National Academies Press: OpenBook

Application of Enterprise Risk Management at Airports (2012)

Chapter: Section 2 - Airport ERM

Suggested Citation: "Section 2 - Airport ERM." National Academies of Sciences, Engineering, and Medicine. 2012. Application of Enterprise Risk Management at Airports. Washington, DC: The National Academies Press. doi: 10.17226/22744.

Airports have always focused on preventing hazards and finding ways to reduce the risks associated with their operations. However, merely promoting safety in operations and insuring against natural disasters is not sufficient. Airports must also manage the broad array of strategic and operational risks facing an ever-changing aviation industry, including growing financial constraints and increasing regulatory requirements. Many airports face resource constraints, and staff are stretched thin by the multitude of activities they are asked to accomplish. In such an environment, ERM can be an important management tool that assists airport staff in driving decision-making and allocating resources on a risk-based basis.

In many aspects of airport management, just as in private business, the key to long-term success is not just avoiding the downside of uncertainty, but also anticipating how uncertainty can be turned into opportunities and positive outcomes. Through ERM, potential risks and emerging opportunities are proactively identified, assessed, monitored, and addressed on an organization-wide basis. Understanding financial, operational, strategic, and reputational risks and opportunities, the airport can capture the full gamut of the uncertainty that is faced in all facets of airport operations. The “big-picture” perspective of the enterprise and consideration of long-term implications ensure that efforts are directed at the issues and activities that are truly important to everyone.

In summary, ERM assists airport management in proactively managing the uncertainty that their organization faces and improves the long-term outcomes of the organization’s activities and decision-making.

2.1 What Is ERM?

ERM is a structured, consistent, and continuous system that is applied across an entire organization to manage uncertainty. Risks are uncertain future events that can influence an organization’s ability to achieve its objectives.

The term “risk” is usually applied in one of three distinct applications:

• Risk as threat versus exposure. Risk considered as a threat implies potential negative events that could result in financial or reputational harm to the organization, whereas risk considered as exposure could also be positive.
• Risk as variance. This interpretation of risk includes the distribution of all possible outcomes, both positive and negative. Stated differently, risk is synonymous with variance.
• Risk as opportunity. This understanding of risk is based on the concept that a relationship exists between risk and return. The greater the risk, the greater the potential return and the greater the potential for loss.

A fundamental difference between traditional risk management and ERM is that traditional risk management focuses on risks independent of business concerns and organizational strategy. However, additional differences exist, as outlined in Table 1.

2.2 Value of Implementing ERM at Airports

ERM is a valuable approach that informs and directs management decisions at all levels of an organization. Understanding an airport’s risk exposures can be valuable in forward-looking processes such as strategizing, performance management, and planning. Integrating risk practices into routine processes and decision-making allows airport management to effectively identify and manage causes of volatility (sources of risk) and ultimately make informed and “risk/reward-aware” decisions.

The value derived from ERM has two dimensions:

• Internally, value is created by helping managers to better understand their risk profile, better anticipate financial performance, mitigate risks, make better-informed decisions, and leverage opportunities.
• ERM also enables an organization to satisfy policymakers and external stakeholders’ (auditors, regulators, partners, public users, and local communities) expectations of internal control and risk management.
Table 1. Comparison of ERM and traditional risk management.

Risk identification and assessment
  ERM:
    ▪ Critical airport risks are identified, quantified, and weighted against opportunity
    ▪ Risk/opportunity drivers are identified
    ▪ Effectiveness of risk controls is evaluated
    ▪ Risk/opportunity materiality is considered
    ▪ Risk/opportunity ownership is assigned
  Traditional Risk Management:
    ▪ Focus on hazards and transferable risks
    ▪ Insurable risks are identified and assessed based on the relative availability of insurance

Risk mitigation strategies
  ERM:
    ▪ A variety of options are considered including risk transfer options and organizational change
    ▪ Strategies are developed for pursuing opportunities that take into account potential risks
  Traditional Risk Management:
    ▪ Balance of available insurance policy limits against retained levels of financial loss (deductibles, retention levels)
    ▪ Risk management is intuitive and indistinct from standard operating process

