Whitepaper The Case For Integrated Risk & Compliance Management Platforms In The Aviation Sector Final

Industry Whitepaper: The Case for Integrated Risk and Compliance Management Platforms in the Aviation Sector

© 2010 WatchTower Risk Consulting Ltd. Apart from any use as permitted under the Copyright Act 1968, all other rights are reserved.

Disclaimer: The material in this Whitepaper is provided for general information only, and heavily references the source information identified in the bibliography, much of which is quoted or re-published verbatim. Before any action or decision is taken on the basis of the material, the user should obtain appropriate independent professional advice, reviewing their specific operating environment.

WTI Aviation Office
Tel: +64 (03) 374-9664
Aarron Spinley, Executive Director
Brett Watson, Executive Director
Web site: www.watchtowerservices.com
First Edition
Contents

Contents ........ 2
Report Objectives ........ 4
  Introduction ........ 4
  A Definition of Systemic Risk ........ 4
  Industry Terms & Acronyms ........ 5
Executive Summary ........ 7
A Snapshot of the Aviation Sector ........ 8
  Airports & Infrastructure ........ 8
  Airline & High Capacity Operations ........ 9
  Management – Availability & Experience ........ 9
  Management – Standards ........ 9
Global Risk Profile ........ 10
  Global Governance & Impacts ........ 10
  Interdependencies - Example ........ 11
  Translating this to an internal application ........ 11
Corporate Governance ........ 12
  General ........ 12
  The Aviation Sector ........ 13
  Governance Failure Through Poor Risk Management: Example ........ 1
  Establishing a Risk Management Framework ........ 13
  Integrating ERM & Audit ........ 15
  Dynamic Risk-Based Audit ........ 15
  More Time for Analysis ........ 15
  Directors Liability ........ 16
  Return on Investment (ROI) on ERM ........ 17
  Summary ........ 18
Safety Management Systems ........ 19
  Achieving Lead Indicator Environments ........ 20
  The Evolution of Safety ........ 21
  No-Where to Hide ........ 22
Civil Aviation Regulation ........ 23
  A Risk Based Approach ........ 23
Conclusion ........ 24
  Areas of Focus ........ 25
Bibliography ........ 26
About Watchtower International ........ 27
Report Objectives

Introduction

Across the globe, the International Civil Aviation Organization (ICAO) and the International Air Transport Authority (IATA) are leading a program of change, explicitly guiding industry operators to apply risk management principles to their operations and to safety management systems (SMS). The signatory states, countries and regulation territories of ICAO – through their own local civil aviation authority – are tasked to incorporate these requirements into their audits of Part 139 for airports and aerodromes, and Part 125/121 for airlines. This is likely to become an intrinsic part of these audits by circa 2015, leaving aviation sector operators a few short years in which to implement an effective strategy for their organisation.

This whitepaper discusses the governance, risk, and compliance (GRC) profile of the sector, and draws on industry and external references. It is intended to support the decision making process of aviation executives, who are faced with two distinct management approaches to these issues:

- Continue with existing silos, adding some post-consolidation
- A single integrated platform

The paper concludes in supporting the adoption of single, enterprise wide, integrated management platforms by operators.

Why a single integrated platform? ICAO and all industry bodies and participants are aware that the greatest threat to the industry, and to single operators within it, is that of ‘systemic risk’.

A Definition of Systemic Risk

A systemic risk is the potential loss or damage to an entire system, as contrasted with the loss to a single unit of that system. Systemic risks are exacerbated by inter-dependencies among the units, often because of weak links in the system. These risks can be triggered by sudden events or built up over time, with the impact often being large and possibly catastrophic.[1]

We hope this paper is both informative and useful, and that it ultimately sets your organisation on a path to a single, integrated platform for aviation risk and compliance.

[1] The World Economic Forum, Global Risk Report 2010
Industry Terms & Acronyms

When reviewing this document and those that it references, the following provides an explanation of acronyms used, relevant industry bodies tasked with driving standards in general or within specialist aviation fields, and relevant aspects of the industry recommended to incorporate a risk based approach.

Industry Bodies

ASECNA: Agency for Air Navigation Safety in Africa and Madagascar
ATA: Air Transport Association of America
ATSB: Australian Transport Safety Bureau
BASIS: British Airways Safety Information System
DGAC: Direction Générale de l’Aviation Civile (France)
EASA: European Aviation Safety Agency
DASS: Directorate of Aerodromes Standards and Safety
EBAA: European Business Aviation Association
ECCAIRS: European Co-ordination Centre for Aviation Incident Reporting Systems
EUROCONTROL: European Organisation for the Safety of Air Navigation
FAA: Federal Aviation Administration (U.S.)
IATA: International Air Transport Association
IBAC: International Business Aviation Council, Ltd.
ICAO: International Civil Aviation Organization
IFALPA: International Federation of Air Line Pilots’ Associations
IFATCA: International Federation of Air Traffic Controllers’ Associations
ISASI: International Society of Air Safety Investigators
ISO: International Organization for Standardization
JAA: Joint Aviation Authorities
NASA: National Aeronautics and Space Administration (U.S.)
NBAA: National Business Aviation Association, Inc.
NTSB: National Transportation Safety Board (U.S.)
TP: Transport Publication (Canada)
FSF: Flight Safety Foundation
CANSO: Civil Air Navigation Services Organisation
CAA: Civil Aviation Authority (in each territory, jurisdiction, state)

