Security and Resilience department activity starts with the proactive identification of business needs and requirements based on which we are responsible for designing and implementing an integrated framework of processes, regulations, tools, and technologies to enhance Security and Resilience across the Company value chain.
The Security and Resilience department establishes and maintains a sustainable protection of people, assets and reputation against intentional malicious threats and continuously improves organizational preparedness to respond and recover from serious incidents adequately.
The Quality Management System Certification obtained by OMV Petrom Group Security and Resilience organization in 2017 was maintained following the two annual surveillance audits and the recertification audit conducted by Lloyd’s Register Quality Assurance in February 2020. All these audits were successfully concluded without any nonconformities or improvement recommendations.
The Security function ensures the integration of the best security practices at the OMV Petrom level and supports business, not only through the delivery of its strategic objectives but also on an operational basis. A special focus is dedicated to managing the provision of operational security services and their effectiveness.
A unitary and structured approach, providing company-wide strategic direction addressing all security operations-related topics, is ensured through a centralized management of the security services under the Security and Resilience department. Thus, we ensure increased operating efficiency and compliance with national-specific legislation through country-wide risk-based and flexible security resources allocation.
The Resilience function enables the effective recovery of operations and the preservation of the OMV Petrom brand in case of a significant incident, minimizing potential negative impacts on our business and our people.
Our Security and Resilience services are in line with OMV Petrom Vision “ZERO harm – NO losses” that guides our behavior, actions, and decisions focused on three main directions:
► increase effectiveness and efficiency of our security operations by centrally managing the provisions of cross-divisional security operations;
► ensure the detection and prevention of significant business threats;
► develop resilience to respond and recover from events with negative impact and develop, maintain and continuously improve business continuity framework.
The key objectives for implementing the Security and Resilience strategy are:
► embed modern technologies into daily security operations as the basis for increased efficiency in threat detection and response (loss prevention) and ensure optimizations of the operational security;
► improve security and resilience behavioral competencies.
Risk-based resources allocation
We periodically conduct Security Risk Assessments (SRA) that allow us to identify and manage security issues. These assessments help identify and classify risks per location and allow the Security Team to evaluate the current mitigation measures in place and make the necessary adjustments. In 2020, the SRA process was focused on ensuring compliance with legal requirements and reviewing Security Risk evaluations for all OMV Petrom objectives using the Group-Wide Security Risk Assessment Tool, ACUMEN. For the legal compliance, in both Upstream and Downstream Business Divisions, a total number of 274 security risk assessments were delivered, performed for OMV Petrom S.A. and Marketing Division due to structural changes of the locations, business developments, or the legal period obligation.
For all OMV Petrom objectives, SRAs have been revised using ACUMEN, under the Corporate Security and Resilience department’s coordination and direct involvement.
Based on the revision of the Security Risk Assessments, the security concepts for commercial depots were revised from a technical, guarding and procedural perspective. The guarding component was calibrated to cope with each depot’s specific characteristics and threats, and both security and operational procedures were reviewed and updated, ensuring that those are harmonized with newly implemented Security Operations Centres’ (SOC) procedures for distance monitoring.
To enhance our capabilities in the area of SRA and ensure adoption of industry best practices, we have selected and made available for the business an external resource with know-how and capability to cover any requirement triggered by business changes or threat context.
Monitoring & Intervention services
To increase the protection of our people and goods in the filling stations network, in 2020 we improved the Monitoring & Intervention (M&I) security concept by including additional specialized services for addressing the specifics of OMV Petrom Marketing’s operational needs. This initiative followed the pilot project for testing a new M&I solution implemented at the end of 2019, together with the identified best practices during the market screening process.
As such, we adopted a threat-based approach to strengthen the protection of the high-risk filling stations. Thus, we developed dedicated security contractual KPI’s for periodical monitoring and increase of contractors’ performance. We contracted a new security service provider with the capabilities to deliver specific solutions in line with the evolution of the threat environment in the cities with significant security incidents in the filling stations network.
Managing Security Contractors
Protection of objectives, goods and valuables against any illicit actions that may affect the right to property, their material existence, as well as protection of persons against any hostile acts that may endanger life, physical integrity or health is a legal requirement stipulated under Law 333/2003.
In OMV Petrom, the operational security concept consists of a mix of components: guarding, technical security systems and procedural/organizational measures, which ensure deterrence, detection, prevention and response to intentional criminal threats against people, assets, operations and reputation.
The guarding component based on specialized security agents, certified according to Romanian Law, is a critical element to our protection concept and is carried out by private security contractors in accordance with local guarding plans in place, which are governed centrally by the Security and Resilience Department. In this regard, pedestrian patrols, fixed posts and roving patrols are ensuring guarding of our facilities against unauthorized access, thefts and any other material damages, defending personnel from harm.
