Understanding Risk Severity and Probability in SMS

Understanding risk severity and probability in SMS is a foundational requirement for any Safety Management System in business aviation. These two concepts form the basis of how hazards are evaluated, prioritized, and managed under FAA 14 CFR Part 5 and ICAO Annex 19. Without a clear and consistent approach to defining severity and probability, operators struggle to distinguish between acceptable risk and risk that requires action.

In practical terms, risk severity and probability answer two simple but essential questions. If this hazard leads to an unsafe outcome, how serious would the consequences be? And how likely is that outcome to occur given current controls and operating conditions? Together, these answers allow safety managers and accountable executives to make informed decisions that align with regulatory expectations and operational reality.

This article explains what risk severity and probability mean within an SMS, why they matter in business aviation, how they are applied in real-world operations, and what effective implementation looks like across different types of operators.

What Are Risk Severity and Probability in an SMS?

In a Safety Management System in business aviation, risk is typically evaluated using two dimensions: severity and probability. These dimensions are assessed separately, then combined to determine overall risk level and required response.

Risk severity describes the potential consequences if a hazard leads to an undesired event. It focuses on the worst credible outcome, not the most common or convenient one. Severity is concerned with impact, including harm to people, damage to aircraft or facilities, regulatory exposure, and operational disruption.

Risk probability describes the likelihood that the undesired event will occur. It reflects how often the hazard could reasonably be expected to result in the defined consequence, considering existing mitigations, operational controls, and exposure.

Part 5 does not mandate a specific risk matrix or scoring system. Instead, it requires operators to establish a structured process to assess risk and make decisions based on severity and likelihood. ICAO Annex 19 reinforces this approach by emphasizing consistency, objectivity, and repeatability in risk assessment.

How Does FAA Part 5 Address Risk Assessment?

FAA 14 CFR Part 5 requires operators to identify hazards, analyze risk, and implement controls where necessary. While the regulation avoids prescribing exact definitions, it is clear that risk assessment must consider both the potential consequence and the likelihood of occurrence.

Under Part 5, risk assessment supports several SMS functions, including hazard reporting, change management, and safety assurance. The FAA expects operators to show that they understand their risks and can justify why certain risks are accepted, monitored, or mitigated.

For Part 135 operators, this expectation is explicit and auditable. For Part 91 operators, especially large or complex flight departments, the same principles apply even when SMS adoption is voluntary. For Part 145 repair stations, severity and probability assessments often focus on maintenance errors, human factors, and latent conditions that may not result in immediate operational consequences but can significantly affect downstream safety.

Defining Risk Severity in Business Aviation

Risk severity describes how serious the outcome could be if a hazard is realized. Severity categories should be clearly defined and consistently applied across the organization.

In business aviation, severity often considers multiple dimensions:

• Injury or loss of life to passengers, crew, or third parties

• Damage to aircraft or critical systems

• Impact on regulatory compliance or certificate status

• Operational disruption, including mission loss or reputational harm

Severity is not limited to catastrophic outcomes such as accidents. A maintenance documentation error, for example, may have low immediate operational impact but high regulatory or compliance severity if it leads to findings, enforcement action, or grounding.

A common mistake is defining severity too narrowly or tying it directly to historical outcomes. Effective SMS programs evaluate severity based on credible worst-case outcomes, not what has happened in the past or what usually happens.

Defining Risk Probability in an SMS Context

Risk probability addresses how likely the defined outcome is to occur. This assessment should be grounded in operational exposure, historical data where available, and an understanding of existing controls.

Probability categories are often described using qualitative terms such as rare, unlikely, possible, likely, or frequent. The key is not the terminology but the consistency and rationale behind each category.

In business aviation, probability assessments must account for variability. Flight frequency, crew experience, maintenance practices, operating environment, and organizational culture all influence likelihood. A hazard that is unlikely for a Part 91 flight department with stable crews and predictable missions may be more probable for a Part 135 operator with high utilization and variable schedules.

Probability should reflect current conditions, not idealized procedures. If a control exists on paper but is inconsistently applied, probability should be adjusted accordingly.

Why Severity and Probability Matter in Business Aviation

Business aviation operations face a unique mix of complexity, flexibility, and resource constraints. Unlike airline operations, many business aviation operators have small teams where individuals wear multiple hats. This makes structured risk assessment even more important.

