A Guide to ISO 31000 for Aviation: Developing Effective Safety Risk Management

Noggin

Safety Management

Updated April 10, 2024

Formalizing safety management to maintain compliance, maximize benefits, and harmonize standards

Nowadays, aviation service providers resemble cities in miniature. Like municipalities, they oversee police forces, emergency services, security personnel, parking facilities, and commercial tenants, among other third-party entities. Their statutory responsibilities cover public safety, environmental health and safety, and the protective security of critical infrastructure assets. That’s why airports and airlines face a dizzying number of regulations, doled out by local, state, federal, even international enforcement agencies. Case in point: since 2006 the International Civil Aviation Organization (ICAO) has required the industry to implement formal safety management systems (SMS)[i].

In turn, national regulators have put teeth into those mandates, rightly noting that the SMS is the most effective system for limiting accident rates. For instance, the U.S. Federal Aviation Administration (FAA) has proposed SMS implementation compliance as the price of continued Part 139 certification, a move that would affect aviation service providers (1) classified as small, medium, or large airport hubs according to the national plan of integrated airport systems; (2) identified by Customs and Border Protection as a port of entry, designated international airport, landing rights airport, or user-fee airport; or (3) identified as having more than 100,000 total annual operations[ii].

What do the SMS requirements entail, specifically? Traditional definitions describe a safety management system as a management system for integrating safety activities into everyday business practices. Another way to think of it is that the SMS offers a formal, systematic approach to identifying hazards and controlling risks, such that a formalized policy of proactive hazard mitigation would enhance safety (before an incident happens) and lead to better learnings (should an accident or incident take place)[iii]. To be compliant, an aviation service provider’s SMS must include four core components – safety policy, safety risk management, safety assurance, and safety promotion:

  • Safety policy.
    Formalizes management’s commitment to safety and expresses the organization’s safety philosophy. The safety policy itself should adumbrate the methods and processes the organization will implement in order to reach desired safety outcomes. A typical policy will contain the following commitments by senior leadership: implement and appropriately resource the SMS, ensure continual safety improvement, and make safety the highest priority. Another aspect of safety policy involves the encouragement of employees to report their safety issues without fear of reprisal.

    And of course, written within the larger safety policy should be guidance about the responsibilities of all key personnel, including the Safety Manager. 
  • Safety risk management.
    The fundamental component of SMS (more below).
  • Safety assurance.
    A means to systematically assess how well the organization is meeting its safety objectives. Safety assurance includes the rudiments of an effective audit program, consisting of self- and external auditing, as well as safety oversight.

    The program itself should have developed safety indicators and targets, as well as the ability to monitor adherence to safety policy through self-auditing – these components help validate the overall SMS, with safety performance monitoring, in particular, enabling management to pursue continuous improvements in safety management.

    Further, the Safety or Risk teams should solicit input through a non-punitive safety reporting system. Included in that system will be all available feedback from daily self-inspections, assessments, reports, safety risk analysis, and safety audits. Finally, a key objective of safety assurance is to communicate safety findings to staff and implement mitigation strategies once they are agreed upon.
  • Safety promotion.
    Includes safety training and education, communication, competency, and continuous improvement. Safety training, the responsibility of the Safety Manager, exemplifies management’s commitment to the safety function. Best-practice training programs (always recurrent, never one-and-done) will include a documented process to identify training requirements and a mechanism by which the effectiveness of the program can be measured. What’s more, the training should be job- and site-specific (i.e. fits the needs and complexities of the aviation service provider), combining human and organizational factors, and incorporating the SMS.

    Communication is another key component of safety promotion. Facilities operators and safety managers should broadly disseminate safety goals and procedures. The SMS itself should be readily apparent throughout the operation, with bulletins, briefings, and trainings reinforcing the health of the SMS. Nor should the dissemination of lessons learned (both internal and external) be neglected. Along those lines, staff should be actively encouraged to identify potential safety hazards and propose solutions. 

How Noggin for Aviation supports your Safety Management System, keeps you in compliance

Ensure your airport or airline is safe, secure, and operating smoothly, using the world’s leading platform for integrated safety and security management. Noggin for Aviation provides all the information and tools that you need to effectively manage safety, security, or business continuity, from the smallest incident to a major crisis or emergency.

