By Penny Cagan, Lecturer in the Enterprise Risk Management Program, School of Professional Studies
I am haunted by the photo of a young man who had his shirt blown out of an Alaska Airlines plane shortly after it took off from Portland International Airport in early January.
A plug that sealed an unused door fell off the plane shortly after takeoff and left an exposed gap in the fuselage. By some providential act, no one was seated directly next to the door and pilots were able to land the plane without casualties. Still, there remains the frightening reality of a full flight of passengers exposed to a depressurized cabin and the open air.
Risk management and quality concerns within Boeing were highlighted as far back as 2001, when a company engineer published a paper warning of the firm’s strategy to outsource the manufacture of airline components while concentrating on the final assembly. At the time, the engineer warned that the final product is only as good as the capabilities of the least-proficient supplier. Lesson number one in third-party risk management is that the contracting firm owns all the original risk plus the risk of being exposed to a supplier and its manufacturing process.
Spirit Aerosystems was Boeing’s only fuselage supplier. And yet, there have been reports in the press that Boeing pressured Spirit to cut costs and that they were engaged in a tussle for years. When a supplier is asked to cut costs, they naturally look to where savings can be found, and this can lead them to reassess the cost of employees, materials, and quality controls. Spirit Aerosystems laid off experienced employees during the pandemic and that lost expertise was difficult to replace. This event is yet one more reminder that cutting expenses related to quality control can cost more in the long run and be devastating to a firm’s reputation.
Boeing’s CEO took over leadership of the company in 2020 and made some top-level changes that were designed to tackle ongoing quality concerns. These efforts included establishing a safety board comprised of senior leadership, the appointment of a chief safety officer, and a restructuring that had all engineers report directly to the chief engineer. However, these high-level efforts appear to have missed critical quality issues embedded in the company’s processes.
Here are some lessons learned from the event:
- Issues do not age well, and the most critical quality issues should be prioritized and remediated.
- When an issue occurs with a vendor, the ultimate responsibility resides with the company itself. Managing third parties requires ongoing monitoring and oversight.
- The final product is only as good as the least-good supplier, and any one defective component can create serious consequences for the whole.
- Choking a supplier on costs can backfire and result in cutbacks in quality and subpar delivery. The contracting firm should consider itself a partner rather than adversary with the supplier.
- Concentration risks associated with a single supplier of a critical service, product, or resource should be managed closely.
- It is challenging to regain lost knowledge when experienced personnel are laid off.
- Culture is important and employees should feel empowered to highlight potential issues.
- Top-down initiatives should incorporate bottom-up process reviews.
Views and opinions expressed here are those of the authors and do not necessarily reflect the official position of Columbia School of Professional Studies or Columbia University.
About the Enterprise Risk Management Program
The Master of Science in Enterprise Risk Management (ERM) program at Columbia University prepares graduates to inform better risk-reward decisions by providing a complete, robust, and integrated picture of both upside and downside volatility across an entire enterprise.
Fall 2024 application deadlines for the M.S. in Enterprise Risk Management program are March 15, 2024 for applicants with international documents, and May 1, 2024 for the final deadline. Learn more here.
About the Operational Risk Management Course
Enterprise Risk Management lecturer Penny Cagan's Operational Risk Management course offers a review of the various types of operational risks, such as technology risk (e.g., cybersecurity), human resources risk, and disasters. The course includes case studies, risk analysis frameworks and metrics, and common mitigation techniques, such as insurance, IT mitigation, and business continuing planning.