Lessons from Aviation Risk Management

Friday 13 January 2017

Friday's Feature 

Risk management is industry-agnostic. And, while business priorities for each industry may be different, all organisations need to have an effective risk management framework.

Risk levels for some industries are higher than for others. The positive here, however, is that industries can learn from one another to improve their own risk management systems.

Last year, Sasha Culjkovic, a GRC Institute Director, highlighted the similarities between the aviation and financial industries in a presentation entitled ‘What the Financial Industry can learn from Risk Management in Aviation’.

In his presentation, Culjkovic looked broadly at several categories:

  • Risk profiling
  • Risk identification
  • Cultural indicators
  • Audit and its development
  • Risk rating
  • Communication
  • Benchmarking
  • Transnational learning

Risk profiling
In his presentation, Culjkovic demonstrated the significance of aviation risk profiling—that is, the way of determining the risk of an existing process, then developing an appropriate strategy for that area—through the example of aerial mustering.

Aerial mustering “…is where rotary-wing helicopters fly very low over cattle and try to herd them all together in a certain direction—lots of incidents, lots of accidents and lots of fatalities,” Culjkovic explained.

The Civil Aviation Safety Authority (CASA) presents a picture of the key risks affecting the sector at a specific point in time.

“The risk profile for the sector contains the definition of the sector, the content used to develop the risk profile, identification of the risk, risk ratings, location of the participants in the sector and the proposed risk treatments,” Culjkovic continued.

Of course, these steps should not be new to risk management professionals. But performing risk profiles across multiple sectors, and comparing those sectors, is something the aviation industry has been very good at.

It would be very valuable, Culjkovic believes, if the financial industry could also take that sector-specific process and do a holistic risk assessment.

“CASA did a stakeholder map to show all those involved in aerial mustering—that is, those key stakeholders with an influence over or who are affected by aerial mustering,” he said. That stakeholder map included not only those involved in aviation and transportation, but also organisations like the RSPCA, who are interested in animal welfare.

“Often, you have different regulators from different backgrounds having a very strong influence on the risks relating to this particular industry or the sector. So, I think it won’t be much different in the financial industry, where it’s a big piece of learning to say ‘are we considering all stakeholders in our risk assessment?’” Culjkovic said.

Risk identification
As part of the risk identification process, the aviation industry tends to ask its senior managers, ‘What keeps you awake at night?’ After that, the next question is always, ‘What are you doing about it?’

According to Culjkovic, “This is a very contemporary approach to risk identification, but one used more and more in high-risk industries. The benefit of it is that it really introduces personalisation to the whole concept of risk.”

Questions that target the human element also attempt to identify what the risk really means to the person employed in that role. Such subjective questions are different to just going in and asking what the key risks might be. More importantly, the response to those types of questions is also different.

Culture and cultural indicators

The subjective approach can also be used to identify employees’ perceptions of the culture of their organisation.

Asking staff to answer ‘I feel’-oriented questions can give assessors a chance not only to identify where staff members are at, but also to determine the way they perceive their organisation. This can and will impact on their behaviour towards the organisation’s mandatory and voluntary commitments.

“There is no ‘right or wrong’ in this because it is their subjective feeling,” Culjkovic explained. “When people make behavioural decisions in the workplace, they do so based on their subjective feelings.”

Thus, the way a staff member behaves, and the decisions they make in the workplace, are influenced by their feelings, which, in turn, can be influenced by factors external to their role, and indeed, to that organisation.

“It is itself a lead indicator,” Culjkovic explained, “which is something we are all moving towards. If people feel the organisation does not care—either about them, or about risks facing the company—they will start to behave unsafely.”

With the Australian Securities and Investments Commission (ASIC) now focussing on culture and the impact of ‘media regulation’, organisations should not be surprised at how important it is to assess the culture of their different business units in order to mitigate risk.

Further to this, Culjkovic said that another effective measure of cultural indicators would be the attendance of executives at risk committee meetings, because it can indicate the priority allocated to risk management over other tasks at hand.

Audit and its development
High-risk industries are making a move to a more collaborative mode of auditing.

“A lot of organisations to which I have spoken have started to utilise different types of auditors. So, not those policemen and women, but more cultural and ‘HR’ types, who can actually build a personal rapport with the auditee,” Culjkovic said.

It is very much a move away from the textbook style of investigation. “Auditing duties are now expanding beyond the small audit team, increasingly training up other staff to assist in auditing activities, so that more people are involved in and take ownership of the risk management process.”