Monitoring and reporting
  ERM:
    ▪ Ongoing
    ▪ Integral to airport strategy
    ▪ Helps to ensure the integrity of financial reporting
  Traditional Risk Management:
    ▪ Static
    ▪ Revisited in response to an event or annual audit

How risks are viewed
  ERM:
    ▪ There is an aggregated view of risk across the enterprise
    ▪ The balanced relationships between opportunities and risks are evaluated
    ▪ Entity level portfolio of risks and opportunities
  Traditional Risk Management:
    ▪ Risks are viewed in silos
    ▪ Risks as individual hazards

Risk categories
  ERM:
    ▪ All risk/opportunity categories are considered (e.g., hazard, financial, strategic, operational, people, legal, regulatory, etc.)
  Traditional Risk Management:
    ▪ Risk categories tend to focus on hazard, safety, and financial

Ultimate goal
  ERM:
    ▪ Risk/reward optimization—preserve and create value
  Traditional Risk Management:
    ▪ Mitigation of insurable risks
    ▪ Minimize risk transfer spend

2.2.1 Risk Awareness

ERM provides a framework for the aggregation of risk and opportunities across an airport, resulting in better visibility. Airports already manage risk, particularly health and safety exposures and business continuity risks; however, risks do not just fall into select silos of an airport’s governance structure. Uncertainty affects the organization at an enterprise-wide level. The risk and opportunity awareness that ERM provides senior management helps to identify dependencies across the organization, as well as major risks that may have an enterprise-wide impact. The many facets of airport management and the management team’s diverse responsibilities make gaining this collective view of risk important because such a view provides a focus on what matters for the enterprise as a whole. Greater visibility of an organization’s risk profile can enhance business and strategic planning by ensuring that risks and opportunities are taken into consideration in decision-making.

2.2.2 Proactive Preparation for Catastrophic Events

ERM also aids airports in developing plans for addressing events that are very unlikely to occur, but that will have a very significant impact if they do materialize. These events include natural catastrophes, terrorist attacks, ash-producing volcanic eruptions, extreme weather, or airplane crashes. Employing techniques such as scenario analysis helps organizations to consider their response to “high-impact/low-frequency” risks that are highly unpredictable. Better visibility of the risk profile is particularly important for airports today in order to ensure that emerging sources of catastrophe are identified and managed. The changing nature of transnational and domestic terrorism has required airports to respond in innovative ways to mitigate risk. Other emerging risks requiring enterprise-wide recognition and response include the global financial crisis and associated credit challenges, environmental impacts arising from usage of scarce resources, emissions, noise, and pandemic outbreaks (H1N1 Influenza, H5N1 Influenza, and SARS) where the spread of outbreaks is accelerated by domestic and international air travel.

2.2.3 Business Uncertainty

In the aviation industry, the market is changing; tighter competition, aging infrastructure, increased reliance on non-aviation revenue, and the increasingly unstable financial status of airlines (influenced by the economic climate as well as wage pressures, increasing fuel prices, and the cyclical nature of demand) are all characteristics of a changing business environment. By implementing an enterprise-wide approach to management of uncertainty, the airport can be in a better position to monitor its market environment, identify emerging changes in that environment in early stages, and quickly implement preexisting risk-response plans or initiate strategies to capture opportunities.

2.2.4 Addressing Financial Uncertainty

Through identifying the many different types of potential risks an airport faces and providing proactive response plans, ERM can identify strategies to protect an airport’s balance sheet from unexpected losses. Through identifying and mitigating those risk exposures that could prevent the successful attainment of strategic objectives, ERM reduces volatility and thereby provides a degree of certainty with regard to expected outcomes. An example of how ERM can improve financial certainty is through the maintenance of, or even upgrade in, credit ratings from Standard & Poor’s for those airports reliant on loans or credit. In its credit rating assessment, the rating agency explicitly takes into account an organization’s approach to ERM. An organization with a demonstrably solid approach to risk management may be in a better position to receive an upgrade in its rating.

