Integrating security in major projects - principles & guidelines

Transcription

1 Integrating security in major projects - principles & guidelines OGP Report No. 494 April 2014 International Association of Oil and Gas Producers

2 Publications Global experience The International Association of Oil & Gas Producers has access to a wealth of technical knowledge and experience with its members operating around the world in many different terrains. We collate and distil this valuable knowledge for the industry to use as guidelines for good practice by individual members. Consistent high quality database and guidelines Our overall aim is to ensure a consistent approach to training, management and best practice throughout the world. The oil and gas exploration and production industry recognises the need to develop consistent databases and records in certain fields. The OGP s members are encouraged to use the guidelines as a starting point for their operations or to supplement their own policies and regulations which may apply locally. Internationally recognised source of industry information Many of our guidelines have been recognised and used by international authorities and safety and environmental bodies. Requests come from governments and non-government organisations around the world as well as from non-member companies. Disclaimer Whilst every effort has been made to ensure the accuracy of the information contained in this publication, neither the OGP nor any of its members past present or future warrants its accuracy or will, regardless of its or their negligence, assume liability for any foreseeable or unforeseeable use made thereof, which liability is hereby excluded. Consequently, such use is at the recipient s own risk on the basis that any use by the recipient constitutes agreement to the terms of this disclaimer. The recipient is obliged to inform any subsequent recipient of such terms. Copyright notice The contents of these pages are The International Association of Oil and Gas Producers. Permission is given to reproduce this report in whole or in part provided (i) that the copyright of OGP and (ii) the source are acknowledged. All other rights are reserved. Any other use requires the prior written permission of the OGP. These Terms and Conditions shall be governed by and construed in accordance with the laws of England and Wales. Disputes arising here from shall be exclusively subject to the jurisdiction of the courts of England and Wales.

3 Integrating security in major projects - principles & guidelines OGP Report No. 494 April 2014 Revision history Version Date Amendments 1 April 2014 First issued

4 International Association of Oil and Gas Producers Acknowledgements: This document was produced by OGP s Security Committee. ii

5 Integrating security in major projects - principles & guidelines Contents Introduction 1 Project management and security 1 1. Concept or initiation 2 2. Design and planning 4 3. Execution 6 4. Monitoring and control 7 5. Closure or look-back 8 iii

6 International Association of Oil and Gas Producers Concept Design Execution Monitoring Lookback OCountry threat analysis Change in threats Risk assessment Local security survey New assessment Security policy requirements Security requirements Amendments to security plan? Project security guidelines Project security plan Contractor security plan Sub-contractor security plan perationscommissioning iv

7 Integrating security in major projects - principles & guidelines Introduction Project management & security Throughout the oil and gas industry project management is a key and core skill, and critical for successful development of mineral resources. There are multiple project management models and methods, including individual processes developed for major operators as well as more generic, but no less useful, systems for smaller partners. What all have in common is a methodical and planned approach encompassing at least five phases in a project s life cycle. These are: Concept or initiation; Design & planning; Execution; Monitoring & control; and Closure or look-back. For the purposes of this document we will use this five-element model. Traditionally, security considerations have been brought into projects at a late stage, or even after the commissioning of the completed facility. In recent years it has become increasingly apparent that there are considerable benefits in terms of cost, efficiency and reliability to be gained if security is integrated into project management from the outset. The industry has found that retro-fitting security hardware is both costly and time-consuming, and that almost inevitably the results are less than satisfactory. We strongly recommend that significant security risks and challenges should be factored in to early project decisions, including the key decision on whether to proceed with a project or not. Failure to appreciate, understand, or plan for significant security eventualities can have major repercussions for a project and its owner, and will almost always lead to significant avoidable cost increases and delay. In this document we will set out best practice, based on actual experience, for integrating security planning and execution into the project lifecycle. Views expressed are those of the OGP Security Committee, and do not necessarily reflect those of individual member companies. 1