In the challenging pandemic context, we ensured adequate field operations measures to respond to the specific threat evolutions, which maintained the security incidents rate similar to the previous years’ trend, with a significant decrease of 76% compared with the first half of the (2011-2020) decade.
In 2020, considering that the security personnel are one of the most exposed categories, getting in contact with hundreds of persons daily in access control points, specific measures were implemented for security contractors’ personnel.
Security operations response plans were developed with our security service providers to ensure proper health protection of security personnel and continuity measures to minimize disruption in security services provision, correlated with personnel unavailability in the epidemiological context.
During the pandemic, additional tasks have been added to security personnel, which successfully contributed to the overall efforts to prevent coronavirus spread among OMV Petrom employees and contractors.
In 2020, the security performance was evaluated at a high level of quality, as resulted from regular monitored Security Key Performance Indicators applicable in all security services contracts of OMV Petrom S.A., including for OMV Petrom Marketing contractors on the monitoring and intervention services.
The KPIs are collected and closely monitored through established internal processes such as security inspections, roving patrols, and security incidents reporting. In 2020, the operational security experts performed a total number of 629 security inspections in Upstream and Downstream, with more than 3,500,000 kilometers driven by the mobile patrols and 2,609 guarding posts verified. These activities ensure that legal and contractual requirements are followed and the security services rendered are at the highest quality standard.
Embedding technologies into security operations
Following our strategic objective to embed technologies in our daily security operations, we constantly assess opportunities to replace outdated equipment with new security systems with up-to-date digital technologies to Security Operations Centre for enhanced incident handling.
This approach focuses on ensuring an adequate protection level of the sites based on physical security systems to enable early detection and intruders’ recognition, efficient incident management acting simultaneously as a deterrent against intentional malicious threats.
In Upstream, cost-saving opportunities were identified by replacing man-guarding with technical solutions in selected guarded locations and ensure their monitoring into the Security Operations Centre Dispatch for an efficient response.
In 2020, we conducted projects to upgrade/update the security equipment in Petrobrazi, focusing on replacing 111 perimeter video surveillance cameras and replacing the access control system. We moved our security systems to digitalization, preparing for and considering the new potential business initiatives on expanding the benefits of the CCTV, such as artificial intelligence applications. New modern technologies were identified, and specific security solutions for each commercial depot were designed, contributing to an increased efficiency of protection level. The designed solutions will be considered for implementation in the upcoming years
SDG 3 Target 3d : Strengthen the capacity of all countries, in particular developing countries, for early warning, risk reduction and management of national and global health risks.
Based on past efforts to integrate security systems from Petrobrazi, fuel depots and UPstream sites, in the Security Operations Centre, we continued in 2020 to fully deploy the concept and migrate the SOC from the external security provider. In the 2020 pandemic context, we managed to build options to ensure redundancies for our Security Operations Centre through fast and flexible alternatives, such as back-up solutions, using on-site control rooms and security services providers’ Dispatch Centres, maintaining the monitoring and coordination capabilities during the unavailability of OMV Petrom SOC.
All the above initiatives are in line with the strategic direction of the Security and Resilience Department, which stands for a highly efficient protection concept with strong integration of local physical security measures with central Petrom-City SOC, thus significantly increasing the power to steer local resources in the event of a security breach.
Improve business continuity and crisis management
Resilience function is committed to continuously improving organizational preparedness, aiming to build efficient capabilities to respond to, recover from serious incidents and ensure business continuity in situations that generate operational disruptions.
As part of the legal requirement type of documentation, under the provisions of emergency situations and civil protection legislation, the response plans are comprehensive documents developed at the site level, as resulted from Risk Assessment at the county level released by authorities and specific legal requirements to address site related hazards (i.e., response plan in case of fire, evacuation plan, earthquake, etc.). The respective documentation clearly defines roles and responsibilities for the personnel onsite so that the technological installations are safely shut down, first intervention teams react depending on the type of incident and the people are evacuated in a safe manner to the muster points for ensuring a fast and efficient reaction in case of an emergency situation.
For every critical location, different types of response plans are developed, such as response plans in case of fire or explosion determined by different scenarios, response plans in case of earthquake, response plans in case of flooding or landslides.
A clear and specific part of the response plans is related to the training of personnel involved via classroom sessions and practical drills. The drills are conducted periodically as per the respective response plans’ provisions and are focused on evacuation and first response. The frequency is based on the risk category of the location and/or on the legal provisions that are applicable to the respective location; thus, it can vary from once / month to twice / year.
Part of the drills are performed in cooperation with the authorities and/or local communities’ representatives, depending on the type of the location in scope. Following each drill, lessons learned are captured and disseminated to the participants as part of the continuous improvement process.
