Understanding the difference between ‘risk’ and ‘threat’

Why do the risks for different vessels vary when confronted with the same threat? And which tools allow you to assess the specific risk to your vessel given an existing threat in an area?

This article discusses threats and risks and how these two concepts can shift based on the type of operations carried out. We will provide you with a complete overview of how the threat in a specific location can be used to calculate the potential risk a vessel faces throughout a voyage.

The confusion between risk and threat:

Most individuals confuse the two terms. We will clarify and define both concepts:

A threat is a communicated intent to inflict harm or loss on another person or an intention to inflict pain, injury, damage, or other hostile action on someone or something in retribution for something done or not done.

When analysing a threat, we assess who might launch an attack against what assets, with what resources, for what purpose, at what point in time, where on the globe and with what probability. If we look at a threat assessment, it may also include certain features about the type of attack’s technology. However, the TA does not always cover the specifics of the attack, the security measures to be evaded, or the vulnerabilities to be exploited.

Risk, is the probability of something bad happening. It involves uncertainty regarding the consequences and impacts of an activity involving something that humans value. Focusing on negative consequences such as fatality, injury, property damage or bad publicity.

Risk is defined as the chance of a security event having an adverse impact on objectives. It can be expressed qualitatively or quantitatively. Security risk comprises the likelihood (taking into account the threat and the target’s vulnerability) and the consequences.

Risks, as stated, can also be calculated quantitatively by taking the numerical values of threat, vulnerability, and consequence into consideration.

Assessing the threat and the risk:

What exactly is a threat assessment?

A threat assessment (TA) is an in-depth analytical analysis of existing or future threats for specified client operations in a defined area or on a defined route.

Furthermore, threat assessments serve as the foundation for decision making and contracting. They can be used to support or confirm policy making.

What is a risk assessment?

A risk assessment (RA), is defined as a comprehensive assessment including a threat assessment, vulnerability assessment and consequence assessment. The scope and complexity is defined by the scope and complexity of the operation.

Moreover, the RA includes recommendations for risk mitigation. The vulnerability assessment built into the RA is more commonly used for selecting and evaluating the best mitigation measures available.

Methodology of assessment reports:

Threat assessment methodology:

The TA methodology comprises of a systematic assessment of several factors. To define the variables in the maritime domain, we often look at the capabilities of groups of attackers known to operate within a defined area. These variables are as follows:

• Range of operation capability;

• Past document incidents;

• Boarding capabilities;

• Use of arms.

The intentions of groups of attackers are also analysed:

• Are they seeking to create chaos and fear (which we define as terrorism);

• Are they seeking personal gain (piracy, theft, kidnap/ransom)

We also concentrate on the opportunities offered by vessel traffic. For example, security force participation and local geography that provides shelter or loitering spots for the perpetrator.

Risk assessment methodology:

The RA methodology combines three factors to reach a conclusion. These factors are assessed individually and the components are: threat assessment, vulnerability assessment and consequence.

The threat assessment is as discussed in the previous section.

The second component is vulnerability. It's described as a specific security weakness or lack of security measures. It could be manipulated by adversaries with various motives and interests in different assets. Moreover, it may be inherent in the target’s operational profile or possibly its layout, mode and freeboard.

The consequence classification refers to the outcome or impact of an event or a threat materialising. It can be measured qualitatively or quantitatively. The consequence criteria specifies the limits of acceptance, which are defined by the client.

Security risk is the combination of all three, generating a result that reflects the possibility of a security incident occurring.

The four evaluations listed below serve as the foundation for all Risk Intelligence risk assessments:

• Threat assessment is a prediction of intent to attack a vessel or operation;

• Vulnerability assessment is a weakness quantification and strength of a vessel against threats in a specific area;

• Consequence is the potential effects of an attack;

• Risk assessment is a compilation of the above results using a basic mathematical formula.

{(P x C) + V}
Probability multiplied by Consequence, + or - the value of Vulnerability

How to mitigate the risk?

When the value of a threat or risk is high or elevated, the question of how to reduce that risk arises. However, there is very little we can do to change or alter the threat factor. They are often mitigated by governments, the military, law enforcement, and remedied by politics, big policy changes or economic changes.

As a result, threats can be addressed through situational awareness, adequate knowledge and preparation, and reduced by avoidance. Avoidance is a result of situational awareness and preparation, as well as advanced knowledge.

Risk, on the contrary, can be reduced. As stated previously, risk is a combination of threat, consequence and vulnerability. Using simple math, we can modify the potential risk by changing one of these components.

We could mitigate the overall risk by reducing a particular vulnerability using the above-mentioned formula. Moreover, by reducing the consequence, which is a critical risk factor, we could significantly minimise the risk.

How to mitigate consequence?

• Enhancing the medical preparedness of a vessel, operation or facility. Thus allowing them to reduce the potential casualties, which would result in a mitigating consequence.

