Security and Training – Intrinsically connected

A Process-Based approach to security based on training

One could conclude that the process-based approach where implemented correctly should ensure efficiency and lead to ‘cash in the bank’*. The ‘people>processes>system approach’ *  based on the international standard ISO 9001has been well tried, as the global economy has come closer necessitating standardization of procedures to ensure systems don’t conflict and adversely affect efficiency. Economy today is globally dependent and the process approach brings a system approach to it. Using the approach, one would think organizations would ensure continual improvement, innovate and grow the organization. The process approach as envisaged in the ISO 9001 however leaves out the risk aspects, pollution and the by-products of a process! To stay in business therefore the organizations implement the global standard ISO 14001 encompassing the Environmental Management System (EMS) requirements in addition to the Quality Management System requirements (QMS).

Consequent to the tragedy of 9/11, the post 2001 scenario underwent a negative sea change. Lack of security could wipe away the business totally! It is not that security was not a concern pre-2001; however, the vulnerability of the very symbols of American economic power changed the international equations, which adversely affected the business continuity. If the only superpower on earth was vulnerable and unable to protect its economic center from terrorists then it required a drastic change in the priorities of the business if they were to remain viable. It changed the priorities of the government’s worldwide. For a business to remain sustainable, ensure continuity it was not just essential to be process based and ensure pollution control, environmental protection, be risk based and catering to the by-products, but also of the utmost importance to ensure security of the business. Security became a prime concern. All investment in business can be lost in a moment if a security breach takes place.

The maritime industry is intrinsically involved with the world economy, in that more than 90% of world trade is by vessels trading the globe. The maritime world had its process approach to safety and pollution prevention covered by the SOLAS convention published and implemented as the mandatory ISM Code. Pollution aspects of vessels are specifically addressed by the MARPOL convention. The security uncertainty post 9/11, quickly lead to the implementation of the mandatory ISPSCode for all internationally trading vessels and for the ports where these vessels came in. With the implementation of the ISPS Code, the maritime assets are protected.

The global supply chain is however, not limited to the maritime assets! The concept of maritime asset protection needed to be broadened, as the assets were vulnerable to breach both ‘up-stream’ and ‘down-stream’ of the ISPS Code. Breach of security anywhere in the global supply chain could have catastrophic consequences on the global economy. The introduction of the global standard ISO 28000 filled this vacuum and provided the requirements for implementing procedures to create a system to protect the global supply chain.

Ninety percent of the US homeland imports come in by sea. Inspecting such a large quantity has colossal challenges. Only about 3 to 5% of the containers coming, for example are inspected! It is a daunting task for the USCG and CBP. The CBP initiative in terms of C-TPAT relies on partnership with the industry and encourages those trading with the US to make their security systems compliant with these requirements. It is essentially a process-based approach to security aligned and based on the ISO 28000.

Just the planning and implementation of the security requirements is not sufficient. Individual responsibility is integral to security and when combined with the system approach can pay dividends. All the standards be it ISO 9001, ISO 14001 or ISO 28000 or as applicable in the maritime world: ISM Code, ISPS Code or the MARPOL convention, each requires a system approach. It is vital to the success of this approach that the top managements (TM) are conscious of their responsibilities. Other stakeholders, be they owners, operators, auditors, statutory or regulatory bodies, flag State Administrations do their bit, but TM remains totally responsible for security.

This alignment of TM responsibility being paramount has another variance in the security scenario. I think this vital difference needs recognition by all parties involved in the security of the global supply chain. The major difference is epitomized (particularly for the maritime industry) in Clause A/ 19.1.3 of the ISPS Code. The clause is often considered just advisory in the verification process. However, the sting in the clause is applicable to the entire body of security. The clause virtually requires the Flag State to 'guarantee' full proof security following verification by the Administration! No other international or maritime standard requires this assurance from a regulator. All security related industries, not just the maritime industry (who in any case have no choice!) must take cue from this clause as it leads to a fresh interpretation of security responsibilities for all stakeholders in the global (particularly maritime) supply chain. The auditors, inspectors, the involved organization, regulators et al take due responsibility for the security.  To broaden the implications of the thought behind the clause each entity looking at the security aspect must be fully satisfied and guarantee 100% security. No deficiencies/ NCs (Non-Conformities) are acceptable. Howsoever minor the NC it must be addressed promptly. The strength of the global supply chain is defined by the weakest link in it, and as such, the deficiencies need to be completed before any verification certificate is given.

The challenge and requirements are then clear. The question is how is this to be ensured? Perhaps by getting the best available equipment? Hiring top-notch security personnel? Will just the participation of competent professional manpower and best of surveillance equipment do the magic? Alternatively, perhaps the putting in place of the correct procedures to complete the system is the guarantee of an impregnable security system.

                   

What it requires, I think, firstly is the total TM commitment, to ensure and motivate their teams by care and coordination to ensure the security system works. The security policy published by the TM should be totally in keeping with the actual security requirements of the organization and based on an in-depth study of the threat perceptions. The policy if well thought over and reflecting the actual of the organizations security threats will then lead to measurable objectives and goals for the security team. The team then can have the organization and procedures aligned and resourced to meet these objectives. Once the procedures are ready and introduced the vital phase of training and training alone will determine the outcome of the desired results. Both prevention in terms of preparing for a security eventuality and the response in consequence to a security tragedy will require the systematic P-D-C-A (Plan-Do-Check-ACT cycle)* approach. A good security plan based on a through security assessment (SA) as it moves to the working phase/ Implementation stage (Do) requires aware leaders leading their team through constant training.

Drills to practice and work the security procedures and build the required confidence level will require regular, well-planned training. Drills must exercise each security element of the global supply chain. The success in drills will then need to be bridged by training to ensure each element in the global supply chain (for that matter the domestic supply chain too) is exercised. The more innovative and realistic these drills and exercises the greater will be the confidence level of the management and employees (as also all stakeholders) in their ability to both prepare and be able to react to a breech in security of the supply chain or any of its elements.

SA is essential and integral to a security plan (SP). However, emphasis on carrying out a detailed and thorough threat perception as a must ‘pre-cursor’ to SA before a SP is made should be part of the system ensuring security. Each security drill and exercise should encompass the elements of ‘lessons learnt’ at each level, finally leading to the TM review. TM must remain involved and committed to the security ensuring continual improvement is taking place and innovation encouraged. It must be remembered that the terrorist organizations recruit and train a very motivated work force on their well-tried methods! These terrorists are often two steps ahead of the security measures the industry takes and are ever ready to circumvent security. The security of the global supply chain can only be ensured by the training system being innovative, proactive and capable of recognizing potential threats to the security. Following up on NC by correction and corrective action is essential, but an indicator of the organization being a step behind the ‘bad elements’. Following up on NCs against the security system at its best can be defined as reactive. The security team will be effective; the security system will function as planned when the indicators point to the capability of the system to predict potential security breaches (NCs) by analyzing security threats and trends from available security warnings, threat perceptions. The occurrence of a NC always costs the organization, however small or catastrophically. However, there is a cost associated.  With good training, the team with its involvement and commitment can recognize the potential NCs and add value to the system protecting the global supply chain and each element in it. The security system must therefore drill and exercise the team members to ensure competence and provide them the ability and confidence level to understand the security system so well that analysis of indicators is carried out with professionalism and correct TM decisions taken to secure the global economy from unscrupulous elements.