2.2.5 Policymaker and Stakeholder Expectations

Airport policymakers and stakeholders, including regulators, suppliers, airline partners, local communities, public users, and auditors, place a high level of accountability for managing uncertainty on the airport senior management team and board. Airports need to demonstrate that risk is effectively considered and controlled, especially during strategic decision-making. Transparency in the risk management process is not only required as a defense when something goes wrong, it is increasingly sought by policymakers to provide assurance that the organization’s internal controls and management decision-making are effective. In response to a question about the drivers to establishing ERM and the value it has created, a large airport in North America commented:

    Stakeholders expect management to capitalize on opportunities, protect revenues and assets, and comply with laws and contractual obligations. If there is a negative event, all stakeholders want to know whether management should have foreseen the cause and addressed it—ERM facilitates the airport’s management of business risks by taking the right risks to get the right rewards.

When applied appropriately, ERM can bring airports multiple benefits. It can help organizations achieve their stated objectives and better deliver on intended outcomes. This value from ERM can be realized, but it requires

• A supportive organization;
• A simple, understood process;
• Methods, tools, and techniques;
• Policymaker buy-in;
• Leadership; and
• Committed and competent people.

2.3 ERM Guidance/Standards

Numerous best-practice, risk management guidelines, requirements, and standards exist, varying in content and methodology according to the jurisdiction or governing body that employs them. Each individual standard exhibits particular strengths and incentives for adoption; however, all ERM standards aim to

• Ensure appropriate ERM accountability,
• Enhance organization flexibility and resiliency, and
• Account for the full spectrum of risks.

Outlined below are brief descriptions of four standards that are frequently adopted by organizations of all sizes, both inside and outside of the aviation industry: COSO ERM Integrated Framework; ISO 31000; the AIRMIC, ALARM, IRM: Risk Management Standard; and Basel II.

2.3.1 COSO Enterprise Risk Management—Integrated Framework

Following a number of highly publicized business failures, scandals, and frauds in the 1990s and early 2000s and the subsequent introduction of laws, regulations, and listing standards calling for strengthened corporate governance and risk management, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued its framework for enterprise-wide risk management in September 2004: Enterprise Risk Management—Integrated Framework.

The goal of the framework is to enable organizations to standardize ERM so that they can more easily benchmark, establish best practices, and have more meaningful dialogue about the critically important issue of risk management. One concern regarding the COSO ERM framework is that its overarching nature can appear overwhelming for some organizations, particularly those that are small in size or have not previously established an ERM culture.

2.3.2 ISO 31000

ISO 31000 is a family of standards relating to risk management, codified by the International Organization for Standardization, a non-governmental organization that forms a bridge between the public and private sectors. The purpose of ISO 31000:2009 is to provide principles and generic guidelines for risk management. ISO 31000 seeks to provide a universally recognized paradigm for practitioners and companies employing risk management processes to replace the myriad of existing standards, methodologies, and paradigms that differed across industries, subject matter, and regions. Currently, the ISO 31000 family includes the following:

• ISO 31000:2009-Principles and Guidelines
• ISO/IEC 31010:2009-Risk Management—Risk Assessment Techniques
• ISO Guide 73:2009-Risk Management—Vocabulary

ISO 31000:2009 provides generic guidelines for the design, implementation, and maintenance of risk management processes throughout an organization. This approach to formalizing risk management practices is generally adopted by companies that require an ERM standard that accommodates multiple “silo-centric” management systems.

2.3.3 AIRMIC, ALARM, IRM: Risk Management Standard

In the United Kingdom, the Risk Management Standard was originally published in 2002 by the Association of Insurance and Risk Managers in Commerce (AIRMIC), the Public Risk Management Association (ALARM), and the Institute of Risk Management (IRM). The Risk Management Standard has subsequently been adopted by the Federation of European Risk Management Associations (FERMA) and referenced by the U.S. Risk and Insurance Management Society (RIMS). This was more of a guidance document for risk management and has wherever possible used the terminology for risk set out by the International Organization for Standardization (ISO) in its document ISO/IEC Guide 73 Risk Management—Vocabulary—Guidelines for use in standards. The guidance is not intended to produce a prescriptive box-ticking approach or to establish a certifiable process; instead, the guidance provides a best-practice guideline against which organizations can benchmark themselves. This guidance was effective when it was released in 2002 but has now been superseded in terms of currency and validity by ISO 31000.

