Creating a Safe and Secure Environment for the Marine Transportation of Energy

Remarks by Frank J. Iarossi,
ABS Chairman and CEO
Mare Forum
Houston, 18 November 2002

Good morning ladies and gentlemen and welcome, especially to those of you who have traveled a considerable distance to join this Forum. This morning we heard discussions about energy demand, future energy sources and worldwide distribution. I would like to now shift your focus to the transportation of energy, more specifically, the safe and secure transportation of energy.

Houston is the energy capital of the world. Those of you who have not yet had a chance to travel the Houston Ship Channel would be astonished by the petrochemical complex that lines the 50-mile waterway. The 300 plants along its banks provide the heartbeat of this city.

Since the terrorist attack on the World Trade Center, that complex also provides an ever-present reminder to those of us who live and work here of the new vulnerabilities to which we, as a community, are exposed. One of the articles in yesterday's Houston Chronicle was headlined "Ship Channel Increases Vigilance." The article listed "oil facilities" as one of four potential targets put on high alert by the U.S. Government.

With the even more recent attack just six weeks ago on the tanker Limburg it is very easy to imagine catastrophic risk scenarios involving that waterway, the ships that traverse it and the refineries and petrochemical plants that line its banks.

Since it is not possible to create a world that is free of risk, one that is protected by an impenetrable shield, we need to understand how to deal intelligently with terrorist risk.

Our challenge is to assist those with a stake in the safe and secure transportation of energy, to manage their risk exposure.

The stakeholders are the owners of the refineries, the ships, the pipelines, the offshore rigs and the millions of citizens in this community who would be affected by an attack.

They include the federal, state and local governments with jurisdiction over those vulnerable areas.

It includes the port authorities and terminal operators who are attempting to prevent their facilities from being used as a conduit for destruction.

And it includes the underwriters, the charterers and ultimately the seafarers who must now confront an adversary as furious and as unpredictable as the sea itself.

How do we assist them to manage their risk exposure? What concepts and technologies are available to enable us to provide this assistance?

How do we balance the interests of international commerce with the need for security in a threatening world? This is our principal dilemma. How do we balance the interests of commerce with the need for security?

Terrorist risk may be a new phrase in the general lexicon but risk assessment, risk management and risk mitigation are not.

The rational, logical application of these concepts can greatly enhance the security of the marine transportation sector and of the port, terminal, intermodal connections and industrial facilities with which the ships directly interface.

Normally, risk management is used by organizations seeking to improve their business performance.

Every organization or enterprise operates within a spectrum of risks every day.

We may subconsciously evaluate our exposure to risk and the probable consequences, as we do when crossing a busy street.

Or we may apply very sophisticated analytical techniques as often occurs within the nuclear power sector.

But security risk introduces a slightly different and much more ominous rationale.

The fundamental risk elements of frequency and consequence must be amended to take into account two new elements... threat and vulnerability.

Threat is a measure of the likelihood that a specific type of attack will be initiated against a specific target.

Vulnerability is a measure of the likelihood that various types of safeguards against such a threat scenario will fail.

And so the normal risk elements of frequency and consequence must be modified to include threat, vulnerability and consequence.

The fundamentals and methodology are the same - only the application is special.

This brings me to a very simple, but very important point.

It is easy to become caught up in the drama of catastrophic terrorist risk. It is essential that the prudent energy transporter take these new risks into account.

But they should not supplant existing business related risk management systems. None of these elements exists in isolation. Instead they must be considered as part of an enterprise solution to risk.

An effective risk based security management process must take a holistic approach.

There are three phases that must be considered within such an integrated process.

First, it is necessary to identify all reasonably foreseeable threat scenarios.

Then the risk of each scenario must be characterized.

By that I mean that the threat of each scenario must be assessed; the vulnerability to each scenario must be analyzed; and the possible consequences of each scenario must be determined.

And finally the information gained from this security risk assessment must be used to adjust the planned risk management controls that are already in place or that should be developed to address normal operational risk.

By prioritizing threats according to risk, an organization can focus its attention and its resources on the areas of greatest concern... the areas of greatest risk.

It is not possible to eliminate all risk. But through the clear, logical application of the risk management process risks can be identified, ranked and controlled in a practical manner.

To be most effective, to provide for the best allocation of scarce resources, whether that is money, trained people, security technologies, or even armed protection, we, as an industry, need to bring more technical and scientific rigor to the understanding of the threats.

Risk technology plays a critical role in turning well-intentioned defensive proposals into a coordinated and rational response.

The application of risk assessment techniques is what gives us the confidence that we are properly addressing the impact of terrorist risk.

It is risk technology that helps us to quantify the vulnerabilities and characterize the security threat scenarios.

For example, technology can allow us to simulate the event footprints resulting from blast, explosions, chemical release or gas dispersion should an incident such as the Limburg occur in the densely developed Houston Ship Channel.

A risk profile brings all the information together in a manner that simplifies the decision making process. It allows a rational assessment of alternative strategies such as expanding security zones or arming ship's crews.

Let me give you a practical example. ABS Consulting has been working with the US Coast Guard for some time, starting a few years before 9/11. Our role as risk management consultants was to assist the U.S. Coast Guard in the development of risk based decision-making techniques.

The events of 9/11 led the Coast Guard to apply these techniques to examine the safety and security of existing LNG operations in Boston Harbor.

The location of the LNG terminal in Boston requires a laden LNG carrier to pass through urban areas and close by the City's international airport.

