P4-SAF-0004
1 JULY 2021
AAR WASS P4-SAF-0004
Table of Contents
1. Revision History
2. Scope
3. Owner
4. References
5. Associated Documents/Forms
6. Definitions
7. Responsibilities
8. Hazards
9. Risks
10. What Are Assets
11. SAFETY RISK ASSESSMENT PROCEDURE
12. Hazard Identification
13. Principles of Risk Management
14. Terms and Definitions
ATTACHMENT 1 – RISK MANAGEMENT WORKSHEET EXAMPLE
ATTACHMENT 2 – RISK MANAGEMENT WORKSHEET
TABLES
Table 1: Revision History *Add, Modification or Deletion
Table 2: Risk Probability Categories
Table 3: Risk Severity Categories
Table 4: Root Cause Table
Table 5: Acceptable Risk Determination
FIGURES
Figure 1: SRM/Safety Assurance Diagram
Figure 2: Risk Assessment Potential Risk Chart
Figure 3: Risk Assessment Matrix
Printed or saved copies are considered uncontrolled and shall be used for reference only.
1. Revision History
Change Number | Date | Number of Figure, Table or Paragraph | *AMD | Title or Brief Description | Change Requester PID
Rev 1 | 07/1/21 | Annual Review of SOP | M | Operational Risk Management Procedure | HH9292
2. Scope
To provide all levels of management with a standardized written process to identify and
control undesirable events before they occur. This document shall be used as the
primary risk management tool for all CONUS and OCONUS AAR ground and flight
support activities. An actual “Flight Risk Management” shall be conducted in accordance
with the “Guide for Aviation Training and Standardization (GATS).”
3. Owner
The Aviation Safety Manager owns this procedure. No changes, additions, or alterations
may be made without the owner’s written approval.
4. References
Appendix C to 29 CFR 1910.119 – Compliance Guidelines and Recommendations for
Process Safety Management (Non-Mandatory)
U.S. Army – FM 3-100.12 (DoD Joint Services Publication for Risk Management)
U.S. Army Regulation 385-10
ICAO Safety Management Manual DOC 9859 Fourth Edition, 2018
FAA Advisory Circular No. 120-92B
FAA Order 8040.4A Safety Risk Management Policy, Effective Date 04/30/12
5. Associated Documents/Forms
Plan-4-SAF-0001 Flight / Ground Safety Operations
6. Definitions
Terms and definitions are found in Section 13.
7. Responsibilities
Organizationally, risk management is a shared responsibility at all levels of management.
Employees, at all levels, are responsible for complying with rules, regulations, and
policies, and for avoiding/mitigating risks both in daily activities and in supporting
operational missions and management decisions.
The Program Director acting as the Accountable Executive (AE) and all Directors and
Site Managers have all signed a Safety Management Systems (SMS) Policy statement
establishing an effective risk management process to mitigate or eliminate the risks
encountered while conducting Air Wing operations and support activities. Supervisors
and Leads must ensure a supportive risk management environment; provide employees
with the necessary skills and knowledge to identify and mitigate risks and hold them
accountable for doing so; monitor risk indicators and ensure necessary corrective actions
are taken.
7.1. Safety Risk Management (SRM)
SRM is the core activity of the Safety Management System. It is a decision-making tool
that utilizes a set of standardized processes to proactively identify and fully document
hazards, analyze and assess potential risks, and prescribe appropriate mitigation
strategies.
Throughout the SRM process, hazards are identified; risks are analyzed, assessed,
prioritized, and then mitigated appropriately.
The end state of the process is to reduce risk to “As Low as Reasonably Practicable”
(ALARP). Staff members must work towards risk mitigation in daily activities, alert
supervisors to possible problems, and help take corrective actions.
7.2. Purpose of Safety Risk Management
The purpose of risk management is to identify potential problems (undesirable events)
before they occur so risk-handling activities may be planned, developed, and invoked as
necessary to mitigate identified hazards. The objective is to protect personnel and assets
against the negative consequences of non-desirable events in order to achieve desired
objectives.
