DAVID WOOD, DWA Energy Ltd.
In the wake of tougher regulations, many oil and gas companies have established or expanded risk management systems integrated company-wide, or enterprise risk management (ERM). Do such systems necessarily make companies better prepared to deal with low-likelihood, high-impact events?
The oil and gas industry does not have a very good track record in managing or responding to unexpected risks and opportunities in an integrated and systematic manner. Indeed, the ERM frameworks of several large multinational energy companies and service companies have been found wanting in the past decade when confronted by the impacts of unexpected yet high-impact events—natural disasters, corporate fraud, rogue trading, market collapse, industrial accidents causing fatalities and widespread environmental contamination, political and fiscal instability leading to asset expropriation, the dissatisfaction of communities and the protests of special interest groups.
This article addresses how ERM frameworks can be developed to strengthen internal controls and accountability, to safeguard the real asset portfolios of large organizations while, at the same time, not losing sight of the complex nature of uncertainty—risks and opportunities—associated with extreme events. Unfortunately, the drive over the past decade by the oil and gas industry to adopt ERM has been led primarily by the financial services sector, which can have a blinkered corporate governance, compliance and financial risk management mindset.
RISK ANALYSIS TECHNIQUES
To be effective at safeguarding an organization’s real assets and improving corporate performance, ERM frameworks need to integrate the many facets of financial, operational, geopolitical, fiscal and strategic risk and opportunity management impacting the real asset portfolio. Additionally, they must address internal control, governance, reporting and compliance issues.
Several quantitative risk analysis techniques, such as value at risk (VaR), use stochastic methodologies that have been shown to systematically underestimate the complex interactions of multiple and correlated risk exposures and the significance and potentially catastrophic impacts of low-probability events should they occur, such as Nassim Taleb’s “black swan” forecast that preceded the 2008 banking crisis and economic meltdown.1 For good reason, many companies are now skeptical of relying too much on such quantitative methods, regardless of the sophistication of their mathematical algorithms, to determine acceptable levels of risk exposure.
Low-likelihood, severe-impact events (extreme risks or catastrophes) are subject to significant levels of uncertainty, which are difficult to quantify accurately and are notoriously vulnerable to under-estimation by mathematical algorithms. However, failing to appreciate such exposures and developing appropriate contingency plans and emergency response plans can expose organizations to extreme financial losses, reputation damage and lost future opportunities (e.g., the Deepwater Horizon accident). Because uncertainty impacts assets and organizations in complex and non-linear ways, it helps to adopt rigorous approaches to evaluating uncertainties from both the real asset and corporate perspectives and developing meaningful contingency plans to respond to extreme events.
Many approaches to analyzing and categorizing risks and opportunities begin with two-dimensional risk profiles, maps or matrices. Scenario-based risk assessment can also be aided by such probability vs. consequence diagrams (e.g., Wood et al. 2007) identifying different grades of risk exposure and those requiring mitigation actions to reduce exposure. Such diagrams usually involve likelihood of occurrence (frequency or probability) on one axis and severity of impact on the other axis using semi-quantitative scores or fully quantitative probability and impact cost approximations.
Figure 1 illustrates generically some of the risks that oil and gas companies typically are required to manage and how they might be distributed on a probability-vs.-consequence diagram. The nature of the risks includes a wide range, e.g. operational, corporate, market and equipment. Typically, mitigation actions are likely to be designed to move specific risk exposures closer towards the origin in Fig. 1. Note that the extreme risk scenarios are located towards the bottom right and, because they are associated with very low probabilities of occurrence, often fall off the radar screen of operational managers who are focused on the more frequently occurring risk scenarios.
 |
| Fig. 1. Spectrum of oil and gas industry risk, likelihood vs. impact. Extreme risks form the low-likelihood/high-impact region and, in an operations environment, typically receive less attention than more frequently occurring risks. |
|
It generally aids analysis and mitigation strategies to use “bowtie” and/or “butterfly” diagrams that identify the links among events, their causes and potential outcomes.2 These diagrams help raise awareness that events associated with typical risk scenarios can have multiple outcomes from multiple causes.
Over years or decades, real projects tend to see only a few of the risk scenarios described in Figure 1 actually materialize into loss-causing incidents, Fig. 2. This can lead to a false sense of security, applying the flawed logic that if it has not happened historically then we don’t need to worry about it. If organizations only focus on the most likely risk scenarios, they will significantly underestimate the true level of the risk exposure. In scenario-based risk analysis, it is important to include some or all of the scenarios identified as extreme risks to develop more robust risk mitigation and response strategies.
 |
| Fig. 2. Risk exposures that are actively managed by industry tend to be a subset of a larger spectrum of risk exposure to potential events that could occur, but are deemed highly unlikely. |
|
MULTIDIMENSIONAL APPROACH
Another issue for the risk event scenarios identified in Figs. 1 and 2 is that corporate risk managers tend to gain more experience in dealing with the more commonly occurring risk scenarios towards the top left end of the distribution. On the other hand, industry regulators and the courts tend to address issues towards the bottom-right end of the distribution. Although the full spectrum of risk scenarios is there, the risk scenarios actually receiving most of the attention may be fewer than an independent risk analyst might expect.
