A risk management framework for maritime Pollution Preparedness and Response

Several risk management frameworks have been introduced in the literature for maritime Pollution Preparedness and Response (PPR). However, in light of the actual needs of the competent authorities, there is still a lack of framework that is established on a sound risk conceptual basis, addresses the different risk management decision-making contexts of organizations


Introduction
Effective risk management for Pollution Preparedness and Response (PPR) is an essential aspect for ensuring a clean marine environment and the vital interests of states, such as tourism, aquaculture and fishery [1].While the frequency of accidental oil spills has decreased over the past decades [2,3], there is strong evidence that the consequences of such accidents can be catastrophic for the marine environment and coastal communities [4,5,6].Occasionally, these events have also resulted in vast economic losses, as demonstrated by previous large-scale accidents such as Erika (1999), Prestige (2002) and Deepwater Horizon (2010) [7,8,9].A recent example is the grounding accident of the 203,000-DWT bulk carrier Wakashio off the island of Mauritius [10].Therefore, it is necessary to continuously ensure that appropriate preparedness measures are in place at both national and regional levels to facilitate a timely and coordinated response to limit the adverse consequences of accidental oil spills [1].
To support the PPR risk management, several theoretical risk concepts, organizational risk management processes and practical risk assessment tools have been introduced in the literature.In most of the studies, the risk concepts are based on the classical positivism approach focusing on accurate risk measurement, whereas in some of them these concepts are derived from constructivism, addressing in particular the uncertainty aspect of risk [11].The outlined processes for managing risks are thus rather based on the strategy of risk-based decision-making (RBDM) than risk-informed decision-making (RIDM), although the latter represents the current scientific approach [12].In the context of the RBDM strategy, the studies are typically based on different interpretations of the International Maritime Organization's (IMO) Formal Safety Assessment (FSA) [13], see e.g., [14,15,16].On the contrary, the ones established on the RIDM strategy utilize novel approaches, including the ISO 31000:2018 standard on risk management, see [3,17].The tools applied for assessing the risk are often based on the quantitative approaches, focusing on the probabilities or consequences of accidental oil spills [18,19,20].Yet, some qualitative approaches have also been used, including modern ways for assessing the uncertainties [21,22,23].Overall, the importance to provide academic contribution for the PPR risk management has been widely recognized across this field and in its different paradigms [24].
In the European Union (EU), national authorities are responsible for the PPR risk management activities in their jurisdictions in accordance with the respective national Oil Spill Contingency Plan [25,26].To reinforce these activities over larger sea areas, regional cooperation agreements have been established between EU member states and other coastal states, such as the Helsinki Convention (HELCOM) in the Baltic Sea area and the Bonn Agreement in the North Sea area.In the context of these agreements, several regional risk assessment initiatives have also been implemented, such as HELCOM BRISK and BRISK-RU in the Baltic Sea (2009)(2010)(2011)(2012) as well as BONN BE-AWARE I and II in the greater North Sea (2012-2014), representing important milestones for strengthening the cooperation in this field.Despite the current progress, these joint European risk assessments have also faced wide criticism for various reasons, including e.g., the lack of systematic and harmonized approaches, and challenges in implementing the risk assessment results [27].
Recently, the EU established a project called OpenRisk, the aim of which was to tackle these subjects of criticism [28,29].During the early stages of the project, the following observations were made regarding its roots [30,31].Firstly, the risk concepts of the PPR authorities are not consistent.For instance, some of them comprehend risk only as a probability of an unwanted event, while others view it as a combination of probability and the consequences of such an event.The same problem related to the lack of a unified risk concept applies also to the risk assessment tools of this field, as many of them are based on different risk definitions or metrics.Second, the decision-making contexts, where the PPR authorities are interested in using risk-related information in their organizational processes, are not similar across the European countries.It was found that these can range remarkably from short-term screening to long-term strategic planning.Third, to provide risk-related information for these different decision-making contexts, a set of various risk assessment tools is needed, including guidelines to assist the PPR authorities in selecting appropriate tools for their particular risk management questions.
These observations are relevant also from a scientific point of view.Regarding the concept of risk, it has been found that the chosen perspective influences the way that risk is assessed [11].Therefore, it can also have serious implications for risk management and decisionmaking e.g., by underplaying the importance of uncertainties in implementing risk mitigation measures [32].The importance of considering the decision-making context when performing risk assessment has also been emphasized.The most well-known risk management guidelines [33,34,35], and state-of-the-art scientific risk research [32,36], state that there is a strong need to clearly connect risk assessment processes with the particular needs of specific decision-making contexts and organizational processes for implementing the results.With this in mind, there are calls for a new framework to address the limitations of current PPR risk management approaches at the EU level.More specifically, such a risk management framework is needed in this field, which is established on a sound risk-conceptual basis, applicable for different decision-making contexts of the PPR authorities, and able to provide appropriate practical risk assessment tools for their different risk management questions.
To conclude, a wide range of valuable research has already been conducted in the context of PPR risk management activities representing different academic paradigms.However, none of them explicitly addresses the earlier noted needs with respect to the PPR risk management framework.To alleviate the limits of the current approaches, this paper proposes a new solution for this purpose, which was developed in cooperation with the competent authorities and other maritime experts through an extensive literature review and a series of workshops.The proposed risk management framework is based on the RIDM strategy and consists of three aligned components.The first component provides a unified theoretical risk concept to the framework.Its purpose is to tackle the problems associated with the co-existence of a multitude of risk concepts in this field.The second component includes systematic and flexible risk management processes.This addresses the different risk management decision-making contexts of the PPR authorities.The third component contains a set of practical risk assessment tools.Its aim is to generate information for various risk management questions of the competent authorities.
The remainder of the paper is organized as follows.Section 2 presents the theoretical background of the proposed framework.Section outlines the development process of the framework.Section 4 presents the results of the framework development process.Section 5 showcases the framework implementation.Section 6 discusses the strengths and challenges of the framework and the case study.The final Section provides conclusions and points to opportunities for future research.

Theoretical background
This chapter outlines briefly the RIDM strategy and the literature related to three key components of the proposed PPR risk management framework: i) theoretical risk concepts, ii) organizational risk management processes, and iii) practical risk assessment tools.The three components are also closely linked to one another.More specifically, the first component sets the scope and conceptual understanding for the risks that PPR organizations seek to assess and manage.The second component addresses how risk management can be systematically and effectively linked into organizational processes.The third component provides practical tools for the organizations risk assessment processes to generate information for their particular risk management questions.

Risk-informed decision-making strategies
During the past two decades we have seen an evolution from RBDM to RIDM strategies [37].The main reason for this paradigm shift is the new way of thinking, where risk assessment models are considered as non-predictive rather than predictive [38,39,40].In terms of validity and reliability, it has been argued that the focus should be on uncertainty treatment in order for a risk assessment to be valid, whereas it should not be expected that analyses performed using different methods or analysis teams provide the same results [41].On the other hand, in this context it has also been stressed that risk assessments are still useful to support decision-making, but that the expectations of modeling and analysis efforts should be more modest [11,42].As Aven and Zio [43] have noted, the value of risk assessment is not in the attempt to accurately measure risks, and its results should not be used directly as a basis for decision-making.Rather, the value of risk assessments lays in broadly and systematically characterizing the available knowledge base and its associated uncertainties.
Considering the above, the proponents of the RIDM strategy suggest further that the results of risk assessment models are only one part of the decision-making process, and need to be set into a wider context as appropriate [44].To this end, managerial judgement processes [45], or a more extensive deliberative process, can be used involving multiple stakeholder groups [46].Such processes aim to consider the quality aspects of risk-related information transparently, as well as to incorporate other managerial and stakeholders concerns, such as political and financial matters [37,45].In terms of quality, Aven and Zio [43] suggest considering i) the reliability and validity of the risk description, ii) the strength of the knowledge that the risk metrics are based on, and iii) the potential for surprises relative to the knowledge.For more criteria, see e.
V. Laine et al. g., [47].Overall, the results of risk assessment should be in line with the mental models and heuristics of the decision-making process participants, or these should be used as an attempt to change their mental models and heuristics [48].

