Is it possible to determine the true risk landscape of your organisation? Ask safety managers this question and their answer may well be: “Of course we can as we have a risk register that indicates all known hazards and they have been mitigated to an acceptable level.” However, is this a true picture of the total risk faced at a corporate level and have all hazards been identified? Are there any latent issues lurking in the background just waiting to manifest as something more serious?
Additionally, is it possible to collate risk registers from all departments into a meaningful risk metric that can be used by the C suite to make informed risk-based decisions? Equally, have all types of risk been evaluated e.g. What are the financial or reputational risks faced by the organisation or, has there been a disproportionate number of controls / mitigations implemented that are having a detrimental effect on your limited resources?
Such questions are asked frequently in the financial sector but are something of a ‘thorny’ subject in the aviation industry. Risk is a state of uncertainty surrounding the consequences and likelihood of a hazard resulting in an incident. This has troubled the industry for quite a long time and various working groups have tried to provide a reliable methodology for the assessment of risk.
Risk Assessment Considerations
Most operators now use risk matrices of various descriptions to make a numeric assessment of each identified hazard in terms of its potential consequence and likelihood. The most common of these is the 5 by 5 matrix as shown below:
This matrix provides a numerical value that can be attached to any risk and which, over time, can be easily re-assessed.
Consistency of risk assessment
However, consistency of assessment is key which means that staff training is essential to ensure that the same criteria is used throughout the organisation. Issues will arise if individuals apply different interpretations. This can, in part, be addressed by the provision of suitable definitions as shown below:
Whatever method is used, and training provided, it is important that definitions remain consistent so that the risk trends can be monitored over time.
Changes in the overall risk picture are perhaps the most important items because they form a vital element of the assurance process. The actual value of risk (as taken from the matrix) is not that useful because it is highly subjective. Whilst it will indicate where a risk has potential to escalate into a serious incident and where immediate management action is required, it only provides a relative and single context risk. For example, seasonality has an enormous impact upon the likelihood of a passenger being injured by slipping on the dispersal. Risk is scenario based and all assessments need to consider not just a single event but also include other variables i.e. season, location etc.
Risk as a variable term
With the above in mind, it might be more realistic to present risk as a variable term depending on the scenario in which it manifests. For example, windshear events are more likely to occur in the winter months due to inclement weather conditions. By using a seasonal factor, the effects of changing risk due to windshear will be smoothed over the year, and reflect the fact that crews are not flying differently, but the environment has altered. Thus, if a sudden increase in a particular event type is noted, it should not cause management alarm because it has already been factored into the risk picture.
In all risk picture situations assessment should also take into account the knock-on effects of mitigations as they may impact upon an organisation’ financial, reputational or environmental risk rating. In short, risk is not confined to the overall safety of flight category but is an organisation-wide issue.
Aggregation of Risk
Considering the many sources of hazards and the number of risk assessments that will need to be accomplished, coupled with scenario-based risk assessments across multiple departments, the development of a true corporate risk landscape is very difficult. In effect, there is a need to evaluate the safety, financial, reputational and environmental risks and then factor them all for scenario variations throughout the year.
On top of this we need to combine all of these disparate assessments across all the departments in order to obtain our corporate risk landscape. In addition, there is a need to monitor the implementation and efficacy of the controls that have been implemented to mitigate risks to an acceptable level as part of our assurance processes.
A simple risk register that contains perhaps 1000 risk assessments will not achieve this task with any degree of effectiveness. The answer is possibly in the use of software and the design of a useable and consistent metric that can be formulated to present the true corporate risk picture in a manner that allows senior management to make defensible risk-based safety decisions.
Look out for the next risk management blog in which we will discuss how risk aggregation can be utilised in an effective manner.