Airlines Operator’s Risk Management Measures and Governance: Experience From Pandemic
Abstract
The presence in an industry of a low-cost carrier with a low-profit margin, Capital A as one of the main players in Asian region for airlines operators have puts extra effort into risk identification and management in safeguarding it business sustainability. A Risk Management Committee is an integral part of the Group's corporate governance structure, helping it to achieve its primary goals of protecting stakeholders' interests and realizing long-term shareholder value. The CEO, the President of Airlines, and other Board members have assured the Board that the risk management and internal control systems are functioning suitably and successfully in all relevant aspects. Action plans are being created for areas that need improvement, and the corresponding heads of department are keeping an eye on the dates of execution. Through its Board Committees, the Board also gets quarterly reports on important issues related to internal control and risk management. The Board believes that the Group risk management and internal control systems were functioning suitably and successfully, based on assurances from management and reports from the Board Committees. This document describes the steps that Capital A took in terms of risk management viewpoints both before and after the COVID-19 epidemic.
Keywords: Airline Operators, Capital A, Pandemic, Risk Management
Introduction
Capital A Berhad, formerly known as AirAsia Group, is an investment holding company that operates a variety of data- and technology-driven travel and leisure companies, including the AirAsia Super App, BigPay fintech, and Teleport logistics venture. Its goal is to create and provide products and services with the greatest possible value for the money. It achieves this by utilising reliable data amassed over the course of its 20 years in operation and one of Asia's top brands committed to aiding the marginalized.
Being in a business of a low-cost carrier with a low-profit margin, Capital A puts extra effort into risk identification and management to ensure business sustainability. In order to achieve its primary goals of preserving stakeholder interests and maximizing long-term shareholder value, the Group integrated a Risk Management Committee into their corporate governance framework. The main duties include: (1) supervising and advising on the Enterprise Risk Management framework and strategies; (2) putting the Business Continuity Plan into action and keeping an eye on it; and (3) creating and fostering a culture of risk awareness. Because the airline industry is so diverse, determining the risk profile within the sector is extremely difficult. The interpretation of the risk profile differs among the airlines due to variations in business directions.
It was said that the pandemic highlights many gaps airlines have in their risk management models. They lack an all-encompassing enterprise risk management (ERM) framework and face siloed organizations, and key staff are short on risk management knowledge. Hun (2019) reported that the company facing outrageous risk of technology failure even though the company was well-equipped with updated information technology. However, Capital A remains strong with support from its leaders and the Board in managing relevant risk. A significant step taken by Capital A during the Covid-19 pandemic in 2019 and 2020 was the establishment of a Management Level Risk Committee ("MRC") to enhance management participation in risk management procedures and evaluate the Group's major risks before submitting them to the RMC on a quarterly basis (Bursa Malaysia, 2019; Bursa Malaysia, 2020). In order to respond to business continuity events, the Risk Management Department also identified and formed Crisis Management Teams throughout the Group. Additionally, BCP exercises were carried out for important systems, functions, and stations in order to reduce the likelihood of significant operational disruptions in the event of a crisis throughout the Group.Don't alter the meaning when you paraphrase it for a research paper using simple, everyday language.
The COSO Enterprise Risk Management (ERM) approach implemented by Capital A Berhad is intended to detect, assess, and reduce risks within the company. The following are the elements of the ERM framework:
A risk governance structure with distinct roles and duties for managing risks has been established by Capital A. To ensure risk management is incorporated into daily operations, the risk culture is pervasive throughout the organization.
Risks are identified and evaluated as part of the risk assessment process to ascertain their likelihood and potential impact. Strategic, operational, and financial risks are evaluated at different organizational levels.
To ensure risks are adequately managed, control activities are put into place. These actions consist of internal controls, rules and procedures as well as monitoring.
For the ERM framework to be successful, hazards and risk management tactics must be effectively communicated. A frequent reporting schedule to the board of directors and senior management is part of AirAsia's communication strategy.
To make sure the ERM framework stays useful and successful, it is regularly examined and reviewed. Internal audits, periodic risk assessments, and impartial reviews are all part of this.