8 International Association of Oil and Gas Producers 1. Concept or initiation 1.1 Security planning for any major project should commence as early as possible in the project cycle. The level of security engagement will depend largely on the nature of the project, and on the geographical location(s) in which it will be conducted. The overriding purpose of integrating security provision and planning is to ensure that the project can be completed without avoidable delay or additional costs. As always, the priority for security planning is the protection of life and prevention of injury, followed by the protection of the company s assets, reputation and property. As a general guideline, the following points should always be considered when determining the level of security engagement required in any given project: The location of the completed project; The location(s) of critical elements of the project, such as fabrication yards, and transportation and supply chain routes; The availability of critical personnel or replacements for critical components or equipment; The size and composition of workforce required at various stages of the project; Prevailing security conditions and threats in all of the above; Criticality of the project to the company/ies concerned. 1.2 Having determined the factors to be considered in setting the level of security engagement in the project, it is now helpful to conduct the first assessment of security-related risks that could adversely affect it. Risk assessment processes are adequately documented, and there are several methodologies to choose from. The selected one should include an acceptable method of identifying threats, assessing the probability of a specific threat affecting the project, and determining the impact on the project if it does. 1.3 For major or complex projects early investment of time and effort is conducting a thorough assessment of the prevailing threat environment surrounding all stages of the project should prove worthwhile. The better the project team, and those responsible for security, and the better their understanding of real and potential security issues the better equipped they will be to mitigate them and complete the project successfully. 1.4 Proper security planning depends on good risk assessment, followed by a clear understanding of what measures are needed to reduce the threat, likelihood or impact of any given risk. The most effective tool for monitoring progress in this respect is a risk register. Different project managers have different approaches to recording risks, sometimes in a number of different locations or registers. Experience shows us that the ideal situation is for the most significant security risks, e.g. those which could cause significant delay or additional cost, or have some other major impact, should be recorded in the main project risk register, where they can be reviewed regularly by project decision-makers. Where this is not possible, an acceptable alternative would be to maintain a specific security risk register, but only 2

9 Integrating security in major projects - principles & guidelines where the risk owner has either the authority to deal with the risk or has direct access to someone who does. It is not advisable to incorporate security risks in sub-sets of other risk registers where they might easily be overlooked. 1.5 Major projects can have a lifecycle of many years. Conditions and threats can and do change considerably during the life of a project, but rarely should such changes be entirely unforeseen. To be best prepared to meet changing security challenges an open-minded view of the threat environment and associated risks is advised. Consequently, it may be that risks are reassessed periodically, or certain trigger events can be identified that initiate security risk reviews. We advise security professionals engaged in projects to develop agreed mechanisms to reassess risks during each and every stage of the process. 1.6 Effective security planning for major projects, and indeed in other industrial contexts, should have the best interests of the business at its core. In short, effective security planning will enable the business or project to succeed. To this end a rational appreciation of costs versus benefits should be clearly understood by security professionals and by management of both the project owner and any contractors involved. If the cost of security measures required ensuring the safety of personnel and protection of assets exceeds the value to the company of the project concerned it is better to understand this early in the planning cycle. For very high-value projects there may be complex considerations of ongoing benefits that would make investment in security measures worthwhile, but in any case the person responsible for security planning should be comfortable as a participant in the decisionmaking process. 1.7 Opportunities for early participation of security designers or architects exist during the concept or initiation phase of a project. Building in key features, such as safe-havens or access control equipment, can save significant cost and disruption later, as can selection of materials and design of facilities. 1.8 Finally, in the initiation stage of a project consideration should be given to the development of security management practices and procedures that allow for easy transition between the different stages of a project, and eventual incorporation within the security framework of the facility operator. This is best achieved through methodical documentation and reliance on common understanding of security practice. To this end early liaison between those responsible for security at differing stages and locations of the project can be seen as a sound investment of time and effort. 3

