This page is for safety managers, risk assessors, and anyone involved in hazard identification and risk decision-making. For the broader SMS framework, see The Four Pillars of SMS. For the specific risk matrix reference, see the Risk Assessment Matrix.
Hazards vs. Risks
Before diving into the process, it is important to distinguish between two terms that are often used interchangeably but mean different things in SMS.
A hazard is a condition that could foreseeably cause or contribute to an aircraft accident (14 CFR 5.5). It is a state of the world — ice on a runway, a fatigued pilot, an ambiguous procedure, a worn component. A hazard exists whether or not anything bad happens.
A risk is the composite of predicted severity and likelihood of the potential effect of a hazard (14 CFR 5.5). Risk is the assessment of what could happen if the hazard is realized — how bad the consequences could be and how likely they are to occur.
This distinction matters because it separates identification from assessment. You identify hazards. You assess risks. A runway with ice is a hazard. The risk associated with that hazard depends on your operational environment, deicing procedures, crew training, aircraft performance, and a dozen other factors. The same hazard can present very different risk levels for different operators.
The SRM Process
Safety Risk Management follows a structured sequence defined in 14 CFR Part 5, Sections 5.51 through 5.57. Each step builds on the previous one.
Step 1: Trigger
SRM is not a periodic exercise. It is triggered by specific events defined in Section 5.51: new systems or operations (launching a new route, acquiring a new aircraft type, introducing a new procedure), changes to existing systems (modifying maintenance procedures, changing crew scheduling practices, relocating a base), hazards identified through safety assurance (trends in safety reports, audit findings, investigation conclusions), ineffective risk controls (monitoring reveals that an existing control is not reducing risk as intended), and external changes (new regulations, industry safety alerts, changes at airports you serve).
This trigger-based approach ensures SRM is applied when it matters most — when something in the operation is changing or when new information about existing hazards becomes available.
Step 2: System Analysis
Before identifying hazards, you must understand the system under review. Section 5.53 requires consideration of the function and purpose of the system, the operating environment, relevant processes and procedures, personnel, equipment, and facilities, and interfaces with other systems.
System analysis establishes the boundaries of the assessment. A narrow focus (one procedure, one aircraft type) produces specific, actionable findings. An overly broad scope (the entire operation) produces generalities that are difficult to act on.
Step 3: Hazard Identification
Identify conditions within the system that could foreseeably cause or contribute to an accident. Sources include:
| Source | Examples |
|---|---|
| Safety reports | Employee-submitted hazard observations |
| Operational data | Flight data monitoring, maintenance trends |
| Audits | Internal and external safety audits |
| Investigations | Incident and accident root cause findings |
| Industry data | ASRS reports, NTSB bulletins, manufacturer alerts |
| Operational experience | Crew debriefs, lessons learned |
Step 4: Risk Analysis and Assessment
For each identified hazard, determine the potential severity of consequences and the likelihood that those consequences will occur. Compare the result against your organization’s defined acceptable risk levels. This is where the risk matrix comes in.
Step 5: Risk Controls
For any risk assessed as unacceptable, develop controls to reduce it. Then reassess the residual risk — the risk that remains after controls are in place. If the residual risk is acceptable, document the decision and implement the controls. If it remains unacceptable, develop additional controls or reconsider the operation.
The 5x5 Risk Matrix
The standard ICAO risk matrix plots severity against likelihood to produce a risk rating. The FAA does not mandate a specific matrix format, but requires that organizations define and document their risk assessment criteria. The 5x5 matrix is the de facto standard in aviation SMS.
Why These Two Dimensions?
Severity and likelihood capture the two aspects of risk that matter for decision-making. A hazard with catastrophic potential severity but improbable likelihood (a meteor strike) warrants a different response than one with minor severity but frequent likelihood (a paperwork error). The matrix forces you to consider both dimensions simultaneously.
Severity Levels
| Level | Category | What It Means |
|---|---|---|
| 5 | Catastrophic | Multiple fatalities or aircraft destroyed |
| 4 | Hazardous | Serious injury, major aircraft damage |
| 3 | Major | Significant injury, minor aircraft damage |
| 2 | Minor | Slight injury, slight damage |
| 1 | Negligible | No injury, no damage |
Likelihood Levels
| Level | Category | What It Means |
|---|---|---|
| E | Frequent | Likely to occur often or continuously |
| D | Probable | Will occur sometimes during operations |
| C | Occasional | Unlikely but may occur at some point |
| B | Remote | Very unlikely but possible |
| A | Improbable | Almost inconceivable |
Three Risk Zones
The intersection of severity and likelihood places each risk into one of three zones:
| Zone | Action Required |
|---|---|
| Acceptable (Green) | Accept the risk and document the decision |
| Tolerable / ALARP (Yellow) | Reduce risk As Low As Reasonably Practicable |
| Unacceptable (Red) | Do not proceed without effective controls |
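The matrix lookup and the Step 5 reassessment of residual risk, as an added example that is not PlaneConnection's code. The severity and likelihood labels come from the tables above; the cell-to-zone assignments (`RED`, `GREEN`), the `RiskEntry` fields and the sample entries are constructed assumptions, since each organization defines and documents its own criteria.

```python
from dataclasses import dataclass, field

SEVERITY = {5: "Catastrophic", 4: "Hazardous", 3: "Major", 2: "Minor", 1: "Negligible"}
LIKELIHOOD = {"E": "Frequent", "D": "Probable", "C": "Occasional", "B": "Remote", "A": "Improbable"}
ORDER = ["Acceptable", "Tolerable", "Unacceptable"]

# Constructed zone criteria (assumption): each organization defines and documents its own.
RED = {(5, "E"), (5, "D"), (5, "C"), (4, "E"), (4, "D"), (3, "E")}
GREEN = {(1, "A"), (1, "B"), (1, "C"), (1, "D"), (2, "A"), (2, "B"), (3, "A")}

def zone(severity: int, likelihood: str) -> str:
    """Map one matrix cell to its zone; reject ratings outside the 5x5 grid."""
    if severity not in SEVERITY or likelihood not in LIKELIHOOD:
        raise ValueError(f"not a matrix cell: {severity!r}{likelihood!r}")
    if (severity, likelihood) in RED:
        return "Unacceptable"
    return "Acceptable" if (severity, likelihood) in GREEN else "Tolerable"

@dataclass
class RiskEntry:
    hazard: str
    initial: tuple            # (severity, likelihood) before controls
    residual: tuple           # (severity, likelihood) after controls
    controls: list = field(default_factory=list)

def review(entry: RiskEntry) -> dict:
    """Apply the Step 5 decision to the residual rating and flag inconsistent entries."""
    before, after = zone(*entry.initial), zone(*entry.residual)
    findings = []
    if entry.controls and entry.residual == entry.initial:
        findings.append("controls recorded but the rating did not change")
    if not entry.controls and entry.residual != entry.initial:
        findings.append("rating changed with no control recorded")
    if ORDER.index(after) > ORDER.index(before):
        findings.append("residual zone is worse than initial zone")
    decision = {"Unacceptable": "do not proceed: add controls or reconsider the operation",
                "Tolerable": "reduce further (ALARP) and document the rationale",
                "Acceptable": "accept and document the decision"}[after]
    return {"initial": before, "residual": after, "decision": decision, "findings": findings}

# Constructed register entries (sample data, not from the page).
ICE = RiskEntry("Ice on runway", (4, "D"), (4, "B"), ["revised deicing SOP", "crew training"])
STALE = RiskEntry("Ambiguous procedure", (3, "C"), (3, "C"), ["memo to crews"])

if __name__ == "__main__":
    for e in (ICE, STALE):
        print(e.hazard, review(e))
```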
Consistency Over Precision
The matrix is a decision-support tool, not a scientific instrument. Different assessors may reasonably disagree about whether a hazard is “probable” or “occasional.” What matters is consistency — everyone in the organization should evaluate similar hazards similarly, and the rationale for each assessment should be documented.
PlaneConnection’s risk matrix provides standardized definitions and examples for each severity and likelihood level, helping assessors calibrate their judgments. Historical assessments are visible, so new assessments can reference how similar hazards were previously rated.
The ALARP Principle
ALARP — As Low As Reasonably Practicable — governs the yellow zone of the risk matrix. When a risk falls in the tolerable range, you are not required to eliminate it (that may be impossible), but you must reduce it as far as is reasonably practicable.
“Reasonably practicable” involves a proportionality judgment. A control that costs 10 million and marginally reduces an already-low risk may not be practicable. The burden of proof lies with the operator. If a risk control is technically feasible and the cost is proportionate to the risk reduction, the expectation is that you implement it. Your reasoning must be documented, because the FAA may review ALARP decisions during surveillance.
Initial Risk vs. Residual Risk
Every risk entry should track two states:
Initial risk (also called inherent risk) is the risk level before any controls are applied. This represents the raw exposure — what could happen if you did nothing.
Residual risk is the risk level that remains after controls are in place. Effective controls move a risk from a higher zone to a lower one — from unacceptable to tolerable, or from tolerable to acceptable.
The gap between initial and residual risk demonstrates the value of your controls. If a control does not meaningfully reduce the risk, it is either the wrong control, it is not being implemented effectively, or the risk was already lower than initially assessed.
PlaneConnection tracks both initial and residual risk on every risk register entry, providing a clear record of how controls change your risk profile over time.
The Bow-Tie Model
The bow-tie model is a visualization tool that connects threats, hazards, and consequences through two types of barriers. It is particularly useful for understanding layered defenses — a concept rooted in James Reason’s Swiss cheese model.
On the left side, threats are conditions that could activate the hazard. Preventive barriers (proactive controls) sit between threats and the hazard — training, procedures, automation, maintenance programs, inspections, and checklists.
On the right side, consequences are potential outcomes if the hazard is realized. Recovery barriers (reactive controls) limit the severity — emergency procedures, fire suppression, emergency response plans, crashworthiness features, and insurance.
The bow-tie model shows that safety depends on multiple layered defenses. When you identify that a barrier has degraded or failed, the model shows exactly where your vulnerability lies and which consequences become more likely.
Hierarchy of Controls
Not all risk controls are equally effective. The hierarchy of controls, adapted from occupational safety, ranks control strategies from most to least effective:
| Priority | Control Type | Aviation Example |
|---|---|---|
| 1 | Elimination | Remove the hazard entirely (e.g., avoid the problematic airport) |
| 2 | Substitution | Replace with something safer (e.g., use a different approach procedure) |
| 3 | Engineering | Physical barriers or automation (e.g., TCAS, TAWS, flight envelope protection) |
| 4 | Administrative | Procedures, training, checklists (e.g., revised SOP, additional training) |
| 5 | PPE | Personal protective equipment (e.g., hearing protection, high-visibility vests) |
How Risk Management Connects to the Rest of SMS
SRM does not operate in isolation. It connects to every other pillar. Safety Policy defines the acceptable risk criteria and the organization’s commitment to managing risk. Safety Assurance monitors whether controls are working and feeds findings back into SRM when they are not. Safety Promotion ensures that people understand risk management processes and can participate effectively.
In PlaneConnection, risk assessments connect to CPAs, ensuring that identified risks lead to tracked, verified remediation. The Management of Change module requires risk assessment before implementing operational changes. Reports and investigations feed hazard identification into the SRM process. And the compliance dashboard shows whether your SRM processes meet Section 5.51 through 5.57 requirements.
Related
The Four Pillars of SMS
How SRM fits within the broader SMS framework.
Safety Performance Monitoring
Monitoring whether your risk controls are effective.
FAA 14 CFR Part 5 Overview
Subpart C requirements for Safety Risk Management.
Just Culture and Non-Punitive Reporting
How reporting culture feeds hazard identification.