Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.
19 The definition of incident used for this synthesis has two primary meanings. The more common understanding of an incident is safety-centric. It refers to an event, activity, occurrence, opportunity, or similar happening that could or does relate to the safety of personnel, equipment, or operations at an airport. Examples would be issues associated with airport certification compliance, worker safety under OSHA regulations, emergency response by police or security, and hazards affecting the health and welfare of the public. An SMS gives insight into this meaning of an incident. The other meaning of incident is enterprise-centric and relates to business and organizational performance and risk. It is an event, occurrence, activity, opportunity, or similar happening that relates to a particular organizational goal or performance pathway. While safety may ultimately be impacted in this meaning, examples are more related to non-safety specifics of financial stability, airport reputation and goodwill, development of business activity, and achieving planned goals. An ERM system gives insight into this meaning of an incident. An ERM recognizes that airport organizations must manage a broad array of strategic and operational risks facing an ever-changing aviation industry, including growing financial con- straints, increasing regulatory requirements, and general business concerns. This is in addition to traditional safety concerns: health and operations, identification and mitigation of hazards, and preparing for natural disasters and other emergencies. The monitoring of the broad array of risks is achieved through an incident reporting system. This synthesis addresses both safety-centric and enterprise-centric incidents and is described in Figure 1. An understanding of the distinction between the two is necessary for reviewing this synthesis report, as the methodology, indicators, and metrics are grouped and reported separately for each. For instance, when reading about SPIs, reference is to metrics associated with the safety-centric aspects of an incident. While SPIs provide a picture of organization safety, it is equally important to monitor manage- ment processes. When reading about KPIs, reference is to enterprise-centric metrics associated with the organizational risk and performance. Both connotations can range on a continuum that reflects a positive to negative insight on overall airport safety and performance. There is a tendency to think of an incident reporting system as applying only to the safety-centric side of Figure 1, instead of also applying to the organizational performance perspective. To better understand both aspects, the following paragraphs describe how risk, risk management, and enterprise risk management incorporate the need for, and have a basis in, incident reporting. The basic similarity is that the collection of data is necessary for evaluation, corrective action, and organizational learning. C H A P T E R 3 Incidents Applied to Safety and Risk
20 Airport Incident Reporting Practices Risk Management In its simplest form, risk management involves understanding, analyzing, and addressing risk to make sure the airport achieves its objectives. Like many other terms used in this synthesis, risk management has several variations of the basic definition, depending on how it is applied within an organization. For instance, according to the FAA, risk management is a formalized way of dealing with hazards and is the logical process of weighing the potential costs of risks against the possible benefits of allowing those risks to stand uncontrolled (FAA-H-8083-2 2009, p. G4). The FAA definition reflects an operational approach to risk. Other definitions found in Appendix B reflect a focus on strategic, financial, insurance, environmental, or other types of risks. Despite the different models of risk management, there is a focus on three core tasks: (1) determine the context or system to be evaluated, (2) perform risk assessment, and (3) treat or mitigate the risk to limit loss or disruption. Within the risk assessment task, specific risk identification, risk analysis, and risk evaluation are performed. Figure 2 illustrates the overall risk management process and the risk assessment steps typically found in a risk management program or an SMS. Incident reporting is one of the basic components of a safety risk assessment (SRA). Previously known as SRA, the term has recently been shortened to safety assessment (SA) in FAA SMS documents. To understand the role incident data collection and reporting plays in overall risk management, an understanding of the terms âriskâ and âhazardsâ is necessary. Defining Risk The literature search resulted in several different definitions for the term ârisk.â In its sim- plistic form, risk is the potential for an unwanted outcome. The U.S. Department of Homeland Security (DHS) expands on the definition and describes it as the potential for an unwanted outcome resulting from an incident, event, or occurrence, as determined by its likelihood and the associated consequences (DHS 2010, p. 27). The U.S. Government Accountability Office (GAO) defines risk as the effect of uncertainty on objectives with the potential for either a negative or positive outcome or opportunity (GAO-17-63 2016, p. 1). ACRP Report 74: Application of Enterprise Risk Management at Airports defines risks as uncertain future events that may influence an organizationâs ability to achieve its objectives (Marsh Risk Consulting 2012). The authors of the report increase understanding of the different aspects of risk by stating it is usually applied in one of three distinct applications: Figure 1. Description of incident data reporting used in the synthesis.