Using risk based techniques, developed for it by ABS Consulting, the Coast Guard performed a "what-if" analysis of terrorist threats to a gas carrier entering Boston Harbor.

ABS Consulting documented an LNG consequence analysis to identify and prioritize credible threat scenarios.

We reviewed, critiqued and integrated incident scenario models that had been previously developed by other organizations and government agencies.

We performed further modeling of potential consequences including fire and vapor cloud explosions to fully characterize a wide range of possible outcomes.

I am not at liberty to reveal the outcome of those analyses but I can say that the findings helped address some of the startling differences in the various fire and explosion analyses that had been performed previously.

And they allowed the Coast Guard and Government personnel to better understand the threats, vulnerabilities and consequences so that an effective assessment of the risk of LNG shipments into Boston could be developed and reasonable decisions could be made about appropriate risk controls.

The bottom line was that, as a result of the extensive application of risk assessment concepts, the temporary ban on LNG carrier movements within Boston Harbor was lifted and normal trading resumed, with appropriate safeguards.

Having given you a flavor of what the application of security risk management techniques can do, I would like to take a few minutes to address the pending IMO International Ship and Port Security Code. This ISPS Code is expected to be adopted at the Maritime Safety Committee meeting in December and should enter into force as part of SOLAS in mid-2004.

Much more will probably be said about the ISPS Code this afternoon so I want to limit my remarks to a fairly broad assessment of the direction and effectiveness of the proposed code within the context of my preceding remarks about security risk management.

Is this ISPS proposal a positive step forward? ... Absolutely.

Could it have been bolder? ... Yes.

Are there clear weaknesses? ... Yes.

The framers of this code are to be congratulated both for the speed with which they have produced these requirements, and for the breadth of vision they brought to the problem.

They did their best to introduce an enterprise solution by extending its applicability beyond the ship to include immediate port facilities.

And they showed an awareness of the need to take a holistic approach to the question of risk management by positioning the code for future adoption as an extension of the International Safety Management Code.

That said, I fear that the IMO will accede to the lowest common denominator, being a consensus driven, political body.

The mandatory Part A of the proposed code is a step forward but a tentative and rather simplistic step.

The real impact of the proposed security code, the part that can form the basis for a true security risk management approach, has been placed in Part B. However, Part B is currently labeled as "recommended" which obviously means voluntary.

Unfortunately, the majority of the maritime industry has a consistent history of minimum compliance, of doing only what is mandated. A small number of highly responsible operators will do more because they will realize that by doing so they will be investing in their future.

Some will do more than the minimum because of a fear of liability. Others will do more than the minimum because it can be expected that the U.S.A., through the Coast Guard, will make the higher standards contained in Part B a mandatory requirement for entering any U.S. Port.

In fact, the recently released U.S. Coast Guard Security Guideline For Vessels - NVIC 10-02 - does just that and more. It is labeled "Guidelines" but we all know governments have various methods of enlightening those who do not follow their "guidance". With the passage last Thursday of the U.S. Maritime Security Act, this is no longer speculation.

Let me make one point perfectly clear. As a U.S. citizen, and as a grandfather of five American children suddenly vulnerable to biological, chemical and radiological attack, I strongly urge that the U.S. Coast Guard take such action.

A voluntary approach to improving maritime security offers little, if any security and simply will not be acceptable to the average American citizen.

Tough, effective standards are needed and they should be mandated.

If IMO cannot muster the collective will to do this, then unilateral action by the U.S. Government will be demanded by its citizens as they confront a threatening world.

If a tough, enforceable standard is not mandated, I believe there is a real risk that the IMO regulations will do no more than encourage a check sheet approach to maritime security, similar to the manner in which much of the industry has responded to the ISM code.

The operational and business benefits of the ISM Code, or of any management system, can only be attained through a total, top down commitment to its application.

In the same way a security risk management system will only be effective if there is a similar commitment within the organization, on each ship, and in every port.

Any management system is only effective if it is dispassionately audited at regular intervals.

Safety, quality and environmental management systems adopted by land-based enterprises are audited at least annually and often even more frequently.

The ISM Code's management system certification is valid for 5 years and requires only one intermediate audit that can take place up to 3 years after the certificate is issued.

Stop and think about that for a moment. It means that an auditor goes aboard that ship for one day in every 1,000 days.

The IMO has taken a similar approach with the proposed security code; a 5-year validity with only a single, intermediate audit.

Only a pack of fools would think that a voluntary program, audited once every 1,000 days, will provide protection against a determined terrorist.

We don't need a rigorous scientific analysis to make that judgment. If that is the best the maritime industry can come up with, then more stringent mandatory U.S. Government rules are a sure bet.

Until 9/11 most forward-looking companies recognized that they were navigating through a complex risk landscape dominated by natural and operational hazards.

They faced two basic questions.

How much of the risk can I live with?

In the case of security this becomes a question of how much risk the threatened society is willing to live with. It is no longer about the risk threshold of a company, but of a society.

How much am I willing to spend to reduce my exposure to unacceptable risk?

Again it becomes the role of the threatened society to determine necessary risk reduction measures.

However, you are not alone in the wilderness. Traditional risk technology has already been adapted to help you chart your way forward.

Security risk management is going to be a very visible priority within the energy sector for some time. We face many challenges ahead as we seek to allocate our limited risk mitigation resources wisely.

The tools are there to help. The skills are available and the willingness to help is unbounded. Together we can rise to meet this challenge and to beat the terrorists who have posed it.

Thank you,

Frank J. Iarossi