Strategic Risk Analysis
One of the significant risks and mitigation actions that Capital A Berhad (later mentioned as CA) stated in their Annual Report was strategic risk which comprises three categories; Political and Environmental Uncertainty, Competition, and Reputation and Branding.
The analysis will be carried out based on pre- and post COVID-19 pandemic's differences on strategic risk and mitigation actions according to four (4) years which are divided into two (2) groups; 2018 and 2019 for pre Covid-19 period and 2020 and 2021 for post Covid-19.
Sales Shocks / Political and Environmental Uncertainty Risk
Risk Analysis on Pre Covid - 19 Pandemic Period
According to strategic risk 2018, there are only two topics focused on risk management under the first category;. Political instability and market downturns are mentioned as potential threats to the company's operations and earnings. As part of their mitigation strategy, they also implemented a few other strategies, like regular market analysis and coordinated reactions to market developments. They occasionally ran low-cost specials as well in an effort to boost sales during slow times. In 2019, based on the Statement on Risk Management & Internal Control reported in the Annual Report, CA was found to add three new topics/areas under political and environmental uncertainty risk (previously stated as Sales Shock Risk in 2018). Natural catastrophes, health crises, or other uncontrollable occurrences in the countries in which the Group conducts business that are thought to be detrimental to operations and income if they are not appropriately managed are the three other themes. Meanwhile for the mitigation actions, CA included fleet reallocation and capacity management on top of the actions that they stated in the 2018 Statement of Risk Management and Internal Control.
Risk Analysis on Post Covid - 19 Pandemic Period
As reported, the first known outbreak of COVID-19 started in Wuhan, Hubei, China, in November 2019. Meanwhile in Malaysia, the COVID-19 outbreak came in two waves. The first wave began on 24 January 2020 with three cases imported from China via Singapore, resulting in only 22 cases by mid-February. Then came the second wave, which began on February 27, 2020.
Although the outbreak in Malaysia started early 2020, we believed that CA had included the three topics/areas later in 2019 considering the risk they might face in the following years. Regarding the mitigation step, Bursa Malaysia (2019) indicated that, in addition to previous year's mitigation, CA has established Crisis Management Teams to respond to and lessen the impact of a crisis on its business operations.
For the period after Covid-19 pandemic strike this country, the strategic risk topics/areas established since 2019 have been practised the same for 2020 and 2021. Meanwhile for the mitigation action, CA maintained the existence of Crisis Management Teams which assist in responding and mitigating the crisis on the business operations. CA keeps on focusing on constant monitoring information related to areas that can impact its business operation. Such information is then used to adjust asset allocation, capacity management and promotions to reduce the potential impact of these risks.
Competition Risk
Competition risk is the second significant risk categorised under strategic risk. As analysis conducted on the period of pre- and post-COVID-19 pandemic, we have found no changes for the past 4 years. It was all reported the same each year from 2018 until 2021 (Bursa Malaysia, 2020; Bursa Malaysia, 2021).
This risk area concerns intense market competition arising from the entry of new competitors, price conflicts, and the expansion of competitors' networks. CA has implemented risk mitigation strategies, including enhancing its route network, entering emerging markets to benefit from "first entrant" advantages, which lead to reduced airport charges, and actively competing and securing market share by offering competitive fares using dynamic pricing.
Reputation and Branding
The third risk categorised under strategic risk is reputation and branding risk. Based on observation and analysis on pre- and post-COVID-19 pandemic periods, no significant changes have been found.
This risk's issues and categories include reputational harm from negative media coverage or social media platforms that act as forums for customer complaints or anti-business campaigns. In addition to risk mitigation, yearly brand health evaluations were planned, the findings of which were utilized to carry out effective PR initiatives, such as focused marketing campaigns, as mentioned in the 2018 statement. on order to respond to client concerns on key social media channels more quickly, CA established a 24/7 Social Command Centre in 2019. This centre employs customer support tools and real-time monitoring of consumer attitudes gleaned from social networks using social listening services. In addition, a team is set up to guarantee that appropriate action is taken to lessen any potential reputational risks, and a media monitoring service is utilized to keep an eye out for and alert the CA to any targeted media coverage of AirAsia.
