What Is Risk?
In aviation safety, risk is defined as the composite of two factors: the severity of potential consequences if a hazard is realized, and the likelihood that those consequences will occur. Risk is not binary — it exists on a spectrum, and the purpose of Safety Risk Management (SRM) is to evaluate where each identified hazard falls on that spectrum and decide what to do about it.
This definition matters because it separates hazards from risks. A hazard is a condition that could foreseeably cause or contribute to an accident — for example, ice accumulation on an aircraft. The risk associated with that hazard depends on how severe the consequences could be (catastrophic, if it leads to loss of control) and how likely they are (which depends on your operational environment, deicing procedures, crew training, and other factors).
The SRM Process
Safety Risk Management follows a structured sequence defined in 14 CFR Part 5:
- System analysis — Understand the system under review: its function, operating environment, procedures, personnel, equipment, and interfaces with other systems.
- Hazard identification — Identify conditions within the system that could cause or contribute to an accident. Sources include safety reports, operational data, audit findings, incident investigations, and industry information.
- Risk analysis — For each hazard, determine the potential severity and likelihood using defined criteria.
- Risk assessment — Compare the analyzed risk against your organization’s defined acceptable risk levels. This is where the risk matrix comes in.
- Risk controls — For any risk assessed as unacceptable, develop controls to reduce the risk. Then reassess the residual risk with controls in place.
SRM is triggered by specific events: new operations, changes to existing systems, hazards identified through monitoring, ineffective controls discovered during assurance, and external changes affecting operations. It is not a periodic exercise — it is applied when needed.
The Risk Matrix
The standard ICAO 5x5 risk matrix plots severity (1-5) against likelihood (A-E) to produce a risk rating in one of three zones:
| Zone | Meaning | Required Action |
|---|---|---|
| Acceptable (Green) | Risk is within tolerance | Accept and document the decision |
| Tolerable / ALARP (Yellow) | Risk requires reduction | Reduce As Low As Reasonably Practicable |
| Unacceptable (Red) | Risk exceeds tolerance | Do not proceed without effective controls |
Severity ranges from Negligible (no injury, no damage) through Minor, Major, and Hazardous to Catastrophic (multiple fatalities, aircraft destroyed). Likelihood ranges from Improbable (almost inconceivable) through Remote, Occasional, and Probable to Frequent (likely to occur often).
The FAA does not mandate a specific matrix format, but it does require that your organization define and document its risk assessment criteria. Consistency matters more than the exact format — everyone in the organization should evaluate similar hazards similarly.
The ALARP Principle
ALARP — As Low As Reasonably Practicable — governs the yellow zone of the risk matrix. When a risk falls in the tolerable range, you are not required to eliminate it entirely (that may be impossible or prohibitively expensive), but you must reduce it as far as is reasonably practicable.
“Reasonably practicable” involves a proportionality judgment. The cost, effort, and operational impact of a control must be weighed against the risk reduction it achieves. A control that costs very little and significantly reduces risk should obviously be implemented. A control that would shut down operations entirely to address a remote risk may not be practicable.
ALARP does not mean “do whatever is convenient.” If a risk control is technically feasible and the cost is proportionate to the risk, the expectation is that you implement it. Document your reasoning — the FAA may review your ALARP decisions during surveillance.
Initial Risk vs. Residual Risk
Every risk assessment should consider two states:
Initial risk (or inherent risk) is the risk level of a hazard before any controls are applied. This represents the raw exposure.
Residual risk is the risk level that remains after controls are in place. Effective controls move a risk from a higher zone to a lower one — for example, from unacceptable (red) to tolerable (yellow), or from tolerable to acceptable (green).
The gap between initial and residual risk demonstrates the value of your controls. If a control does not meaningfully reduce the risk, it is either the wrong control or it is not being implemented effectively. PlaneConnection tracks both initial and residual risk on every risk entry, providing a clear record of how controls change your risk profile.
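
The matrix rating and the initial-versus-residual comparison described above, as an added example that is not part of the original page or of PlaneConnection. The cell colours, the mapping of 1-5 and A-E onto the severity and likelihood names, and the `RiskEntry` record are assumptions made for illustration; an organization substitutes its own documented criteria.

```python
from dataclasses import dataclass

# Axes as on the page: severity 1-5, likelihood A-E. Assumed here: 1=Negligible ...
# 5=Catastrophic and A=Improbable ... E=Frequent. Cell colours are constructed
# sample criteria (one string per severity row, columns A..E), not a mandated matrix.
ZONE_GRID = {5: "YYRRR", 4: "GYYRR", 3: "GYYYR", 2: "GGYYY", 1: "GGGYY"}
ZONES = {"G": "Acceptable", "Y": "Tolerable / ALARP", "R": "Unacceptable"}
ACTIONS = {  # required actions as listed in the zone table
    "Acceptable": "Accept and document the decision",
    "Tolerable / ALARP": "Reduce As Low As Reasonably Practicable",
    "Unacceptable": "Do not proceed without effective controls",
}
RANK = {"Acceptable": 0, "Tolerable / ALARP": 1, "Unacceptable": 2}


def rate(severity: int, likelihood: str) -> str:
    """Return the zone for one matrix cell, rejecting values outside the 5x5 grid."""
    if severity not in ZONE_GRID or likelihood not in ("A", "B", "C", "D", "E"):
        raise ValueError(f"not a matrix cell: {severity}{likelihood}")
    return ZONES[ZONE_GRID[severity]["ABCDE".index(likelihood)]]


@dataclass
class RiskEntry:  # hypothetical record shape, not PlaneConnection's data model
    hazard: str
    initial: tuple   # (severity, likelihood) before controls
    residual: tuple  # (severity, likelihood) with controls in place


def assess(entry: RiskEntry) -> dict:
    """Rate both states and flag controls that leave the risk in the same zone."""
    initial, residual = rate(*entry.initial), rate(*entry.residual)
    if RANK[residual] > RANK[initial]:
        raise ValueError("residual risk rated higher than initial; recheck the entry")
    return {
        "hazard": entry.hazard,
        "initial": initial,
        "residual": residual,
        "action": ACTIONS[residual],
        # Effective controls move the risk to a lower zone (or it was acceptable already).
        "controls_effective": RANK[residual] < RANK[initial] or initial == "Acceptable",
    }


# Constructed sample entries.
ICING = RiskEntry("Ice accumulation on aircraft", initial=(5, "C"), residual=(5, "A"))
WEAK = RiskEntry("Constructed: control with no effect", initial=(4, "D"), residual=(4, "D"))
```
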
The Bow-Tie Model
The bow-tie model is a visualization tool that connects threats, hazards, and consequences through two types of barriers:
On the left side, threats are the events or conditions that could activate a hazard. Between threats and the hazard sit preventive barriers (also called proactive controls) — measures that stop the threat from reaching the hazard. Examples include training, procedures, automation, and maintenance programs.
On the right side, consequences are the potential outcomes if the hazard is realized. Between the hazard and its consequences sit recovery barriers (also called reactive controls) — measures that limit the severity of the outcome. Examples include emergency procedures, fire suppression systems, emergency response plans, and crashworthiness features.
This model is valuable because it shows that safety is not a single control but a series of layered defenses. When you identify that a barrier has failed or degraded, you know exactly where your vulnerability lies and what needs attention.
How Risk Assessment Drives Decisions
Risk assessment is not a paperwork exercise — it should directly influence operational decisions. When a risk assessment reveals an unacceptable risk, the operation should not proceed until effective controls are in place. When an existing control is found to be ineffective through safety assurance, the risk must be reassessed and new controls developed.
In PlaneConnection, risk assessments connect to corrective and preventive actions (CPAs), ensuring that identified risks lead to tracked, verified remediation. The Management of Change module requires risk assessment before implementing operational changes. And the compliance dashboard shows whether your SRM processes meet the requirements of 14 CFR Part 5 Subpart C.