With the increasing use of new technologies to reach natural resources in more hazardous and remote parts of the world comes an inherent increase in the operational risk profile.
Resource-rich nations, such as those in Africa, are ever more aware of the value they are trading with international organisations. Labour relations are fraught with tension in some parts of the world, and public opinion is often hostile to oil and gas companies even in places that rely on natural resources for their livelihood. Recently the industry has seen incidents in Africa that cannot be controlled by the companies operating in the region, but are faced by all of them. How do companies manage risk in order to better mitigate such events?
While there is no doubt that executives are aware of the need to manage risk, the overarching risk programmes at many organisations in the oil and gas industry have not kept pace with the complexities of their operations. Often, risk only becomes a priority when there is a major incident or event that impacts them or another company in the sector. Given the fast-changing environment, it is essential that risk management is embedded in the business to identify emerging exposures, monitor known risks, and keep executives and the Board updated so that they can make risk-informed decisions and take advantage of opportunities in the market.
Many oil and gas companies have had risk management or enterprise risk management processes in place for several years. However, risk management is often incorrectly positioned as a compliance function or a governance obligation, and is regarded as a mechanism solely for describing risks and communicating them to the Board. It is not seen as a strategic function, and is not part of the business planning cycle. Risk is very often left in silos and not brought together to enable a single view of all categories of risk.
Enterprise-wide risks, particularly emerging threats in new markets, are those that the Board has on its agenda to understand and manage, but a bottom-up assessment is important too. While historically companies have always invested in risk management activities to address function-specific risks, such as exploration risks, production risks and financial risks, the challenge now is how to integrate all these initiatives, together with their mitigation plans, into a common framework in order to strengthen decision-making.
A significant threat to the industry is geopolitical instability and the risks that may arise from this; not just the possibility of asset nationalisation, as recently seen in Argentina, but also predatory fines by a government in dire need of money. Mitigation of geopolitical risk means not only addressing the legal and contractual framework on which a transaction or operation is built, but also understanding the local political situation. Even anticipating shifts in the political landscape may not be sufficient to control their effects, however: being aware of upcoming political risk factors is one thing, but managing these risks in time to protect your assets or people is a different matter, especially in cases where the risks are predominantly security-related, such as in Algeria in January 2013.
Recent attacks on the industry have shown the real impact that cyber threats can have on the sector, through leakage of commercially sensitive information, such as exploration data, and through malicious interference with industrial control systems; it is now even possible to divert a tanker from its course with the right equipment. Managing cyber security as a strategic risk, rather than an operational one, is an important step-change required across the industry to help drive long-term risk reduction with quantifiable benefits.
Cyber risk is often ranked as a top risk but not analysed deeply enough. Scenario analysis is needed to build an understanding of the practical risk implications, identify the greatest vulnerabilities, quantify the exposure, and evaluate in detail how the company is monitoring and addressing the possibility of cyber attack. Our work with the UK government on FTSE350 cyber risk management shows a need to rethink how cyber is reported upward to the Board, with more open and jargon-free metrics.
Third party risk
All businesses have to interact with third parties that present a range of potential integrity and reputational risks: from customers and suppliers through to agents and local or even globally strategic partners. The increased focus on regulatory compliance, particularly around anti-bribery and corruption legislation such as the UK Bribery Act and the US Foreign Corrupt Practices Act, means that a sound understanding of counterparties, their ownership and their modus operandi can help prevent illegal activities for which the business may ultimately be liable, thereby reducing the risk of public censure, fines or even executive prison time. A flexible, responsive third party risk management programme, based on appropriate levels of due diligence, is vital to managing an area of risk that is widely talked about but not always deeply understood.
Thinking about risk should be incorporated from the first step of the planning process to the very end, covering such things as the lifecycle of the oilfield, labour relations, entry into new markets and so on. Too often, companies do not sufficiently analyse the practical implications of risks, leaving them described simply as, for instance, "geopolitical risk" or "cyber", without fully examining the true exposure and the readiness to prevent or respond in a manner that minimises adverse consequences and optimises opportunities. Seldom do companies fully assess the range of possibilities, measure the financial impact of those scenarios, build in accountability for monitoring specific events against defined indicators, and ensure that the effectiveness of mitigation plans for such exposures is assessed and reported. Armed with this kind of data, the company can determine whether it is taking enough risk, as well as whether it is taking too much. Is a same-sized competitor valued more highly in the stock market because it is making better risk-informed decisions? The difference may be due to its careful, deliberate approach to investing in the midst of uncertainty.
Control functions and risk management must be properly aligned. A lack of skills, and a lack of knowledge or experience of how to bring about this form of integration, is a key obstacle to the convergence of risk and control functions in oil and gas companies. Compliance, corporate governance, assurance, risk financing and so on need to converge, but the managers in these silos are often unwilling to relinquish budget and perceived influence and power in the organisation. A single executive is needed who understands the broader issues of governance, risk management and compliance. KPMG recently helped a utility company to combine six risk-related departments into one division, enabling the company to standardise risk-related functions and achieve good synergies, driving cost savings and enhancing the effectiveness of the overall risk programme.
If risk management is regarded by leaders of the business as a pro forma exercise solely for the consumption of Board members, it will remain forever divorced from operational reality. The CEO must take the lead in helping the Board make risk-aware decisions at an enterprise level, while ensuring that managers lower down the hierarchy understand how their choices affect the risk profile of the company. Oil and gas companies often do a good job managing risks to health and safety and the environment, but these challenges tend to overshadow other risks that may be equally dangerous to the health of the company. Only by developing a more strategic approach and integrating the process of risk management into everyday business thinking can executives build a risk-aware culture.