Specific functionality to support your safety management system includes:

  • Bolsters safety policy. Incorporates methods and processes to implement safety policy. Enables organizations to define their safety management system in the context of their organizational structure. Records safety-related goals and objectives.
  • Improves safety risk management. Supports an integrated Safety Risk Management Module, which follows the ISO 31001 risk management standard with user-defined risks and controls. Includes all types of airside and landside risks. Helps airports to perform a continuous review of all risks and controls across the organization.
  • Ensures safety assurance. Risk and control library that simplifies the identification of new hazards based on industry best practices. Helps aviation service providers to monitor the effectiveness of risk controls.
  • Enables safety promotion. Enables easy communication with all ecosystem partners. Integration with the safety system to promote a positive safety culture. For airlines, specifically, integration with passenger manifests and other information systems to facilitate communication should an incident occur. 

Safety risk management, a key safety management system pillar

Indeed, the SMS is central to maximizing safety benefits. However, simply promoting safety (through the context of the SMS) isn’t enough to maintain compliance. Aviation service providers also have to manage a broad array of strategic and operational risks, including safety and security, environmental, financial, IT, reputational, etc. As the sector changes, those risks will only become more apparent.

And change it will. The sector is set to double in size over the next two decades. The number of employees affiliated with the industry alone will increase from 65 million to nearly 100 million[iv]. The number of passenger and freighter aircraft is also projected to double from 23,000 to 48,000 by 2038[v]. To top it off: in 2018, 4.4 billion people flew; by 2037, 8.2 billion people will be flying[vi].

The aviation industry can’t ensure a safe, secure, and seamless passenger experience, let alone maintain compliance with existing regulations, by simply holding the existing level of safety constant. Instead, aviation service providers must look to a new way to drive operational efficiencies and meet safety KPIs. Any approach must begin with safety risk management, the primary operational component of the SMS. Indeed, the very success of the SMS depends on properly identifying potential hazards and deciding the likelihood of accidents occurring. That’s the essence of safety risk management; so is using information generated through early phases of the safety risk management lifecycle to make informed decisions to mitigate unacceptable risk.

The lifecycle itself spans five phases: describe the system, identify hazards, determine risk, assess and analyze risk, and treat (or control) risk. Here’s what each means: 

  1. Describe the system. Safety risk management isn’t distinct from existing safety functions. In fact, those functions help focus risk management analysis and inform potential mitigation strategies. 
  2. Identify the hazards. In an aviation environment, operations, equipment, people, and procedures can all pose hazards to the system. These hazards must be identified in a systematic way, leaning on existing operational expertise and hazard analysis tools, as well as safety management training and adequate documentation.

    Further, the substance of the identification effort depends on the aviation service provider’s structure and complexity. For instance, smaller airports might only need a single manager to undertake hazard identification, provided that person has the requisite expertise, experience, and training. 
  3. Determine the risk. At this point, identified hazards are documented, in advance of determining their possible severity, i.e. whether the hazard is a risk. 
  4. Assess and analyze the risk. Indeed, that process is constitutive of this phase of the safety risk management lifecycle. As in risk management more broadly, risk, here, is a function of predicted severity and likelihood of occurrence. As such, the risk assessment depends on first independently determining severity (the worst credible potential outcome) and probability. These will likely be subjective or qualitative determinations.

    Once assessed, the risk is analyzed, scored using a matrix of severity and likelihood. Most risk matrices include the following levels: high (or unacceptable level of risk), medium (or acceptable level of risk), and low (or acceptable level of risk without restriction or limitation). Low risk is the target level of risk, since eliminating risk altogether is not always practicable or advisable. 
  5. Treat the risk. The risk matrix determines the priority in which risks are treated. High risk items must be dealt with first. Here, typical risk management activities include avoidance, assumption, control, or transfer. 

    Mitigation strategies themselves must be validated and verified before being implemented. Part of that verification entails measuring the effect of the proposed course on the underlying risk; this process can be repeated until it yields a measure (or combination of measures) that reduces risk to an acceptable level.