Concept of risk
The concept of risk is the cornerstone of the entire risk field, as it sets the scope and purpose for its activities [49].Therefore, it also defines the risk that organizations seek to assess and manage through different strategies, including the earlier noted RBDM and RIDM.Since the beginning of this academic field, a substantial number of attempts have been made to describe the meaning of the risk concept within different paradigms [49].
In the classical positivism, risk is considered as an objective feature of a system, which can be identified, analyzed and evaluated precisely against the preset criteria [50].Hence, the results of risk assessment are considered an approximation of an absolute truth and free of value judgments [51].The most well-known risk definition of this paradigm is probably the one of Kaplan and Garrick [52], which defines risk as a set of triples R = {Si, Pi, Ci}, where Si is the i th scenario, Pi is the frequentist probability of that scenario, and Ci is the consequence of the i th scenario, i = 1,2 … N.
By contrast, the constructivism rejects the idea of risk as an objective thinga thing in itself, which is independent of the people assessing or experiencing risk [11].Therefore, it also rejects the view of risk assessments approximating a truth.In this paradigm, the role of individuals and how they judge risk is emphasized, as humans tend to see the world differently [53].On the other hand, its supporters also acknowledge that these so-called human mental risk models may still be inter-subjectively objective [54].
A well-known risk definition of the constructivism approach is the one of Aven and Renn [55], which defines it as a set of triples R = {C´, Q, K}, where C´stands for events/consequences, Q is the associated uncertainty, and K is the knowledge on which Q is based.
Despite that several efforts have been made under different paradigms, no author has managed to define what is risk in a generally accepted way and the task is currently considered unrealistic [32,56].Therefore, the Society for Risk Analysis (SRA) has proposed an approach that allows different perspectives on risk, while making a sharp distinction between qualitative definitions and associated measurements [32].The following summarizes the risk definition text from SRA [56]: 'We consider a future activity […], and define risk in relation to the consequences of this activity with respect to something that humans value.

The consequences are often seen in relation to some reference values […], and the focus is normally on negative, undesirable consequences. There is always at least one outcome that is considered as negative or undesirable.'
The SRA glossary also lists seven qualitative risk definitions and six metrics/descriptions, which are all in line with this broad risk definition.The approach is applicable for the ISO 31000:2018 standard [56], for instance, where risk is defined as 'the effect of uncertainty on objectives' [33].

Risk management processes
The aim of the risk management process is to ensure that the associated tasks of organization are integrated into its overall activities systematically and effectively [33].Risk assessment, on the other hand, is focused on providing information for risk management and the associated decision-making [45].In the scientific research and professional context, several processes have been also introduced for the risk management of different disciplines and industrial sectors.These approaches are primarily based on the RBDM strategy in both science and practice, although the RIDM strategy represents the current state-of-the-art [12].
In the context of PPR risk management, the suggested processes are also typically founded on the RBDM strategy.The different interpretations of the FSA have been a dominant approach in this field for decades, focusing on traditional risk quantification and cost-benefit decision-making principles, see e.g., [14,15].However, there are also indications of a growing interest on the RIDM based approaches, especially on the ISO 31000:2018 standard.In the study of Neves et al. [3] this standard has been applied for assessing the risk of an accidental oil spill off the coast of Lebanon, while Landquist et al. [17] have used it in the context of environmentally hazardous shipwrecks.Importantly, in the study of COWI [57] it has been also recommended to utilize the standard for harmonizing the current risk management practices of PPR organizations at the European level.
To describe the ISO 31000:2018 standard from the RIDM perspective, the following examples can be used.Firstly, the standard notes that any limitations and uncertainties associated with risk assessment results should to be considered explicitly [33].Second, it emphasizes that the decisions supported with risk analysis should take account of the wider context and the actual and perceived consequences to external and internal stakeholders [33].Such topics are not particularly addressed in the FSA based risk management approach, although they are considered to be important in the contemporary thinking, see Section 2.1.
Regarding the ISO 31000:2018 standard based risk management process, it follows approximately the same logic as the COSO Enterprise Risk Management Framework and the AS/NZS 4360 Risk Management Standard [58].The process is thus divided into the following five stages [33], see Fig. 1.
1. Establishing the context, which defines the basic parameters for managing risk and sets the scope and criteria for the rest of the process, including decision-making.2. Risk identification, where hazards, threats, possible failures and unwanted events associated with the system or activity are found, recognized and described.3. Risk analysis, where the aim is to comprehend the nature of risk and its characteristics including, where appropriate, the level of risk.4. Risk evaluation, the purpose of which is to support decision-making via comparing the results of the risk analysis with the established risk criteria to determine where additional action is required.5. Risk treatment, the aim of which is to select and implement options for risk mitigation.
Finally, it should be noted that while several authors have critically examined the ISO 31000:2018 standard as a whole [59,60], it has been used in various research applications and organizations [61,62].Overall, the standard provides a consistent basis to manage and assess the risks that could jeopardize the objectives of organization [12].

Risk assessment tools
Risk assessment tools are practical solutions for executing the different stages of the risk assessment process: risk identification, risk analysis and risk evaluation.Their purpose is to generate information, which can be used to support risk management and associated decisionmaking [45].This process may be performed in varying degrees of depth and detail, using one or several tools ranging from simple to complex [33].
In the context of PPR risk management, the tools used for different stages of the FSA-based risk assessment process include e.g., Checklists and HAZOP-techniques for the risk identification, Fault Tree Analysis and Event Tree Analysis for the risk analysis, as well as FN-Curves, Cost-Benefit Analysis and ALARP-techniques for the risk evaluation.For a comprehensive review of the available tools for maritime waterway risk analysis, see e.g., [18,20,24].Most of these same tools can also be applied for the ISO 31000:2018 standard based risk assessment process [63], but the principle of using their results in the context of decisionmaking is not the same, as discussed in Section 2.1.
Recently, Goerlandt et al. [28] and Laine et al. [29] have also proposed a set of open-source risk assessment tools to support the PPR risk management.Some of these tools are commonly applied in the traditional FSA-based risk assessments, such as IWRAP Mk II, BowTie and Cost-Benefit Analysis, whereas others represent novel approaches, including e.g., ERC-M, FRAM and Strength of Evidence Assessment Schemes.This so-called OpenRisk Toolbox can be used to cover the different stages of the ISO 31000:2018 standard based risk assessment process, while also taking into account the various risk management questions in this field.

Risk management framework development process
This chapter outlines the development process of the proposed PPR risk management framework by introducing the stakeholder groups and describing the four-stage process that was used for this purpose.

Stakeholder groups
Although the authors took the main responsibility for developing the new PPR risk management framework, a key feature of this process was the cooperation between PPR and maritime authorities, academics and other relevant stakeholders during the EU-OpenRisk project in 2017-2018.As shown in Table 1, a total of 100 stakeholders participated in four workshops that were organized during the project, representing a wide range of national and international organizations from different countries and areas of expertise.
The main group of the workshop participants consisted of authorities working in the fields of PPR and maritime safety.This included representatives from the European coastal states and intergovernmental organizations, such as the European Maritime Safety Agency (EMSA) and the International Association of Marine Aids to Navigation and Lighthouse Authorities (IALA).As the end-users of the risk management framework, their primary role was to ensure that it is in line with its objectives, and that these are achieved.However, it is worth noticing that none of the governmental bodies represented coastal communities, who could face the immediate consequences of an accidental oil spill and thus loss their source of livelihood.
The other main group were academics, working in the fields of maritime safety and risk management.This concerned representatives from universities and research institutes, including e.g., the University of Helsinki, Hamburg University of Technology, and the Marine Environmental Pollution Research Center of the Republic of Korea.As scientists specialized in the areas of interest, they supported the framework development with analytical and conceptual expertise.Furthermore, many other organizations provided valuable contributions to this work based on their particular expertise, such as the European Joint Research Centre (JRC) and the Det Norske Veritas-Germanischer Lloyd (DNV-GL).

Development process
The development process of the PPR risk management framework encompassed four stages: I) acquisition of the background information, II) configuration of the framework settings, III) design of the framework, and IV) amendment of the scientific component, see Fig. 2. Stages I-III were carried out during the EU-OpenRisk project, while the final stage was made afterward to further strengthen the scientific basis of the framework.

