Industry Whitepaper The Case for Integrated Risk and Compliance Management Platforms in the Aviation Sector

© 2010 WatchTower Risk Consulting Ltd. Apart from any use as permitted under the Copyright Act 1968, all other rights are reserved.

Disclaimer: The material in this Whitepaper is provided for general information only, and heavily references the source information identified in the bibliography, much of which is quoted or re-published verbatim. Before any action or decision is taken on the basis of the material, the user should obtain appropriate independent professional advice, reviewing their specific operating environment.

WTI Aviation Office
Tel: +64 (03) 374-9664
Aarron Spinley, Executive Director
Brett Watson, Executive Director
Web site: www.watchtowerservices.com
First Edition

Contents

Contents ... 2
Report Objectives ... 4
  Introduction ... 4
  A Definition of Systemic Risk ... 4
  Industry Terms & Acronyms ... 5
Executive Summary ... 7
A Snapshot of the Aviation Sector ... 8
  Airports & Infrastructure ... 8
  Airline & High Capacity Operations ... 9
  Management – Availability & Experience ... 9
  Management – Standards ... 9
Global Risk Profile ... 10
  Global Governance & Impacts ... 10
  Interdependencies - Example ... 11
  Translating this to an internal application ... 11
Corporate Governance ... 12
  General ... 12
  The Aviation Sector ... 13
  Governance Failure Through Poor Risk Management: Example ... 1
  Establishing a Risk Management Framework ... 13
  Integrating ERM & Audit ... 15
  Dynamic Risk-Based Audit ... 15
  More Time for Analysis ... 15
  Directors Liability ... 16
  Return on Investment (ROI) on ERM ... 17
  Summary ... 18
Safety Management Systems ... 19
  Achieving Lead Indicator Environments ... 20
  The Evolution of Safety ... 21
  No-Where to Hide ... 22
Civil Aviation Regulation ... 23
  A Risk Based Approach ... 23
Conclusion ... 24
  Areas of Focus ... 25
Bibliography ... 26
About Watchtower International ... 27

Report Objectives

Introduction

Across the globe, the International Civil Aviation Organization (ICAO) and the International Air Transport Association (IATA) are leading a program of change, explicitly guiding industry operators to apply risk management principles to their operations and to safety management systems (SMS). The signatory states, countries and regulation territories of ICAO – through their own local civil aviation authority – are tasked to incorporate these requirements into their audits of Part 139 for airports and aerodromes, and Part 125/121 for airlines. This is likely to become an intrinsic part of these audits by circa 2015, leaving aviation sector operators a few short years in which to implement an effective strategy for their organisation. This whitepaper discusses the governance, risk, and compliance (GRC) profile of the sector, and draws on industry and external references. It is intended to support the decision-making process of aviation executives faced with two distinct management approaches to these issues:

• Continue with existing silos, adding some post-consolidation
• A single integrated platform

The paper concludes by supporting the adoption of single, enterprise wide, integrated management platforms by operators. Why a single integrated platform? ICAO and all industry bodies and participants are aware that the greatest threat to the industry, and to single operators within it, is that of ‘systemic risk’.

A Definition of Systemic Risk

A systemic risk is the potential loss or damage to an entire system, as contrasted with the loss to a single unit of that system. Systemic risks are exacerbated by inter-dependencies among the units, often because of weak links in the system. These risks can be triggered by sudden events or built up over time, with the impact often being large and possibly catastrophic [1].

We hope this paper is both informative and useful, and that it ultimately sets your organisation on a path to a single, integrated platform for aviation risk and compliance.

[1] The World Economic Forum, Global Risk Report 2010


Industry Terms & Acronyms

When reviewing this document and those that it references, the following provides an explanation of acronyms used, relevant industry bodies tasked with driving standards in general or within specialist aviation fields, and relevant aspects of the industry recommended to incorporate a risk based approach.

Industry Bodies

ASECNA: Agency for Air Navigation Safety in Africa and Madagascar
ATA: Air Transport Association of America
ATSB: Australian Transport Safety Bureau
BASIS: British Airways Safety Information System
DGAC: Direction Générale de l’Aviation Civile (France)
EASA: European Aviation Safety Agency
DASS: Directorate of Aerodromes Standards and Safety
EBAA: European Business Aviation Association
ECCAIRS: European Co-ordination Centre for Aviation Incident Reporting Systems
EUROCONTROL: European Organisation for the Safety of Air Navigation
FAA: Federal Aviation Administration (U.S.)
IATA: International Air Transport Association
IBAC: International Business Aviation Council, Ltd.
ICAO: International Civil Aviation Organization
IFALPA: International Federation of Air Line Pilots’ Associations
IFATCA: International Federation of Air Traffic Controllers’ Associations
ISASI: International Society of Air Safety Investigators
ISO: International Organization for Standardization
JAA: Joint Aviation Authorities
NASA: National Aeronautics and Space Administration (U.S.)
NBAA: National Business Aviation Association, Inc.
NTSB: National Transportation Safety Board (U.S.)
TP: Transport Publication (Canada)
FSF: Flight Safety Foundation
CANSO: Civil Air Navigation Services Organisation
CAA: Civil Aviation Authority (in each territory, jurisdiction, state)

Industry Risk & Safety Related Terms

ADREP: Accident/Incident Data Reporting (ICAO)
AEP: Aerodrome Emergency Plan
AIRS: Aircrew Incident Reporting System
ALARP: As Low As Reasonably Practicable
ASR: Air Safety Report
ASRS: Aviation Safety Reporting System (U.S.)
CAST: Commercial Aviation Safety Team
CHIRP: Confidential Human Factors Incident Reporting Programme
CMC: Crisis Management Centre
ERP: Emergency Response Plan
FOQA: Flight Operations Quality Assurance
FSO: Flight Safety Officer
GASP: Global Aviation Safety Plan (ICAO)
GRC: Governance Risk & Compliance
HAZid: Hazard Identification
ISIM: Integrated Safety Investigation Methodology
LOSA: Line Operations Safety Audit
NOSS: Normal Operations Safety Survey
OFSH: Operator’s Flight Safety Handbook
OIRAS: Operational Incident Reporting & Analysis Systems
OSH: Occupational Safety & Health
QAS: Quality Assurance System
SDR: Safety Data Request
SDCPS: Safety Data Collection and Processing Systems
SIL: Safety Issues List
SM: Safety Manager
SMM: Safety Management Manual
SMS: Safety Management System(s)
TEM: Threat and Error Management
TOR: Tolerability of Risk
USOAP: Universal Safety Oversight Audit Programme (ICAO)

General Industry

ACI: Airports Council International
AME: Aircraft Maintenance Engineer
AMJ: Advisory Material Joint
AMO: Approved Maintenance Organization
ATC: Air Traffic Control
ATCO: Air Traffic Controller
ATM: Air Traffic Management
ATS: Air Traffic Service(s)
CNS: Communications, Navigation and Surveillance
CRM: Crew Resource Management
DME: Distance Measuring Equipment
EGPWS: Enhanced Ground Proximity Warning System
FCO: Flight Crew Order
FDA: Flight Data Analysis
FDM: Flight Data Monitoring
FDR: Flight Data Recorder
FIR: Flight Information Region
FMEA: Failure Modes and Effects Analysis
FMS: Flight Management System
FOD: Foreign Object Damage
FPD: FDA Programme Database
GAIN: Global Aviation Information Network
GPS: Global Positioning System
GPWS: Ground Proximity Warning System
ILS: Instrument Landing System
INDICATE: Identifying Needed Defences in the Civil Aviation Transport Environment
JAR: Joint Aviation Requirement(s) (JAA)
MEDA: Maintenance Error Decision Aid (The Boeing Company)
MNPS: Minimum Navigation Performance Specifications
MRM: Maintenance Resource Management
MSAW: Minimum Safe Altitude Warning
PANS: Procedures for Air Navigation Services
PANS-ATM: Procedures for Air Navigation Services — Air Traffic Management
PANS-OPS: Procedures for Air Navigation Services — Aircraft Operations
SARPs: Standards and Recommended Practices (ICAO)
SHEL: Software/Hardware/Environment/Liveware
SID: Standard Instrument Departure
SIN: Standing Instruction Number
SOPs: Standard Operating Procedures
STAR: Standard Instrument Arrival
STCA: Short-term Conflict Alert
TCAS: Traffic Alert and Collision Avoidance System
TRM: Team Resource Management


Executive Summary

The global aviation sector faces a demanding Governance, Risk, and Compliance (GRC) profile, unmatched by most other industries for its technical nature, its diversity and its rate of change. This whitepaper outlines the four areas of the overall profile, and draws the same conclusion as the International Civil Aviation Organization (ICAO): that operators must apply a single, enterprise wide, management approach to fundamental risk and performance issues. The distinct, and yet entirely interdependent, elements of the aviation sector GRC profile are:

• Commercial and corporate enterprise risk
• Legislative (common and company law) compliance
• Civil aviation regulation
• Safety management systems

This paper argues that the sector must adopt:

• Single platform, enterprise wide approaches and management application(s), to break down departmental silos and information black holes
• The principle that Boards of Directors and their management are entirely responsible for the effective management of their risks and regulatory obligations
• A risk based approach to adherence to civil aviation regulation, given the dynamic environment of the sector (static regulation presumes a static environment)


A Snapshot of the Aviation Sector

As the sector seeks to recover from the economic conditions that pervade global economies following the global financial crisis, along with issues of regional security – and most recently the Icelandic volcanoes – operators are also faced with the need to improve their general risk and compliance performance. In this context, we believe that there are six general trends impacting on the aviation industry and expected to remain key influences into the future [2]:

• Global demand for aviation services is returning;
• Increased environmental awareness, driven by global concerns about global warming (the “greening” of business practice);
• Climate change;
• Developments in aircraft manufacture, systems and technologies which offer potential safety solutions while simultaneously adding complexity and change;
• International instability and increased security and compliance-related costs;
• Tightening corporate governance regimes are affecting all public entities and corporate entities the world over, regardless of industry.

These trends generate complexity and implications for specific aviation operations and safety support systems. The areas of aviation expected to be affected by these larger influences include new and ageing aircraft, airports and infrastructure, airspace and air traffic management, aviation personnel, regulators and administrators. Some of the solutions will require an industry-wide approach.

Airports & Infrastructure

Investment in airports and associated infrastructure is currently at a high level, fuelled by renewed growth in airline activity. Despite this investment, some airports will be stretched to accommodate demand due to lag times in approvals, design, building and infrastructure construction, and their AEP will struggle to keep pace. The privatisation of major airports has opened up a range of new practices designed to generate revenue. Aside from competition to attract new entrants, airport operators now also look to non-aviation returns on investments. Increasingly this means using land at airports for shopping centres, retail warehouses, outlets and office complexes. These developments concentrate large populations in areas of potential heightened risk and exacerbate the established trend of new suburbs progressively encroaching on airports and their ATM and ATC functions. As a result, it is possible that the risks associated with a runway excursion type of accident are increasing, due to the increasing potential consequences. Other substantial challenges facing the airports and infrastructure sectors include:

• Requirements to upgrade facilities and terminals to support new generation, high capacity aircraft;
• Upgrading navigation aids, procedures and approach facilities (particularly at regional airports) to support technologically advanced aircraft systems and regional jet activities;
• Implementing and upgrading security and passenger handling initiatives;
• Increased complexity, resources and costs associated with security requirements.

[2] CASA: An Assessment of Trends & Risk Factors in Passenger Air Transport, 2007


In particular, regions such as India are experiencing significant growth, which in turn requires a greater focus on the quality of systems to satisfy international standards and customer demand.

Airline & High Capacity Operations

Prior to the global financial crisis, the airline sector was reaping the reward of expansive economic conditions, and as confidence in both the economic conditions and regional security returns, so too does that expansion and increase of services. This will be challenging for airlines and create risks that need to be managed including:

• Personnel shortages
• New carriers
• New aircraft, systems and technology
• Inter-organisation information sharing

The heightened profitability of the high capacity sector means that resources should be available to invest in new strategies to control and mitigate associated risks. Regardless, airlines need to improve their understanding of external risk sources and their interdependencies. An obvious example of this was the recent Icelandic volcanoes which, whilst over Europe, still caused losses of USD 21 million a day to airlines while UK airports were closed under the EASA’s understandably cautious watch.

Management – Availability & Experience

With increasing emphasis placed on outcome-based regulation and safety systems, the role of operational and administrative management has assumed greater significance in contributing to the overall safety of an organisation. This is particularly important during periods of sustained commercial and operational instability or growth, as the aviation industry is currently experiencing.

Management – Standards

Aligned with the availability and experience of quality management personnel is the increased adoption of professional and industry standards, such as:

• ISO 9001:2008 – Quality Management Systems (QMS)
• ISO 31000:2009 – Risk Management Standard


Global Risk Profile

Every organisation, industry, and country must begin to fathom the importance of understanding its ‘inter-connectedness’ with the world around it. Furthermore, it must consider the impact of multiple factors on itself, and contemplate the preparedness that its stakeholders might reasonably expect it to have in place.

Global Governance & Impacts

In many ways, we are all at the mercy of global governance and the prevailing attitudes to risk. Most often they are only ‘united’ by singular events, e.g. climate change and the financial crisis.

The World Risk Report, annually published by the World Economic Forum, maps these interdependencies and asks searching questions of government and industry.


Interdependencies - Example

For example, the sudden rise in jobless figures seen in developed economies in 2009 was in part cyclical, as a response to the decline in demand, and these jobs should therefore return, albeit slowly, as demand increases. However, the crisis also hastened structural changes. Certain industries, such as the automobile sector, were already in decline in regions where labour costs made them uncompetitive.

In other industries such as airlines, consolidation and new business models mean an overall decrease in the numbers employed. The question will be how to compensate for these structural changes as growth returns.

“One of the major conclusions from the analysis of the results of the 2010 Global Risks Expert Perception Survey is the marked increase in interconnectedness among the risks covered by the Global Risk Network… This year’s survey shows that both the number and strength of interconnections among risks have increased notably.” (World Economic Forum, 2010)

Translating this to an internal application

Of course, industry executives cannot be expected to monitor all potential eventualities, many of which are uncontrollable. However, just as these interdependencies exist externally, so too there is a myriad of reliance and connectedness between internal elements:

• Corporate risk (liability, credit, liquidity, governance, legislative)
• Civil aviation regulation reporting
• Terminal / flight operations
• Airside operations
• Safety management systems

It is these areas that aviation industry boards and executives must address, a single and integrated platform being the only viable option to do so across all elements and their relative impact to one another. This can only be achieved through a properly constructed risk management framework.


Corporate Governance

General

Of course, whilst risk management is almost exclusively delegated to management, it is irrevocably a governance issue. Every corporate governance regime in the developed world prescribes a system of internal control, and in every critical field this relies on a two-pronged approach. It is the fundamental responsibility of the board of directors to ensure the:

• Performance of the function
• Audit of the effect, integrity and process of that function

Risk management programs are critical across the operational and compliance profile of the entity, often underpinning its ability to meet fundamental standards and obligations, including:

• Governance Codes (UK Revised Code, ASX, NZX, LSE, NYSE, SecCom, etc.)
• Sarbanes-Oxley Act
• Professional standards: PMI, COBIT, ISO etc.
• Legislative Compliance Management
• Safety Management System (SMS)
• Capital Projects
• Mergers & Acquisitions
• Civil Aviation Regulation Part 139 (airports) / 121/125 (airlines)
• Duties of Disclosure

Following the events of the 1990’s with major corporate failures (Enron, HIH, etc.), and the subsequent global financial crisis toward the end of the first full decade of the new millennium, the regulatory response of world governments has been consistent and its message clear. Most recently (at the time of writing), a substantively sharper focus on the proper management of risk has been included in the revised UK Corporate Governance Code published in June 2010. In particular, the Code is explicit that the board of a company must maintain sound risk management and internal control systems:

“The board is responsible for determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives.” (UK Corporate Governance Code, June 2010)

Some of these themes are not new and have existed in other corporate governance regimes around the world for some time. However, the days of governments and their regulators tolerating non-performance in this area are numbered. And it is not just regulators that are demanding improvement. The credit rating agencies around the world – led initially by Standard & Poor’s – are now incorporating “ERM assessments” as part of the credit ratings process, with direct and immediate impact on company values and access to capital.


The Aviation Sector

The issues of corporate governance and risk management apply to all sectors and internationally trading organisations. There is no escape.

From a purely business perspective in the aviation context, it does an airport or airline little good if it can manage and control its terminal, airside, and flight operations to world class standard, only to suffer major or even catastrophic loss due to failings in its corporate governance arrangements.

The days of only auditing one’s accounts, and publishing the same “cut and paste” disclosure about risk management in the annual report, are gone. Indeed, the consequences of misleading statements in the annual report being brought to light by risk events are heightening.

Governance Failure Through Poor Risk Management: Example

The most recent corporate disaster to highlight this is BP’s catastrophic environmental (and balance sheet) failure resulting from the oil spill in the Gulf of Mexico. In addition, a subsequent UK investors meeting revealed that the same paragraph assessing BP's policy on risk and insurance had appeared 20 years running in BP's annual report [3].

In stark contrast to the standards of corporate governance, BP chief executive Tony Hayward told the US Congress committee that he had not had ‘any involvement in or prior knowledge of safety decisions’. This was mounted as a form of defence, when in fact it only served to uncover a failing in the governance arrangements at BP.

Establishing a Risk Management Framework

A critical part of your overall governance program is the implementation and maintenance of a risk management framework.

Many readers will automatically consider that they have one, and begin to skim read this section. However, the term ‘risk management framework’ is often hijacked by those who do not understand it and are happy to use the term interchangeably with other management terms, with little regard for the confusion this causes. So what is a risk management framework? It is best defined by what it delivers.

Outcomes

• A framework which is responsive to the specific needs and objectives of the organisation.
• The establishment therein, or confirmation of, your risk tolerance and risk appetite thresholds (organisationally, project wide, and/or for specific aspects).
• A mechanism to inspire confidence in current and potential stakeholders, and to support management decision making at the organisation.
• An auditable program designed on a professional, measurable standard.

[3] Article from The Guardian: UK Company Risk Management Left to Chance


The risk management framework should:

• Be transparent to managers, directors and key stakeholders (or representative stakeholder organisations).
• Establish and articulate the organisation’s tolerance to the various consequences of risk within its strategic planning processes.
• Identify, analyse, assess, prioritise, manage and report on risks in a comprehensive and consistent manner.
• Require relevant managers and staff, along with contractors and third parties, to understand and manage risks to the organisation that are within their ability to control, and to report upwards on risks that they are unable to control.
• Inform the organisation’s Board of Directors of risks that could impact it in a strategic sense, together with:
  • Assurance that these risks are reliably controlled where this is the case, or
  • Advice on actions that are planned or in progress to control these risks, noting responsibilities where these have been assigned, or
  • Confirmation that the organisation cannot control or directly influence the risks in question.

Objectives

• All material risks to be identified, understood and quantified in order to ensure a common approach and level of resources for management of risks across the organisation;
• Appropriate risk management action objectives are identified and understood for all ‘strategic’ risks (overseen by the board);
• Accountabilities across the organisation for ownership of risks and the management of actions to mitigate/control/transfer are clearly identified and are appropriate;
• Agreed risk management actions across the organisation are systematically and regularly monitored, measured and reported; and
• The risk management framework links to the core business processes of business planning, budgeting, and performance management.

Audit & Assurance

All aspects of corporate governance must be subject to audit. However, one significant and common failing of governance arrangements is the use of internal auditors to provide the risk management function. There is only one exception to this rule. Where IA extends its involvement in ERM:

“Internal audit cannot also give objective assurance on any part of the ERM framework for which it is responsible. Such assurance should be provided by other suitably qualified parties.” [4]

This is a critical issue. Many of the corporate failings during the financial crisis post-2007 were characterised by the use of their IA to provide their risk management function, leaving a critical piece of their governance devoid of any independent quality assurance and review whatsoever. However, readers should not surmise that the role of IA is in any way regarded to be unimportant. In fact, nothing could be further from the truth.

Roles internal auditing should NOT undertake [4]:

• Setting the risk appetite
• Imposing risk management processes
• Management assurance on risks
• Taking decisions on risk responses
• Implementing risk responses on management's behalf
• Accountability for risk management

[4] The Institute of Internal Auditors

Integrating ERM & Audit

Equally, it is very important to ensure that there is independent review and audit of the ERM program. In order to understand how they should work together, it is worth first reviewing what each does, so as to avoid any confusion [5]:

Audit (The Assurance)

• Looks into the past
• Based on controls and deviations
• Covers operational and compliance matters
• To be done by the Audit department

Risk Management (The Doing)

• Looks into the future
• Based on probability and impact
• Covers strategic, operational, and compliance matters
• To be done by all departments

Dynamic Risk-Based Audit

Your business changes all the time. So when was the last time your standard audit checklist changed? It should be guided by the changing risk profile of the business, ensuring that the parts of your business that generate the greatest sources of risk, together with the key controls, are the focus of the internal audit function. This targets the areas of assurance that the business most critically needs. By doing so, it takes the risk assessments that have already been performed one step further, adds more value, and improves not only the effectiveness of both functions but their return on investment as well [6].

More Time for Analysis

The beauty of a centralised assurance model is that key data points are shared. Through a single repository, the business can look at recent assessments, review trends and dig deeper with the data it already has, rather than ask the same questions of a business unit that answered them last month.

This process also assists with developing and maintaining a risk aware culture, as it will mitigate the “assessment fatigue” of the audit department’s internal customers, thereby enabling the department to spend more time adding value to the business and less time digging through filing cabinets.

However, consistent with the overall finding of this paper, this is only possible where there is a single, enterprise wide risk and compliance management platform.

[5] The Smart Money: Integrating ERM & Internal Audit, 2010
[6] Internal Audit ERA Methodware, April 2010


Directors' Liability

For organisations that continue to fail in their risk management and audit obligations, directors can expect to suffer direct consequences in the event that a major failing occurs.

For example, the directors of many firms that failed as a result of the global financial crisis were regarded as liable under the law. In 2008 alone, there were 225 Federal Securities Class Action Lawsuits against directors resulting directly from this [7]. In addition, a variety of high-exposure shareholder class actions have specifically charged management with misconduct [8]. Subsequently, Directors & Officers insurance prices for the S&P financial sector rose by over 50% in the last quarter of 2008 alone [9].

To underline the lack of performance in this area, a study found that only 54% of Fortune 100 directors understood their company’s risk tolerance [10]. Since nearly half of the directors did not know, shareholders are entitled to conclude that these board members were uninformed of a key foundation piece of governance in that organisation, and therefore derelict in their duty.

One can only speculate that if a fully understood risk tolerance level had been imposed by all financial institutions on their respective mortgage securities exposures and the marketing of collateralized debt obligations (regardless of probability metrics), the current crisis may have been mitigated to a large extent, if not prevented altogether.

RIMS Executive Report - The Risk Perspective

This is an essential component of the aviation sector governance profile, which the sector must ensure is well executed.

Nevertheless, merely implementing a risk management process across an enterprise clearly is not enough. Organizations seeking better performance need to broaden and deepen their ERM programs to mature in the competency drivers that support front-line risk ownership, linkage and governance oversight [11].

[7] Business Insurance, Lou Ann Layton, Marsh

[8] Global Financial Restructuring, Baker & McKenzie

[9] Aon Global

[10] CEO Challenge 2006: Top Ten Challenges, The Conference Board, 2006

[11] RIMS State of ERM Report 2008


Return on Investment (ROI) on ERM

The very core of Enterprise Risk Management, when implemented properly, is about the protection of the organisation and enhancing its corporate decision making. However, these are difficult things to apply metrics against.

How do you measure the savings of the organisation against risk events that did not occur, of fines not imposed, or of unforeseeable major corporate losses unrealised due to elements of the program serving the business?

The Obsession with Value over Obligation, 2010

The concept of a ‘return’ on this investment in the same context as some kind of dividend is not well placed. In fact, if the business case for an ERM program is based on this mentality, there are already fundamental shortcomings in governance.

That established, however, as with many other corporate activities in difficult economic climates, there are often calls for organisations to calculate their return on investment related to their ERM programs. The good news is that, with the “because you are required to” and the intangible values set aside, if we think about what ERM delivers there are actually a number of quantifiable outputs.

Decreased variability in financial results is one example, as are reduced hedging, insurance and capital costs. These equate directly to improved cash flow which, when coupled with a reduced discount rate (arising from reduced earnings volatility and an improved reputation within the investment community), results in enhanced company value. The metrics are there; it’s just a question of turning them into a final assessment which quantifies that all-important return on investment.

Looking at those metrics more closely: with rating agencies paying increasing attention to companies’ ERM frameworks, deficiencies or over-performance in this area can be equated to a quantifiable impact on a company’s ability to access capital and on the cost of capital.

Secondly, hard cost savings can be delivered by an ERM program which streamlines existing risk efforts and highlights redundant and inefficient risk activities (e.g. identification/assessment, aggregation and validation processes). Again, another quantifiable metric.

Insurance and hedging costs can be the most tangible cost elements in managing specific risks. ERM can help to optimize and reduce these costs by more clearly identifying underlying risk exposures, existing offsets and potential redundancies and inefficiencies.

Harder to quantify are the investment opportunities which can arise from ERM implementation, but this does not mean the potential ‘up-side’ of ERM should simply be ignored.

ERM enables companies to make smarter, proactive decisions, based on a better understanding of their current risk profile and their appetite for taking on board more risk in pursuit of competitive advantage.

Estimating earnings variability may be a complex task but can feasibly be undertaken both before and after ERM risk mitigation activities in order to demonstrate the impact and value of the ERM program.


ERM is about optimizing risk in accordance with your risk tolerances and setting limits, not simply minimizing risk. Applying a risk lens and risk metrics to a business opportunity, in addition to the growth metric analysis, is likely to result in improved investment decisions. ERM can assist in identifying opportunistic areas of your business that would benefit from investment.

Summary

In summary, the value of ERM certainly has significant quantifiable elements. There is no simple formula for generating that final value but overall, there should be an aggregate of performance in the areas mentioned above [12].

[12] “Demonstrating a return on investment in ERM”, KPMG 2010


Safety Management Systems

The development of safety management systems (SMS) in the industry has taken on renewed focus in the last few years. The definition of “Safety” from the International Civil Aviation Organization (ICAO) is:

Safety is the state in which the risk of harm to persons or of property damage is reduced to, and maintained at or below, an acceptable level through a continuing process of hazard identification and risk management.

The following are excerpts and summarisations of the ICAO Safety Management Manual [13].

Need for Safety Management

Although major air disasters are rare events, less catastrophic accidents and a whole range of incidents occur more frequently. These lesser safety events may be harbingers of underlying safety problems. Ignoring these underlying safety hazards could pave the way for an increase in the number of more serious accidents.

Accidents & Incidents Cost Money

Although purchasing “insurance” can spread the costs of an accident over time, accidents make bad business sense. While insurance may cover specified risks, there are many uninsured costs. In addition, there are less tangible (but no less important) costs such as the loss of confidence of the travelling public. An understanding of the total costs of an accident is fundamental to understanding the economics of safety. The air transportation industry’s future viability may well be predicated on its ability to sustain the public’s perceived safety while travelling. The management of safety is therefore a prerequisite for a sustainable aviation business.

ICAO Requirements

Safety has always been the overriding consideration in all aviation activities. This is reflected in the aims and objectives of ICAO as stated in Article 44 of the Convention on International Civil Aviation (Doc 7300), commonly known as the Chicago Convention, which charges ICAO with ensuring the safe and orderly growth of international civil aviation throughout the world.

In establishing States’ requirements for the management of safety, ICAO differentiates between safety programmes and safety management systems (SMS) as follows:

• A safety programme is an integrated set of regulations and activities aimed at improving safety.

• A safety management system (SMS) is an organized approach to managing safety, including the necessary organizational structures, accountabilities, policies and procedures.

A safety programme will be broad in scope, including many safety activities aimed at fulfilling the programme’s objectives.

[13] Safety Management Manual (SMM) Doc 9859 AN/460


A State’s safety programme embraces those regulations and directives for the conduct of safe operations from the perspective of aircraft operators and those providing air traffic services (ATS), aerodromes and aircraft maintenance.

The safety programme may include provisions for such diverse activities as incident reporting, safety investigations, safety audits and safety promotion. To implement such safety activities in an integrated manner requires a coherent SMS.

An organisation’s SMS shall clearly define lines of safety accountability, including a direct accountability for safety on the part of senior management.

ICAO has been specific in its guidance on SMS:

Airline Operator SMS. An oversight authority and an airline operator agree on an acceptable level of safety to be achieved by the operator SMS, one measure of which — but not the only one — is 0.5 fatal accidents per 100 000 departures (safety indicator); a 40 per cent reduction in five years (safety target) and — among others — the development of GPS approaches for airfields without ILS approaches (safety requirement).

Service Provider & Aerodrome Operator SMS. An oversight authority, an ATS provider and an aerodrome operator agree on an acceptable level of safety to be achieved by the provider and operator SMS, one element of which — but not the only one — is no more than one runway incursion per 40 000 aircraft movements (safety indicator); a 40 per cent reduction in a 12-month period (safety target) and — among others — the establishment of low visibility taxi procedures (safety requirement).

As a minimum, an SMS shall:

• Identify safety hazards;

• Ensure that remedial actions necessary to mitigate the risks/hazards are implemented; and

• Provide for continuous monitoring and regular assessment of the safety level achieved.

As you can see, the three minimum requirements of an SMS are very much in alignment with, or indeed a subset of, the overall risk management framework.

Achieving Lead Indicator Environments

ICAO has recognised the need to drive more proactive, risk-based systems that offer early warning as part of the aviation management response. In its study of SMS, it has charted the evolution of risk and safety management in the industry.
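The acceptable-level-of-safety construct quoted above (safety indicator, safety target, safety requirement) and the lead indicator idea can be made concrete. The Python below is an added illustration, not code from the whitepaper or from ICAO Doc 9859: it evaluates a constructed series of period data against an agreed indicator level and reduction target, and raises an early-warning flag when the per-period rate has risen for three consecutive periods even though the agreed level has not yet been breached. The period figures, the pooling of events over a baseline window and the three-period trend rule are all assumptions made for the example.

```python
"""Added illustration (not from the whitepaper or ICAO Doc 9859): evaluating an
SMS safety indicator against an agreed acceptable level of safety and a
reduction target, with a simple lead-indicator warning. All data is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SafetyIndicator:
    name: str
    per: int                # exposure base, e.g. 100_000 departures
    acceptable_rate: float  # agreed acceptable level: events per `per` units


@dataclass(frozen=True)
class PeriodData:
    period: str
    events: int
    exposure: int           # departures or aircraft movements in the period


def rate_per(ind: SafetyIndicator, events: int, exposure: int) -> Optional[float]:
    """Events normalised to the indicator's exposure base; None if no exposure."""
    if exposure <= 0:
        return None  # nothing operated: report "no data", never a misleading 0.0
    return events * ind.per / exposure


def pooled_rate(ind: SafetyIndicator, window: List[PeriodData]) -> Optional[float]:
    """Pool events and exposure across a window so that one quiet or busy
    period does not distort the rate (rare events, small counts)."""
    return rate_per(ind, sum(p.events for p in window),
                    sum(p.exposure for p in window))


def evaluate(ind: SafetyIndicator, history: List[PeriodData],
             target_reduction: float, window: int) -> Dict[str, object]:
    """Compare the latest `window` periods with the first `window` periods (the
    baseline when the level was agreed). Report breach of the acceptable level,
    progress against the target (0.40 means "40 per cent reduction"), and a
    lead-indicator warning when the per-period rate rose over the last three
    periods, even if the level has not been breached (assumed trend rule)."""
    if len(history) < 2 * window:
        raise ValueError("need at least two full windows of data")
    baseline = pooled_rate(ind, history[:window])
    current = pooled_rate(ind, history[-window:])
    if baseline is None or current is None:
        raise ValueError("baseline or current window has no exposure")
    if baseline > 0:
        reduction = 1.0 - current / baseline
    else:
        reduction = 0.0 if current == 0 else -1.0  # any event against a zero baseline is a regression
    recent = [rate_per(ind, p.events, p.exposure) for p in history[-3:]]
    rising = (None not in recent and len(recent) == 3
              and recent[0] < recent[1] < recent[2])
    return {
        "indicator": ind.name,
        "baseline_rate": baseline,
        "current_rate": current,
        "breach": current > ind.acceptable_rate,
        "achieved_reduction": reduction,
        "target_met": reduction >= target_reduction,
        "trend_warning": rising,
    }


# Constructed data mirroring the two ICAO illustrations quoted above.
AIRLINE = SafetyIndicator("fatal accidents per 100 000 departures", 100_000, 0.5)
AIRLINE_HISTORY = [  # annual periods, assumed figures
    PeriodData("Y1", 2, 400_000), PeriodData("Y2", 2, 400_000),
    PeriodData("Y3", 2, 450_000), PeriodData("Y4", 1, 480_000),
    PeriodData("Y5", 1, 500_000), PeriodData("Y6", 1, 500_000),
]
AERODROME = SafetyIndicator("runway incursions per 40 000 movements", 40_000, 1.0)
AERODROME_HISTORY = [  # monthly periods, assumed figures; rate still within limit but rising
    PeriodData("M1", 1, 40_000), PeriodData("M2", 1, 40_000), PeriodData("M3", 1, 40_000),
    PeriodData("M4", 0, 40_000), PeriodData("M5", 1, 48_000), PeriodData("M6", 1, 40_000),
    PeriodData("M7", 1, 35_000),
]

if __name__ == "__main__":
    for ind, hist, win in ((AIRLINE, AIRLINE_HISTORY, 2), (AERODROME, AERODROME_HISTORY, 3)):
        for key, value in evaluate(ind, hist, 0.40, win).items():
            print(f"{key}: {value}")
        print()
```

The aerodrome series shows the point of a lead indicator environment: the pooled rate is still under the agreed level and the target is not met, yet the warning fires because the trend is heading toward a breach.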


The Evolution of Safety

In its own text, provided below, ICAO makes the distinction between the “Traditional Approach” and its targeted approach, which it describes as a “Modern Perspective”:

Traditional Perspective

Historically, aviation safety focused on compliance with increasingly complex regulatory requirements. This approach worked well up until the late 1970s when the accident rate levelled off.

Accidents continued to occur in spite of all the rules and regulations.

Safety Management Manual (SMM) Doc 9859 AN/460

This approach to safety reacted to undesirable events by prescribing measures to prevent recurrence. Rather than defining best practices or desired standards, such an approach aimed at ensuring that only minimum standards were met.

Modern Perspective

In order to keep safety risks at an acceptable level with the increasing levels of activity, modern safety management practices are shifting from a purely reactive to a more proactive mode. In addition to a solid framework of legislation and regulatory requirements based on ICAO SARPs, and the enforcement of those requirements, a number of other factors, some of which are listed below, are considered to be effective in managing safety.

Components of a mature and effective risk and compliance (& safety) program are:

• Application of scientifically-based risk management methods;

• Senior management’s commitment to the management of safety;

• A corporate safety culture that fosters safe practices, encourages safety communications and actively manages safety with the same attention to results as financial management;

• Effective implementation of standard operating procedures (SOPs), including the use of checklists and briefings;


• A non-punitive environment (or just culture) to foster effective incident and hazard reporting;

• Systems to collect, analyse and share safety-related data arising from normal operations;

• Competent investigation of accidents and serious incidents identifying systemic safety deficiencies (rather than just targets for blame);

• Integration of safety training (including Human Factors) for operational personnel;

• Sharing safety lessons learned and best practices through the active exchange of safety information (among companies and States); and

• Systematic safety oversight and performance monitoring aimed at assessing safety performance and reducing or eliminating emerging problem areas.

No single element will meet today’s expectations for risk management. Rather, “an integrated application” of most of these elements will increase the aviation system’s resistance to unsafe acts and conditions.

Safety Management Manual (SMM) Doc 9859 AN/460

Nowhere to Hide

In order to manage the operator’s risk and compliance profile, and to keep safety risks at an acceptable level with the increasing levels of industry activity, management needs to establish safety as a core value of the organisation.

It can accomplish this by setting objectives and risk management and safety goals, then holding managers and employees accountable for achieving those goals.

Staff look to management for:

• Clear direction in the form of credible policies, objectives, goals, standards, etc.;

• Adequate resources, including sufficient time, to fulfil assigned tasks safely and efficiently; and

• Expertise in terms of access to experience through safety literature, training, seminars, etc.

This onus on management applies regardless of the size or type of organization providing the aviation service. The role of management in managing safety is a recurring theme throughout . . .

Safety Management Manual (SMM) Doc 9859 AN/460


Civil Aviation Regulation

The basis of operator standards is addressed within the parameters of the relevant Civil Aviation Regulation.

Part 139 (Airports)

Subpart A – General

Subpart B – Certification Requirements

Subpart C – Operating Requirements

Subpart D – Aerodrome Security

Subpart E – Reserved

Subpart F – UNICOM and AWIB Services

Part 121 (Airlines)

Subpart A – General

Subpart B – Flight Operations

Subpart C – Operating Limitations and Weather Requirements

Subpart D – Performance

Subpart E – Weight and Balance

Subpart F – Instruments and Equipment

Subpart G – Maintenance

Subpart H – Crew Member Requirements

Subpart I – Training

Subpart J – Crew Member Competency Requirements

Subpart K – Fatigue of Flight Crew

Subpart L – Manuals, Logs, and Records

Subpart M – Advance Qualification Programme

A Risk Based Approach

Recognising that regulation is most effective in a static (non-change) environment, and that this is not an apt description of the aviation context, ICAO has provided clear direction that the use of a risk-based approach to regulatory compliance is required. The very nature of a risk-based process optimises performance in a dynamic and fluid operating environment such as the aviation sector. This has many titles, but one often used by ICAO is Data Driven Safety, explained as:

Through extensive coordination of the internal and external safety data sources available to it, ICAO begins to emphasize a more targeted, proactive and operational approach to global aviation’s most fundamental objective.


Conclusion

When reviewing the components of the overall GRC profile facing the aviation sector and its participants, there is no escaping the fact that only a truly holistic management programme can offer the potential to meet, if not exceed, the industry’s important objectives.

The stakeholders of the sector are many and varied, and extend to the travelling public in the farthest reaches of the globe. Indeed, their vested interest is their very lives; even more compelling than that of the institutional shareholder.

However, corporate governance must and does remain a central theme. Each operator, regardless of its airside operations and safety targets, is a business.

The owners of airports and aerodromes, and of airlines, are also varied. From local government and community councils, to federal/central governments, to private equity groups and publicly listed companies, they all share a common goal: the pursuit of profit, of viable long-term sustainable business models. Add to this the pressures of local body law, CAA application of industry regulation, standard “common-law” legislation, the economic climate, terrorism, travel trends, and regional security. And lest we forget, perhaps the defining issue of this generation: climate change.

Operators in the aviation industry – be they domestic or international – are all buffeted by these winds. The macro-risk profile is immense. The operational profile is as well, and the governance requirements are both fluid and ever-demanding. There are no quick-fire answers.

There will always be the challenge of new standards and regulation; but the real conclusion of this document is the theme of interdependencies. The management – even where there is outstanding performance – of all four aspects of the GRC profile is executed in silos. This is perhaps understandable given the high level of expertise required for each, but it poses a significant problem.

Yet there is one undeniable, common thread, and it is here that a solution lies. Risk management, and its intrinsic disciplines and methodologies, can tie each of the four elements together. However, if risk management is established and performed in yet another isolated department, the potential it offers will be lost.

Therefore the fundamental conclusion of this review is that only a single, enterprise-wide, risk-based platform can drive enhanced performance in each of the elements concurrently. This encapsulates ALL aspects of the operator from its boardroom through its corporate services (IT, finance, legal services, HR, OSH) to its operations and day-to-day functions.

Only in this context can there be sufficient data to meet the goals of ICAO and the wider industry:

• To maintain a robust and profitable industry

• To achieve improved safety levels through lead indicator environments (modern approach)

• To capture and share information and standards across the globe


Areas of Focus

This paper advocates that the sector focus on the following areas:

Local CAA & Regulators

• To assert effective risk-based lead indicator environments

• To seek demonstrable data-based SMS

• To advocate and enforce high standards of risk-based regulation management in their region

Airport & Airline Boards of Directors

• To seek genuine ERM across their enterprise

• To go beyond asking for the “Top 10 risks”

• To report honestly and forthrightly about their risks within annual reports

• To drive their management to deliver and demonstrate a lead indicator environment

• To align the risk management and reporting framework with corporate governance guidance and legislation

Operator CEO

• To encourage their boards in the pursuit of effective GRC programs

• To ensure a single platform approach across the enterprise

• To drive the necessary culture and risk management awareness

Operator CFO, IT & Corporate Services

• To contain costs by identifying single platforms which can replace multiple disparate systems

• To ensure quality technology integration and data integrity & security

Legal Counsel

• To seek to implement verifiable, auditable compliance information gathering

• To avoid practices that create “tick-box” compliance thinking

• To ensure compliance reporting offers genuine assurance to the board

Safety | Airside | Operations Management

• Ensure a risk-based approach

• Capture interdependencies at both the control and risk levels

• Automate early warning systems (lead indicator environments)

• Drive robust controls management

• Map the program against expositions agreed with the regulator


Bibliography

The following documents and sources were referenced during the development of this White Paper.

Human Factors Digest No. 16: Cross-Cultural Factors in Aviation Safety (Cir 302) – presents the safety case for cross-cultural factors in aviation

Human Factors Guidelines for Safety Audits Manual (Doc 9806) – provides guidelines for preparing for, or conducting, a safety oversight audit that includes consideration of human performance and limitations

Human Factors Training Manual (Doc 9683) – describes in greater detail much of the underlying approach to the human performance aspects of safety management

Line Operations Safety Audit (LOSA) (Doc 9803) – presents information on the control and management of human error and the development of countermeasures to error in operational environments

Manual on Certification of Aerodromes (Doc 9774) – describes the salient features of an SMS to be included in the aerodrome manual for certified aerodromes

Preparation of an Operations Manual (Doc 9376) – provides detailed guidance to operators in such areas as training and the supervision of operations, and includes direction on the need to maintain an accident prevention programme

Safety Oversight Audit Manual (Doc 9735) – provides guidance and information on standard auditing procedures for the conduct of ICAO Safety Oversight audits

ICAO Safety Management Manual, 2nd Edition, 2009

Civil Aviation Safety Authority (Australia) Risk Report, 2007

ISO 31000:2009 Principles & Guidelines of Risk Management

The Global Risks Expert Perception Survey, World Economic Forum, 2009

Global Risk Report, World Economic Forum, 2010

The Role of Internal Auditing in Enterprise-wide Risk Management, Institute of Internal Auditors, September 2004

CEO Challenge 2006: Top Ten Challenges, The Conference Board, 2006

The Risk Perspective: The 2008 Financial Crisis, A Wake-up Call for Enterprise Risk Management, RIMS Executive Report

State of ERM Report, RIMS, 2008

Business Insurance News (interview with Lou Ann Layton, Leader of the Marsh U.S. Financial and Professional Liability Practice)


About WatchTower International

WatchTower International (WTI) is a boutique GRC firm providing services to clients across the globe. In particular, WTI is a provider of advisory services and risk management systems to the aviation sector through its WT-Navigator Program.

More information can be found at www.watchtowerservices.com

Queries and communications about this whitepaper can be directed to:

The Aviation Practice
WatchTower International (WTI)
www.watchtowerservices.com
+64 3 374 9664


WatchTower Risk Consulting Ltd
www.watchtowerservices.com

Registered Office: 9 Dinglebay Place, Harewood, Christchurch, New Zealand

Postal Address: PO Box 8554, Riccarton, Christchurch 8440, New Zealand

Trading Names: WatchTower, WatchTower International, WTI

Service Brands: WT-Profiler, WT-Navigator, WT-PowerON, WT-Comply, WT-Tech