As shown in section 2, the security analysis has to be ship-specific, which calls for well-developed knowledge about the ship. This knowledge is here assumed to be inherent to the ship operator's organization and is left out of the analysis. This study instead focuses on the following three areas with the intent to describe their role in the risk management process:
- Methods for security risk analysis,
- The maritime security environment, and
- The crews’ role in the security efforts.
These three areas, and especially the challenges identified in previous sections, are analysed with respect to their effect on the ship operators’ risk management process as defined by section 2 and Fig. 1.
Risk assessment
The type of intent, expressive or instrumental, varies greatly between different regions and also between different organizations in a region. Also, organizations with the same type of intent can have different capabilities and thus different modus operandi. Therefore, there is a great variety of threats that, in the general case, need to be analysed. In safety, historic frequency can give insight into which areas can be neglected as a result of relatively low risk. No such reliable insight exists for security in order to choose which threats to focus on in the analysis. At the same time, it is not possible to analyse all security threats, and therefore assumptions need to limit the analysis, but without decreasing the validity of the result.
Research shows that preventive and preparatory work on board affects the likelihood of an attack and that a ship that is perceived as being well prepared will be less likely to be attacked (Liwång et al. 2013). In order to include the effects of security risks on the crew in the risk assessment, risk estimation has to consider education and training, coping strategies, usability of technical and administrative systems and systems for providing for both seafarer and family, i.e. an understanding of how the crew can be made to feel safe and secure and become less affected by security stressors. Further, risk estimation must include an understanding of how aspects such as political and demographic conditions on land lead to risks as well as how these conditions can act as psychological stressors on the crew. Since these areas of understanding are not among the ship operator's typical competences, there is a need to use external experts. However, there is no guide on how to choose and use external experts.
The probability for an incident to occur is dependent on external factors such as weather and local geography, but also political changes, security incentives and recent incidents. Some of these aspects can be included in the system and scenario definition, but others will have to be considered at the risk estimation or even on board during a voyage. Currently, there is a lack of standardized and thoroughly documented examples or methods (best practices) on how security risk estimation can be done and continuously updated on ship operator level.
The ship operators’ risk tolerability decisions are dependent on the consequences studied as well as the evaluation criteria used. However, there are no standard sets of security risk consequences or evaluation criteria to use, but criteria for safety could, to some extent, be used as guidelines.
In most cases, the analysis of options requires that the ship operator revisit the risk analysis to test risk control measures and examine how they affect the risk. There is a reason to believe that this process is extra challenging for security cases as the studied system can be altered as new controls are introduced.
Risk reduction and control
The implemented controls should cover a wide range of aspects such as training, route planning, new routines on board or in the shore organization and technical equipment. A notion of insecurity is enough to increase the risk; therefore, it is important for the ship operators both to reduce the actual risk and to make sure that the crew is included in the process and perceives the reduction as effective.
Continuous shipboard training is important to reduce the effect of psychological stressors on the crew and to develop coping strategies for potential insecure situations that may arise. Since stress negatively affects the crew’s decision-making on board, it is important that the implementation is robust, i.e. insensitive to reduction in crew effectiveness. This can be achieved by implementing measures that are understood by the crew, accompanied by clear and usable routines and continuous training. As with all changes in organization or introduction of new technology, it is crucial to develop this implementation in cooperation with the crew.
The threat, organization, technology, working practices, the regulatory environment and other factors are constantly changing. Therefore, choice of control measures must be reviewed regularly. Additional risk assessments will be needed for infrequent activities or those being undertaken for the first time.
For ship security, the monitoring must cover changes in the crew’s security perception. This is necessary since the cognitive, emotional and social situations on board can change over time without a change in the threat. Furthermore, the situation on land and the maritime security environment must be continuously monitored. Therefore, the ship operator must have the ability to monitor the overall situation on land and at sea in order to be able to react if the situation changes from the security scenarios studied. It is likely that such a monitoring process will have to be supported by external experts.
Implications on security management
An effective and successful security risk management process poses many challenges to the ship operator as a result of the lack of guidance in combination with a complex and diverse situation beyond the control of the ship operator. The analysis is prescribed to be risk based, but the process of the analysis itself is ungoverned.
According to the analysis above, ship operators have reasonably clear decision alternatives and reasons to choose the alternative that best meets the utility (risk) estimates. However, there is no guidance on how to achieve relevant risk estimates for all possible alternatives and probability estimates. The reason for this can be found in the lack of explicit discussions on how, and that, the ship operator should:
- Estimate how different threats (and other external aspects) interact with the crew’s risk perception (and resulting effectiveness) in order to assess the utility of different control options, and
- Estimate and validate probability estimates, especially given the tight coupling between the threat’s intent, the crew’s preparedness and chosen controls.
There is also no guidance on how to structurally work with the effects of the crew’s risk perception on the effectiveness of chosen risk reduction measures. There is also limited knowledge on how the crew’s risk perception can be monitored. Hence, subjective aspects which lie beyond the ship operators’ control impact the security threat analysis. This seems to be the case for all aspects of the security risk management process.
Changes in safety risks are often a result of changes by the ship operator or in the onboard environment. However, for security risks, the situation can change dramatically even though there are no changes in the ship operation. Therefore, and to underline the complexity of the security risk management, Fig. 5 presents a cyclic version of the risk management developed from Fig. 1. As illustrated in Fig. 5, the ship security management process can be seen as highly iterative and dependent on situations on board and beyond the ship operator’s control. The illustration also shows the interdependencies between the processes, the situation on board and the political, economic and social situations in the areas transited and visited. The analysis of the risk management process shows that the work has to include these iterative aspects and interdependencies in order to support rational decision-making.
Figure 5 presents no effect on the external factors from the ship operators’ risk management, only the effect of external factors on the ship security management. However, if the analysis and implementation are systematic and consistent among a majority of ship operators in a specific region, the security management can, in the long run, also affect the security situation. This can be seen off Somalia, where the implementation of the BMP4 is one of the contributing factors for changes in the pirates’ modus operandi and for reducing piracy (IMB 2013).
Ship security management is, however, not insurmountable, but in order to make it manageable and effective there has to be a focus on the critical aspects identified here and stated below.
In the risk assessment, the ship operator must put particular focus on the following:
- Methodological understanding beyond what is described in the guidelines, especially in relation to how to achieve an output that is valid and effective,
- Collecting relevant system understanding from a relevant combination of experts with knowledge about the particular external conditions (such as threats and their respective incentives as well as security initiatives) and internal conditions (such as education, training and usability of technical and administrative systems), but also about how the external and internal conditions interact, and
- Using well-defined and communicated risk acceptance criteria that also include stressors to the crew and are based on a sound understanding of human factors.
In the risk reduction and control, the ship operator must put particular focus on the following:
- Inclusion of all levels of the organization in the risk reduction implementation based on a sound human factors understanding,
- Continuous and broad awareness when monitoring different activities that can directly and indirectly affect the ship security, and
- The necessity to adapt countermeasures accordingly during voyage.