“We will be better equipped for a more competitive world – defending our democratic institutions and economy from state threats, terrorists, and organised crime groups while embracing innovation in science and technology to boost our national prosperity and strategic advantage”. Boris Johnson, The Integrated Review (Mar 2021).
These words, spoken by Boris Johnson to describe a global Britain in a competitive age, were delivered through the ‘Integrated Review’ and designed to reinforce the UK’s Security, Defence, Development, and Foreign Policy. The Integrated Review provides a detailed and critical analysis of the government’s vision for the UK’s role in the world over the next decade and the action required to meet that objective for 2025.
When I wrote this blog, events were unfolding in Mozambique, and whilst the initial reports were of a major security incident, I will not comment further until the details are more widely known. Suffice to say that the suitability of the security management plan and the ability of the security team to implement it will be addressed both in formal investigation and in the “court of social media”.
So, with that said, the importance we place on reviewing strategies demonstrates to interested parties the value we place on our commitment to, and the security of, our people, environment, assets, and reputation, not just as a nation but also within the corporate world and across organisations. A previous Inverroy blog by Toby Ingram discussed how COVID-19 had created a gap for exploitation by terrorism. To support that review process, we now discuss that space relative to the Oil and Gas industry, highlighting threats, future risk strategies and past incidents that shape the roles and responsibilities of security within it.
Frogmen and Rockets
Characteristically, it appears that as we review our strategies and reinforce our global rhetoric, our aggressors seek to do the same. The complexity the Oil and Gas industry faces when combatting terrorism, insurgency, and criminality is demonstrated by the plethora of security protocols and policies required to enable the continuity of production. This necessity arises from the frequently highlighted reports that demonstrate the industry’s fragility when specifically targeted. An evolving threat stream that creates significant challenges requires horizon scanning and potentially over-the-horizon reconnaissance, but a coherent and sustainable plan requires lessons learned from errors made in the past.
The past 12 months have seen the continued ingenuity and guile of an, at times, invisible adversary: attacks on underwater pipelines in Syria, whether state-sponsored or by violent non-state aggressors (VNSA), delivered by frogmen; old-fashioned sabotage; the use of rockets to bomb gas pipelines in Egypt; drone attacks targeting refineries in Riyadh; and the tangible targeting of industrial control system (ICS) computers through cyber-attacks.
The Future is Orange
This constantly changing landscape is no doubt a continuous headache for any security manager who is confronted by a consistent threat and risk environment within the UK or abroad; with that said, when was the last time you reviewed your crisis response plan and approach to risk? The recently updated 2013 edition of the Government’s Orange Book depicting the Management of Risk describes how successful organisations manage risk effectively, enhance strategic planning and prioritisation, assist in achieving objectives, and strengthen the ability to be agile to respond to the challenges faced. As a security manager, you incorporate layers of protection as a defence, so why not consider the same approach when it comes to integrating risk into your security management plan? Although the Orange Book highlights 13 individual areas of risk, underpinning them all, especially in today’s climate and to no surprise, is ‘security’. The basic principles and concepts for management to follow incorporate, as mentioned, a layered approach utilising three lines of defence.
The First Line starts with management having primary ownership, responsibility, and accountability for identifying, assessing and managing risks and unexpected events. Their activities create and manage the hazards that can facilitate or prevent an organisation’s objectives from being achieved.
The Second Line of defence consists of functions and activities that monitor and promote effective risk management practices and facilitate the reporting of adequate risk-related information up and down the organisation, through a risk-based approach to its work.
The Third Line, an independent internal audit function, provides an objective evaluation of how effectively the organisation assesses and manages its risks. This is a holistic, cyclical process that requires information to generate and reinforce forward thinking to combat a crisis.
The Higher the Reward the Greater the Risk?
Companies’ critical risks in petroleum investment and operations are highlighted by the Atlantic Council Global Energy Centre, which looks at eight categories of risk:
The rule of law
Sanctity of contract
Political criticism and reputational risks
Financial threats, corruption, and cyber attacks
Climate change – related risk is addressed primarily as a financial risk
Populist movements in petroleum-producing countries are treated separately. The volume of these risks is amplified and often most significant in developing countries with a high dependence on oil and gas revenues, weak public institutions, corruption and a poor record in enforcing the rule of law. (Let us look at the Algerian predicament).