In fact, the situation is significantly more complex than can be illustrated by two-dimensional diagrams. Each risk scenario is multi-dimensional and non-linear, with some risk exposures strongly correlated or dependent upon each other. If we fail to consider some of the other dimensions, and limit ourselves to likelihood of occurrence and severity of impact, we will likely underestimate the true magnitude of our exposure to each scenario. Multi-dimensional analysis of risk exposure can be useful in drawing attention to characteristics of certain risk scenarios.
Figure 3 shows a radar diagram plotting six dimensions of risk exposure for an extreme risk scenario on a semi-quantitative analysis scale of zero to 10; where zero is minimum or no exposure and 10 reflects maximum exposure. There is no limit to the number of dimensions that might be included in such an analysis.
 |
| Fig. 3. Extreme risk exposure is a multidimensional issue, not the two-dimensional problem that is often used to quantify risk exposure. Some of the additional factors that influence the likely outcomes of extreme risk events are shown here. Multidimensional risk profiles help determine an organization’s level of preparedness to deal with specific extreme risk scenarios. |
|
In Fig. 3, there are four dimensions of the analysis not included in Figs. 1 and 2:
Frequency of exposure is different from likelihood of occurrence. For example, a normally unmanned production platform in the Gulf of Mexico is exposed to hurricane damage only during the hurricane season. Risk of loss of life on the platform due to a severe hurricane is limited in its exposure during the short periods during the hurricane season when maintenance personnel actually visit the platform.
Sophistication of contingency plans is often crucial in being able to rapidly respond to and deal with extreme risk scenarios when they materialize. The Macondo well blowout of April 2010 is a poignant example of inadequately developed contingency plans by the industry as a whole. The fact that no deepwater well-capping device was available to contain the blowout and deal with a malfunctioning blowout preventer for nearly three months and had to be manufactured “on-the-hoof” reflects poorly on the industry as a whole. No operating company or service company had considered such a scenario, or if they had, did not see the need to develop contingency plans. The fact that the Marine Well Containment Company (MWCC) was formed after the Macondo blowout and in one year had grown to more than 10 member companies suggests that none of those companies had adequate deepwater well-capping contingency plans in place prior to the blowout. Those companies operated about 70% of deepwater wells drilled in the Gulf of Mexico between 2007 through 2009. The reason there were no contingency plans is that—based on historical occurrences—there was no perceived problem.
The influence of regulators and the law is an important dimension, because if there are regulations or legal precedents associated with specific risk scenarios, then it is more likely that robust risk management options and mitigation strategies are already available.
The level of scrutiny by stakeholders, such as a community concerned about water pollution, also determines the level of attention an operator is likely to dedicate to a particular extreme risk scenario. Even if an operator’s assessments of the level of risk exposure to an extreme risk scenario are very low, if a stakeholder raises concerns about exposure to that event, then it is likely that the operator will dedicate more resources to mitigating that risk or developing robust contingency plans.
It is also helpful in risk analysis to divide uncertainties into “pure risks” and “speculative risks”, an approach used for many years by the insurance industry. Pure risk involves only a possibility of loss or no loss—there is no possibility of gain. They are associated in the oil and gas industry with safety, security and environmental hazards. Pure risk can be categorized for insurance purposes as personal, property, or legal risk, and it is possible to insure against their impacts.
On the other hand, speculative risks differ from pure risks in that they involve the possibility of profit or a loss (i.e., risk and opportunity). This characterizes most financial investments made by oil and gas companies. Most speculative risks are uninsurable, because they are undertaken willingly in the expectation of profitable outcomes. Organizations that are prepared to take speculative risks are, of course, essential for the economic development and growth of societies and communities, employment and the development of innovative technologies. Hence, it is crucial that organizations develop risk management strategies and frameworks that address not just minimizing the hazards of their exposure to pure risks, but also maximizing the benefits (financial and non-financial) from speculative risks while avoiding the potential losses or consequences of failure.
Integrating ERM frameworks and triple-bottom-line analysis techniques (i.e., profit, people and planet)3 into risk analysis and investment decision-making has potential to enhance performance of speculative risk taking in the oil and gas sector from a societal and environmental perspective. Indeed, triple bottom line integrated with ERM should help to justify or refute the basis for taking on extreme risk exposures particularly where some of the impacts of the extreme risk scenarios are concentrated on communities and/or the environment, Fig. 4.
 |
| Fig. 4. Triple-bottom-line principles require careful attention to full life cycle benefits and disadvantages of specific projects. The approach also requires addressing a project’s long-term impact on the local community. Performance needs to be measured against key performance indicators, predetermined by consultations with the project stakeholders. |
|
As highlighted here, shareholders and managers in oil and gas companies often focus on events with a greater likelihood of occurrence. When extreme events do occur, rare catastrophes on the downside or giant discoveries on the upside, official investigations are more likely to be focused on the outcomes of relatively unusual high-impact, low-likelihood events. Along with major disasters, giant oil and gas discoveries also grab the attention of legislators; in the latter case, they are usually concerned about appropriate levels of fiscal take, development of indigenous industry, levels of local employment and impacts on the local community. ERM systems, on the other hand, need to address the full spectrum of events to be able to manage day-to-day uncertainties and be in a position to respond.