Stage I: acquisition of the background information
The aim of the first stage was to collect background information for the framework design.The focus was on joint European oil spill risk assessments, which have faced wide criticism in national and regional PPR organizations.To have more detailed information about their shortcomings, the authors analyzed the reports of the BRISK & BRISK-RU [64,65], BE-AWARE I & II [66,67] and MEDESS 4-MS [68] projects, and discussed their issues in the Inter-Secretariat meeting of European regional PPR organizations in April 2017.Based on the results, the main critical points can be summarized as follows [27]:

Table 1
Organizations of workshop participants and their geographical locations.• lack of systematic and harmonized approaches for different decisionmaking contexts; • lack of transparency in the conceptual and methodological basis of the tools used in the risk assessments; • lack of comparability of risk assessment results across geographical areas and over time; • high costs of implementing regional risk assessments; and • challenges in implementing the risk assessment results, both at the Member State and regional cooperation level, especially when different authorities are involved.

Stage II: configuration of the framework settings
This second stage focused on configuration of the framework settings.To execute this task, the criticisms identified in the previous stage were used as a starting point for the work.To overcome these issues, the authors organized the first EU-OpenRisk workshop in June 2017 in cooperation with HELCOM, which addressed the end-user needs concerning the risk-related information and risk management in general.Thirty-three experts from different maritime fields participated in the workshop.Beforehand, they also responded to an associated questionnaire.The key points of the results are as follows [30,31]: • the risk concepts of the PPR authorities and their stakeholders are not consistent, and several risk assessment tools of this field are established on different risk definitions and metrics; • the decision-making contexts, where the PPR authorities are interested in using risk-related information in their organizations, are not similar across the European countries, as they range from short-term screening to long-term strategic planning; and • a set of open-source risk assessment tools is needed to provide information for various risk management questions relevant to PPR authorities, including guidelines to assist the authorities in order to select appropriate tools for their organizational context.

Stage III: design of the framework
The aim of the third stage was to design the risk management framework for PPR organizations.In this task, the issues identified in the previous stage were used as a baseline setting for the work.In order to address them, it was agreed with the stakeholders to design such a risk management framework for this field, which is based on the RIDM strategy and consists of three components focusing on the following topics: • theoretical risk-conceptual basis; • organizational risk management processes; and • practical risk assessment tools.
At this stage, it was also agreed that the last two components are a priority and need to be made in cooperation with the stakeholders, while the design of the theoretical risk concept component is primarily a task for the authors.To execute the associated work, the authors conducted a literature review focusing on the maritime risk management frameworks, risk management processes, risk assessment tools and risk concepts, as well as organized three more EU-OpenRisk workshops and associated questionnaires in cooperation with stakeholders.Following the stakeholders request, the authors also carried out a case study on the Baltic Sea region to demonstrate the practical functionality of the new PPR risk management framework.
The second workshop was co-organized with the Lisbon Agreement Fig. 2. The four stages of the new PPR risk management framework designing process.
V. Laine et al. in October 2017.Firstly, the aim was to discuss the proposal of using the ISO 31000:2018 standard as a basis for the organizational risk management process component.Following the discussion, all 19 participants of the workshop approved the suggestion.Second, the purpose was to consult stakeholders on the risk assessment tools that should be included in the associated component.At this point, some of the potential risk assessment tools were also evaluated in terms of their applicability for executing the different standard based risk assessment steps (risk identification, risk analysis and risk evaluation).As a result of the workshop, the authors received valuable information on both matters, which were instrumental in order to proceed with the framework designing process [28,29,69].
The third workshop was hosted in cooperation with the Regional Marine Pollution Emergency Response Centre for the Mediterranean Sea (REMPEC) in April 2018.The aim was to discuss the proposed ISO 31000:2018 standard based approach, which included four interlinked risk management processes focusing on different risk management decision-making contexts of PPR organizations.In the workshop, some potential risk assessment tools for the associated component were also tested in terms of their usability.As a result, 25 participants of the workshop provided suggestions to improve the current standard based approach and pragmatic information on the tested risk assessment tools [28,70].
The fourth workshop was co-organized with the Bonn Agreement in October 2018.The aim was to introduce the final PPR risk management framework [71] and demonstrate its practical functionality through a case study with the integrated data of the northern Baltic Sea [72].During the workshop, 23 participants provided feedback about the framework, with a general conclusion that it would serve as a useful basis for PPR risk management, overall meeting the stated objectives [73].

Stage IV: amendment of the scientific component
The final stage addressed ways for elaborating the scientific basis of the PPR risk management framework, as it was deemed important to ensure that it is strongly rooted in the contemporary risk-conceptual thinking.To achieve this objective, the authors added a third component to the framework focusing on theoretical risk-conceptual basis.
Following an extensive literature review, it was concluded that the SRA's risk concept could be used for this purpose.With its flexible approach, it was considered possible to harmonize the various mental risk models of PPR authorities and their stakeholders, as well as the risk definitions and metrics of the tools used for maritime oil spill risk assessments.After the amendment of this component, the authors streamlined all three components with one another following the ideas of RIDM strategy.

Overview of the PPR risk management framework
The new risk management framework for PPR organizations is based on the RIDM strategy and consists of three components, see Stage IV of Fig. 2. Its main objective is to alleviate the identified problems in the PPR risk management outlined in Section 3.2.2.This Section 4.1 provides an overview of the framework, while Section 4.2 describes the content of its components and Section 4.3 the components' alignment process in detail.
The first component (C-1) focuses on providing a unified theoretical risk concept to the framework through an interpretation of the SRA's risk approach.Its purpose is to tackle the problems associated with a coexistence of multiple risk concepts in the PPR activities.The second component (C-2) includes four interlinked risk management processes based on the ISO 31000:2018 standard.This addresses the different risk management decision-making contexts of the PPR authorities.The third component (C-3) comprises 23 open-source risk assessment tools from the OpenRisk Toolbox.Its objective is to provide practical risk assessment tools for various risk management questions of the competent authorities.
To comply with the RIDM strategy, there is a further need to align these three components with one another, which is made through a fourphase process, as indicated in Stage IV of Fig. 2. Firstly, the general risk definition of C-1 is used for harmonizing the different mental risk models of the persons involved in the RIDM procedures of PPR organizations.The aim is to reach a common understanding concerning the risk that they seek to assess and manage.Second, the different risk perspectives of C-1 are aligned with the four PPR risk management processes of C-2.The purpose is to specify the risk perspective of the general risk definition, which can be managed through a particular process.Third, the risk metrics/description of C-1 is aligned with four PPR risk management processes of C-2.The objective is to provide a common basis for measuring the risk across four processes, while still allowing the different risks´aspects to be emphasized.In this phase, the four risk management processes of C-2 are also aligned with the risk assessment tools of C-3.Considering the risk metrics/description and the different risk assessment steps of these processes, the purpose is to provide appropriate tools for assessing the risk in each one of them.Finally, the aim is to communicate the C-3-based risk assessment results and associated uncertainties to the persons involved in the RIDM procedures of PPR organizations.In addition, the objective is to set these results into a wider decision-making context as appropriate.

Components of the PPR risk management framework
This section describes the content of three components of the PPR risk management framework: i) the theoretical risk concept component, ii) the risk management process component and iii) the practical risk assessment tool component, see Stage IV of Fig. 2.

C-1: risk concept for PPR organizations
The first component focuses on providing a unified theoretical risk concept for the framework through an interpretation of the SRA's risk approach [56].Its aim is to tackle the problems associated with a coexistence of multiple risk concepts in the PPR activities.For this purpose, the component consists of one general risk definition, four different risk perspectives, and one risk metrics/description.All of them are customized to the context of PPR risk management, and in line with one another.
The SRA's glossary includes a broad general risk definition, which allows different risk perspectives and metrics/descriptions, see Section 2.2.In this component, the general definition is adjusted for the needs of PPR risk management as follows: We consider a future maritime activity and define risk in relation to the consequences of this activity with respect to environmental values and ecosystem services.The consequences are seen in relation to the protection of these values and services, and the focus is on negative, undesirable consequences.
The SRA's glossary also includes seven different risk perspectives with respect to the general risk definition.Four of them are adapted to this component, the interpretations of which are as follows: 1. Risk is the deviation from a reference value of maritime incidents and associated uncertainties 2. Risk is the occurrences of some specified consequences of the maritime activities and associated uncertainties 3. Risk is the consequences of the maritime activities and associated uncertainties 4. Risk is uncertainty about and severity of the consequences of maritime activities with respect to environmental values and ecosystem services Furthermore, the SRA's glossary comprises six different risk metrics/ V. Laine et al.
descriptions.One of them is used for this component, which is based on the triplet R = {C ′ , Q, K}, where C ′ stands for the consequences of maritime activities, Q for an uncertainty measurement associated with C´, and K denotes the background knowledge which supports C´and Q.

