Saturday, July 11, 2009

Integrating Security Solutions:

A Necessity for Small and Medium-Sized Organizations
The recent guidance to Operators and Ship Owners regarding anti-piracy measures provides the first elements of concrete guidance in response to a challenging issue. The guidance, however, does pose some challenges, particularly for small and medium-sized organizations. While many of the identified best practices would normally be considered sound, they are generally considered sound because of the context within which they are applied. For Operators and Ship Owners, it should be clear that it is up to them to identify what works best for their organizations and that the guidance provided by the IMO should be used in terms of options and best practices, not a checklist to be adhered to in all circumstances.
This challenge is illustrated on two fronts. Consider this: does it make sound business sense to create an anti-piracy plan when the ship is already required to maintain a Ship Security Plan as part of its requirements under the International Ship and Port Facility Security (ISPS) Code? Arguments based on efficiency would perhaps lead one to the conclusion that the Ship Security Plan should be able to deal with this identified threat. On the other hand, however, those ships that do not fall under the ISPS Code may do well to have a plan in place for these kinds of situations. Again, however, one might look to the ISPS Code in addition to MSC 623 so that both a sound approach and some best practices are identified.
The second obvious example of this challenge is illustrated by two recommendations that come into apparent conflict with each other. On one hand, the IMO MSC does not recommend running the ship blacked out due to a number of safety issues, including the potential loss of night vision. It does, however, identify night vision equipment as a potential option to improve the ship’s ability to detect potential pirate vessels. With very few exceptions, these recommendations would be mutually exclusive. Again, the Operator or Ship Owner should return to their own risk assessments and operations to determine which option rings truest in their own particular context.
Owners and operators have security programs for one of three reasons. The first reason is to reduce losses suffered by the organization that may occur through theft, vandalism, etc. This approach generally turns to security consultants that are drawn from professional associations that promote their own doctrines and approaches to security. The second reason is that the security program may be a requirement that has to be met if the company wants to be involved in certain activities—such as the ISPS Code and international shipping. The requirements of these structures (or even Conventions) are often drawn from multiple sources and use a consensus model, meaning that the approaches they take may be nearly unique in nature. The third reason for the security program stems from the belief that participating in certain programs or communities can reduce the overall burden that security places on an organization – such as illustrated in the C-TPAT program and its ability to facilitate the inspection process. The constant thread across all these programs is the owner-operator that has to design, implement, maintain and demonstrate adherence to the various requirements.
Maintaining and demonstrating that level of compliance can be challenging for Ship Owners and Operators. The challenge here is that the various programs may not align particularly easily, putting the organization at risk of emplacing wasteful programs or practices. These practices may include performing multiple tasks that achieve the same result because the requirements demand that a certain approach be taken. It may also involve the creation of parallel programs (involving costs associated with people, infrastructure and operations) that lead to security organizations competing against each other for scarce resources, or the organization paying more than what would normally be required to run a coherent program.
The answer to this management riddle lies in establishing an integrated security solution. This means that the organization sets up one overarching security management system and then integrates new programs into that structure as they are required. The overall framework is founded upon a model such as the Plan-Do-Check-Act structure that is currently being integrated into an increasing number of security management systems or even the ISO 28000 standard. Having established this overall structure, the goal is to integrate additional requirements as they emerge into the common framework, taking particular care to identify overlapping elements, communication points and even potential areas of conflict. For the manager of the company, ensuring that the person or team brought in to address this challenge possesses the necessary expertise across a number of systems is particularly important so that any risks associated with losing the ability to demonstrate compliance are minimized.
Today's environment is reaching what can be described as a critical mass. On one hand, operators (at all levels) are under significant financial pressure to keep costs down in order to compete effectively. At the same time, requirements and guidance passed on as best practices (such as the recent IMO MSC document) put additional strains on organizations in terms of costs since much of society expects to see organizations adopting best practices. Finally, the overall system is under pressure to keep the per-unit shipping cost low so that the impact on prices passed to the consumer is kept to a minimum. While an Integrated Security Solution may appear to be beneficial today, it will likely be essential in the near future.
//Author Bio//
Allan McDougall is the co-Director of Evolutionary Security Management in Canada, a leader in the Critical Infrastructure Assurance and Protection domains in addition to being a recognized marine security training institution. He holds several professional certifications in the asset protection and anti-terrorism domain (including recently the lead auditor for ISO 28000 training) and is a published author on Transportation Systems Security. He currently sits on a number of strategic-level working groups, including as the Chair of the Anti-Terrorism Accreditation Board's Transportation Security Committee, the TSA CIPAC on cyber-security in the Transportation Systems Sector, and a number of government working groups.