The overriding objective for implementing risk management is to provide reasonable
assurance to both executive and senior-level management that the organization’s goals
and objectives are achieved. It is a primary management tool to assist in the alignment
of risks and strategy, enhance risk response decisions, reduce operational surprise and
losses, identify and manage cross-MOB/FOL risks, provide integrated responses to
multiple risks, seize opportunities and improve rapid response capabilities.
7.3. Applicability of the SRM process
The SRM process is designed to be multifaceted and can be applied in one of three
ways:
Reactive – The reactive application of the SRM process is typically in response to the
identification of a hazard or an ineffective risk control resulting from an event that has
already occurred (investigation or quality escape). The process will allow for further
review of additional or hidden risks associated with the event as well as any new risk
controls required for mitigation purposes.
Proactive – The proactive application of the SRM process is initiated in response to
significant changes to the organization or its operations that could lead to new hazards.
The intent is to prescribe appropriate mitigation strategies to control risk before an event
occurs. The SRM process will be applied to high-risk audit findings and may apply to
lower-risk audit findings at the discretion of the Site Manager.
Predictive – The predictive application of the SRM process is initiated with any observed
“trend” resulting from internal trend analysis processes or key performance indicators.
The intent is to provide insight into any undiscovered hazards that may not be readily
identified by trend analysis.
7.4. Risk Management and When to Use It
Risk management tends to facilitate the exchange of information, ideas, and expertise
across functional areas and disciplines. Its purpose is to generate ideas and promote
good business practice. All too often, assessments of hazards are crudely made and the
consequences of getting things wrong can be serious, including lost opportunities, loss
of business, loss of reputation, and even life. In the long run, risk management can save
time, money, and protect assets.
Risk management must be used whenever there is a likelihood of a non-desirable event
or negative outcome that may place the organization, assets, or personnel at an
unacceptable risk. This also includes the inability to meet desired goals and objectives.
Risk consideration must include those activities or circumstances associated with
business, finance, operational support, politics, legal activities, security, accidents,
safety, or the environment.
7.5. Safety Risk Management Assists Management
Safety Risk Management (SRM), corporate policies, and program standard operating
procedures must be integrated and should augment each other. Risk management
strengthens executive-level oversight, forces an assessment of existing senior
management-level oversight structures, clarifies risk management roles and
responsibilities, sets risk management authorities and boundaries, and effectively
communicates risk responses in support of key business objectives:
• Evaluating the likelihood and impact of non-desirable events
• Developing responses to either prevent those events from occurring or
manage their impacts if they do occur.
There are many silos of ideas and stove-piping of information within the organization,
each having a point of view on managing risks. Silo or stove-piping mentality inhibits
efficient allocation of resources and management of common risks, program wide. When
managing multiple risks there is a need for a common framework within the SMS
program in order for risk management to be effective.
As AAR and other departments within AAR talk more about the importance of Safety
Risk Management (SRM), senior management may be required to disclose and
comment on the department’s capabilities for understanding and managing risks. Formal
and informal assessments are necessary to determine whether expected results are
adequate in relation to the risks undertaken.
As the business environment continues to change and the pace of change accelerates,
management must become better at identifying, prioritizing, and planning for risk. Risk
The schematic below illustrates categories of potential future events that might
be considered during a risk assessment:
[Schematic not reproduced. Labels recovered from the figure: Physical Assets; Customer Assets; Organizational Assets; Employee; Finance; Supplier; Unauthorized use; Inefficient use; Catastrophic loss; Pervasive quality; Significant losses of key customers or channels; Inefficient channels; Unacceptable costs; Loss of market or business opportunities; Talent shortages; Work stoppages; Loss of morale; Poor economic performance; Lack of economic sources of debt or equity capital]
11.2. Risk Assessment Matrix Probability Scale (Top of Matrix – Left to Right)
Frequent (A) | A-5 | A-4 | A-3 | A-2 | A-1
Probable (B) | B-5 | B-4 | B-3 | B-2 | B-1
Remote (C) | C-5 | C-4 | C-3 | C-2 | C-1
Extremely Remote (D) | D-5 | D-4 | D-3 | D-2 | D-1
Extremely Improbable (E) | E-5 | E-4 | E-3 | E-2 | E-1
Frequent (A) | Expected to occur routinely | Expected to occur more than 100 times per year (or more than approximately 10 a month)
Remote (C) | Expected to occur infrequently | Expected to occur one time every 1 month to 1 year
Extremely Remote (D) | Expected to occur rarely | Expected to occur one time every 1 to 10 years
Extremely Improbable (E) | Unlikely to occur, but not impossible | Expected to occur less than one time every 10 years
available facilities, available time, host nation, and civil considerations. These
factors are used because they have a direct impact on our mission and operation.
