"By giving organizations and their supply chains an integrated framework and best practices for greater resiliency, standards can address a range of operational risk management from anticipating, assessing and preparing for risk."
Abdulaziz F. Al-Khayyal
Senior vice president, Industrial Relations, Saudi Aramco
Lt. General Dhahi Khalfan Tamim, distinguished guests, ladies and gentlemen:
It is a special pleasure to join you for the third annual ASIS International Middle East Security Conference, as the good work we began at the initial conference builds momentum. Saudi Aramco is very proud of its 36-year association with ASIS International, and on behalf of the company I appreciate this opportunity to share with you some thoughts on organizational resiliency.
Today, I will discuss how the implementation of global standards will allow for the scaled and phased implementation of maturing security programs in a market-driven economy. We will look at how compliance helps us perform to the demands of the market and deliver prosperity, transparency, accountability and functionality.
We’ll also consider these issues from a regional context, to show how the Middle East can achieve these things and be a leader in organizational resiliency.
There was a time not so long ago, ladies and gentlemen, when business and industry took a straightforward, conventional view of security. We perceived it in the most literal terms: the uniformed guard in the office lobby, or stationed at the company gates.
In this mindset, security was further compartmentalized as the province of a narrow margin of businesses requiring specialized security personnel – like financial institutions or very large commercial and industrial enterprises. Even within those boundaries, it was common to limit the scope of security further still, to applications like asset protection or loss prevention.
As a result, security was often a secondary, supporting measure – thus it was largely reactive, working to contain harm more than to prevent it.
Today, we know that security has vital applications for every type of business and industry, and covers a full spectrum of activities and interests. In fact, part of our message at this conference must be for business and industry to move away from such arbitrary limitations toward a comprehensive approach.
Ladies and gentlemen, a paradigm that might have been appropriate even two decades ago has been rendered obsolete, as globalization, technology, interconnectivity, information and automation affect how each of us does business today.
And this dynamic, rapid-change environment in which we all operate adds urgency to our security activities. Our ever-shrinking, high-tech world, where time and distance barriers are virtually erased, creates vulnerabilities even as it affords convenience, speed and other business benefits.
In such a world, relegating operational risk management to line-item status actually elevates the likelihood of disruption – especially in a tight economy, when many companies tend to see security as an expense, rather than an investment.
This reality, my friends, is why we have the organizational resiliency standard.
By giving organizations and their supply chains an integrated framework and best practices for greater resiliency, standards can address a range of operational risk management from anticipating, assessing and preparing for risk; to preventing, mitigating and managing it … a strategy that takes us all the way through to continuity and recovery.
The first step on the path to resiliency is rethinking the equation:
Risk equals threat plus consequences, plus vulnerability.
When risk is inherent, the question becomes how much risk is acceptable, and how we are going to manage it, given finite resources.
That question is best addressed by taking a 360-degree view of business, and finding where our vulnerabilities and threats lie.
Of course, when we think about drivers impacting our security management mindset, man-made threat is the first big-change element that comes to mind. But rethinking security management means taking the broadest survey from an all-hazards approach.
Why? Two reasons: because we tend to overlook the obvious, and because success can breed complacency.
Consider natural risk. If your building catches fire, insurance can cover the replacement of furnishings, equipment and the building itself. But what kind of plan is in place to ensure the continuity of your operations, and the protection of your human, physical, intangible, and environmental assets, while matters are being sorted out?
The elements don’t have to destroy outright to adversely affect operations.
A broken water pipe that floods your offices may seem a relatively minor inconvenience until you consider where your people are going to sit and do their work. Or a road construction crew digging on the street could inadvertently cut a fiber-optic line, wiping out your Internet, telephone and cellular access for hours, through no fault of your own – but disrupting business, nonetheless.
Clearly, if we are to achieve sustainable operations, our security master plan must incorporate crisis management planning to ensure competitiveness and performance.
Continuing that 360-degree view, we see how information, technology and connectivity – the very advances and conveniences that have revolutionized how the world does business – also place us at greater risk.
Malicious attempts to access private information or resources – the gamut of network scanning or data sniffing, hacking, virus attacks, email spoofing and spamming – can result in compromised and corrupted data, interrupted operations and lost assets.
When the virtual realm is driven by rapid change, and the speed-to-market mentality does not allow for policies and processes to catch up to technology, the threat of sabotage grows. All the more reason for agile, proactive security measures that are interwoven into operations at every level.
Seemingly mundane events, if dealt with proactively, can be contained as a manageable inconvenience or interruption, rather than a costly, protracted, or even catastrophic event.
However, physical and environmental harm are only part of the damage that can result when security is not fully integrated into operations.
Reputational embarrassment – damage to the company brand – can devastate the bottom line every bit as much, and spread beyond the individual organization to affect the field or industry – and even governments.
