Effective security plan protects assets, manages risks

By Katie Mazerov, contributing editor

A well-planned security program can protect companies from piracy and terrorism, and the oil and gas industry must be prepared, Ronald Relf, chief of global security for Diamond Offshore Drilling, said at the IADC HSE and Training Conference & Exhibition, 7-8 February in Houston. “In this business, security now is what safety was 10 or 15 years ago,” he said.

In advocating strong security programs, Mr Relf stressed the importance of protecting lives and company assets, minimizing risk and legal action and preserving customer confidence and company reputation. “Protection of human life is the highest priority,” he said. “At Diamond, we have 5,000 people who travel worldwide, and it is a huge responsibility to keep them all alive and well. There are things going on in the world that, if we overlook them, we will pay a dear price.”

He continued: “In the offshore industry, for example, we are facing more potential security problems with mobile offshore drilling units (MODUs) than ever before.”

A comprehensive security program should be supported from the top down and address people, policy and technology – but should also be customized to fit an individual’s company’s culture and needs. Companies should determine the level of security needed and assess potential risks and threats. “This is the toughest question,” Mr Relf said. “It’s like a veil; we can’t see beyond it to see the next threat to put an effective plan in place. Elements of the plan should cover every operational location. The plan must remain flexible because it will change. Think of all the potential risks facing your company and your employees worldwide.”

It is also essential to create a policy review panel encompassing representatives from human resources, information systems, the legal department and key business units. “This is very important because you get buy-in from everyone in your operation,” he explained.  “We need to involve information systems, for example, because we are seeing cyber-threats to the industry surfacing. We don’t want people stealing our information.” 

A security program should cover three key elements, he said:

• Policy: standards, procedures, guidelines and practices;
• Security plan: physical security, crisis response, business impact assessment (BIA) and analytical risk management; and
• Security program manager: the person who has the ultimate responsibility for all security elements.

“When I first became involved in the oil and gas industry, crisis management in the Gulf of Mexico was built around hurricanes,” Mr Relf said. “In the Middle East, it was built around potential acts of terror and in Southeast Asia, piracy. If you operate worldwide, you have to look at each region to assess the risks and threats and find a way to include all these elements in a crisis management plan. ”

It is especially important to asses BIA risks and vulnerabilities, he said. “If you lose a rig or a crew or your ability to operate in a particular region, how will that impact your business from an economic and administrative perspective or any other critical area?”

Although programs should be tailored to a company’s culture, the basic structure should encompass several important aspects:

• Establish, identify and define security goals;
• Define roles and performance expectations;
• Define responsibilities; and
• Identify security management basics, including planning, a way to measure the effectiveness of the program and control of the program.

The basic elements of Diamond Offshore’s security program are diagramed in a “Span of Security Operations” that divides global security operations into three main areas:

• Protection of personnel: traveling, offshore and shore-based;
• Protection of assets: during transit and offshore; and
• Preservation of reputation: worldwide.

Checklists are a good way to get started, but instincts and knowledge are invaluable. Mr Relf advocates using an analytical risk management formula to assess risk by calculating threats, vulnerability and impact. “The bottom line is you want to become a harder target than the person next to you.”