Integrating security in major projects -

principles & guidelines

OGP Report No. 494
April 2014
International Association of Oil and Gas Producers
Disclaimer
Whilst every efort has been made to ensure the accuracy of the information contained in this publication, neither the
OGP nor any of its members past present or future warrants its accuracy or will, regardless of its or their negligence, assume
liability for any foreseeable or unforeseeable use made thereof, which liability is hereby excluded. Consequently, such use
is at the recipients own risk on the basis that any use by the recipient constitutes agreement to the terms of this disclaimer.
Te recipient is obliged to inform any subsequent recipient of such terms.
Copyright notice
Te contents of these pages are Te International Association of Oil and Gas Producers. Permission is given to
reproduce this report in whole or in part provided (i) that the copyright of OGP and (ii) the source are acknowledged.
All other rights are reserved. Any other use requires the prior written permission of the OGP.
Tese Terms and Conditions shall be governed by and construed in accordance with the laws of England and Wales.
Disputes arising here fom shall be exclusively subject to the jurisdiction of the courts of England and Wales.
Global experience
Te International Association of Oil & Gas Producers has access to a wealth of technical knowledge and
experience with its members operating around the world in many diferent terrains. We collate and distil
this valuable knowledge for the industry to use as guidelines for good practice by individual members.
Consistent high quality database and guidelines
Our overall aim is to ensure a consistent approach to training, management and best practice
throughout the world. Te oil and gas exploration and production industry recognises the need to
develop consistent databases and records in certain felds. Te OGPs members are encouraged to
use the guidelines as a starting point for their operations or to supplement their own policies and
regulations which may apply locally.
Internationally recognised source of industry information
Many of our guidelines have been recognised and used by international authorities and safety and
environmental bodies. Requests come from governments and non-government organisations around the
world as well as from non-member companies.
Publications
Revision history
Version Date Amendments
1 April 2014 First issued
Integrating security in major projects -
principles & guidelines
OGP Report No. 494
April 2014
ii
International Association of Oil and Gas Producers
OGP
Acknowledgements:
Tis document was produced by OGPs Security Committee.
iii
Integrating security in major projects - principles & guidelines
OGP
Contents
Introduction 1
Project management and security 1
1. Concept or initiation 2
2. Design and planning 4
3. Execution 6
4. Monitoring and control 7
5. Closure or look-back 8
iv
International Association of Oil and Gas Producers
OGP
C
o
n
c
e
p
t
D
e
s
i
g
n
E
x
e
c
u
t
i
o
n
M
o
n
i
t
o
r
i
n
g
L
o
o
k
b
a
c
k
Operations
C
o
m
m
i
s
s
i
o
n
i
n
g
C
o
u
n
t
r
y

