Boeing 737 MAX: An Operational Risk Case Study

Scenario

In August 2011, Boeing Commercial Airplanes, a subsidiary of Boeing, announced the launched of its new 737 MAX aircraft as the fourth generation of the 737 line. Initial deliveries of the aircraft took place in May of 2017, and the plane entered commercial service shortly thereafter. Among the first passenger carriers to run the 737 MAX commercially were Lion Air, of Indonesia, and Norwegian Air, of Norway. Within a year of its launch, 130 737 MAX aircraft were delivered to 28 Boeing customers, and in total 387 aircraft were eventually delivered.

On 29 October, 2018, a Boeing 737 MAX aircraft operated by Lion Air crashed thirteen minutes after takeoff, killing all 189 aboard. The incident was widely reported by various media outlets at the time. Initial reports targeted a malfunctioning flight-control system which had to be disabled in order for the aircraft to function properly. Responding to the incident, Boeing issued guidance on its operational manual to advise airline pilots regarding procedures for handling so-called erroneous cockpit readings.

On 10 March 2019, a Boeing 737 MAX aircraft operated by Ethiopian Airlines crashed six minutes after takeoff, killing all 157 aboard. Like the Lion Air incident from the year prior, the Ethiopian Airlines crash was widely reported. Coverage reported that the incident was similar to the Lion Air incident.

Though initial investigations into the incidents could draw no official conclusions regarding Boeing’s aircraft or systems, findings pointed to Boeing’s Maneuvering Characteristics Augmentation System (“MCAS”) as the likely culprit. The system, which Boeing did not disclose its 737 MAX pilot manual or in its supplementary directive after the Lion Air crash, was allegedly commanding the plane’s flight systems to repeatedly dive, based on erroneous systems data.

Between 11 and 16 March 2019, aviation regulators in countries across the world–including the US, Canada, China, Brazil, India, and others–issued grounding orders for all Boeing 737 MAX aircraft.

Since the grounding of the 737 MAX, investigations into the two crashes and issues with the aircraft have increasingly focused on Boeing’s deployment of MCAS as the primary culprit. Assessments and testing from a variety of sources within multiple investigations have raised issues with the way in which Boeing designed, developed and deployed MCAS, as well as its lack of training and education of pilots and crews on the system’s existence within aircraft, when it would engage, and what to do in case of its malfunction.

On 4 April 2019, Boeing publicly acknowledged that MCAS played a role in both the Lion Air and Ethiopian Airlines crashes of the 737 MAX.

On 18 October 2019, multiple news outlets reported that in 2016, prior to the safety certification and release of the 737 MAX, Boeing’s chief technical pilot for the 737 program had warned a colleague about MCAS, specifically pointing to issues unearthed in post-crash investigations. While, in the wake of the crashes, Boeing officials had maintained that MCAS was not designed to activate within the “normal flight envelope” of the 737 MAX and therefore its exclusion from the standard operating manual for the aircraft was warranted, the 2016 internal messages specifically highlighted that MCAS was erroneously engaging itself. The messages go on to indicate that, in 2016 or prior, the US Federal Aviation Administration (FAA) may have been supplied with inaccurate information regarding MCAS. Nevertheless, in 2017, the very same Boeing pilot, again communicating the FAA, requested that all mentions of MCAS be removed from the plane’s operating manual because its operation was outside of the plane’s normal envelope. Going further, the Boeing pilot proceeded to engage in inappropriate discourse with the FAA regulator on the subject of obtaining regulatory clearances from other regulators for the 737 MAX.

Boeing turned over documents related to these communications to regulators and to Congress on 17 and 18 October 2019, allegedly months after first discovering them.

Upon receipt and review of the documents, members of Congress made public statements about what they deemed to be a pattern of troubling conduct by Boeing.

Gaps In Risk Management

Independent Escalation Channels – Boeing’s development team for the 737 MAX had knowledge of the issues with the MCAS. However, it is unclear whether any reporting mechanism existed for members of the team (e.g., engineers, test pilots, etc.) to report such issues to oversight resources outside of the 737 MAX’s direct value chain (i.e., officials and / or at Boeing whose success was not tied directly and exclusively to the marketing and sale of 737 MAX aircraft). While knowledge of the ultimately disastrous MCAS failures was present within Boeing long before the first 737 MAX was delivered to a customer, it was contained in isolated pockets, hidden from the view of senior management at the corporate level whose success is tied to the overall health of Boeing as a company. While some concerned members of the 737 MAX development staff may have wanted to communicate their concerns upwards, and while senior management may have wished to hear their concerns, the communication channels simply did not exist. Instead of reporting concerns to a unit or personnel with proper oversight authority, engineers at Boeing were instructed to take their concerns to business unit managers, as reported by the New York Times. However, with their success tied directly to sales of the 737 MAX, business unit managers had strong incentive suppress the identification of safety risks and prevent escalation of same to members of senior management. In the wake of the 737 MAX situation, Boeing has indicated that it has adopted clearer escalation channels from engineers to neutral oversight personnel, including the company’s senior management.

Independent Safety Oversight – Boeing lacked an independent internal organization charged with ensuring product safety. At a firm of the size of Boeing, producing products (i.e., aircraft) which have the potential to be deadly in the event of failure, an independent unit should exist as a check on commercial business units such as development, manufacturing, marketing and sales. The success of such a unit should not depend at all on sales of products, but rather on the safety of those products at time of sale and beyond. In the wake of the 737 MAX situation, Boeing has announced the creation of such a group within the company.

