What is risk and how do we avoid it?
By Patrick Kinane
Risk, according to the dictionary, is a situation involving exposure to danger. Danger can be fictional or real and can emanate internally or externally. A fictional danger could be a phobia. I have acrophobia (fear of heights) but I have no fear of flying small airplanes. I see pictures of high-rise steel workers from the early 20th century standing on steel beams without tether, hundreds of feet above ground and I cringe. Put some of those same people into a small plane where I am comfortable and they might be scared. What does this have to do with risk? Each individual defines what a danger is and isn’t. We will be less cautious of what we don’t see as a danger than of what we do perceive as a danger.
The Role of Reason
Reason has less of an impact on our personal assessment of risk. If we feel that there’s danger to standing on a three-foot ladder, then it’s real risk to us. If we don’t feel danger standing and walking on a steel beam 12 inches wide and hundreds of feet in the air, then there is little risk to us. Add reason to these scenarios, and standing on a three-foot ladder has low risk and walking on a steel beam hundreds of feet in the air is high risk. Our personal risk assessment is immaterial. Reasona dictates that robust measures must be in place to reduce the risk for the high-risk steel worker and much less stringent measures for the three-foot ladder.
Reason is also reflective of the reality of the risk and the direction to reduce it. Notice that I never said eliminate it — although that is the ultimate goal we work toward continuously, it is not achievable. There is a real risk for the steel workers and measures can be taken to reduce the risk level. Acrophobia is a real risk for the individual, but not a reality for others. Different measures must be taken if it becomes detrimental to your daily function.
We assess risk all the time but have become conditioned to accept some risk. We drive to work without taking into consideration the risk involved. When our sons and daughters reach driving age and go out for the first time alone, our risk assessment and concern goes up. We assess risk on skill and experience.
Applying risk to your business
As a mechanic, would you be apt to disregard a torn armrest cover or a crack in the fuselage? Given the choice, the crack in the fuselage is clearly more important and detrimental to safety. However, the ultimate correct answer is neither, but we are under constraints to make those kinds of decisions. We are also prone to escalating our assessment of risk taking.
If we know that the speed limit is 55 mph and notice that we can zoom through the speed trap at 58 mph without the cops chasing us, we will try it again at 60 mph. If they still don’t come after us, we will push it to 62 mph — but now the cops give us a traffic ticket. We have learned that we can go five over the speed limit without getting a ticket and we settle in to driving at 60 mph. This is called escalation of deviance. It occurs in our work as well but it is an odds game. The chances of getting a ticket at 60 mph is lower than at 62 mph. We have assessed that we will accept the risk at those lower odds and drive 60 mph. If you stood on the top step of a ladder 50 times without getting hurt, what do you think you will do the next time on a ladder without thinking of the risk? You have lured yourself into a more hazardous situation and become oblivious to the inherent risk.
Now we have to consider risk by FAA decree with the introduction of Safety Management Systems (SMS). If your business is ISO9100 or any of the series of associated AS standards, you are well aware of risk because it is enhanced with the revision to the standards. If you are not subject the ISO or AS standards, there is still value in their application.
Risk as defined in AC120-92A “Safety Management Systems for Aviation Service Providers” is in reference to safety of personnel and equipment. The FAA has focused on things that are hazardous and lead to physical risk. Is that all there is? What about harm to the business? The AS 9100 series of quality standards defines risk as “An undesirable situation or circumstance that has both a likelihood of occurring and a potentially negative consequence,” (SAE, 2009, page eight). This broadens the scope of risk.
Risk affects everything. It can be real or it can be imagined. Let’s deal with reality, as imagined risk requires another type of analysis. Risk can affect financial, strategic, regulatory and compliance, effectiveness, political and human factors, as well as ethics. Risk can be apparent or imminent. In other words, we are reactive or proactive in its management. The best companies do both but we wind up being so caught up firefighting in a reactive state that we don’t have time to devote to proactive measures.
We cannot eliminate risk but we can control its frequency and severity through risk management. Risk management is a “process to identify, assess, reduce, accept and control risks in a systematic, proactive, comprehensive and cost-effective manner, taking into account the business, costs, technical, quality and schedule programmatic constraints” (IAQG, 2009, page two). Wow — that’s a mouthful. What it boils down to is that you have to look at risk as unavoidable but controllable.
