SPE 108621

Development of a Security Process To Meet the Requirements of Oil and Gas

Companies in the Asia Pacific Region
Matthew Quin, Chevron

Copyright 2007, Society of Petroleum Engineers

This paper was prepared for presentation at the SPE Asia Pacific Health, Safety, Security and
Environment Conference and Exhibition held in Bangkok, Thailand, 1012 September 2007.
This paper was selected for presentation by an SPE Program Committee following review of
information contained in an abstract submitted by the author(s). Contents of the paper, as
presented, have not been reviewed by the Society of Petroleum Engineers and are subject to
correction by the author(s). The material, as presented, does not necessarily reflect any
position of the Society of Petroleum Engineers, its officers, or members. Papers presented at
SPE meetings are subject to publication review by Editorial Committees of the Society of
Petroleum Engineers. Electronic reproduction, distribution, or storage of any part of this paper
for commercial purposes without the written consent of the Society of Petroleum Engineers is
prohibited. Permission to reproduce in print is restricted to an abstract of not more than
300 words; illustrations may not be copied. The abstract must contain conspicuous
acknowledgment of where and by whom the paper was presented. Write Librarian, SPE, P.O.
Box 833836, Richardson, Texas 75083-3836 U.S.A., fax 01-972-952-9435.

Abstract

Security risks are behind some of the most pressing risk

management concerns of oil and gas companies in the
Asia Pacific region. However, the effective management
of security risks is generally not well understood by
business managers at all levels.
There is a strong requirement to develop a standard
process that allows oil and gas companies to both
manage security risks and meet their business
requirements in the various countries in which thy
operate. The process, once developed, needs to be
integrated into all relevant aspects of the business.
This paper will explain how this modern Security
Process is developed.
The Security Process should be developed as a core
feature of a companys operations management system,
allowing all levels of the organization to understand how
the management of security fits into the business
structure.
This provides legitimacy of the security process
throughout the company and promotes its integration
with other relevant aspects of the business, thus
providing critical links with other core functions such as
safety and crisis management.
Having a Security Process as an integral part of a
companys management system leads to greater
accountability and awareness of security at all levels of

management. This in turn leads to a more cost effective

allocation of resources, greater accountability of the
security function and a better overall understanding of
how to protect the companys people and assets.
Introduction

Energy Security is one of the most important issues

facing the world economy today, due to the dependence
of the worlds economy on oil. It is an issue that
captures the attention of governments, corporate entities
and citizens everywhere. The most common image of
energy security is that of meeting the increasing demand
for energy by ensuring a constant supply to consuming
nations. However, there is an aspect of energy security
that looks at the threats to the supply of energy to the
world, the protection of the energy supply systems, as
well as the physical protection of the people and assets
that make up those systems. This second aspect is very
much the subject of attention of security professionals
working within the oil industry. In an increasingly
uncertain environment for the oil industry, how do we as
security professionals, contribute to ensuring energy
security in the Asia-Pacific region?
This is certainly a challenging proposition in the post
9/11 environment.
Security departments have
traditionally not been seen as profit generators or
business drivers, and have therefore neither justified the
close attention of business managers, nor been well
understood by them. It was 9/11 that caused a major
shift, when major oil companies with operations in the
Asia-Pacific region started to more closely scrutinize
their security preparedness regarding the physical well
being of their personnel and assets. In a short period of
time, security departments had to transform themselves
from little known entities into credible and accountable
business units having to justify increasing numbers of
qualified personnel and expanding budgets to an
increasingly interested senior management.
Therefore, security departments of major oil companies
working in the Asia-Pacific region have had to adapt to

www.petroman.ir

SPE 108621

best serve the interests of one of the security professions

most challenging industries, within one of the worlds
most dynamic regions. The Asia-Pacific region has the
worlds fastest growing power sector and is likely to be a
growth engine of the worlds economy throughout this
century. Sources of energy in the Asia-Pacific region are
fast replacing the maturing fields in more traditional
regions, making security of the energy sources in this
region an important proposition. So how can we best
meet the requirements and expectations of companies
within the vitally important oil industry in one of the
fastest growing regions in the world?
This paper will outline what the author believes to be an
effective solution, which is to modernize the role of a
security department within the organization by
developing a business-related process that enables an oil
company to integrate its security function with all
relevant aspects of its business operations.