C-2: risk management processes for PPR organizations
In the second component, the generic risk management process of the ISO 31000:2018 standard [33] is adapted to the risk management activities of PPR organizations.Its purpose is addresses the different risk management decision-making contexts of this field.Recognizing a variety of reasons for executing a given risk management process, the types of envisaged decisions, and the available resources, four PPR risk management processes are distinguished: basic screening, extended screening, intermittent, and strategic.
The basic screening process aims to monitor the risks in a given sea area, to determine whether there are significant changes in the risk level of maritime transportation activities in a given reference period, see Table 1.A (Appendix).As this process is executed relatively frequently, it is devised so that only few organizational resources are required for its implementation.Following the results of associated risk assessment, this process leads to decisions focusing on whether further risk management activities should be implemented, such as the intermittent or strategic process, or whether the risks can be considered acceptable without additional risk control measures.
The extended screening process focuses on new and emerging risks, which are associated with changes in the internal and external contexts of PPR organizations, see Table 2.A (Appendix).This includes e.g., changes in policymaking, legal framework or maritime technologies, which can result in new hazards from the PPR point of view.The process requires somewhat more resources than basic screening due to the complexity of its scope and context, but the decisions to be made are similar.
The intermittent process addresses accidental oil pollution risks in more detail, leading to decisions addressing actual changes in the PPR system, see Table 3.A (Appendix).In particular, its purpose is to support medium-term decision-making concerning the capacity and organization of the current response fleet, and to assess the performance of the response measures.In this process, decisions typically concern adjustments to existing response measures, e.g., reviewing of operational or training procedures, or replacing particular equipment or assets, which require relatively limited resources within available budgets.
The strategic process focuses on obtaining a holistic picture of accidental oil pollution risk in a given sea area for supporting long-term decision-making related to the capacity and organization of the response fleet, and to assess the performance of the overall response system, see Table 4.A (Appendix).Therefore, the associated decisions can have long-lasting implications to the response fleet or operational procedures, e.g., commissioning of new response vessels or new equipment types, for which additional budgets may be required.Such a risk management process is very complex and resource-intensive, as well as requires extensive analytical expertise and access to a wide variety of domain experts.
These four risk management processes are also linked to one another.The basic and extended screening processes are periodically and continuously performed, with different frequencies, due in part to the different levels of resources required for their successful execution.Depending on the results of the risk evaluation stage in these processes, the risk treatment consists of executing an intermittent or a strategic risk management process, or just continuing monitoring the risk levels through the basic screening process.On the contrary, within the intermittent and strategic processes, the risk treatment consists of actual modifications to the pollution response system.Once these risk mitigation measures are accomplished, the results of the associated risk assessments are used to update the current risk picture of the basic screening process, and the overall process starts from the beginning.

C-3: risk assessment tools for PPR organizations
The third component is focused on providing practical risk assessment tools for different purposes, as needed by the PPR authorities, depending on the decisions to be made, available resources and other information needs.Moreover, the component provides guidance for the authorities to select appropriate tools for their particular risk management questions of interest.To this end, the OpenRisk Toolbox is used; see Table 5.A (Appendix) for tool specifications and associated risk management questions.
As shown in Table 5.A, this component comprises a set of 23 opensource risk assessment tools especially for identifying hazards and analyzing risks of maritime activities.The tools range from simple to complex.Some of them have a proven track record in maritime risk management, such as PAWSA, IWRAP Mk II and SeaTrack Web, while others are more generic, including e.g., Delphi, FRAM and Cost-Benefit Analysis.Furthermore, the component includes three new tools: Marin Risk Index, ADSAM C/G and ERC-M, which were developed by the authors in order to close the existing gaps in the current selection.For a detailed description of the OpenRisk Toolbox, see [28,29].

Alignment of the PPR risk management framework components
This section describes how the three components of the risk management framework are aligned with one another, including the RIDM strategy for PPR organizations.The four-phase alignment process is shown in Stage IV of Fig. 2.

Phase-1: mental risk models and general risk definition
The first phase is focused on aligning the different mental risk models of PPR authorities and their stakeholders with the general risk definition of C-1.The aim is to achieve a common understanding of the risk that these actors seek to assess and manage.
The RIDM procedures of PPR organizations may involve competent authorities and several different stakeholder groups, see Tables 1.A-4.A (Appendix).However, many of them understand the risk concept differently, and there are also differences on this matter between the countries.Therefore, in line with the SRA's approach, the general risk definition is designed to be broad enough to allow these different views on risk in the context of PPR activities, see Section 4.2.1.
Fig. 3 illustrates the alignment procedure.The general risk definition of C-1 is used to capture the various mental risk models of PPR authorities and their stakeholders, and to conceptualize them into a shared mental risk model being inter-subjectively objective.As a result, these actors can have a broad common understanding about the risk that facilitates better risk communication and sets the basis for further risk management.V. Laine et al.

Phase-2: risk perspectives and organizational risk management processes
The second phase is addressed to align the risk perspectives of C-1 with the different organizational risk management processes of C-2.The purpose is to provide appropriate theoretical risk perspectives for each of the risk management processes.
The C-1 comprises four specific risk perspectives (RP-1 -RP-4) with respect to general risk definition, see Section 4.2.1.The C-2, on the other hand, includes four risk management processes: basic screening, extended screening, intermittent and strategic, which are focused on different risk management decision-making contexts of PPR organizations, see Section 4.2.2.Taken into account the definitions of different risk perspectives and the objectives of four risk management processes, these two components are aligned with one another as shown in Fig. 4.
Firstly, RP-1 is aligned with the basic screening process, which focuses on monitoring the evolution of risk levels in maritime activities, and its deviations from the reference level.Second, RP-2 is used for the extended screening process, where the focus is mainly on emerging risk phenomena and future hazards.Third, RP-3 is aligned with the intermittent process, which aims to understand particularly the consequence aspect of maritime pollution risk.Fourth, RP-4 is used for the strategic process, which has the purpose of obtaining a holistic understanding about the risks of maritime activities.As a result, the appropriate theoretical risk perspectives are provided for the four risk management processes.

Phase-3: risk metrics/descriptions, risk management processes and risk assessment tools
The third phase focuses on aligning the risk metrics/descriptions of C-1 with the different risk management processes of C-2.The aim is to provide a common basis for measuring the risk across four processes, while still allowing the different risks´aspects to be emphasized.In this phase, the practical risk assessment tools of C-3 are also included in the alignment procedure.The purpose is to provide appropriate tools for the four risk management processes in terms of different risk measurement aspects and risk assessment steps, namely risk identification, risk analysis and risk evaluation.
The C-1 contains a risk metrics/description R = {C ′ , Q, K}, see Section 4.2.1.Its purpose is to provide a common basis for measuring the risk across the basic screening, extended screening, intermittent and strategic risk management processes.However, depending on the risk management process, the focus of this triplet's aspects is somewhat different.
Fig. 5 shows the risk aspects that are emphasized in each risk management process.Based on the process deceptions in Section 4.2.2, both screening processes are mainly focused on the uncertainty aspect of risk (Q), whereas the intermittent process is more on the consequences aspect of risk (C ′ ), and the strategic process addresses both consequences and uncertainties.As regards to the strength of knowledge aspect (K) that supports C ′ and Q, it can range from weak to strong in all four processes.
The C-3 comprises a set of 23 open-source risk assessment tools to generate information for different risk management questions of PPR organizations, see Table 5.A. (Appendix).In this phase, there is a further need to describe the applicability of these tools for the different aspects of triplet R = {C ′ , Q, K}, as well as for the different ISO 31000:2018 standard based risk assessment steps of the four risk management processes.
Fig. 1.A (Appendix) illustrates the applicability of C-3-based risk assessment tools to the different aspects of the triplet.To give some examples, the colour codes indicate that the AISyRISK (No.1) tool is strongly applicable (green) for the C´and Q aspects of the triplet, but not applicable (red) for the K aspect.On the contrary, the SoE (No.20) tool is not applicable (red) for the C´and Q aspects of the triplet, but strongly applicable (green) for the K aspect.
Similarly, Figs.2.A-5.A (Appendix) offer an insight into the applicability of these risk assessment tools in terms of the different ISO 31000:2018 standard based risk assessment steps of the basic screening, extended screening, intermittent and strategic risk management processes.For instance, in the context of the basic screening process, the AISyRISK tool is applicable for the risk identification, strongly applicable for the risk analysis, but not applicable for the risk evaluation.However, for that purpose, tools such as SoE and ALARP (No. 22) can be used to accomplish the risk assessment within this process.
Consequently, this phase has provided a common basis for measuring the risk within the four risk management processes.The approach can also be used to highlight the different aspects of risk measurement as needed.In addition, it has provided proper risk assessment tools to the four risk management processes.Depending on the applicability of the tools, these can be used to measure the different aspects of risk and to cover the ISO 31000.2018standard based risk assessment steps.