How much risk can you live with? The Food and Drug Administration has guidelines that allow a certain amount of contaminants in our food. They recognize that, although zero is ideal, there is a safe and acceptable amount. Determine what amount of risk is acceptable, then analyze and work toward mitigating what is not acceptable.
The IAQG definition also recommends taking all the constraints into account. W. Edwards Deming said that all systems within an organization are interlinked. As in physics, where every action has an equal and opposite reaction, whatever you do to mitigate risk can have an effect somewhere else and there may be constraints that restrict or prevent you from doing what you want. (There is a whole system of thought on the Theory of Constraints — if you want an excellent introduction, read “The Goal” by Eliyahu M. Goldratt. It’s written as a story for easy reading while you learn.)
Risk management is a struggle of balance. Think interlinked systems — what are you willing to give up to mitigate risk? There is usually a trade-off. There is a cost, schedule and technical impact when managing risk. Pull on one and it affects the others.
The risk management process involves identifying and analyzing the risk, implementing the risk mitigation tactic, monitoring to determine if the plan is working, adjusting and solidifying the process, and then identifying and analyzing the remaining risk. It is a cycle without end. I’ve written of “plan, do, check, act” (PDCA), the same continuous improvement cycle in earlier articles.
Reaction and proaction
Where do we go with this? Simply saying “start here” would not help. This has to be a two-pronged approach, both reactive and proactive.
When you have a water leak in your house, the first thing you do is shut off the main water supply to prevent further damage (containment — reactive). Then you find the source of the leak and apply a repair (correction — reactive). Then you can turn the main water supply on and have running water. This is where many organizations stop and then wonder why the problem continues to recur. Analysis of why the leak occurred could show that water pipes are corroded. Implementation of measures to keep it from happening again could mean replacing the water pipes in the house (prevention — proactive). The idea is to start to shift from being predominantly reactive to being predominantly proactive. The more proactive an organization is, the less reactive crisis management firefighting takes place.
Here is the trade-off I mentioned earlier. Fixing the pipe could cost $50 — but replacement of all the water pipes could be $5,000 and damage from the leaking pipe could be $1,000. Do you replace the pipe in the house or take the chance that the leaks occur infrequently and just fix as you go? Here it is again: frequency versus severity. If the leaks are infrequent, we could live with springing a leak every two years or so. If it didn’t cause a lot of damage, we may decide to just fix the leak. A change in either of these categories (increase in leak frequency or potential for significant leak damage) could mean a need for more drastic action.
Awareness and mitigation
Risk is more than just the probability of cutting your finger or denting the fender on a piece of equipment. Personal and equipment damage in the aviation industry can be enormous and the FAA is working to initiate a process to lessen its effect and make our workplace safer (thus SMS).
The other side is the business end and we have to be aware that risk is more than physical. Risk assessment should occur anytime there is a change, like introduction of a new vendor, a new customer, a new product, a new process, a new piece of equipment or a change in a vendor/customer, regulation change or culture change. So it is anytime you have a shift in the organizational operational dynamic, but there are also latent risks that have not been analyzed that are affecting the organization on a daily basis.
We are surrounded by risk and we have to know what is acceptable. Mitigate the unacceptable risk and continue to work on alleviating the remaining acceptable risk.
As George S. Patton said, “Take calculated risks. That is quite different from being rash.”
Patrick Kinane joined the Air Force after high school and has worked in aviation since 1964. Kinane is a certified A&P with Inspection Authorization and also holds an FAA license and commercial pilot certificate with instrument rating. He earned a B.S. in aviation maintenance management, MBA in quantitative methods, M.S. in education and Ph.D. in organizational psychology. The majority of his aviation career has been involved with 121 carriers where he has held positions from aircraft mechanic to director of maintenance. Kinane currently works as Senior Quality Systems Auditor for AAR Corp. and adjunct professor for DeVry University instructing in Organizational Behavior, Total Quality Management (TQM) and Critical Thinking. PlaneQA is his consulting company that specializes in quality and safety system audits and training. Speaking engagements are available with subjects in Critical Thinking, Quality Systems and Organizational Behavior. For more information, visit www.PlaneQA.com.
IAQG, International Aerospace Quality Group, 2009, Risk Management Guidance Material.
Society of Automotive Engineers, 2009, Aerospace Standard AS9100C, Quality Management Systems – Requirements for Aviation, Space and Defense Organizations, SAE International, Warrendale, PA