Internal Auditor’s blogs reflect the personal views and opinions of the authors. These views may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers’ employers or the editors of Internal Auditor.

​Risk and the United Airlines Fiasco

Comments Views

​I think we can all agree that what happened to the United Airlines passenger who was forcibly removed from the plane was a disaster not only for the passenger but for the airline.

Sometimes being in the right according to the law is not enough.

But this post is not about that.

It's about the fact (a highly likely assumption) that what happened was not on the company's risk register or the heat map shared with executives and the board.

It's fine to have a list of the "top risks" or the "strategic risks," but what actually causes harm or even disaster to an organization is more often than not the result of a bad decision. Perhaps there have been a series of bad decisions, where people didn't think through well enough what might or might not happen.

The United (UA) CEO said that the company's on-site staff was following policy.

Somebody wrote and somebody else approved that policy.

Did they think through what might happen if the policy was followed and the passenger refused to leave? Did they consider not only the possibilities of legal action (assuming that the action was legal and the "risk" was low) but the reputation damage, including whether other passengers would decide not only to avoid UA in the future but spread the word and video recordings on social media? What about the possibility that other passengers would be affected, either defending the passenger or being harmed by him or the security personnel?

I doubt that they thought it through. As a result, they made what most would agree was a poor decision.

Somebody within UA decided to follow the policy.

Did they also think through what might happen? Did they consider that the airport security staff might use what others might consider excessive force to remove the passenger? Did they even consider not following policy and exercising their legal rights?

Again, I doubt that they thought it through.

They may or may not have considered all other options to get crew to their destination (the passenger was removed so that UA crew members could get to a plane they were to man). For example, I wonder whether the issue was escalated so that more senior UA management could assess other options for getting crew for that plane, including moving other personnel around, or delaying the departure of the plane so that crew could get to it on another flight.

UA on the plane took no action when the passenger was being removed.

To my knowledge, neither UA gate personnel nor crew members stepped in on behalf of the passenger when force, perhaps excessive force, was being used to remove him.

Was that a good decision? In hindsight, no, it was not.

Did those individuals consider what might happen if they took action, including whether they stood by and allowed it to happen without comment?

UA's stock price declined 1.13 percent on April 11th following the news. They also refunded the fares of every passenger on the flight and are now facing a lawsuit.

Was that within management's "risk appetite"?

Risk was taken with each of the decisions and lack of decision in this incident.

Did the company's risk appetite statement help the decision makers? I strongly doubt it.

I am recounting all of this in support of my contention that a risk appetite framework, a list of top risks in a risk register, the periodic review of a list of risks by management and the board, and even "objective-based ERM" (i.e., the assessment of whether objectives are likely to be achieved) are insufficient.

Risk is being taken every hour of every day across the extended enterprise.

Every hiring decision creates or modifies risk.

Every selection of a vendor creates or modifies risk.

Every sales proposal creates or modifies risk.

Every word to an employee can create or modify risk.

The only way to provide reasonable assurance that the right level of the right risk is being taken is to address the quality of decision-making at all levels of the organization.

Is it disciplined, informed, and are all potentially affected individuals included?

In other words, risk management is about effective decision making, or should I say effective management.

I welcome your thoughts.

Internal Auditor is pleased to provide you an opportunity to share your thoughts about these blog posts. Some comments may be reprinted elsewhere, online or offline.



Comment on this blog post

comments powered by Disqus
  • CRMA-Launch-October-2021-Blog-1
  • All-Star-Conference-October-2021-Blog-2
  • IT-General-Controls-October-2021-Blog-3