Audit Survivor: Auditable and Effective SMS Processes

Every organization has processes. But not all processes are auditable.

At Acclivix, we often encounter well-meaning text that looks official but wouldn’t survive a single round at audit tribal council. That’s why we presented our Audit Survivor session at last week’s Alberta Airports Management Association (AAMA) Conference in Edmonton, Alberta. We challenged participants to plan, prove and prevail - because only by having processes that can stand the test of an auditor, can you keep your torch lit and stay in the game.

Let’s take a closer look at:

• The differences between processes and procedures

• The importance of having audit-ready documentation

• How to improve your processes with a “reward challenge” mindset

Processes vs. Procedures

If we’re to protect our torches and stay in the game, it’s important to understand the difference between processes and procedures. While the terms process and procedure are often used interchangeably, they do have distinct meanings, especially in safety and operational management. And understanding the difference is crucial for creating clear and effective systems in an organization.

A process is the big picture—it tells what you’re trying to achieve and why. Think of it in terms of needing a cake for a birthday party:

• What are we trying to do? → Bake a cake

• Why are we doing it? → For a birthday party

• What should we end up with? → A delicious, fully decorated cake by 3:00 p.m.

The process doesn’t go into every measurement or temperature. Instead, it outlines the objective (the cake), the reason (the party), and the outcome (on-time, tasty success). In safety terms, this is like your Hazard Identification and Risk Assessment Process or Runway Safety Process—structured, purposeful, and results-oriented.

There may be several procedures that enable a single process.

The procedure is what gets your hands dirty—literally. If we’re going to bake a cake, we need to:

• Preheat oven to 350°F

• Mix 2 cups flour with 1 cup sugar

• Add eggs, vanilla, and melted butter

• Bake for 30 minutes

• Let cool, then frost with chocolate icing

This is your Standard Operating Procedure (SOP). It tells you exactly how to do something including the step-by-step instructions so that even a new staff member can follow it.

Why Both Matter in Safety Management

In airport safety:

• A well-written process ensures your team knows what success looks like

• A clear procedure ensures your team knows exactly how to get there

If your process is missing, the cake never gets baked. If your procedure is missing, people start guessing—and that’s how you end up with salt instead of sugar.

In SMS terms, that could be the difference between effective hazard control and a preventable incident.

Three (Real-ish) Examples of Broken Processes

This is where the game gets real. In the course of reviewing Safety Management Plans for various airports, we have encountered some common issues with their plans – and you might think of these as things that can get you voted off the island! Here are a few examples. But don’t worry, I’ve changed the wording and removed the names! Any similarity to your Safety Management Plan is purely coincidental – and if they DO seem familiar, then maybe you need to revise your processes, too!

1. The “Kinda, Sorta” Safety Policy

“The Airport shall implement a Safety Management System (SMS) that complies with Canadian Aviation Regulations (CARs) and follows an organized approach to managing safety. This will include identifying safety hazards, ensuring risks are addressed, and continuously monitoring the airport’s safety level. The Safety Policy outlines the airport’s safety objectives, management principles, and commitment to continuous improvement. The Policy is signed by the Accountable Executive, displayed in airport work areas, and reviewed annually before January, with any changes recommended to the Accountable Executive.”

While this all sounds good, it describes intentions, not a process. An effective process should include specifics that point to records and accountability.

2. Records Management-ish

“Safety Management System (SMS) records will be stored electronically to ensure that all documents necessary to support the SMS are retained, accessible, and transparent. The electronic system is backed up daily on the airport server. Records will be retained for two (2) audit cycles to ensure availability during audits.”

What types of records are included? How are they to be controlled? Who is responsible for doing it? Auditors want more than hand-waving. If you can’t point to the records system and show consistency, it won’t stand up to scrutiny.

3. Hazard Identification, or Hazardous Identification?

“The Airport conducts hazard analysis and prepares a safety case for significant changes that could impact airport operations. For planned changes, the safety case is developed before the change is implemented. For unplanned changes, the safety case is created as soon as possible after the change occurs. For changes that are not considered significant, hazard analyses are conducted on an as-needed basis when issues are identified.

Hazards are recorded in the Hazard Register. Each year, the Hazard Register is reviewed to identify the most significant hazards, which are then prioritized and listed in the Safety Risk Profile. The Safety Risk Profile is used to inform the airport’s annual objectives and goals.”

This implies hazard tracking is reactive, inconsistent, and lacking proactive analysis. That’s a missed opportunity to control risk before it causes harm.

What Makes a Process Auditable?

A process should be:

✔️ Defined: It says what will be done, why it’s necessary, and by whom
✔️ Documented: It’s written down in accessible, living documentation
✔️ Repeatable: Anyone stepping into the role can follow it
✔️ Monitored: You track performance, effectiveness, and compliance
✔️ Verifiable: You can prove that what you said would happen actually did

How to Improve Your Processes

Make sure your team has the Immunity Idol.

1. Understand the Regs and Elements: Reviewing both Transport Canada’s regulations and the ICAO standards will help ensure compliance.

2. Use an Auditor’s Lens: Read your Safety Management Plan and ask:

   •If I were looking for proof, where would I find it?

   •What evidence would I expect to see?

   •Can I find it quickly?

3. Get Another Set of Eyes:

   •Ask a colleague, another airport, an SMS professional, or a consultant to review your processes.

   •Involve your staff—they’re the ones using the system!

4. Make Sure the Processes Work Within Your System:

   •There’s a reason it’s called a Safety Management System—the processes must integrate with your operations, staff, and resources.

   •Consider Transport Canada’s definition of SMS: which is "A documented process for managing risks that integrates operations and technical systems with the management of financial and human resources to ensure aviation safety or the safety of the public."

5. Have the Evidence—And Be Ready to Produce It:

   •Don’t scramble at audit time! Make sure you can quickly produce the evidence for both internal and external audits.

   •Remember that your evidence must show that your processes are working and effective.

Your Reward Challenge

Start with a single process—just one.

1. Name the Process: What is it supposed to do?

2. Assign Responsibility: Who owns it? Who carries it out?

3. Map the Steps: What happens first, next, and last?

4. Make it Measurable: How would you know it worked?

5. Write It Down: So it lives beyond staff turnover or institutional memory and make sure others can read and understand it.

6. Test It: Run a simulation. Survive an audit. Update as needed.

Always—always—involve your team. The best processes are built by those who use them.

And if you need a guide on your journey, Acclivix is here to help you keep your torch lit. Contact us today!