Employee Communications Monitoring – It is unclear whether Boeing had a function in place to monitor employee communications. As with all public companies, however, it should. Monitoring of employee communications over company-provided systems (such as e-mail, instant messenger, SMS on company-provided phones, etc.), coupled with a general policy and enforcement program that all company business be conducted solely over those company-provided, and not personal, communication systems, is a crucial arm of risk management in an era in which employee communications are a major driver of risk. Near real-time monitoring of employee communications by a unit of Boeing’s compliance group would have alerted senior management to ground-level issues with MCAS in parallel to–and as a backstop to–internal reporting and escalation of the issue from engineering or other staff.

Regulatory Affairs Oversight – While a debate rages on as to whether the FAA has fallen victim to so-called “regulatory capture” by firms such as Boeing, it is nonetheless crucial for the successful, comprehensive management of risk that all communications by a company’s personnel with regulators be not only monitored, but centralized and streamlined through a single source, such as an internal unit overseeing regulatory affairs. In instances such as this, where the specter of impropriety looms large over conduct by Boeing employees and, possibly, the FAA, it is essential that companies are able to manage their official positions on issues facing regulators and are furthermore able to deliver consistent messaging from all personnel involved. While Boeing, in this case, may be able to blame one or more rogue actors for the impropriety with respect to certain FAA-related issues, the company would do itself no favors in the eyes of its regulators, world governments, its customers, its investors and the general public by claiming to have little power to govern the conduct of its employees. Additionally, the FAA’s approval of the 737 MAX has not served as a significant line of defense against Boeing’s liability for its aircraft’s failures, owing partly to the relationship its staff (such as the chief technical pilot) enjoyed with members of regulatory staff. The surfacing of inappropriate communications between members of Boeing and regulator staff has only stoked the fire of governmental concern over Boeing and the regulatory framework meant to govern its conduct.

Costs & Impacts

Financial – Boeing has experienced catastrophic financial losses in the wake of the evolving 737 MAX situation, having posted a company record loss of $2.9 billion USD for Q2 2019. Its market capitalization, as of August 2019, has fallen by $62 billion USD, on the back of a 25% erosion in share price. Overall, the halt of sales and impending cancellation of orders may cost Boeing roughly $600 billion USD.

Business Position – Boeing has seen fit to postpone development of at least one critical project (the Boeing New Midsize Airplane) and is reportedly considering staff reductions as of Q3 2019. Following the grounding of the 737 MAX, Boeing has suspended all deliveries of the aircraft to customers and slowed its production schedule (financial impacts of which are noted above).

Brand Equity – While multiple crashes and a global grounding of the 737 MAX fleet may have been sufficient to critically damage the public’s trust in Boeing, later evidence pointing out that the company knew of the issues giving rise to the crashes and buried them only further stokes the fire. Numerous polls have indicated that the public has lost its trust in the 737 MAX, and with recent evidence coming to light about Boeing’s practices, the same may well be said of public trust in Boeing itself as well. Serving the needs of the general public, airline customers of Boeing will face increased scrutiny and pressure on their dealings with the company, impacting Boeing’s ability to sell its products across the board.

Criminal Investigation – At the time of this writing, Boeing and certain individual employees may face criminal prosecution in connection with the 737 MAX crash incidents.

Civil Litigation – Boeing now finds itself the target of civil litigation from a variety of sources, including pilot groups seeking compensation for lost wages, crash victims’ families seeking compensation for wrongful deaths (potentially including punitive damages), and others. At the time of this writing, the total outcome of the global 737 MAX litigation is yet to be known.

Regulatory Pressure – Boeing will likely face significantly increased regulatory scrutiny across the globe as trust in the company and its practices has been eroded by the 737 MAX crashes and their aftermath.

Key Takeaways

1.  Companies must designate certain personnel or units as managers and overseers of risk, with their success directly tied to safety and effective risk mitigation instead of sales and other commercial metrics. Companies cannot rely on commercial units (e.g., sales, marketing, etc.) to manage risk. With the success or failure of these units being tied directly to the sales performance of their managed products, these units are inherently disincentivized from reporting issues which may imperil sales and are not likely to serve as effective mitigants of risk.

2.  Companies must ensure clear and independent lines of communication between ground level staff and those personnel and / or units designed to manage risk. Staff members in product development, sales, marketing and a variety of other functional groups must be able to communicate clearly and confidentially with risk managers in order to effectively relay concerns without fear of reprisals or dismissal.

3.  Companies must institute policies, procedures and technological capabilities in order to be able to effectively monitor employee communications in real-time or near-real-time. Failure to monitor employee communications robs companies of their opportunities to manage risks borne out of the behavior of rogue actors. Assigning blame for corporate malfeasance to rogue internal actors ex post facto is not an effective strategy. Instead, companies must own the risk that their personnel may act against the best interests of the firm and effectively manage incidents as they are occurring.

4.  Companies with regulatory exposure must institute policies, procedures and top-down governance over corporate communications with regulators. While in most cases, a regulatory communications function serves to manage regulatory relations and minimize the risk of incurring penalties or enforcement actions, in some cases, its purpose may be to detect regulatory capture and therefore ineffective regulation. While ineffective regulation may not seem, at first, to be a risk for regulated businesses, for businesses without strong regulatory affairs units, it may present itself as an invitation for corporate misconduct, as evidenced above.

Conclusion

Companies should be proactive about risk management and conduct broad risk assessments on a regular basis. Such assessments should monitor for threats across strategic and tactical vectors. From broad-based standpoints such as ensuring clear and independent reporting lines, to granular measures such as monitoring high-risk employee communications, risk management efforts must be comprehensive. Finally, it is vital that key stakeholders up and down a company’s chain of command “buy in” to the importance of risk management and participate in the process in a transparent and cooperative manner. It is incumbent upon company leadership to ensure that a “culture of risk awareness and management” is present at all levels of the organization.