“By simply trying to keep up with individual compliance requirements, organizations become rule followers, rather than risk leaders.”
John A. Wheeler
I was facing this new safety roadshow I was invited by a friend at the airport, feeling like a piece of cardboard or a rusty singer. Plenty of familiar faces were scanned in the film making machine I attended every other Wednesday when I was a kid. This dry-wind and free-running based scenario really matched with this fancy room. I had to deliver a lecture on Human Factors Management for Aviation Organizations. Suddenly the assistant to the event told me shifts for the lecturers changed. I set a poker face, agreed to be the second presenter, and told her “Not a problem. Operations have drifts, just like life does.”
The lecturer spread his exciting tone of voice to us as if it were the last chance to address a speech. He was telling us about an audit ranking place our country was among others. He was so proud of the performance we did, that it was pretty much tender to listen to him. “We are close to the third place. When assessments conclude, we will know for sure, if we could end up on the first or second place. I will even accept a round of applause from you guys!” he told us. That did not happen at all. That dangerous and awkward silence hit me on my shoulder. A question arose in my head like the arrows in flames of a battle. Does this close-to-third-place ranking mean processes and procedure are managed in a process-focused approach? Believe me guys; the reality I know is other way around. We are not that good to be ranked in the fourth place. Why so excited then? That was when I realized our lecturer was just focused in the ranking, just on the figures. Just on how effective we were for the compliance with the standards. What about the management system that ensures regulatory issues comprise documentation that tells how we plan to solve any matters and that operational reality is appropriately addressed by the interaction of the processes an organization lays out? No reply for this whatsoever.
As I told you guys in one of my previous article (see “Plenty-of-Risk Based Management”), which you can access at these links https://voice.inxelo.aero/index.php/2020/03/18/plenty-of-risk-based-management/ or https://www.aviationsafetyplatform.com/article/plenty-of-risk-based-management, my concern lies on the organizational attitude, on the defenses we have to set. It must be a risk management-based work. We cannot define, design, and set defenses if we ignore the hazards and consequences and the risks therefore we face. Thus, we are required to address two environments:
Regulations. It is the blueprint where everything works. Specifications and design just work fine. But I dare you to tell me if this is enough.
Risk Management. It is the actual management, wherein with a systemic approach you manage things with direction and control. I also dare you not to manage your airline with this. Do you think regulations are enough?
This above fits perfectly Info Security Magazine’s ‘Gartner says risk-based approach will solve the compliance vs. security issue’ publication of 2013 that says “compliance should be treated as one of the risks within an overall risk management approach to security. Even in a risk-based program, compliance doesn’t go away entirely. The regulations are still there, but department heads and managers have to start thinking in terms of acceptable risk levels versus compliance requirements to mark off a checklist”.