An effective and successful security risk management process poses many challenges to the ship operator. This is a result of the lack of guidance in combination with a complex and diverse situations beyond the control of the ship operator. While the analysis is prescribed to be risk-based, the process of the analysis itself is ungoverned. There is a lack of explicit discussion on how the ship operator could:
- estimate how different threats (and other external aspects) interact with the crew’s risk perception (and resulting effectiveness) in order to assess the utility of different control options, and
- estimate and validate probability approximations, especially given the tight coupling between the threat’s intent, the crew’s preparedness and the chosen controls.
Changes in safety risks are often a result of changes by the ship operator or in the onboard environment. However, for security risks the situation can change dramatically even though there are no changes in the ship operation. As a result the ship security management process is highly iterative and depends on situations both on board and beyond the ship operator’s control. There are also interdependencies between the processes, the situation on board and the political, economic and social situation in the areas transited and visited. Ship security management is, however, not insurmountable, but in order to make it manageable and effective there has to be a focus on the critical aspects stated below.
In the risk assessment the ship operator must put particular focus on:
- methodological understanding beyond what is described in the guidelines, especially in relation to how to achieve an output that is valid and effective,
- collecting relevant system understanding from a relevant combination of experts with knowledge about the particular external conditions (such as threats and their respective incentives as well as security initiatives) and internal conditions (such as education, training and usability of technical and administrative systems), but also about how the external and internal conditions interact, and
- using well defined and communicated risk acceptance criteria that also include stressors to the crew and are based on a sound understanding on human factors.
In the risk reduction and control the ship operator must put particular focus on:
- inclusion of all levels of the organization in the risk reduction implementation based on a human factors understanding,
- continuous and broad awareness when monitoring different activities that can directly or indirectly affect ship security, and
- the necessity to flexibly adapt countermeasures accordingly during the voyage.
While the understanding of safety (hazard-based) risks may come from objective historical accident statistics, the security (threat-based) risks must rely on expert judgements based on knowledge and experience as well as objective data. The process is complicated in that the link between consequences, evaluation criteria, risk control measures and crew preparedness is strong, but not intuitive.