Calculated Risk Management for Business Aviation

Andrew Nicholson



Andrew, CEO, founded Osprey Flight Solutions with the aim of driving a quantum shift in the capabilities available to the industry for security risk management, enabled by a focus on cutting-edge computing techniques and data-led risk management. Recognised as a leader in the aviation security arena, Andrew frequently provides expert comment and analysis to the leading international news networks, discussing topical global aviation security issues, as well as being a regular contributor and featured speaker at numerous international industry events. In 2021 Andrew was named a Top 20 Dynamic CEO by The CEO Publication.

After graduating with a degree in engineering, Andrew spent 12 years in the Royal Navy, 6 with UK Special Forces, which included operational tours in all major conflict regions. Leaving the military at the height of the Somali Piracy phenomenon, for 3 years Andrew led the maritime and oil and gas divisions for the largest provider of maritime security in the industry. At the same time, he was a member of the steering committee and subsequent Board of Directors for the only international human rights focused initiative for the security risk management industry.

Andrew moved to International SOS and Control Risks in July 2014 to head up the aviation security team. Realising that the industry’s requirement for risk management support had changed in the wake of the MH17 disaster, Andrew co-founded Osprey, which is now recognised across the industry as the leader in open source risk management data, developing innovative tools to support all operators, no matter their size or resource, in conducting comprehensive and accurate risk management.

Within the aviation industry, the sphere of security risk management covers a very large spectrum, from passenger and baggage screening at security check-points, through terrorism and insider threats, cyber and drone activity, to threats to aircraft on the ground. Usually, the most important risks facing owners are their personal security and the safety and security of the aircraft, both on the ground at departure and destination airports, and in the airspace through which they are flying. With an ever-increasing regulatory burden and a focus on risk-based decision making, what do you need to know when trying to conduct effective risk management of your flight operation?

Risk Assessment Is Simple

The process of risk assessment is well documented and practiced. While there are numerous educational and theoretical articles and papers easily found through a simple internet search, and many courses offered by private organizations and aviation regulating authorities, risk assessment is, at its core, extremely simple. Document 10084 of the International Civil Aviation Organization (ICAO), a UN agency, provides a good aviation-specific risk management process you can use as a starting point:

There are several steps to the process. In summary:

  • A data and information gathering exercise to allow the assessor to fully understand the environment to which they are travelling.
  • An assessment of the existence of threats (a capability and intent to target and have a negative impact on the operation, either directly or as collateral from the targeting of someone else) and hazards (events not deliberately targeted but that have an impact on the operation, such as weather or other natural phenomena), and
  • The application of mitigation measures to reduce the risk.

Calculating risk is purely an equation of Impact x Probability, but how do you assess the impact of a potential event, or the probability that it will occur? Large airlines and aircraft management and charter operators with significant resources can employ a team of skilled analysts who can use their knowledge and experience to assess these aspects. But for a single aircraft operator, this is simply not practicable.

The challenge is simple: capacity. How can a single individual comprehensively understand the situation in an environment in which they’ve never been, and then gather enough information to be able to quantify that situation and finally conduct the calculation? Even the most risk-obsessive among us would find this impossible, and the results are fraught with danger – sometimes more so than if no risk assessment were conducted at all. Basing decisions on partial knowledge or understanding can easily cause an operator to walk straight into a major issue that otherwise would not have presented itself.

So, What Can You Do?

Technology can help. There are now tools that can be used to gather vast amounts of largely relevant data from a huge number of sources, removing that burden from an operator. Open-source exploitation software can provide a feed of information. There are systems (like ours) that not only gather that data, but filter, sort and analyze it, delivering data visualizations and analytics, alerts, and reports so the operator has an instantaneous picture of the risks.

Why should you bother doing this at all? The process can be long, difficult, and time-consuming – or could cost you money to get someone else to do it for you. In addition to the growing regulatory scrutiny on risk management processes, there is a very simple answer. It is just good business sense. Avoiding risks, or at least putting in place mitigating measures that minimize the effect of incidents, can help ensure your safety and security, can potentially save you huge amounts of money, and can make your travel a far more pleasant and relaxing process.

The Business of Business Aviation