In any functional safety system, the key component is effectively managing risk. We talk a lot about identifying hazards, mitigating them, and following up to ensure those mitigations hold. Simple enough in concept.
But there’s one conversation that needs to happen before any of that work is meaningful, and it’s the one most organizations skip.
What is your organization’s risk tolerance? What level of uncertainty are your operational leaders and executives willing to accept in pursuit of the company’s mission? Has your organization had that discussion, and did the results make it into your risk matrix?
For most, the honest answer is no. And here’s the kicker: risk tolerance is a moving target.
The Starting Line
It’s easy to take a risk matrix off the shelf, plug it in, and manage risk. It’s just not effective. Every organization has a different risk tolerance in different categories: operational, financial, reputational, regulatory, etc. What one organization sees as acceptable, another won’t. An organization’s baseline level of acceptable risk, defined category by category, is the foundation on which all other risk decisions should be built.
Without that foundation, risk management becomes guesswork. Decisions get made at the wrong level, by the wrong people, with no shared understanding of where the organization draws the line.
It’s also worth distinguishing between two terms that often get used interchangeably. Risk appetite is a strategic, high-level position on how much uncertainty an organization is willing to accept in pursuit of its goals. Risk tolerance is more specific. It is the hard limits that ensure the organization doesn’t stray beyond what it has determined is acceptable. One informs strategy. The other governs operations.
Where Does It Live?
Your organization’s risk tolerances are, ideally, contained in your risk matrix. However, if you are using a boilerplate risk matrix, it’s based on someone else’s tolerance. So where is it in that case? It’s in conversations. It’s in leadership’s reaction to adverse events. In some cases, it’s in the regulations which prescribe a floor for activity, but don’t supply a ceiling. It does, however, need to be uncovered.
Without written tolerance, it’s left up to individuals to determine what is and is not acceptable. This causes wild inconsistencies in how risk management is done, and as we all know, an inconsistent system is an unstable system. Your organization’s tolerance exists, it just may not be formalized or discussed. Organizations should get these conversations out in the open and start to document the results. But how?
Turn Theory Into Action
A conversation with your Accountable Executive is a great starting point. Work side by side to determine how to proceed. Get an understanding of the organization’s risk appetite and craft a plan to build the risk tolerance from there.
You also will need to determine which categories to include and identify who the highest-level functional leader is for each category. Who is responsible for outcomes in that area? Some operators get very granular and include non-safety related categories, which is good practice. Others keep it high level and only include safety-related events.
Create a baseline and work from the top down to identify the risk tolerance within each category. Your baseline can be imperfect; it is just a conversation starter. Your existing risk matrix is probably fine. Let the individual leaders determine where the dividing line is between a high and moderate risk, as an example.
When you work with your leaders, you (and your AE, ultimately) are the keepers of the strategy. You’ll need to ensure that risk tolerances reflect the risk appetite. As an example, zero tolerance. Zero tolerance, in most cases, is impractical. It’s one thing to memorialize that you have no tolerance for hull loss accidents. That makes sense and is prudent. Zero minor altitude deviations? Less prudent, and practically infeasible.
Memorialize It!
Once all this hard work is completed, it needs to be agreed to, and it needs to be codified. It helps to put the entire picture together and brief the leaders you spoke to as a group, just to be sure that there are no cross functional concerns that pop up later. Once there is operational agreement, the Accountable Executive should sign off on the plan.
Now that everyone’s on board, dust off that risk matrix! Ensure that the categories and the risk levels that everyone has agreed to are added, and that the matrix is available to all employees. This leaves no doubt as to what the organization sees as acceptable versus unacceptable risk. Consider including this in your SMS training at all levels, and possibly adding language to your AE-signed Safety Policy Statement that covers risk tolerance.
One thing to not forget at this point: document the process and procedures for reviewing this in your SMS Manual. Future you will be thankful, and now you have a template should you need to do this again.
When Do You Revisit?
For starters, annually (if nothing else triggers a review). Make a review of this information part of an annual management review or add it to a meeting once a year. This will help ensure that nothing has changed that hasn’t bubbled up to the surface.
There are some triggers that should be no-brainers. A senior leadership or Accountable Executive change should absolutely result in a review. They, as the new risk owners, should have an opportunity to make changes. Large organizational structure changes should be considered as well; when reporting lines change, so does process ownership. Other large changes such as a new fleet type or mergers and acquisitions can also affect risk tolerance.
More tactically, if you notice that the organization is either overreacting or underreacting to events, and it isn’t aligned with your understanding of the risk levels, that may be a sign that it isn’t quite dialed in. Iterative, incremental changes aren’t a bad thing, they’re how these things stick long-term.
Remember: your risk tolerance exists whether you’ve defined it or not. The only question is whether you’re managing it deliberately or by accident.