Industry Risk & Safety Related Terms

ADREP: Accident/Incident Data Reporting (ICAO)
AEP: Aerodrome Emergency Plan
AIRS: Aircrew Incident Reporting System
ALARP: As Low As Reasonably Practicable
ASR: Air Safety Report
ASRS: Aviation Safety Reporting System (U.S.)
CAST: Commercial Aviation Safety Team
CHIRP: Confidential Human Factors Incident Reporting Programme
CMC: Crisis Management Centre
ERP: Emergency Response Plan
FOQA: Flight Operations Quality Assurance
FSO: Flight Safety Officer
GASP: Global Aviation Safety Plan (ICAO)
GRC: Governance Risk & Compliance
HAZid: Hazard Identification
ISIM: Integrated Safety Investigation Methodology
LOSA: Line Operations Safety Audit
NOSS: Normal Operations Safety Survey
OFSH: Operator’s Flight Safety Handbook
OIRAS: Operational Incident Reporting & Analysis Systems
OSH: Occupational Safety & Health
QAS: Quality Assurance System
SDR: Safety Data Request
SDCPS: Safety Data Collection and Processing Systems
SIL: Safety Issues List
SM: Safety Manager
SMM: Safety Management Manual
SMS: Safety Management System(s)
TEM: Threat and Error Management
TOR: Tolerability of Risk
USOAP: Universal Safety Oversight Audit Programme (ICAO)

General Industry

ACI: Airports Council International
AME: Aircraft Maintenance Engineer
AMJ: Advisory Material Joint
AMO: Approved Maintenance Organization
ATC: Air Traffic Control
ATCO: Air Traffic Controller
ATM: Air Traffic Management
ATS: Air Traffic Service(s)
CNS: Communications, Navigation and Surveillance
CRM: Crew Resource Management
DME: Distance Measuring Equipment
EGPWS: Enhanced Ground Proximity Warning System
FCO: Flight Crew Order
FDA: Flight Data Analysis
FDM: Flight Data Monitoring
FDR: Flight Data Recorder
FIR: Flight Information Region
FMEA: Failure Modes and Effects Analysis
FMS: Flight Management System
FOD: Foreign Object Damage
FPD: FDA Programme Database
GAIN: Global Aviation Information Network
GPS: Global Positioning System
GPWS: Ground Proximity Warning System
ILS: Instrument Landing System
INDICATE: Identifying Needed Defences in the Civil Aviation Transport Environment
JAR: Joint Aviation Requirement(s) (JAA)
MEDA: Maintenance Error Decision Aid (The Boeing Company)
MNPS: Minimum Navigation Performance Specifications
MRM: Maintenance Resource Management
MSAW: Minimum Safe Altitude Warning
PANS: Procedures for Air Navigation Services
PANS-ATM: Procedures for Air Navigation Services — Air Traffic Management
PANS-OPS: Procedures for Air Navigation Services — Aircraft Operations
SARPs: Standards and Recommended Practices (ICAO)
SHEL: Software/Hardware/Environment/Liveware
SID: Standard Instrument Departure
SIN: Standing Instruction Number
SOPs: Standard Operating Procedures
STAR: Standard Instrument Arrival
STCA: Short-term Conflict Alert
TCAS: Traffic Alert and Collision Avoidance System
TRM: Team Resource Management
Executive Summary

The global aviation sector faces a demanding Governance, Risk, and Compliance (GRC) profile, unmatched by most other industries for its technical nature, and its diversity and change. This whitepaper outlines the four areas of the overall profile, and draws the conclusion, as has the International Civil Aviation Organisation (ICAO), that operators must apply a single, enterprise wide, management approach to fundamental risk and performance issues.

The distinct, and yet entirely interdependent, elements of the aviation sector GRC profile are:

- Commercial and corporate enterprise risk
- Legislative (common and company law) compliance
- Civil aviation regulation
- Safety management systems

This paper demonstrates the requirement that the sector adopt:

- Single platform, enterprise wide approaches and management application(s), which are required to break down departmental silos and information black-holes
- Recognition that Boards of Directors and their Management are entirely responsible for the effective execution of the management of their risks and regulatory obligations
- A risk based approach to the adherence to civil aviation regulation, given the dynamic environment of the sector (static regulation presumes a static environment)
A Snapshot of the Aviation Sector

As the sector seeks to recover from the economic conditions that pervade global economies following the global financial crisis, along with issues of regional security – and most recently the Icelandic volcanoes – operators are also faced with the need to improve their general risk and compliance performance. In this context, we believe that there are six general trends impacting on the aviation industry that are expected to remain key influences into the future:[2]

- Global demand for aviation services is returning;
- Increased environmental awareness, driven by global concerns about global warming (the “greening” of business practice);
- Climate change;
- Developments in aircraft manufacture, systems and technologies which offer potential safety solutions while simultaneously adding complexity and change;
- International instability and increased security and compliance-related costs;
- Tightening corporate governance regimes are affecting all public entities and corporate entities the world over, regardless of industry.

