Written by James
Are our manuals, plans and systems usable
User Interaction Design
A risk assessment, as defined by the Code of Safe Working Practices (COSWP), is intended to be a careful examination of what, in the nature of operations, could cause harm, so that decisions can be made as to whether enough precautions have been taken or whether more should be done to prevent harm.
A security risk assessment is no different in that it is a careful examination of what could cause harm. With regard to the security aspect, the indicated harm is always intentional and so we need to analyse the security incident by looking more closely at our own limitations that would allow us to be attacked or harmed.
The Piracy Security Incident has four distinct areas that allow us to identify precautions or actions that will help limit the outcome. The diagram below shows the four areas (Threat, Attack, Vulnerabilities and Impact) and how they interact. It also shows the measures that can be implemented to remove or lower the risk in each area.
The steps to take when assessing a security risk will be different to those taken for a safety risk assessment. Hazard identification is replaced by a threat assessment, and the threats to the vessel will generally progress from one to another. For example, the threat of attack will lead to the threat of boarding which, in turn, will lead to the threat of penetrating the citadel.
Due regard should be given to this likelihood. If the threat of attack is low then the threat of boarding or penetrating the citadel cannot be more than low.
The piracy threat is well known and documented, and the known consequences of attack are well publicised. The variable that needs to be fully analysed is the likelihood that the threat will be present during the proposed voyage.
The latest threat assessments should be sought from the CSO who will be able to investigate this through the recommended agencies such as UKMTO, MSCHOA etc. This threat assessment can then be used as the foundation for carrying out the remaining risk assessment.
Governing risk factors for the threat assessment would be weather, route, pirate activity and military presence. These must all be considered when determining the likelihood of the threat and the possibility of attack by pirates. This threat could change during the voyage as the vessel enters choke points or moves further away from land.
The next stage in the Security Risk Assessment is to determine the vessel's weaknesses, taking into account measures that are already in place. These could be deterrent measures, such as armed guards or high freeboard, or preventative measures, such as razor wire or ballistic protection.
The effectiveness of these measures should be assessed considering the piracy chain of events:
Using the guidance given in BIMCO’s Guidelines on Ship and Voyage Specific Security Risk Assessment, the self-protective measures can be scored to build up a good idea of how effective they would be. However, it should be noted that the scores given could change as the threat changes and evolves. For example, the use of dummy lookouts may have some effect from a distance, but the latest profile suggests that the pirates will make a “soft” approach to assess the reaction from the vessel, and so dummy guards would prove ineffective.
Again, with the progressive nature of the chain of events, the likelihood of subsequent events cannot be greater than the one before. For example, if there is a low chance of attacking, there cannot be a high chance of boarding.
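The rule that a later stage cannot be more likely than the one before it can be checked mechanically when scoring a chain of events. The following is an added example, not taken from the original post or from BIMCO's guidelines; the three-level scale, the function names and the sample scores are assumptions made for illustration.

```python
from dataclasses import dataclass

# Ordinal likelihood scale (assumed for this example; the page only names "low").
LEVELS = ["low", "medium", "high"]

@dataclass
class Stage:
    name: str
    raw: str       # likelihood as first scored by the assessor
    capped: str    # likelihood after applying the chain rule
    reduced: bool  # True when the raw score broke the rule

def cap_chain(scores):
    """scores: ordered (stage_name, likelihood) pairs along the chain of events.
    Returns Stage records in which no stage is more likely than the one before."""
    result = []
    ceiling = len(LEVELS) - 1  # nothing precedes the first stage, so no cap yet
    for name, raw in scores:
        if raw not in LEVELS:
            raise ValueError(f"unknown likelihood {raw!r} for stage {name!r}")
        rank = LEVELS.index(raw)
        capped_rank = min(rank, ceiling)
        result.append(Stage(name, raw, LEVELS[capped_rank], capped_rank < rank))
        ceiling = capped_rank  # later stages inherit the lowered ceiling
    return result

def inconsistencies(stages):
    """Names of stages whose raw score had to be lowered; worth re-examining."""
    return [s.name for s in stages if s.reduced]

# Constructed sample assessment using the three progressive threats named above.
SAMPLE = [
    ("attack", "low"),
    ("boarding", "medium"),  # breaks the rule: scored more likely than attack
    ("penetrating the citadel", "low"),
]

if __name__ == "__main__":
    for s in cap_chain(SAMPLE):
        flag = "  <- lowered, review scoring" if s.reduced else ""
        print(f"{s.name:26} raw={s.raw:7} capped={s.capped}{flag}")
```

A stage flagged as lowered means the original scoring was internally inconsistent, so the assessor should revisit either that stage or the one before it rather than simply accept the capped value.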
Once the likelihood of each stage of the event tree has been determined, the risk factor (the tolerability) can be assessed using the typical likelihood / severity table. The impact severity of each link in the chain of events should be considered using company guidance. In my example I have used the following severities:
There are four courses of action that you may be able to take when presented with a risk assessment:
So, I finally got around to updating my blog. I've done away with the 'oh so heavy' WordPress and instead gone with a great little feather-weight, AnchorCMS.
I'll be posting about my journey coding a web app that I'm going to create and also using the site to showcase a few experiments.
Come back often, check for updates and enjoy.
When our root cause analysis returns a human factor, is this a root cause or should we dig deeper? The majority of people don't set out to be malicious or negligent. There are factors that lead to this perception.
Types of questions that need to be posed in this analysis include "Was the behaviour intentional or unintentional?" By intentional we mean: was the person directed to do it by procedure, instructions, training, etc.?
Unintentional might be something like hitting the wrong button because two looked the same, or forgetting to do something even though trained, etc.
RCA tracks the progression of causation until it hopefully lands on a unit system or cluster of subsystems within the grand scheme of things which is responsible for the problem.
Should negligence be regarded as a root cause? In some opinions, negligence can't be a root cause, because negligence is not an act but rather the description of an act.