• Personnel Factors: includes company policies for recruitment, training, and
remuneration.
• Procedures and Operating Practices: This includes documentation of procedures
and operating practices, checklists, and their validation under actual operating
conditions.
• Regulatory Oversight Factors: includes the applicability and enforceability of
regulations, the certification of equipment, personnel and procedures, and the
adequacy of surveillance audits.
• Security Factors: includes individual employee non-compliance, criminal
violations, and deliberate attacks from an adversary.
• Work Environment Factors: includes ambient noise and vibration, facilities,
temperature, hazardous materials, lighting, and the availability of protective
equipment and clothing.
12.3. Root Causes
Identify the root cause(s) for each hazard identified. Think of the reason why this
undesirable event could occur. There may be several root causes of a hazard. Use
the table to assist in the identification of root causes.
Root Cause

1.0 Process
1.1 Inefficient/ineffective process design
1.2 Inadequate delivery of outsourced activities
1.3 Insufficient customer assessment

2.0 People, Organization and Culture
2.1 Employee error
2.2 Employee fraud and misconduct
2.3 Inability to attract, develop, and retain intellectual capital
2.4 Lack of clear roles and responsibilities
2.5 Deficient values, integrity, and ethics
2.6 Insufficient organizational structure, oversight, and accountability
2.7 Inappropriate performance incentives
2.8 Inadequate workplace safety

3.0 Information Technology
3.1 Unavailability and instability of systems
3.2 Lack of information integrity
3.3 Inappropriate infrastructure
3.4 Lack of timely, reliable, and relevant information for decision making (internal and external)
3.5 Inadequate data security and access
3.6 Inappropriate data usage (internal and third party)
3.7 Competitor Actions

4.0 External and Environment
4.1 Natural disasters, catastrophic events, terrorist attacks
4.2 Key supplier and partner exposure
4.3 Political and economic impacts
4.4 Unresponsive to legal, regulatory, or compliance changes
4.5 Product misuse
4.6 Physical asset misuse or theft
4.7 Inadequate workspace
4.8 Insufficient time (customer-imposed schedule)

Table 4: Root Cause Table
Extremely High Catastrophic Risk - Mission cancellation or implementation of Risk Mitigations until
levels are controlled to Medium Risks.
Accept Risk When Costs Outweigh the Benefits: The process of weighing risks
against opportunities and benefits helps to maximize operational success. Balancing
costs and benefits is a subjective process.
Anticipate and Manage Risk by Planning: Integrate risk management into planning
at all levels. Managers must dedicate time and resources to apply risk management
effectively in the planning process, where risks can be more readily assessed and
managed. Integrating risk management into planning as early as possible provides
leaders the greatest opportunity to make well-informed decisions and implement
effective risk controls. During execution phases of operations, the risk management
process must be applied to address previously unidentified risks while continuing to
evaluate the effectiveness of existing risk control measures and modify them as
required.
13.3. Risk Assessment Pitfalls
The following are some pitfalls that should be avoided during the Risk Assessment
process:
• Over-optimism: “It can’t happen to us. We’re already doing it.” This pitfall results
from not being honest and not looking for root causes of the hazard.
• Lack of Urgency: This is not an “over-optimism” or the “sky is falling” attitude, but
it may be necessary to jolt people out of complacency to make them believe that
the current situation is more serious or dangerous than first believed. Without
motivation, people won’t help, and the effort goes nowhere.
