OGP Report No. 494 April 2014 International Association of Oil and Gas Producers Disclaimer Whilst every efort has been made to ensure the accuracy of the information contained in this publication, neither the OGP nor any of its members past present or future warrants its accuracy or will, regardless of its or their negligence, assume liability for any foreseeable or unforeseeable use made thereof, which liability is hereby excluded. Consequently, such use is at the recipients own risk on the basis that any use by the recipient constitutes agreement to the terms of this disclaimer. Te recipient is obliged to inform any subsequent recipient of such terms. Copyright notice Te contents of these pages are Te International Association of Oil and Gas Producers. Permission is given to reproduce this report in whole or in part provided (i) that the copyright of OGP and (ii) the source are acknowledged. All other rights are reserved. Any other use requires the prior written permission of the OGP. Tese Terms and Conditions shall be governed by and construed in accordance with the laws of England and Wales. Disputes arising here fom shall be exclusively subject to the jurisdiction of the courts of England and Wales. Global experience Te International Association of Oil & Gas Producers has access to a wealth of technical knowledge and experience with its members operating around the world in many diferent terrains. We collate and distil this valuable knowledge for the industry to use as guidelines for good practice by individual members. Consistent high quality database and guidelines Our overall aim is to ensure a consistent approach to training, management and best practice throughout the world. Te oil and gas exploration and production industry recognises the need to develop consistent databases and records in certain felds. Te OGPs members are encouraged to use the guidelines as a starting point for their operations or to supplement their own policies and regulations which may apply locally. Internationally recognised source of industry information Many of our guidelines have been recognised and used by international authorities and safety and environmental bodies. Requests come from governments and non-government organisations around the world as well as from non-member companies. Publications Revision history Version Date Amendments 1 April 2014 First issued Integrating security in major projects - principles & guidelines OGP Report No. 494 April 2014 ii International Association of Oil and Gas Producers OGP Acknowledgements: Tis document was produced by OGPs Security Committee. iii Integrating security in major projects - principles & guidelines OGP Contents Introduction 1 Project management and security 1 1. Concept or initiation 2 2. Design and planning 4 3. Execution 6 4. Monitoring and control 7 5. Closure or look-back 8 iv International Association of Oil and Gas Producers OGP C o n c e p t D e s i g n E x e c u t i o n M o n i t o r i n g L o o k b a c k Operations C o m m i s s i o n i n g C o u n t r y
t h r e a t
a n a l y s i s R i s k
a s s e s s m e n t L o c a l
s e c u r i t y
s u r v e y N e w
a s s e s s m e n t C h a n g e
i n
t h r e a t s S e c u r i t y
p o l i c y
r e q u i r e m e n t s S e c u r i t y
r e q u i r e m e n t s A m e n d m e n t s
t o
s e c u r i t y
p l a n ? P r o j e c t
s e c u r i t y
p l a n S u b - c o n t r a c t o r
s e c u r i t y
p l a n C o n t r a c t o r
s e c u r i t y
p l a n P r o j e c t
s e c u r i t y
g u i d e l i n e s 1 Integrating security in major projects - principles & guidelines OGP Introduction Project management & security Troughout the oil and gas industry project management is a key and core skill, and critical for successful development of mineral resources. Tere are multiple project management models and methods, including individual processes developed for major operators as well as more generic, but no less useful, systems for smaller partners. What all have in common is a methodical and planned approach encompassing at least fve phases in a projects life cycle. Tese are: Concept or initiation; Design & planning; Execution; Monitoring & control; and Closure or look-back. For the purposes of this document we will use this fve-element model. Traditionally, security considerations have been brought into projects at a late stage, or even afer the commissioning of the completed facility. In recent years it has become increasingly apparent that there are considerable benefts in terms of cost, efciency and reliability to be gained if security is integrated into project management from the outset. Te industry has found that retro-ftting security hardware is both costly and time-consuming, and that almost inevitably the results are less than satisfactory. We strongly recommend that signifcant security risks and challenges should be factored in to early project decisions, including the key decision on whether to proceed with a project or not. Failure to appreciate, understand, or plan for signifcant security eventualities can have major repercussions for a project and its owner, and will almost always lead to signifcant avoidable cost increases and delay. In this document we will set out best practice, based on actual experience, for integrating security planning and execution into the project lifecycle. Views expressed are those of the OGP Security Committee, and do not necessarily refect those of individual member companies. 