t
h
r
e
a
t

a
n
a
l
y
s
i
s
R
i
s
k

a
s
s
e
s
s
m
e
n
t
L
o
c
a
l

s
e
c
u
r
i
t
y

s
u
r
v
e
y
N
e
w

a
s
s
e
s
s
m
e
n
t
C
h
a
n
g
e

i
n

t
h
r
e
a
t
s
S
e
c
u
r
i
t
y

p
o
l
i
c
y

r
e
q
u
i
r
e
m
e
n
t
s
S
e
c
u
r
i
t
y

r
e
q
u
i
r
e
m
e
n
t
s
A
m
e
n
d
m
e
n
t
s

t
o

s
e
c
u
r
i
t
y

p
l
a
n
?
P
r
o
j
e
c
t

s
e
c
u
r
i
t
y

p
l
a
n
S
u
b
-
c
o
n
t
r
a
c
t
o
r

s
e
c
u
r
i
t
y

p
l
a
n
C
o
n
t
r
a
c
t
o
r

s
e
c
u
r
i
t
y

p
l
a
n
P
r
o
j
e
c
t

s
e
c
u
r
i
t
y

g
u
i
d
e
l
i
n
e
s
1
Integrating security in major projects - principles & guidelines
OGP
Introduction
Project management & security
Troughout the oil and gas industry project management is a key and core skill, and critical for
successful development of mineral resources. Tere are multiple project management models and
methods, including individual processes developed for major operators as well as more generic, but
no less useful, systems for smaller partners. What all have in common is a methodical and planned
approach encompassing at least fve phases in a projects life cycle. Tese are:
Concept or initiation;
Design & planning;
Execution;
Monitoring & control; and
Closure or look-back.
For the purposes of this document we will use this fve-element model.
Traditionally, security considerations have been brought into projects at a late stage, or even afer the
commissioning of the completed facility. In recent years it has become increasingly apparent that there
are considerable benefts in terms of cost, efciency and reliability to be gained if security is integrated
into project management from the outset. Te industry has found that retro-ftting security hardware
is both costly and time-consuming, and that almost inevitably the results are less than satisfactory.
We strongly recommend that signifcant security risks and challenges should be factored in to early
project decisions, including the key decision on whether to proceed with a project or not. Failure to
appreciate, understand, or plan for signifcant security eventualities can have major repercussions
for a project and its owner, and will almost always lead to signifcant avoidable cost increases and
delay.
In this document we will set out best practice, based on actual experience, for integrating security
planning and execution into the project lifecycle.
Views expressed are those of the OGP Security Committee, and do not necessarily refect those of
individual member companies.
2
International Association of Oil and Gas Producers
OGP
1. Concept or initiation
1.1
Security planning for any major project should commence as early as possible in the project cycle. Te
level of security engagement will depend largely on the nature of the project, and on the geographical
location(s) in which it will be conducted. Te overriding purpose of integrating security provision and
planning is to ensure that the project can be completed without avoidable delay or additional costs. As
always, the priority for security planning is the protection of life and prevention of injury, followed by
the protection of the companys assets, reputation and property.
As a general guideline, the following points should always be considered when determining the level
of security engagement required in any given project:
Te location of the completed project;
Te location(s) of critical elements of the project, such as fabrication yards, and transportation
and supply chain routes;
Te availability of critical personnel or replacements for critical components or equipment;
Te size and composition of workforce required at various stages of the project;
Prevailing security conditions and threats in all of the above;
Criticality of the project to the company/ies concerned.
1.2
Having determined the factors to be considered in setting the level of security engagement in the
project, it is now helpful to conduct the frst assessment of security-related risks that could adversely
afect it. Risk assessment processes are adequately documented, and there are several methodologies to
choose from. Te selected one should include an acceptable method of identifying threats, assessing
the probability of a specifc threat afecting the project, and determining the impact on the project if
it does.
1.3
For major or complex projects early investment of time and efort is conducting a thorough assessment
of the prevailing threat environment surrounding all stages of the project should prove worthwhile.
Te better the project team, and those responsible for security, and the better their understanding of
real and potential security issues the better equipped they will be to mitigate them and complete the
project successfully.
1.4
Proper security planning depends on good risk assessment, followed by a clear understanding of what
measures are needed to reduce the threat, likelihood or impact of any given risk. Te most efective
tool for monitoring progress in this respect is a risk register. Diferent project managers have diferent
approaches to recording risks, sometimes in a number of diferent locations or registers. Experience
shows us that the ideal situation is for the most signifcant security risks, e.g. those which could cause
signifcant delay or additional cost, or have some other major impact, should be recorded in the main
project risk register, where they can be reviewed regularly by project decision-makers. Where this is
not possible, an acceptable alternative would be to maintain a specifc security risk register, but only
3
Integrating security in major projects - principles & guidelines
OGP
where the risk owner has either the authority to deal with the risk or has direct access to someone who
does. It is not advisable to incorporate security risks in sub-sets of other risk registers where they might