The response plan is also a critical component of the Incident Management concept, implemented in OMV Petrom Group at the operational level, to support the local management team’s decision-making process based on accurate, structured and reliable information received from the site level in a systematic manner.
At the strategic level, Crisis Management Plan, implemented in OMV Petrom Group, sets up the arrangements for efficient communication with local communities as part of the stakeholders’ management process. During the preparing stage, the surrounding communities are proactively informed, via different communication channels, on any type of changes in the operational environment that could potentially impact them.
In case of an emergency situation, the Communication Department, which is part of the Crisis Management Team, ensures a coordinated response to media and other stakeholders.
For every critical location, in case of an emergency situation, an audio alarm is triggered so that people can react as they were trained. If the situation escalates, an emergency cell is convoked by the authorities, gathering representatives from different institutions, including the operator and the communities.
One of the roles of this emergency cell is to ensure that the communication channel between OMV Petrom and surrounding communities is maintained throughout the crisis.
Providing support for the organization to efficiently manage the pandemic crises generated by the COVID-19, was the main focus of the Resilience function during 2020.
The main goals were to ensure:
► health for our employees, contractors, and clients;
► continue to provide energy for country needs;
► financial health of our Company.
Proactively, the Resilience function coordinated a cross-divisional working group, which initiated the first response measures from the very early phases of COVID-19 spread in Romania. A very fast coordinated reaction made available a work from home framework and the needed IT infrastructure to support the process.
Initial efforts were concentrated to develop pandemic scenarios and general assumptions, best practice response strategies, tools, and templates for Business Continuity Plans (BCP) to manage the pandemic consequences. Specific support was provided for the business in identifying business continuity measures, thus ensuring a cross-divisional unitary approach regarding the development of divisional BCPs.
As such, there were defined and implemented, at both divisional and site levels, joint plans including – incident/emergency response measures and business continuity measures, in strict correlation with the epidemiological evolution.
Once the Crisis Management Team (CMT) and Emergency Management Team (EMT) were activated, the Resilience function guided them on processes related to integrated coordination on behalf of the Corporate functions. In this regard, tools and processes were developed and permanent support to the business was ensured by active participation in the CMT and EMT. A very important aspect was to ensure smooth communication and transparency between CMT and EMT for efficient information sharing between strategical and tactical levels. Response measures defined during CMT meetings were constantly shared and transmitted for implementation through the joint emergency response and business continuity plans at site levels.
Resilience Function undertook additional tasks to ensure business continuity and crisis management, know-how transfer to our contractors through a set of “Minimum requirements in the context of COVID-19”, Common Information Picture (CIP) tool developed and maintained for CMT during the periodical meetings, accurate monitoring for COVID-19 evolution and related impact in OMV Petrom, best practice sharing with other critical players within the energy sector, support in developing the guidelines that enabled the managers to act in line with Company instructions in different COVID-19 related situations.
Changing culture towards security and resilience in OMV Petrom
The Security and Resilience (S&R) Department is committed to foster the S&R culture within the organization to increase awareness on S&R topics and principles among our employees.
To support this endeavour, one specific focus of 2020 was to promote a package of five security awareness e-learning modules that were made available throughout the Group for all employees, focusing on 5 security skills such as having a security mind-set, physical protection, travel security, incident management and reporting of the security incidents.
|Status 2020||► The Quality Management System was recertified by Lloyd’s Register Quality Assurance, confirming the professionalism of the services delivered to our Business Units.|
► The deployment of automation and technologies is a strategic objective in delivering the Security and Resilience mission by embedding modern technologies into daily security operations to increase efficiency. In 2020 a special focus was on the Petrobrazi refinery and selected operational locations in Upstream.
► Ensured legal compliance and risk-based measures implementation for all Company sites through provision of Security Risk Assessments (SRAs), the context of an increased necessity triggered by business fast dynamics.
► Improved employees’ awareness of security and resilience principles and behaviours by promoting a package of six security awareness e-learning modules having in scope how to prevent, prepare and react in case of a security incident.
|Action plan to achieve the targets||► Continue to embed modern technologies into daily security operations as a basis for increased efficiency in threat detection and response (loss prevention) and ensure optimizations of the operational security.|
► Strengthen Resilience support for the business to improve Crisis and Emergency Preparedness and efficient Business Continuity framework.
► Embed Security principles and practices into employees’ and contractors’ daily activities towards an increased level of awareness and security-specific competencies.
► Continuous improvement of the S&R Quality Management System – including its recertification by Lloyd’s Register Quality Assurance and thus, reassuring OMV Petrom Business Units of our commitment to continuously deliver services to the highest standards, as well as integration of other ISO management system standards requirements, especially ISO 28001 regarding security management systems for the supply chain.