managers to pay closer attention to recommendations

from security departments. Security managers are now
required to be familiar with business terms like cost
benefit analysis, cash flow, return on investment and the
project management cycle.
There have also been recent changes in the nature of the
threats that a security department must protect against.
Obviously, the most prominent threat to emerge has been
terrorism in its various forms global (jihadist),
regional, or local (separatist / issue-based). This threat
tends to represent a worst case scenario for the oil
industry and has been the main motivator behind
companies increasing their security preparedness in the
Asia-Pacific region post 9/11. Despite the lack of
evidence to suggest that the oil industry is or will be
specifically targeted in this region, the threat of terrorism
will continue to feature in oil companies risk analyses
for as long as the following sort of information remains
credible:

Statement of Theory and Definitions

Traditionally, security management has been defined by

traditional issues such as physical security, personnel
security, investigations and emergency practices.
Security managers in the Asia-Pacific region have often
come from law enforcement or military backgrounds,
with little or no experience in business management.
However, following 9/11, when new security risk
perspectives brought about a requirement for
organizations to justify higher operating costs for
security, business management principles have taken on
a greater emphasis in defining security management.
Security departments are now required to justify
increasing costs for personnel and equipment by using
good business planning and accounting principles.
Security managers are required to be more accountable,
by not only having to justify the expense of modern
security systems but also having to explain whether
security systems are producing their intended results.
Companies are often attracted by a vast array of modern
security equipment, which seems to offer an effective
solution to a whole range of security concerns. We have
all seen examples where large sums of money have been
spent on poorly developed security plans, leading to the
purchase of unnecessary and ineffective equipment.
Subsequently, the environment for the modern day
security manager is more complex and the theory and
definitions of security management have changed to
account for the convergence of security management
principles with business management principles. Terms
used in modern day security management are fast
changing to be more business focused than ever before.
Higher risks and higher prices are leading business

directives of Osama bin Laden to

target oil industries including wells,
pipelines, export platforms, fuel tankers
and anything that will affect oil supply
routes to the United States. These attacks
are to be on an international scale .1
In addition to the overarching threat of terrorism, there
are other common security-related threats that are high
on the list of risk management concerns among oil
companies. These include reputation issues (e.g. internal
controls and conflicts of interest), environmental risks
(e.g. sabotage), regulation and legal environment issues
(e.g. country legislation relating to the protection critical
infrastructure), business interruption, explosions and fire,
political risks, executive risks (e.g. executive protection)
and corporate responsibilities (e.g. adherence to human
rights by local law enforcement agencies).2 Each of
these issues has a relationship with the roles and
responsibilities of the companies security departments,
adding to the complexity of defining modern day
security management and its importance to the
organization. Protecting a company from internal fraud
and conflicts of interest and the legal requirements
surrounding support from a host countrys security
forces are examples of the complex demands being
placed on security departments by company
managements.
1

Abdul Hameed Bakier, Jamestown Foundation, Sawt alJihad Calls for Attacks on Western Energy Interests,
Copyright 1983-2007 The Jamestown Foundation.
2
Brewer, J, Damage to Reputation Gives Energy Giants
Sleepless Nights, Lloyds List, 12/9/2006.

www.petroman.ir

SPE 108621

Against this backdrop of change in the nature of security

management and threats to the oil industry, there is an
overriding requirement for security departments to
modernize their techniques and adapt their security
management approach to be more closely aligned with
the business planning cycle. The following section
outlines how this is best done.
Description and Application of the Process

Given the increased importance and expectations placed

on oil companies security departments, there is a strong
requirement to develop a security process which
provides an effective mechanism though which security
can be effectively managed. The security process should
be developed as a core feature of a companys operations
management system. This will ensure legitimacy and
enforceability of the security function throughout the
company and promote its integration with other relevant
aspects of the business, thus providing critical links with
other core functions and allowing all levels of the
organization to understand how the management of
security fits into the business structure.
The following steps describe how the security process
can best be put in place.
Obtain the Direction of Senior Management

