Element 2.2 of ICAO’s requirements is for you to develop and maintain a process to:
While just one requirement, ICAO provides quite a bit of guidance on what this process should look like. There are many considerations in this step, and while ICAO doesn’t explicitly say, “Do it this way,” they provide a lot of meaningful guidance on what a best practice would look like.
In other words, you don’t HAVE to do it as ICAO recommends, but you would probably benefit from creating an assessment/mitigation process that is on par with their guidance recommendations.
Let’s go through each of ICAO’s safety risk assessment and mitigation recommendations.
First, ICAO gives an overview of what your assessment/mitigation process should look like from start to finish if the assessment of the issue is found to be tolerable – i.e. “acceptable.”:
This part of the process should be fairly simple. Just ensure that you have:
So long as you have a mechanism to do this, you should be within compliance for acceptable assessments.
Then ICAO moves on to consider if assessments indicate a problem that is not “tolerable” or “acceptable.” The important considerations are:
If risks cannot be mitigated, applicable operations should not continue. This is risk elimination through total avoidance of activity. If the risk can be eliminated completely, then you will take action to mitigate it.
It’s good to document that these questions are considered during your risk assessment process. For example, you might actually document your answer to these questions!
ICAO briefly points out what a risk assessment actually is:
It’s good that ICAO points out exactly what they mean by “risk assessment” because it gives you a benchmark for ensuring that what you are assessing is in line with what ICAO expects you to consider.
This leads to their recommendation that you use a risk matrix to capture this assessment. You could document a risk assessment via some other tool, but it's an industry standard to use a risk matrix.
Next, ICAO outlines how a risk matrix should be used:
It’s enough information to figure out:
This section provides guidance on how you should use your assessments. ICAO’s guidance is fairly limited here:
Basically, this is simply ICAO saying that once you assess, the next step is to create needed corrective actions (i.e., risk mitigation strategy).
ICAO outlines what three strategies your corrective actions can have. Implemented strategies should have at least one of the following goals:
The point of this guidance is to make it clear that your CPAs need to have a clear, specific goal(s). As a good practice, you might even use the keywords bolded when documenting the purpose/goal of specific CPAs.
ICAO specifically states that before a risk mitigation strategy is implemented, you need to evaluate it with specific criteria. These criteria are your justifications for why your strategy is a worthwhile way to mitigate risk. The purpose is to ensure that you don’t waste time implementing low-quality risk controls.
ICAO says that you should evaluate the control from EACH of the following perspectives:
A good example is implanting a new runway monitoring software, which may be very effective, with many benefits, is available (practical) within budget, but will introduce many other unexpected consequences.
This is kind of a weird section of guidance regarding assessment and monitoring, as it doesn’t seem to offer any actual guidance. What they seem to be getting at is that you have some means of getting feedback on risk control performance for mitigating risk.
To put it simply, ICAO seems to be mandating that you can actually monitor the effectiveness of your implemented control.
Finally, ICAO points out what hopefully is a rather obvious fact: document your risk controls! These documented risk controls should be:
You can document these controls/reviews/approvals in an aviation safety management software, point solution, or spreadsheet.
Last updated March 2024.