• Strengthening certain areas with ballistic protection and reducing the potential effects of gunfire, if such a threat exists.

• Armed guards escorting a vessel in the Indian Ocean or West Africa with citadel access could lessen vulnerability and consequences. Since the armed guards can keep the attackers at a distance, potentially decreasing ship damage and casualties.

Comparison of threat and risk assessments:

Threat assessment (TA):

• Who, what, where, why, how and will it likely happen to me?

• The TA is an in-depth analysis describing a situation, where it derives from, where it’s going and how could it affect me. To assist me in decision-making, awareness and preparation.

• We can only mitigate threat by awareness and avoidance.

Risk assessment (RA):

• If it happens to me how can I avoid, detect, deter, delay and respond?

• The RA, based on the TA, describes how that threat can affect me. What could be the results and how can it assist me in deciding what to do to reduce the risk?

• We can reduce risk by applying mitigation measures and reducing vulnerability and/or consequence.

What scenarios should we prepare for?

What is the situation in the actual port, as well as in the port's surroundings and immediate area? What is the situation - also in relation to the cargo carried by the vessel?

In Libya’s case, shipping NAFTA or other refined materials may pose risks, whereas general cargo may not present as many. In addition to the actual route, we must examine what cargo, vessel type, port and surroundings the client is planning on.

All of this can lead to a change in threat and/or risk depending on where we are in the world. The situation in some areas, such as Libya, is volatile. It varies from week to week, resulting in a dynamic threat situation.

The geopolitical impact

Apart from vessels and cargo, the consequences of flags of cargo ownership must be considered. Due to conflicting land interests, you may become entangled by the charter or the cargo owner.

Voyage risk assessment:

How can a voyage risk assessment be implemented in high-risk areas?

There are two types of threats and risks. Let’s discuss both Libya and Gulf of Guinea. In the case of Libya, the threat and/or risk are significant in the port region or its immediate surroundings. However, the situation is considerably different at any port or terminal in Western Central Africa's Gulf of Guinea. In that case the threat is primarily associated with the actual voyage going to and from the port.

Compared to Libya, this is a severe threat, but more stable and there are no anticipated changes from week to week. In a voyage risk assessment, it does not matter if the vessel is a bulk carrier or a container vessel. Alarming is the threat posed by groups that attack vessels with the intent to kidnap seafarers. This is a threat that affects all types of vessels.

Depending on the vulnerability of the vessels, there are varying degrees of risk. Container ships and LNG tankers are more difficult to board than smaller product tankers. Despite this, container ships have been successfully attacked at high freeboard and speed.

When conducting a voyage risk assessment, we consider the client’s desired route rather than recommending one. Then we analyse the threats and risks associated with the planned route.

Another important component to consider is the location specification. Is it better to be far from the shore or close to it? In certain cases, it’s more beneficial for vessels to stay closer to the coast. Naval forces can respond to an actual attack faster than if it occurred 200 miles out at sea.

Ways to reduce consequence and vulnerability of a specific vessel:

• implementing all hardening measures;

• training the crew;

• conducting regular security drills;

• ensure that the crew is aware of the citadel’s location.

Forecast of incidents:

We undertake a risk assessment by analysing the existing situation on the intended route and in the port, including its surroundings. We measure six-month criteria and what's expected to happen in the route's daily area. Our operations will not be affected by an unanticipated event that might happen in three months since we’re prepared for it.

Some companies, operating in Mozambique are concerned due to the insurgency threat in the north-eastern part of the country. Alternatively, incidents in another region of the world may have an impact on the chosen route.

As a result, mitigation is critical for limiting risks for a specific project and reducing potential consequences. Add to this, the difficulty of locating accurate or confirmed information. We must analyse a great deal of propaganda in all parts of the world.

How can we help?

Risk Intelligence offers a wide range of tools for a variety of purposes. Our primary system, the Risk Intelligence System, consists of many tools covering both threat and risk requirements, in addition to multiple other benefits, utilities, and functions.

Risk Intelligence advisory service tools

Threat and Environment assessment (TEA): a bespoke report tailored to the client’s needs. It’s a comprehensive report that includes an executive summary, in-depth analysis with examples and explanations.

Voyage risk assessment (VRA): a standardised semi-quantitative assessment for a specific individual voyage. VRAs incorporate all risk assessment criteria, such as threat, vulnerability, consequence and overall risk. We also provide bespoke and enhanced VRAs, which might include a single or multiple ports that are transmitted.

Security risk assessment (SRA): can be conducted for a particular voyage, a simple or complex operation. This could include a crew change, multiple vessels, a land-based operation, or a combination of all of the above. The SRA, like all other risk assessments, always includes a TEA. In addition, the vulnerability segment can be either conducted remotely based on information provided by the client, which is the desktop, or include an onsite survey of the vessel operation or facility, in which we would collect and assess the necessary information after we have actually seen it.