Risk is an undesirable situation or circumstance that has both the likelihood of occurring and a potentially negative consequence. Risks are present throughout an organization and can be internal or external.
Internal areas in an organization where risk could present a significant impact can include contracts, design, supply chain, planning and production. There is a high probability that internal risks can be controlled.
Conversely, external risks, such as natural disasters and economic, political and social risks, are generally difficult to predict or control.
Risk management is a repetitive process to identify, assess, reduce, accept and control risk. The process should be systematic, proactive, comprehensive and cost-effective while taking into account the business, cost, technical, quality and schedule constraints. Each key process owner should identify risk and mitigate appropriately.
Why have a risk management process?
Organizations need a risk management process in order to reduce the odds of something harmful happening to the business. This involves focusing on risk to meet customer requirements and preventing product nonconformity escapes.
The absence of an aerospace risk management process can result in known, unknown and unknowable/unforeseen problems for the customer and stakeholder concerning cost, schedule and technical performance of programs, in particular for programs concerning the quality and delivery performance of products and services.
Increase the likelihood of achieving objectives
Encourage proactive management
Raise awareness of the need to identify and treat risk throughout the organization
Improve the identification of threats
Comply with relevant legal and regulatory requirements
Improve financial reporting and governance
Develop stakeholder confidence and trust
Establish a reliable basis for decision making and planning
Improve organizational controls
Effectively allocate and use resources for risk treatment/handling
Improve operational effectiveness and efficiency
Cost of risk management is typically less than the cost of issue management
Enhance health and safety performance, as well as environmental protection
Improve organizational learning and resilience
Product and service benefits of the organizational management of risk
Reduce the likelihood of delivering nonconforming product or services to customers
Reduce the likelihood of delivering late product or services to customers
Increase the likelihood of business success, for example, meeting schedules and budgets
Reduce the probability and consequences of potential failures
Purpose of the program
A formal aerospace risk management program describes the organization’s attitude and approach toward risk, how it conducts risk management and the level of risk it is prepared to accept.
A risk management program:
Helps an organization identify risk
Helps an organization reduce occurrences and impacts of risk
Helps an organization understand significance and severity of risk
Promotes organizational behavior focused on risk management
Increases effectiveness of product delivery to customers
Creates a process for who, what, when, where, how and how much
Helps an organization bring out hidden risk knowledge so it can be managed
Risk management should encompass all areas of business performance and should be exerted at all levels of an organization.
Relating to AS 9100
How does risk management relate to the AS 9100 quality standard? Risk management is a requirement of the AS 9100 quality standard. The standard requires an aerospace quality management system that takes into account the identification of various risks related to organizational circumstances in regard to its needs, business objectives, product range, applied processes and the size of the organization.
There are several sections in the AS 9100 standard where risk and risk management are identified:
3.2 Special Requirements: Those requirements identified by the organization or its customer(s) that have high importance in being achieved, thus requiring their inclusion in the risk management process. Factors used in the determination of special requirements include product or process complexity, past experience and product/process maturity.
3.3 Critical Items: These include such things as safety critical items, fracture critical items, mission critical items, etc. A risk management process must be implemented to control these matters.
3.4 (7.2.1, 7.2.2, 7.3.3) Key Characteristics: These are attributes or features which may create a risk to product fit, form, function, performance, service life or producibility and use of the product throughout the product life. The risk associated with key characteristics needs to be managed through the risk management process.
7.1.1 Risk Management Link to Project Management: The standard says: “The organization shall plan and manage product realization in a structured and controlled manner to meet requirements at acceptable risk, within resource and schedule constraints.” Any project management program must include risk management.
7.1.2 Risk Management: The standard says: “The organization shall establish, implement and maintain a process for managing risk to the achievement of applicable requirements, as appropriate to the organization and the product.”
This should include:
Assignment of responsibilities for risk management
Definition of risk criteria, for example, likelihood, consequences, risk acceptance
Identification, assessment and communication of risk throughout product realization
Identification, implementation and management of actions to mitigate risks that exceed the defined risk criteria
Acceptance of risk remaining after implementation of mitigating actions
7.2.2 Product Risk: The organization has to ensure that risks have been properly identified, such as new technology, short delivery time frame, resources and change in source of supply.
Supply Chain Risk: The organization has to manage risk when selecting and using suppliers.
Preventive Actions: The organization must establish preventive actions including risk management, such as error proofing, failure mode effect analysis and product problems by external sources.
What should we do now?
Organizations should develop and implement a process defining how risk management will be accomplished. A methodology must be developed by which risk management tools and documentation can be managed. Most importantly, the organization must ensure all personnel are aware of and use the system.
The organization must begin by formalizing objectives and policies, as well as establishing a risk management plan supported by top management.
The following are basic components of an aerospace risk management process:
Risk Identification. Identify and define the problem or opportunity, as well as risk issues; decide on the people, expertise, tools and techniques needed to work the issue; perform a stakeholder analysis; identify risk using a risk ID checklist and document it.
Risk identification should be performed by a cross-functional team representing all affected functions of the organization. Risk identification should be a continuous process and included in the organization’s decision-making processes.
Risk Assessment. Analyze the content of the issue from an overall organizational perspective and ensure the entire issue is understood. The analysis should include the likelihood, consequence, severity and customer impact. Risk criteria need to be established at this point so the organization can determine what risk must be mitigated and what risk the organization can live with.
Risk Management Process. Once risks that fall outside of the acceptance criteria are identified, mitigation actions should be implemented. The organization should set desired results for the mitigation actions and select a strategy to address the situation. Maintain status of action items until the actions are complete. Verify that objective evidence of completion of the actions exists, and monitor for effectiveness. If the actions prove to be ineffective, define and execute new actions.
Risk Management Culture. The organization must foster a culture of risk management. To do this, risk management processes and actions should be communicated throughout the organization. The focus on risk management needs to be a top-down approach, supported by top management. Organizations should:
Promote risk management learning by employees
Promote learning by experience from issues that arise
Include risk management in demonstrating management leadership
Support innovation in a structured risk management environment.