These trends generate complexity and implications for specific aviation operations and safety support systems. The areas of aviation expected to be affected by these larger influences include new and ageing aircraft, airports and infrastructure, airspace and air traffic management, aviation personnel, regulators and administrators. Some of the solutions will require an industry-wide approach.

Airports & Infrastructure

Investment in airports and associated infrastructure is currently at a high level, fuelled by renewed growth in airline activity. Despite this investment, some airports will be stretched to accommodate demand due to lag times in approvals, design, building and infrastructure construction, and their AEP will struggle to keep pace. The privatisation of major airports has opened up a range of new practices designed to generate revenue.

Aside from competition to attract new entrants, airport operators now also look to non-aviation returns on investments. Increasingly this means using land at airports for shopping centres, retail warehouses, outlets and office complexes. These developments concentrate large populations in areas of potential heightened risk and exacerbate the established trend of new suburbs progressively encroaching on airports and their ATM and ATC functions. As a result, it is possible that the risks associated with a runway excursion type of accident are increasing, due to the increasing potential consequences.

Other substantial challenges facing the airports and infrastructure sectors include:

- Requirements to upgrade facilities and terminals to support new generation, high capacity aircraft;
- Upgrading navigation aids, procedures and approach facilities (particularly at regional airports) to support technologically advanced aircraft systems and regional jet activities;
- Implementing and upgrading security and passenger handling initiatives;
- Increased complexity, resources and costs associated with security requirements.

[2] CASA: An Assessment of Trends & Risk Factors in Passenger Air Transport, 2007
In particular, regions such as India are experiencing significant growth, which in turn requires a greater focus on quality of systems to satisfy international standards and customer demand.

Airline & High Capacity Operations

Prior to the global financial crisis, the airline sector was reaping the reward of expansive economic conditions, and as confidence in both the economic conditions and regional security returns, so too does that expansion and increase of services. This will be challenging for airlines and create risks that need to be managed, including:

- Personnel shortages
- New carriers
- New aircraft, systems and technology
- Inter-organisation information sharing

The heightened profitability of the high capacity sector means that resources should be available to invest in new strategies to control and mitigate associated risks. Regardless, airlines need to improve their understanding of external risk sources and their interdependencies. An obvious example of this was the recent Icelandic volcanoes which, whilst over Europe, still caused losses of USD $21 million a day to airlines while UK airports were closed under the EASA’s understandably cautious watch.

Management – Availability & Experience

With increasing emphasis placed on outcome-based regulation and safety systems, the role of operational and administrative management has assumed greater significance in contributing to the overall safety of an organisation. This is particularly important during periods of sustained commercial and operational instability or growth, as the aviation industry is currently experiencing.

Management – Standards

Aligned to the availability and experience of quality management personnel is the increased adoption of professional and industry standards, such as:

- ISO 9001:2008 – Quality Management Systems (QMS)
- ISO 31000:2009 – Risk Management Standard
Global Risk Profile

Every organisation, industry, and country must begin to fathom the importance of understanding its ‘inter-connectedness’ with the world around it. Furthermore it must consider the impact of multiple factors on itself, and contemplate the preparedness that its stakeholders might reasonably expect it to have in place.

Global Governance & Impacts

In many ways, we are all at the mercy of global governance and the prevailing attitudes to risk. Most often they are only ‘united’ by singular events, e.g. climate change and the financial crisis. The World Risk Report, annually published by the World Economic Forum, maps these interdependencies and asks searching questions of government and industry.
Interdependencies - Example

For example, the sudden rise in jobless figures seen in developed economies in 2009 was in part cyclical, as a response to the decline in demand, and these jobs should therefore return, albeit slowly, as demand increases. However, the crisis also hastened structural changes. Certain industries, such as the automobile sector, were already in decline in regions where labour costs made them uncompetitive. In other industries such as airlines, consolidation and new business models mean an overall decrease in the numbers employed. The question will be how to compensate for these structural changes as growth returns.

“One of the major conclusions from the analysis of the results of the 2010 Global Risks Expert Perception Survey is the marked increase in interconnectedness among the risks covered by the Global Risk Network… This year’s survey shows that both the number and strength of interconnections among risks have increased notably.” (World Economic Forum, 2010)

Translating this to an internal application

Of course industry executives cannot be expected to monitor all potential eventualities, many of which are uncontrollable. However, just as these interdependencies exist externally, so too is there a myriad of reliance and connectedness between internal elements:

- Corporate risk (liability, credit, liquidity, governance, legislative)
- Civil aviation regulation reporting
- Terminal / flight operations
- Airside operations
- Safety management systems

It is these areas that aviation industry boards and executives must address, a single and integrated platform being the only viable option to do so across all elements and their relative impact on one another. This can only be achieved through a properly constructed risk management framework.
Corporate Governance

General

Of course, whilst risk management is almost exclusively delegated to management, it is irrevocably a governance issue. Every corporate governance regime in the developed world prescribes a system of internal control, and in every critical field this relies on a two pronged approach. It is the fundamental responsibility of the board of directors to ensure the:

- Performance of the function
- Audit of the effect, integrity and process of that function

Risk management programs are critical across the operational and compliance profile of the entity, often underpinning its ability to meet fundamental standards and obligations, including:

- Governance Codes (UK Revised Code, ASX, NZX, LSE, NYSE, SecCom, etc.)
- Sarbanes-Oxley Act
- Professional standards: PMI, COBIT, ISO etc.
- Legislative Compliance Management
- Safety Management System (SMS)
- Capital Projects
- Mergers & Acquisitions
- Civil Aviation Regulation Part 139 (airports) / 121/125 (airlines)
- Duties of Disclosure

Following the events of the 1990’s with major corporate failures (Enron, HIH, etc.), and the subsequent global financial crisis toward the end of the first full decade of the new millennium, the regulatory response of world governments has been consistent, its message clear.