Incidents Applied to Safety and Risk 21 ⢠Risk as exposure. ⢠Risk as uncertainty. ⢠Risk as opportunity. Risk as exposure reflects the more common use of the term. It carries negative connotations in that something bad will happen, such as harm, injury, financial loss, lawsuits, or threats to meeting objectives. Traditional airport safety-centric oversight tends to focus on hazards exposure and the prevention of accidents. Incident reporting is used to identify exposure to risk. Risk as uncertainty considers both positive and negative outcomes and views it as the degree of variance between anticipated outcomes and actual results. This reflects the traditional financial and insurance aspects of risk and incident management. The last, risk as opportunity, implies that a relationship exists between risk and return. The greater the risk, the greater the potential for return, but also the greater the potential for loss. This observation of risk is found in the strategic planning and enterprise-centric opportunity aspects of managing an airport. These categories view risk as the degree of variance between anticipated outcomes and actual results, both positive and negative. The concept of an outcome as positive or negative and having a variance from an intended path or objective helps explain how incident reporting applies to ERM. Other variations of the term âriskâ stem from how it is used or applied in different areas of a business. A common lexicon will categorize risk into financial, strategic, business, operational, security, or similar types of risk. The categorizations help distinguish the risk types referenced and illustrate how risk manifests itself at different levels of an organization, from the strategic, to the operational, to the tactical, and to the individual levels. The categorizations also display Figure 2. The ISO 31000 risk management process. Source: Copyright International Organization for Standardization (ISO). This material is reproduced from ISO 31000:2009 with permission of the American National Standards Institute (ANSI) on behalf of the International Organization for Standardization. All rights reserved. Used with permission.
22 Airport Incident Reporting Practices how within an airport organization risk can be isolated into functional, programmatic, or organizational silos. Hazards Hazards are associated with risks. As with other definitions, context plays a role in how a hazard is defined. The FAAâs Risk Management Handbook describes a hazard as âa present condition, event, object, or circumstance that could lead to or contribute to an unplanned or undesired event such as an accidentâ (FAA-H-8083-2 2009, p. G3). A hazard could also be construed to lead to an unplanned or undesired event, such as a loss of reputation or the failed attainment of a strategic goal. Not referenced in the definitions of hazard is the evolving notion of hazard as an opportunity for the organization to learn how to improve. That is where incident reporting and an ERM are of value. Enterprise Risk Management The objective of ERM is to understand an organizationâs portfolio of top risk exposures, which could affect the organizationâs success in meeting its goal (GAO-17-63 2016). ERM is designed as a tool to support the achievement of an organizationâs mission, goals, and objectives, and to help airport organizations improve their decision-making capabilities. It accomplishes that goal by allowing management to view risks across the whole organization. For it to do so, the organization needs to capture data and monitor variations or incidents that could lead to new directions or to misdirection. That is the role of incident reporting. ERM is also intended to help integrate the functional, programmatic, or organizational silos often found at medium to large hub airports. Traditionally, risk management considerations tend to fall within a single unit or area of an organization, with little sharing of information among other units. This is known as the silo effect. However, activities of one business unit, functional area, or program can and do affect the activities of another. For instance, the departments of finance, insurance, planning, engineering, maintenance, operations, marketing, and ground transportation may all have their own unique risk management attributes. Those attributes may not be shared or compatible with the attributes of other departments, yet a dependency and interdependency can exist between them. The field of ERM is still evolving from its basic formation when it was developed around 1985. Its purpose was to combat fraud in the financial and capital markets. Only in the last decade has it entered the lexicon of todayâs safety and risk managers at airports. At this time, ERM is utilized at relatively few airports. The authors of ACRP Synthesis 30: Airport Insurance Coverage and Risk Management Practices, published in 2011, reported the following (Rakich et al. 2011, p. 16): âNone of the interviewees defined âenterprise risk management.â One interviewee said, âI have yet to meet anyone who actually practices enterprise risk management,â and that it was not easy to do so because uninsurable risks were often addressed by line managers, not by the risk manager.â A year later in 2012, ACRP Report 74 was published (Marsh Risk Consulting 2012). Only three airports were identified in ACRP Report 74 as practicing ERM. For this synthesis report, two of the same airports were involved and five additional airports were found to be practicing ERM [Question 1.a.]. Interviews with the airports indicated different levels of implementation, with none fully developed at this time. With ERMâs slow integration into airport organizations, it became apparent during interviews that the progression of an ERM program was due in part to a champion existing within the organization who was versed in the requirements and metrics of ERM.
Incidents Applied to Safety and Risk 23 Similar to the numerous definitions for risk, ERM has several definitions (see Appendix B). ACRP Report 74 describes ERM as a holistic approach and process to identify, prioritize, mitigate, manage, and monitor current and emerging risks in an integrated way across the breadth of the enterprise (Marsh Risk Consulting 2012, p. 53). In July 2016, the U.S. Office of Management and Budget (OMB) issued an update to Circular A-123 requiring federal agencies to implement ERM to better ensure their managers are effectively managing risks that could affect the achievement of agency strategic objectives (OMB Circular A-123 2016). OMB defines ERM as a discipline that addresses the full spectrum of an organizationâs risks, including challenges and opportunities, and integrates them into an enterprise-wide, strategically aligned portfolio view (OMB Circular A-123 2016, p. 9). The OMB circular requirements filter down to airports through the grant acceptance and assurance processes. An ERM is intended to overcome the limitations of the departmental silo effect by providing a top-down view of risk interactions throughout the organization. For instance, changes in purchasing policies to limit certain negative risk exposure could increase an airfield operations departmentâs risk exposure and jeopardize compliance with airport certification requirements. An example would be for a purchasing department to minimize the number of sole-source providers by requiring at least three bid proposals for an intended procurement. If the policy affects the length of time and cost for airfield operations to acquire aircraft fire fighting foam in a timely and cost-effective manner, emergency response capability and compliance with 14 CFR Part 139 could be jeopardized. An ERM depends on evaluating various drivers (or indicators) that affect the organization. The drivers can be external, internal, or from the various enterprises. Identifying risks and then balancing the risk controls with a degree of flexibility are important to an organizationâs overall ERM. Table 3 lists sample risk categories and related drivers, or KPIs. An incident reporting system would involve data collection for identifying performance trends or possible regulatory compliance for each of the key risks. Source: Yip and Essary 2010. Used with permission. Table 3. Enterprise risk management: sample key risk categories.