Phase-4: risk assessment results and decision-making in PPR organization
The fourth phase is addressed to align the results of C-3-based risk assessment tools with the decisions to be made in PPR organizations.To comply with the RIDM strategy, the aim of this phase is twofold: i) to communicate the results of risk assessment and its quality aspects transparently, and ii) to set these results into a wider decision-making context as appropriate, see Section 2.1.The alignment procedure is illustrated in Fig. 6.
The C-3-based risk assessment tools can be used to cover all aspects of the risk metrics/description of C-1 as well as the different risk assessment steps of the basic screening, extended screening, intermittent and strategic risk management processes of C-2, see Section 4.3.3.The first objective of the final phase is thus to communicate the results of  V. Laine et al. these risk assessment tools to the persons involved in RIDM procedures of PPR organizations.The focus here is on the K aspect of triplet R = {C ′ , Q, K}, in particular.To clarify this, the aim is to describe also the uncertainties with respect to the risk assessment results to the decisionmakers and stakeholders of PPR organizations, which are defined in Tables 1.A-4.A (Appendix).For this purpose, the SoE tool can be used to describe the strength of knowledge concerning the risk assessment results, whereas the Delphi (No.3) tool is applicable for describing the potential for surprises relative to the knowledge.Furthermore, by using e.g., the RM-PCDS (No.21) tool the risk-related information can be summarized and visualized in a way that is easy to understand for the non-experts as well.
The C-2-based processes for PPR organizations are focused on different risk management decision-making contexts of this field.Tables 1.A-4.A (Appendix) describe the type of decisions, the key stakeholder groups and the regulatory criteria for each of the processes.As the second objective of this final phase is to consider the risk assessment results and its quality aspects in a wider decision-making context as appropriate, the information of these tables can be used as a reference.For example, in the basic screening process the decisions are restricted to whether or not further risk management processes need to be executed.Such a decision is typically made by the PPR authorities only, and its impact is limited to the internal context of their organization.On the contrary, in the strategic process the decisions include risk treatment options, such as investments on a new response fleet, which may require remarkable financial investments.Decisions of this type are usually made in cooperation with other authorities and high-level policymakers, and their impact may also affect the external context of the PPR organization.Simultaneously, the other concerns become ever more relevant in order to make good decisions on the matter in hand.
To conclude, this phase has provided a RIDM based procedure for how to communicate the risk assessment results and its quality aspects to the decision-makers.This procedure provides also a guidance regarding the impact level of different types of decisions and stakeholders involvement.

Establishing the context
The aim of this Baltic Sea case study is to demonstrate the practical functionality of the new PPR risk management framework.For this purpose, the basic screening and intermittent risk management processes of C-2 are used as an example, including the associated risk perspectives and risk metrics/description of C-1, and selected applicable risk assessment tools of C-3.
From the spatial point of view, the case study covers the sea areas of the Gulf of Finland and the Archipelago Sea.These sub-areas of the Baltic Sea are selected as illustrative sites for the study due to the availability of sufficient information and data.
The key criteria for evaluating the response performance in the case study area are medium-sized and large-scale oil pollution accidents as well as the associated response time limits, derived from HELCOM Recommendations 28E/12 [95] and 31/1 [96].These recommendations are used for this purpose, as all the countries in the Baltic Sea region are contracting parties of the Helsinki Convention.
In this context, the Baltic Sea case study is focused on following the risk management questions of Table 5.A (Appendix): 1.Where are the historic accident risks in the sea area? 2. What kinds of hazards occur in the sea area? 3. How big can oil spills get in a collision or grounding accident?4. What is the effect of oil evaporation and its dissolution with water? 5.Where does the oil drift to in the sea area? 6.What are the consequences of an accidental oil spill with or without response measures?7. What accident scenarios are likely?8. How much evidence is there for the elements in the risk analysis?9. What is the risk level in different scenarios?10.Are the risks acceptable?
The main limit of this Baltic Sea case study is the lack of Vessel Traffic Service (VTS) incident reports of the Russian Federation and the east coast of Sweden.In addition, the Automatic Identification System (AIS) data for the basic screening process covers only a short time period.Both of these limits lead to certain restrictions with respect to the quality aspects of case study results.

Tools, procedure and material
The Baltic Sea case study provides a demonstration on the nine different risk assessment tools of C-3.To execute the risk assessment of the basic screening process, first the MarinRisk (No.2) tool is applied, which is strongly applicable for the uncertainty measure Q of the triplet R = {C ′ , Q, K}, as indicated in Fig. 1.A (Appendix).Second, this process is continued with the SoE (No.20) tool focusing on the strength of knowledge K aspect of the triplet.Fig. 2.A (Appendix) shows how the MarinRisk tool is applicable to cover each step of the ISO 31000:2018 based risk assessment processes, whereas the SoE tool can be used only for the risk analysis.
In the context of the intermittent process, ERC-M (No.7), ADSAM C/ G (No.8), ADIOS (No.9), SpillMod (No.11), POLSCALE (No.14), SoE (No.20), RM-PCDS (No.21) and ALARP (No.22) tools are applied for the associated risk assessment.Most of these tools are applicable for measuring the consequence aspect C´of the triplet, while some of them are applicable for measuring the uncertainty aspect Q or the strength of knowledge aspect K of the triplet, see Fig. 1.A (Appendix).Together, these eight different risk assessment tools are also able to cover all steps of the ISO 31000:2018 standard based risk assessment process in this context, see Fig. 4.A (Appendix).Fig. 7 illustrates the procedure applied to this Baltic Sea case study.It shows how the nine different risk assessment tools are used in a logical sequence, where an output of one tool is used as an input for another tool until results are provided for all risk management questions.In the context of the basic screening process, the results of risk assessment are used to support the decision of whether or not further risk management processes need to be executed.In the intermittent process these are used for the risk-informed decision of whether actual changes are needed in the PPR systems as risk treatment.When selecting the tools for different risk management questions, Table 5.A (Appendix) has been used as guidance.
The data used in this Baltic Sea case study consists of various The next two sections outline the results of the Baltic Sea case study, and how these are used to support decision-making in the context of selected risk management processes.Table 2 provides a summary of this case study, including the key results.

Table 2
Context, risk aspects and descriptions, key results and associated decisions of the Baltic Sea case study.

Context
Risk aspects

Key results & decisions
Basic screening process Q-1: Where are the historic accident risks in the sea area?
C ′ ,Q The level of historic accident risk for ship-to-ship collision was higher in the Helsinki-Tallinn sea area and off the coast of St. Petersburg compared to the rest of the Gulf of Finland (Fig. 6.A Appendix).Q-8: How much evidence is there for the elements in the risk analysis?

K
The SoE ranking was weak strength of evidence for both C ′ and Q aspects, as e.g., the amount of AIS data was very limited.

