industry, expectations of happening again with current risk controls, etc., for each level of likelihood.
SMS programs use risk matrices – usually a 5x5 one. Each level of severity and likelihood should have specific “markers.” For example, level 3 severity might be defined by having:
- Major injury;
- < $250k damages;
- Localized environmental effects;
- And so on.
The goal is that based on how you define what constitutes severity/likelihood, you can easily perform risk assessments with each reported safety issue and be:
- Consistent; and
- Inherently justifiable.
Define Acceptable Level of Safety (ALoS)
The Safety Assurance (SA) process and Safety Risk Management (SRM) are intimately connected. When a hazard and/or risk is adequately controlled, it will need to be monitored in the SA process. This sounds straightforward enough; however, “adequately controlled” is a muddy and subjective thing.
By adequately controlled, what we are really talking about is whether the level of risk is “acceptable.” But what is acceptable? Oversight agencies and organizations handle this by requiring the organizations to define what acceptable is, based on the risk assessment.
This makes a lot more sense than making a “case by case” judgment about whether a particular issue is acceptably controlled. Assigning “acceptable” to a level of risk assessment:
- Formally defines what “acceptable” is; and
- Ensures that “acceptable” remains consistent and justifiable.
If your organization isn’t extremely clear about what its ALoS is, you can count on an audit finding against any one of your SRM process elements.
Establish Hazard Identification Process
Where many organizations get their SRM process right is understanding the importance of identifying hazards. Where organizations go astray is not understanding that hazard identification is a process, not just a single activity. This process includes:
- Initial identification of hazards;
- Monitoring those hazards for changes; and
- Monitoring operations for new hazards.
Many different activities will inform this process, such as:
- Issue management;
- Management of change;
- Trend analysis; and
- Data mining.
What’s important is that you understand your hazard identification process well enough to:
- Diagram it;
- Outline it; or
- Clearly explain what activities are used for hazard identification.
Final Thought: Review Your Oversight Agency’s SRM Guidance
Oversight agencies provide guidance on what their expectations are for the SRM process. If this guidance is vague or unclear, review ICAO’s Safety Management Manual for further SRM guidance.
Guidance aside, something we hear over and over is that above anything else, oversight agencies want:
- To see consistent activities;
- Strongly justified decisions; and
- Clear processes.
Published April 2017. Last updated April 2019.