Operational Risk Analysis (System Outage and Value Chain)
Generally, operational risk refers to the possibility of suffering losses due to ineffective operational activities, structure, processes, system and people within the organisation. The risk is closely related to the core business of the organisation. Failing of managing and mitigating this risk may cause a huge impact to the business. Thus, proper risk assessment and mitigation have to be taken place effectively.
Before Covid-19 took place, for the year 2018, there were only two risks subjected under the operational risk; which are system outages and value chain disruption. Starting from the year 2019, cyber and safety threats have also been included as operational risk apart from the two risks reported earlier.
System Outages
Before the pandemic, the systems addressed in CA's Statement on Risk Management and Internal Control pertained to critical systems that were essential for ensuring the uninterrupted operation of flights and revenue channels. Failure or interruption of any of these systems may affect the business operations significantly and may also give rise to reputational risk to the company as a whole.
As reported in the year 2018 and 2019, the system outages frequently happened in the commercial aviation industry and this resulted in significant losses to CA. For instance, system outages happened in July 2019 as reported in the news (Hun, 2019). During that time, the CA experienced an IT system outage, which impacted several systems, including its website, www.airaisa.com and AirAsia mobile application. The AirAsia website showed a "Welcome to our waiting room" picture with a repeating 15-second countdown during the outage. Several customers vented their concerns on social media about the system failure, which they claimed prevented them from making online check-ins and flight purchases.
To mitigate this risk, CA has designed, put into action, and tested backup and failover systems tailored for specific systems to reduce the impact of disruptions. Additionally, the company has established an IT Emergency Response Plan and a corresponding Group Operational Response Plan to ensure the continuity of business operations in the event of a critical system failure..
After the pandemic, CA continues to report system outages/failure as one of its main operational risks in the year 2020 and 2021. The backup of the system is still running as previously implemented, but the company has also taken a step forward in order to minimize such risk. In the event that these mission-control systems fail at any one location, the company has established backup sites in multiple geographic locations. Besides, a Crisis Management Plan (CMP) and Business Continuity Management Plan (BCMP) have also been implemented by the company. CMP is developed to put into action and maintain business continuity plans that include methods and procedures for resuming essential business operations in the event of an unanticipated calamity whereas the goal of BCMP is to reduce major operational disruptions throughout the Group during a crisis.
Value Chain Disruption
A value chain represents the comprehensive series of steps involved in delivering a company's products or services. Any circumstance that obstructs the production, sale, or distribution of these goods or services is regarded as a disruption in the value chain. These disruptions may stem from a variety of factors, including pandemics, regional conflicts, and natural disasters.. In the case of CA (an airline company), the aviation industry's value chain includes critical elements like luggage handling systems, fueling processes, customs and immigration procedures, as well as quarantine protocols.
Prior to the pandemic, CA reported value chain disruption as its operational risk in the year of 2018 and 2019. In order to mitigate the risk, the company monitored and informed service providers regarding potential service disruption to ensure that there is little to no disruption to operations. The company also worked collaboratively with airport operators and authorities to develop and test incident-specific business continuity plans for selected key hubs.
During the post pandemic, this risk continues to be reported as one of the operational risks in 2020 and 2021. Bursa Malaysia (2019) and Bursa Malaysia (2020) reported that the pandemic has caused a significant impact to the entire aviation value chain. The number of flights and locations have been reduced since the pandemic. Besides, the company needs to adhere to the government’s policy or standard of operating procedure in order to prevent COVID-19 spread. In mitigating this risk, CA continues to work closely with the airport authorities for constant monitoring and communication with regards to probability of service disruption. Via its Business Continuity Management Plan, the company also conducts periodic testing in various airports and hubs to ensure less inconvenience and minimise disruptions.
