What Is an SMS Risk Control Process?
A risk control process for an aviation safety management system (SMS) entails a series of risk management tasks that are executed whenever:
- Hazards are identified;
- An event has occurred (accident, incident, irregularity); or
- An audit finding is uncovered (internal as well as external audits).
The risk control process offers a step of repeatable tasks to bring risk to ALARP (as low as reasonably practical). These risk management tasks may not always be sequential, meaning that some tasks may be worked on simultaneously or some tasks may have to be repeated.
What follows are some best practices to consider when developing or reviewing your aviation safety management systems risk control processes and optimizing the information flow to the rest of the organization.
Have you read...
- 20 Questions For Your Safety Risk Management Process [With Free Checklists]
- How to Document Your System Processes in Aviation SMS
- How to Implement SRM Process in Aviation SMS [With Free Checklist]
Understanding Structured Aviation SMS Risk Control Processes
Most safety managers that have attended aviation SMS training are familiar with risk control processes. A typical process is similar to the depiction at the right, which is what the U.S. Dept of Transportation uses for training risk management professionals.
This is a very succinct depiction but leaves very little information for aviation safety managers to optimize the information flow resulting from their risk control processes. We will walk through a variant of this model and offer suggestions how safety management professionals can enhance information flow resulting from risk management strategies.
Before we begin, it is important to note that each organization is different and may approach risk management differently. Just as there are many ways to travel to Mexico, the end result or objective remains the same: reduce risk to ALARP.
Now let's start analyzing a typical SMS risk control strategy and look for ways to optimize the information workflow.
1. Collecting Data
If your company still relies on paper-based hazard reporting forms, your aviation SMS program is not optimized for success. To optimize the "Identification" activity noted above, best practices dictate that a hazard reporting form is available to:
- All employees;
- Contractors, vendors or suppliers; and
Paper-based reporting forms assure that there will be NO accountability to safety. Paper-based forms end up in the "black hole," also known as the trash or a dust-covered file cabinet that only one or two people ever see and may open three to six times per year.
Electronic hazard/event reporting can be taken further, to include:
- Email reporting;
- Internal audit findings; and
- External audit findings.
Most electronic hazard reporting solutions today are configurable to send notifications (text messages and/or email) whenever a new hazard has been submitted by stakeholders. Better yet, these notifications should also instruct recipients of the next possible steps regarding the treatment of the reported hazard or event.
2. Analyze Reported Hazards or Events
Once the safety team is aware of the reported event, the next step typically is to perform a risk assessment to determine the impact on the organization.
The impact can be evaluated in relations to:
- The human risk of death, injury or other harm;
- Environmental impact;
- The reputation of the airline or airport; and
- Equipment or assets.
When assessing risk, consider both short term and long term risks.
Now that the risk has been identified, assess the risk. Risks are most commonly assessed by a risk matrix that identifies the probability of the event occurring and severity of the event. If a hazard was reported and there is only the potential of an event occurring, consider realistic scenarios should the hazard manifest itself.
A small percentage of airlines and airports also incorporate "exposure" as the third dimension in performing a risk assessment.
When performing a risk assessment, good database tools are incredibly helpful in logging risk assessments at varying stages of the risk control workflow, including:
- Initial assessment;
- Re-assessment (should additional information require a revision of the initial assessment);
- Closing assessment (once ALARP has been reached); and
- Review assessments (typically six to twelve months after the issue has been closed).
Have you read...
- What Good Hazard Reporting Process Look Like in Real SMS
- How Safety Managers Hurt Their Aviation Hazard Reporting Processes
- 4 Critical Elements of the Aviation Hazard Management Process
3. Prioritize Unsafe Conditions
Once safety managers understand the risk, it may be necessary to implement some short-term corrective actions to mitigate risk to
- equipment, and the
In short, let's put out the fire if it is still burning. Some aviation service providers call their short term corrective actions and preventive actions "initial mitigating actions."
