Risk in the aviation industry is most commonly associated with threat to life and limb. But events like the ValuJet accident in the Florida Everglades and the loss of the TWA B747 off Long Island merely represent the most tragic end of a wide spectrum of risk which the airline business faces. Yet business risks, as opposed to flight safety risks, may not be receiving adequate management attention.
These risks can have a serious commercial impact on the business and, at worst, can result in an airline's demise. Five years ago, a fire at Cathay Pacific's Warwick House computer centre resulted in a power failure which knocked out more than 90 'mission critical' applications for more than 13 hours. In the mid-1980s, Lufthansa and Japan Airlines engaged in highly costly currency hedges against the US dollar. Poor forecasting and fleet purchase decisions have led a number of major airlines into serious financial circumstances and, often, drastic loss of competitive position.
These high-profile experiences represent the tip of the iceberg. Conventional risk theory suggests that for every 'fatality', the multiples in terms of risks taken are enormous, with 10 major incidents, 30 minor incidents and 600 near misses.
Today's heavy emphasis on cost reduction brings the inherent danger that costs are lowered in individual areas with no accompanying change to working practices. Cost cuts can remove the organisational safety nets which management layers have hitherto provided. Less resource and less time can lead to 'firefighting': over-reliance on the few workable procedures which deliver the operational result within economic constraints but, perhaps unwittingly, significantly increase the risk profile of the business.
The implications for the industry are wide-ranging. The management of risk by airlines is frequently too narrow - reactive rather than pre-emptive. Can the boards of most airlines rest assured that their management processes are sufficiently comprehensive to respond to the dynamics of the business in which they operate? In too many instances risk management is focused on recovery from disaster - damage limitation after the event rather than avoidance of costly mistakes before they occur.
An Iata sponsored survey of risk procedures in 24 airlines indicates that many do not operate recovery plans to help them cope with disasters other than crashes (see Table 1). While 13 operate a risk management department, many of these departments deal only with aircraft and other forms of insurance rather than the wider spectrum of business risk in areas such as human resources, marketing, product distribution, technology and innovation. Even when the functional scope is wider, management emphasis has traditionally focussed on contingency planning for recovery, rather than management systems and processes to minimise the risk. In many cases, the study reveals that recovery plans are not regularly tested.
Because of the geographical range and complexity of 'real-time' operations, the nature of the risk profile in the airline industry is far wider than in most businesses, as the limited list in Table 2 suggests.
Minimising these risks relies upon a complex interaction across virtually all departments. The paradox for most airlines is that bringing all facets of risk within the scope of a single risk management department may itself be limiting. The gain from a single functional responsibility may be less attractive than building appropriate procedures into all aspects of management.
The directors of any airline want to foster the public perception of low risk. But risk is expensive to eliminate completely. Management systems and processes tend, therefore, to be designed around operation within acceptable parameters. However, who determines what is acceptable?
For a company's board, there are inherent dangers in specifying what is acceptable. Delegating responsibility to lower levels of management might be unreasonable, limiting in scope, and evidence of omission.
The classical response is to specify compliance criteria and, when there is concern that the risk of failure is unacceptable, to lift compliance levels, say from 95 per cent to 99 per cent. However, it is difficult for any board to condone the concept of failure - even at only 1 per cent - in the face of high customer expectations. Furthermore, establishing compliance criteria tends to create a focus upon a few main parameters, rather than setting standards across the business and at all levels. Also, this approach often misses the impact which individual decisions can have upon the integrated risk of failure.
But over-compliance is expensive, so there is a tension between the two strategic goals of quality and cost. In an era of constant downward pressure on costs, it is essential to be able to quantify the cost of lifting compliance and consciously to decide on change. But this is a tall order if not all risk areas are properly identified, there is no overarching responsibility, and there is no process which builds risk into daily functions.
The problem is not unique to the airline industry. It took the grounding of the Exxon Valdez and the subsequent environmental catastrophe for Exxon to review its risk management procedures across the corporation, and to follow up with a comprehensive change to all management processes.
Similar lessons can be drawn from other 'high risk' industries, such as nuclear power or chemicals, but there are also good examples of the management response to the problem in industries where the public perception of risk is generally low but the impact of failure can have dire consequences, especially for the chief executive and his board.
In a survey of over 20 companies in risk-sensitive industries, including an in-depth study of six businesses in the rail, gas, oil, tobacco and water supply sectors, Beddows & Co assessed the comparative approach to risk management across a range of elements. These included risk assessment (how risk areas are identified, measured and prioritised); the extent of established management procedures; training competency; asset management (procurement, installation, operation and maintenance); incident reporting (data management and follow-up systems); and how culture impacts on effectiveness.
The results emphasised five areas as having significant impact on the effectiveness of risk management:
1 The quality of reporting systems and databases;
2 Internal communications and the role of culture (recognition and transmission of best practice);
3 Management and understanding of assets;
4 Training, personnel selection and assessment;
5 Review procedures, auditing and internal discipline.
Those organisations with a formalised and integrated approach to management of risk across these areas were generally better at responding to the issues which lie at the root of the dilemma. Any organisation needs to ask four questions:
* Which failures should the company concentrate on avoiding? In other words, which disasters would be critical to system performance, public perception and economics, and what the operational and investment implications of failure would be.
* How can the firm develop a realistic outlook on failure? There needs to be a practical definition of 'no failure' events and a positive attitude to reporting failures and 'near-misses', and learning from them.
* How much failure can be avoided by reorienting or increasing investment? Better hard, factual data on asset operating performance will help, as will more 'system' thinking and physical networking.
* What operational improvements will help avoid failures? These can be identified through better responsibility and accountability for both non-failure and failure; introducing a different mentality and culture for dealing with budgetary pressures; and increasing training and standardisation.
A response to these questions needs to address the reality of the organisation and the strong probability that the management of risk will be disintegrated and uneven in approach. For the board to be satisfied that procedures are adequate, comprehensive, cost-effective and proactive, existing practices need to be measured against a 'blueprint' which acknowledges the risks the organisation faces and provides an explicit mechanism for dealing with them on an ongoing basis.
The objective of the blueprint is to provide an overall structure and outline of content which clearly identifies where alternative courses exist, and then leads management to choose the correct action. Implementation relies upon four basic tenets:
1 Risk management is a line responsibility and has applications across all functional areas;
2 Risk prevention, action and relevant procedures need to be integrated into the objectives, tasks and processes of the business;
3 Risk management is delegated across the vertical hierarchy and horizontal processes to the points where decisions with risk impact are made;
4 A risk management department is an explicit element of the organisation structure and its scope is widely defined.
To support these 'structural' elements of the blueprint, key processes for risk management need to be established in the human resources, training, asset management, information systems and communications departments.
Finally, the blueprint must receive board level attention to ensure that risk management is not merely a process but becomes ingrained in the culture of the organisation, kept alive and constantly reinforced.
It is too easy to assume that existing procedures and practices cover the risks which an organisation is running on a daily basis. This is less a sign of complacency than a natural conclusion when a complex, often global, operation continues to function consistently on a day-to-day basis. Unfortunately, risk is an inconsistent phenomenon. The fact that something has not happened is no guarantee that it will not. The danger is that inadequate preventative procedures increase the likelihood that it will.
The inevitable tension between quality and cost means that no board can afford to rely upon the systems and procedures which were put in place to manage yesterday's risks. Risk management must, of necessity, be forward looking, integrated with all other management processes, and deliberate. Managing risk well actually reduces operating costs because there is less fire-fighting, less fixing after the event and less organisational pressure to 'absorb' costly errors.
Source: Airline Business
