What is a Risk Assessment
Airport SMS programs and Airline SMS programs need use a formal process for ranking various risks. Risk assessments satisfy this need and, based on your Acceptable Level of Safety policy, allow you to know which actions to take next on the issue you are assessing.
The risk assessment process in aviation SMS starts with discovery, which usually happens via:
- Hazard identification and reporting;
- SMS audit;
- Safety inspections;
- Trend analysis;
- Safety cases;
- Change management; and
- Other types of safety reviews.
Once reported, aviation safety managers will assess the risk in terms of the following:
- Probability of most likely negative outcome actually happening; and
- Severity of most likely negative outcomes.
Probability and severity should take into account existing risk controls. Based on the risk assessment, managers will know whether or not the safety concern is acceptable. If the issue is not acceptable, further mitigation actions will be needed.
When to Assess Risk
A common practice is to perform risk assessments in the following way:
- Initial risk assessment, to establish whether or not the issue is acceptable;
- (If issue was not acceptable) Reassessment after each corrective action is completed;
- Closing risk assessment after all corrective actions are completed and the issue is ready to close; and
- Review reassessment when the issue is being reviewed/audited at a later date.
How to Assess Using Risk Matrix
A risk matrix is an aviation industry standard grid used to perform risk assessments. Using this grid allows you to:
- Have consistent criteria for performing risk assessments;
- Rank risks;
- Use a consistent process for performing risk assessments; and
- Have user friendly guidance for delegating risk assessments to less experience employees.
The elements of a risk matrix are:
- Usually in a 5x5 grid, though it can be larger or smaller by 1;
- Generally organized by colors (usually three) to indicate Acceptable Level of Safety;
- Specific criteria for each level of severity;
- Specific criteria for each level of probability; and
- A composite for the chosen combination of severity/likelihood – such as 5C, 2B, etc. – that ranks exposure for an issue.
For a full details about risk matrix, refer to our article about what is a risk matrix and how to use it for risk assessments.
How to Perform Initial Risk Assessment
What is an initial risk assessment: once you identify a safety issue (i.e., “discover”) through hazard identification, audit, inspection, etc., the first thing you need to do is perform an initial risk assessment. In an initial risk assessment, you should:
- Take into account existing risk controls and how they affect risk;
- Take into account any existing examples of this issue in your company or in the industry; and
- Try to understand the context of this issue, and whether or not this issue is part of a current trend.
Purpose of initial risk assessment: the main questions you are trying to answer with an initial risk assessment are:
- Is this issue acceptable without any further actions? or
- Are corrective actions required to make this issue acceptable?
What to do after initial risk assessment: if the risk assessment result indicates that the issue is acceptable, you can perform whatever classification or investigatory actions necessary on the issue and then performing a closing assessment. Otherwise, it’s a good idea to perform one or more reassessments as you implement corrective actions.
When and How to Reassess Risk
What is reassessing risk: if your initial risk assessment found that the issue was outside of an acceptable level of safety, you will need to implement one or more corrective actions such as additional risk controls.
We recommend that for each corrective action, you reassess risk once the action is completed. This will help you:
- Save time and resources by avoiding implementing irrelevant or extraneous controls; and
- Understand the impact of each risk control on the issue’s risk level.
Purpose of reassessing risk: the main questions you are trying to answer when reassessing risk are:
- At what point does the issue become acceptable when implementing corrective actions? and
- How does each new control positively affect risk?
What to do after initial risk assessment: after reassessing risk, you might continue to reassess risk for each additional corrective action. Once all corrective actions are implemented, you should performing closing actions on the issue and then perform a closing risk assessment.
How and Why to Perform Closing Risk Assessment
What is a closing risk assessment: a closing risk assessment is your final assessment of an issue. It should take into account all risk controls, whether they already existed or you just implemented them with corrective actions.
Purpose of a closing risk assessment: the main point of a closing risk assessment is to document that:
- Your issue is within an acceptable level of safety; and
- No further actions are required.
What to do after a closing risk assessment: after a closing risk assessment, you may or may not reassess the issue at a later date commiserate with your issue review/validation schedule (Review reassessment). Often, issues that needed new controls should enter your review/validation schedule. Very low risk issues usually are not included in issue review schedules.
What is Review Risk Assessment Risk During Issue Review
What is a review risk reassessment: each time you review an issue during your standard issue review/validation process, you should perform another risk assessment.
Purpose of reassessing risk during issue review: the main purpose of these assessments are to ensure that:
- Implemented risk controls are still functioning as designed; and
- The issue is still within an acceptable level.
What to do after review reassessment: each time you review an issue, you should review assess it so long as the issue remains on your issue validation schedule. Once an issue is taken off of your review schedule, no further assessments are required.