2.3.4 Basel II

Basel II is the second set of recommendations on banking regulatory issues produced by the Basel Committee on Banking Supervision. This risk management regulation is focused exclusively on financial services. Its objective is to ensure that capital allocation is more risk sensitive, to separate operational risk from credit risk, to explore measures for the quantification of risk, and to align economic and regulatory capital more closely.

2.4 Elements of an ERM Framework

Airports are both quasi-public entities and business operations and therefore are directed by policymaking bodies, may be part of a larger governmental entity, and must tailor their operating activities and business decisions to satisfy multiple stakeholder agendas. Through ERM and a comprehensive risk reporting structure, the different requirements of each stakeholder can be managed.

Each airport has a unique combination of operating environment, governance structure, and organizational culture. An airport’s ERM framework should reflect this. Nonetheless, there are also a number of common fundamental elements that every airport should consider when implementing an ERM framework: governance and infrastructure, identification and prioritization, controls and risk response, monitoring and reporting, implementation, integration with key processes, and continuous improvement and sustainability. These elements can be described as follows:

• Governance and infrastructure—An enterprise-wide approach with executive and board-level sponsorship, policies, standardized processes, a clear vision of risk materiality, and defined accountabilities is communicated throughout the organization. Section 3 of this guidebook provides guidance on this element.
• Identification and prioritization—Risks and opportunities, including new and emerging risks and opportunities, are systematically and consistently identified across the airport, including projects, strategic decisions, and partnerships. Risks are assessed and prioritized to focus time and resource on the critical risks. Sections 4.1 and 4.2 of this guidebook provide guidance on this element.
• Controls and risk response—Current controls are assessed as to whether they effectively mitigate the risk to the required level. Risk-response planning is focused on those risks that require additional controls to mitigate the risk to an acceptable level. Sections 4.3 and 4.4 of this guidebook provide guidance on this element.
• Monitoring and reporting—There is a strong governance framework in place to facilitate risk reporting and monitoring at all levels of the organization. Reporting is supported by tools and systems where appropriate. Management fully understands and monitors the risks and opportunities the organization faces, as well as the effectiveness of the ERM framework. Independent assurance is sought where required. Sections 4.5 and 4.6 of this guidebook provide guidance on this element.
• Implementation—A plan is in place to guide and drive ERM implementation, reflecting the target level of ERM maturity. All employees understand the benefits of ERM and have the knowledge, skills, and tools to embed the ERM process. Section 5 of this guidebook provides guidance on this element.
• Integration with key processes—The ERM framework is aligned with key processes—strategic planning, budgeting, and SMSs—to avoid duplication and ensure value is created throughout the airport. Section 6 of this guidebook provides guidance on this element.
• Continuous improvement and sustainability—The ERM framework is reviewed against performance metrics, issues addressed, and improvement opportunities implemented. Staff are informed of developments in best practice and given the opportunity to advance their risk management skills and knowledge. Section 7 of this guidebook provides guidance on this element.

2.5 Examples of Airport ERM in Practice

Provided below, as examples of airport ERM in practice, are descriptions of ERM implementation experiences at three airports (Columbus Regional Airport Authority, Dallas Fort Worth International Airport, and Greater Toronto Airport Authority).

2.5.1 Columbus Regional Airport Authority

The financial crisis was Columbus Regional Airport Authority’s original driver to implement ERM as it would provide better internal awareness of possible risks to airport operations. The initiative was a directive from the President and CEO of the organization, and the CFO is the primary sponsor.

The ERM program manager, who drives the ERM process, meets with each department to work on and review its inventory of risk. The departmental risks are aggregated at the enterprise level as required. The program manager also attends staff meetings to share ERM updates, answer questions, and share ideas from other divisions.

The airport found that the most challenging elements to implementing ERM were getting the right resources committed, ensuring the delivery of training, and getting support for integration at the very top of the organization. However, the biggest win since implementing ERM has been the sharing of “internal sins,” exposing mistakes to learn from and applying risk mitigation techniques for future avoidance, creating a culture willing to talk about mistakes and lessons learned without consequence. Discussion of risk now has a greater level of maturity.