By this point, safety managers have determined which managers are best equipped to deal with the reported issue. These managers are commonly department heads that have authority to assign personnel or direct funds to mitigate the risk. Best practices will assure us that a manager with risk acceptance authority is either the responsible manager or at the bare minimum, the manager must review and accept the risk managed by the implemented corrective and preventive actions.
Modern SMS database programs include email notifications that track when a department head was notified and when the department head acknowledged that he is aware of the situation. A pain point for many aviation SMS solutions is when safety managers must draft lengthy emails to brief department head of the issue details. An optimized risk management process will manage these notifications with only a couple of mouse clicks.
4. Develop Strategies to Manage Long-Term Risk
Now that department heads are in charge of this issue, they will have their own risk management tasks to complete, including:
- Developing short term and long term strategies (corrective/preventive actions or CPAs);
- Approving CPAs (occasionally requiring committee review);
- Assigning responsibility to complete the CPAs; and
- Implementing CPAs.
Most modern aviation risk management solutions that don't rely upon MS Word and MS Excel have excellent features to streamline task management.
Organizations label these tasks in different manners, such as:
- Work orders;
- Corrective Action Reports (CARs);
- Corrective Action Preventive Actions (CAPA);
- Corrective Preventive Actions (CPA); or
- Simply "Tasks."
Optimized risk management processes will include tools that track corrective actions, including:
- Assigned to;
- Due date;
- Status (in progress, closed, overdue); and
- Costs (parts, labor, risk management).
Once all the corrective actions have been implemented, it is time for the safety manager to step in to determine whether ALARP has been reached. In larger airlines and airports, issues are reviewed by a safety committee before being closed.
Regardless of whether an individual safety manager has the authority to close an issue, or the issue must be reviewed by a safety committee, the steps remain the same:
- Review implemented corrective actions;
- Classify issue for future reporting;
- Ensure all relevant investigations are completed and closed;
- Document risk treatment;
- Conduct a final risk assessment to ensure risk is ALARP;
- Close the issue; and
- Set a "next review date" (six to twelve months out).
Trying to remember when to review the issue is a common problem. When safety teams review past issues, they are validating the risk control performance of implemented corrective actions. If you don't have software to remind you of this future task, place the review date in your calendar. The shortcoming here is that when a safety manager either transfers to another job or leaves the company, this issue falls through the cracks.
To optimize this risk control process, we recommend that the risk review process is managed by an automated notification system that is tied to a user's role, and not to their personal account. As you can see, aviation risk management software is required to ensure that risk is continuously monitored.
Most aviation SMS programs today have SMS software to assist in their risk management processes.
Final Thoughts on Aviation SMS Risk Control Processes
As we have seen, there is a workflow or process for managing risk in aviation safety programs. For best results, your risk management processes should be documented and repeatable.
Don't be afraid to change your risk control strategies when they become unwieldy or ineffective. We have seen aviation service providers become slaves to processes that are inefficient or too time-consuming.
Processes fail when they:
- Are not structured;
- Are not enforced in practice;
- Are not communicated (training); or
- Are too complicated.
Aviation SMS programs should be reviewed to ensure your processes are not crippling your operation. One way to do this is to review the organization's SMS implementation. Below are some tools to assist.
Are you wanting to review your risk control processes?
Developing Repeatable Risk Control Processes for Your SMS
Technology benefits us all by providing tools that assure us that our process is repeatable and easily followed. Aviation SMS database software has proven benefits. If your SMS software is not performing to your standards, it may be time to switch horses.
SMS Pro has well-developed and tested workflows that have been developed specifically for the aviation industry. End users and subject matter experts continue to hone processes that will save you time and give your accountable manager the necessary assurance that the SMS is functioning as designed.
In short, aviation SMS database software is key to enforcing your risk control processes. Learn how SMS Pro can help.
Post originally published in August 2015. Last updated November 2018.