Risk rating
Culjkovic said that it is generally accepted that Risk = Probability × Magnitude, particularly for organisations in the public eye.

He added that increasingly, businesses adopt Sandman’s model (2001), which suggests that Risk = Hazard + Outrage.

“This means that we need to assess risk not only in the traditional way, but also based on public interest in adverse outcome. Yes; there are the obvious hazards, but there is also the outrage component, which is purely psychological,” he explained.

Dr Peter Sandman, who coined this model, wrote on his website that:
In the mid-1980s, I coined the formula “Risk = Hazard + Outrage” to reflect a growing body of research indicating that people assess risks according to metrics other than their technical seriousness: that factors such as trust, control, voluntariness, dread, and familiarity (now widely called “the outrage factors”) are as important as mortality or morbidity in what we mean by risk.

In an era when every device has a camera, and posting content online is easy, any industry in the public eye—such as the financial industry—needs to be aware of the serious damage posed by the psychological impact of differing perspectives on the same issue.

For example, in aviation, “There would be a landing and the aircraft has to brake heavily, and the brakes catch fire,” Culjkovic said. “That is just not a big deal in aviation; brakes are designed to catch fire and have built-in fire suppression systems.

“However, if a burning landing gear is shown on the news, it catches the attention of the public, which is generally not educated in aviation matters and hence cannot properly assess the severity of the event. Thus, brake fires become a more major risk.”

Both formulas are relevant when it comes to public relations, as well as when trying to control the narrative around your organisation, especially in light of out-of-context uploads and the ongoing ‘fake news’ phenomenon.


Communication
Culjkovic reinforces the importance of engaging other staff members in risk management.

“The aviation industry has a name for it,” he said. “It’s called Safety Promotion.” He added that organisations in other industries also need to have a safety management system (SMS) that is promoted across the organisation—that is, they need their own method of safety promotion.

Communicating outside the risk management space also means being able to translate highly technical data in such a way that it is understood by staff outside of risk management business units. This should not be a foreign concept in risk management; it supports the universality of the fundamental principles of risk management.

“It encompasses the move in risk management from data to information, the latter being data that has been interpreted and is presented in a way that can start a good conversation within the organisation.”

Benchmarking
Internal benchmarking is prevalent in high-risk industries. “That means different areas have different functions in relation to risk, the mitigations of those risks, and the effectiveness of those mitigations. But how do different sectors within the organisation compare to each other?” Culjkovic asked.

The emphasis on benchmarking each sector is not so different from the example of aerial mustering, and the importance to the aviation industry of highlighting the stakeholders from different, and even external, areas.

With benchmarking, it is possible to involve staff through friendly competition, such as the example of the ‘I feel’ and the ‘What keeps me up at night’ cultural behaviour questions. It all has to do with psychological impact.

Culjkovic added that the scientific basis for this can be linked back to BF Skinner and the concept of the rewards system that underpins the notion of classical conditioning. “Whoever ‘wins’ the internal benchmarking gets a positive reward, which in turn gives an immense amount of ownership. Next year, they will want to win that prize again,” he explained.

Transnational learning
While the example Culjkovic gives for transnational learning does not correlate directly with the aviation industry, it does relate to high-risk industries in general.

“It really came out, in particular, after the Fukushima nuclear disaster. One of the key reasons why one of the books published after the disaster dedicated an entire chapter to transnational learning was because they realised that, had they actually just looked at some of the incidents that had already occurred overseas, the Fukushima disaster would never have happened,” Culjkovic said.

This is something organisations should already be doing, alongside efforts to overcome cultural, social and political differences.

This can also translate to the financial industry in cases where businesses have felt they had to resort to unethical and non-compliant practices, such as the J.P. Morgan case, highlighted recently in the media for violating the Foreign Corrupt Practices Act (FCPA) by hiring relatives of senior Asian officials in order to overcome the difficulties of breaking into that market.

It’s all just risk management 
While the presentation focused on what the financial industry can learn from risk management in aviation and other high-risk industries, the fundamental principles of risk management are universal.

And, ultimately, whether you consider your organisation’s place on the risk scale to be immature (who does?), emerging, or mature, risk management is agnostic, and so are many of the methods you can use to mitigate the risks specific to your industry.


Sasha Culjkovic, a Director of the GRC Institute

Sasha Culjkovic is a dynamic and enthusiastic GRC professional, who combines theoretical business knowledge with almost 20 years practical GRC management experience to assist organisations in overcoming compliance challenges.