easily be overlooked.
1.5
Major projects can have a lifecycle of many years. Conditions and threats can and do change
considerably during the life of a project, but rarely should such changes be entirely unforeseen. To be
best prepared to meet changing security challenges an open-minded view of the threat environment
and associated risks is advised. Consequently, it may be that risks are reassessed periodically, or certain
trigger events can be identifed that initiate security risk reviews. We advise security professionals
engaged in projects to develop agreed mechanisms to reassess risks during each and every stage of the
process.
1.6
Efective security planning for major projects, and indeed in other industrial contexts, should have
the best interests of the business at its core. In short, efective security planning will enable the
business or project to succeed. To this end a rational appreciation of costs versus benefts should be
clearly understood by security professionals and by management of both the project owner and any
contractors involved. If the cost of security measures required ensuring the safety of personnel and
protection of assets exceeds the value to the company of the project concerned it is better to understand
this early in the planning cycle. For very high-value projects there may be complex considerations
of ongoing benefts that would make investment in security measures worthwhile, but in any case
the person responsible for security planning should be comfortable as a participant in the decision-
making process.
1.7
Opportunities for early participation of security designers or architects exist during the concept or
initiation phase of a project. Building in key features, such as safe-havens or access control equipment,
can save signifcant cost and disruption later, as can selection of materials and design of facilities.
1.8
Finally, in the initiation stage of a project consideration should be given to the development of security
management practices and procedures that allow for easy transition between the diferent stages of
a project, and eventual incorporation within the security framework of the facility operator. Tis
is best achieved through methodical documentation and reliance on common understanding of
security practice. To this end early liaison between those responsible for security at difering stages
and locations of the project can be seen as a sound investment of time and efort.
4
International Association of Oil and Gas Producers
OGP
2. Design & planning
2.1
Security risk assessment should be a constant activity throughout the life of a project. Considerations
may change periodically, but if done efectively during the concept and initiation phase the original
risk assessment should serve as a good foundation throughout. It can be adapted to meet specifc
circumstances, or to address specifc requirements at diferent phases of the project. For example, if
there is a fabrication phase in a project that will entail deployment of company personnel to a remote
location on a temporary basis, there may be a need to include an assessment of security risks to those
personnel in the overarching risk assessment document.
2.2
As a project progresses the need for active monitoring of security risks will become greater, and more
signifcant. Te recording and monitoring method developed in the initial project phase should
continue, and the ideal situation would be where signifcant security risks are monitored and updated
through the projects central risk register.
2.3
Te design phase of a project presents the best opportunity to include physical security considerations
in the most cost-efective manner. For example, anti-piracy measures can be built in to ofshore
platforms rather than added at a later date, or protective security measures can be designed into
critical process components. It is advisable to have an understanding of the cost elements involved,
and the likely diferences that would be encountered if necessary security measures needed to be
retro-ftted rather than installed at the construction phase. Likely cost-savings might be found in
amending the specifcation of materials in construction, utilisation of a planned workforce as opposed
to remobilising one at a later stage, or reduced loss of operational availability of a facility.
2.4
If security measures are considered appropriate, it is advisable to engage the services of qualifed and
experienced architects, engineers or designers with specialist security knowledge. Tese can ofen
defne accurately the specifcations of materials for the design of a facility with specifc risks in mind.
Specialisms can include blast and ballistic efect modeling where there is a risk of terrorism or violent
attack, perimeter construction, or anti-piracy measures.
2.5
Te design phase also allows for the inclusion of measures to reduce the impact of a security incident
should it occur; enhanced safety and life-support facilities for example. Ofen such facilities are
stipulated by international regulations, but there may be opportunities to enhance or amend the
specifcations to a level above the regulatory requirements. For example, provision of one safe haven
or citadel might be a requirement, but the risk assessment indicates that one or more additional safe
havens, perhaps smaller in scale would provide better protection for personnel in the event of an
emergency. Similarly, it might be preferable to build in facilities that would allow for shelter in place
for an extended period above the minimum specifed by regulations.
2.6
In a similar vein, inclusion of electronic devices and communication equipment, or wiring to facilitate