Other Operational Risk Analysis
Cyber Security Risk
Before the onset of the COVID-19 pandemic, CA focused on minimizing the risk of cyberattacks through strategies like emphasizing internet sales channels, managing guest reviews, providing customer support through digital means, and implementing various online solutions. In terms of safeguarding information security across its operations, the Group adhered to the International ISO/IEC 27002 Code, employing controls in its processes, procedures, and technology. Furthermore, the Group consistently evaluated and adopted new technologies and methodologies as part of its ongoing efforts to mitigate emerging threats. In 2019, the realm of Cyber Security Risk was integrated into the broader category of Operational Risk and specifically identified as Cyber Threats. Following the COVID-19 pandemic, CA shifted its attention towards addressing specific threats, such as ransomware, phishing, data breaches, hacking, and insider threats stemming from diverse information system channels. To counteract these threats, which have the potential for substantial harm and damage, the Group has implemented a comprehensive information security system based on ISO/IEC 27001 processes and methodologies to safeguard its information systems.
Security Risk
Both before and after the COVID-19 pandemic, there has been an escalation in Safety Risk due to the Group's expansion of routes, flights, and passenger volumes. In 2019, Safety Risk was integrated into Operational Risk and was labeled as Safety Threats. To mitigate this risk, the Group relies on a robust Safety Management System, with a particular focus on the Safety Review Board (SRB). The SRB is instrumental in ensuring the achievement of stringent safety goals through the application of safety and quality standards. The Group also emphasizes digital tools that capture data for safety risk analysis that promotes continuous improvement. The Group is subject to routine mandatory Safety Audits for its operating licenses. The Group has completed all IATA Operational Safety Audits with the relevant certification for Malaysia, Thailand, Indonesia and Philippines.
Sustainability Risks
Prior to the COVID-19 pandemic, CA was concerned about Sustainability Risks, specifically focusing on environmental risks encompassing economic, environmental, and social consequences that could potentially harm the group. To mitigate these risks, CA established a Sustainability Working Group Committee, comprising representatives from various departments. This committee, led by the Group Sustainability Team, played a pivotal role in guiding the effective and efficient execution of sustainability strategies. However, it's worth noting that in 2020, this risk was removed or no longer considered a significant concern.
Analysis of Financial Risk
Commentary- Observing the reaction of Capital A group in the pre-pandemic risk identification and mitigations in respect to the ERM projects, there are two mains pre-pandemic risk that surfaces under the financial risk which are highlighted below:
Fuel price
A sharp increase in fuel prices could substantially affect the Group's profits, given that fuel is a major cost element in its operations. To address this, the Group has effectively managed and monitored its vulnerability to fuel price fluctuations by employing hedging strategies. This mitigation approach has proven to be highly effective, as there have been no alterations in the post-pandemic period, and the same strategy was consistently applied as indicated in the 2021 report.
Foreign Currency Translations
An unforeseen devaluation of the Malaysian Ringgit, especially in relation to the US Dollar exchange rate, could notably affect financing costs and overall business operations. To counter this risk, the Group consistently tracks and handles its exposure to foreign currency fluctuations using diverse hedging strategies. The Group's treasury department maintains a dedicated team responsible for monitoring and managing these hedging strategies. It's worth noting that the same risk mitigation measures have been retained in the post-pandemic period, underscoring the effectiveness and durability of these actions.
Covid-19 Pandemic
The aviation sector has experienced severe impacts from the closure of international borders and a significant decrease in flight operations and passenger numbers. This has resulted in difficulties in maintaining operating cash flow and potential financial losses that might jeopardize the company's solvency. To address this risk, the Group has undertaken cost-cutting measures and initiatives to prevent revenue loss. Additionally, the group has explored various corporate actions to secure additional funding and ensure its ongoing viability.
In addition to the three main risks identified under the financial risk category, the introduction of Covid-19 risk was the most significant and major reaction in the entire post pandemic Enterprise risk management strategy. This particular risk has threatened the existence of the Capital A group as most flights have been grounded in the peak of the pandemic. It has far too many consequences for almost all the stakeholders involved including staff, shareholders, passengers, regulators and so on.