Most recently (at the time of writing), a substantively sharper focus on the proper management of risk has been included in the revised UK Corporate Governance Code published in June 2010. In particular, the Code is explicit that the board of a company must maintain sound risk management and internal control systems.

“The board is responsible for determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives.” (UK Corporate Governance Code, June 2010)

Some of these themes are not new and have existed in other corporate governance regimes around the world for some time. However, the days of governments and their regulators tolerating non-performance in this area are numbered. And it’s not just regulators that are demanding improvement. The credit rating agencies around the world – led initially by Standard & Poor’s – are now incorporating “ERM assessments” as part of the credit ratings process, with direct and immediate impact on company values and access to capital.
The Aviation Sector

The issues of corporate governance and risk management apply to all sectors and internationally trading organisations. There is no escape. From a purely business perspective in the aviation context, it does an airport or airline little good if it can manage and control its terminal, airside, and flight operations to world class standard, only to suffer major or even catastrophic loss due to failings in its corporate governance arrangements. The days of only auditing one’s accounts, and publishing the same “cut and paste” disclosure about risk management in the annual report, are gone. Indeed, the consequences of misleading statements in the annual report being brought to light by risk events are heightening.

Governance Failure Through Poor Risk Management: Example

The most recent corporate disaster to highlight this is BP’s catastrophic environmental (and balance sheet) failure resulting from the oil spill in the Gulf of Mexico. In addition, a subsequent UK investors meeting revealed that the same paragraph assessing BP’s policy on risk and insurance had appeared 20 years running in BP’s annual report.[3]

In stark contrast to the standards of corporate governance, BP chief executive Tony Hayward told the US Congress committee that he had not had ‘any involvement in or prior knowledge of safety decisions’. This was mounted as a form of defense, when in fact it only served to uncover a failing in the governance arrangements at BP.

Establishing a Risk Management Framework

A critical part of your overall governance program is the implementation and maintenance of a risk management framework. Many readers will automatically consider that they have one, and begin to skim read this section; however, the term ‘risk management framework’ is often hijacked by those who do not understand it and are happy to use the term interchangeably with other management terms, with little regard for the confusion this causes.

So what is a risk management framework? Well, it is best defined by what it delivers.

Outcomes

- A framework which is responsive to the specific needs and objectives of the organisation.
- The establishment therein, or confirmation of, your risk tolerance and risk appetite thresholds (organisationally, project wide, and/or for specific aspects).
- A mechanism to inspire confidence in current and potential stakeholders, and support management decision making at the organisation.
- An auditable program designed on a professional, measurable standard.

[3] Article from The Guardian - UK Company Risk Management Left to Chance
The risk management framework should:

- Be transparent to managers, directors and key stakeholders (or representative stakeholder organisations).
- Establish and articulate the organisation’s tolerance to the various consequences of risk within its strategic planning processes.
- Identify, analyse, assess, prioritise, manage and report on risks in a comprehensive and consistent manner.
- Require relevant managers and staff, along with contractors and 3rd parties, to understand and manage risks to the organisation that are within their ability to control, and to report upwards on risks that they are unable to control.
- Inform the organisation’s Board of Directors of risks that could impact it in a strategic sense, together with:
  - Assurance that these risks are reliably controlled where this is the case, or
  - Advice on actions that are planned or in progress to control these risks, noting responsibilities where these have been assigned, or
  - Confirmation that the organisation cannot control or directly influence the risks in question.

Objectives

- All material risks to be identified, understood and quantified in order to ensure a common approach and level of resources for management of risks across the organisation;
- Appropriate risk management action objectives are identified and understood for all ‘strategic’ risks (overseen by the board);
- Accountabilities across the organisation for ownership of risks and the management of actions to mitigate/control/transfer are clearly identified and are appropriate;
- Agreed risk management actions across the organisation are systematically and regularly monitored, measured and reported; and
- The risk management framework links to the core business processes of business planning, budgeting, and performance management.

Audit & Assurance

All aspects of corporate governance must be subject to audit. However, one significant and common failing of governance arrangements is the use of internal auditors to provide the risk management function. There is only one exception to this rule. Where IA extends its involvement in ERM:

Internal audit cannot also give objective assurance on any part of the ERM framework for which it is responsible. Such assurance should be provided by other suitably qualified parties.[4]

Roles internal auditing should NOT undertake:

- Setting the risk appetite
- Imposing risk management processes
- Management assurance on risks
- Taking decisions on risk responses
- Implementing risk responses on management’s behalf
- Accountability for risk management

This is a critical issue. Many of the corporate failings during the financial crisis post-2007 were characterised by the use of their IA to provide their risk management function, leaving a critical piece of their governance

[4] The Institute of Internal Auditors
devoid of any independent quality assurance and review whatsoever. However, readers should not surmise that the role of IA is in any way regarded to be unimportant. In fact, nothing could be further from the truth.

