Oil and gas executives long have been well-acquainted with the obvious risks facing their companies. Spills, environmental damage, fires and employee accidents all can have severe consequences on a company's operations, reputation and bottom line, and executives rely on well-established policies and procedures to prevent or to mitigate the damage in the event of these mishaps.
Such events, as well as failing to access new economically recoverable reserves or underestimating the effects of political instability on international operations, are simply risks faced in the normal course of business.
But in today's post-Enron business environment, an informal approach focused solely on traditional oil and gas industry risk may be insufficient. Shareholders and regulators are demanding that companies take a closer look at their risks across all activities and operations, and clearly understand how those risks are to be addressed.
For example, the New York Stock Exchange now requires that audit committees of all of its listed companies identify how management recognizes and manages key risks to the organization.
This heightened awareness of risk is presenting new challenges to oil and gas executives, who in the past have tended not to focus the same attention on non-traditional risks. These non-traditional risks, however, can also have serious consequences if not dealt with appropriately by management.
Given these developments, oil and gas executives need to become more proactive and broaden their efforts of identifying, reporting and managing risk. In addition to satisfying new regulatory and shareholder demands, a more comprehensive approach to risk management can help leadership make better-informed decisions by understanding new and emerging risks, chart more effective business strategies and enhance shareholder value.
Enterprise risk management, or ERM, has often been viewed by oil and gas executives as something only for banks and insurance companies, or at least something for the finance or insurance department. But risk management is more than that. Ultimately, ERM helps management facilitate the everyday needs of running a business successfully, the corporate governance need of its board and the anticipation of regulatory and other compliance needs. Done properly, it is a structured and disciplined approach that aligns strategy, processes, people, technology and knowledge with the purpose of evaluating and managing the uncertainties that companies face as they create value.
Many oil and gas companies are uncertain about how to translate the theory of ERM into concrete, practical action steps, and most have no tolerance for academic approaches to how they run their businesses. As important as ERM might be, it will never work unless it enables oil and gas companies to drive value in a way that they could not do otherwise.
More serious, however, is that oil and gas executives do not always have sufficient information about non-traditional risks to their business when making decisions or planning strategy. Obvious industry or regulatory-driven risks (environmental, health and safety issues, for example) have very defined processes associated with them, including assessment of risks, defined control processes and indicators, monitoring of those indicators, and frequent reporting to management and the board.
However, oil and gas companies often lack similar structure and process around non-traditional risks, and they rarely have a way of reporting to senior management and the board that pulls risk information together from across the various silos. These risks are many and may include the inability to successfully deliver major projects or attract new talent and retain key people, or the failure to successfully implement international management and information systems.
These non-traditional risks, if not adequately understood in the context of the organization's particular operations, can be "camouflaged" and result in damage as devastating to the company and brand as the risks more normally associated with oil and gas companies.
How, then, does an oil and gas company go about establishing a more effective and comprehensive risk-management approach? Fundamentally, ERM is comprised of "content" and "process." Content is the information about the nature of the risks, while process is the ongoing framework that needs to be established to ensure that timely and accurate information is received on key and emerging risks.
To begin with, the ERM "process" incorporates the following five elements:
Risk governance: structure, strategy, approach and governance framework for developing, supporting and embedding ERM.
Risk assessment: a process for identifying, assessing and categorizing relevant and timely risk information. An ongoing, company-wide risk-assessment process allows companies to consider the extent to which potential events have an impact on the achievement of objectives relative to their risk tolerance.
Risk quantification and aggregation: the ability to accurately measure and aggregate risk company-wide provides the information necessary to make prudent risk-management decisions. Quantitative methods enable management to understand which activities/businesses are adding or potentially eroding value.
Monitoring and reporting: typically three "lines of defense" are established by companies for monitoring risk: self-monitoring within business units; central oversight through corporate management; and independent review (e.g. internal audit, and environmental, health and safety). Also integral is a clear process of reporting risk information to management, the board and external stakeholders.
