The Organizational Risk Profile

“Accidents are no longer accidents at all; they are failures of risk management.” 

-a renowned safety scholar


If the expert is right, all public safety aviation organizations should know their risks and what they are doing about them.  How exactly can you know your risks and what you are doing about them? Determine your organizational risk profile.


Deliberate Risk Management


An organizational risk profile is a dashboard-style depiction of every current iteration of the deliberate risk management process your organization has performed on all its hazards and incident/accident causal factors. So, what is the “deliberate risk management process”?


When ICAO or FAA talk about risk management, they refer to evaluating the severity and probability of an incident using a matrix. To distinguish this type of risk management from a daily worksheet, such as a flight risk assessment tool (FRAT), we refer to the process as “deliberate.”


The deliberate risk management process has five steps:


  1. Identify the causes and conduct a safety investigation.
  2. Assess initial risk based on severity and probability using your organization’s approved risk matrix.
  3. Develop controls and mitigations using the hierarchy of controls.
  4. Assess residual risk based on severity and probability using your organization’s approved risk matrix.
  5. Implement, communicate and follow up.



Figure 1 shows a sample organizational risk profile. Most of the column headers have a number in parentheses. Each number corresponds to one of the five steps in the deliberate risk management process. (Note: the abbreviations in the “Control(s)” column mean the following: EI = Expected Implementation, PI = Partially Implemented and FI = Fully Implemented.)

The Control(s) and “Residual Risk” columns circled in red are the keys to the organizational risk profile, as they answer our two critical questions: What is our risk exposure, and what are we doing about it? Being able to see the information at a glance allows organizations to:


  - Quantify risk exposure and prioritize and allocate resources.
  - See the big picture.
  - Help new staff learn the organization.
  - Demonstrate management commitment to frontline staff.


Let us consider the two columns with backfill colors in Figure 1, steps 2 and 4. The boxes come from the organization’s approved risk matrix, a severity and probability table like the one shown in Figure 2.

Along with its risk matrix, the organization must establish decision criteria for each box or color in the matrix. For example, the yellow boxes might mean only the accountable executive is authorized to accept the risk. Green might mean the risk is acceptable as-is, and red might mean the risk has to be mitigated before the mission is undertaken. (Note: Sample risk matrices are widely available; the key is using the matrix consistently in the organization.)



Turning the Tables


In the risk profile sample in Figure 1, the column labeled “Approved by” contains the initials of the person with authority to accept a “Residual Risk” that falls in a yellow box in the matrix. The process ensures risk decisions are explicitly made at the right level.


Notice some of the controls in Figure 1 include adding an appropriate line item to daily FRAT templates. Using a FRAT can be both a control of deliberate risk management in step 3 and a source of data for additional deliberate risk analysis. By itself, the FRAT does not satisfy the deliberate risk management process as described by ICAO and FAA, as it does not include direct, matrix-driven severity and probability analyses. Conducting deliberate risk management with severity and probability analysis is required in a fully implemented SMS.


How big should your organization’s operational risk profile be? While no formula offers an exact number, the profile tends to dictate its own length as an organization populates it. Be sure to include aspects of your entire enterprise, including operations, maintenance, facilities, personnel, etc.


Who should build your organization’s risk profile? One answer is, whoever performs the deliberate risk management process for hazards, incidents and accidents in your organization—work often done by a safety committee. For another answer, consider the experience of technicians working in the wind industry. While at an annual conference, the turbine technicians were asked to review the Control(s) column to see if they thought the efforts were adequate and properly applied. Through the exercise, the technicians gained insight into new controls being used and ineffective existing controls, as well as previously unidentified risks. By including frontline staff in the process, the safety culture was enhanced, as the individuals saw risk management as a tangible commitment executives made to their safety.




This article was written by Susan Cadwallader and published in the Airborne Public Safety Association’s official journal, Air Beat Magazine, January-February 2020 edition. The original article can be seen here.
