A Process Model for Cooperative Risk Management in Seaports

Seaports are critical links within supply chains that are often located near residential areas. These seaports can be directly affected by the consequences of operational risk sources and natural disasters, such as undeclared dangerous goods and floods, respectively. The diversity and large number of stakeholders at seaports add another level of complexity for risk management that requires a standard approach and clear guidelines. This paper aims to develop a prescriptive process model for cooperative risk management (CoRiMaS) in seaports to enable stakeholders to manage different sources of risk during risk prevention and response. The prescriptive process model builds on two previously published papers which focused on developing a conceptual framework and a descriptive model based on an ontology for CoRiMaS, respectively. A detailed requirement analysis based on focus groups and a survey study in the Baltic Sea Region (BSR) provides important inputs to integrate the required elements into the CoRiMaS prescriptive process model. The model requires an overall input represented by the type of seaport and structure. The prescriptive process model presents all steps and aspects related to stakeholder analysis, risk governance, risk management, and knowledge management. Implications for theory and practice, as well as an agenda for future research, are presented.


Introduction
Presently, many organisations encounter numerous challenges due to globalisation and continuous technological development [1]. For instance, industries working in long supply chains face challenges and disruptions linked with uncertain demand as well as supply [2]. These challenges and disruptions cause risks that need to be addressed to prevent and mitigate any negative impact on the economy, the environment, and the health and safety of people. These risks cause disruptions to different nodes within supply chains, including seaports.
Seaports are crucial nodes in international supply chains and logistic networks [3]. They are no longer restricted to one section of the supply chain but are evolving as strategic trade relationships between countries. They are considered to be junctions of cooperation among countries, including logistics, tourism, transportation, and energy. Moreover, seaports are key logistics hubs for various operations: the seaside, for loading and unloading vessels; the storage area, for storing and handling the different cargos; the landside, for distributing the freight via different modes of transport [4][5][6]. These operations are linked with different stakeholders that interact with one another in various scenarios.
Apart from the complex stakeholder structure, various risks can occur near residential and industrial areas at seaports, potentially exposing people to the consequences of accidents [7]. Approximately 50% of all marine casualties and incidents take place in ports or their nearby areas [8]. Recent incidents and accidents, such as the explosion of 2750 tonnes of highly explosive ammonia at the Port of Beirut, revealed the importance of thorough risk management at seaports. Ports are also prone to earthquakes and other natural disasters.
As a result, cooperative risk management (RM) can play an essential role in effectively mitigating various sources of risk such as natural disasters, oil spills, and highly explosive gases and chemicals at seaports.
In view of the foregoing, building a sound risk management system in a seaport demands reliable and extensive cooperation between many organisations [5]. Therefore, this paper aims to develop a prescriptive process model for cooperative risk management in seaports based on a conceptual framework, a descriptive model, and a detailed requirement analysis in the BSR. The remainder of this paper is structured as follows: Section 2 starts with a brief overview of seaports, risk management, and related work that reveals the research gap. Thereafter, Section 3 describes the methodology of the paper, and Section 4 presents the results of the requirement analysis. In Section 5, the process model with its components is presented. Discussion of the results and implications extracted from this research are summarized in Section 6. Lastly, the conclusion, limitations, and outlook of the conducted research are presented in Section 7.

Background and Related Work
This section provides a theoretical background concerning the main areas of this research paper: seaports and risk management. Furthermore, previous related papers are presented to identify the research gap.

Seaports
A seaport is a place where the mode of transportation changes from land to waterborne systems. It can be considered as a facility located along the edge of the sea or ocean for receiving ships and processing cargo to and from them [9]. Benson [10] defines a seaport as "that link in the chain of transport where sea transport is exchanged for inland transport".
Seaports represent a cooperation link between countries in different branches, such as transport, tourism, and energy [11]. They enable nations to gain access to global markets to trade products and materials that contribute to economic development [12]. For instance, seaports are daily points of arrival and departure for convoys of wagons, lorries, and inland waterway craft [13]. While seaports are different in function, they all share a basic structure: the seaside for loading and unloading vessels, the storage area for storing the goods, and the landside for further distribution of the goods by train or truck. Cargo in maritime transport can be classified into bulk and break-bulk cargo [14]. Bulk cargo refers to both liquid and dry freight that is loosely carried in bulk; it is a "homogenous cargo that is stowed loose in the hold and is not enclosed in any container such as a box, bale, bag, cask, or the like." [15]. On the contrary, break-bulk cargo is packed in a variety of boxes, bales, and bags, loaded and stowed separately. The break-bulk is normally referred to as general cargo consisting of freights in small consignment for numerous consignees.
Based on the method of packaging, maritime freight can be classified into general cargo, containerised cargo, roll-on-roll-off cargo, and petroleum products or liquid bulk [16].
Break-bulk general cargo differs from normal bulk cargo based on the type and the way in which the cargo is stowed and loaded. For instance, palletised boxes of bananas loaded into a hold are considered to be break-bulk [15]. Furthermore, the packaging of cargo into a contained form so that it can be easily moved through a multimodal transport chain is referred to as the containerisation method of packaging [16]. In contrast, petroleum products or liquid bulk is usually shipped using oil tankers via pipelines connecting land storage facilities with the vessels [17]. Ro-Ro is "a description of a ship in which cargo is worked horizontally on wheeled vehicles via a ramp and through doors in the ship's wall" [18].
An essential aspect related to the complexity of seaports is the fact that they have a wide range of stakeholders. Stakeholders, such as port authorities, terminal operators, customs, and government ministries, use heterogeneous business information systems, and the integration of these systems presents a challenge [19]. Seaport stakeholders themselves have varying objectives, and accordingly they prioritise different port activities [20]. The management of seaports is complex since it should consider and actively monitor the concerns of all stakeholders. To carry out particular actions and decisions, port operators and managers should primarily consider the interests of those stakeholders who are most closely and critically involved [21]. Due to this complex stakeholder structure and the various risk sources that can occur at seaports, an appropriate risk management process should be established.

Risk Management
The definition of RM in this paper is adapted from Norrman's and Lindroth's (2004) definition of supply chain risk management (SCRM) [22]. RM in seaports is defined as the cooperation among partners within the network of a seaport by applying RM process methods and tools to deal with risks that might have considerable impacts on the economy, the environment, and/or the health and safety of people. A clear understanding of different risk sources should be achieved to define appropriate measures, tasks, and responsibilities.
The identification of risk sources (hazards) is an important step that should be followed to effectively assess threats and potential consequences at seaports. If a threat is somehow overlooked or underestimated, it is likely to trigger a hazard that could result in an inappropriate top event (risk). For this reason, developing a thorough list of potential foreseeable risk sources in seaports is important [23]. The specialisation type (i.e., cargo handled) at the corresponding seaport influences the potential risk sources that can be triggered by specific threats.
In port facilities, many risk sources can be triggered by various threats. To categorise them in an effective and understandable way, two terms are used: natural or man-made risk groups [7] (see Figure 1).

Figure 1. Natural and man-made risk groups (own illustration based on [7,24]).

Natural risk sources are normal processes that occur in the natural environment [25]. These risk sources pose a threat to societies and organisations since they arise from uncontrollable changes in the physiognomy of the planet, such as meteorological, hydrological, atmospheric, geophysical, or mass movement fluctuation [7,24]. Unlike natural disasters, man-made risk sources are intentional or unintentional actions that can potentially cause harm to people or organisations [24]. In other words, a man-made risk is caused mainly by one or more intentional or negligent human acts. The man-made risk groups can be divided into different categories, including operational, technical, organisational and environmental, depending on the nature of the activity, the situation, and the consequences.
Managers in seaports are required to continuously assess and manage the aforementioned risk sources. In the literature, different risk management processes are presented [22,26,27]. A clear and standard risk management (RM) process can facilitate an efficient management of risks. The ISO 31000 standard for risk management provides a standard process for risk management that consists of the following phases based on a specific defined context: risk identification, risk analysis, risk evaluation, risk treatment, as well as monitoring and review. Every phase is linked with communication and consultation with internal and external stakeholders [28].

Related Work
A brief discussion of existing relevant works is provided in this subsection. Table 1 presents selected main references that deal with process models for risk management and/or cooperation in seaports. The research on process models for risk management covers different areas. For instance, Barafort et al. [29] developed an integrated risk management process model for IT settings; Ilvonen et al. [30] aimed at developing a process model for knowledge security risk management; Kajko-Mattsson et al. [31] developed their risk management process model for software products; Caballini et al. [32] focused on the cooperation between truck carriers in seaport containerised transportation; Lanne and Sarsama [33] developed a collaboration approach for managing safety and security risks in organisations; Li et al. [34] developed a risk and optimisation model for trustworthy software process; Wong and Kozan [35] developed a model for the optimisation of the container process at seaport terminals. However, there are only a few publications that deal with risk management cooperation in seaports (see Table 1). These papers deal with a descriptive analysis based on an ontology as well as community analysis for stakeholders at seaports (see [4,5]). None of the examined publications provided a process model for cooperative risk management in seaports. This research fills this gap and develops a prescriptive process model for CoRiMaS. It complements the research and recommendations conducted and provided by [4,5] with regard to CoRiMaS. The next section outlines the methodology of this research paper.

Methodology
This paper builds on two previously published papers which focused on developing a conceptual framework and a descriptive model based on an ontology for CoRiMaS, respectively (see [5,36]). The conceptual framework provides an initial analysis of the main building blocks that are elaborated and structured in detail within the prescriptive process model. The descriptive model provides an ontology that links existing processes and practices with specific classes. These are used as a standard common syntax in the knowledge management process phases within the process model. A detailed requirement analysis based on focus groups and a survey study in the Baltic Sea Region (BSR) provides important inputs to integrate the required elements into the CoRiMaS prescriptive process model. The overall approach of the research paper is presented in Figure 2.

Conceptual Framework
A conceptual framework is "a bridge between paradigms which explain the research issue and the practice of investigating that issue" [37]. The conceptual framework is developed based on the analysis of theories that influence CoRiMaS from four research areas: risk management, knowledge management, network science, and process management. For instance, examples from the extracted theories include End-to-End process management theory applied in process management and catastrophe theory applied in risk management (see [36] for the list of all theories). The aspects of these theories were refined based on an interview study conducted at the port of Hamburg. The coding analysis of the interview study refined each theoretical aspect and added further issues that should be considered in the development of the prescriptive process model. The framework has six main components: (1) overall inputs represented by seaport type and structure as well as regulations, directive, and standards, (2) network science, (3) core stakeholders, (4) process management, (5) risk management, and (6) knowledge management (see [36]). The framework provides essential components that are further refined in the developed process model.

Descriptive Model
Two process models can be distinguished: descriptive and prescriptive process models that follow each other. Current processes and situations are first modelled and represented in a descriptive process model; then, based on the descriptive model, problems and potential for improvements are identified and mitigated by changes to the process model [38]. A prescriptive process model tells people to carry out things differently, which means a change in their behaviour. Prescriptive frameworks and models derive their logic from theoretical arguments and/or empirical results [39].
The descriptive model is based on an ontology (an ontology is "an explicit formal specification of a shared conceptualization" [40]) for cooperative risk management in seaports. The classes of the ontology and their classifications were tested based on a case study at the port of Hamburg. The ontology has five main classes: the seaport, the hazard, the stakeholder, the cooperation aspect, and the process (see [5]). The ontology contributes to the development of the prescriptive model for CoRiMaS. It is used especially as common standard syntax in the knowledge management (KM) process phases in the developed model.
The conceptual framework and the descriptive model provide the initial two building blocks for the prescriptive process model. The third block is related to the detailed requirement analysis, which is elaborated in this paper.

Requirement Analysis
The requirement analysis comprises the extraction of opportunities/benefits, barriers/challenges, and essential aspects for implementing CoRiMaS. This is the third building block for the prescriptive process model. The focus groups, as well as the online survey study covering the BSR, were used for this analysis.

Focus Groups
Two focus groups were organised with European experts in the BSR to determine the challenges, barriers, opportunities, and requirements for implementing cooperative RM in seaports. The focus groups comprised representative stakeholder categories, including authorities, terminal and port operators, and researchers from Germany, Sweden, Finland, Estonia, and Lithuania.
Focus groups, according to Kitzinger [41], are a form of group interview that is based on the communication between a group of experts and research participants in order to generate data. In focus groups, group interaction is explicitly part of the method: participants are encouraged to talk to each other by asking questions, sharing anecdotes, and commenting on their experiences and viewpoints. This method is useful for exploring people's knowledge and experiences, and it can be used to examine how people think and why they think that way. Diversity in a group that comprises people from different fields can maximise the exploration of different perspectives within the group setting. The conducted focus groups consisted of representative stakeholders such as port and terminal operators as well as rescue services. The focus group results are used as an input for the online survey.

Online Survey
The online survey was carried out based on a structured approach comprising six steps: survey development; pilot testing; creation of respondent list; survey initiation, distribution, and administration; survey response and data handling; survey analysis (see Figure 3). The survey questions were developed based on an ordinal scale that has ordered categories where variables have an explicit hierarchy in the response choices. Four ranking questions were posed to extract the top opportunities, benefits, barriers, and challenges, as well as specific requirements for the prescriptive process model of CoRiMaS. The survey questions were translated into five different languages (English, German, Lithuanian, Polish, and Estonian). The translation process enabled the targeting of a larger set of stakeholders in the BSR. After implementing the survey questionnaire in the online survey tool LimeSurvey, the survey was sent to 12 experts for piloting. Pilot surveys help in identifying problems regarding the questionnaire, the interface, and related implementation methods. The survey questionnaire was developed to address different stakeholders involved in activities related to the RM in major seaports of the BSR. The major seaports of Estonia, Finland, Germany, Lithuania, Poland, and Sweden were identified by experts from each respective country. A thorough online search was conducted by visiting the websites of the identified major seaports and information about the identified stakeholders was collected. This was carried out to develop the list of respondents, and a sample size of 2035 was prepared for the next step.
The survey was initiated in LimeSurvey, and the survey link was distributed via email. A distribution email was followed by another email as a reminder one week later, since reminder e-mails can increase receptivity and response rate. The survey ran for two months (November 2018 to January 2019). A total of 265 responses were received, representing a response rate of 13%. Of those 265 responses, 157 were incomplete, and 108 were complete full responses that were considered valid for analysing the data. The data was analysed using Microsoft Excel.

Prescriptive Process Model
The conceptual model developed in this dissertation follows a prescriptive process approach. A conceptual model is "typically based on or guided by theory and grounded in reality to make it directly applicable for the context and setting being studied. This has the distinct advantage of being able to incorporate theory with other factors that have a bearing on the unique aspects of this specific situation" [42]. Prescriptive process models have been recommended to optimise and organise the design process. These models can be represented using flow charts of the steps that should be followed [43].
The prescriptive process model is based on the notions of flowcharts and rules defined by the Unified Modelling Language (UML), which is a general-purpose visual modelling language that is used to specify, visualise, construct, and document the artifacts of a software system. Various authors have utilised standard flowcharting symbols for inputs, processing, output, data stores, and connectors (see [44]). Table 2 presents the selected flowcharting symbols for the intended modelling in this study.

Table 2. Flowcharting symbols (own illustration).
Symbol descriptions:
Start/End of a process.
Process.
Subprocess.
Decision that has two outputs.
Input/output.
Off-page connector.
Direct logic flow from one element to another element.
Dependency flow that presents the relationship between two elements.
Return value from a database.

The prescriptive process model uses the dependencies presented in Table 3, based on [45], to connect different dependent processes or process elements together. The dependency element was incorporated into the development of the model since changes, for example, in several steps of the RM process, can supply or affect the information needed by one or several step(s) of the knowledge management process.

Table 3. Type of selected dependencies (own illustration based on [45]).
Dependency | Function | Keyword
Usage | Statement that one element requires the presence of another element for its correct functioning. | <<use>>
Import | Permission of an element/process to access the content of another element/process. | <<import>>

Requirement Analysis
This section elaborates and analyses the requirements for cooperative RM in seaports. The requirements are analysed based on the opportunities, benefits, barriers, challenges, and specific requirements for implementing the prescriptive process model. The detailed analysis is based on two focus groups and the survey study in the BSR region comprising 108 full responses.

Opportunities and Benefits of Cooperative Risk Management in Seaports
The opportunities and benefits that could be achieved by implementing cooperative RM in seaports can be grouped into three subcategories: knowledge transfer, efficiency, and standardisation. These subcategories are represented by the sharing of knowledge and information among experts in the field of RM: a two-way communication approach with high efficiency, and a process with standard, harmonised methods for RM. All aspects collected from the conducted focus groups are summarised in Table 4. The stakeholders in the BSR region in the online survey were asked to rank the opportunities and benefits of implementing cooperative RM according to their importance. The most important ones are (1) clear tasks and responsibilities and (2) the possibility of having an efficient and short method of communication. Figure 4 illustrates the frequency counts for the aspects that were ranked as highly important.

Barriers and Challenges of Cooperative Risk Management in Seaports
The list of barriers and challenges for CoRiMaS was extracted from the focus groups, as listed in Table 5. The barriers and challenges of implementing CoRiMaS concern legalisation and change management. A high-level discussion is required with ministries and port authorities in this regard. Furthermore, there is no dominant actor who can manage and monitor the RM process at the seaport. Different standards and regulations for RM also exist, thus causing complexity in following a uniform approach. The stakeholders in the BSR were asked to rank the barriers for cooperative RM according to their importance. The most important barriers are (1) the absence of a central actor who can control and manage the process of RM and (2) the large amount and high complexity of legislation. Figure 5 illustrates the frequency counts for the barriers that were ranked as highly important.

Requirements of the Prescriptive Process Model for Cooperative Risk Management in Seaports
A list of requirements for the model was extracted from the focus groups, as listed in Table 6. The table lists the specific requirements related to, for instance, standard risk assessment methods and risks that could occur at seaports. The model should provide a common view of RM with all associated steps and suitable methods for identification, analysis, and evaluation of risks. An additional desired requirement is the provision of a communication approach that allows for interaction with other stakeholders. A related question was posed in the compact survey to rank several aspects of the implementation of cooperative RM in seaports. Figure 6 presents the distribution of aspects according to the highest value on the ordinal scale (extremely important). As the figure illustrates, the stakeholders placed high emphasis on the aspect related to the definition of responsibilities and tasks concerning RM activities. The definition of mutual measures, joint training and exercises, and knowledge generation and transfer also scored highly, while the other aspects received relatively moderate values compared to the aforementioned aspects. This section provided a detailed analysis of the requirements that need to be tackled for developing the prescriptive process model for cooperative risk management in seaports. The model and its elements are elaborated in the following.

Process Model
In this section, the overall prescriptive process model is presented based on the conceptual framework, the descriptive model, as well as the gathered requirements from the empirical study. Afterwards, each component of the model is presented using a process flowchart.
The model comprises five components that are linked with one another, as illustrated in Figure 7. The model requires an overall input represented by the seaport type and structure. The prescriptive process model presents all steps and aspects related to stakeholder analysis, risk governance, RM, and KM. In the following subsections, each process and aspect are elaborated. To examine the structure of stakeholders, it is important to determine the organisational type of the seaport (e.g., a landlord, public service, tool, or private service port model). This will aid in the determination of the public or private ownership and the roles in the port. For instance, in a landlord model, the public sector acts as the developer, planner, facilitator, and regulator, providing connectivity to the hinterland, whereas the private sector serves as the operator, service provider, and sometimes a developer [46].

Specialisation Type
Each seaport specialises in handling specific types of cargos. For instance, the Port of Hamburg is a universal port that handles all forms of cargo, including bulk, break-bulk, and container cargo. Other port types include, for instance, container, bunker, and multipurpose ports [47]. The specialisation type influences the different risk sources that could occur at the examined seaport. It also influences the different local, national, and supranational regulations that should be followed based on the type of cargo being processed, for instance EU regulations related to dangerous goods as well as other International Maritime Organisation (IMO) regulations (e.g., oil spill response).

Water Access Type
Tidal ports are exposed to fluctuations in water levels and, hence, have risk sources associated with storm surges and heavy rain that cause floods. Therefore, it is important to determine whether the examined seaport is tidal or non-tidal and whether it is connected to an inland port with waterways. Directive 2007/60/EC on the assessment and management of floods requires member states to analyse and evaluate whether any water courses and coast lines are exposed to flooding risk [48].

Stakeholder Analysis
The network of stakeholders should be defined to facilitate cooperation in RM. The network is based on the seaport type and structure, and all relevant internal and external stakeholders should be identified. Port internal stakeholders who perform RM activities at the seaport should be highlighted. These stakeholders are identified in the model as primary or core stakeholders for RM.
All other stakeholders who contribute or benefit from the RM activities carried out by the core stakeholders should also be identified. They are considered to be secondary stakeholders for RM. Moreover, the list of stakeholders should be continuously updated in a shared database, and all previously created, shared, and transferred knowledge should be utilised in this step. Each core stakeholder should identify the risk owner(s) in their organisation whose task is to ensure that risks are managed properly. The risk owner(s) in each organisation should focus on the management of risks that fall under their area of responsibility (e.g., handling of dangerous goods, floods, and oil leakage). Risk owners, as defined by [28], are "individuals who have the accountability and authority to manage risk".
Risk owners should be included in a shared database that lists their roles and responsibilities concerning RM in seaports. All previously created, shared, and transferred knowledge should also be utilised in this step. Figure 8 presents the stakeholder analysis process. The process model highlights the usage of knowledge creation, transfer, and sharing processes to utilise already documented knowledge concerning the list of stakeholders, as well as the roles and responsibilities of risk owners. The stakeholder analysis offers essential input for risk governance in seaports. It enables the identification of the process and risk owners that contribute to each phase of the risk governance process. Continuous monitoring of participating stakeholders should be ensured to facilitate the creation of a comprehensive list of roles and responsibilities for RM.

Risk Governance
Based on ISO 31000 [28], the effectiveness of RM relies on its integration into the organisational governance, including decision-making. The risk governance process is displayed in Figure 9. Analysing the internal and external context also yields important input for the risk governance process. The internal context includes, for instance, the strategy, objectives, and policies of the organisation, while the external context includes, for instance, legal, economic, technological, and social factors [28]. The risk governance in the model covers the seaport in general as well as the risk governance process in each organisation.
This risk governance process should consider context-related changes that may affect the expected impacts in terms of nature, probability, and magnitude. For example, unexpected new risks can arise from established technologies, products, or processes in evolving contexts [49]. Furthermore, local, national, and supranational regulations as well as international standards (e.g., ISO 31000) should also be considered. Each step of the risk governance process at seaports should be linked with three principles: communication and inclusion, integration, and reflection [50].
Here, the communication and inclusion principle refers to exchanges between policymakers, experts, and other relevant stakeholders to provide a basis for trust and mutual support for the responsible governance of risks. The main objective is to involve stakeholders in risk-related decisions, and here, inclusion describes the process of whom and what to include, covering the whole process from the framing of the problem and the establishment of measures, to the evaluation phase, and finally to the joint generation of a conclusion. Various conditions should be met to achieve these goals, such as a common understanding of the consequences of the risk and the possible countermeasures, and involvement of all major stakeholder groups, such as authorities and terminal operators. By fulfilling these requirements, the included stakeholders will develop faith in their competencies and will begin to trust one another in the RM process.
Integration refers to the synthesis and collection of all relevant information, especially scientific knowledge, which aids in the assessment and treatment of uncertain and/or complex risk sources. The communication and inclusion principle is a supportive mechanism for the reflection principle, which requires involved stakeholders to achieve a collective reflection regarding the pros and cons of every step of the risk governance process [50].
Within risk governance, a process owner should be defined, whose responsibility is to lead the strategic and decision-making levels of cooperative RM during prevention and response. According to ISO 9004 [51], the process owner can be defined as the person who has "defined responsibilities and authorities to determine, maintain, control and improve the process and its interaction with other processes it impacts and those that have [an] impact on it". The process owner can be a person or a team and is considered to be a central stakeholder for the coordination process among risk owners in each organisation. Therefore, the identification of the process owner is an important step of the risk governance process.
Furthermore, the process owner should select suitable communication means for the inclusion of stakeholders in the risk governance and management process. Thereafter, a standard process for RM can be selected based on available standards and guidelines. A standard process enables efficient coordination among process and risk owners during each phase of the RM process. Once a process is defined, the process owner, along with top management in each core stakeholder organisation, should ensure the allocation of appropriate resources for RM, such as documented processes and procedures, and professional development and training needs (see [28]).
Discussion about and reflection on the defined and/or implemented methods, measures, and process should be carried out during the monitoring and review phase to guarantee an efficient use of resources. Based on ISO 31000 [28], the purpose of monitoring and review is to evaluate and improve both the quality and the effectiveness of process design, implementation, and outcomes. At this stage, the overall RM process should be monitored and evaluated, and the content of proactive and reactive RM processes should be imported.

Risk Management
Here, RM is subdivided into two main processes: proactive (prevention) and reactive (response) processes (a similar categorisation is followed in [52,53]). Both processes are interlinked and interdependent, and cooperation aspects such as the joint development and definition of methods, emergency plans, and measures are incorporated into the proactive and reactive processes.

Proactive Process (Prevention)
The proactive process includes the definition of prevention measures as well as emergency plans and countermeasures for the identified risks. Figures 10-12 illustrate the process model for the proactive process. The process requires important inputs from the risk governance procedure. These inputs include the selected RM process and the corresponding process owner. The list of risk owners as well as their roles and responsibilities for RM are utilised here based on the stakeholder analysis process.
The process starts with the selection of a risk group classification (e.g., operational, safety, or environmental risks). Each risk group should be connected to a risk catalogue, which lists all identified risks that fall under the main risk group. Stakeholders' roles and responsibilities, defined in the stakeholder analysis process, are filtered based on the corresponding risk source, and all previously created, shared, and transferred knowledge should be utilised in this step.
Then, the risk identification process begins by analysing the examined risk within the specific risk category (e.g., environmental risks). If the risk is already identified, then the corresponding risk owner should be selected; otherwise, the risk catalogue should be updated with the new risk, and a risk owner should be assigned to the newly identified risk. In this phase, risk identification methods should be used. These methods, such as brainstorming, root cause analysis, or the Delphi method, can be selected in advance to aid in the identification of new risks. Any additional risks identified should be added to the current risk catalogue. Based on the risk group classification, adequate methods (including online tools such as simulation tools) to analyse and evaluate the examined risks should be selected.
New risk assessment methods should be made available and selected within the circle of assigned process and risk owners. For instance, risk owners should consider using methods from predictive analytics, such as predictive modelling. These methods should be connected to an online RM methods database, which describes their usage and properties. The risk analysis phase should then utilise the methods extracted from the previous step to analyse the causes, the consequences, the occurrence probability, and the severity of consequences. Previously created, transferred, and shared knowledge is important for this phase. Furthermore, the risk owners should organise workshops and meetings to mutually analyse and evaluate the identified risks. The subsequent risk evaluation phase depends on the output of the analysis phase. The risk owner here should determine the risk class and priorities for treatment based on internal and external meetings.
Emerging risks can become familiar risks over time through information gathering and effective management [49]. Therefore, mutual meetings, workshops, and knowledge transfer are crucial. For instance, expert panels can provide helpful input in all phases of the RM process.
Next, the risk treatment should define the required strategies for the identified risk. Based on the selected strategy, suitable preventive or emergency plans and countermeasures should be mutually defined with the responsible risk owners. Definition of measures and emergency plans should then be documented in a shared database to enable their usage when required. The knowledge sharing process should determine which of these measures and emergency plans are confidential and can, hence, only be shared with selected stakeholders.
After defining the emergency plans and countermeasures, the communication means and devices should be identified in advance to achieve an efficient response process. These include radio devices, online solutions, mobile applications, emails, and phone calls. All involved stakeholders should be familiar with the usage of such communication means and devices. This identification will aid, for instance, in defining the order of implementing the countermeasures and emergency plans.

Reactive Process (Response)
The response phase of RM includes the implementation, monitoring, and evaluation of countermeasures and emergency plans that have been defined in the proactive process for each risk source. Therefore, this process should utilise the content of the proactive process for its successful execution. Once the required countermeasures and/or emergency plans have been selected, they should be implemented according to their operational sequence to mitigate the occurred risk.
The process owner should initiate the process by classifying the risk source based on the developed online risk catalogue. The responsible risk owners should then be selected based on the documented roles and responsibilities. As previously mentioned, these risk owners should select suitable communication means and devices that have been defined in the proactive process.
The risk treatment phase in the reactive process should implement the suitable countermeasures and emergency plans that can be extracted for the corresponding risk. The knowledge application process is utilised in this stage. The monitoring and review phase starts after the situation is recovered in order to review the process and monitor the effectiveness of the implemented measures and/or emergency plans. Figures 13 and 14 present all corresponding steps of the reactive RM process.

Monitoring and Review
After successful mitigation of the risk, the implemented countermeasures and/or emergency plans should be monitored to analyse their effectiveness in mitigating the corresponding risk. The process and risk owners for the corresponding risk source are responsible for the review and monitoring in this stage. Suitable monitoring procedures can be extracted from a shared database of RM methods.
The preventive measures, countermeasures, and emergency plans in seaports should be mutually discussed to select suitable options for further consideration and to reject unsuitable ones. A scheduled workshop or meeting should be held with the involved stakeholders and should focus on the extracted lessons learned and potentials for improvement. Knowledge can be applied from previous meetings and/or documented measures. Furthermore, internal audits and EU inspections, for instance, can be utilised in this phase.
The online database for measures and emergency plans should be updated in case of any adjustment after the monitoring and evaluation process. This corresponds to the knowledge creation, transfer, and sharing processes. The monitoring and review step is integrated into the reactive RM process as illustrated in Figure 14.

Communication and Consultation
Communication and consultation with internal and external stakeholders are essential aspects that should be carried out throughout all steps of the RM process. Communication aims to increase both awareness and understanding of risk, whereas consultation focuses on obtaining feedback and information to support decision-making [28]. The exchange of data and information; the dissemination of risk-related issues; the sharing of best practices and experiences; the provision of information; the issuing of warnings about natural disasters, dangerous goods, and other operational and environmental risks are examples of aspects that should be communicated with internal and external stakeholders.
The process and risk owners should coordinate and organise meetings where experiences and best practices are shared and discussed. This supports building a sense of ownership and inclusiveness among those affected by risks [28].

Knowledge Management
Each phase of the KM process is connected to the stakeholder analysis process as well as to the proactive (prevention) and reactive (response) processes of RM. This section elaborates on the process steps of each phase.

Knowledge Creation and Transfer
Input for knowledge creation and transfer comes from the stakeholder analysis process as well as the proactive and reactive RM processes.
The risk and/or process owner(s) should organise workshops, exercises, and/or training for specific scenarios (e.g., explosion of dangerous goods, oil leakage, fire on ships), which would facilitate the knowledge externalisation process, where implicit knowledge is codified. A common syntax for the risk terminologies, process, and stakeholder structure should be guaranteed here. This includes, for instance, a common syntax for the RM phases.
Any documented guidelines and information that are shared online and offline facilitate the combination process, where already explicit knowledge is combined, structured, and made available for other stakeholders. A combination can also result from organising meetings, workshops, training, and exercises, by combining documented lessons learned and discussion points into more structured, complex, and systematic knowledge that can be made available for other stakeholders. Figure 15 presents the knowledge creation and transfer process.

Knowledge Sharing and Application
Knowledge sharing and application are connected with each other. Knowledge, once retrieved, can be applied to a specific scenario.
The process of knowledge sharing depends on two actors: a knowledge provider and a knowledge seeker. The knowledge provider (e.g., risk owner) can type in relevant information, such as risk categories, methods, measures, and emergency plans, which is then stored in an online knowledge reservoir based on a storage process. The mechanism of the storage process should be analysed to determine the stakeholders who are allowed to save and/or retrieve specific data, and an automatic backup process should be ensured. For instance, the storage process can be carried out by selected risk owners who update the online database, and it should be monitored by the process owner and responsible IT staff. An important aspect here is the confidentiality of data and information.
The online documentation of risks, methods, measures, communication means and devices, and lessons learned should be carried out on a secured server that is managed by the process owner (e.g., port authority or ministry of interior). Any confidential information/data that cannot be shared can be stored offline, and only non-confidential information/data can be shared online with other risk owners at the seaport. Figure 16 presents the knowledge sharing process.
Knowledge seekers (e.g., core or secondary stakeholders) might request certain data from the knowledge reservoir to aid them in carrying out RM-related and/or dissemination activities. The knowledge provider might not share any confidential information online, and some of this knowledge might only be available to certain stakeholder clusters.
The knowledge application process is presented in Figure 17. The shared knowledge is utilised based on online or local storage processes, and it is applied based on a specific scenario. Moreover, relevant information is retrieved from the online knowledge reservoir, in case of online storage, or offline from a local server.
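The storage and retrieval rules described above, sketched as an added example (it is not code from the paper or from the HAZARD project): selected risk owners may store entries, confidential entries stay on the provider's offline store, restricted entries are visible only to named stakeholder clusters, and every action is logged for the process owner and IT staff. The three sensitivity levels, the cluster labels, and all class and function names are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Sensitivity(Enum):
    PUBLIC = 1        # shareable online with every risk owner at the seaport
    RESTRICTED = 2    # online, but only for named stakeholder clusters
    CONFIDENTIAL = 3  # kept on the provider's local (offline) store only


@dataclass(frozen=True)
class Stakeholder:
    name: str
    cluster: str             # hypothetical cluster label, e.g. "authority"
    may_store: bool = False  # only selected risk owners update the reservoir


@dataclass(frozen=True)
class Entry:
    entry_id: str
    risk_category: str
    body: str
    sensitivity: Sensitivity
    clusters: frozenset = frozenset()  # consulted only for RESTRICTED entries


@dataclass
class KnowledgeReservoir:
    online: dict = field(default_factory=dict)
    offline: dict = field(default_factory=dict)  # keyed by provider name
    audit: list = field(default_factory=list)    # reviewed by process owner / IT

    def store(self, actor, entry):
        if not actor.may_store:
            self.audit.append((actor.name, "store", entry.entry_id, "denied"))
            raise PermissionError(f"{actor.name} may not update the reservoir")
        if entry.sensitivity is Sensitivity.CONFIDENTIAL:
            self.offline.setdefault(actor.name, {})[entry.entry_id] = entry
            where = "offline"
        else:
            self.online[entry.entry_id] = entry
            where = "online"
        self.audit.append((actor.name, "store", entry.entry_id, where))
        return where

    def retrieve(self, seeker, risk_category):
        hits = [e for e in self.online.values()
                if e.risk_category == risk_category and self._visible(seeker, e)]
        self.audit.append((seeker.name, "retrieve", risk_category, len(hits)))
        return sorted(e.entry_id for e in hits)

    @staticmethod
    def _visible(seeker, entry):
        if entry.sensitivity is Sensitivity.PUBLIC:
            return True
        return seeker.cluster in entry.clusters  # default deny without a match


def build_sample():
    """Constructed sample data; names and clusters are illustrative only."""
    authority = Stakeholder("port_authority", "authority", may_store=True)
    operator = Stakeholder("terminal_operator", "terminal_operator")
    res = KnowledgeReservoir()
    res.store(authority, Entry("M1", "dangerous_goods", "Segregation checklist",
                               Sensitivity.PUBLIC))
    res.store(authority, Entry("P1", "dangerous_goods", "Evacuation plan",
                               Sensitivity.RESTRICTED, frozenset({"authority"})))
    res.store(authority, Entry("P2", "dangerous_goods", "Security patrol plan",
                               Sensitivity.CONFIDENTIAL))
    return res, authority, operator
```

The audit list is what makes the storage process reviewable: denied writes and the number of entries returned per request are recorded alongside successful stores.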

Results of the Prescriptive Process Model for Cooperative Risk Management in Seaports
The prescriptive model can guide stakeholders working at seaports by utilising different cooperation aspects during risk prevention and response. The model requires overall input represented by the seaport type and structure. The prescriptive process model presents all steps and aspects related to stakeholder analysis, risk governance, risk management, and knowledge management. The resources and needs of every participating organisation should be carefully analysed to ensure a successful implementation.
Stakeholder analysis yields essential input for risk governance in seaports. It enables the identification of process and risk owners that contribute to each phase of the RM and governance processes. Continuous monitoring of involved stakeholders should be ensured to facilitate the creation of a comprehensive list of core and secondary stakeholders for RM.
Within risk governance, a process owner should be defined, whose responsibility is to lead the strategic and tactical levels of cooperative RM during prevention and response for different risk sources. The risk owner(s) in each organisation should focus on the tactical and operational management of risks that fall under their area of responsibility (e.g., handling of dangerous goods, floods, and oil leakages). The process owner is considered to be the central actor for the coordination process among risk owners in each organisation. Knowledge management is linked with the previous three processes (i.e., stakeholder analysis, risk governance, and risk management) to enable the continuous creation, sharing, retrieval, and application of risk management-related activities.

Implications for Theory and Practice
The results of this paper support the relational view theory, which argues that companies can reduce their vulnerability to the different consequences of risks by investing in interfirm relational arrangements [54]. Furthermore, the comprehensive, structured, and prescriptive model developed in this research will assist researchers in selecting risk management methods and tools for a specific system that benefits from cooperative risk management. It will also assist them in identifying the requirements needed for implementing cooperative risk management. Additionally, the results of this paper support the research of inter-organisational collaboration within the scope of risk management. The developed model presents specific processes, phases, and steps that need to be customised and refined when studying other related systems. Case studies can be a valuable approach here to test the applicability of the developed model both in seaports and in other systems where cooperation takes place.
Cooperative risk management implies that companies should consider various processes and aspects to mutually identify, analyse, evaluate, and monitor risks that occur within a seaport system. It is essential to establish a risk governance process to include all core stakeholders who perform risk management as well as monitor the overall risk management-related activities. Within risk governance, a process owner should be selected, and a standard process with defined communication means and devices should be mutually defined. Best practice is to utilise recognised risk management standards such as ISO 31000 as a guide to define a standard risk management process. A common standard language for risk management decreases equivocality and makes knowledge creation, sharing, and application easy to perform.
A policy implication is to address the usage of developed methods and online tools for CoRiMaS. In this context, the policy should explain how data and information are stored, and which aspects can be shared with other stakeholders. The structured steps in the CoRiMaS model can guide the development of an interactive online tool that can be customised according to the seaport context. Such a tool can be integrated within a port community system and can be linked with existing solutions that solely focus on specific risk sources such as those related to the handling of dangerous goods. It is required to carefully monitor and maintain the storage process in a secured server managed by the process owner. This will allow the secure storage and retrieval of risk-related knowledge among the circle of core stakeholders.

Conclusions, Limitations, and Outlook
Seaports are critical links within supply chains that are often located near residential areas. These seaports can be directly affected by the consequences of operational risk sources and natural disasters such as undeclared dangerous goods and flood, respectively. The diversity and large number of stakeholders at seaports add another level of complexity for risk management that requires a standard approach and clear guidelines. For instance, a clear language for RM as well as roles and responsibilities for RM-related activities should be defined.
In view of the foregoing, this paper aimed to develop a prescriptive process model for cooperative risk management in seaports to enable the stakeholder to manage different risk sources during risk prevention and response. The model is based on a conceptual framework, a descriptive analysis, and a detailed requirement analysis. This research fills the research gap presented in Table 1 that demands studies which focus on developing process models for cooperative risk management at seaports. The limitations and the research outlook of this research are presented in the following.
The requirement analysis carried out in this research was based on focus groups and a compact survey in the BSR. The online survey resulted in 108 full responses out of the 265 responses received. Additionally, several conceptual aspects might not have been included in the development of the model. Furthermore, the developed model was not validated in real case scenarios for risk prevention and response. A qualitative interview study can be used to verify and expand the extracted requirements. An outlook for the research is to develop a demonstrator or a software tool that implements the steps of the process model to facilitate a verification process based on the collected requirements. Additionally, a validation of the model based on a specific validation process is a topic for further consideration in order to test the model design using real case scenarios for risk prevention and response.

Funding: This work was supported by the European Regional Development Fund (ERDF) and the European Neighbourhood Instrument (ENI) within the scope of the Interreg Baltic Sea Region Programme through the EUSBSR flagship project HAZARD (http://blogit.utu.fi/hazard/, accessed on 15 December 2021). Publishing fees were supported by the Funding Programme "Open Access Publishing" of the Hamburg University of Technology (TUHH).

Informed Consent Statement: Not applicable.
Data Availability Statement: Please contact the corresponding author.