Shipowners and operators need to treat piracy like a form of risk management that must be factored into their annual operating costs
Sea trade and the maritime industry have always faced risks – from ship integrity through to safe passage in open waters. These risks may relate to operations and ships’ physical structure, crew safety, financial viability, company reputation and cargo integrity. All these issues are currently under pressure due to international piracy at sea.
Decisions about how best to serve the interests of the company and clients require a significant level of sound judgements throughout the business’s life. Financial decisions, insurance, mergers and acquisitions – all involve high levels of due diligence and understanding of the possible strengths and weaknesses of the outcomes to decisions. In other words, “understanding the risks”.
Risk is now internationally defined as the “effect of uncertainty on objectives” [ISO Guide 73 – Risk management – vocabulary] and is determined by having a clear understanding of not only the consequences of an event or incident, but the likelihood that the event or incident will impact the area/activity of interest.
The International Standards Organisation (ISO) released a standard on risk management, ISO 31000, in 2009 which sets global best practice in respect to the principles and processes to best identify and manage risks. While ISO 31000 is not a “management system” akin to ISO 9001 (quality), it does establish the principles and processes for applying risk management within risk-based management systems, such as ISO 28000 (security) or ISO 14000 (environment).
ISO 31000 is suitable for all organisations, irrespective of size, from a multinational to an individual operator and can be applied to the entire organisation; across its many areas and levels, at any time, as well as to specific functions and activities.
Sound decisions
So, how does this assist the maritime industry and its operators? Every business has different activities or streams that contribute to the overall success or failure of that business. In better understanding the “risks”, businesses are better placed to make sound decisions. This brings us back to the question of managing an operator’s or owner’s risks (effect of uncertainty on objectives): what does that mean, what objectives, when and where?
The answer is, wherever the user decides to use the process. BMP4 (3.1) states that “it is important that the risk assessment is ship and voyage specific, and not generic”. It should be noted however that sound security risk management ought to be applied to the entire organisation to maximise the benefits.
When deciding where organisations need to improve or seek a better understanding and management strategy of risks, the operators themselves define the scope of application (operations, security, environment, safety, etc.), followed by further defining the factors or context that may have a bearing on the risk management processes. This context encompasses internal factors, external factors and the risk assessment and management criteria.
The external context includes cultural, political, legal, regulatory, financial, natural, location and criminality factors as well as the business arena (international, national, local). Using piracy as an example, these factors include flag state requirements or restrictions, IMO regulations or best practice, the maritime assistance force, the pirates’ areas of operations and their methods, seafarers’ unions’ decisions on safety and security, the legal requirements of port states, the geographic location, and the interests of clients and other external stakeholders.
The internal context includes:
– the organisation’s capabilities and understanding in terms of resources and knowledge (people, processes, systems, technology, time and capital)
– information and systems flows and decision-making processes
– the interests of internal stakeholders
– the objectives and strategies of the organisation.
Other internal factors or contexts include:
– the perception, values and culture of the organisation
– the policies and processes applied and the standards, industry requirements, reference models, structures (governance, roles and accountabilities) to which the organisation subscribes.
Policies and practices
In respect to the piracy issue, the internal context includes shipping routes, operational practices, staff training and competency, information management, policies on armed guarding, compliance with recommended practices (BMP4), and physical security measures adopted. Business key performance indicators (KPIs) or financial targets and the requirements or expectations of internal stakeholders (insurance and business partners) all have a bearing on risk.
In order to establish a system that contributes to sound and robust risk identification, an agreed process for risk assessment methodology, risk criteria (hazards/threats, vulnerabilities, likelihood and consequence), risk assessment program and timing must be established.
Setting these criteria contributes to the objectivity of the system’s findings.
Risk-based security management contributes to better business by identifying and mitigating the plausible disruptions and incidents/events that have the potential to harm a business. That harm not only manifests itself in losing a vessel to pirates, but also losing clients or client confidence as a result of the incident, seafarer welfare issues, insurance premiums and other ancillary costs.
An organisation is better placed to make the right decisions for safeguarding its operations by adopting a systematic security management system that defines its scope and context, identifies risks through an appropriate risk assessment methodology, and identifies and selects security risk mitigation strategies (including business processes, operations, security personnel, fixture integrity, security hardware and technology) that are “fit-for-purpose”.
This systematic management process facilitates the establishment of security objectives based on the identified risks. The selection and use of appropriate security measures (processes, people, physical and technological) to meet the objectives becomes an integral part of the overall program.
Through these security objectives the operator determines if their preferred outcome is to “Detect, Deter, Delay, Respond and/or Recover” from an incident.
Peter Boyce
Senior Business Manager – Security and Business Continuity Management Systems at Lloyd’s Register Quality Assurance
This article first appeared in LR Horizons published by Lloyd’s Register