their use, should be considered at the design stage. Te ability to communicate with the outside world,
or to control or shut down a facility from inside a safe haven can signifcantly reduce the impact of a
major security incident.
5
Integrating security in major projects - principles & guidelines
OGP
2.7
With many facilities there is severe pressure on accommodation space when it becomes operational. If a
risk assessment indicates that addition of security personnel in certain circumstances might be needed
to reduce a risk, consideration can be given at the design stage to supplementary accommodation,
either permanent or temporary, being made available from time to time.
2.8
Te design and planning phase of a project is the time when thorough examination of project plans
can be made to identify requirements for specifc security plans at various stages of development and
execution of a project. For example, there may be a need to transport items to the project site that are
very difcult to replace, in which case attention should be given to security risks that could result
in the loss, damage or delay of the items concerned. Ofen such items might be large and require
seaborne transportation through hostile waters, in which case appropriate marine security plans
should be agreed with all parties concerned. Similarly, as mentioned in paragraph 2.1 above, there
may be fabrication yards in remote locations that produce critical items for the project. Security at
these locations would probably be the responsibility of the site managers, but there is an opportunity
to minimise risks to the project through security liaison and collaboration.
2.9
Another example of a project security risk that might need specifc planning and attention might
be supply chain fraud and integrity of components and materials. Major projects are attractive
opportunities for criminals or unscrupulous businesses seeking to make or maximise proft. Te
design and planning stage of a project should be the time when appropriate due diligence enquiries
are made on prospective suppliers, and the right audit and materials approval rights are built-in to
contracts to prevent fraud and material substitutions.
2.10
Tis collaboration can ofen be encouraged or facilitated by including security provisions in contracts
with suppliers, fabricators, and shippers. Capturing security provisions in contracts at the design
phase reduces confusion and confict at later stages, and consequently reduces unplanned cost and
delay. Typical inclusions in contracts to mandate security as a consideration can include a requirement
to share security plans and allow security audits, or to collaborate in the form of a security oversight
group made up of the companies concerned in the project. Te utility of these contractual agreements
cannot be overstated when it comes to executing projects in higher risk environments.
2.11
A signifcant risk to major projects is industrial unrest and labour relations. Tese can cause signifcant
delay and additional costs, as well as endangering individuals and reputations. It is advisable therefore
to include security planning in mobilisation and demobilisation plans at the planning stage.
2.12
Finally, the project planning stage is the appropriate time to consider long-term security provision
for the project facility and for its transfer to operational status once the project is concluded. It is
important that processes and equipment involved in security provision are compatible with the
security structures put in place by the eventual operator.
6
International Association of Oil and Gas Producers
OGP
3. Execution
3.1
Without doubt, the most demanding and complex period of any project is the execution phase. Tis
is when all the preparation and planning are put to the test, and when variations can occur at short
notice. Advice to security practitioners can be summarised briefy: review your previous assessments
and planning, and implement them. Consequently, this section of the document is short.
3.2
If recorded properly, security risks would be monitored both by security professionals and by the
project management team and any adjustments or remedial action would be generated by the risk
monitoring process. Te aim during a dynamic phase is always to reduce security risks to acceptable
levels by minimising or removing one or more of the three components: threat, likelihood or impact.
3.3
Deployment of a dedicated security professional as a member of the project team is desirable, but
not always possible. Across the industry there are examples of utilising non-security personnel as
the responsible person on a project, with appropriate support from the project company or project
management team. Tere are also examples of a security professional being deployed to cover security
together with other roles where they are qualifed and competent to do so. For example, a security
manager might also be responsible for travel, accommodation and logistics, or a supply chain manager
might also have the security portfolio. Te important factor is the project owners commitment to
the security of the project, and its successful and timely completion. If security has been properly
engaged during the concept and design and planning stages, the execution phase should present few
unexpected challenges. Where this has not been the case, and there are security risks, those responsible
for security in the project-owning company may need to condense all the steps recommended in the
early phases into the execution phase.
3.4
Apart from the ongoing risk assessment process and implementation of security plans, there may be
requirements in the execution phase to respond to changes, planned and unplanned, or to emergencies