The group reacted to these major shocks by initiating major redundancies in the staff component, and as a result nonessential staff of the company has been laid off for the purpose of cost reduction. The pandemic has caused border closures and therefore, there was no passenger traffic which was the main source of revenue for airlines. This has caused serious cash flow problems in carrying out the operational activities of the group and can force the group into insolvency. The group has no choice but to engage in further corporate exercises to generate additional funding for the existence of the Company.
Compliance Risk Analysis
Compliance risk management involves the systematic identification, assessment, and mitigation of potential losses arising from a company's failure to adhere to an array of laws, regulations, standards, and internal and external policies. The core objective of these management practices is to aid companies in upholding compliance with a myriad of rules and laws. Organizations often establish policies and processes to govern compliance risk, which serve as the structural framework and control mechanisms for this risk. It is a continuous process that necessitates tracking changes in the regulatory landscape to ensure the organization's ongoing compliance. To remain current with new policies, directives, and regulations, compliance policies, procedures, and training materials are periodically reviewed. In the context of its airline operations, CA is subject to various regulatory requirements.
Non-Compliance to Regulatory Requirements and Data Security and Privacy
Before Covid-19 took place, which is for the year 2018 and 2019, there are only two risks subjected under compliance risk which are non-compliance to regulatory requirements and data security and privacy. As a large company, CA is exposed to the risk of legal action due to potential violations of contracts, industry standards, and regulatory or consumer authority requirements in many jurisdictions as well as local laws and regulations. Air Asia has proactively mitigated this risk by maintaining active collaboration with local regulatory bodies and authorities, thereby ensuring prompt understanding and compliance with any newly introduced regulatory obligations. CA also takes initiative to always keep updated with the local regulatory landscape if there is any amendment of regulations that will affect the group. Next, CA also faces the risk of violating data privacy laws and regulations, as well as losing customer trust as a result of a data breach. In order to reduce this risk, in 2018, CA came out with a data governance working group. The establishment of this group is to ensure that CA always follows the law, regulations and best practices in order to protect data privacy and gain confidence from the customers.
Anti-Bribery and Anti-Corruption Regulatory Requirements
Since the onset of COVID-19 in 2020, CA has expanded its compliance risk framework to include anti-bribery and anti-corruption regulatory obligations. This entails adherence to regulations set forth by the Malaysian Anti-Corruption Commission (MACC), initially enacted in 2008 and later amended in 2018. Notably, Section 17A of the MACC Act of 2009 introduces a corporate liability concept, making commercial organizations accountable if their employees or associates engage in corrupt practices on behalf of the organization. The organization can be held responsible for corruption, even if its top management or representatives are unaware of the corrupt activities carried out by employees or associates. To mitigate this risk, CA has implemented a strict zero-tolerance stance against bribery and corruption. They also make certain that all individuals both within and outside of CA are well-informed about and exposed to this policy.
Enterprise Risk Management (ERM)
Based on Capital A’ Risk Management reports, the Group’s ERM identifies broad risk categories and put forward the appropriate strategies to efficiently mitigate the risk. Bursa Malaysia (2019), Bursa Malaysia (2020) and Bursa Malaysia (2021) together with Bursa Malaysia (2022) outlined the Group’s ERM in a very conscience reporting of risks. Each of the risk identified were listed out together with the respective risk event and risk mitigation strategy. These can be found as in Table 1: Type of Risk, Risk Event and Risk Mitigation Strategy.
Conclusion
This paper has rigorously scrutinised the risk management report of the Capital A group in relation to its reaction on the Pre and Post pandemic era that has caused severe disruption in the entire aviation industry. Although Capital A have shown notable effort in revealing its approach in dealing with relevant risk to the industry, we observed minor deficiency in its Risk Management Statement, which may imply lack of transparency: (i) The dramatic drop in demand for passenger in air transport attributed to the COVID-19 pandemic and prolonged containment measures (the enactment of domestic and foreign travel restrictions) threatened the viability of the Group. The level of People Risk, under the broad category of Operational Risk should have amplified in view of the Group’s struggle in ensuring retention of skilled manpower and talent. Many of them had to be laid off, as part of the Group’s strategy to survive. There was lack of information on how the Group’s deal with this issue. (ii) The termination of several routes under Air Asia X, which was seen as a low hanging fruit in the Group’s effort to cut cost was not surfaced in the report. The ceasing of operations which started in early 2019 and subsequent restructuring activities after a long hibernation was part of Capital A’s effort in managing its Financial Risk. This info was not seen in the Group’s pre & post Risk Management report. Enterprise risk management (ERM) was introduced prior to pandemic but much priority has been given to it at the Board level after the post pandemic era to cater for more proactive mitigation strategies for contingency purposes. Considering the four main categories of the risk identified as strategic, financial, compliance and operational risk, the team has studied the reports and came up with facts that stood out as the major reaction of Capital A in its ERM projects:
- the major difference as to the ERM in the post pandemic era is the introduction of Anti-Bribery and Anti-Corruption Regulatory Requirements in the report. Although this is only identifiable in the post pandemic era, it is seen as a more robust measure that Capital A has taken, being more proactive to risk.
– the introduction of Covid-19 as an additional risk to the already existing risk indicates the reaction of the Group and the mitigation action that has been considered. This particular risk is the major difference in the entire report as it has posed significant threats to the existence of the Company.
has been quite steady on the pre and post pandemic of the ERM projects and perhaps is an indication that the initiatives that have been taken in the pre-pandemic era are quite sufficient for continuity as it is addressing the need of the company in respect of mitigating the possible risk in those categories.
The Board has been assured by the management that the Enterprise Risk Management (ERM) and internal control systems are functioning effectively in all significant aspects. Any areas requiring enhancement are being addressed with action plans in development, overseen by department heads who monitor implementation timelines. Additionally, the Board routinely receives quarterly updates on critical risk management and internal control issues via its Board Committees.
Acknowledgment
Authors wish to express gratitude and thankful to Universiti Teknologi MARA, Research Management Centre (RMC) of Office of Deputy Vice Chancellor: Research, UiTM Selangor Campus, and Faculty of Accountancy of UiTM for granting research funding and opportunity for conducting research. This research was funded by the grant under the registered number of 600-RMC/GPK 5/3 (019/2020).
References
Bursa Malaysia. (2019). 2018 Annual Report of Airasia Group Berhad. https://www.bursamalaysia.com/market_information/announcements/company_announcement/announcement_details?ann_id=2950525
Bursa Malaysia. (2020). 2019 Annual Report of Airasia Group Berhad. https://www.bursamalaysia.com/market_information/announcements/company_announcement/announcement_details?ann_id=3073106
Bursa Malaysia. (2021). 2020 Annual Report of Airasia Group Berhad. https://www.bursamalaysia.com/market_information/announcements/company_announcement/announcement_details?ann_id=3162964
Bursa Malaysia. (2022). 2021 Annual Report of Airasia Group Berhad. https://www.bursamalaysia.com/market_information/announcements/company_announcement/announcement_details?ann_id=3256988
Hun, C. J. (2019, July 10). AirAsia Says Experiencing IT System Outage. https://www.theedgemarkets.com/article/airasia-says-experiencing-it-system-outage
Copyright information
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
About this article
Publication Date
15 November 2023
Article Doi
eBook ISBN
978-1-80296-130-0
Publisher
European Publisher
Volume
131
Print ISBN (optional)
-
Edition Number
1st Edition
Pages
1-1281
Subjects
Technology advancement, humanities, management, sustainability, business
Cite this article as:
Paino, H., Abdullah, N., Azli, N. H. M., Abdullah, S. N. A. K., Zakaria, Z., & Darboe, T. (2023). Airlines Operator’s Risk Management Measures and Governance: Experience From Pandemic. In J. Said, D. Daud, N. Erum, N. B. Zakaria, S. Zolkaflil, & N. Yahya (Eds.), Building a Sustainable Future: Fostering Synergy Between Technology, Business and Humanity, vol 131. European Proceedings of Social and Behavioural Sciences (pp. 1051-1063). European Publisher. https://doi.org/10.15405/epsbs.2023.11.86