Here, the RM is subdivided into two main processes: proactive (prevention) and reactive (response) processes (a similar categorisation is followed [52,53]). Both processes are interlinked and interdependent, and cooperation aspects such as the joint development and definition of methods, emergency plans, and measures are incorporated into the proactive and reactive processes.
5.4.1. Proactive Process (Prevention)
The proactive process includes the definition of prevention measures as well as emergency plans and countermeasures for the identified risks.
Figure 10, Figure 11 and Figure 12 illustrate the process model for the proactive process.
The process requires important inputs from the risk governance procedure. These inputs include the selected RM process and the corresponding process owner. The list of risk owners as well as their roles and responsibilities for RM are utilised here based on the stakeholder analysis process.
The process starts with the selection of a risk group classification (e.g., operational, safety, or environmental risks). Each risk group should be connected to a risk catalogue, which lists all identified risks that fall under the main risk group. Stakeholders’ roles and responsibilities, defined in the stakeholder analysis process, are filtered based on the corresponding risk source, and all previously created, shared, and transferred knowledge should be utilised in this step.
Then, the risk identification process begins by analysing the examined risk within the specific risk category (e.g., environmental risks). If the risk is already identified, then the corresponding risk owner should be selected; otherwise, the risk catalogue should be updated with the new risk, and a risk owner should be assigned to the newly identified risk. In this phase, risk identification methods should be used. These methods, such as brainstorming, root cause analysis, or the Delphi method, can be selected in advance to aid in the identification of new risks. Any additional risks identified should be added to the current risk catalogue. Based on the risk group classification, adequate methods (including online tools such as simulation tools) to analyse and evaluate the examined risks should be selected.
New risk assessment methods should be made available and selected within the circle of assigned process and risk owners. For instance, risk owners should consider using methods from predictive analytics, such as predictive modelling. These methods should be connected to an online RM methods database, which describes their usage and properties. The risk analysis phase should then utilise the methods extracted from the previous step to analyse the causes, the consequences, the occurrence probability, and the severity of consequences. Previously created, transferred, and shared knowledge is important for this phase. Furthermore, the risk owners should organise workshops and meetings to mutually analyse and evaluate the identified risks. The subsequent risk evaluation phase depends on the output of the analysis phase. The risk owner here should determine the risk class and priorities for treatment based on internal and external meetings.
Emerging risks can become familiar risks over time through information gathering and effective management [49]. Therefore, mutual meetings, workshops, and knowledge transfer are crucial. For instance, expert panels can provide helpful input in all phases of the RM process.
Next, the risk treatment should define the required strategies for the identified risk. Based on the selected strategy, suitable preventive or emergency plans and countermeasures should be mutually defined with the responsible risk owners. The defined measures and emergency plans should then be documented in a shared database to enable their usage when required. The knowledge sharing process should determine which of these measures and emergency plans are confidential and can, hence, only be shared with selected stakeholders.
After defining the emergency plans and countermeasures, the communication means and devices should be identified in advance to achieve an efficient response process. These include radio devices, online solutions, mobile applications, emails, and phone calls. All involved stakeholders should be familiar with the usage of such communication means and devices. This identification will aid, for instance, in defining the order of implementing the countermeasures and emergency plans.
5.4.2. Reactive Process (Response)
The response phase of RM includes the implementation, monitoring, and evaluation of countermeasures and emergency plans that have been defined in the proactive process for each risk source. Therefore, this process should utilise the content of the proactive process for its successful execution. Once the required countermeasures and/or emergency plans have been selected, they should be implemented according to their operational sequence to mitigate the risk that has occurred.
The process owner should initiate the process by classifying the risk source based on the developed online risk catalogue. The responsible risk owners should then be selected based on the documented roles and responsibilities. As previously mentioned, these risk owners should select suitable communication means and devices that have been defined in the proactive process.
The risk treatment phase in the reactive process should implement the suitable countermeasures and emergency plans that can be extracted for the corresponding risk. The knowledge application process is utilised in this stage. The monitoring and review phase starts after the situation is recovered in order to review the process and monitor the effectiveness of the implemented measures and/or emergency plans.
Figure 13 and Figure 14 present all corresponding steps of the reactive RM process.
5.4.3. Monitoring and Review
After successful mitigation of the risk, the implemented countermeasures and/or emergency plans should be monitored to analyse their effectiveness in mitigating the corresponding risk. The process and risk owners for the corresponding risk source are responsible for the review and monitoring in this stage. Suitable monitoring procedures can be extracted from a shared database of RM methods.
The preventive measures, countermeasures, and emergency plans in seaports should be mutually discussed to select suitable options for further consideration and to reject unsuitable ones. A scheduled workshop or meeting should be held with the involved stakeholders and should focus on the extracted lessons learned and potentials for improvement. Knowledge can be applied from previous meetings and/or documented measures. Furthermore, internal audits and EU inspections, for instance, can be utilised in this phase.
The online database for measures and emergency plans should be updated in case of any adjustment after the monitoring and evaluation process. This corresponds to the knowledge creation, transfer, and sharing processes. The monitoring and review step is integrated into the reactive RM process as illustrated in Figure 14.