The Information Age that makes widespread, immediate communication possible also carries the risk of devastation detectable only after the damage has been done. A quick look at the headlines on any given day provides ample evidence; WikiLeaks and Anonymous are just two examples.
The news delivers constant reminders that today, when anyone on the street can use a phone to capture an event as it unfolds and immediately post video and images to the Web, an organization not guided by standards of transparency, integrity, accountability and good corporate citizenship operates in peril.
The tragic Macondo well incident in the Gulf of Mexico was devastating on many levels: the loss of human life, foremost; the environmental harm that affected the lives and livelihoods of states along the Gulf, and the harm to animals and ecosystems. This catastrophe resulted in tremendous financial loss, and the reputational harm touched the global petroleum industry by association.
In all truth, when trouble can arise despite our best intentions, the only course of action is preparedness.
At Saudi Aramco, for example, preparedness includes putting contingency plans into a real-world environment through proactive emergency drills in keeping with industry best practices.
This kind of planning has the additional benefit of aiding transparency – both as an auditing and governance tool, but also for the credibility conveyed, and good will generated, by open, balanced and impartial business operations.
My friends, when we compare the traditional, silo security paradigm we talked about earlier with the integrated security model, it makes sense to weave security into every aspect of our operations.
Perhaps the most fundamental step toward integration is cultivating a security culture: and like any meaningful business policy, it has to start at the top.
Security must have the endorsement of executive leadership, who not only communicate it throughout the ranks, but also enforce it.
It stands to reason, therefore, that the chief executive officer must also be the chief security officer.
This is not to suggest that the boss should run the security program; clearly, that’s what you, the security professionals, are there for. What this visible leadership does is give every employee a stake in protecting the company’s critical assets. It affirms that skimping on security will in fact carry a devastating cost.
Such visible leadership also brings us back again to transparency, which equals operational integrity.
The interwoven security model is also manifested in training and development.
Security certifications are important because they are the competency benchmark, helping everyone speak the language of security standards that apply to private industry and government alike.
Training is a bold step that all of us should be taking.
So in short, there are four criteria for integrating security into our operations:
- The application of global standards across the board for an integrated approach;
- The commitment of leadership to security as a matter of policy, and as the foundation of a security culture;
- Training and certification; and
- Applying security to all activities as part of operational excellence.
All of these measures take the enterprise from the reactive level of enforcement to the proactive level of engagement, conveying the leanness and agility to protect assets and maximize functionality, and by extension, profits.
Ladies and gentlemen, risk is inevitable. Thus it is incumbent on us to develop mitigating tools and strategies specific to the organization for a quick, effective response.
A maturing security master plan – a living, adaptive, business-friendly program that is implemented in phases to create and capture value for our companies – serves us no matter what challenges come our way.
Each cycle can bring us to a new level of complexity in preparedness and continuity management – and therefore to a higher level of leadership.
And that leadership is especially important for the Middle East.
The eyes of the world are on our region, ladies and gentlemen. As economic growth shifts toward Asia, we matter; given our importance to world energy, we matter. Our needed, and expected, contributions to the global economy hinge on our ability to manage the challenges of protecting our assets.
Today, I hope that all of us will seize this chance to develop enterprises with the ability to withstand tumultuous events while delivering sustainable growth and social opportunity.
Thank you for your kind attention.
Abdulaziz F. Al-Khayyal is Senior Vice President, Industrial Relations. He was appointed to this position September 1, 2007. As head of the Industrial Relations business line, he is responsible for many of the company’s most vital support operations, including human resources and training, safety and security, government and public relations, community services, and medical services.
Al-Khayyal joined the company in 1981 as an engineer. He has held a variety of managerial positions in oil and gas operations and maintenance. In 1991, he was appointed Director of Personnel, and in 1993 he was appointed President of Saudi Petroleum International, Inc., New York. In 1994, he was appointed President of the Petron Corporation, Saudi Aramco’s refining joint venture in the Philippines. On his return to the Kingdom, Al-Khayyal was appointed Vice President of Sales and Marketing, and then Vice President, Employee Relations and Training, and then Vice President, Corporate Planning, in 1998.
In 2000 he was appointed Senior Vice President, International Operations. In 2003, he became Senior Vice President, Refining, Marketing and International. In 2004, Al-Khayyal was appointed to the Board of Directors of Saudi Aramco and to Petro Rabigh in 2005. He currently holds the position of Chairman of the Board of Directors of Petro Rabigh.
Al-Khayyal is a graduate of the University of California, Irvine, where he received a B.S. degree in Mechanical Engineering in 1977 and a Master’s degree in Business Administration in 1979. He attended the company’s Management Development Seminar in 1986 and the Advanced Management Program at the University of Pennsylvania in 1995.