Lions Gate Articles

A Canadian Marine Facility Operators Security Navigation Chart – White Paper

30/08/2019

At the core of any fully credible integrated marine facility security solution lies a living breathing security management program.  It is from here, that all things security, should develop.

Undertaking the work to put together a Security Management Program requires planning.  It is a project in its own right and requires the time and commitment from a number of individuals to do well.  Your program should be aligned alongside and within the internal control framework adopted by the Board of Directors as part of their corporate governance responsibilities.

It is common practice for clients to take a best value approach when contracting security projects, one where budget palatability and deliverables are agreed upon as meeting an outcome requirement. The backdrop for security is that it remains a grudge purchase in many organizations.  That is no longer a sustainable position because experience shows that any dilution or tokenism will be, ineffective, and likely cost more in the intermediate to longer term.  It may also expose you to greater risk in litigation unless you can demonstrate that your security posture is reasonable and prudent.

Risk Pitfalls

One of the challenges many security directors and managers have to deal with, is a lack of understanding about what security risk is.  Good risk management is difficult to implement, and failing to grasp that single fact may explain why many marine organizations, that live with risk every day, get the management of risk wrong.  There seven core reasons why this is the case are:

  • The potential interaction of multiple risks was underestimated or disregarded
  • Probabilistic modelling was over-emphasized; shortcuts were taken; scenario planning was underused; transparency into potential issues was absent
  • Risk managers were isolated in silos
  • Warnings were ignored; those who delivered them were dismissed as negative or criticized for not being team players
  • A short-term perspective with a single-minded focus on making the quarterly financials
  • Companies lacked a comprehensive approach to firm wide risk management; authority and responsibility were poorly controlled and defined
  • Risk management often focused on compliance rather than performance, leading to inadequate assessments and responses

Compliance Pitfalls

Don’t let the compliance risk comment in the previous paragraph misdirect you.  You must still meet Transport Canada Marine Transportation Security Regulations and dependent upon your commodity may still need to meet Canadian Standards CAN/CSA Z246.1, CAN/CSAZ 276.15 or both,but don’t be confined to achieving the minimum standard for achieving a compliance check mark; don’t just cross the line leaving no margin for change.  Undertake thorough assessments, and identify responses that will ensure enhanced performance.

Cross Border Adaption and Adoption

Don’t be diverted from continuing to read this article just because it is firmly based on a Canadian context by thinking this doesn’t apply to me.

The compliance regime and exact requirements may be different in the United States and elsewhere but the core principles will be very similar; driven by the International Maritime Organization IMO and the International Ship and Port Facility Security Code ISPS.

Furthermore, in the hands of a seasoned security risk manager, adaption to, and adoption of, regulatory, legislative, and compliance frameworks in other jurisdictions,should be second nature.

Plan or Program? – Terminology Check

One of the first questions I am normally asked by clients is how is a plan different from a program and does this matter?  What it comes down to in the final analysis is not the term but the interpretation.  To assist in this, consider the following:

Plans are documented and sit on the shelf only to be looked at in an emergency situation.  Programs, on the other hand, are viewed regularly. They are always being practiced and tested.

  • Plans are based on theory; programs are based on results.
  • Plans are dormant; programs are active.
  • Plans become obsolete; programs evolve.

So, where the terminology refers to a plan such as the Canadian Marine Transportation Security Plan and when you review the ‘parts’ the requirement is actually for a program.

Integrating Marine Compliance into your Security Management Program

“A properly maintained Security Management Program gives you risk scores that are always current and will properly drive forward planning and all program activities”.

Under compliance pitfalls we addressed the risk of focusing exclusively or too heavily on compliance. The regulatory, legislative and compliance backdrop in Canada as it pertains to marine facility operators is best briefly explained through responses to five questions. These responses do not address requirements outside of Transport Canada i.e. CAN/CSA Standards.

What is the IMO?

The International Maritime Organization IMO is a specialized agency of the United Nations and it’s the global standard-setting authority for the safety security and environmental performance of international shipping.

Is the International Ship & Port Facility Security Code applicable to me?