Integrating ERM & Audit

Equally, it is very important to ensure that there is independent review and audit of the ERM program. In order to understand how they should work together, it is worth first reviewing what they do, so as to avoid any confusion:[5]

Audit (The Assurance)                          | Risk Management (The Doing)
-----------------------------------------------|---------------------------------------------------
Looks into the past                            | Looks into the future
Based on controls and deviations               | Based on probability and impact
Covers operational and compliance matters      | Covers strategic, operational, and compliance matters
To be done by the Audit department             | To be done by all departments

Dynamic Risk-Based Audit

Your business changes all the time. So when was the last time your standard audit checklist changed? This should be guided by the changing risk profile of the business, thus ensuring that the parts of your business that derive the greatest sources of risk, and the key controls, are the focus of the internal audit function. This targets the areas of assurance that the business most critically needs. By doing so, it takes the risk assessments that have already been performed one step further, adds more value, and not only improves the effectiveness of both functions, but their return on investment as well.[6]

More Time for Analysis

The beauty of a centralised assurance model is that key data points are shared. Through a single repository, the business can look at recent assessments, review trends and dig deeper with the data it already has, rather than ask the same questions of a business unit that answered them last month.

This process also assists with developing and maintaining a risk aware culture, as it will mitigate the “assessment fatigue” of the audit department’s internal customers, thereby enabling the department to spend more time adding value to the business and less time digging through filing cabinets. However, consistent with the overall finding of this paper, this is only possible where there is a single, enterprise wide risk and compliance management platform.

[5] The Smart Money: Integrating ERM & Internal Audit, 2010
[6] Internal Audit ERA Methodware, April 2010
Directors' Liability

For organisations that continue to fail in their risk management and audit obligations, directors can expect to suffer direct consequences in the event that a major failing occurs. For example, the directors of many firms that failed as a result of the global financial crisis were regarded to be liable under the law. In 2008 alone, there were 225 Federal Securities Class Action Lawsuits against directors, directly resulting from this[7]. In addition, a variety of high-exposure shareholder class actions have specifically charged management with misconduct[8]. Subsequently, Directors & Officers insurance prices for the S&P financial sector rose by over 50% in the last quarter of 2008 alone[9].

To underline the lack of performance in this area, a study found that only 54% of Fortune 100 directors understood their company's risk tolerance[10]. Since nearly half of the directors did not know, shareholders are entitled to conclude that these board members were uninformed of a key foundation piece of governance in that organisation, and therefore derelict in their duty.

    "One can only speculate that if a fully understood risk tolerance level had been imposed by all financial institutions on their respective mortgage securities exposures and the marketing of collateralized debt obligations (regardless of probability metrics), the current crisis may have been mitigated to a large extent, if not prevented altogether."
    (RIMS Executive Report - The Risk Perspective)

This is an essential component of the aviation sector governance profile, which it must ensure is well executed. Nevertheless, merely implementing a risk management process across an enterprise clearly is not enough.

    "Organizations seeking better performance need to broaden and deepen their (ERM) programs to mature in the competency drivers that support front-line risk ownership, linkage and governance oversight."[11]

[7] Business Insurance, Lou Ann Layton, Marsh
[8] Global Financial Restructuring, Baker & McKenzie
[9] Aon Global
[10] CEO Challenge 2006: Top Ten Challenges, The Conference Board, 2006
[11] RIMS State of ERM Report 2008
Return on Investment (ROI) on ERM

The very core of Enterprise Risk Management, when implemented properly, is the protection of the organisation and the enhancement of its corporate decision making. However, these are difficult to apply metrics against.

    "How do you measure the savings of the organisation against risk events that did not occur, of fines not imposed, or of unforeseeable major corporate losses unrealised due to elements of the program serving the business?"
    (The Obsession with Value over Obligation, 2010)

The concept of a 'return' on this investment in the same sense as some kind of dividend is not well placed. In fact, if the business case for an ERM program is based on this mentality, there are already fundamental shortcomings in governance. That established, as with many other corporate activities in difficult economic climates, there are often calls for organisations to calculate the return on investment of their ERM programs. The good news is that, the "because you are required to" and the intangible values aside, if we think about what ERM delivers, there are actually a number of quantifiable outputs: decreased variability in financial results, for example, as well as reduced hedging, insurance and capital costs. These equate directly to improved cash flow which, when coupled with a reduced discount rate (arising from reduced earnings volatility and an improved reputation within the investment community), results in enhanced company value. The metrics are there; it's just a question of turning them into a final assessment which quantifies that all-important return on investment.

Looking at those metrics more closely: with rating agencies paying increasing attention to companies' ERM frameworks, deficiencies or over-performance in this area can be equated to a quantifiable impact on a company's ability to access capital and on the cost of capital.
Secondly, hard cost savings can be delivered by an ERM program which streamlines existing risk efforts and highlights redundant and inefficient risk activities (e.g. identification / assessment, aggregation and validation processes). Again, another quantifiable metric...

