There is a lot of noise in industry about Safety Risk Management (SRM) with many “buzz words” being thrown around; e.g. SRM, Risk Based Oversight, Safety Intelligence. Ultimately it’s all about supporting the continual challenge an organisation has, in particular the Safety Manager justifying to the accountable manager where to invest in safety versus operations.
- Where are the problems that make me vulnerable to risk exposure?
- How do I prioritise controls to invest in?
Over the past eight years I’ve worked with around 50 aviation customers across all domains globally and all tend to have the same problem in regards to data. SRM as a one off “study”, perhaps once per year, is common and a valid approved proactive practice within the SMS. Safety Assurance (SA) then takes over – auditing, voluntary and mandatory reporting, Safety Performance Indicators (SPI) – i.e. the “reality day to day practices”.
The difficulty for most organisations is in comparing the “study” versus the “reality”. Of course, following an audit finding or safety report, corrective action is taken to address an ineffective control - but this tends to remain within the SA process and the risk study is not reviewed again until the following year.
The SRM process is difficult and highly subjective and organisations use internal and external historical data and experience during the study, however aviation is dynamic and so waiting once a year to react to the potential natural drift of “assumed” practices could be too late. You could find that, a year down the line, you are investing excessive resource and time into a set of controls or threats that in reality aren’t really the high risk exposed areas of your business.
I’ve recently completed my Masters in 'Air Safety Management' at City University London and this issue was the topic of my thesis. I used a significant Regulator and Global Operator as my case studies and found similar results as to why both organisations have issues of aligning the SRM and SA processes.
The following three phased model based on the Bowtie methodology was produced in the conclusion;
- Phase I – SRM Process (proactive study of the organisation's risks)
- Phase II – SA Processes
- Reactive & Proactive Streams of DATA
- Event Path Mapping & Control Effectiveness
- Phase III – Real Time Risk Oversight (SRM & SA Integration)
The main barrier to success in this process is common taxonomy streams between the SRM and SA processes and normalisation of other critical data i.e. flight hours, a/c type, operational environment, etc .
I welcome discussion and debate on how your organisation aligns the data flow between SRM and SA.