The International Ship and Port Facility Security Code (ISPS), is an amendment to the Safety Of life At Sea (SOLAS) convention (1974 to 1988) on minimum security arrangements for ships, ports, and government agencies, so, yes as a Marine Facility Operator, it is applicable to you.

What does the Marine Transportation Security Act legislate?

Because Canada places great value on maritime security and has been working towards reducing the risk of criminal and terrorist activity on the vessels and ports for more than 15 years, the Marine Transportation Security Act gives the Minister of Transport the tools necessary to help ensure the security of Canada’s maritime transport industry.

What are the Marine Transportation Security Regulation’s?

The Marine Transportation Security Regulations (MTSR’s), came into force July 1, 2004 and they provide a framework to detect security threats and take measures to prevent security incidents that could affect marine vessels and their facilities.

Does my facility need to comply with Transport Canada Marine Transportation Security Regulations?

Yes, your facility does need to comply with Transport Canada Marine Transportation Security Regulations. The specifically relevant part of the of the MTSR for you is Part Three which covers Marine Facilities and Port Authorities

Your security management program should not be shaped around compliance to the exclusion of all else; compliance should a core consideration alongside other key elements in your security management program, not the only consideration.

Marine Facility Operator Security Management Program

Your comprehensive Security Management Program, will be the product of four comprehensive phases:

Strategy and Planning

Introduces a number of business management concepts that will help a marine facility operator position their Security Management Program SMP within their environment to ensure its successful implementation.  By identifying these business management concepts beforehand, the process of raising awareness and securing buy-in to the Security Management Program at the right time, will happen as and when you, the as the party responsible for security, need it.  The Security Management Program will have visibility and acceptance within the organization, and have a greater chance of implementation.  Establishing the legislative and regulatory requirements. The timely engagement of stakeholders is essential in this phase.

Who are the key stakeholders we should engage to ensure our Marine Facility Security Plan is effective?

Your stakeholders are essentially anyone or any group that can come into contact with your project in any capacity.  That’s a fairly broad net cast so you should begin with key and core stakeholders competent to act or responsible for acting in support of your Marine Facility Security Plan.

Transport Canada – The Port Authority – Law Enforcement – Fire Department – Municipality – First Nations – Ship Owners and Operators, Company, Ship, Vessel Security Officers and Community Groups

The stakeholder list for your broader security management program will be larger and including but not restricted to: Board/Senior Management, Operation of the Asset, Corporate Services, Financial Interests, Local & National Government, The Community, Emergency Services, Industry Regulator, Business Partners.

Assessment

It should be evident to those that drill deeper, that the Risk Assessment process is quite detailed, and will in most cases take a reasonable amount of time to conduct. However, once completed this will provide a thorough under-standing of risks facing your organization, and also an excellent basis upon which to formulate the remainder of the Security Management Program.

It will also provide a key tool for ongoing risk management activity in the form of the Risk Register, which can be updated on a regular basis to en-sure that your organization is always in control of the risks facing the company and its assets.

“At Lions Gate we use a proprietary dynamic model where we score criminal and non-criminal threats, we score consequences, we attach scoring to vulnerability, threat capability, target attractiveness, and threat likelihood.  We score resilience, residual consequence and the probability of loss event.   All of these numbers are pulled together in a dynamic risk register where for each risk scenario critical point a risk assessment score on a scale of very low to very high risk is calculated”.

“Where all dynamic sheets are updated in real time the dynamic risk register automatically prioritizes most and least prevalent risks, which in turn ensures that protection objectives can be tested for ongoing relevance or made a candidate for adjustment or removal or be a new addition. Protection Objectives will be used as the basis for the design of risk mitigation measures and will also need to be responsive to minor and major changes in real time.  This would include responses to changes to the MARSEC levels, both pre-planned escalation steps and no notice incident driven variations”.

“Our model is more comprehensive and more scientific than that required by ISPS and will also surpass the Transport Canada Requirement without becoming a cumbersome extra work scheme”

Mike Franklin VP Lions Gate

Once you have a handle on the dynamic registering of risks and the power of this as tool in your security toolbox you should no longer have any doubt as to why having a Security Management Plan is necessary, why the investment that could be required to implement it should be regarded as a priority, and why it should be included as part of the risk management framework used by a marine facility operator and monitored in an ongoing process, on an ongoing basis.