2 International Association of Oil and Gas Producers OGP 1. Concept or initiation 1.1 Security planning for any major project should commence as early as possible in the project cycle. Te level of security engagement will depend largely on the nature of the project, and on the geographical location(s) in which it will be conducted. Te overriding purpose of integrating security provision and planning is to ensure that the project can be completed without avoidable delay or additional costs. As always, the priority for security planning is the protection of life and prevention of injury, followed by the protection of the companys assets, reputation and property. As a general guideline, the following points should always be considered when determining the level of security engagement required in any given project: Te location of the completed project; Te location(s) of critical elements of the project, such as fabrication yards, and transportation and supply chain routes; Te availability of critical personnel or replacements for critical components or equipment; Te size and composition of workforce required at various stages of the project; Prevailing security conditions and threats in all of the above; Criticality of the project to the company/ies concerned. 1.2 Having determined the factors to be considered in setting the level of security engagement in the project, it is now helpful to conduct the frst assessment of security-related risks that could adversely afect it. Risk assessment processes are adequately documented, and there are several methodologies to choose from. Te selected one should include an acceptable method of identifying threats, assessing the probability of a specifc threat afecting the project, and determining the impact on the project if it does. 1.3 For major or complex projects early investment of time and efort is conducting a thorough assessment of the prevailing threat environment surrounding all stages of the project should prove worthwhile. Te better the project team, and those responsible for security, and the better their understanding of real and potential security issues the better equipped they will be to mitigate them and complete the project successfully. 1.4 Proper security planning depends on good risk assessment, followed by a clear understanding of what measures are needed to reduce the threat, likelihood or impact of any given risk. Te most efective tool for monitoring progress in this respect is a risk register. Diferent project managers have diferent approaches to recording risks, sometimes in a number of diferent locations or registers. Experience shows us that the ideal situation is for the most signifcant security risks, e.g. those which could cause signifcant delay or additional cost, or have some other major impact, should be recorded in the main project risk register, where they can be reviewed regularly by project decision-makers. Where this is not possible, an acceptable alternative would be to maintain a specifc security risk register, but only 3 Integrating security in major projects - principles & guidelines OGP where the risk owner has either the authority to deal with the risk or has direct access to someone who does. It is not advisable to incorporate security risks in sub-sets of other risk registers where they might easily be overlooked. 1.5 Major projects can have a lifecycle of many years. Conditions and threats can and do change considerably during the life of a project, but rarely should such changes be entirely unforeseen. To be best prepared to meet changing security challenges an open-minded view of the threat environment and associated risks is advised. Consequently, it may be that risks are reassessed periodically, or certain trigger events can be identifed that initiate security risk reviews. We advise security professionals engaged in projects to develop agreed mechanisms to reassess risks during each and every stage of the process. 1.6 Efective security planning for major projects, and indeed in other industrial contexts, should have the best interests of the business at its core. In short, efective security planning will enable the business or project to succeed. To this end a rational appreciation of costs versus benefts should be clearly understood by security professionals and by management of both the project owner and any contractors involved. If the cost of security measures required ensuring the safety of personnel and protection of assets exceeds the value to the company of the project concerned it is better to understand this early in the planning cycle. For very high-value projects there may be complex considerations of ongoing benefts that would make investment in security measures worthwhile, but in any case the person responsible for security planning should be comfortable as a participant in the decision- making process. 1.7 Opportunities for early participation of security designers or architects exist during the concept or initiation phase of a project. Building in key features, such as safe-havens or access control equipment, can save signifcant cost and disruption later, as can selection of materials and design of facilities. 1.8 Finally, in the initiation stage of a project consideration should be given to the development of security management practices and procedures that allow for easy transition between the diferent stages of a project, and eventual incorporation within the security framework of the facility operator. Tis is best achieved through methodical documentation and reliance on common understanding of security practice. To this end early liaison between those responsible for security at difering stages and locations of the project can be seen as a sound investment of time and efort. 4 International Association of Oil and Gas Producers OGP 2. Design & planning 2.1 Security risk assessment should be a constant activity throughout the life of a project. Considerations may change periodically, but if done efectively during the concept and initiation phase the original risk assessment should serve as a good foundation throughout. It can be adapted to meet specifc circumstances, or to address specifc requirements at diferent phases of the project. For example, if there is a fabrication phase in a project that will entail deployment of company personnel to a remote location on a temporary basis, there may be a need to include an assessment of security risks to those personnel in the overarching risk assessment document. 2.2 As a project progresses the need for active monitoring of security risks will become greater, and more signifcant. Te recording and monitoring method developed in the initial project phase should continue, and the ideal situation would be where signifcant security risks are monitored and updated through the projects central risk register. 2.3 Te design phase of a project presents the best opportunity to include physical security considerations in the most cost-efective manner. For example, anti-piracy measures can be built in to ofshore platforms rather than added at a later date, or protective security measures can be designed into critical process components. It is advisable to have an understanding of the cost elements involved, and the likely diferences that would be encountered if necessary security measures needed to be retro-ftted rather than installed at the construction phase. Likely cost-savings might be found in amending the specifcation of materials in construction, utilisation of a planned workforce as opposed to remobilising one at a later stage, or reduced loss of operational availability of a facility. 2.4 If security measures are considered appropriate, it is advisable to engage the services of qualifed and experienced architects, engineers or designers with specialist security knowledge. Tese can ofen defne accurately the specifcations of materials for the design of a facility with specifc risks in mind. Specialisms can include blast and ballistic efect modeling where there is a risk of terrorism or violent attack, perimeter construction, or anti-piracy measures. 2.5 Te design phase also allows for the inclusion of measures to reduce the impact of a security incident should it occur; enhanced safety and life-support facilities for example. Ofen such facilities are stipulated by international regulations, but there may be opportunities to enhance or amend the specifcations to a level above the regulatory requirements. For example, provision of one safe haven or citadel might be a requirement, but the risk assessment indicates that one or more additional safe havens, perhaps smaller in scale would provide better protection for personnel in the event of an emergency. Similarly, it might be preferable to build in facilities that would allow for shelter in place for an extended period above the minimum specifed by regulations. 2.6 In a similar vein, inclusion of electronic devices and communication equipment, or wiring to facilitate their use, should be considered at the design stage. Te ability to communicate with the outside world, or to control or shut down a facility from inside a safe haven can signifcantly reduce the impact of a major security incident. 5 Integrating security in major projects - principles & guidelines OGP 2.7 With many facilities there is severe pressure on accommodation space when it becomes operational. If a risk assessment indicates that addition of security personnel in certain circumstances might be needed to reduce a risk, consideration can be given at the design stage to supplementary accommodation, either permanent or temporary, being made available from time to time. 2.8 Te design and planning phase of a project is the time when thorough examination of project plans can be made to identify requirements for specifc security plans at various stages of development and execution of a project. For example, there may be a need to transport items to the project site that are very difcult to replace, in which case attention should be given to security risks that could result in the loss, damage or delay of the items concerned. Ofen such items might be large and require seaborne transportation through hostile waters, in which case appropriate marine security plans should be agreed with all parties concerned. Similarly, as mentioned in paragraph 2.1 above, there may be fabrication yards in remote locations that produce critical items for the project. Security at these locations would probably be the responsibility of the site managers, but there is an opportunity to minimise risks to the project through security liaison and collaboration. 2.9 Another example of a project security risk that might need specifc planning and attention might be supply chain fraud and integrity of components and materials. Major projects are attractive opportunities for criminals or unscrupulous businesses seeking to make or maximise proft. Te design and planning stage of a project should be the time when appropriate due diligence enquiries are made on prospective suppliers, and the right audit and materials approval rights are built-in to contracts to prevent fraud and material substitutions. 2.10 Tis collaboration can ofen be encouraged or facilitated by including security provisions in contracts with suppliers, fabricators, and shippers. Capturing security provisions in contracts at the design phase reduces confusion and confict at later stages, and consequently reduces unplanned cost and delay. Typical inclusions in contracts to mandate security as a consideration can include a requirement to share security plans and allow security audits, or to collaborate in the form of a security oversight group made up of the companies concerned in the project. Te utility of these contractual agreements cannot be overstated when it comes to executing projects in higher risk environments. 2.11 A signifcant risk to major projects is industrial unrest and labour relations. Tese can cause signifcant delay and additional costs, as well as endangering individuals and reputations. It is advisable therefore to include security planning in mobilisation and demobilisation plans at the planning stage. 2.12 Finally, the project planning stage is the appropriate time to consider long-term security provision for the project facility and for its transfer to operational status once the project is concluded. It is important that processes and equipment involved in security provision are compatible with the security structures put in place by the eventual operator. 6 International Association of Oil and Gas Producers OGP 3. Execution 3.1 Without doubt, the most demanding and complex period of any project is the execution phase. Tis is when all the preparation and planning are put to the test, and when variations can occur at short notice. Advice to security practitioners can be summarised briefy: review your previous assessments and planning, and implement them. Consequently, this section of the document is short. 3.2 If recorded properly, security risks would be monitored both by security professionals and by the project management team and any adjustments or remedial action would be generated by the risk monitoring process. Te aim during a dynamic phase is always to reduce security risks to acceptable levels by minimising or removing one or more of the three components: threat, likelihood or impact. 3.3 Deployment of a dedicated security professional as a member of the project team is desirable, but not always possible. Across the industry there are examples of utilising non-security personnel as the responsible person on a project, with appropriate support from the project company or project management team. Tere are also examples of a security professional being deployed to cover security together with other roles where they are qualifed and competent to do so. For example, a security manager might also be responsible for travel, accommodation and logistics, or a supply chain manager might also have the security portfolio. Te important factor is the project owners commitment to the security of the project, and its successful and timely completion. If security has been properly engaged during the concept and design and planning stages, the execution phase should present few unexpected challenges. Where this has not been the case, and there are security risks, those responsible for security in the project-owning company may need to condense all the steps recommended in the early phases into the execution phase. 3.4 Apart from the ongoing risk assessment process and implementation of security plans, there may be requirements in the execution phase to respond to changes, planned and unplanned, or to emergencies or incidents. To that end, it is advisable to practice drills and procedures with security personnel, e.g. guards, or government security forces as appropriate, bearing in mind local laws, company policies and the provisions of the Voluntary Principles on Security and Human Rights as applicable. In addition, it is important for the person responsible for security to be aware of developments on the project, and of any circumstances that could afect the security risk assessment, for example dissatisfaction among elements of the workforce. Tere should always be contingency plans in place to deal with arising situations, ideally considered in advance and included in the overall security planning package. If this is not the case, it is important that those responsible for security have the appropriate experience and leadership to respond rationally and proportionally to the situation in question. 7 Integrating security in major projects - principles & guidelines OGP 4. Monitoring & control 4.1 Te fourth phase of a project, for the purposes of this document the Monitoring & control phase, is the period of consolidation and quality assurance that takes place between the execution of a project and the commissioning of the fnished product. In many ways this can be a period of increased risk; especially of there have been cost overruns or delays. It will also be the period in which unscrupulous individuals may wish to cause delay in order to extend contracts or increase revenue, or to extract additional benefts from the project owner. In any event, it is a time when security awareness and vigilance should be maintained at an appropriate level. 4.2 Te risk assessment that has been constantly monitored and updated throughout the project remains the key element to maintaining the correct security posture at this stage. Some risks will have been eliminated, such as those pertaining to transportation and fabrication, while others, such as those concerning workforce demobilisation or the physical protection of critical assets will come to the fore. It is advisable to update security processes and procedures to meet changing risks, ideally in a manner that is planned and designed to facilitate the transition from project to operational status of the facility. As such, the operational security risk environment of the facility concerned becomes more prominent and relevant to security planning and practice during this phase. 4.3 As the project prepares for the transition to operations, so the security function should also be preparing for it. Tis might include inducting new personnel, or training security providers from the operational facility on aspects of the project. If security assessment and planning has been conducted as advised in this document there should be no untoward surprises and the transition will be smooth. Where there is any kind of disconnect between the security elements of the project and the operation it may be necessary to implement some remedial action to ensure the continued security of project personnel and assets. Tis is especially true if the project is now located in a relatively high risk area controlled by the operator, and protected by his security provisions. Te remedial action referred to might include, for example, inclusion of the operators security function in project security meetings, and vice-versa, or conducting a joint review of project and operation security procedures to ensure that there are no unresolved conficts or contradictions. 4.4 Among the preparatory tasks for transition during this phase, the following are examples of the kinds of issue that might be considered: Defning and monitoring security performance metrics; Developing ongoing standard operating procedures to aid full integration with the operation; Adapting security plans to meet any remaining project deviations; and Defning critical components of security infrastructure if changes are needed. 8 International Association of Oil and Gas Producers OGP 5. Closure or look-back 5.1 Te fnal project phase entails bringing the project to a close, handing it over to the operation, and reviewing each phase retrospectively to identify opportunities for improvements in future projects, and to rectify any perceived faws in project planning or execution. It is advisable to follow this path from the security perspective, as much as from any other. 5.2 One suggested method for achieving a comprehensive look-back is to reconvene the security oversight group referred to in paragraph 2.10 above, or to capture feedback obtained from its members at the relevant time. Tis, coupled with examination of risk assessments and any security incidents that occurred would provide an efcient narrative against which to measure the efectiveness of the security planning employed. For further information and publications, please visit our website at: www.ogp.org.uk 209-215 Blackfriars Road London SE1 8NL United Kingdom Telephone: +44 (0)20 7633 0272 Fax: +44 (0)20 7633 2350 165 Bd du Souverain 4th Floor B-1160 Brussels, Belgium Telephone: +32 (0)2 566 9150 Fax: +32 (0)2 566 9159 Website: www.ogp.org.uk e-mail: reception@ogp.org.uk OGP is a global organisation that has been active for nearly 40 years, facilitating continual improvement in upstream (exploration and production) health safety and environmental issues as well as improvements in engineering and operations. OGP, with ofces in London and Brussels, represents publicly-traded private and state-owned oil and gas companies, feld service companies and industry associations. Its members produce more than half of the worlds oil and over one-third of its gas. More information about OGP and the production of gas from shale can be found at: http://www.ogp.org.uk About us:
PMP Exam Prep: Master the Latest Techniques and Trends with this In-depth Project Management Professional Guide: Study Guide | Real-life PMP Questions and Detailed Explanation | 200+ Questions and Answers
The Complete Project Management Exam Checklist: 500 Practical Questions & Answers for Exam Preparation and Professional Certification: 500 Practical Questions & Answers for Exam Preparation and Professional Certification
The PMP Project Management Professional Certification Exam Study Guide - PMBOK Seventh 7th Edition: Proven Methods to Pass the PMP Exam With Confidence - Complete Practice Tests With Answers