Plan Now to Save Explaining Later
In 2013 Al Qaeda in the Islamic Maghreb (AQIM) attacked the In Amenas gas plant, the largest wet gas development project in Algeria. The project included developing four primary gas fields in the Illizi Basin in south-eastern Algeria and the associated gas processing facility, generating $4 billion annually. The joint venture partnership (JVP) consisting of BP, Statoil and Sonatrach found themselves faced with an event that, although not inconceivable, proved very unexpected and for which they were unprepared. Contributing factors were constrained security controls dictated by host nation policy and ‘Resource Nationalism’, the tendency of people and governments to assert control over natural resources located on their territory. All of this impacted upon the JVP and their ability to win the hearts and minds campaign of the local populace; instead, it disrupted tribal dynamics and embedded regional mistrust, which was influenced by a propaganda war waged by AQIM. That propaganda war was pivotal to achieving their aim and facilitating what has been the worst attack on an Oil and Gas installation to date, in which 39 foreign hostages from nine different countries were killed during the attack. A further seven hostages died in a final assault to end the standoff.
Walk a mile in the shoes of the security manager
Since In Amenas, overall security protocols have been improved significantly across the globe and the impact upon local economies lessened. Although the frequency of attacks against oil and gas infrastructure is relatively high, the severity is not; in fact, they are most often shallow. But here is a sobering thought: did you know that UK nationals are more susceptible to attack in areas of heightened risk? So, with that in mind, as an in-country security manager, have you reviewed, practised and validated your security management plan recently? Does everyone know what to do when it all goes wrong?
“UK nationals are at greater risk of attack and kidnap in areas of recent conflict or instability” The National Crime Agency (2021)
Considerations when operating within the UK or abroad:
Do you have a civil unrest, terrorist, kidnap for ransom and natural disaster plan?
When did you review your infrastructure plan?
Have you considered threat assessments, vulnerability studies, employees screening and layered approaches to protection/defence?
Do you have an evacuation plan? Do you have the capability to remove employees from danger, and quickly?
What environment are you operating in? Consider remote facilities, such as offshore facilities and installations.
Transport on standby for evacuation: because evacuations are rare (Libya, 2011), the transport available may also be infrequent.
Consider arrangements with national or local military and civilian companies.
If operating offshore, the use of maritime vessels and aviation may be required due to the number of employees involved.
Communication and coordination, including with host government, military and security personnel: the response plan must ensure each component knows what to do and how they feature in the overall plan.
We didn’t say we told you so, but….
With all disasters and crises, and this is something we are experiencing at this very moment, you stand a better chance of surviving, almost quite literally and reputationally, if you have a plan before it occurs. More importantly, being forewarned by lessons identified forearms you for the future and aids the foresight needed to balance a host of integrated and complex issues, addressing them with a holistic approach that prioritises objectives and gains buy-in from everyone.
If you would like assistance with your risk management, crisis response or security planning, then speak to our team at Inverroy | Crisis Management Consultants.
1. The Integrated Review 2021 – GOV.UK (www.gov.uk)
2. Syria blackout after alleged ‘terrorist’ pipeline attack (24newshd.tv)
3. Critical Energy Infrastructures under attack… (updated) – SEMED ENERGY DEFENSE
4. Fire at Saudi Arabia oil facility after drone attack | Business and Economy News | Al Jazeera
5. Ransomware attacks are now targeting industrial control systems | ZDNet
6. The Orange Book (publishing.service.gov.uk)
7. Key Risks Companies Face in Petroleum Investment and Operations (eBook, 2017) [WorldCat.org]
8. Terrorist Outbidding: The In Amenas Attack – Combating Terrorism Center at West Point (usma.edu)
9. Resource nationalism – GOV.UK (www.gov.uk)
10. Kidnap and extortion – National Crime Agency
11. Prime Minister praises military effort in Libyan evacuations – GOV.UK (www.gov.uk)
ABOUT THE AUTHOR:
Senior Consultant, specialising in Security and Business Continuity