Insurance and hedging costs can be the most tangible cost elements in managing specific risks. ERM can help to optimize and reduce these costs by clearly identifying underlying risk exposures, existing offsets and potential redundancies and inefficiencies.

    "Estimating earnings variability may be a more complex task but can feasibly be undertaken both before and after ERM risk mitigation activities in order to demonstrate the impact and value of the ERM program."

Harder to quantify are the investment opportunities which can arise from ERM implementation, but this does not mean the potential 'up-side' of ERM should simply be ignored. ERM enables companies to make smarter, proactive decisions, based on a better understanding of their current risk profile and their appetite for taking on board more risk in pursuit of competitive advantage.
ERM is about optimizing risk in accordance with your risk tolerances and setting limits, not simply minimizing risk. Applying a risk lens and risk metrics to a business opportunity, in addition to the growth metric analysis, is likely to result in improved investment decisions. ERM can assist in identifying opportunistic areas of your business that would benefit from investment.

Summary

In summary, the value of ERM certainly has significant quantifiable elements. There is no simple formula for generating that final value, but overall there should be an aggregate of performance in the areas mentioned above[12].

[12] "Demonstrating a return on investment in ERM", KPMG 2010
Safety Management Systems

The development of safety management systems (SMS) in the industry has taken on renewed focus in the last few years. The definition of "safety" from the International Civil Aviation Organization (ICAO) is:

    "Safety is the state in which the risk of harm to persons or of property damage is reduced to, and maintained at or below, an acceptable level through a continuing process of hazard identification and risk management."

The following are excerpts from, and a summary of, the ICAO Safety Management Manual[13].

Need for Safety Management

Although major air disasters are rare events, less catastrophic accidents and a whole range of incidents occur more frequently. These lesser safety events may be harbingers of underlying safety problems. Ignoring these underlying safety hazards could pave the way for an increase in the number of more serious accidents.

Accidents & Incidents Cost Money

Although purchasing "insurance" can spread the costs of an accident over time, accidents make bad business sense. While insurance may cover specified risks, there are many uninsured costs. In addition, there are less tangible (but no less important) costs such as the loss of confidence of the travelling public. An understanding of the total costs of an accident is fundamental to understanding the economics of safety. The air transportation industry's future viability may well be predicated on its ability to sustain the public's perceived safety while travelling. The management of safety is therefore a prerequisite for a sustainable aviation business.

ICAO Requirements

Safety has always been the overriding consideration in all aviation activities. This is reflected in the aims and objectives of ICAO as stated in Article 44 of the Convention on International Civil Aviation (Doc 7300), commonly known as the Chicago Convention, which charges ICAO with ensuring the safe and orderly growth of international civil aviation throughout the world.
In establishing States' requirements for the management of safety, ICAO differentiates between safety programmes and safety management systems (SMS) as follows:

- A safety programme is an integrated set of regulations and activities aimed at improving safety.
- A safety management system (SMS) is an organized approach to managing safety, including the necessary organizational structures, accountabilities, policies and procedures.

A safety programme will be broad in scope, including many safety activities aimed at fulfilling the programme's objectives.

[13] Safety Management Manual (SMM) Doc 9859 AN/460
As a minimum, an SMS shall:

- Identify safety hazards;
- Ensure that remedial actions necessary to mitigate the risks/hazards are implemented; and
- Provide for continuous monitoring and regular assessment of the safety level achieved.

A State's safety programme embraces those regulations and directives for the conduct of safe operations from the perspective of aircraft operators and those providing air traffic services (ATS), aerodromes and aircraft maintenance. The safety programme may include provisions for such diverse activities as incident reporting, safety investigations, safety audits and safety promotion. To implement such safety activities in an integrated manner requires a coherent SMS. An organisation's SMS shall clearly define lines of safety accountability, including a direct accountability for safety on the part of senior management.

ICAO has been specific in its guidance on SMS:

Airline Operator SMS. An oversight authority and an airline operator agree on an acceptable level of safety to be achieved by the operator SMS, one measure of which — but not the only one — is 0.5 fatal accidents per 100 000 departures (safety indicator); a 40 per cent reduction in five years (safety target) and — among others — the development of GPS approaches for airfields without ILS approaches (safety requirement).

Service Provider & Aerodrome Operator SMS. An oversight authority, an ATS provider and an aerodrome operator agree on an acceptable level of safety to be achieved by the provider and operator SMS, one element of which — but not the only one — is no more than one runway incursion per 40 000 aircraft movements (safety indicator); a 40 per cent reduction in a 12-month period (safety target) and — among others — the establishment of low visibility taxi procedures (safety requirement).