    Finally, implementing a risk mitigation strategy will often require approval, cost-effective funding, and scheduling. But implementation isn’t the end of the story. Hazard tracking remains key, until the risk is mitigated to an acceptable level. Still, the record of the hazard must be maintained.

Figure 1. Five phases of the safety risk management process

Safety risk management with ISO 31000

Aviation safety risk management is emerging alongside a broader reconceptualization of risk management. Practitioners now want to link key risks and risk management processes to an organization’s on-the-ground strategic objectives (e.g. regulatory compliance and enhancing passenger and staff safety in the face of increased air travel), since various factors can impede the attainment of those objectives, introducing uncertainty in the process[vii].

That uncertainty – more specifically, the effect uncertainty has on an organization’s strategic objectives – is now being classified as risk. In turn, the industry is rolling out best practice standards for aviation service providers looking to identify and control a broader cross-section of these risks, including safety, reputational, and financial risks. The best of those standards is ISO 31000, the international standard for the practice of risk management, applicable to all organizations in all vertical markets, irrespective of size.

The standard, a framework for establishing the context of, identifying, analyzing, evaluating, treating, monitoring, and communicating risk, prioritizes executive buy-in. After all, only a proactive stance on the part of senior leadership can ensure that best-practice risk processes are fully integrated across all levels of the organization. Senior leaders also ensure that those processes, custom-fit to the organization’s risk profile, culture, and risk appetite, are strongly aligned with top-line business objectives, strategy, and culture.

The standard also calls on individual business process owners to identify and consider risks in their business decisions. What’s more, the business is urged to integrate risk management in all other key aspects of decision making, e.g. business continuity, compliance, crisis management, organizational resilience, etc.  

So, what does ISO 31000 lay out explicitly? The early sections of the standard provide a glossary of relevant terms, while also establishing the standard’s scope, which is broad and all-inclusive. Further, as a generic standard, ISO 31000 does not prescribe a one-size-fits-all risk management process. Instead of mandated uniformity, the design and implementation of risk management plans and frameworks should be contingent on specific organizational factors, such as the company’s objectives, context, structure, operations, processes, functions, projects, products, services, and assets.

Another innovation that the standard brings to risk practitioners is a redefinition of certain key risk management principles. Successful risk management, according to the standard, is now predicated on compliance with these principles, described below:

  • Risk management creates and protects value.
    Risk management contributes to the demonstrable achievement of objectives and improvement of performance in, for example, human health and safety, security, legal and regulatory compliance, public acceptance, environmental protection, product quality, project management, efficiency in operations, governance and reputation.
  • Risk management is an integral part of all organizational processes.
    Risk management is not a stand-alone activity that is separate from the main activities and processes of the organization. Risk management is part of the responsibilities of management and an integral part of all organizational processes, including strategic planning and all project and change management processes. 
  • Risk management is part of decision making.
    Risk management helps decision makers make informed choices, prioritize actions and distinguish among alternative courses of action. 
  • Risk management explicitly addresses uncertainty.
    Risk management explicitly takes account of uncertainty, the nature of that uncertainty, and how it can be addressed.
  • Risk management is systematic, structured and timely.
    A systematic, timely and structured approach to risk management contributes to efficiency and to consistent, comparable and reliable results. 
  • Risk management is based on the best available information.
    The inputs to the process of managing risk are based on information sources such as historical data, experience, stakeholder feedback, observation, forecasts and expert judgement. However, decision makers should inform themselves of, and should take into account, any limitations of the data or modelling used or the possibility of divergence among experts.
  • Risk management is tailored.
    Risk management is aligned with the organization’s external and internal context and risk profile. 
  • Risk management takes human and cultural factors into account.
    Risk management recognizes the capabilities, perceptions and intentions of external and internal people that can facilitate or hinder achievement of the organization’s objectives. 
  • Risk management is transparent and inclusive.
    Appropriate and timely involvement of stakeholders and, in particular, decision makers at all levels of the organization, ensures that risk management remains relevant and up to date. Involvement also allows stakeholders to be properly represented and to have their views taken into account in determining risk criteria. 
  • Risk management is dynamic, iterative, and responsive to change.
    Risk management continually senses and responds to change. As external and internal events occur, context and knowledge change, monitoring and review of risks take place, new risks emerge, some change, and others disappear. 
  • Risk management facilitates continual improvement of the organization.
    Organizations should develop and implement strategies to improve their risk management maturity alongside all other aspects of their organization.

