How Do You Practice Due Diligence
Without questions, the biggest concern of top safety managers should be how due diligence is practiced.
Due diligence involves ensuring that:
- The SMS is functioning as designed;
- There is evidence and data to justify decisions; and
- Risks are actively being controlled.
An SMS is implemented to, ideally, ensure due diligence of operational safety. You should be concerned with how your SMS is helping you practice due diligence, such as:
- How are you documenting your system processes?
- How are you gathering data?
- How are you mitigating safety concerns?
- How are you collecting evidence that safety concerns are being mitigated?
- How do you define safety performance?
There are other questions like this, but knowing how you practice due diligence is a matter of having detailed knowledge of how your SMS enacts safety oversite.
Evidence That Risks Are Being Controlled
Most safety programs place utmost emphasis on safety metrics as proof that risks are being controlled. In reality, metrics are poor proof that risks are being controlled. Perhaps your organization has been lucky, and your metrics do not reflect actual performance. Perhaps metrics are conflated to reflect better than actual performance.
Evidence that risk are being controlled involves having:
- Concrete examples of events that involved specific risks; and
- Tangible proof that risk controls helped mitigate the event.
So, while metrics help provide a rough sketch of performance, real evidence for risk controls involves having a handful examples of exemplary safety events that show how your safety controls respond to safety events. These examples should reflect what your metrics indicate as well.
In other words, the importance of metrics is to provide a loose indication of performance and add additional support for empirical evidence of how the program is performing.
Evidence That Proves Effectiveness of Crucial Systems
Crucial systems are systems in your safety management system that are very important for mitigating risk. Do you know what the crucial systems in your organization are?
One reason why many providers won’t be able to answer this, or will not have a good answer for it, are because they are not clear on points like:
- What is a system?
- What makes a system “crucial”?
- What makes a system effective/ineffective?
First of all, a system is simply a logical, separate part or “entity” within the overall scope of your company that includes things like:
- Its own set of procedures, tasks, etc.
- Its own set of requirements, roles, personnel; and
- Its own set of risk controls, identified hazards, and identified risks.
Your company will have many systems. For example, an airline might have systems for: Flight Ops; Ground Ops; Maintenance; and so on. Each of these are separate, distinct entities within the airline. Knowing this, crucial systems are parts of a system that have the most direct bearing on risk level.
Evidence that proves the effectiveness of these systems is evidence such as:
- Paper trail that proves that systems function in practice as they are designed;
- Empirical evidence that risks are being controlled; and
- Metrics that reinforce empirical evidence.
How Your Organization Defines “Normal”
Having a strong understanding of what “normal” means in your operations is critical. Being able to distinguish “normal” from “abnormal” is an intimate part of understanding:
- What an Acceptable Level of Safety is in your organization;
- What are identified hazards and other concerns; and
- What proper safety behavior looks like in your organization.
You should include as much documentation as is effective for reinforcing what is normal and expected in your organization.
Actual Practice vs. Expectations of Process
When organizations are audited or come under legal fire, one of the main areas of interrogation is always how closely the paper trail matches what was actually supposed to happen given the design of the system.
Where organizations get into trouble is where what actually happened does not match what was supposed to happen, as outlines in process/procedures.
When performing self-audits, it is absolutely crucial that you evaluate how closely your SMS design and actual safety operations align.
Understand Real Purpose of Risk Assessments
Risk assessments are not used as the sole justification for making safety decisions. This is a common misconception.
The purpose of a risk assessment is:
- An internal tool for prioritizing safety concerns; and
- A way of understanding whether or not a concerns falls within Acceptable Level of Safety.
In other words, safety decisions should be justified with tangible things within your safety operations, such as a risk already being properly controlled, and NOT simply in response to a risk assessment.
The difference is subtle but profound. Consider the following scenario during an audit, whereby a hazard occurred and an auditor is drilling you about why you didn’t take further action for the hazard previously:
- (Bad) “Because our risk assessment indicated that the hazard was within an acceptable level of safety the last time we reviewed it”
- (Better) “Because in three previous incidents risk control X successfully prevented this hazard from actually occurring, giving us every indication that the risk control was working as designed”
The takeaway here is that risk assessments are an internal tool to be justified – not as a justification tool for making decisions.