Severity and probability provide a common language for discussing risk across departments and roles. They help safety managers explain concerns to accountable executives and support defensible decision-making during audits or investigations.

These concepts also help avoid two common extremes: overreacting to low-risk issues and underestimating risks that develop slowly over time. When applied correctly, severity and probability focus attention on what truly matters to safety and compliance.

This discussion builds directly on concepts explained in foundational guidance on what a Safety Management System is in business aviation and how the four pillars of SMS support structured decision-making.

How Risk Severity and Probability Are Used in Practice

In real-world operations, severity and probability are typically applied during hazard reporting, risk assessments, and management of change activities.

Consider a reported hazard involving recurrent unstable approaches at a specific airport. The severity assessment may consider potential outcomes ranging from minor deviations to runway excursions. Even if no incidents have occurred, the credible worst-case severity may be high.

Probability would then consider factors such as frequency of operations into that airport, known environmental challenges, crew familiarity, and existing stabilized approach criteria. If the conditions align regularly, probability may be assessed as possible or likely.

The combined assessment informs whether mitigation is required, such as additional training, revised procedures, or operational limitations.

Similar logic applies in maintenance environments. A tooling control issue may have moderate immediate severity but increased probability if the same error is observed repeatedly across shifts.

Common Mistakes in Assessing Severity and Probability

Many SMS programs struggle with consistency in risk assessment. Common issues include:

Treating severity and probability as subjective opinions rather than defined criteria. Without clear definitions, different assessors reach different conclusions for the same hazard.

Automatically downgrading severity because an event has not occurred. Past absence of accidents does not reduce potential impact.

Inflating probability to force action or deflating it to avoid mitigation. Both undermine the credibility of the SMS.

Failing to reassess probability after mitigations are implemented. Controls change likelihood and should be reflected in updated risk assessments.

These issues are often highlighted during audits, reinforcing the importance of structured and documented risk evaluation processes as discussed in guidance on what auditors look for in an SMS program.

What Good Implementation Looks Like

Effective implementation of severity and probability in an SMS shows several consistent characteristics.

Definitions are documented, understood, and applied consistently across departments. Safety managers, maintenance leads, and operations personnel use the same language and criteria.

Assessments are evidence-informed. Where data exists, it is used. Where it does not, rationale is clearly documented.

Risk acceptance decisions are transparent and traceable. When risk is accepted, the reasoning aligns with defined thresholds and organizational risk tolerance.

Assessments are revisited. Severity may remain constant, but probability changes as operations evolve, mitigations mature, or exposure increases.

This level of maturity supports identification of systemic risk patterns, rather than isolated events, reinforcing the broader safety objectives of an SMS.

Differences Across Part 91, 135, and 145 Operations

While the principles of severity and probability are consistent, application varies by operation type.

Part 135 operators often apply more formalized risk matrices due to regulatory oversight and operational tempo. Probability assessments frequently rely on utilization data and trend analysis.

Part 91 operators may use simpler tools but still benefit from structured definitions, particularly in large or complex flight departments.

Part 145 repair stations focus heavily on latent conditions, human factors, and maintenance-induced risk. Severity may relate more to downstream operational impact than immediate safety outcomes.

Understanding these differences helps tailor SMS processes appropriately, as explored in guidance on how SMS applies differently to Part 91, Part 135, and Part 145 operators.

How Technology Supports Severity and Probability Assessment

Modern SMS platforms support severity and probability assessment by improving consistency, traceability, and visibility. Technology can guide users through defined criteria, reduce variability in scoring, and link risk assessments to hazard reports and corrective actions.

Data aggregation allows organizations to refine probability assessments over time based on actual trends rather than assumptions. Workflow tools ensure reassessments occur when mitigations are implemented or operational changes take place.

While technology does not replace professional judgment, it provides structure that supports regulatory compliance and continuous improvement within a Safety Management System in business aviation.

Summary

Risk severity and probability are central to effective risk management under FAA Part 5 and ICAO Annex 19. They provide a structured way to evaluate hazards, prioritize action, and support defensible decision-making.

When clearly defined and consistently applied, these concepts help business aviation operators focus resources where they have the greatest safety impact. When misunderstood or inconsistently used, they undermine confidence in the SMS and weaken safety outcomes.

A mature approach recognizes severity and probability as living elements of the SMS, informed by operational reality, reviewed over time, and integrated into everyday decision-making.