As you can see, the three minimum requirements of an SMS are very much aligned with, or indeed a subset of, the overall risk management framework.
Achieving Lead Indicator Environments

ICAO has recognised the need to drive more proactive, risk-based systems that offer early warning as part of the aviation management response. In its study of SMS, it has charted the evolution of risk and safety management in the industry.
The Evolution of Safety

In its own text, provided below, ICAO makes the distinction between the "Traditional Approach" and its targeted approach, which it describes as a "Modern Perspective":

Traditional Perspective

    "Historically, aviation safety focused on compliance with increasingly complex regulatory requirements. This approach worked well up until the late 1970s when the accident rate levelled off. Accidents continued to occur in spite of all the rules and regulations."
    (Safety Management Manual (SMM) Doc 9859 AN/460)

This approach to safety reacted to undesirable events by prescribing measures to prevent recurrence. Rather than defining best practices or desired standards, such an approach aimed at ensuring that only minimum standards were met.

Modern Perspective

In order to keep safety risks at an acceptable level with the increasing levels of activity, modern safety management practices are shifting from a purely reactive to a more proactive mode. In addition to a solid framework of legislation and regulatory requirements based on ICAO SARPs, and the enforcement of those requirements, a number of other factors, some of which are listed below, are considered to be effective in managing safety.

Components of a mature and effective risk and compliance (& safety) program are:

- Application of scientifically-based risk management methods;
- Senior management's commitment to the management of safety;
- A corporate safety culture that fosters safe practices, encourages safety communications and actively manages safety with the same attention to results as financial management;
- Effective implementation of standard operating procedures (SOPs), including the use of checklists and briefings;
- A non-punitive environment (or just culture) to foster effective incident and hazard reporting;
- Systems to collect, analyse and share safety-related data arising from normal operations;
- Competent investigation of accidents and serious incidents identifying systemic safety deficiencies (rather than just targets for blame);
- Integration of safety training (including Human Factors) for operational personnel;
- Sharing safety lessons learned and best practices through the active exchange of safety information (among companies and States); and
- Systematic safety oversight and performance monitoring aimed at assessing safety performance and reducing or eliminating emerging problem areas.

    "No single element will meet today's expectations for risk management. Rather, 'an integrated application' of most of these elements will increase the aviation system's resistance to unsafe acts and conditions."
    (Safety Management Manual (SMM) Doc 9859 AN/460)

Nowhere to Hide

In order to manage the operator's risk and compliance profile, and to keep safety risks at an acceptable level with the increasing levels of industry activity, management needs to establish safety as a core value of the organisation. It can accomplish this by setting objectives and risk management & safety goals, then holding managers and employees accountable for achieving those goals. Staff look to management for:

- Clear direction in the form of credible policies, objectives, goals, standards, etc.;
- Adequate resources, including sufficient time, to fulfil assigned tasks safely and efficiently; and
- Expertise in terms of access to experience through safety literature, training, seminars, etc.

    "This onus on management applies regardless of the size or type of organization providing the aviation service. The role of management in managing safety is a recurring theme throughout . . ."
    (Safety Management Manual (SMM) Doc 9859 AN/460)
Civil Aviation Regulation

The basis of operator standards is addressed within the parameters of the relevant Civil Aviation Regulation.

Part 139 (Airports)
- Subpart A – General
- Subpart B – Certification Requirements
- Subpart C – Operating Requirements
- Subpart D – Aerodrome Security
- Subpart E – Reserved
- Subpart F – UNICOM and AWIB Services

Part 121 (Airlines)
- Subpart A – General
- Subpart B – Flight Operations
- Subpart C – Operating Limitations and Weather Requirements
- Subpart D – Performance
- Subpart E – Weight and Balance
- Subpart F – Instruments and Equipment
- Subpart G – Maintenance
- Subpart H – Crew Member Requirements
- Subpart I – Training
- Subpart J – Crew Member Competency Requirements
- Subpart K – Fatigue of Flight Crew
- Subpart L – Manuals, Logs, and Records
- Subpart M – Advance Qualification Programme

A Risk Based Approach

Recognising that regulation is most effective in a static (non-change) environment, and that this is not a description that is apt in the aviation context, ICAO has provided clear direction that the use of a risk-based approach to regulatory compliance is required. The very nature of a risk-based process optimises performance in a dynamic and fluid operating environment such as the aviation sector. This has many titles, but one often used by ICAO is Data Driven Safety, explained as:

    "Through extensive coordination of the internal and external safety data sources available to it, ICAO begins to emphasize a more targeted, proactive and operational approach to global aviation's most fundamental objective."
Conclusion

When reviewing the components of the overall GRC profile facing the aviation sector and its participants, there is no escaping the fact that only a truly holistic management programme can offer the potential to meet, if not exceed, the industry's important objectives.

The stakeholders of the sector are many and varied, and extend to the travelling public in the farthest reaches of the globe. Indeed, their vested interest is their very lives, even more compelling than that of the institutional shareholder. However, corporate governance must and does remain a central theme. Each operator, regardless of its airside operations and safety targets, is a business. The owners of airports and aerodromes, and of airlines, are also varied. From local government and community councils, to federal/central governments, to private equity groups and publicly listed companies, they all share a common goal: the pursuit of profit, of viable long-term sustainable business models.

Add to this the pressures of local body law, CAA application of industry regulation, standard "common-law" legislation, the economic climate, terrorism, travel trends, and regional security. And lest we forget perhaps the defining issue of this generation: climate change. Operators in the aviation industry, be they domestic or international, are all buffeted by these winds.

