In business aviation, operators often rely on a vast network of third-party vendors, most of whom directly affect the operator’s own safety and compliance. How do you manage risk that you are responsible for but do not directly control? It is one of the most persistent challenges in the industry, and nobody has fully solved it. What this article offers is a set of practical steps to make sure third-party risk is properly considered and managed by your organization.
First things first: the regulations
For those bound by Part 5 SMS requirements, 14 CFR § 5.57 requires operators to notify individuals or companies of hazards when that outside party is in the best position to address them. Meanwhile, 14 CFR § 5.71 specifically mandates that operators must also investigate hazard notifications received from external sources, in addition to internally generated ones like employee reports or internal audits.
What this means practically is that you must have a mechanism to notify third-party vendors about hazards you’ve identified that affect your safety. It doesn’t have to be complicated, but it does have to be documented. You must also investigate the safety reports that vendors send to you. It expands your internal safety loop into a two-way, external one, and it means you are responsible for ensuring risk is mitigated in either direction.
If a vendor flags a hazard to you, you must address it in your operation. If you flag a hazard to a vendor, you can’t send and forget. You must track it to ensure the risk to your operation is brought to an acceptable level, even if that means changing how you work with that vendor.
For those not bound by Part 5 requirements, this is still best practice.
You can’t outsource safety (or compliance)
A certificate holder is responsible for their own safety and compliance. Outsourcing functions does not mean outsourcing safety and compliance, and that has to be considered when deciding to use a third party. It also needs to be reflected not only in your SMS, but in your vendor management processes in the operating environment. How is vendor safety performance managed? What paths for remedy exist? What contractual obligations do you require? These aren’t hypothetical questions. They need answers before something goes wrong.
Set expectations, not just contracts
Contract language that clearly spells out vendor safety responsibilities, how they interface with the operator, and their obligation to cooperate with investigations is a strong starting point. It is not the finish line.
For high-risk or high-use vendors, operators should lay out clear expectations for how to execute those requirements practically. Make sure the vendor understands the requirements you are under, their role in helping you meet them, and what acceptable performance looks like day to day. Make sure they understand how they are being evaluated. A simple example: if you expect a vendor to notify you within 24 hours of any incident involving your aircraft or passengers, say so explicitly, not just in the contract, but in the working relationship.
However you manage vendor relationships, this should be a standing item in that ongoing conversation. Requirements that exist on paper but are impractical or difficult to comply with do not advance aviation safety; they get ignored.
Assign it internally, or it belongs to no one
We’ve established that the operator is responsible. Inside the organization, however, “the operator” can mean many different people, and that ambiguity is a common point of breakdown. It is necessary to identify an individual internally, by vendor or by vendor function, who owns the safety performance of that third party. This person is the key link between the two entities: the company holds the internal employee accountable, and the employee holds the third party accountable.
This also shouldn’t be performative. If it is part of an individual’s role to manage a vendor’s safety performance, they should have a seat at the table to determine if that vendor is suitable for continued use, should that discussion arise. This chain of accountability ensures that deficient safety performance is identified at its source, mitigated, and checked.
Measuring performance
There’s no need to reinvent the wheel here. Chances are, you already measure performance for your internal operation. Extend that same effort to your third-party vendors. Look at performance both at the functional level (how is this type of vendor performing across the board) and at the individual vendor level (how is this individual vendor performing to standards). Include that analysis in whatever safety decision-making process your organization already has in place.
Ideally, third-party risk is not treated as a separate workstream from how you manage first-party risk, because at the end of the day it is first-party risk.
Third-party risk management isn’t a separate discipline. It’s just risk management. Your certificate, your passengers, your risk. The vendors in your operation are extensions of it, not exceptions to it. You already have the tools. Apply the same rigor, build the right accountability structures, and close the loop.