If asked:
what did you know?
when did you know it?
what did you do about it?

a maintained security risk management program and the dynamic sheets at the heart of it should provide the basis for response to all three of those questions, unless response to question three is unaddressed in which case you are categorized as aware and exposed.

Do I need a Security Risk Assessment before I can complete my Marine Facility Security Plan?

A Security Risk Assessment (SRA) is a Transport Canada requirement and needs to be completed, prior to the development of your Marine Facility Security Plan. Furthermore, it needs to be revisited annually.

If my facility is ‘pre-build’ or ‘pre-construction’ can you still undertake a security risk assessment?

Yes, for pre-build or preconstruction we can still undertake a security risk assessment.  This is done at the same time as the construction documents design phase, where Lions Gate provides a security overview.  This is to inform the finalized technical design, engineering, structural engineering, civil works, landscaping design and detailing across all drawings to determine:

  • Whether there are any outstanding security vulnerabilities in the design that should be addressed.
  • To ensure that security guidance provided in earlier design phases, has made it to the plans as was intended to meet compliance and security standards.

What are the MARSEC levels?

The MARSEC, Marine Security Levels are:  1 minimum-security requirements level. 2 additional or enhanced security requirements and 3 highest level security requirements.  Within each increased level, security is supplemented and is generally a combination of additional human resources, the closer monitoring of electronic security and the additional physical layers to deflect or deny unauthorized access.

Design

Infrastructure security design is a very complex area and despite any person being able to obtain a broad overview of the subject matter, it is likely that the level of technical expertise necessary to design your Integrated Security Solution will only be available from external specialists in this field. It is important to ensure that where necessary external support is made available to the Project Team since the potential for cost overrun associated with a poorly designed project far outweigh the small initial cost of independent design consultancy.   By connecting to external specialists, you will gain access to a sequential process that allows you to design and specify the most important aspects of a robust risk mitigation solution – those that relate to its performance.  Subsequently this will form the basis for engagement with your external providers in a controlled manner, providing reassurance to stakeholders that business risks will be mitigated in a cost-effective manner.

Do not confine your security design mindset to physical, human, and electronic security.  There are the four P’s, Protocols, Procedures, Policies and Programs; What needs to be done, why it needs to be done and how it needs to be done.  These are the instruction manuals, assembly instructions, operating instructions.

Transport Canada Marine Facility Security Officer qualifications and responsibilities under sections 305 and 306 of the Marine Transportation Security Regulations MTSR’s are extensive.  They reach well beyond the marine security environment, a single discipline or the knowledge, skills and abilities of most security individuals.  The most cost effective and efficient means of providing marine security support for a facility based MFSO and operator, is to connect with a third-party security consultancy team.

Connect with a security consultancy team that:

  • Has combined knowledge, skills and ability toservice MTSR 305 and 306 gaps and can provide support on an as needed basis.
  • Is driven by client needs and security industry concepts not affiliations with security products.
  • Provides integrated and layered security solutions and front to back services that are appropriate and realistic
  • Ensures your marine security memory is not lost due to internal security management churn.

For example: At Lions Gate our technical expertise can be found in our Marine Transportation Security Consultation Group which includes three qualified Marine Facility Security Officers MFSO’s, a former Master Mariner Foreign Going Vessels MMFG and an ex Harbour Master and Wharfinger.  Furthermore, two of our MFSO’s are design specialists who are able to conduct Security Risk Assessments and develop Marine Facility Security Plan’s from construction documents and plan drawings for new build projects, meeting Transport Canada compliance requirements by design.

Who can help steer us through the development of policies, procedures and protocols that will meet the requirements of the Marine Transportation Security Regulations and our Marine Facility Security Plan?

Again, it is highly likely that the level of expertise to design your ‘P’ Suite and integrate it with your infrastructure security design will only be available from external specialists in the field.  The security documentation library and supporting components really need to be developed during the SRA and MFSP development process to ensure proper integration and effectiveness.