10 International Association of Oil and Gas Producers 2. Design & planning 2.1 Security risk assessment should be a constant activity throughout the life of a project. Considerations may change periodically, but if done effectively during the concept and initiation phase the original risk assessment should serve as a good foundation throughout. It can be adapted to meet specific circumstances, or to address specific requirements at different phases of the project. For example, if there is a fabrication phase in a project that will entail deployment of company personnel to a remote location on a temporary basis, there may be a need to include an assessment of security risks to those personnel in the overarching risk assessment document. 2.2 As a project progresses the need for active monitoring of security risks will become greater, and more significant. The recording and monitoring method developed in the initial project phase should continue, and the ideal situation would be where significant security risks are monitored and updated through the project s central risk register. 2.3 The design phase of a project presents the best opportunity to include physical security considerations in the most cost-effective manner. For example, anti-piracy measures can be built in to offshore platforms rather than added at a later date, or protective security measures can be designed into critical process components. It is advisable to have an understanding of the cost elements involved, and the likely differences that would be encountered if necessary security measures needed to be retro-fitted rather than installed at the construction phase. Likely cost-savings might be found in amending the specification of materials in construction, utilisation of a planned workforce as opposed to remobilising one at a later stage, or reduced loss of operational availability of a facility. 2.4 If security measures are considered appropriate, it is advisable to engage the services of qualified and experienced architects, engineers or designers with specialist security knowledge. These can often define accurately the specifications of materials for the design of a facility with specific risks in mind. Specialisms can include blast and ballistic effect modeling where there is a risk of terrorism or violent attack, perimeter construction, or anti-piracy measures. 2.5 The design phase also allows for the inclusion of measures to reduce the impact of a security incident should it occur; enhanced safety and life-support facilities for example. Often such facilities are stipulated by international regulations, but there may be opportunities to enhance or amend the specifications to a level above the regulatory requirements. For example, provision of one safe haven or citadel might be a requirement, but the risk assessment indicates that one or more additional safe havens, perhaps smaller in scale would provide better protection for personnel in the event of an emergency. Similarly, it might be preferable to build in facilities that would allow for shelter in place for an extended period above the minimum specified by regulations. 2.6 In a similar vein, inclusion of electronic devices and communication equipment, or wiring to facilitate their use, should be considered at the design stage. The ability to communicate with the outside world, or to control or shut down a facility from inside a safe haven can significantly reduce the impact of a major security incident. 4

11 Integrating security in major projects - principles & guidelines 2.7 With many facilities there is severe pressure on accommodation space when it becomes operational. If a risk assessment indicates that addition of security personnel in certain circumstances might be needed to reduce a risk, consideration can be given at the design stage to supplementary accommodation, either permanent or temporary, being made available from time to time. 2.8 The design and planning phase of a project is the time when thorough examination of project plans can be made to identify requirements for specific security plans at various stages of development and execution of a project. For example, there may be a need to transport items to the project site that are very difficult to replace, in which case attention should be given to security risks that could result in the loss, damage or delay of the items concerned. Often such items might be large and require seaborne transportation through hostile waters, in which case appropriate marine security plans should be agreed with all parties concerned. Similarly, as mentioned in paragraph 2.1 above, there may be fabrication yards in remote locations that produce critical items for the project. Security at these locations would probably be the responsibility of the site managers, but there is an opportunity to minimise risks to the project through security liaison and collaboration. 2.9 Another example of a project security risk that might need specific planning and attention might be supply chain fraud and integrity of components and materials. Major projects are attractive opportunities for criminals or unscrupulous businesses seeking to make or maximise profit. The design and planning stage of a project should be the time when appropriate due diligence enquiries are made on prospective suppliers, and the right audit and materials approval rights are built-in to contracts to prevent fraud and material substitutions This collaboration can often be encouraged or facilitated by including security provisions in contracts with suppliers, fabricators, and shippers. Capturing security provisions in contracts at the design phase reduces confusion and conflict at later stages, and consequently reduces unplanned cost and delay. Typical inclusions in contracts to mandate security as a consideration can include a requirement to share security plans and allow security audits, or to collaborate in the form of a security oversight group made up of the companies concerned in the project. The utility of these contractual agreements cannot be overstated when it comes to executing projects in higher risk environments A significant risk to major projects is industrial unrest and labour relations. These can cause significant delay and additional costs, as well as endangering individuals and reputations. It is advisable therefore to include security planning in mobilisation and demobilisation plans at the planning stage Finally, the project planning stage is the appropriate time to consider long-term security provision for the project facility and for its transfer to operational status once the project is concluded. It is important that processes and equipment involved in security provision are compatible with the security structures put in place by the eventual operator. 5

