Accepting or Rejecting Risks
Accepting or rejecting risks is a fundamental principle in a successful safety management system (SMS). A person managing the safety management system is expected to maintain a process for identifying hazards to aviation safety and for evaluating and managing the associated risks and ensuring that personnel are trained and competent to perform their duties as they apply to the safety management system. This includes training for both the accountable executive and SMS manager, in addition to other airport and airline operations personnel.
A level of risk is an inherent element of aviation safety and there are several types of risks to consider when accepting or rejecting risks. One type of risk may take precedence over another type even if it is not directly associated with operations. Risk control strategies are beyond accepting or rejecting a risk, it is to justify control actions based on defined criteria. There are five categories of risks. The total risk is the sum of identified and unidentified risks. Identified risks are risks which has been determined through various analysis techniques. A task for the SMS manger is to identify all possible risks. Unidentified risks are risk not yet identified. Some unidentified risks are identified by occurrences, and some risk will never be known. Unacceptable risks are risks that are beyond a limit to what is acceptable to an SMS enterprise. Unacceptable risks may be controlled or eliminated. Acceptable risks are identified risks that is allowed by the SMS enterprise to persist without further engineering actions. Residual risks are the left-over risks after all other options has been fully explored. The residual risk is the sum of acceptable risks and unidentified risks and integrated in airport or airline operations.
Conventional wisdom is that the safety management system is about safety, while the fact is that the SMS is about processes, and how things are done. The expected output of these processes is to eliminate harm and create prosperity. When decisions are based on emotional safety principles, rather than data points of facts, the end result may change risk levels to unknown risk level, or unmanageable risk levels.
The AE is the final decisionmaker to accept or reject risks, system analyses or predictive SMS operations plans. Accepting or rejecting risk is not an authority to deviate from any of safety risk management (SRM) processed, or to base accepting or rejecting on common sense and prior practices. In the past, several practices which were acceptable for an airport operator are unacceptable today within an SMS environment. Airport operators has a responsibility for their airport operations to be compatible with aircraft operations, which is the purpose of an airport. In the past, a NOTAM that a runway was covered with ice or snow contaminants were a sufficient action. However, today within an SMS-world, an airport operator must comply with the airport standards, which includes a friction index requirement, or close the runway. An AE may be the final authority, but when risk acceptances are based on prior practices, both safety in operations, and certificate compliance are jeopardized. Risk acceptance based on prior practices, with the justification that it was done before without incidents doesn’t hold water. In addition, data from prior practices applied to hazard classifications and risks may be outdated.
An easy trap for an AE to fall into is to believe that they have the authority to change a risk level by the stroke of a pen. Nothing can be further from the truth. When an AE wishes to change a risk level, they must follow established processes for root cause analysis, risk assessment and system analysis, which include a signature page that they rejected a risk level advise from the SMS manager. In most organizations, an AE is the President of the company and the business management expert. An AE is not the data analysis expert but is still the person with final authority to change a risk level. Should an AE reject a recommended risk level, operations affected by the hazard in question is paused until an acceptable risk decision is made. On the other hand, an accountable executive has the prerogative to manipulate risk decisions after reviewing other apparent risks, or identified residual risks, and combined exceeds the effect of proposed risk control.
The role of an SMS manager is not to lower a risk level due to pressure, but to assess mitigation options for assigned risk level, and options for processes to conform to regulatory requirements and acceptable to the AE. A trap for an SMS manager to fall into, is to change the risk level to the demand of an accountable executive. When an SMS manager is a non-employee at a remote location, temptations to manipulate risk levels are reduced. In a just culture there is no personal liability associated with the position of an AE as this individual represents the certificate holder. The certificate holder retains all liability for non-compliance with the regulations. It is crucial to the success of an SMS that an AE works within the just-culture principles of trust, learning, accountability and information sharing when considering recommended risks controls.
A purpose of regulations is to establish operational limits acceptable to the interest of public safety as determined by the regulatory authority. Public safety may be a floating object and change with circumstances. In the aviation industry this became evident during the pandemic period, where regulatory aviation limits were changed to justify the cause of a greater threat to public safety. This makes risk control measures only applicable under the regulatory jurisdiction. Unless there are international agreements, a just culture, or non-punitive policy is not applicable beyond the regulatory jurisdiction. For airlines, an acceptable risk control within its own borders my be acceptable, while the same risk control internationally may be rejected, or in worst case a criminal action. A recent event occurred when a charter flight crew discovered an indication in the cockpit that something was wrong in the avionics bay. During an inspection of the bay, a duffel bags with illegal substances were discovered, and the flight crew reported this to the authorities. Since the crew was outside of the jurisdiction of their safety management system they were detained for seven months.
Accepting or rejecting risks is therefore more than just organizational related, it is also related to areas of operations, wherever that might take you. A principle of a successful SMS is that hazards are locally identified.