“The more innovative our products have become; the more risk we must take. The alternative to risk management is luck and fate.” — Christoph Schwager, chief risk officer, EADS
The aerospace and defense (A&D) sector is all about risk. There is inherently more risk in innovating and delivering high-tech A&D products than, for example, building houses, getting fresh bread onto supermarket shelves or mass producing widgets. But reduced budgets, tighter contracts and increased transparency mean that if you don’t have a handle on the real risks to your projects and your whole business, then you are depending on luck and fate.
The A&D industry has some of the world’s most complex projects involving numerous contractors and supply chain partners, many spread around the globe. The real risks to the success of your projects, and even the reputation and survival of your business, may be in the hands of people who don’t work for you, whom you will never meet.
So what can you do to protect your organization, while still being able to take the risks needed to drive innovation and growth in the sector?
Here are three critical lessons that will help A&D businesses more effectively manage risks:
■ Take a holistic approach to risk across your enterprise.
■ Collaborate with contractors and suppliers to identify and manage risks at the most appropriate point in the supply chain.
■ For project success you need to bring risk into the equation; it’s not delivered by the traditional focus on cost and schedule alone.
EADS has taken an enterprise approach, which sees risk management as being embedded into the business and rolled out across its divisions. It is using a common software system to support the risk management process across the organization.
It realized that a multisystem or spreadsheet solution might provide pockets of excellence, but could not deliver the overall view of risk required by senior management to make informed strategic decisions. A one-system approach is vitally important to the success of its risk management initiative.
Similarly, US Air Force Materiel Command (AFMC) is moving to one system to manage risks. To ensure correct funding and resource investment decisions are made, AFMC needs to know the risk profile of each Air Force program. Decisions can then be taken as to whether additional funding is required to mitigate risk in one program while funds in another can be released as successful risk mitigation strategies are deployed.
EADS is also an example of the growing number of businesses that have evolved their governance models to take a “three lines of defense approach” for risk. This is an increasing trend among organizations that take risk management seriously.
The first line is provided by operational management. The people involved in projects and day-to-day operations are closest to the risks and opportunities and are always going to have the most in-depth knowledge.
The trick to making the first line effective is for senior management to create a culture in which all employees see risk management as part of their day job and to provide a system that’s so easy to use it doesn’t become a barrier, yet can support the business’ risk, compliance, health and safety needs with single data input.
The second line of defense is provided by the risk professionals. Their job is to keep risk on everyone’s agenda and to make the process and system run smoothly, while meeting the risk information needed at each level in the business. This group must ensure risk is reported upward, but that ownership remains in the business and is not transferred to the risk team.
Internal audit traditionally has had an important role in risk management, but it has now moved to provide the third line of defense in organizations like EADS. The Internal Audit team looks at the effectiveness of the controls in place.
Taking a holistic view of risk management can help focus the Internal Audit team’s efforts. Audits can be targeted on the projects and areas with the highest risk levels that could have the greatest impact for the organization as a whole.
Loren Padelford, executive vice president and general manager at Active Risk, which operates webinars and works with businesses in the aerospace and defense and other sectors to promote risk management.