Realize the benefits of an aerospace risk management process and why it should be part of every organization’s culture.

Source: Bombardier


Risk is an undesirable situation or circumstance that has both the likelihood of occurring and a potentially negative consequence. Risks are present throughout an organization and can be internal or external.

Internal areas of an organization where risk could have a significant impact include contracts, design, supply chain, planning and production. Internal risks are highly likely to be controllable.

Conversely, external risks, such as natural disasters and economic, political and social risks, are generally difficult to predict or control.

Risk management is a repetitive process to identify, assess, reduce, accept and control risk. The process should be systematic, proactive, comprehensive and cost effective while taking into account the business, cost, technical, quality and schedule constraints. Each key process owner should identify risk and mitigate appropriately.


Why have a risk management process?

Risk management is now required by the AS 9100 standard. Let’s look at the benefits of an aerospace risk management process and why it should be part of every organizational culture.

Organizations need a risk management process in order to reduce the odds of something harmful happening to the business. This involves focusing on risk to meet customer requirements and preventing product nonconformity escapes.

The absence of an aerospace risk management process can result in known, unknown and unknowable/unforeseen problems for the customer and stakeholder concerning cost, schedule and technical performance of programs, in particular for programs concerning the quality and delivery performance of products and services.

What are the benefits of an aerospace risk management process?

Process benefits of risk management can:

Increase the likelihood of achieving objectives

Encourage proactive management

Raise awareness of the need to identify and treat risk throughout the organization

Improve the identification of threats

Comply with relevant legal and regulatory requirements

Improve financial reporting and governance

Develop stakeholder confidence and trust

Establish a reliable basis for decision making and planning

Improve organizational controls

Effectively allocate and use resources for risk treatment/handling

Improve operational effectiveness and efficiency

Cost of risk management is typically less than the cost of issue management

Enhance health and safety performance, as well as environmental protection

Improve organizational learning and resilience

Product and service benefits of the organizational management of risk

Reduce the likelihood of delivering nonconforming product or services to customers

Reduce the likelihood of delivering late product or services to customers

Increase the likelihood of business success, for example, meeting schedules and budgets

Reduce the probability and consequences of potential failures

Purpose of the program

A formal aerospace risk management program describes the organization’s attitude and approach toward risk, how it conducts risk management and the level of risk it is prepared to accept.

A risk management program:

Helps an organization identify risk

Helps an organization reduce occurrences and impacts of risk

Helps an organization understand significance and severity of risk

Promotes organizational behavior focused on risk management

Increases effectiveness of product delivery to customers

Creates a process for who, what, when, where, how and how much

Helps organization bring out hidden risk knowledge so it can be managed

Risk management should encompass all areas of business performance and should be exerted at all levels of an organization.

Relating to AS 9100

How does risk management relate to the AS 9100 quality standard? Risk management is a requirement of the AS 9100 quality standard. The standard requires an aerospace quality management system that takes into account the identification of various risks related to organizational circumstances in regard to its needs, business objectives, product range, applied processes and the size of the organization.

There are several sections in the AS 9100 standard where risk and risk management are identified:

3.2 Special Requirements: Those requirements identified by the organization or its customer(s) that have high importance in being achieved, thus requiring their inclusion in the risk management process. Factors used in the determination of special requirements include product or process complexity, past experience and product/process maturity.

3.3 Critical Items: These include such things as safety critical items, fracture critical items, mission critical items, etc. A risk management process must be implemented to control these matters.

3.4 (7.2.1, 7.2.2, 7.3.3) Key Characteristics: These are attributes or features which may create a risk to product fit, form, function, performance, service life or producibility and use of the product throughout the product life. The risk associated with key characteristics needs to be managed through the risk management process.

7.1.1 Risk Management Link to Project Management: The standard says: “The organization shall plan and manage product realization in a structured and controlled manner to meet requirements at acceptable risk, within resource and schedule constraints.” Any project management program must include risk management.

7.1.2 Risk Management: The standard says: “The organization shall establish, implement and maintain a process for managing risk to the achievement of applicable requirements, as appropriate to the organization and the product.”

This should include:

Assignment of responsibilities for risk management

Definition of risk criteria, for example, likelihood, consequences, risk acceptance

Identification, assessment and communication of risk throughout product realization

Identification, implementation and management of actions to mitigate risks that exceed the defined risk criteria

Acceptance of risk remaining after implementation of mitigating actions

7.2.2 Product Risk: The organization has to ensure that risks have been properly identified, such as new technology, short delivery time frame, resources and change in source of supply.

Supply Chain Risk: The organization has to manage risk when selecting and using suppliers.

Preventive Actions: The organization must establish preventive actions including risk management, such as error proofing, failure mode and effect analysis and product problems reported by external sources.

What should we do now?

Organizations should develop and implement a process defining how risk management will be accomplished. A methodology must be developed by which risk management tools and documentation can be managed. Most importantly, the organization must ensure all personnel are aware of and use the system.

The organization must begin by formalizing objectives and policies, as well as establishing a risk management plan supported by top management.

The following are basic components of an aerospace risk management process:

Risk Identification. Identify and define the problem or opportunity, as well as risk issues; decide on the people, expertise, tools and techniques needed to work the issue; perform a stakeholder analysis; identify risk using a risk ID checklist and document it.

Risk identification should be performed by a cross-functional team representing all affected functions of the organization. Risk identification should be a continuous process and included in the organization’s decision-making processes.

Risk Assessment. Analyze the content of the issue from an overall organizational perspective and ensure the entire issue is understood. The analysis should include the likelihood, consequence, severity and customer impact. Risk criteria need to be established at this point so the organization can determine what risk must be mitigated and what risk the organization can live with.

Risk Management Process. Once risks that fall outside of the acceptance criteria are identified, mitigation actions should be implemented. The organization should set desired results for the mitigation actions and select a strategy to address the situation. Maintain status of action items until the actions are complete. Verify that objective evidence of completion of the actions exists, and monitor for effectiveness. If the actions prove to be ineffective, define and execute new actions.

Risk Management Culture. The organization must foster a culture of risk management. To do this, risk management processes and actions should be communicated throughout the organization. The focus on risk management needs to be a top-down approach, supported by top management. Organizations should:

Promote risk management learning by employees

Promote learning by experience from issues that arise

Include risk management in demonstrating management leadership

Support innovation in a structured risk management environment.