2.5.2 Dallas Fort Worth International Airport

From Dallas Fort Worth International Airport’s perspective, ERM is a structured, consistent, and continuous improvement process applied across the entire airport enterprise that brings value by

• Proactively identifying, assessing, and prioritizing material risks;
• Aligning ERM with strategic objectives and business processes;
• Developing and deploying effective mitigation strategies; and
• Embedding key components into the airport’s culture:
  – Risk ownership, governance, and oversight;
  – Reporting and communications; and
  – Leveraging of technology and tools.

ERM was initiated at the airport in 2008 and officially began with an executive staff briefing in June of 2009. ERM has a defined mission, executive sponsorship structure, and process. Prior to implementing ERM, the airport reviewed its current risk management processes and established a plan to develop a formal ERM model that would best suit the current operating environment of the airport.

The ERM effort has been led by the risk management department with strong support by senior management who served on the initial task force to review the program and continue as executive sponsors of the ongoing effort. The executive sponsors provide oversight on ERM policy and strategy, and they receive regular updates from the risk council. The risk council serves as the mechanism to implement ERM and comprises 4 executive sponsors, the risk officer, and 13 council members who are managers across the various functional areas of the organization.

With respect to overall business decision-making, ERM is viewed as a process that drives a structured and disciplined approach to enterprise initiatives. ERM provides the methodology for measuring business risks and increases awareness of opportunities and potential risks. Through ERM, the airport can aggregate risks and benefits from an enterprise perspective, which leads to better capital allocation and enhanced efforts to protect the airport’s competitive position.

2.5.3 Greater Toronto Airport Authority

Building on three formal risk assessments that were performed in 1999, 2005, and 2007, the Greater Toronto Airport Authority decided, in 2009, to enhance its risk management program with the design of an ERM framework. This ERM framework provides the following:

• A proactive approach to risk that is built into the strategic planning and performance management processes and is supported by all organizational units
• An efficient, independent risk function designed to support risk-takers and senior management with direction, tools, aggregation, and analysis
• The use of common risk definitions to help create a common vocabulary and organize the risk management process
• Transparent information flows that aid decision-making processes

ERM implementation had extensive support from the executive leadership team and the policy makers. The ERM framework was structured with a top-down direction, including board of directors and executive management setting the tone at the top for ERM to be fully embraced and sustained over time.

The airport recognized the importance of developing a risk-aware culture—an environment where employees are managing risks by making conscious choices in their day-to-day working activities about risk identification, assessment, and response. With the institution of a defined ERM framework, these risk management activities are further developed as employees proactively plan how to manage risks in the future. The guiding principles under this culture are the following:

• Risk-taking is encouraged where risks are known, are within the defined risk appetite, and can be expected to generate desired returns.
• Corporate risk is partnered with the business areas in order to raise awareness, educate, and gain consensus on desired risk management outcomes.
• A culture of risk transparency, disclosure, and open dialogue is encouraged with the goal of “no surprises.”
• The risk awareness of employees is enhanced through education sessions and management communications, increasing the likelihood that employees think about risk when making daily decisions and taking actions.

The tangible benefits of ERM are linked with the strategic plan and objectives of the airport and are clearly communicated and understood by all employees to foster the development of a risk-aware workforce that views risk management in terms of achieving strategic goals and priorities.


TRB’s Airport Cooperative Research Program (ACRP) Report 74: Application of Enterprise Risk Management at Airports summarizes the principles and benefits of enterprise risk management (ERM) and its application to airports.

The report discusses implementation of the iterative ERM process, including roles and responsibilities from airport governing boards to all staff members.

The project that developed ACRP Report 74 also developed an electronic tool that can be used to support the ERM process by creating a risk score and a risk map that can be used to identify mitigation strategies. The tool is included in CD-ROM format with the print version of the report.

The CD-ROM is also available for download from TRB’s website as an ISO image. Links to the ISO image and instructions for burning a CD-ROM from an ISO image are provided below.