Decision
Execute the intermittent process as risk treatment Intermittent process Risk identification Q-2: What kinds of hazards occur in the sea area?
C ′ ,Q Five high incident density sea areas were identified in the case study area (Fig. 7.A Appendix).
The main hazard to the marine environment in this context was the potential collision or grounding accidents of crude oil and oil product tankers.Ten accident scenarios were defined for the case study area focusing on medium-sized and large-scale oil pollution accidents.Risk analysis Q-3: How big can oil spills get in a collision or grounding accident?
C ′ Depending on the scenario, the results range from a 150-t gasoline spill to a 20,000-t light-medium crude oil spill.Q-4: What is the effect of oil evaporation and its dissolution with water?
C ′ Results were provided for each of the ten scenarios on how the marine environmental factors could affect the magnitude of the oil spill over the three days following the accident.Q-5: Where does the oil drift to in the sea area?
C ′ Depending on the scenario, the propagation of oil ranges from regional to international dimensions.In the worst-case scenario, the light-medium crude oil was propagated extensively in the Gulf of Finland despite oil evaporation and its dissolution with water.Q-6: What are the consequences of accidental oil spill with or without response measures?
C ′ Without response measures (i.e., baseline), the consequences could be catastrophic for the marine environment in some of the scenarios (Table 6.A Appendix).In contrast, with response measures these consequences could be limited to some extent.However, in the large-scale diesel oil or light crude oil accident scenarios the consequences could still be serious.Q-7: What accident scenarios are likely?

Q
The frequency of oil tanker incidents was highest in the Helsinki-Tallinn sea area, and the high-risk events were also focused on the same sea area (Fig. 8.A Appendix).In contrast, for both calculations the lowest values were recorded in the sea area off Turku.Q-8: How much evidence is there for the elements in the risk analysis?

K
For the baseline option, the SoE ranking was medium-strong for both C´and Q aspects, whereas for the response option the (continued on next page) V. Laine et al.

Basic screening risk management process
The basic screening risk management process focuses on monitoring the evolution of risk levels in maritime activities, and its deviations from the reference level.The process is based on the risk perspective (RP-1), where risk is defined as the deviation from a reference value of maritime incidents and associated uncertainties.
As noted in Section 4.2.2, the results of the basic screening process are used to support the decision of whether or not further risk management processes need to be executed.The criteria applied for this purpose are derived from the HELCOM Recommendations 28E/12 [95] and 31/1 [96], which may also be implemented into the national Oil Spill Contingency Plan.The aim is thus to consider the risk assessment results, its quality aspects and the criteria when deciding, whether additional action is required.As indicated in Table 1.A (Appendix), the PPR authorities may take such a decision without further consultation and communication with the stakeholders.

Results of the basic screening process
In the context of the basic screening process, the risk was assessed for the Gulf of Finland focusing on Q-1.To address this question, the Mar-inRisk tool [75] was applied for screening the average ship-to-ship collision frequencies in the sea area.This stage is discussed at length by Koldenhof et al. [97], with the main conclusion being that the level of historic accident risk is higher in the Helsinki-Tallinn sea area and off the coast of St. Petersburg compared to the rest of the Gulf of Finland, see Fig. 6.A (Appendix).
To analyze the strength of knowledge aspect regarding the previous stage results, the state-of-the-art SoE scheme was applied for Q-8.The tool is applicable for assessing the uncertainties in the evidence base of the risk analysis [92].For this purpose, the data sources, methodology and the MarinRisk tool outcomes were used as input materials.Based on the results, the SoE ranking is weak strength of evidence mainly due to the use of very limited AIS data.Moreover, it should be noted that Mar-inRisk tool addresses only the risks associated to ship-to-ship collision accidents.In other words, its capability for assessing the accidental oil pollution risk as a whole is very limited.
Taking into account the risk assessment results, quality, limitations and criteria, it was decided in this case study to carry out the intermittent process to obtain more detailed risk-related information on the entire case study area, in particular on the consequence aspect of risk.Such information can also provide better understanding for the PPR authorities, whether they are able to comply with the HELCOM recommendations.

Intermittent risk management process
The intermittent risk management process aims to understand particularly the consequence aspect of maritime pollution risk.The process is based on the risk perspective (RP-2), where risk is defined as the consequences of the maritime activities and associated uncertainties.
The results of the intermittent process are used to support the decision whether actual changes are needed in the PPR systems as risk treatment.The decision-making principles in this context are similar to the basic screening processes, except that it is also necessary to consult at least the maritime safety authorities during the process execution, see Table 3.A (Annex).

Risk identification
In the context of the intermittent process, the risk identification stage focused on Q-2.In the study of Laine et al. [80], the question was first addressed with the Kernel spatial density analysis tool to identify high incident density sea areas in the Gulf of Finland and the Archipelago Sea.Thereafter, the ERC-M tool was applied to obtain more detailed information about the risk of environmental damage in these sea areas resulting from maritime activities.
The results of spatial analysis showed that there are five high incident density sea areas in the case study area, see Fig. 7.A (Appendix).Furthermore, the results of ERC-M indicated that the risk of environmental damage has been the highest in potential collision or grounding events of crude oil and oil product tankers.
Based on the results and associated data sources, ten oil tanker accident scenarios were defined, focusing on five high incident density sea areas.To comply with the HELCOM 28E/12 Recommendation [95], the scenarios represented both the medium-sized and large-scale oil pollution accidents.

Risk analysis
In the risk analysis stage, the ten oil tanker accident scenarios were used as a basis for measuring the consequences (C´), the uncertainties (Q) as well as the strength of evidence with respect to risk assessment results (K).
For analyzing the consequence aspect, the ADSAM C/G was applied for Q-3, as the tool is designed in particular for analyzing the consequences of collision and grounding accidents involving tankers [81].The results provided an estimate for each of the ten scenarios on the magnitude of expected oil spill [72].To comply with the HELCOM Recommendation 31/1 [96], these results were next used as a basis for estimating the severity of consequences over a three-day period, should the scenarios be materialized.First, a widely applied ADIOS tool from the NOAA [82] was used for Q-4 to estimate the effect of environmental factors on the magnitude of oil spills in the set time period.Second, these estimations were used to support oil spill drift calculations in Q-5, which were made with the SpillMod tool, introduced by Ivchenko [84].As a result, modelled predictions were provided for each of the ten scenarios on how the oil could propagate at the case study sea area in the set time period, see [72,98].Third, the EU-recommended POLSCALE [87] was adopted for Q-6.With the support of this tool and the outcomes of Q-3 -Q-5, the Finnish response authorities estimated the severity of consequences in each scenario and for two different options: i) where no response measures are executed (baseline), and ii) where response measures are executed, see Table 6.A (Appendix).The purpose of these options was to describe the effectiveness of HELCOM countries' response measures as a control for risk mitigation.
The analysis of the uncertainty focused on Q-7.The question was addressed through calculating the frequency of tanker incidents per year, which aligns with an aleatory interpretation of uncertainty.The equation used for this purpose was: where N ti Y is the number of tanker incidents per year, N ti the number C ′ , Q, K Visual representation of the risk assessment results was provided, including all aspects of the triplet R = {C´, Q, K}.This was made for both the baseline and response options (Fig. 9.A Appendix).Q-10: Are the risks acceptable?Decision -Despite the response measures, the residual risk in large-scale diesel oil and light crude oil spills was still considered unacceptable.
Adjustments to current response system as risk treatment of tanker incidents in the specific high incident density sea area during the period 2014-2016, and Y is the total number of years [72].Furthermore, the ERC-M tool was applied at this step to describe the risk level of environmental damage in these incidents.The key results are shown in Fig. 8.A (Appendix).
To analyze the strength of knowledge aspect and epistemic interpretation of uncertainty, the SoE scheme was applied for Q-8.For this purpose, the information, data, tools and the outcomes of Q-2 -Q-7 were used as an input material.The results are shown in Table 7.A (Appendix), which indicate the SoE ranking for both baseline and response options [72].Overall, the strength of knowledge is weaker in the response option, as the uncertainty increases when response operations are included in the assessment.