More ISO 31000: Risk management framework and process sections

A subsequent section devoted to risk management frameworks assists the certifying organization with integrating risk management into its existing management practices and processes. As detailed in ISO 31000, the actual framework for managing risk, like risk management principles more broadly, should be iterative, specifically in its processes for designing, implementing, monitoring, reviewing, and continually improving.

And as mentioned, the standard emphasizes the crucial role of sustained, senior management commitment in integrating risk management into all aspects of decision-making. Indeed, management holds the key to success.

What exactly should management do? The standard suggests the following:

  • Define and endorse risk management policy
  • Ensure that the organization’s culture and risk management policy are aligned
  • Determine risk management performance indicators that align with performance indicators of the organization
  • Align risk management objectives with the objectives and strategies of the organization
  • Ensure legal and regulatory compliance
  • Assign accountabilities and responsibilities at appropriate levels within the organization
  • Ensure that the necessary resources are allocated to risk management
  • Communicate the benefits of risk management to all stakeholders
  • Ensure that the framework for managing risk continues to remain appropriate 

The inter-relationship between the varying components of the risk management framework is depicted below. 

That’s not all, though. The successful design and implementation of the risk management framework depends on several additional factors; a crucial one: in-depth evaluation of the organization’s context. And that context isn’t just internal (i.e. relating to organizational governance, organizational structure, roles, accountabilities, etc.), it’s also external, meaning social, cultural, political, legal, and economic factors should be accounted for, as well. Further risk framework design points include:

  • Accountability.
    Risk owners should be identified and given the requisite authority to manage risks. That authority comes with accountability for the development, implementation, and maintenance of the framework for managing risk. 
  • Integration.
    The risk management process can’t be distinct from all other organizational practices and processes. Instead, the risk management process should be embedded effectively and efficiently.
  • Resources.
    Appropriate resources should be delegated to risk management, including people with relevant skills, experience, and competence.
  • Communication and reporting.
    Well-functioning risk management processes depend on effective communication and reporting. Internal and external communication should be covered; specifically, plans should be made and implemented for communicating with external stakeholders.

Finally, the safety management system alone isn’t enough to maximize safety benefits and ensure compliance – not with such stark, forecasted increases in air travel. Instead, mitigating safety risk and making better informed safety decisions (should risks become incidents) require airports and airlines to develop best-practice safety risk management programs, in adherence with international standards like ISO 31000.

Don’t worry, integrated safety and security technology, purpose-built for the aviation sector, can help, too. Integration with passenger manifests and movement logs, safety risk management modules with user-defined risks and controls, risk and control libraries that simplify the identification of new hazards based on best practices, and countless other advanced capabilities can ensure compliance, keep aviation operations running smoothly, and ensure passengers and staff remain safe and secure.

Citations

[i] International Civil Aviation Organization: ICAO Journal: Safety Management: Global Approach Unlocks Potential of SMS. Available at https://www.icao.int/environmental protection/Documents/Publications/6106_en.pdf.

[ii] Federal Aviation Administration: External SMS Efforts – Part 139 Rulemaking. Available at https://www.faa.gov/airports/airport_safety/safety_management_systems/external/?action=rulemaking.

[iii] Federal Aviation Administration: Fact Sheet – Office of Airports Safety Management System Efforts. Available at https://www.faa.gov/news/fact_sheets/news_story.cfm?newsId=20554.

[iv] International Air Transport Association: Air transport supports 65.5 million jobs and $2.7 trillion in economic activity. Available at https://www.iata.org/pressroom/pr/Pages/2018-10-02-01.aspx.

[v] Mark Caswell, Business Traveller: Airbus: world’s passenger fleet to double in 20 years. Available at https://www.businesstraveller.com/businesstravel/2018/07/10/airbus worlds passenger-fleet-to-double-in-20-years/.

[vi] International Air Transport Association, Airlines: Passenger numbers to hit 8.2bn by 2037 – IATA report. Available at https://www.airlines.iata.org/news/passenger-numbers-to hit-82bn-by-2037-iata-report.

[vii] Ibid.