or incidents. To that end, it is advisable to practice drills and procedures with security personnel, e.g.
guards, or government security forces as appropriate, bearing in mind local laws, company policies and
the provisions of the Voluntary Principles on Security and Human Rights as applicable. In addition,
it is important for the person responsible for security to be aware of developments on the project, and
of any circumstances that could afect the security risk assessment, for example dissatisfaction among
elements of the workforce. Tere should always be contingency plans in place to deal with arising
situations, ideally considered in advance and included in the overall security planning package. If this
is not the case, it is important that those responsible for security have the appropriate experience and
leadership to respond rationally and proportionally to the situation in question.
7
Integrating security in major projects - principles & guidelines
OGP
4. Monitoring & control
4.1
Te fourth phase of a project, for the purposes of this document the Monitoring & control phase, is
the period of consolidation and quality assurance that takes place between the execution of a project
and the commissioning of the fnished product. In many ways this can be a period of increased risk;
especially of there have been cost overruns or delays. It will also be the period in which unscrupulous
individuals may wish to cause delay in order to extend contracts or increase revenue, or to extract
additional benefts from the project owner. In any event, it is a time when security awareness and
vigilance should be maintained at an appropriate level.
4.2
Te risk assessment that has been constantly monitored and updated throughout the project remains
the key element to maintaining the correct security posture at this stage. Some risks will have been
eliminated, such as those pertaining to transportation and fabrication, while others, such as those
concerning workforce demobilisation or the physical protection of critical assets will come to the
fore. It is advisable to update security processes and procedures to meet changing risks, ideally in a
manner that is planned and designed to facilitate the transition from project to operational status of
the facility. As such, the operational security risk environment of the facility concerned becomes more
prominent and relevant to security planning and practice during this phase.
4.3
As the project prepares for the transition to operations, so the security function should also be
preparing for it. Tis might include inducting new personnel, or training security providers from the
operational facility on aspects of the project. If security assessment and planning has been conducted
as advised in this document there should be no untoward surprises and the transition will be smooth.
Where there is any kind of disconnect between the security elements of the project and the operation
it may be necessary to implement some remedial action to ensure the continued security of project
personnel and assets. Tis is especially true if the project is now located in a relatively high risk area
controlled by the operator, and protected by his security provisions. Te remedial action referred to
might include, for example, inclusion of the operators security function in project security meetings,
and vice-versa, or conducting a joint review of project and operation security procedures to ensure that
there are no unresolved conficts or contradictions.
4.4
Among the preparatory tasks for transition during this phase, the following are examples of the kinds
of issue that might be considered:
Defning and monitoring security performance metrics;
Developing ongoing standard operating procedures to aid full integration with the operation;
Adapting security plans to meet any remaining project deviations; and
Defning critical components of security infrastructure if changes are needed.
8
International Association of Oil and Gas Producers
OGP
5. Closure or look-back
5.1
Te fnal project phase entails bringing the project to a close, handing it over to the operation, and
reviewing each phase retrospectively to identify opportunities for improvements in future projects,
and to rectify any perceived faws in project planning or execution. It is advisable to follow this path
from the security perspective, as much as from any other.
5.2
One suggested method for achieving a comprehensive look-back is to reconvene the security oversight
group referred to in paragraph 2.10 above, or to capture feedback obtained from its members at the
relevant time. Tis, coupled with examination of risk assessments and any security incidents that
occurred would provide an efcient narrative against which to measure the efectiveness of the security
planning employed.
For further information and publications, please visit our website at:
www.ogp.org.uk
209-215 Blackfriars Road
London SE1 8NL
United Kingdom
Telephone: +44 (0)20 7633 0272
Fax: +44 (0)20 7633 2350
165 Bd du Souverain
4th Floor
B-1160 Brussels, Belgium
Telephone: +32 (0)2 566 9150
Fax: +32 (0)2 566 9159
Website: www.ogp.org.uk
e-mail: reception@ogp.org.uk
OGP is a global organisation that has been active for
nearly 40 years, facilitating continual improvement in
upstream (exploration and production) health safety and
environmental issues as well as improvements in engineering
and operations. OGP, with ofces in London and Brussels,
represents publicly-traded private and state-owned oil and gas
companies, feld service companies and industry associations.
Its members produce more than half of the worlds oil and
over one-third of its gas. More information about OGP
and the production of gas from shale can be found at:
http://www.ogp.org.uk
About us: