Integrating security in major projects -

principles & guidelines

OGP Report No. 494
April 2014

International Association of Oil and Gas Producers

Publications
Global experience
The International Association of Oil & Gas Producers has access to a wealth of technical knowledge and
experience with its members operating around the world in many different terrains. We collate and distil
this valuable knowledge for the industry to use as guidelines for good practice by individual members.

Consistent high quality database and guidelines

Our overall aim is to ensure a consistent approach to training, management and best practice
throughout the world. The oil and gas exploration and production industry recognises the need to
develop consistent databases and records in certain fields. The OGP’s members are encouraged to
use the guidelines as a starting point for their operations or to supplement their own policies and
regulations which may apply locally.

Internationally recognised source of industry information

Many of our guidelines have been recognised and used by international authorities and safety and
environmental bodies. Requests come from governments and non-government organisations around the
world as well as from non-member companies.

Disclaimer
Whilst every effort has been made to ensure the accuracy of the information contained in this publication, neither the
OGP nor any of its members past present or future warrants its accuracy or will, regardless of its or their negligence, assume
liability for any foreseeable or unforeseeable use made thereof, which liability is hereby excluded. Consequently, such use
is at the recipient’s own risk on the basis that any use by the recipient constitutes agreement to the terms of this disclaimer.
The recipient is obliged to inform any subsequent recipient of such terms.

Copyright notice
The contents of these pages are © The International Association of Oil and Gas Producers. Permission is given to
reproduce this report in whole or in part provided (i) that the copyright of OGP and (ii) the source are acknowledged.
All other rights are reserved. Any other use requires the prior written permission of the OGP.

These Terms and Conditions shall be governed by and construed in accordance with the laws of England and Wales.
Disputes arising here from shall be exclusively subject to the jurisdiction of the courts of England and Wales.
Integrating security in major projects -
principles & guidelines
OGP Report No. 494
April 2014

Revision history
Version Date Amendments
1 April 2014 First issued
International Association of Oil and Gas Producers

Acknowledgements:

This document was produced by OGP’s Security Committee.

ii © OGP
 Integrating security in major projects - principles & guidelines

Contents

Introduction 1

Project management and security 1

1. Concept or initiation 2

2. Design and planning 4

3. Execution 6

4. Monitoring and control 7

5. Closure or look-back 8

© OGP iii
iv
Concept Design Execution Monitoring Lookback
Commissioning

Country threat analysis Change in threats

International Association of Oil and Gas Producers

Risk assessment Local security survey New assessment

Amendments to security plan?

© OGP
Security policy requirements Security requirements

Project security guidelines Project security plan

Contractor security plan
Sub-contractor security plan
Operations
 Integrating security in major projects - principles & guidelines

Introduction

Project management & security

Throughout the oil and gas industry project management is a key and core skill, and critical for
successful development of mineral resources. There are multiple project management models and
methods, including individual processes developed for major operators as well as more generic, but
no less useful, systems for smaller partners. What all have in common is a methodical and planned
approach encompassing at least five phases in a project’s life cycle. These are:

• Concept or initiation;

• Design & planning;

• Execution;

• Monitoring & control; and

• Closure or look-back.
For the purposes of this document we will use this five-element model.

Traditionally, security considerations have been brought into projects at a late stage, or even after the
commissioning of the completed facility. In recent years it has become increasingly apparent that there
are considerable benefits in terms of cost, efficiency and reliability to be gained if security is integrated
into project management from the outset. The industry has found that retro-fitting security hardware
is both costly and time-consuming, and that almost inevitably the results are less than satisfactory.

We strongly recommend that significant security risks and challenges should be factored in to early
project decisions, including the key decision on whether to proceed with a project or not. Failure to
appreciate, understand, or plan for significant security eventualities can have major repercussions
for a project and its owner, and will almost always lead to significant avoidable cost increases and
delay.

In this document we will set out best practice, based on actual experience, for integrating security
planning and execution into the project lifecycle.

Views expressed are those of the OGP Security Committee, and do not necessarily reflect those of
individual member companies.

© OGP 1
International Association of Oil and Gas Producers

1. Concept or initiation

1.1
Security planning for any major project should commence as early as possible in the project cycle. The
level of security engagement will depend largely on the nature of the project, and on the geographical
location(s) in which it will be conducted. The overriding purpose of integrating security provision and
planning is to ensure that the project can be completed without avoidable delay or additional costs. As
always, the priority for security planning is the protection of life and prevention of injury, followed by
the protection of the company’s assets, reputation and property.

As a general guideline, the following points should always be considered when determining the level
of security engagement required in any given project:

• The location of the completed project;

• The location(s) of critical elements of the project, such as fabrication yards, and transportation
and supply chain routes;

• The availability of critical personnel or replacements for critical components or equipment;

• The size and composition of workforce required at various stages of the project;

• Prevailing security conditions and threats in all of the above;

• Criticality of the project to the company/ies concerned.

1.2
Having determined the factors to be considered in setting the level of security engagement in the
project, it is now helpful to conduct the first assessment of security-related risks that could adversely
affect it. Risk assessment processes are adequately documented, and there are several methodologies to
choose from. The selected one should include an acceptable method of identifying threats, assessing
the probability of a specific threat affecting the project, and determining the impact on the project if
it does.

1.3
For major or complex projects early investment of time and effort is conducting a thorough assessment
of the prevailing threat environment surrounding all stages of the project should prove worthwhile.
The better the project team, and those responsible for security, and the better their understanding of
real and potential security issues the better equipped they will be to mitigate them and complete the
project successfully.

1.4
Proper security planning depends on good risk assessment, followed by a clear understanding of what
measures are needed to reduce the threat, likelihood or impact of any given risk. The most effective
tool for monitoring progress in this respect is a risk register. Different project managers have different
approaches to recording risks, sometimes in a number of different locations or registers. Experience
shows us that the ideal situation is for the most significant security risks, e.g. those which could cause
significant delay or additional cost, or have some other major impact, should be recorded in the main
project risk register, where they can be reviewed regularly by project decision-makers. Where this is
not possible, an acceptable alternative would be to maintain a specific security risk register, but only

2 © OGP
 Integrating security in major projects - principles & guidelines

where the risk owner has either the authority to deal with the risk or has direct access to someone who
does. It is not advisable to incorporate security risks in sub-sets of other risk registers where they might
easily be overlooked.

1.5
Major projects can have a lifecycle of many years. Conditions and threats can and do change
considerably during the life of a project, but rarely should such changes be entirely unforeseen. To be
best prepared to meet changing security challenges an open-minded view of the threat environment
and associated risks is advised. Consequently, it may be that risks are reassessed periodically, or certain
trigger events can be identified that initiate security risk reviews. We advise security professionals
engaged in projects to develop agreed mechanisms to reassess risks during each and every stage of the
process.

1.6
Effective security planning for major projects, and indeed in other industrial contexts, should have
the best interests of the business at its core. In short, effective security planning will enable the
business or project to succeed. To this end a rational appreciation of costs versus benefits should be
clearly understood by security professionals and by management of both the project owner and any
contractors involved. If the cost of security measures required ensuring the safety of personnel and
protection of assets exceeds the value to the company of the project concerned it is better to understand
this early in the planning cycle. For very high-value projects there may be complex considerations
of ongoing benefits that would make investment in security measures worthwhile, but in any case
the person responsible for security planning should be comfortable as a participant in the decision-
making process.

1.7
Opportunities for early participation of security designers or architects exist during the concept or
initiation phase of a project. Building in key features, such as safe-havens or access control equipment,
can save significant cost and disruption later, as can selection of materials and design of facilities.

1.8
Finally, in the initiation stage of a project consideration should be given to the development of security
management practices and procedures that allow for easy transition between the different stages of
a project, and eventual incorporation within the security framework of the facility operator. This
is best achieved through methodical documentation and reliance on common understanding of
security practice. To this end early liaison between those responsible for security at differing stages
and locations of the project can be seen as a sound investment of time and effort.

© OGP 3
International Association of Oil and Gas Producers

2. Design & planning

2.1
Security risk assessment should be a constant activity throughout the life of a project. Considerations
may change periodically, but if done effectively during the concept and initiation phase the original
risk assessment should serve as a good foundation throughout. It can be adapted to meet specific
circumstances, or to address specific requirements at different phases of the project. For example, if
there is a fabrication phase in a project that will entail deployment of company personnel to a remote
location on a temporary basis, there may be a need to include an assessment of security risks to those
personnel in the overarching risk assessment document.

2.2
As a project progresses the need for active monitoring of security risks will become greater, and more
significant. The recording and monitoring method developed in the initial project phase should
continue, and the ideal situation would be where significant security risks are monitored and updated
through the project’s central risk register.

2.3
The design phase of a project presents the best opportunity to include physical security considerations
in the most cost-effective manner. For example, anti-piracy measures can be built in to offshore
platforms rather than added at a later date, or protective security measures can be designed into
critical process components. It is advisable to have an understanding of the cost elements involved,
and the likely differences that would be encountered if necessary security measures needed to be
retro-fitted rather than installed at the construction phase. Likely cost-savings might be found in
amending the specification of materials in construction, utilisation of a planned workforce as opposed
to remobilising one at a later stage, or reduced loss of operational availability of a facility.

2.4
If security measures are considered appropriate, it is advisable to engage the services of qualified and
experienced architects, engineers or designers with specialist security knowledge. These can often
define accurately the specifications of materials for the design of a facility with specific risks in mind.
Specialisms can include blast and ballistic effect modeling where there is a risk of terrorism or violent
attack, perimeter construction, or anti-piracy measures.

2.5
The design phase also allows for the inclusion of measures to reduce the impact of a security incident
should it occur; enhanced safety and life-support facilities for example. Often such facilities are
stipulated by international regulations, but there may be opportunities to enhance or amend the
specifications to a level above the regulatory requirements. For example, provision of one safe haven
or citadel might be a requirement, but the risk assessment indicates that one or more additional safe
havens, perhaps smaller in scale would provide better protection for personnel in the event of an
emergency. Similarly, it might be preferable to build in facilities that would allow for shelter in place
for an extended period above the minimum specified by regulations.

2.6
In a similar vein, inclusion of electronic devices and communication equipment, or wiring to facilitate
their use, should be considered at the design stage. The ability to communicate with the outside world,
or to control or shut down a facility from inside a safe haven can significantly reduce the impact of a
major security incident.

4 © OGP
 Integrating security in major projects - principles & guidelines

2.7
With many facilities there is severe pressure on accommodation space when it becomes operational. If a
risk assessment indicates that addition of security personnel in certain circumstances might be needed
to reduce a risk, consideration can be given at the design stage to supplementary accommodation,
either permanent or temporary, being made available from time to time.

2.8
The design and planning phase of a project is the time when thorough examination of project plans
can be made to identify requirements for specific security plans at various stages of development and
execution of a project. For example, there may be a need to transport items to the project site that are
very difficult to replace, in which case attention should be given to security risks that could result
in the loss, damage or delay of the items concerned. Often such items might be large and require
seaborne transportation through hostile waters, in which case appropriate marine security plans
should be agreed with all parties concerned. Similarly, as mentioned in paragraph 2.1 above, there
may be fabrication yards in remote locations that produce critical items for the project. Security at
these locations would probably be the responsibility of the site managers, but there is an opportunity
to minimise risks to the project through security liaison and collaboration.

2.9
Another example of a project security risk that might need specific planning and attention might
be supply chain fraud and integrity of components and materials. Major projects are attractive
opportunities for criminals or unscrupulous businesses seeking to make or maximise profit. The
design and planning stage of a project should be the time when appropriate due diligence enquiries
are made on prospective suppliers, and the right audit and materials approval rights are built-in to
contracts to prevent fraud and material substitutions.

2.10
This collaboration can often be encouraged or facilitated by including security provisions in contracts
with suppliers, fabricators, and shippers. Capturing security provisions in contracts at the design
phase reduces confusion and conflict at later stages, and consequently reduces unplanned cost and
delay. Typical inclusions in contracts to mandate security as a consideration can include a requirement
to share security plans and allow security audits, or to collaborate in the form of a security oversight
group made up of the companies concerned in the project. The utility of these contractual agreements
cannot be overstated when it comes to executing projects in higher risk environments.

2.11
A significant risk to major projects is industrial unrest and labour relations. These can cause significant
delay and additional costs, as well as endangering individuals and reputations. It is advisable therefore
to include security planning in mobilisation and demobilisation plans at the planning stage.

2.12
Finally, the project planning stage is the appropriate time to consider long-term security provision
for the project facility and for its transfer to operational status once the project is concluded. It is
important that processes and equipment involved in security provision are compatible with the
security structures put in place by the eventual operator.

© OGP 5
International Association of Oil and Gas Producers

3. Execution

3.1
Without doubt, the most demanding and complex period of any project is the execution phase. This
is when all the preparation and planning are put to the test, and when variations can occur at short
notice. Advice to security practitioners can be summarised briefly: review your previous assessments
and planning, and implement them. Consequently, this section of the document is short.

3.2
If recorded properly, security risks would be monitored both by security professionals and by the
project management team and any adjustments or remedial action would be generated by the risk
monitoring process. The aim during a dynamic phase is always to reduce security risks to acceptable
levels by minimising or removing one or more of the three components: threat, likelihood or impact.

3.3
Deployment of a dedicated security professional as a member of the project team is desirable, but
not always possible. Across the industry there are examples of utilising non-security personnel as
the responsible person on a project, with appropriate support from the project company or project
management team. There are also examples of a security professional being deployed to cover security
together with other roles where they are qualified and competent to do so. For example, a security
manager might also be responsible for travel, accommodation and logistics, or a supply chain manager
might also have the security portfolio. The important factor is the project owner’s commitment to
the security of the project, and its successful and timely completion. If security has been properly
engaged during the concept and design and planning stages, the execution phase should present few
unexpected challenges. Where this has not been the case, and there are security risks, those responsible
for security in the project-owning company may need to condense all the steps recommended in the
early phases into the execution phase.