Risk and control optimization: ERM provides information that management can use to better allocate resources and capital away from risks that are over-managed to ones that need attention.
A first step
All oil and gas companies have some aspect of these five elements. However, their efforts are often reactive or confined to a particular issue or business unit (e.g. a strong focus and reporting on environmental, health and safety risk). Executives in the energy industry need to become more proactive and broaden their focus of identifying, reporting and managing risk beyond individual silos, so that risk management becomes a more integrated part of their businesses' operations.
A first step in this process is enhancing the organization's risk-governance structure by establishing a management risk committee (or risk council), which can bring the issue of ERM in front of leadership, the board audit committee and other board committees. With the lead risk executive reporting to the CEO, the risk council should include individuals who oversee key areas within operations and support, such as operations, strategy/corporate development, legal, human resources, compliance, finance and information technology.
The risk council's first goal is to identify and prioritize the organization's key risks (i.e. build risk "content"). Key risks are those that could potentially affect the company's strategy, its business model or its financial and operational performance. These key risks should be prioritized using criteria such as the likelihood of the risks occurring and the potential consequences to the company should they occur.
Next, risk should be organized into categories such as strategic risk, compliance risk or operations risk to enhance understanding of the primary risk areas facing the company. Leaders can then determine how the risk may affect variables including profitability, market share and reputation. Consequently, they are better able to understand and manage the risk, based on whether it is:
Controllable: a risk occurrence that management can reduce or prevent;
Uncontrollable: a risk occurrence that management cannot prevent but can detect, and whose consequences it can manage;
Discrete: a one-time event that impacts business objectives within a discrete timeframe but may recur; and
Ongoing: an iterative event that affects business objectives over an indefinite timeframe.
Identifying key risks will help the organization understand and assign accountability: who owns the risks, how effectively these are currently being managed, and how the risks are being monitored. A key benefit often realized through ERM is a reduction in spending on risk management and monitoring activities by consolidating risk management projects into a centralized focus with more clearly defined monitoring responsibilities allocated for the various monitoring functions, such as internal audit and compliance.
With risks identified and assigned an owner, companies can decide on their vision for the ongoing risk-management "process." Depending on the needs of the organization, its particular risks, and gaps in the current risk management efforts, there are varying approaches that can be taken. An organization's approach, and the choices it reflects, affects the extent to which it makes ERM part of its governance and business operations.
An organization's approach to ERM can be broken down into three variables: basic, mature and advanced. For example:
Basic: helps an organization remain in compliance. The organization has identified its top risks and has prioritized and addressed its compliance risks.
Mature: is deployed as a management process. The organization has a process for managing risk and a governance framework that supports the process. It manages compliance risk against strategic goals.
Advanced: is embedded in the strategic framework. Senior leaders use risk information as the basis for decision-making and ERM is aligned with performance measurement.
Theory to tool
ERM has evolved from a largely theoretical concept to a highly practical tool. Now, many business leaders are beginning to recognize ERM's value and practical applicability as a way of responding to business or governance changes and stakeholder demands, thus improving the management of identified risks and creating a sustainable process for gaining competitive advantage.
To be sure, there is no "cookie cutter" answer to ERM: each company needs to approach managing risk in a way that is tailored to its unique culture, operations and strategies, and to the key risks and opportunities it faces. For oil and gas companies in particular, ERM cannot work as a separate, added bureaucracy. It needs to be integrated with the company's business practices and processes.
The more embedded ERM becomes in a company's operations, the more benefits it will offer in terms of empowering executives to make well-informed and strategic business decisions, resulting in opportunities to grow profitability and enhance shareholder value.
Michael A. Wilson is a partner in KPMG's Southwest Advisory practice based in Houston, and the Southwest lead partner for Enterprise Risk Management services. He has 15 years of audit and advisory experience to organizations in a variety of industries.