Risk evaluation
The final stage of the intermittent process-based risk assessment focused on risk evaluation.To support the visual communication, the outcomes of Q-6, Q-7 and Q-8 were first summarized with the RM-PCDS [13] tool in order to answer Q-9.In line with the proposal of Paté-Cornell [99], the results provided a holistic risk picture addressing the risk of accidental oil pollution in the case study area [72].As indicated in Fig. 9.A (Appendix), the description was made for both baseline and response alternatives.
Thereafter, a widely applied ALARP [93] tool was adopted as a guiding principle for Q-10.The results suggested that despite the effective response measures, the residual risk in large-scale diesel oil or light crude oil spills in particular is still not acceptable [72].
Based on the risk management framework description, in the next stage of the intermittent process it should be thus decided if additional risk mitigation measures will be implemented to the current PPR system.The decision on this matter should take into account the risk assessment results, quality and limitations.Moreover, it should address the HEL-COM criteria focusing on the response time limits and the capability to manage different size and types of oil spills.Overall, in this process the consideration should be more comprehensive compared to the basic screening process, while involving also the key maritime stakeholder groups.

Review on the PPR risk management framework
The main objective of the new risk management framework for PPR organizations was to address the shortcomings of joint European risk assessments within this field.These included e.g., incoherencies in the conceptual and methodological basis of the tools used in the risk assessments, lack of systematic and harmonized approaches for different decision-making contexts, and challenges in implementing the risk assessment results, as noted in Section 3.2.1.In this respect, the fundamental question is whether the proposed approach in this paper is appropriate for this purpose.
A key feature in addressing these shortcomings was the strong commitment of the competent authorities and other maritime stakeholders to the risk management framework development process through workshops, questionnaires and e-mail inquiries.The chosen approach proved to be essential for understanding the complexity of this field and achieving the set objective.On the one hand, it revealed the mixture of various risk concepts, decision-making contexts and riskrelated information needs in the European PPR risk management, which turned out to be the root causes of the identified problems.On the other hand, it also paved the way to address and find solutions to these problems while leading to the consensus on the proposed framework approach.Even though the importance of deliberating the risk perspectives, risk management decision-making contexts and associated information needs has been strongly emphasized by e.g., Goerlandt and Montewka [11], Aven [32], and Lathrop and Ezell [36], the diversity in this context had neither been recognized nor considered in the previous works of this field.
Through recognizing the reality of European PPR risk management and coping with it, in this paper an innovative framework approach has been introduced.The framework is based on the RIDM strategy while including three aligned state-of-the-art components focusing on i) theoretical risk-conceptual basis, ii) organizational risk management processes, and iii) practical risk assessment tools.Based on the feedback from the competent authorities and other maritime stakeholders, the proposed framework is useful and flexible enough to consider the various needs of its end-users, while still complying with the set objective.Therefore, it can be argued that the work has provided a valuable contribution to this field.

Theoretical risk concept of the framework
The first component focused on providing a sound risk-conceptual basis for the PPR risk management framework.Its main purpose was to harmonize the mixture of multiple risk concepts of this field, the problem of which concerns not only the mental risk models of the competent authorities and their stakeholders, but also the tools used for the risk assessment.To overcome this issue, the SRA's risk approach was adopted due to its flexibility and state-of-the-art risk-conceptual thinking.Based on the literature review, it was considered to be the best option in this matter, as it was not realistic to develop one unified risk concept to this field, nor did it seem to be even necessary.
As indicated in this paper, the SRA's risk approach can be customized to the context of PPR risk management, and it was proved to be useful and adequate to achieve the set objectives.More specifically, an interpretation of the SRA's general risk description can be used to provide a broad common understanding of the risk that PPR authorities and their stakeholders seek to assess and manage, while its different risk perspectives can be applied as a theoretical basis for the specific risk management decision-making context.In addition, the SRA's risk metrics/description R = {C´, Q, K} can be used to provide a common base for measuring the risk, while still leaving room for emphasizing the specific aspects of risk.In this respect, the paper has provided support to this novel risk approach of the SRA.

Risk management processes of the framework
The second component addressed the different risk management decision-making contexts of PPR organizations, as these range from short-term screening to long-term strategic planning.Based on discussions with the competent authorities and other maritime stakeholders, the ISO 31000:2018 standard was applied and concretized for the PPR risk management purposes.The works of Neves et al. [3] and Landquist et al. [17] as well as the recommendations of COWI [57] also supported the solution.
The ISO 31000:2018 standard proved to be a useful and suitable approach for the PPR risk management, as it was flexible in accounting for specific organizational needs as well as strengthening the link between risk assessment and risk management.Following on the standard's approach, four interlinked risk management processes were established: basic screening, extended screening, intermittent and strategic.The aim of these processes was to consider e.g., the different risk management decision-making contexts, available resources as well as the internal and external context of PPR organizations.Importantly, it was also possible to link different risk assessment tools into these four processes in a way that all standard-based risk assessment steps can be covered.
Compared to the works of Neves et al. [3] and Landquist et al. [17], this paper has thus extended the use of the ISO 31000:2018 standard in the context of maritime PPR risk management.As noted above, it has been used to consider the various interests of PPR organizations in terms of risk management and associated information needs.Such topics are beyond the scope of previous works, even though the differences in e.g., decision-making contexts could be large, and a specific result is needed to support different types of decisions, see [32].
Furthermore, in this paper the standard's risk concept "the effect of uncertainty on objectives" has been replaced and extended with the stateof-the-art SRA-based approach, as noted in Section 6.2.In this respect, the paper contributes also to the need for strengthening the scientific foundations of the current risk management standards and the adaptation of the scientific knowledge into practical risk management tasks of organizations.Such attempts are strongly encouraged e.g., in the recent study of Aven and Ylönen [59].

Risk assessment tools of the framework
The third component aimed to provide proper risk assessment tools for the different risk management questions of the PPR authorities.It was made through an extensive literature review and in cooperation with the earlier noted stakeholders.When selecting and developing the tools for this purpose, it was also emphasized that these need to cover all steps of the ISO 31000:2018 standard risk assessment process within the four PPR risk management processes, as well as the different risk aspects of the triplet R = {C ′ , Q, K}.
To understand the PPR authorities' needs for risk assessment and make them familiar with the tools used for this purpose, several workshops were organized.As a result, a great deal of valuable information was received for the toolbox development task.In the workshops, some of the risk assessment tools were e.g., evaluated in terms of their practical usability [28].The results indicated that among the end-users the automated applications such as AISyRisk, MarinRisk and IWRAP Mk II received rather high support, ADSAM-C/G, NG-SRW and ERC-M more mixed support, and FRAM only little support.In general, these tools were considered to be relatively easy to understand and use, but the availability of data to apply them varied significantly between the PPR organizations of different countries.
The workshops also showed that in the future more risk assessment tools should be added to this component, focusing on new and emerging risks in maritime transportation as well as spills of hazardous noxious substances (HNS).Interestingly, there is some evidence that new nonlinear tools are the most appropriate to the former [22], although the FRAM received only little support among the competent authorities.Such a paradox could be an attractive topic to address in more detail, including the applicability of different tools for assessing the future hazards and associated risks.In addition, the future research in this context could include further testing of risk assessment tools within organizational settings, focusing in particular on the validation problems, see [47].

General review on the Baltic Sea case study
The objective of the Baltic Sea case study was to demonstrate the practical functionality of the new PPR risk management framework through the basic screening and intermittent risk management processes.To this end, nine different risk assessment tools were used with integrated data from the northern Baltic Sea region.
Firstly, the case study showed how the selected risk assessment tools can be used to describe the risk perspectives of the basic screening and intermittent processes, including the associated risk measurements.In the basic screening process, the MarinRisk tool was applied to monitor and measure the evolution of the risk levels of maritime activities and its deviations from the reference level, with an explicit focus on the Q aspect of the triplet R = {C´, Q, K}.Additionally, the SoE tool was adopted for assessing the strength of evidence aspect K in this context.In the intermittent process, ERC-M, ADSAM C/G, ADIOS, SpillMod, POLSCALE, SoE, RM-PCDS and ALARP tools were used to understand and measure the consequence aspect of maritime pollution risk, while specifically addressing the C´aspect of the triplet.
Second, the case study indicated how the results of basic screening and intermittent processes can be used to support decisions about the different risk treatment options.More specifically, the results of basic screening showed that the risk level of maritime activities was higher in the Helsinki-Tallinn sea area and off the coast of St. Petersburg compared to the reference level.Therefore, it was decided to execute the intermittent process as risk treatment.Following this, the results of the intermittent process showed that, despite effective response measures, the residual risk in large-scale diesel oil and light crude oil spills was still unacceptable.Therefore, it was decided to recommend adjustments to the current response system and tactics as risk treatment.
Third, the case study showed the usefulness of measuring all risk aspects of the triplet R = {C´, Q, K}.For example, in the sea area off the coast of the Hanko Peninsula the oil tanker incident frequencies were rather low compared to many other sea areas in the Gulf of Finland and Archipelago Sea, see Area 3 in Fig. 8.A (Appendix).However, if the defined accidental oil spill scenarios would be materialized one day, the consequences within this sea area could be one of the worst, see e.g., scenario 6 in Table 6.A (Appendix).A detailed assessment of the risk's consequence aspect also revealed that the worst scenarios in the case study area are associated with the accidental large-scale diesel oil or light crude oil spills.This information was instrumental for the competent authorities, as the current response systems and tactics are focused on minimizing the consequences of crude oil spills.
Fourth, the PPR authorities found the strength of evidence assessment to be interesting and useful, as this had not been consistently considered before.For example, in situations where the risk level of different scenarios is the same, the SoE aspect can be of help to prioritize the risk mitigation measures [12].In the literature, however, this approach has been a subject of dispute.While some authors claim that such qualitative assessments are done based on crudely defined scoring criteria that limits the practical application [100], others view it as a significant step forward in the risk field [43,47,92].It should also be noted that the PPR authorities supported strongly the use of the RM-PCDS tool for summarizing and visualizing the results of risk measurement, including the strength of evidence aspect.Based on their feedback, the RM-PCDS based description was clear and easy to understand.
Fifth, based on the feedback from the competent authorities and other maritime stakeholders, the Baltic Sea case study achieved its objectives.The results helped to understand the functioning of the new risk management framework, and contributed also to good and open discussions.These provided authors with new perspectives on the risk assessment results, while the authorities received useful and up to date information on the risk of accidental oil spills.Hence, the risk-related knowledge on the matter in hand was increased, which is one of the key objectives in RIDM strategy.
Finally, it would still be necessary to carry out an additional case study in the future, where the here presented results are compared to the BRISK and BRISK-RU results that have been strongly criticized, see Section 3.2.1.In this way, it could be possible to analyze the strengths and weaknesses of the new PPR risk management framework in more detail.Such case study should address particularly, how the adoption of RIDM strategy and uncertainty based risk concepts affects risk communication, when the current RBDM based approaches are used as a reference.

Limitations
Even though a number of PPR authorities and other maritime stakeholders were strongly committed to the risk management framework development process, the main limitation of this study is the fact that the response and maritime safety organizations of several European countries did not participate in this work due to e.g., limited resources, lack of interest or political issues.Based on the authors' experiences from the EU-OpenRisk project, those who were active in this process also had a general interest in risk-related topics.However, such persons may not constitute a representative sample of the framework's end-users.Moreover, the coastal communities were not involved in the framework development and formulation, which could mean that important information was missing from its development process.Therefore, the results described in this paper could be somewhat biased.
Another significant limitation of this study is the lack of validation of the framework, as it has not yet been tested nor implemented in any PPR organizations.As such, it is still unknown to what extent the framework can actually resolve the problems for which it was developed, and whether the competent authorities are really willing to use it instead of resorting to expensive BRISK and BRISK-RU types of approaches.Such questions remain open for the time being, but should be addressed in the future.

Conclusions
In this paper, a new risk management framework has been introduced for the maritime PPR organizations to alleviate the limits of existing approaches.The framework is based on the RIDM strategy while consisting of three components.
The first component focuses on providing a unified theoretical risk concept to the framework through an interpretation of the SRA's risk approach, including one general risk definition, four different risk perspectives and an overall metrics/description.The second consists of four ISO 31000:2018 standard based processes: basic screening, extended screening, intermittent, and strategic, which addresses the different risk management decision-making contexts of the PPR organizations.The third comprises a set of 23 practical risk assessment tools to generate the information that is needed.Within the framework, these three components are also aligned with one another in accordance with the RIDM approach and through a four-phase process.
The risk management framework has also been applied for the Baltic Sea case study to demonstrate its practical functionality.For this purpose, the basic screening and intermittent risk management processes were used as an example, including the associated risk perspectives and risk metrics/description.The risk assessment part of these processes was performed through nine different tools of the associated component by using the data from the northern Baltic Sea region.The results indicated the functionality of the framework while providing the competent authorities with new information, in particular on the risks of large-scale diesel oil and light crude oil spills.Based on the feedback from the PPR authorities, both the risk management framework and the Baltic Sea case study achieved the set objectives.
The main conclusions of this work are as follows.Firstly, in the context of PPR risk management there is a great mixture of different risk concepts, decision-making contexts and risk-related information needs.This has neither been recognized nor addressed in previous studies, although the importance of associated topics has been emphasized in the scientific literature and professional context.Second, to comply with the reality of risk management of this field, flexible approaches are needed.To this end, the RIDM has proved to be a proper strategy, while the SRA's approach is applicable to consider the different risk concepts and the ISO 31000:2018 standard the risk management decision-making contexts of this field.In addition, a set of different risk assessment tools is necessary to address the various risk-related information needs.Third, it seems to be unnecessary to have one specific risk definition, at least for the PPR activities.The results of this work support the SRA-based risk approach which includes a broad risk definition and allows different perspectives on risk, while making a sharp distinction between qualitative definitions and associated measurements.
Recalling the main limitations of this paper, future work should address general knowledge and interest in risk-related topics in the context of maritime PPR risk management, including the level of deployment on risk assessment results.A need was also recognized for developing methods and practices to validate risk assessment results, as well as to test the risk management framework and its tools in practical settings.The testing could be done through a case study, for example, where the BRISK an BRISK-RU results are compared to the here presented framework results.Based on the feedback from the stakeholders, integrated software tools are also needed for executing the risk assessments fluently, as well as new tools to assess the risks of HNS spills and new emerging risks in maritime transportation.To evaluate whether risk is acceptable or not seems to be often the most challenging part of the risk assessment process, and thus more guidance and good principles should be developed for this purpose as well.

Declaration of competing interest
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Fig. 1 .
Fig. 1.The ISO 31000:2018 standard based risk management process.Stages 2-4 are referred to as risk assessment.In addition, this process includes two parallel activities: a) communication and consultation with relevant stakeholders, and b) monitoring and review of the adequacy of the implementation of the five stages.

Fig. 3 .
Fig. 3. Alignment of different mental risk models with the general risk description of C-1.

Fig. 4 .
Fig. 4. Alignment of the risk perspectives of C-1 and risk management processes of C-2.

Fig. 5 .
Fig. 5. Alignment of the risk metrics/description of C-1 and risk management processes of C-2.

Fig. 6 .
Fig. 6.Alignment of the risk assessment results of C-3 with decisions to be made in the PPR organization.

Fig. 1 .Fig. 2 .Fig. 3 .Fig. 4 .Fig. 5 .Fig. 6 .
Fig. 1.A. Applicability of the C-3-based risk assessment tools for different aspects of the C-1-based risk metrics/description, R = {C ′ , Q, K} (Strongly applicable = Green, Applicable = Yellow, Not applicable = Red).(For interpretation of the references to colour in this figure legend, the reader is referred to the web version of this article.)

Fig. 7 .
Fig. 7.A.Five hotspot sea areas of the case study area and an overview of the ten associated accidental oil spill scenarios [80].

V
.Laine et al.

Fig. 9 .
Fig.9.A. Risk matrix for the ten scenarios with no response and response.In the figures C1-C4 represent the consequence estimation, P1-P4 the likelihood estimation, and the colour codes from green to red the risk level in terms of these two aspects.The black and grey colors indicate the strength of evidence aspect in ten scenarios.The ranking is medium-strong when the response operations are not executed, and medium when these are executed.(For interpretation of the references to colour in this figure legend, the reader is referred to the web version of this article.)