In the previous posts, I discussed how compliance management evolves — from spreadsheets to systems, and from legal registers to structured compliance frameworks.
But as many organisations in the Middle East are now experiencing, the challenge is no longer only about how compliance is managed.
It is also about what HSE compliance now includes.
A Shift in Scope
Traditionally, HSE teams have focused on:
- Environmental obligations
- Health and safety requirements
- Worker protection
- Emergency response
- Regulatory compliance linked to operations
That core responsibility has not changed.
What is changing is the scope around it.
Security-related scenarios are increasingly triggering HSE-related legal obligations, particularly in areas such as duty of care, workforce protection, emergency response, hazardous materials, environmental protection, and business continuity.
This is not about turning HSE teams into security specialists.
It is about recognising that, in the current regional environment, security-related events can create HSE compliance obligations that need to be identified, managed, audited, and evidenced.
This is not a theoretical shift.
As those of us living and working in the region know, it is now very real.
And increasingly, it is being reflected through legal and regulatory expectations.
From Security Risk to HSE Compliance Requirement
Historically, security was often treated primarily as a risk management function:
- Site security
- Access control
- Incident prevention
- Crisis response planning
But across the Middle East, certain security-related scenarios are now creating compliance expectations that overlap directly with HSE.
These may include:
- Duty of care obligations in security scenarios
- Emergency response requirements linked to security events
- Workforce protection and evacuation planning
- Controls around hazardous materials under security conditions
- Environmental protection during security-related incidents
- Business continuity planning
- Increasingly, elements of cybersecurity and information protection
At that point, the issue is no longer only security risk.
It becomes part of the broader HSE compliance framework.
Different Organisations, Same Challenge
This challenge applies across organisations of very different sizes.
In smaller companies, there may be only one HSE manager responsible for all aspects of HSE compliance, audits, contractor management, reporting, and corrective actions. Increasingly, that same person may also be expected to address security-related obligations where they affect worker safety, emergency response, or business continuity.
That adds pressure to teams that are already stretched.
In larger organisations, the structure may be different. There may be separate corporate teams for environment, safety, security, legal, and operations. At major sites, there may also be specialist support.
But not every site has specialists.
An office, warehouse, project site, or smaller regional operation may still rely on generalists to manage both HSE and security-related compliance requirements locally.
So the issue is not simply organisation size.
The issue is whether the organisation has a structured way to manage overlapping obligations consistently.
Where the Boundaries Start to Blur
In practice, these requirements do not always sit neatly within one function.
Take a simple example:
A site evacuation triggered by a security incident.
Is this an HSE responsibility?
A security responsibility?
An operational decision?
In reality, it may involve all three.
The same event may involve:
- Emergency response procedures
- Workforce accountability
- Communication protocols
- Regulatory reporting to multiple authorities — not only labour or environmental regulators, but potentially police, civil defence, security authorities, or other government bodies
- Contractor coordination
- Incident investigation and evidence management
And this last point is important.
An incident investigation involving a workplace accident is very different from an investigation involving a security event, such as a drone attack, sabotage, or hostile activity.
The fundamentals may change:
- Who leads the investigation
- Which authorities are notified
- How the scene is secured
- How evidence is collected and preserved
- What information can be shared internally or externally
- How findings are documented
- Whether the event triggers legal, security, insurance, environmental, HSE, or business continuity obligations
That means the compliance response is not only about having an incident procedure.
It is about understanding which type of incident has occurred, which obligations are triggered, and which process applies.
The Emerging Challenge
Most organisations already have some form of HSE management structure.
Many also have:
- Legal registers
- Audit processes
- Emergency response plans
- Security procedures
- Business continuity plans
- Contractor management systems
Individually, these may be well developed.
The challenge is that they are often managed separately.
As a result:
- Responsibilities overlap
- Ownership becomes unclear in practice
- Actions are not always coordinated
- Evidence is fragmented across systems
- Compliance status is difficult to see in one place
- HSE teams may be expected to manage new obligations without additional structure
This is where compliance becomes difficult — not because requirements are missing, but because they intersect.
A New Layer of HSE Compliance
What is emerging is not a replacement for HSE compliance.
It is an expansion of it.
One that:
- Cuts across HSE, security, operations, legal, and management
- Is often triggered by real-world events
- Requires coordinated response
- Needs to be auditable and demonstrable
- Must work for both smaller organisations and large multi-site companies
This is where legal registers, compliance audits, dashboards, and action plans become important.
Not as paperwork.
But as a way to structure responsibility, track obligations, and demonstrate compliance in practice.
What Comes Next
As these overlaps become more common, another issue starts to surface.
HSE and security-related responsibilities are often working toward the same outcome: protecting people, maintaining operations, meeting legal obligations, and demonstrating control.
But they are not always managed through the same structure.
That creates a new kind of gap.
Not necessarily in capability, but in coordination.
I’ll explore that in the next post.
