What the governance, risk management and compliance executives at Deutsche Bank, Barclays, HSBC, United Standard and ING can learn from air plane pilots.
One of the most fulfilling things I ever did was learn to fly a plane. Throughout the rigorous training to get my private license, I was impressed by the continual focus on risk management and compliance, and the systems used to continually improve safety in the aviation industry. Life has a way of putting things together. These days I head up a specialized Governance, Risk and Compliance (GRC), business but it was only recently that I realized how elegantly my life’s seemingly disparate career paths had converged.
What made me aware of this convergence was reading Capt. Richard de Crespigny’s recently published book, “QF32,” the harrowing account of how one of the world’s worst air disasters involving a Qantas A380 flight from Singapore to Sydney in November 2010 was averted. It should be mandatory reading for company directors, CEOs, chief risk officers, chief compliance officers, internal auditors and HSE managers. Had I the means to send a copy to each of them, I would do it in a heartbeat.
As I am not yet in that position; however, I am launching a blog with an inaugural post detailing what governance, risk and compliance professionals can learn from airplane pilots.
Assuming that most of you reading this do not have an aviation background, I shall frame things in a GRC context: Based on Bureau of Transportation Statistics (USA Revenue departures performed: Jan 2012 –Dec 2011), “In the USA, if just .1 of 1 percent of flights failed to reach their destinations, this would result in 26 plane crashes every day.” If this were the case, no one would fly, and we would be back in the travel dark ages.
For all its inherent risks, air travel is the safest form of transportation. How has the industry managed to overcome all the risks involved with flight, and what lessons can we apply in the GRC world? I shall begin with the four basic GRC elements: Bulleted in the next section.
- Detailed knowledge of underpinning law
- Documented standard operating procedures (SOPs) for every single task and contingency, distilled into checklists
- Layered redundancy and backup to support multiple failures of critical systems
- Mandatory, high-frequency training to maintain skill levels, overlaid by routine direct operational assessments.
This is how those principles are applied, every flight, by airline pilots:
GRC Element 1 – Detailed knowledge of underpinning law
Civil Aviation Regulations and associated Civil Aviation Orders are large and complex volumes. But every pilot needs to know them backwards and forwards and is subject to routine tests to ensure this knowledge is maintained. Every pilot is informed of every change to these laws. As explained in the book, “QF32,” the rights of a Pilot in Command are extensive and enshrined in law. So are the obligations. Once the pilot signs the passenger manifest and the aircraft’s doors closed, he/she is completely responsible for the safety of the aircraft, its crew, and all passengers.
Many of the procedures and checklists followed by a pilot and the aircrew have a basis in the law. For example, the no smoking rule and the mandatory passenger safety cards and briefings are legal requirements that are not negotiable. The aviation industry has established procedures based on law and on best practices that cover every single operation and contingency.
Documented systems are also the keystone of good GRC. In addition to regulations and procedures, a pilot must be intimately familiar with every system on board his/her aircraft. During frequent, mandatory simulator flight tests, this knowledge is tested and retested to ensure that every conceivable operational mishap can be handled safely. Knowledge, reinforced by routine training, is what enables a pilot to function calmly in an emergency.
To draw upon a personal example, I once unintentionally bypassed controlled airspace while piloting a Cessna near an international airport. Unfortunately, I did not realize this until I was above cloud and therefore unable to navigate by reference to the ground. I was essentially, for lack of a more dignified term, “lost.”
Controlled airspace, for those of you not familiar, is where big jets fly and where Cessnas do not – except under air traffic control. Without visual cues to orient myself, I could have easily strayed into the area that was off limits to me that day. Instead, I directed the aircraft toward the distant mountains that happened to be the only thing visible above a sea of white.
Although GPS was fitted to the Cessna aircraft I was flying, it was not, at that particular point in time, authorized for operational use. Learning how the system operated, however, had been part of my training. After calming myself down, I keyed in the destination coordinates and was able to navigate myself away from danger and back to safety.
Translating back to GRC-speak, let’s liken the aircraft and its systems to a business under the direction of a board of directors and key GRC people such as a chief risk officer (CRO) or chief compliance officer (CCO). Everything the business does, and each of its products and services, will be subject to rules and regulations. It is vital that knowledge of the law be entrenched in these roles. Think about how much more effective banking and finance governance would be if the CRO and CCO were tested each year on the fine details of all the applicable laws in each area of their operations. Imagine how much more effectively they would confront random risks and threats to their brand’s integrity! Knowledge of the law goes to the heart of good governance. What you don’t know, you can’t manage.
GRC Element 2 – Documented standard operating procedures (SOPs) for every single task and contingency, distilled into checklists
This is the routine I would follow when walking out of the terminal and approaching the Cessna aircraft:
- Inspect aircraft (there are 35-40 items that require inspection, including fuel quantity, fuel contamination, oil quantity, tyres, control surfaces, and dozens more)
- Cockpit pre-flight check (checking the maintenance and serviceability log for outstanding defects, making sure the aircraft power systems, radios, etc., are working)
- Passenger briefing (yes, even in a Cessna!)
- Engine starting checklist
- Pre take-off run-up checks
- Pre take-off
Each check is a multi-item checklist in and of itself. It is learned through study, practice and repetition. It is also available in the procedures manual carried aboard the aircraft. I have deliberately excluded all pre-flight preparation details, by the way. That is easily a book in and of itself.
History shows that the amount of information directed at a pilot in a crisis quickly overwhelms his or her ability to make reasoned decisions. This is where checklists become crucial: they provide a proven process to facilitate a predictable outcome. There is no pause button on the console. Once airborne, every action the pilot takes is critical. An error can spell disaster. This is what makes documented SOPs in aviation so critical.
Procedures also enable financial institutions (and any other type of business) to document the way tasks must be carried out lawfully and according to international standards and/or best practices. In the context of international commerce and trade, procedures enable collaborations between stakeholders. They serve as the foundations for education, training and ultimately, for the continuous improvement of the systems affected by those procedures. Without procedures and documentation, airlines will fail. So will economies.