Since 9/11, port facilities and ships have been identified as the primary potential threat to international security. The theory behind this seemed to suggest that ships and their port interfaces were vulnerable to threats and were the means by which international terrorism would be able to perpetrate their deeds. The more cynical in the industry suggested that ships and ports were selected because they were easy to ring fence and there was an established mechanism in place to introduce regulatory requirements; through the IMO. Thus, the International Ship and Port Facility Security (ISPS) code was created, and by July 2004, some 35,000 ships were certified compliant with the ISPS code and deemed ‘secure’ and the world was a safer place. Or was it?
Visit any port and look at what security arrangements are in place. Some have three metre high boundary fences, some don’t. Some have cameras peering into every corner; some rely on just a few or none at all. Some have guards patrolling and static guarding at gates and entrances and exits, some don’t or, if they do, the guards are not always instructed on what to look out for. So what should ports be doing to protect ships taking on or discharging cargo and passengers, and the supply chain
with which they interface? How can a port authority judge what should be done to make itself and its supply chain partners secure without overdoing it or spending unnecessarily on infrastructure, equipment and resources?
The decision making has to be part of an intelligent process; top management led that adopts a – ‘what if?’ approach and linked to a – ‘what should we do?’ Such a process is generically called risk assessment or risk management. The ISPS code recognises that the Port Facility Security Plan (PFSP) is ‘fundamentally a risk analysis of all aspects of a port facility’s operation to determine susceptibility to attack.’
Risk assessments needs to consider all sources of risk, such as security threats or events that might interrupt operations and then assess the likelihood or vulnerability and consequence of each of these occurring. The result will be a documented record of all potential events, not just those considered possible or probable, but all, so that all those thought of during previous iterations can be revisited periodically for re-evaluation.
Evaluating risk for all eventualities is not an easy process. It can’t be done by one person sitting in a dark room with a blank piece of paper. It’s part of the intelligent evaluative process that requires input from a ‘team’ of experienced, knowledgeable people who can provide the necessary cross functional and operational input about all aspects of the port facility’s internal activities and external influences that might also impact on the port facility’s up-stream and down-stream supply chain security. The team needs to consider every eventuality, however unlikely or ‘off the wall.’ To do this properly, with confidence that outputs will be treated seriously and dealt with the necessary resource and investment, top management support and commitment is needed from the outset.