The critical first step is to obtain clear guidelines from

the companys senior management on the expected roles
of the security department within the organization. The
exact roles tend to vary from company to company. For
example, some companies senior management will
expect their security department to play a leading role in
investigations, while others will not want to involve the
security department in this work. The Security Director
will need to structure the department according to the
direction he receives, ensuring that he allocates an
adequate number of qualified corporate security staff in
each of the key areas of operations. Generally the
security departments roles will include process
development, asset and loss protection, investigating
security incidents, management consulting, audits and
reviews, contingency planning, crisis management,
executive protection, travel security and security
awareness training. Once the roles are agreed, a policy
statement should be disseminated throughout the
company to outline the security departments exact roles
and responsibilities.
This policy statement will
demonstrate the commitment of senior management for
the promotion of security throughout the whole
company.
Include the Security Function in the Organizations
Operations Management System

In order to clearly stipulate senior managements

expectations, the company should ensure that security

becomes a unique and separate element within the
organizations operations management system. It also
ensures legitimacy of the security function, which can
then be tied to a standard, enforceable process with a
corresponding allocation of resources and business
targets. Tieing the security process to the everyday
business operations of the company is a good way of
gaining the commitment to security from all levels of
management.
Develop the Security Process Guidelines

Once managements commitment and support has been

obtained, and a policy statement developed, the next step
is to develop the Security Process guidelines. These
need to be kept as simple as possible, outlining the key
elements of the security function and the means through
which those elements will be conducted. The process
guidelines should clearly stipulate how the operating
units within the company are expected to meet senior
managements expectations.
Guidelines must be
consistent throughout the organization. For example,
guidelines on standard security alert levels and the
protective measures expected at each alert level are
critical. Similarly, guidelines on the level and content of
plans and procedures are important. The critical element
for success in this step is to ensure that the Security
Process guidelines remain the same across the whole
organization.
Allocate the Process to the Appropriate Level of Business

A key aspect of making the Security Process relevant to

all parts of the company is to make an initial business
case for allocation of specific elements of the process to
the appropriate levels of business. This will depend on
the nature and size of the company and the complexity of
its financial structure. For an integrated oil company
with both Upstream and Downstream operations, this
will be a complicated step, requiring a great deal of
thought and planning. The company will need to decide
on some important higher level issues like
standardization of certain security systems (e.g. access
control and electronic security equipment), setting up
security reporting lines on a functional or geographical
basis and allocating responsibilities on a regional,
country or site specific basis. There is no standard
solution to allocating the various aspects of the Security
Process and the best fit will vary from company to
company. However, in the Asia-Pacific region, the
allocation of responsibilities will need to take account of
the unique differences of operating in each country. For
a smaller company with easily defined operations in only
one or a few countries, this step may be quite simple.
The critical element for success in this step is to aim for
costr effectiveness and to ensure that specific elements

www.petroman.ir

SPE 108621

of the process are allocated to a level with the

appropriate financial authority.
Develop Plans and Procedures to Achieve Results

There must be a common flow of expectations

throughout the whole security process, so that relevant
tasks are managed at an appropriate level. For this to be
successful, an effective method is to conduct top down
planning followed by bottom up reviews. For example,
if the organization is big enough, there is likely to be the
need for a number of regional or country level security
management plans linked to associated business plans.
In addition, there are a range of national and
international security requirements that must be
incorporated with a companys own security
management plans (e.g. maritime security regulations).
These plans need to be sufficiently detailed to deal with
the higher level tasks and regulatory requirements, while
at the same time allowing the all important site-specific
security plans to be as simple and effective as possible.
The success of the process can be measured by how
effectively the various elements of the security process
flow from the day-to-day management at the individual
facilities all the way to the top of the organization. A
good example to use is security incident reporting. If
this has been well formulated within the Security Process
and integrated effectively with other relevant business
and regulatory functions, there will be a streamlined
flow of information and coordination of incident
response activities from a particular facility to (if
necessary) the top of the organization.
Provide Sponsors for the Security Process From Within
Business Units

Once the Security Process has been tied to the relevant

levels of business, it is important to to enable the critical
link between the business function and the Security
Process to occur. This can be achieved by appointing
sponsors from within the business units who understand
their respective levels of business intimately. These
people should ideally be part of management teams with
appropriate financial authority. They should take on the
role of mentor of the security advisor or manager
responsible for the security process and ensure he has the
necessary resources. For example, if the security
manager responsible for part of the Security Process is
inexperienced as a project manager, the sponsor can
ensure that a project manager is allocated in support of
the security department at the relevant level. Or, if
investigative experience is lacking, the process sponsor
will be able to make a decision to outsource or hire in
that function.

Link a Security Risk Assessment Process with the Business

Planning Cycle

Once the guidelines and support mechanisms are in place

at the relevant levels, it is time for the security
department to demonstrate its skill sets. As with other
areas of business operations, a risk assessment is used to
commence the Security Process. There needs to be a
realistic and accurate understanding of the security risks
facing the company at each relevant level (e.g. in a
particular region, country and location). The more this
can be incorporated into the organizations wider risk
assessment methodology the better. For example, the
same risk matrix scoring system should be used, to allow
business managers to understand how security risks rate
against more traditional safety and environmental risks.
Importantly, annual security risk assessments should be
timed to coincide with the business planning cycle, so
that key recommendations can be inserted into the
annual business plan and budgeted accordingly. Once
inserted
into
the
business
plan,
security
recommendations can then be accurately tracked and
reviewed by the relevant levels of management.
Involve Security in New Projects

For new major projects, it is important that a security

advisor or manager is involved from the projects
beginning, as part of the project management team. This
is an excellent way of demonstrating managements
commitment to the Security Process and of enhancing
the business management skills of the security staff
involved. It also promotes integration in key areas, such
as between security, government affairs and community
relations. Within the Asia-Pacific region, it is not
uncommon for critical points within the project
management cycles of major projects to involve at least
one of these three areas of the business. Therefore, once
these relationships are developed within an effective
project management environment, they can be very
effectively used to manage potentially sensitive
community issues and carry the project forward to
implementation.
Integrate the Security Process with Other Critical
Processes

In addition to linking the Security Process with the

community relations and government affairs roles, it is
important to integrate security with other key areas of
the business, such as emergency management, incident
investigations and reporting, risk management,
compliance and facility design and construction.
Coordination is required to ensure that plans and
procedures are integrated also, which is something that
can be stipulated in the Security Process guidelines.

www.petroman.ir

SPE 108621

Provide a Means of Reporting on the Process

Review the Process and Aim for Continual Improvement

Since the Security Process is linked with the business

planning cycle, there is an important responsibility to
accurately report on the success or otherwise of process
implementation. The Security Process guidelines should
clearly detail the means by which the process can be
measured and verified. This can be achieved through
accurate reporting of security expenditure, an internal
and external audit program, as well as the use of metrics
to measure such things as the number of recordable
security incidents or some pre-determined value adding
indicators. Demonstrating the ability to accurately report
on things like total expenditure and the number and
nature of incidents is one of the key benchmarks of the
success of the overall process.

As with any business process, it is important to

constantly review the Security Process to see if it is
meeting its objectives. Once again, a bottom up
approach is recommended, starting with site specific
plans and procedures. There needs to be a logical and
effective flow of information and procedures from the
critical assets all the way through the organization. This
is difficult to achieve in reality and there will always be
a need to improve the process. But the keys to success
are the ability to increase employee awareness of
everyday security requirements and integrate the security
function with other critical business functions. This is
where the hard work to create well integrated security
plans and procedures pays off.

Develop an Employee Security Awareness Program

Conclusion

Developing an employee awareness program is a critical

element of the entire Security Process, since employees
at all levels need to be fully engaged to make the process
work. One of the objectives of the Security Process
should be to raise the awareness of security in the daily
lives of employees, whether at the workplace or away
from it. In general, it is felt that employees remain
largely unaware of security issues in their areas, or their
roles and responsibilities relating to security. They
therefore need to develop a security culture that is akin
to their safety culture, which is generally well ingrained
within the culture of oil companies. The program should
be kept simple, focusing on basic issues such as the
nature of security threats, how to report incidents and
what to do in the event of a security incident. Whether
or not employees understand and support the Security
Process is a true litmus test of its success. Therefore,
there should be a means of gaining feedback from
employees as part of process evaluation.

With energy security becoming an ever more important

issue in the Asia-Pacific region, senior operations and
risk managers of oil companies have become
increasingly aware of the business drivers for a sound
security process. Security departments are now seen as
essential elements of an oil companys business
operations in the region. Therefore, in order to be
prepared for the subsequent increased expectations,
security departments should ensure they are intrinsically
linked with the companys operations management
system, so that security considerations become part of
the companys everyday operations.
This paper has outlined the steps required to achieve
success in developing a modern security process that is
effectively linked to the companys business planning
model.

www.petroman.ir