Thursday, January 27, 2011

'Fight harder' to hold off pirates

From Safety at Sea Weekly News;

"AN EU NAVFOR commander today denounced a culture of “compliance, club-class flights and conferences” among flag states and shipping companies for undermining naval anti-piracy efforts in the Indian Ocean.

Colonel Richard Spencer of the UK's Royal Marines used an IMO piracy workshop in London to excoriate the shipping industry for, in many cases, failing to take adequate self-protection measures or assist the co-ordinating naval bodies.

“NATO has taken to phoning up ships within 50 miles of a mother ship sighting to warn them of the risk,” he told delegates, because the commercial ships are not heeding NAV warnings. “They are sailing blind.”

Spencer acknowledged the inadequacy of the political response and the lack of naval resources available but also said fewer attacks would succeed if ships could hold off pirates for 45 minutes.

“You’ve got to play the game [and] fight harder for your ships,” he declared. “I recognise they [crews] are civilians, but if it were me in a choice between 45 minutes and eight months held hostage, I’m in for a fight.”

Some flag states are registering ships for passage and providing LRIT information, but their ships “as we watch them go by” are obviously not implementing best security practices, he said. “There is a reason why some flags consistently have the highest number of ships taken,” Spencer said. “I’m speechless as to why some flag states are not doing more."

“There are an awful lot of club-class flights and conferences, but are they meeting their responsibilities?”

When I was a child, I tended to get into trouble from time to time—it’s part of the traditions of those that work in the maritime industry that we have our occasional brushes that way. I remember that one day, after a particularly difficult game, we had broken a window and one of our the “Dad’s” came out—in all his anger and carrying his belt to ask who was responsible. It was amazing how quickly people pointed everywhere else when they were asked whose responsibility it was. Today, we are seeing the same thing with respect to the measures regarding piracy—and, courtesy of Colonel Spencer, the game’s afoot and all the fingers are up.

Let’s be clear here. Each group has had its successes and its failures. We tend to remember the failures better—even though some might argue that the plight of the number of hostages in Somalia speaks volume to our memories or our values. And let’s keep it in perspective...the goal here is to ensure that ships can move (legitimately) persons and goods from one place to another so that they arrive on time, in acceptable condition and for reasonable cost.

First of all, there have been some flag states that have done precious little with respect to this issue. These states are not hard to find...just do a quick look through the various sites where they publish their bulletins and such. Others have imposed baseline security requirements, often stating that compliance with BMP3 measures is mandatory. And in this lies the problem.

The first problem is that certain groups, even cultures, seem to equate security with compliance. This is not the case and, one might even argue, is dangerous. Compliance is about ensuring that you follow everything on a list. The problem here is that the other team has probably read the list and this means they can work their way around to find the nooks and crannies. So much for your protective posture...particularly if you have the kind of organization that uses dummies for watchkeeping.

Security on the other hand can be broken down into the following major steps—identifying what you need to accomplish something, identifying threats that can cause injury to those assets, assessing how vulnerable you are, calculating the risk and then, in some cases, working further to install security controls (not necessarily through the installation of infrastructure, it can be as easily as adjusting a process). Compliance with a set number of security requirements may address this, but it is as much an educated guess as a sound practice as simple compliance does not validate the vulnerabilities and risks that may be unique in the system.

Compliance has been a long-standing issue for those in maritime security. Those that remember the frantic pace with which the ISPS Code came into force also remember the number of inspectors (particularly safety and customs) that were rebadged into the security role. This was the beginning of the problem. The second element was that in order to create and enforce regulations, it is inherently easier to write and enforce prescriptive regulations. Why? Because there is less room for discussion or argument—the fence is either eight feet high or it is not. If you need to enforce it, you measure it and see if it meets the minimum requirements.

So, if we need to look at this whole issue of who is responsible, then let’s ask the question. Who is responsible? Well, most of these ships carry some form of an International Ship Security Certificate under the ISPS Code. Well, how many states have required that their ships operate at anything other than the basic security level (MARSEC 1) while transiting through this area... the list is pretty few. The fact of the matter is that if ships, and their flag states, were meeting their obligations under Part A of the ISPS in accordance with sound security practices (not somebody’s designed-by-committee guess), we would have a lot fewer of these things.

As for the argument that it is the job of the navy to protect ships...that is only partially true. The ship is a corporate asset, meaning that there is a responsibility to preserve the asset from a management perspective. There is also a requirement for the company to take reasonable steps for the protection of the crew—if not legally, then at least ethically. Is there a reasonable expectation that a warship will break away from its mission to travel over 500 nautical miles to rescue a ship? Or is there perhaps an argument that a security officer would have had a sense as to how long it would take for a response to an attack and would have realized that, based on the strength of a stronger room, there was more than enough time for pirates to get in. This is basic security—literally 101 taught to the most junior security officers—time to delay must be greater than the time for effective response.

I would like to put forward five major things that would likely go a long way towards reducing this issue:
·        First, the IMO and other bodies conduct proper threat and risk assessments on the waters they are dealing with—making the results available throughout the shipping and ship security communities;

·        Second, flag states require that the routes ships are going to take are compared against the threats identified in the Ship Security Assessment to ensure that those threats have been considered under the ship security plan as a condition of the basic ISSC;

·        Third, that there be a credible and critically reviewed Ship Security Standard developed that aligns with a proper risk-based management system;

·        Fourth, that the military, shipping and ship security communities open up lines of communication with respect to reporting instead of each cloistering its information under the veils of “sensitive” or “proprietary” information; and

·        Fifth, that pressure be brought to bear properly on the various companies that are not exercising their due diligence by appropriately assessing risk and taking steps to mitigate that risk in terms of commercial insurance penalties, regulation preventing them from hiring until they can demonstrate that the risks have been met and addressed appropriately.

Finally, it is time that those practicing security be able to demonstrate competence in the field. We need more than trigger pullers riding ships and we need more than career bureaucrats setting down security regulations. What piracy has shown us is that we can continue to do business as normal—we just have to be willing to sacrifice a couple of hundred people a year—or we can decide to adapt and start handling the job the way it needs to get done.

1 comment:

  1. We are seeking to address point 4 - enable collaboration and coordination through information sharing. Secure, real-time, online exchange capability. See