Appendix – Risk Assessment and Management Tools
Clasification Society 2024 - Version 9.40

1 Introduction

  1.1 The methodology presented herein includes five main phases:

  • .1 Threat assessment – identifying the different threat scenarios and determining the likelihood of each occurring based on intent and capability.

  • .2 Impact assessment – considering what the consequence of each threat scenario materializing would be and how much effect this would have.

  • .3 Vulnerability assessment – determining what the key assets are and how they can be exploited, examining the mitigating controls in place and their effectiveness and considering residual weaknesses.

  • .4 Risk scoring – making an assessment of the risk given all the factors noted in phases 1, 2 and 3.

  • .5 Risk management – developing action plans, where appropriate, to address weaknesses and mitigate identified residual risks.

2 Risk register and terminology

2.1 The risk register

  2.1.1 The risk register is a tool to document different scenarios and the associated findings on threat (likelihood based on intent and capability), impact, vulnerability and risk score. The format is shown in Table 1 below, along with an explanation of each column. A step-by-step guide to completing the risk register follows these definitions, together with details of the scoring mechanism.

Table 1 – Risk register format

Column  Heading
1       Reference number
2       Threat scenario
3       Lead organization
4       Support organizations
5       Threat (likelihood)
6       Impact
7       Key assets              }
8       Mitigating controls     } Vulnerability
9       Vulnerability score     }
10      Risk score

(One row, numbered 1, 2, ..., is completed for each scenario.)

 Column 1: Reference number

  • Each scenario should be listed with an assigned number so that it can be easily identified and its development tracked.

 Column 2: Threat scenario

  • This column is for the listing of the threat by name and a brief description of what it entails.

 Column 3: Lead organization

  • Each scenario needs to have a lead organization or coordinating body identified so that initial points of contact and responsibilities may be established.

 Column 4: Support organizations

  • List of those agents directly involved but not leading such as local police, fire departments, coast guards, etc.

 Column 5: Threat (likelihood)

  • This column gives the likelihood or probability of the situation coming to fruition if there were no security measures or mitigating controls in place to prevent it. It is scored on the basis of the intent and capability of those wishing to commit the act. Scoring for this element is explained in paragraph 3.4.

 Column 6: Impact

  • This column indicates the impact or consequence should the incident occur. Again, scoring for this element is explained in paragraph 4.

 Column 7: Key assets

  • This column contains a list of the most important key assets (resources) which could be affected by the scenario; this should include people, objects, physical infrastructure and equipment. By listing these assets a risk assessor is better able to consider what safeguards are in place and hence assess the vulnerability more accurately.

 Column 8: Mitigating controls

  • List and consider any mitigating controls (security measures) which are already in place to protect the key assets.

 Column 9: Vulnerability score

  • This is an assessment of the characteristics of a target or asset that can be exploited, balanced against mitigating controls (listed above). The scoring for this is also included later in paragraph 5.4 and considers what effect the mitigating controls have on the threat, the associated impact or both.

 Column 10: Risk score

  • All of the information gathered on threat, impact and vulnerability is used to score the risk. Groups or individuals should use the following formula to produce the score for each scenario:
  • RISK = THREAT x IMPACT x VULNERABILITY

3 Threat assessment

3.1 What to consider

  • Threat scenarios which could exist (or do exist);
  • Who the lead and support organizations are for each scenario; and
  • How to score accurately the threat and impact.

3.2 Decide which threat scenarios apply

  3.2.1 The process should identify criminal acts which could take place.

  3.2.2 The first task when completing a risk register is to consider and agree on which scenarios or events could apply.

  3.2.3 It is useful to have a (brainstorming) session where subject matter experts consider:

  • whether there are any additional scenarios, which should be listed; and
  • any refinements needed to develop the initial list.

  3.2.4 It is useful when producing this list to consider potential perpetrators:

  • .1 Who are the groups and individuals who may act? For example:

    • Terrorists
    • Criminals
    • Political groups
    • Ideological groups
    • Activists (e.g., animal rights/environmental)
    • Disruptive passengers
    • Employees
    • Mentally unstable
    • Those with inadequate documentation
  • .2 How do perpetrators operate?

  • .3 Some variables to consider in how they operate include:

    • Reconnaissance, advanced planning; and
    • Is there a precedent?
  • .4 What is their intent and their capability to act?

    • .4.1 Intent

      Definition: Motivation is what drives a perpetrator (e.g., financial gain, publicity, vengeance). Intent is who/what they want to harm to achieve their goal.

    • .4.2 Capability

      Variables to consider include:

      • numbers/organization
      • status
      • training
      • funding
      • weapons available
      • track record
      • support
      • operational security

3.3 Decide lead and support organizations

  3.3.1 The lead organization(s) should either:

  • .1 own the assets;

  • .2 set the policy;

  • .3 have legal responsibility for, or have the major role in, mitigating or responding to a particular threat; or

  • .4 a combination of the above.

  3.3.2 Distinctions should be made where appropriate between responsibilities for (i) preventive/protective security measures, (ii) contingency planning and reactive security measures to deal with and contain an incident, and (iii) implementation of the measures in (i) and (ii). There may be a different lead organization for each of these where responsibilities vary depending on type of threat, location and method.

  3.3.3 Support organizations will be those which have a supporting role in mitigating the threat but don't meet the criteria above. The risk assessor may decide all stakeholders are support organizations in being vigilant, providing a deterring presence and sharing information with others.

  For some threats, identifying lead and support organizations is not a simple task. There may be differing views but it is important that consensus is reached, particularly as later on lead organizations will have a primary role in developing and delivering action plans, where these are necessary.

  There may, quite correctly, be more than one lead organization but if the group has listed several, it may be worth re-evaluating to check accuracy and minimize the potential for confusion and duplication.

3.4 Scoring the threat

  The score should reflect the likelihood of each of the threat scenarios in the register occurring if there were no security measures or mitigating controls in place to prevent them.

3.4.1 Checklist

 To accurately score the threat, assessors should:

  • consider local and international intelligence/knowledge about similar events which have or could have occurred;
  • discuss how likely it would be for each of the scenarios in the register to occur at the port if there were no security measures in place;
  • read the definitions in Table 2 below and decide which score best applies. N.B. this is the score without any mitigating factors in place.

Table 2 – Risk register scoring definitions: threat

Score  Likelihood   Criteria
4      PROBABLE     There have been previous reported incidents.
                    There is intelligence to suggest that there are groups or individuals capable of causing the undesired event.
                    There is specific intelligence to suggest that the vessel or type of vessel is a target.
3      LIKELY       There have been previous reported incidents.
                    There is intelligence to suggest that there are groups or individuals currently capable of causing the undesired event.
                    There is general intelligence to suggest that the vessel or type of vessel may be a likely target.
2      UNLIKELY     There is intelligence to suggest that there are groups or individuals capable of causing the undesired event.
                    There is nothing to suggest that the vessel or type of vessel is a target for the undesired event.
1      IMPROBABLE   There have been no previously reported incidents anywhere worldwide.
                    There is no intelligence to suggest that there are groups or individuals capable of causing the undesired event.

  The risk register is a template, rather than a straitjacket. Administrations are free to employ an alternative method of scoring if they find it produces a more logical and accurate assessment of the threats and risks.

  Remember to apply the agreed rules around confidentiality.

4 Impact assessment

4.1 Checklist

  • List examples of the type and magnitude of impact that might be expected if the event happened; e.g., loss/damage to people, infrastructure, operations, finance or reputation;
  • Assessors may wish to consider using or modifying Table 3 below to record discussions. Note that the list of possible impacts shown is not exhaustive.

Table 3 – Possible impacts by event (not exhaustive)

Columns (type of impact):
  Loss of life | Personal injury | Loss/damage to vessel | Damage to vessel infrastructure | Loss of use of equipment | Disruption to services | Financial loss to vessel | Damage to reputation | Publicity to perpetrator

Rows (event), each marked against the impact columns above:
  Improvised Explosive Device (IED)
  Sabotage
  Arson
  Unauthorized access
  Theft of vessels

  4.2 This information should provide a robust basis for scoring. To score the impact accurately, groups or individuals should, in the same way as for threat:

  • consider the impact should the event occur;
  • consider the impact on the vessel (to safety, security, finance and reputation) of each of the risks occurring if there were no security measures in place;
  • consider how to record the scores allocated under each of the sub-headings. For simplicity an average may be taken in most cases. Where one score differs markedly from the other three it may be best to record it separately for future consideration rather than “losing” it in an average;
  • read the definitions in Table 4 below and decide which one best applies (remember the score is without mitigating factors in place):

Table 4 – Risk register scoring definitions: impact

Score  Impact        Criteria
4      SUBSTANTIAL   Potential for: multiple fatalities.
                     Serious loss or damage to assets, infrastructure, vessel.
                     Economic cost of more than (agreed figure).
                     Widespread coverage resulting in serious reputational damage.
3      SIGNIFICANT   Potential for: loss of life.
                     Significant but repairable loss or damage to assets, infrastructure or craft.
                     Economic cost of less than (agreed figure).
                     National adverse media coverage.
2      MODERATE      Potential for: major injuries.
                     Short-term minor loss or damage.
                     Economic cost of less than (agreed figure).
                     Major local reputational damage.
1      MINOR         Potential for: minor injuries.
                     Minimal operational disruption.
                     Economic cost of less than (agreed figure).
                     Minor reputational damage.
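The two register inputs that precede vulnerability, the threat likelihood of Table 2 and the impact score of paragraph 4.2, can be produced mechanically from the criteria above. The following Python is an added example and is not code from the circular or from any administration's tool: the mapping of criteria combinations Table 2 does not list (they fall to UNLIKELY), the four impact sub-headings taken from 4.2 (safety, security, finance, reputation), and the threshold of 2 points used to decide that one sub-score "differs markedly" from the other three are all assumptions of this example.

```python
from statistics import mean

# Added example (not the circular's own code). Scoring helpers for the two
# register inputs that precede vulnerability: threat likelihood (Table 2)
# and impact (paragraph 4.2 / Table 4). Every score is an integer from 1 to 4.

TARGET_INTELLIGENCE = ("specific", "general", "none")


def threat_score(prior_incidents: bool, capable_groups: bool,
                 target_intelligence: str) -> int:
    """Map the Table 2 criteria onto the 1-4 likelihood score.

    prior_incidents:      previous reported incidents of this kind
    capable_groups:       intelligence that groups/individuals capable of
                          causing the undesired event exist
    target_intelligence:  "specific" (this vessel/type is a target),
                          "general" (may be a likely target) or "none"
    Combinations Table 2 does not list fall to UNLIKELY (2); that fallback
    is an assumption of this example, not a rule of the circular.
    """
    if target_intelligence not in TARGET_INTELLIGENCE:
        raise ValueError(f"target_intelligence must be one of {TARGET_INTELLIGENCE}")
    if not prior_incidents and not capable_groups:
        return 1  # IMPROBABLE
    if prior_incidents and capable_groups:
        if target_intelligence == "specific":
            return 4  # PROBABLE
        if target_intelligence == "general":
            return 3  # LIKELY
    return 2  # UNLIKELY


IMPACT_HEADINGS = ("safety", "security", "finance", "reputation")

# Assumed threshold for "differs markedly" (4.2): a sub-score is recorded
# separately when it is at least OUTLIER_GAP points from the mean of the
# other three. The circular gives no figure; 2 is this example's choice.
OUTLIER_GAP = 2


def validate_score(score: int, name: str) -> int:
    """Reject anything outside the 1-4 scale; a score of 0 is never allowed."""
    if not isinstance(score, int) or not 1 <= score <= 4:
        raise ValueError(f"{name} score must be an integer from 1 to 4, got {score!r}")
    return score


def aggregate_impact(sub_scores: dict) -> dict:
    """Combine the per-heading impact scores into the single Table 4 value.

    Returns the rounded average plus any sub-score that differs markedly
    from the other three, so it can be kept for future consideration
    instead of being lost in the average.
    """
    missing = set(IMPACT_HEADINGS) - set(sub_scores)
    if missing:
        raise ValueError(f"missing impact sub-scores: {sorted(missing)}")
    for heading in IMPACT_HEADINGS:
        validate_score(sub_scores[heading], heading)

    flagged = {}
    for heading in IMPACT_HEADINGS:
        others = [sub_scores[o] for o in IMPACT_HEADINGS if o != heading]
        if abs(sub_scores[heading] - mean(others)) >= OUTLIER_GAP:
            flagged[heading] = sub_scores[heading]

    average = mean([sub_scores[h] for h in IMPACT_HEADINGS])
    # Round half up so the result lands back on the 1-4 scale.
    return {
        "impact_score": int(average + 0.5),
        "average": float(average),
        "recorded_separately": flagged,
    }


if __name__ == "__main__":
    # Constructed inputs, not figures from the circular.
    print(threat_score(prior_incidents=True, capable_groups=True,
                       target_intelligence="general"))  # 3
    print(aggregate_impact({"safety": 1, "security": 1,
                            "finance": 1, "reputation": 4}))
```

In the second call the reputational sub-score of 4 is returned under "recorded_separately" while the register value becomes 2, which is the point of paragraph 4.2: the average alone would hide a substantial reputational impact.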

5 Vulnerability assessment

 The next step involves identifying the key assets or targets, their relevant characteristics and consideration of the controls in place to protect them and prevent criminal acts taking place. Assessors should first draw up a list of key assets that could be affected by a particular threat. This should include people (crew and passengers), objects and physical infrastructure.

  5.3.4 Assessors may find it useful to complete Table 6, below, as they go through the Vulnerability stage.

  • .1 What are the key targets – people, critical infrastructure, communications and control, and support services?

  • .2 What are the systems designed to deter, detect, delay or deal with unlawful acts?

  • .3 What are the weaknesses in these systems, including consideration of predictability and opportunity?

Table 6 – Target vulnerability worksheet

Columns:
  Target | Strengths (i.e. systems in place to deter ...)* | Weaknesses** | Opportunities | Predictability | Target Vulnerability (High/Medium/Low) | What stakeholders have a part to play in reducing the vulnerability of this target? How?

(One row is completed per target.)

Key
  Strengths = systems designed to deter, detect, or deal with unlawful acts;
  Weaknesses = includes things like limited intelligence to hand indicating the likelihood of attack and the desirability of the target for the perpetrator;
  Opportunity = opportunities for the perpetrator to exploit a loophole, conduct reconnaissance, etc.; and
  Predictability = the ways in which a target operates which make it predictable.

* Examples of systems designed to deter, detect or deal with unlawful acts
  • Company employee vetting system
  • Port security vetting — pass system
  • Criminal record checks
  • Crew search and vehicle checks
  • CCTV
  • Restricted area, perimeter fencing and access control
  • Control authority exercises
  • Uniformed police presence
  • Public awareness
  • Cargo/catering/cleaning regimes
  • Business continuity plans

** Examples of weaknesses
  • Accountability and funding
  • Sheer volume of people and goods
  • No searching (or regular searching)
  • No search on exit as routine/norm
  • Ability to respond to regulatory demands
  • Exemptions in general (e.g., VIPs)
  • Crew shortages
  • Indifference
  • Corruption
  • Confusing legislation
  • False documentation
  • Poor surveillance

Key issues to consider in vulnerability work
  • Need to consider high value assets
  • Identify which stakeholders have a part to play in reducing the vulnerability of the target and how. This will assist in defining “who” should work together on what.

Access to sensitive area not inside boundary of RA (example target, as would be entered in Table 6)

Table 7 – Vulnerability scoring definitions

Score  Mitigating controls                    Criteria
4      No mitigating controls                 No counter measures in place
3      Some mitigating controls               Some counter measures in place
2      Acceptable management of the risk      Measures in place sufficiently reasonable to manage the threat down to an acceptable level
1      Robust and effective counter measures  Full and complete measures in place

5.1 Mitigating controls

 Identifying the current mitigating controls and assessing how effective they are is a vital but time-consuming and intensive process. The following processes may be useful:

5.2 Process mapping

  5.2.1 Drawing up process maps can be helpful in understanding complete processes: how each process works, who plays what role and at what point, what the key points, strengths and weaknesses are, and where and how aspects may be exploited.

  5.2.2 The perceived benefits of process mapping are that it provides a genuinely holistic view of a process and is potentially a better way of:

  • appreciating and accurately evaluating the various processes that take place;
  • identifying synergies, duplication and gaps; and
  • evaluating what action planning is required and how effective it is.

  5.2.3 Rather than considering each threat separately, process mapping requires examination of the crime and security picture either:

  • by article: vessel's stores; cargo; or
  • by individual: crew or passengers.

  5.2.4 Process mapping involves mapping the complete journey of a person or item and the evaluation and plotting of each potential threat, early warning indicator and mitigating measure in place. It should encompass all areas where and all times when the criminal act could be perpetrated.

5.3 Event cause analysis

  5.3.1 This is a useful method to establish how a risk could materialize at the port and what areas of control need to work well.

  5.3.2 Taking in turn the risks, the following five questions should be considered:

  • What type of individuals or groups would want to carry out this event?
  • Where is this event likely to take place? (Targeted at what?)
  • How would it be carried out?
  • What is going to deter or delay or detect or deal with them?
  • What can go wrong? (e.g., poor communication).

  5.3.3 Assessors may want to use Table 5 below to note all this information down.

  This is a useful review tool to reconsider the effectiveness of control measures highlighted in the risk register and identify where there are weaknesses and gaps.

Table 5 – Control measures review

CONTROL MEASURES REVIEW                Possible Actions
Breach of Security
  Security patrols                     Deterrence and Detection
  Monitoring of security equipment
  Education and training of crew       Pre-empt breach or Swift response
  Crew awareness
Concerns
  Inadequate resources                 Discuss issues with relevant personnel
  Gaps in security coverage            Consider redeployment of resources
  Insufficient training                Organize crew training programme

5.4 Vulnerability assessment scoring

  5.4.1 Evaluation of targets' characteristics on the one hand and the early warning indicators, embedded monitors and existing mitigating controls on the other should be translated into a vulnerability score. Table 7 (above) illustrates a possible scoring system to be used for assessing vulnerability.

6 Risk scoring

6.1 Risk score

  6.1.1 Finally, all of the information gathered on threat, impact and vulnerability should be used to identify and assess the residual risk. To score the risk accurately, groups or individuals should use the formula:

RISK = THREAT x IMPACT x VULNERABILITY

  6.1.2 So, for example, using an initial threat score of 2, an impact score of 4 and, where there are no mitigating measures in place (a vulnerability score of 4) the residual risk score would be 32 (2 x 4 x 4 = 32). Where measures are adjudged to reduce the vulnerability to some extent, but not to an acceptable level, the residual score would be 24. The threat and impact scores of 2 and 4 remain but the vulnerability score is now 3; hence 2 x 4 x 3 = 24. And so on. There is a presumption that no threat scenario can be managed totally out of existence, i.e. you can never have a threat, impact or vulnerability score of 0.

  6.1.3 It should be noted that scenarios with differing individual threat, impact and vulnerability scores can have the same overall risk score. For instance a particular scenario may have a threat score of 2 an impact score of 2 and a vulnerability score of 2 whereas another scenario may have a threat score of 1, an impact score of 4 and a vulnerability score of 4. Both scenarios produce a risk score of 16 despite having differing individual values of threat, impact and vulnerability.

  6.1.4 Risk can then be ranked into three broad categories: high, medium and low:

  • HIGH - A residual risk score of 27 or more.
  • MEDIUM - A residual risk score of between 8 and 24.
  • LOW - A residual risk score of 6 or less.
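The Column 10 formula and the banding in 6.1.4 are the part of the method most worth automating, since the register is re-scored every time a control changes. The following Python is an added example, not the circular's own code or any administration's tool: it applies RISK = THREAT x IMPACT x VULNERABILITY to a constructed four-row register (the scenario names are taken from Table 3; every score and organization in the sample is invented), re-scores a row when its vulnerability column changes as in 6.1.2, ranks rows by residual risk, and also checks something the text leaves implicit: with three integer scores of 1 to 4 the products 5, 7, 25 and 26 can never occur, so the gaps between the HIGH, MEDIUM and LOW bands are harmless.

```python
from dataclasses import dataclass, replace

# Added example (not the circular's own code): the Column 10 / paragraph 6.1
# risk formula applied to a register, with the 6.1.4 bands.

SCALE = range(1, 5)  # threat, impact and vulnerability are each 1..4, never 0


def validate_score(score: int, name: str) -> int:
    if not isinstance(score, int) or score not in SCALE:
        raise ValueError(f"{name} must be an integer from 1 to 4, got {score!r}")
    return score


def risk_score(threat: int, impact: int, vulnerability: int) -> int:
    """RISK = THREAT x IMPACT x VULNERABILITY (paragraph 6.1.1)."""
    return (validate_score(threat, "threat")
            * validate_score(impact, "impact")
            * validate_score(vulnerability, "vulnerability"))


def reachable_risk_scores() -> set:
    """Every product three 1-4 scores can form. The gaps in the 6.1.4 bands
    (5, 7, 25 and 26) are not in this set, so the bands are exhaustive."""
    return {t * i * v for t in SCALE for i in SCALE for v in SCALE}


def risk_category(score: int) -> str:
    """Band a residual risk score as in 6.1.4."""
    if score >= 27:
        return "HIGH"
    if 8 <= score <= 24:
        return "MEDIUM"
    if 1 <= score <= 6:
        return "LOW"
    raise ValueError(f"{score} cannot be produced by three scores of 1-4")


@dataclass(frozen=True)
class Scenario:
    """One row of the risk register (Table 1); organizations are free text."""
    ref: int
    threat_scenario: str
    lead_org: str
    threat: int
    impact: int
    vulnerability: int
    support_orgs: tuple = ()

    def __post_init__(self):
        risk_score(self.threat, self.impact, self.vulnerability)  # validates

    @property
    def risk(self) -> int:
        return risk_score(self.threat, self.impact, self.vulnerability)

    @property
    def category(self) -> str:
        return risk_category(self.risk)

    def with_vulnerability(self, vulnerability: int) -> "Scenario":
        """Residual score after mitigating controls change the vulnerability
        column; the threat and impact scores remain as they were (6.1.2)."""
        return replace(self, vulnerability=vulnerability)


def rank_register(register) -> list:
    """Highest residual risk first; ties keep register order (by reference)."""
    return sorted(register, key=lambda s: (-s.risk, s.ref))


# Constructed sample register: scenario names are from Table 3, the scores
# and organizations are invented for this example.
SAMPLE_REGISTER = [
    Scenario(1, "Improvised Explosive Device (IED)", "Port authority",
             threat=2, impact=4, vulnerability=4, support_orgs=("Local police",)),
    Scenario(2, "Sabotage", "Vessel operator", threat=2, impact=4, vulnerability=2),
    Scenario(3, "Unauthorized access", "Vessel operator", threat=1, impact=4, vulnerability=4),
    Scenario(4, "Theft of vessels", "Harbour master", threat=2, impact=2, vulnerability=1),
]

if __name__ == "__main__":
    for s in rank_register(SAMPLE_REGISTER):
        print(s.ref, s.threat_scenario, s.risk, s.category)
    ied = SAMPLE_REGISTER[0]
    print(ied.risk, "->", ied.with_vulnerability(3).risk)  # 32 -> 24, as in 6.1.2
```

Rows 2 and 3 of the sample both score 16 from different threat, impact and vulnerability values, which is the situation 6.1.3 warns about; the ranking therefore keeps the register reference as a tie-breaker rather than pretending one is riskier than the other.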

7 Risk management

  7.1 The risk management phase considers how best to address the weaknesses identified during the vulnerability and risk scoring stages and how to mitigate the risk effectively and practically on a sustainable long-term basis.

  7.2 This can be achieved by all stakeholders working together to agree joint tactical action plans. The checklist below gives some pointers on how to work through the process:

7.3 Drawing up action plans

• Consider the overall risk profile from the risk register:
    High = Unacceptable Risk — seek alternative and/or additional control measures,
    Medium = Manageable risk — requires management/monitoring,
    Low = Tolerable risk — no further control measures needed.
• Reconsider the Control Measures Review table. The “concerns” and “do nexts” should assist in drawing up action plans.
• Agree the priorities for action. These should be the “high” risks in the first instance.
• Identify what actions can and need to be taken to bring the risk down to a “medium”: manageable risk and from there to a “low”: tolerable risk.
• Agree who will be the lead agency in implementing changes.
• Consider the resource implications.
• Document recommendations.
• Document actions taken and link these back to the threats in the risk register:
    - Timetable for action
    - Review of actions
• Agreed actions should be recorded and progress monitored. Such records are also evidence of decisions taken.
• Assessors may need to develop further systems for sharing information and intelligence.
• Look for opportunities to share resources and assist others.

  7.4 Actions will probably fall into the following categories:

  • Actions that may be implemented by the group;
  • Tactical or operational issues; and
  • National, policy or strategic issues.

8 Re-evaluation

  8.1 Risk assessments should be reviewed as conditions change, or on a regular schedule (e.g., annually).


Copyright 2022 Clasifications Register Group Limited, International Maritime Organization, International Labour Organization or Maritime and Coastguard Agency. All rights reserved. Clasifications Register Group Limited, its affiliates and subsidiaries and their respective officers, employees or agents are, individually and collectively, referred to in this clause as 'Clasifications Register'. Clasifications Register assumes no responsibility and shall not be liable to any person for any loss, damage or expense caused by reliance on the information or advice in this document or howsoever provided, unless that person has signed a contract with the relevant Clasifications Register entity for the provision of this information or advice and in that case any responsibility or liability is exclusively on the terms and conditions set out in that contract.