Implementation & Monitoring

This final phase of the formation of a Security Management Program completes the development cycle towards the management of risk for your organization in a cost-effective, quality-assured manner.  Future Program related activities are then shaped to ensure the program is maintained and sustained.  This will include training, drills and exercises.  The whole risk management program and process from implementation forward must be open to an audit process that ensures that a) the program and process has been implemented as well as it should be; and b) remains current and reflective of the dynamic environment it seeks to operate within.

Who looks after our Marine Facility Security and do they need training?

Your marine facility security will be looked after by your qualified and designated Marine Facility Security Officer MFSO, or their deputy. On any marine facility that qualified position needs to be present.  To achieve the qualification, they undergo formal training. It’s not just the MFSOs that will require training, your staff will require training to meet the requirements of Transport Canada and the MTSR, whether they have security responsibilities or not.  A number of these individuals will also need to obtain Marine Transportation Security Clearances MTSC and who is included in this can be found in MTSR 503.

A Risk Management Framework

The model below sets out the key elements of an overall risk management framework as a series of interlinked elements that build on capabilities to deliver a series of results or outcomes – essentially inputs and outputs. Almost every risk management model has these same elements, they may be presented differently but the purpose and intent of each is the same.

Security Maturity Levels

There is no doubt that the trend in risk management – irrespective of which risk – is towards a greater maturity.  One of the first steps is to establish a marine facilities current maturity level, before incorporating maturity improvement in your security management plan.  This is undertaken at the outset and as part of the assessment of client needs.  An improvement in security maturity level is as clear an indicator of performance improvement as anything.  The determination should be in the hands of an independent auditor.

The Risk Management Framework above has the right elements and addresses the right questions, but how do you know if it works? Where is the evidence that it is being used, that people understand it, and that the outcomes are being delivered?

It is important that you know how effective the current risk management framework is for the Asset because the Security Management Plan is going to form part of it. If the existing framework is regarded by those responsible for the Asset as having a value in delivering effective internal controls, the Security Management Plan has a greater chance of being implemented.

By finding out the answers to the questions posed below you will be able to assess how well risk is managed and how to position security risk accordingly. The questions focus on three key aspects of any risk management framework which have their genesis in the risk management framework model above.

The sub text to each question involves considerable research and study and an understanding of the scoring criterion but is a key part of the monitoring.

Capabilities:

  1. Do senior management support and promote risk management?
  2. Are people equipped and supported to manage risk well?
  3. Is there a clear risk strategy and risk policies?
  4. Are there effective arrangements for managing risks with partners?
  5. Do the organization’s processes incorporate effective risk management?

Risk Handling:

  1. Are risks handled well?

Outcomes:

  1. Are risks handled well?

The maturity levels between 1 and 5 on a rising sliding scale are:

To reiterate, you need to establish where your marine facility sits on this spectrum because it has an impact on how well received the Security Plan will be and your ability to implement it. You may feel that security risk management itself is not well established and is perhaps, ‘ad hoc’ in nature. This may, or may not, reflect how risk is managed across your facility.

In Conclusion

The operating environment in the marine sector is becoming more complex and requires the best possible risk management to be evident in order to satisfy the risk to reward expectations of an increasingly complex and interwoven Stakeholder environment.  Developing and then maintaining a security management program to advance your security maturity on the sliding scale should be your goal, maturity improvement through performance improvement.  Beneath this, as you will now be only too well aware, there are many contributory moving parts.

How will I know if I have achieved the level of security required to secure Transport Canada approval for my Marine Facility Security Plan?

In the final analysis Transport Canada will provide you with approval, but there are precursor targets to be achieved to reach this approval level. This will include the Security Risk Assessment; the Marine Facility Security Plan and all the component parts. As we have emphasized throughout this paper, by using a dynamic security management program model which is continually updated you will surpass the minimum requirements for compliance, not just for Transport Canada or Canadian Standards but also for other jurisdictions.  You will also meet required performance standards to have the most marked impact on costs, levels of victimization and risk exposure.  It is here that returns on investment will be realized going forward.

Are you ready to connect with a
Lions Gate team member?

get in touch