ISPS port risk assessment: Is the true value in the numbers or in the process?

Various activities to enhance security against terrorist threats were initiated in response to the 9/11 attacks. In 2004 the European Union released regulations based on the International Ship and Port Facility Security Code (ISPS Code) requiring ship owners, harbor operators as well as designated authorities to implement measures and procedures to prevent possible terrorist attacks or activities on port facilities and ships. VESPERPLUS, a collaborative project funded by the German Federal Ministry of Education and Research, investigates security standards in the maritime domain. Among other activities, VESPERPLUS reviews applicable risk assessment methodologies. In this paper we review the ISPS risk analysis framework and its practical use for Port Facility Security Assessments (PFSA) and risk management activities. Our findings suggest that the numbers that are produced by most risk analyses methods are not as sure as the output may suggest, and therefore may not be the best base for preparing risk management activities. We propose that the process of conducting the risk analysis, rather than the numbers produced, holds the true value for understanding and prevention. The risk analysis methodology should be re-structured to capture the content of this process, considering additional options for collecting input, updates and insight from a wide range of experts, as well as for additional sharing of some of the output.