The macro-risk profile is immense. The operational profile is as well, and the governance requirements are both fluid and ever-demanding. There are no quick-fire answers. There will always be the challenge of new standards and regulation; but the real conclusion of this document is the theme of interdependencies. The management of all four aspects of the GRC profile, even where there is outstanding performance, is executed in silos. This is perhaps understandable given the high level of expertise required for each, but it poses a significant problem.
Yet there is one undeniable, common thread, and it is here that a solution lies. Risk management, and its intrinsic disciplines and methodologies, can tie each of the four elements together. However, if risk management is established and performed in yet another isolated department, the potential it offers will be lost.

Therefore the fundamental conclusion of this review is that only a single, enterprise-wide, risk-based platform can drive enhanced performance in each of the elements concurrently. This encapsulates ALL aspects of the operator, from its boardroom through its corporate services (IT, finance, legal services, HR, OSH) to its operations and day-to-day functions. Only in this context can there be sufficient data to meet the goals of ICAO and the wider industry:

- To maintain a robust and profitable industry
- To achieve improved safety levels through lead indicator environments (modern approach)
- To capture and share information and standards across the globe
Areas of Focus

This paper advocates that the sector focus on the following areas:

Local CAA & Regulators
- To assert effective risk-based lead indicator environments
- To seek demonstrable data-based SMS
- To advocate and enforce high standards of risk-based regulation management in their region

Airport & Airline Boards of Directors
- To seek genuine ERM across their enterprise
- To go beyond asking for the "Top 10 risks"
- To report honestly and forthrightly about their risks within annual reports
- To drive their management to deliver and demonstrate a lead indicator environment
- To align the risk management and reporting framework with corporate governance guidance and legislation

Operator CEO
- To encourage their boards in the pursuit of effective GRC programs
- To ensure a single platform approach across the enterprise
- To drive the necessary culture and risk management awareness

Operator CFO, IT & Corporate Services
- To contain costs by identifying single platforms which can replace multiple disparate systems
- To ensure quality technology integration and data integrity & security

Legal Counsel
- To seek to implement verifiable, auditable compliance information gathering
- To avoid practices that create "tick-box" compliance thinking
- To ensure compliance reporting offers genuine assurance to the board

Safety | Airside | Operations Management
- Ensure a risk-based approach
- Capture interdependencies at both the control and risk levels
- Automate early warning systems (lead indicator environments)
- Drive robust controls management
- Map the program against expositions agreed with the regulator
Bibliography

The following documents and sources were referenced during the development of this White Paper.

- Human Factors Digest No. 16: Cross-Cultural Factors in Aviation Safety (Cir 302) – presents the safety case for cross-cultural factors in aviation
- Human Factors Guidelines for Safety Audits Manual (Doc 9806) – provides guidelines for preparing for, or conducting, a safety oversight audit that includes consideration of human performance and limitations
- Human Factors Training Manual (Doc 9683) – describes in greater detail much of the underlying approach to the human performance aspects of safety management
- Line Operations Safety Audit (LOSA) (Doc 9803) – presents information on the control and management of human error and the development of countermeasures to error in operational environments
- Manual on Certification of Aerodromes (Doc 9774) – describes the salient features of an SMS to be included in the aerodromes manual for certified aerodromes
- Preparation of an Operations Manual (Doc 9376) – provides detailed guidance to operators in such areas as training and the supervision of operations, and includes direction on the need to maintain an accident prevention programme
- Safety Oversight Audit Manual (Doc 9735) – provides guidance and information on standard auditing procedures for the conduct of ICAO Safety Oversight audits
- ICAO Safety Management Manual, 2nd Edition, 2009
- Civil Aviation Safety Authority (Australia) Risk Report, 2007
- ISO 31000:2009 Principles & Guidelines of Risk Management
- The Global Risks Expert Perception Survey, World Economic Forum, 2009
- Global Risk Report, World Economic Forum, 2010
- The Role of Internal Auditing in Enterprise-wide Risk Management, Institute of Internal Auditors, September 2004
- CEO Challenge 2006: Top Ten Challenges, The Conference Board, 2006
- The Risk Perspective: The 2008 Financial Crisis, A Wake-up Call for Enterprise Risk Management, RIMS Executive Report
- State of ERM Report, RIMS, 2008
- Business Insurance News (interview with Lou Ann Layton, Leader of the Marsh U.S. Financial and Professional Liability Practice)
About WatchTower International

WatchTower International (WTI) is a boutique GRC firm providing services to clients across the globe. In particular, WTI is a provider of advisory services and risk management systems to the aviation sector through its WT-Navigator Program. More information can be found at www.watchtowerservices.com

Queries and communications about this whitepaper can be directed to:

The Aviation Practice
WatchTower International (WTI)
www.watchtowerservices.com
+64 3 374 9664
Registered Office
9 Dinglebay Place
Harewood
Christchurch, New Zealand

Postal Address
WatchTower Risk Consulting Ltd
PO Box 8554
Riccarton
Christchurch 8440
New Zealand

www.watchtowerservices.com

Trading Names: WatchTower, WatchTower International, WTI
Service Brands: WT-Profiler, WT-Navigator, WT-PowerON, WT-Comply, WT-Tech