REGULATORY COMPLIANCE
Following the demise of Enron and subsequent regulation mandated by the US Sarbanes Oxley Act (2002), the Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed the Enterprise Risk Management Integrated Framework in 2004. Many oil and gas companies have since developed ERM systems based upon the COSO and other frameworks. However, the financial risk-and-compliance mindset with which some companies have implemented these systems led to questions about the effectiveness of such systems at managing the full spectrum of risks to which oil and gas companies were exposed.4,5 DWA Energy has developed a trapezoidal framework focused on effective ERM implementation to address the handling of extreme risks, Fig. 5.
 |
| Fig. 5. ERM systems by oil and gas companies should include clear requirements to prepare for the handling of extreme risk events. This should include a level of disclosure to stakeholders sufficient to create confidence that preparations to deal with extreme risk are robust and fit-for-purpose. |
|
This ERM framework has at its core multi-directional communication systems facilitating efficient reporting and documentation of the risk management process. Reporting and transparency also underpin information flow to stakeholders outside the management of the organization, such as shareholders, statutory bodies, communities and the media—all key to effective compliance and establishing credibility for the ERM system. In relation to management of extreme risks that may never materialize, credible and transparent contingency planning is essential. Contingency plans should incorporate robust systems and appropriate allocation of resources to develop effective crisis management centers and emergency response procedures covering a wide range of potential disaster scenarios. Establishing the credibility of such plans with a wide range of stakeholders requires a level of transparency and openness that some oil and gas companies are hesitant to embrace. The aforementioned Marine Well Containment Co. is an example of how the public announcement of membership in a collaborative emergency response effort is likely to increase stakeholder interest.
Whatever is done to optimize risk and opportunity performance in an organization should be clearly disclosed to the board of directors or senior officers of an organization, along with its shareholders and employees, and be available for scrutiny by an investigator or regulator. To this extent at least, all ERM frameworks employed and information generated by them should be obvious and easily understood by all of these different parties. It is always better to focus on forecasting, preventing or exploiting potential extreme events than be seen as reacting to them and trying to manage responses in an ad hoc manner. A robust ERM framework incorporating scenario planning for extreme events should enable organizations to be better prepared if such events do occur.
The key phrase that integrates the financial and operational aspects of ERM is “safeguarding of assets.” Figure 6 illustrates some of the recent legislation, regulation and best-practice guidelines that influence how companies organize their internal financial controls and reporting. The recent Dodd-Frank Act (2010) involving changes to financial regulations in the US, and the UK Bribery Act (2010) and UK Corporate Governance Code (2010), illustrate how the compliance and corporate governance landscape continuously evolves and places additional requirements on large organizations, including oil and gas companies, to demonstrate that they are adapting their control systems to these new requirements.
 |
| Fig. 6. Effective ERM implementation requires careful attention to legislation, regulation and corporate governance. However, for an oil and gas company it also requires an integrated approach focused on its full real asset portfolio, not just internal financial controls. |
|
Many of these legislative and regulatory changes require ERM frameworks and implemented systems to be updated and expanded. It is easy for companies to become preoccupied with financial controls and corporate governance in this regard. For oil and gas companies, this is a mistake. In addition to establishing robust internal financial controls, oil and gas companies need to focus specifically on safeguarding their real asset portfolio. It is in those real assets that many of the exposures to extreme risks lie and need to be addressed with robust contingency planning. Implementation of ERM systems requires an integrated corporate, financial, strategic and operational asset mindset rather than a blinkered compliance-and-reporting mindset. The real asset portfolio and its exposure to extreme risk needs to be part of that integrated ERM. From the foregoing analysis, the author concludes that oil and gas companies could improve their performance with respect to mitigating or dealing with extreme risk exposures by a more integrated approach, bringing together traditional portfolio management techniques, triple-bottom-line analysis of decision-making and ERM. 
LITERATURE CITED
1 Taleb, Nassim N., The Black Swan, 2007.
2 Wood, David A., Lamberson, Greg, and Mokhatab, Saeid. “Project risk: A key consideration for upstream project management,” World Oil, September 2007.
3 Elkington, John. Cannibals with Forks: The triple bottom line of 21st Century Business, 1997.
4 Wood, David A. and Randall, Scott. “Implementing enterprise risk management (ERM) requires integrated approach,” Oil & Gas Journal, Nov. 15, 2004.
5 Wood, David A. and Randall, Scott. “Implementing ERM - 1: The importance of perspective,” Oil & Gas Journal, March 21, 2005.
THE AUTHORS
|
 |
DAVID WOOD is the Principal Consultant of DWA Energy Ltd, UK, specializing in the integration of technical, economic, risk and strategic information to aid portfolio evaluation and project management decisions. Dr. Wood has more than 30 years of international oil and gas experience spanning technical and commercial operations, contract evaluation and senior corporate management. / dw@dwasolutions.com |
|