3.4
Apart from the ongoing risk assessment process and implementation of security plans, there may be
requirements in the execution phase to respond to changes, planned and unplanned, or to emergencies
or incidents. To that end, it is advisable to practice drills and procedures with security personnel, e.g.
guards, or government security forces as appropriate, bearing in mind local laws, company policies and
the provisions of the Voluntary Principles on Security and Human Rights as applicable. In addition,
it is important for the person responsible for security to be aware of developments on the project, and
of any circumstances that could affect the security risk assessment, for example dissatisfaction among
elements of the workforce. There should always be contingency plans in place to deal with arising
situations, ideally considered in advance and included in the overall security planning package. If this
is not the case, it is important that those responsible for security have the appropriate experience and
leadership to respond rationally and proportionally to the situation in question.

6 © OGP
 Integrating security in major projects - principles & guidelines

4. Monitoring & control

4.1
The fourth phase of a project, for the purposes of this document the Monitoring & control phase, is
the period of consolidation and quality assurance that takes place between the execution of a project
and the commissioning of the finished product. In many ways this can be a period of increased risk;
especially of there have been cost overruns or delays. It will also be the period in which unscrupulous
individuals may wish to cause delay in order to extend contracts or increase revenue, or to extract
additional benefits from the project owner. In any event, it is a time when security awareness and
vigilance should be maintained at an appropriate level.

4.2
The risk assessment that has been constantly monitored and updated throughout the project remains
the key element to maintaining the correct security posture at this stage. Some risks will have been
eliminated, such as those pertaining to transportation and fabrication, while others, such as those
concerning workforce demobilisation or the physical protection of critical assets will come to the
fore. It is advisable to update security processes and procedures to meet changing risks, ideally in a
manner that is planned and designed to facilitate the transition from project to operational status of
the facility. As such, the operational security risk environment of the facility concerned becomes more
prominent and relevant to security planning and practice during this phase.

4.3
As the project prepares for the transition to operations, so the security function should also be
preparing for it. This might include inducting new personnel, or training security providers from the
operational facility on aspects of the project. If security assessment and planning has been conducted
as advised in this document there should be no untoward surprises and the transition will be smooth.
Where there is any kind of disconnect between the security elements of the project and the operation
it may be necessary to implement some remedial action to ensure the continued security of project
personnel and assets. This is especially true if the project is now located in a relatively high risk area
controlled by the operator, and protected by his security provisions. The remedial action referred to
might include, for example, inclusion of the operator’s security function in project security meetings,
and vice-versa, or conducting a joint review of project and operation security procedures to ensure that
there are no unresolved conflicts or contradictions.

4.4
Among the preparatory tasks for transition during this phase, the following are examples of the kinds
of issue that might be considered:

• Defining and monitoring security performance metrics;

• Developing ongoing standard operating procedures to aid full integration with the operation;

• Adapting security plans to meet any remaining project deviations; and

• Defining critical components of security infrastructure if changes are needed.

© OGP 7
International Association of Oil and Gas Producers

5. Closure or look-back

5.1
The final project phase entails bringing the project to a close, handing it over to the operation, and
reviewing each phase retrospectively to identify opportunities for improvements in future projects,
and to rectify any perceived flaws in project planning or execution. It is advisable to follow this path
from the security perspective, as much as from any other.

5.2
One suggested method for achieving a comprehensive look-back is to reconvene the security oversight
group referred to in paragraph 2.10 above, or to capture feedback obtained from its members at the
relevant time. This, coupled with examination of risk assessments and any security incidents that
occurred would provide an efficient narrative against which to measure the effectiveness of the security
planning employed.

8 © OGP
For further information and publications, please visit our website at:

www.ogp.org.uk
About us:

OGP is a global organisation that has been active for 209-215 Blackfriars Road
London SE1 8NL
nearly 40 years, facilitating continual improvement in United Kingdom
upstream (exploration and production) health safety and Telephone: +44 (0)20 7633 0272
Fax: +44 (0)20 7633 2350
environmental issues as well as improvements in engineering
and operations. OGP, with offices in London and Brussels, 165 Bd du Souverain
represents publicly-traded private and state-owned oil and gas 4th Floor
B-1160 Brussels, Belgium
companies, field service companies and industry associations. Telephone: +32 (0)2 566 9150
Its members produce more than half of the world’s oil and Fax: +32 (0)2 566 9159

over one-third of its gas. More information about OGP Website: www.ogp.org.uk
and the production of gas from shale can be found at: e-mail: [email protected]
http://www.ogp.org.uk