AEROSPACE Risk management

Managing risk - back to basics?

In recovering from the disruption caused by the Covid-19 virus, in addition to a Brexit with a potential ‘no deal’, a key tool in the corporate toolkit will be effective risk management. RAeS Past-President LEE BALTHAZOR FRAeS explains.

In these unprecedented times of national emergency, some aerospace professionals remain busy, at their place of work or working from home. However, many others will have been furloughed. Such time of enforced absence from normal working may provide the opportunity for continuing professional development – the hallmark of an aerospace professional.

This article assumes that the reader is already familiar with risk management concepts and aims to provide an opportunity to improve capability in effective risk management by understanding some of the basic principles that may be deficient in current risk management strategy and processes. The author has experience of managing risk and of providing risk management training in industry and academia – some of which has revealed that, despite risk management strategies and plans being in place, some aerospace companies, and many small and medium enterprises, do not always fully apply the basics of effective risk management. The following points may seem common sense but they all come from real life examples of failure to apply key principles that resulted in very real problems.

Virgin Galactic

Corporate governance failures, financial failures (eg the 2008 global financial crisis) and continuing major project cost and time overruns have resulted in improved oversight of risks for business and organisations but risks still keep turning into problems. So – what may be going wrong?

We do not yet know enough about Covid-19 at the time of writing to understand how it may affect our future – and there will still be Brexit to manage, as the UK Government continues with policies which may result in a ‘no deal’ exit. Industry and commerce will have to ensure that future risk management plans can deal with the ongoing effects of both, as well as improving the management of the programmes already in place which have overrun and overspent and which are now subject to major disruption. So this might be a good opportunity to remind ourselves of some of the basic questions which should always be asked about our risk approach. Business continuity plans are a fundamental part of effective risk management and they will be playing a key part in any recovery. I will, however, focus on operational risk management processes.

Does the culture encourage everyone to raise risks?

In the bid phase of potential business, it is crucial to involve all functions in risk identification so that the risks throughout the life cycle of the project are understood – before commitment!

As with any enterprise management, leadership is key. Senior management must encourage everyone to have the responsibility of being ‘risk aware’, of identifying risks that they see in their own area or indeed elsewhere. Unless risks are visible for assessment, key risks may never appear on a risk register for management action. This should not mean a massive database but an initial review and assessment to determine whether it is a valid cause for concern, or indeed an opportunity which can be used to advantage (about which, more later). The principle here is to draw upon everyone’s experience of their work area and the uncertainties ahead by including in risk reviews all those personnel who might be able to contribute, whatever their level. Yes, it does take up human resources but even more so does ‘firefighting’ a problem that emerges later, which was known but not raised to a high enough level for action. This is a key area where leadership is important – structures should be firmly in place to help ensure that all views can be taken into account, not just those of dominant managers.

Concerns are often raised by junior staff that there are insufficient resources. This is usually countered by managers commenting that the allocated budget or time is all that is available. However, making visible the risk that continuing with limited resources could delay completion may help provide the justification for a change, or at least raise management awareness of the risk in the programme so that they can better judge where to apply limited resources. It was earlier noted that another dimension of risk is opportunity – this situation can also be seen as an opportunity to find a more efficient way to achieve the objective.

Risk ownership is also important: assigning a risk to a risk owner and giving them the resources to manage the risk, means that the risk is less likely to be overlooked as it is a personal objective to be managed. This principle is sometimes difficult to apply when a risk crosses departmental or organisational boundaries but focusing on this principle can help identify clear interfaces and handovers of responsibility.

How systematic are the risk processes? ​

For many years now, there has been a recognition that the key to effective risk management is a systematic process. Currently, the international standard ISO 31000:2018 Risk Management Guidelines provides a globally accepted systematic approach. The standard details the three key axes of Principles (centred on value creation and protection), Framework (leadership and commitment) and Process. However, rigidly adhering to the processes of a systematic approach without adding flexibility to rapidly respond to changing risk exposure may result in becoming mired in detail when the best business judgement may be a pragmatic approach. Indeed, the need for a dynamic system is a key element of value creation and protection.

Do you know the business and project critical success factors for all stakeholders?

Figure 1. A systematic risk management process.

Figure 1 shows a systematic process that starts with understanding the relationship between the business and project critical success factors for all the stakeholders before you start on the risk management process itself. Too often the risk focus is too narrow – if risks of other stakeholders are not understood, you may be unaware of how their risks may impact you later. Perhaps even more important is to start with a clear understanding of your own business and project critical success factors. If you know these, then there may well be the chance for you to identify opportunities to improve the business, as well as threats that may prejudice their achievement.

Are key assumptions visible?

There is always uncertainty ahead and different perspectives and responsibilities usually result in different assumptions about the future. It is absolutely vital therefore, to make key assumptions visible so that they may be challenged and agreed as the basis for risk analysis and action.

Does the assessment take a life cycle approach?

Never create a risk plan alone! Involve all functions across the whole life cycle of the project, not just your own. Different departments may see risks that you may be unaware of. ‘Brainstorming’ techniques are essential to help identify a range of potential risks. Some organisations ensure that they bring in people from other projects or organisations to enhance the opportunities for creative thinking about what may lie ahead.

How structured is the creation of the risk definition?

Risk may be defined as a potential problem or opportunity, a combination of probability and impact. To understand project timescale risk, critical path analysis is absolutely crucial. Risk management modelling software is available that can model risk variations to project critical path analyses and is used in some large and complex projects. Modelling can be very powerful in understanding risk but only if you have sufficient data to analyse. However, for any project, a tool from the Quality Assurance toolkit, the Ishikawa diagram, is a powerful and simple approach to help improve the understanding of risk probability and impact. Both Figures 2 and 3 illustrate how this might be used, by considering drivers which might influence a risk that has been identified in terms of causes and effects. The drivers ‘people’, ‘processes’, ‘money’ and ’material’ are common categories but any key driver affecting the risk could be used.