• Misrepresentation: Individual perspectives may distort data. This can be
deliberate or unconscious.
• Alarmism: The “sky is falling” approach, or “worst case” estimates are used
regardless of their possibility.
• Lack of follow through: An “out of sight, out of mind” attitude – you start the risk
assessment but fail to supervise, enforce changes, or make changes after risk
factors have been altered or have changed.
• Lack of Communication: Risk management is not possible unless personnel are
informed and understand the process or goals. Personnel must be informed and
willing to help even if only making short-term sacrifices.
• Lack of Planning: Risk management is not possible due to the lack of proper and
timely planning.
13.4. In Review
Risk management is the process of identifying hazards, assessing the hazard, and
taking steps to eliminate the risk or reduce risk to an acceptable level. It is an integral
component of business and operational support activities which involves a logical
process of objective analysis, particularly in the evaluation of the hazards.
14. Terms and Definitions
Hazard – is any real or potential undesirable event that can: (1) have a negative
impact on financial markets; (2) prevent the company from meeting business or
operational objectives; (3) have a negative impact on the project or program; (4)
cause or increase legal liabilities; (5) increase credit risk; (6) cause or have the
potential to cause injury, illness, death to personnel; (7) cause damage to or loss of
equipment or property, or environmental impact; (9) undesirable events resulting in
criminal actions, fines or other financial responsibility; (10) affect or weaken security
efforts; (11) have negative political impacts; (12) put personnel and assets at risk
because of natural disasters as well as deliberate attacks from an adversary.
Business Disruption and System Failures – Losses arising from the disruption of
business, operations, or system failures.
Execution, Delivery, and Process Management Breakdowns – Losses from
failed transaction processing or process management, from relations with trade
counterparties and vendors.
Clients, Products, and Business Practices Failures – Losses arising from an
unintentional or negligent failure to meet a professional obligation to specific
clients (including fiduciary and suitability requirements), or from the nature or
design of a product.
Damage to Physical Assets – Losses arising from loss or damage to physical
assets from natural disasters or other events.
External Fraud – Losses due to acts of a type intended to defraud,
misappropriate property or circumvent the law, by a third party.
Failures of Employment Practices and Workplace Safety – Losses arising from
acts inconsistent with employment, health, or safety laws or agreements, from
payment of personal injury claims, or diversity/discrimination events.
Financial and Regulatory Reporting Errors – Losses resulting from financial or
regulatory reporting errors or failures, thus not ensuring the complete and accurate
disclosure of the Company’s financial, business, and regulatory results.
Internal Fraud – Losses due to acts of a type intended to defraud, misappropriate
property or circumvent regulations, the law, or company policy, excluding
diversity/discrimination events, which involves at least one internal party.
Issue – A concern that will negatively impact forward progress towards program objectives.
Probability (Likelihood) – The likelihood that an undesirable event or hazard will
occur.
Risk – Any condition, event, or factor that might prevent the organization from
achieving its objectives.
Root Cause – Ultimate source of a defect or hazard, in that if the root cause
is removed, the defect or hazard would be decreased or removed.
Severity – The expected consequence of an undesirable event (hazardous incident)
in terms of the degree of injury, property damage, fines, loss of revenue, or other
mission impairing factor.
Threat – A “threat” represents the failure mode through which the hazard can
materialize. It is a “sub-set” of a hazard and a direct immediate source of danger or
an undesirable event including any opposing force, condition, source, or circumstance
with the potential to negatively impact personnel, program assets, or mission
accomplishment and/or degrade mission capability.
Undesirable Event – An event that interrupts or restricts the continuity of maximum
quality of production and operational effectiveness. Undesirable events also include
negative deviations from standards.
14.1. Operational Risk – Process
• Inefficient/Ineffective Process Design – The risk of inadequate or poorly
designed business/transaction processes, including a lack of end-to-end
process ownership and accountability.
• Inadequate Delivery of Outsourced Activities – The risk that outsourcing partners
do not deliver services in line with expectations or commit actions that are
inconsistent with AAR's strategies, objectives, and values.
• Insufficient Customer Assessment – The risk of inadequate or failed processes
to assess existing and potential customers for suitability concerning regulatory
requirements and AAR's policies and values.
14.2. Operational Risk – People, Organization and Culture
• Employee Error – The risk of unintentional errors by employees due to a lack of
competence, training, or unfamiliarity with regulations, policies, and procedures.
• Employee Fraud and Misconduct – The risk of intentional misconduct and/or
fraudulent activities against AAR's assets by employees.
• Inability to Attract, Develop and Retain Intellectual Capital – The risk of
insufficient programs and initiatives to attract, develop and retain key personnel,
capture and institutionalize intellectual (knowledge) capital, and protect against
the sudden loss of key individuals or groups of employees.
• Lack of Clear Roles and Responsibilities – The risk that roles and responsibilities
are not clearly defined, communicated, and understood by employees, including
cross-organizational objectives.
• Deficient Values, Integrity, and Ethics – The risk of an employee breach of AAR
values and Code of Conduct standards related to integrity, ethics, and
discrimination.
• Insufficient Organizational Structure, Oversight, and Accountability – The risk
that business line organizational structure and management oversight
is insufficient to monitor and manage day-to-day business activities and hold
employees accountable for their performance.
• Inappropriate Performance Incentives – The risk of either insufficient
performance incentives or incentives that are unrealistic or misunderstood
AAR P4-SAF-0001
Operational Risk Management
Dept.: Safety Eff. Date: 05/12/2021 Rev.: 1 Pg. 27 of 28
PREPARED BY: John Smith
FUNCTIONAL AREA: OPs
PHONE NUMBER: 321-123-4567
PID: JS12345
POSITION / TITLE: Ops Mgr.

STEP (1) IDENTIFY HAZARDS: Phase of Operation, Hazards, Causes
STEP (2) RISK ASSESSMENT: Initial Risk Assessment
STEP (3A) DEVELOP CONTROLS & MAKE RISK DECISION: Develop Controls, Residual Risk
STEP (3B) HOW TO IMPLEMENT
STEP (3C) HOW TO SUPERVISE

PHASE OF OPERATION | HAZARDS | CAUSES | INITIAL RISK ASSESSMENT | DEVELOP CONTROLS | RESIDUAL RISK | HOW TO IMPLEMENT | HOW TO SUPERVISE
Initial arrival | Protesters - riots | 4.4 Political and economic Impacts | High (Risk Value) | Personnel awareness, arrive after 12/12/2018 | Moderate (Risk Value) | Training civil affairs, fencing, guards | First line supervisors
Initial arrival | IEDs | 4.1 Terrorist attacks | Extremely High (Risk Value) | Use different FOL | Low (Risk Value) | Select an acceptable location | Site Manager
Initial entry | Diseases | 2.8 Water and airborne | High (Risk Value) | Immunize; Field sanitation; Contract cleaning | Low (Risk Value) | Pre-deployment actions, training | FOL Manager
Transporting non-sensitive support Equipment | Pilferage | 2.6 Insufficient organizational structure, oversight and accountability | Moderate (Risk Value) | Increase Security Force | Low (Risk Value) | Augment security force | Logistics Manager
Transporting sensitive Equipment | Pilferage | 2.6 Insufficient organizational structure, oversight and accountability | High (Risk Value) | Increase Security Force, Provide air cover | Moderate (Risk Value) | Augment security force | Operations Manager
Post Deployment | Loss of sensitive equipment | 2.6 Insufficient organizational structure, oversight and accountability | Moderate (Risk Value) | Proper inventory, Double Locks | Low (Risk Value) | Pre-deployment actions, training | FOL Manager
OVERALL RISK LEVEL AFTER CONTROLS ARE IMPLEMENTED:
☐ LOW (Acceptable) ☐ MODERATE (Undesirable) ☐ HIGH (Unacceptable) ☐ EXTREMELY HIGH (Intolerable)

AUTHORIZED APPROVING AUTHORITY
NAME:
PID:
SIGNATURE:
JOB TITLE: