Risk assessment and risk management require some work

> Risk assessment is the systematic determination of risk management priorities by evaluating and comparing the level of risk against predetermined standards, target risk levels or other criteria.

> Assessing risk without factoring profit is like trying to tune up your car without knowing where the engine is.
We have previously discussed risk management issues, such as: SAS risk management – after 2 crashes we get damage control
But to avoid having to do damage control (meaning when it is too late and damage to the firm's reputation has already been done), a combined risk assessment and risk management process must be used by the firm.
Let us first look at steps 1-3, which are part of the risk assessment process, as described in the table below. Incidentally, these steps apply to any type of management function, including managing financial or information security risks.
> Risk assessment is the process of analyzing potential losses from a given hazard using a combination of known information about the situation, knowledge about the underlying process, and judgment about the information that is not known or well understood.

> By ensuring that potentially hazardous operations are carried out safely, risk assessment also provides some legal protection if an activity or process leads to an accident or disaster (e.g., data security breach, injury due to product use).

| Step | Activity | Description |
|---|---|---|
| 1 | Describing the problem(s) | Can be accomplished more effectively if a few questions are posed and addressed amongst stakeholders, such as: Who must manage the problem (risk owner)? Who are the stakeholders? Also, establish relationships among the problems and rely on stakeholders for problem identification and characterization. |
| 2 | Performing the risk analysis | Evaluate the risks in order to determine the hazards, the likelihood of these hazards occurring, and any uncertainties in the estimates. |
| 3 | Defining the options | Determine what can be done about the risk issue and the ways that it could be done. Potential consequences, costs, and benefits of options or actions taken to mitigate the risk must be identified and spelled out succinctly. |
SAS, or Scandinavian Airlines, did do some type of risk analysis regarding its Dash-8 or Q400 turboprop plane manufactured by Bombardier. SAS was the first airline to put this type of plane into service, in January 2000. One of the problems it discovered was the possibility of the plane's landing gear collapsing. Based on its own investigative work and analysis of this risk, the firm decided to give its flight crews special training to cope with this possibility. In early September, one crash-landing in Aalborg and one in Vilnius showed that crews required this additional training sooner than expected to prevent fatalities. Thanks to the crews' training, nobody got seriously hurt in either accident. Unfortunately, SAS management and board failed to see the writing on the wall by:
1) doing the risk analysis again (point 2 above), AND
2) following up by assessing what options could be taken (see point 3 above)
when the Aalborg accident happened. Instead, management decided to continue until three days later, when the Vilnius crash-landing happened... and then Scandinavian Airlines had no choice but was forced by aviation authorities to ground the planes.
> Risk management is the process of combining a risk assessment with decisions on how to address that risk.

| Step | Activity | Description |
|---|---|---|
| 4 | Making sound decisions | Determine the best solutions and how they could be implemented in ways that are feasible, cost effective, and socially acceptable. |
| 5 | Implementing decisions | Find out what actions are needed to implement them and deal with any objections or reassessments. |
| 6 | Evaluating actions taken | Determine what is an acceptable and effective means of evaluating the effectiveness or appropriateness of the risk management actions. |
As a result of these two crash-landings, authorities wanted the 27 Bombardier-manufactured turboprops to undergo further inspections. These did result in some repairs to minimize risks. Once these inspections and repairs had been concluded, management seems to have failed to follow proper risk assessment procedures. For instance, the board of directors did not demand another risk assessment from Mats Jansson, SAS's chief executive. That information could then have been used to decide between the options of either letting these planes back up into the air or replacing them with another type of aircraft (most likely these would have had to be leased from other airlines).
To perform a risk analysis and assessment that will be useful to your organization, you must first define the risks.
Flights with the aircraft were resumed in early October. But apparently either the maintenance work failed to discover the possible corrosion in the landing gear of these aircraft, or the risk assessment that was done did not warn management and require the planes to stay grounded.
The third and most worrisome possibility is that management got the information and decided once again that the risk was worth taking and gave the okay for these aircraft to serve again. Remember, they had already decided once that it was worth taking the risk by giving special training to pilots helping them cope in the event of such a near-crash.
It seems now that this may have been too big a gamble regarding risk management. Only a few days after being back in the air following their three-week grounding, another plane had to crash-land:
Two previous crash-landings that ended in near disasters for passengers had forced the hands of SAS management and the board. Scandinavian Airlines' Dash-8 fleet of 27 aircraft was grounded for three weeks for repairs and additional check-ups to determine whether the landing gear problems (apparently possible corrosion) had been fixed properly.
This example shows that risk assessment and risk management are a process and not a destination. This means that risks can change, and assessments need to be redone from time to time using a systematic and thorough approach.
And yes, in the Scandinavian Airlines example risk assessment and risk management should have been used again after grounding the planes BUT BEFORE they were put in service again.
What if this Saturday’s crash-landing had resulted in 44 people dead?
The final report from the Accident Investigation Board Denmark will tell us more about what happened and why.
In conclusion, it can be said that a proper risk assessment process and risk management should minimize the risk of such an accident happening. Finally, this also applies to information security issues. Being careful and thorough prevents reputational disasters such as the one SAS is currently trying to cope with. It gets people out of harm's way and, as importantly, it protects customers and shareholders from having to pay the bill, either by being hurt or by losing money.
Management and the Scandinavian Airlines board should be held accountable for this public relations disaster, which is costing the firm much goodwill and revenue. One outcome should be that some top management folks and board members are shown the door. This is a clear failure in using proper controls and discharging one's responsibilities according to the letter and spirit of the law and good corporate governance.