24 Airport Incident Reporting Practices The ERM process is described in ACRP Report 74 as âa continuous process that involves the identification and prioritization of risks and opportunities and the implementation of actions to mitigate top risks and capture opportunitiesâ (Marsh Risk Consulting 2012, p. 24.) An ERM is based on the concept of continuous improvement and reflects the quality control process of the Plan-Do-Check-Act (PDCA) cycle. The outer circle of Figure 3 reflects a basic decision-making process. Incident reporting is part and parcel of basic decision-making, as it is a key element of the risk identification phase. It is one of the tools used to identify hazards, risk, and opportunities at an airport. Incident data collected in the risk identification stage are then used in the safety assurance phase as a check on the risk assessment mitigation strategies to ensure the intended corrective results have been achieved. For organizations that use an ERM program, the use of incident reporting is an important element, as it enhances organizational decision-making. In both ACRP Synthesis 30 (Rakich et al. 2011) and ACRP Report 74 (Marsh Risk Consulting 2012), ERM conceptually requires airport management to proactively anticipate the significant risks and opportunities their airport faces and to develop response and resource plans in advance. An incident reporting system is a primary tool for fulfilling the risk assessment process for proactively anticipating risks and opportunities. A critical element of incident reporting is to identify risks. The term âreportingâ also signifies the importance of communication to others as a means for continuous improvement. For ERM, communication and consultation are important, as it is necessary to monitor an organization at different levels to ensure incidents and risks do not become silo-constrained. Incident reporting under an ERM is designed to recognize change in the airportâs risk profile. A risk profile is basically an overall picture of issues that may introduce risk and change at any level of the organization at any time. A change can be negative or positive, be qualitative or quantitative, and have certain or uncertain consequences. With the sharing of incident and risk information, trust within and outside of the organization is developed. Figure 4 illustrates the numerous stakeholders that can be affected by an incident or change in the organization. Airport Goals, Objectives, and Strategies Assess/analyze/ evaluate risk Identify all risks Review control effectiveness Develop risk responses Aggregate results & integrate Review results, report, and monitor Risk Identification R isk P rio ritizationM ea su re , M o n it o r an d R ep or t Risk Response Planning Review of C urr ent Co nt ro ls INCIDENT COLLECTION REPORTING AND DATA INCIDENT FOR USE OF REPORTING AS A BASIS INDICATORS PERFORMANCE In te gr ate wi th D ecis ion-M aking Figure 3. Importance of incident reporting system in an enterprise risk management program. Source: Marsh Risk Consulting 2012. Used with permission.
Incidents Applied to Safety and Risk 25 To properly implement an ERM at an airport, the literature indicates the following require- ments are necessary: ⢠Encouragement and promotion of risk, hazard, and incident reporting. ⢠Assessment of risks. ⢠Need for management, staff, and employees to understand their roles in ERM. In understanding oneâs role in ERM, the literature suggests that training programs need to do the following: ⢠Support the reporting of risks, hazards, and incident reporting. ⢠Provide a culture of open feedback. ⢠Develop a risk-aware culture that enables all persons to speak up and then be listened to by decision-makers. ⢠Encourage the sharing of risks and incident information. Scorecards and Dashboards To help manage the information provided in an ERM, scorecards, dashboards, and indicators are common tools for understanding the parameters chosen by the airport to evaluate and monitor incidents. At a glance, each conveys important performance information. Dashboards and scorecards allow airport organizations the ability to visualize and track key incident management, safety, or performance measures. Dashboards can be adapted to all levels of the organization to display strategic, tactical, and day-to-day operations. Scorecards are usually associated with more strategic initiatives and are used primarily at the executive levels. Examples of dashboards are provided in several case examples found in Chapter 9. Available on the internet are a number of spreadsheet or other program templates for creating dashboards. In the survey, seven airports stated they have a dashboard or other benchmark method to display their incident data [Question 4.g.]: Atlanta, Dallas-Fort Worth, Houston, Portland, Seattle, Columbus, and Sarasota (see Chapter 9). Figure 4. Stakeholders affected by an incident or accident in the organization. Source: Freibott 2013. Used with permission.