12 International Association of Oil and Gas Producers 3. Execution 3.1 Without doubt, the most demanding and complex period of any project is the execution phase. This is when all the preparation and planning are put to the test, and when variations can occur at short notice. Advice to security practitioners can be summarised briefly: review your previous assessments and planning, and implement them. Consequently, this section of the document is short. 3.2 If recorded properly, security risks would be monitored both by security professionals and by the project management team and any adjustments or remedial action would be generated by the risk monitoring process. The aim during a dynamic phase is always to reduce security risks to acceptable levels by minimising or removing one or more of the three components: threat, likelihood or impact. 3.3 Deployment of a dedicated security professional as a member of the project team is desirable, but not always possible. Across the industry there are examples of utilising non-security personnel as the responsible person on a project, with appropriate support from the project company or project management team. There are also examples of a security professional being deployed to cover security together with other roles where they are qualified and competent to do so. For example, a security manager might also be responsible for travel, accommodation and logistics, or a supply chain manager might also have the security portfolio. The important factor is the project owner s commitment to the security of the project, and its successful and timely completion. If security has been properly engaged during the concept and design and planning stages, the execution phase should present few unexpected challenges. Where this has not been the case, and there are security risks, those responsible for security in the project-owning company may need to condense all the steps recommended in the early phases into the execution phase. 3.4 Apart from the ongoing risk assessment process and implementation of security plans, there may be requirements in the execution phase to respond to changes, planned and unplanned, or to emergencies or incidents. To that end, it is advisable to practice drills and procedures with security personnel, e.g. guards, or government security forces as appropriate, bearing in mind local laws, company policies and the provisions of the Voluntary Principles on Security and Human Rights as applicable. In addition, it is important for the person responsible for security to be aware of developments on the project, and of any circumstances that could affect the security risk assessment, for example dissatisfaction among elements of the workforce. There should always be contingency plans in place to deal with arising situations, ideally considered in advance and included in the overall security planning package. If this is not the case, it is important that those responsible for security have the appropriate experience and leadership to respond rationally and proportionally to the situation in question. 6

13 Integrating security in major projects - principles & guidelines 4. Monitoring & control 4.1 The fourth phase of a project, for the purposes of this document the Monitoring & control phase, is the period of consolidation and quality assurance that takes place between the execution of a project and the commissioning of the finished product. In many ways this can be a period of increased risk; especially of there have been cost overruns or delays. It will also be the period in which unscrupulous individuals may wish to cause delay in order to extend contracts or increase revenue, or to extract additional benefits from the project owner. In any event, it is a time when security awareness and vigilance should be maintained at an appropriate level. 4.2 The risk assessment that has been constantly monitored and updated throughout the project remains the key element to maintaining the correct security posture at this stage. Some risks will have been eliminated, such as those pertaining to transportation and fabrication, while others, such as those concerning workforce demobilisation or the physical protection of critical assets will come to the fore. It is advisable to update security processes and procedures to meet changing risks, ideally in a manner that is planned and designed to facilitate the transition from project to operational status of the facility. As such, the operational security risk environment of the facility concerned becomes more prominent and relevant to security planning and practice during this phase. 4.3 As the project prepares for the transition to operations, so the security function should also be preparing for it. This might include inducting new personnel, or training security providers from the operational facility on aspects of the project. If security assessment and planning has been conducted as advised in this document there should be no untoward surprises and the transition will be smooth. Where there is any kind of disconnect between the security elements of the project and the operation it may be necessary to implement some remedial action to ensure the continued security of project personnel and assets. This is especially true if the project is now located in a relatively high risk area controlled by the operator, and protected by his security provisions. The remedial action referred to might include, for example, inclusion of the operator s security function in project security meetings, and vice-versa, or conducting a joint review of project and operation security procedures to ensure that there are no unresolved conflicts or contradictions. 4.4 Among the preparatory tasks for transition during this phase, the following are examples of the kinds of issue that might be considered: Defining and monitoring security performance metrics; Developing ongoing standard operating procedures to aid full integration with the operation; Adapting security plans to meet any remaining project deviations; and Defining critical components of security infrastructure if changes are needed. 7

14 International Association of Oil and Gas Producers 5. Closure or look-back 5.1 The final project phase entails bringing the project to a close, handing it over to the operation, and reviewing each phase retrospectively to identify opportunities for improvements in future projects, and to rectify any perceived flaws in project planning or execution. It is advisable to follow this path from the security perspective, as much as from any other. 5.2 One suggested method for achieving a comprehensive look-back is to reconvene the security oversight group referred to in paragraph 2.10 above, or to capture feedback obtained from its members at the relevant time. This, coupled with examination of risk assessments and any security incidents that occurred would provide an efficient narrative against which to measure the effectiveness of the security planning employed. 8

15 For further information and publications, please visit our website at:

16 About us: OGP is a global organisation that has been active for nearly 40 years, facilitating continual improvement in upstream (exploration and production) health safety and environmental issues as well as improvements in engineering and operations. OGP, with offices in London and Brussels, represents publicly-traded private and state-owned oil and gas companies, field service companies and industry associations. Its members produce more than half of the world s oil and over one-third of its gas. More information about OGP and the production of gas from shale can be found at: Blackfriars Road London SE1 8NL United Kingdom Telephone: +44 (0) Fax: +44 (0) Bd du Souverain 4th Floor B-1160 Brussels, Belgium Telephone: +32 (0) Fax: +32 (0) Website: reception@ogp.org.uk