Airside Management and Safety AHM 621

AHM 621
RISK MANAGEMENT SYSTEM
FOR GROUND OPERATIONS
1. RISK MANAGEMENT
1.1 A risk management system for operational risks that is
formulated, driven, and enforced at the corporate level and
that is implemented at all stations shall be in place. The risk
management system shall have policies and procedures that
require:
(i) hazard identification;
(ii) risk assessment (identification, prioritisation, analysis);
(iii) risk control;
(iv) measurement;
(v) Follow-up and reporting.
In addition to the policies and procedures outlined above, the
risk management system must contain an organisational
framework and an infrastructure that effectively provides for
management of the company's exposure to risk in its daily
operations. The framework and infrastructure should be
comprised of:
1. An organizational chart that identifies all positions in the
organization that have supervisory responsibility for
managing operational risks;
2. Job descriptions for supervisory positions outlining the
risk management responsibilities and accountabilities for
each (example: . . . is responsible for managing the
company's exposure to operational risks . . . ).
3. A document describing:
(a) Risk management roles and responsibilities for all
positions in the company that deal with operational
risks;
(b) Company's philosophy on managing risk, i.e. level
of acceptable risk;
(c) Common language for identifying, prioritising, analysing, measuring and controlling risks;
(d) The kinds of internal communications to be disseminated on what risk management culture
means in the company;
(e) A process for conducting a periodic risk management review.
One of the reasons for implementing a formal framework for
a risk management system is to ensure that senior management is driving the system, roles are defined, accountabilities
are assigned, and employees understand what risk management means, how they fit into the picture, and how their
actions contribute to the company's overall exposure to risk.
1.2 A process shall be in place at the corporate level for
conducting a routine, periodic risk management review of all
of its operational risks at all stations. In addition, it shall be
ensured that formal risk assessments are performed more
frequently in response to significant events, initiatives or
hazardous conditions that could affect the safety or security
of ground handling operations, to include, at a minimum:
(i) the introduction of new operations;
(ii) significant changes to the internal and/or external business environment;

30TH EDITION, JANUARY 2010

477

Airport Handling Manual

(iii) hazardous operational conditions;
(iv) accidents and incidents.
Ideally, a risk management review is comprised of these
steps:
1. Identification
2. Prioritisation
3. Analysis
4. Measurement
5. Control
6. Reporting
7. Follow-up and Repetition
The risk management system itself is structured to provide a
continual and comprehensive oversight of the Ground Operations company's business activities for the purpose of
identifying any aspects that might pose a safety or security
threat to aircraft, passengers, operational personnel, facilities, systems or equipment. Once identified, the risks are
prioritised according to their significance to the operation.
The next step is key: analyse why certain risks exist, whether
they can be controlled, and the extent to which they can be
controlled in order to prevent harmful consequences. If
adverse consequences cannot be completely prevented, then
the company must decide what level of risk is acceptable and
whether it will assume and control the risk, finance it or
transfer it to someone else. Once a risk is controlled, it is
important to measure whether the control has been effective
or not. The results must be followed-up and reported from
the station level to the corporate level, usually to the risk
management committee, the Chief Executive Officer, the
Board of Directors and the Audit Committee. Finally, the
process must be repeated continually.
1.3 A corporate policy should be in place requiring a risk
register as part of its risk management system for operational
risks for the purpose of documenting relevant information
associated with risks that have been identified and subjected
to risk control.
A risk register should include:
1. Description of each risk
2. Ranking according to significance to the company
3. Existing mitigation plan or control
4. Corrective action
5. Ownership (accountable person) for corrective action
6. Completion date assigned
7. Actual completion date
8. Comments/explanation
9. Integration of Risk Management System
1.4 The risk management system for operational risks should
be integrated with all business management systems
throughout the organisation, not just those systems that
address ground handling operations on a day-to-day basis.
The risk management system for operational risks must be
integrated with the company's other management systems
such as its enterprise-wide risk management system or ERM.
The system for managing operational risks is usually one
component of a larger approach to managing the company's
legal, financial and strategic risks.
Integration also means that the two systems (operational
level and enterprise level) are linked together between the
corporate level and the station level. Integration is accomplished through a company's formal, organizational
framework, but as a practical matter it is done through

478

day-to-day activities such as documentation, meetings and

other communications, risk management reviews, and
reporting of accident and incident information.
Integration also means that station level risk management
activity is tied together and information is shared horizontally
across all stations. The sharing of information across all
stations is essential to analysing why accidents and incidents
are occurring and how they can be prevented or at least
minimized in the future.
1.5 A senior management official should be assigned with
the overall accountability for the risk management system for
operational risks as specified in 1.4, to include authority and
control over resources necessary to implement and enforce
risk management policies and procedures throughout the
organisation.
The senior management official in charge of the risk management system for operational risks is likely the Director of
Quality or Safety. A large organization may have a chief risk
officer who reports to the CEO who is responsible for the
enterprise-wide risk management system and/or the risk
management system for operational risks. More often than
not a company will assign this oversight function to the
manager or director of quality or safety. Regardless of the
position or placement of the individual, it is important that
he/she has authority to:
1. Enter into contractual arrangements on behalf of the
company,
2. Modify policies and procedures,
3. Determine scheduling sufficiency,
4. Determine staffing qualifications,
5. Determine staffing adequacy,
6. Access contracts, records and information such as
service level agreements, accident and incident reports,
7. Communicate with customers.
The individual should have direct access, if not reporting
responsibility, to the Chief Executive Officer of the company.

30TH EDITION, JANUARY 2010

Airside Management and Safety AHM 621

2. RISK ASSESSMENT FLOW CHART

30TH EDITION, JANUARY 2010

479

Airport Handling Manual

3. RISK ASSESSMENT MATRIX

Risk Matrix
A hazard is any physical situation or object that has the potential to cause harm to people and/or damage to property, and risk is
the likelihood of a specific undesired event occurring within a specified period. Risk is therefore a function of both the likelihood
and consequence of a specific hazard being realized.
Risk assessment is the process of estimating the likelihood of occurrence of specific undesirable events (the realization of
identified hazards), and the severity of harm or damage caused, together with a value judgement concerning the significance of
the results. It therefore has two distinct elements: risk estimation and risk evaluation.

480

30TH EDITION, JANUARY 2010