Implementing ERM requires integrated approach

Nov. 15, 2004
Many oil and gas companies are revising their risk management procedures to establish company-wide approaches, termed enterprise risk management (ERM). However, the industry as a whole does not have a good record in managing risks and opportunities systematically. The current drive for ERM is being led by the financial services sector with a compliance mindset. To be effective in improving corporate performance, ERM should integrate the many facets of financial, operational, and strategic risk and opportunity management in addition to addressing internal control, reporting, and compliance issues.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO), following a period of consultation from July 2003, published in late September 2004 its final framework for ERM (COSO-II Enterprise Risk Framework).1 Fig. 1 shows how justifications for the ERM framework link back to requirements for corporations to develop internal financial controls to satisfy financial compliance regulations associated with the US Securities and Exchange Commission (SEC) code of federal regulation (17 CFR).2

These regulations are being made more stringent by requirements of the Sarbanes-Oxley Act (SOX) of 2002 responding to scandalous corporate frauds of recent years and poor disclosure performances by some large corporations.3 The requirement for adequate internal financial controls can be traced further back to COSO's own Internal Controls Guidelines of 1992, as well as the Foreign Corrupt Practices Act (FCPA) of 1994. Internal financial control is also a key component of compliance in other jurisdictions, such as the combined code of corporate governance report, UK Financial Services Authority 2003, building on the Turnbull report of 1999.

Corporate preoccupation

The principles of the COSO-II Enterprise Risk Framework, with which we agree, emphasize the need for ERM to go far beyond internal financial controls and audit-related compliance. However, this has to some extent been sidelined by the preoccupation of corporate management, prompted by their financial advisers and auditors, with satisfying the above-mentioned statutory regulations and limiting their personal liabilities if things go wrong. But to be effective and improve corporate economic performance (as well as compliance), ERM must involve, and to a large extent be driven by, operational aspects of risk and opportunity management and assessment.

This need is illustrated by the right-hand influences identified in Fig. 1, which seem to be understated in the way that ERM framework implementation is currently being promoted within corporate entities. Perhaps the key phrase that integrates the financial and operational aspects required for effective ERM is "safeguarding of assets."

The financial disclosure aspect of "safeguarding of assets" obliges corporations to "provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of its assets that could have a material effect on its financial statements" (Sec. II-3 of the Final Rules, 17 CFR et al.).

However, "safeguarding" has different meanings in the financial disclosure context from the operational management context. At the general business risk management level "safeguarding" must broaden its focus significantly to integrate the full spectrum of corporate, financial, operational, and strategic issues relevant to asset management.

Determining what "safeguarding" means to its stakeholders and applying the ERM framework represent just the first steps toward establishing effective enterprise-wide risk management within an organization. To progress further toward successful ERM implementation, an organization must integrate into its detailed procedures the many facets of risk and opportunity analysis and complications in information flow and decision-making processes. This cannot be realistically achieved with a blinkered financial services and compliance mindset. It requires integrating the ERM framework with structured procedures rooted in the practical world of operational risk and opportunity management.

Yet pressure on organizations to adopt the ERM framework as a fundamental part of their risk management procedures is being promoted primarily by financial services consultancies. Indeed, many organizations now equate ERM with an audit requirement rather than something that is fundamentally beneficial to their operating activities and financial performance.

We question fundamentally whether the financial services sector has the requisite skills and experience to advise oil and gas companies (and those in other industries, for that matter) on the practical implementation of ERM at the levels where it can be most effective—i.e., the strategic and operated asset levels. Almost all of the eight "components" specified in the COSO-II ERM framework require detailed technical and commercial knowledge to be able to establish process and procedures meaningful for integrated ERM. Those eight components are internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring.

Insight, subtleties

The financial services mindset alone is not equipped to provide adequate insight to the many complex, specialized, and rapidly evolving sectors of the international oil and gas industry, such as operations in deep water, LNG, gas-to-liquids, and others. Nor is it well placed to appreciate the subtleties of the geopolitical, strategic, and operational issues involved.

Yet these sectors are the recipients of a major share of the industry's international capital-investment budget. Several ERM framework components—such as event identification, risk assessment, and risk response—require in-depth knowledge, experience, and risk analysis techniques tailored to specific operational sectors. Such expertise, ERM tools, and techniques have to be developed with the involvement of the strategic planning and operating teams of an organization and be adapted and accepted by them, perhaps with guidance and training from technical and financial experts.

Implementation of ERM therefore requires a structured application of commercial, financial, asset portfolio, and technical risk analysis tools and techniques. It depends crucially upon the level of technical and commercial skills, experience, and commitment of the people involved at all levels of an organization, not just the financial and corporate divisions. Hence, the key to effective ERM is implementation of the COSO-II framework with an integrated, structured, and systematic approach across corporate, financial, operational, and strategic divisions, using proven specialized tools, techniques, and people communicating from both the top down and the bottom up.

References

1. Information about the developed ERM framework is available at www.erm.coso.org, with a September 2004 executive summary entitled Enterprise Risk Management—Integrated Framework available for download. A summary of the background to COSO and its ERM framework appeared in the Second Quarter 2004 edition of Oil & Gas Financial Journal, an online version of which is available through the Oil & Gas Journal Online Research Center, accessible at no charge by clicking "Online Research Center" on the home page of www.ogjonline.com.

2. Parts 210, 228, 229, 240, 249, 270, and 274.

3. SOX, passed by the US Congress and signed into law on July 30, 2002, is named for sponsoring Sens. Michael G. Oxley (R-Ohio) and Paul Sarbanes (D-Md.). It requires principal executives and financial officers to certify corporate financial and other information in quarterly and annual reports to the Securities and Exchange Commission. It also dictates how a company's management should assess internal controls and auditing standards. SOX is highly personal in the liability it creates for senior managers.

The authors

David Wood is an international energy consultant specializing in the integration of technical, economic, risk, and strategic portfolio evaluation and management. He received a BSc in geology from Leicester University (UK) and a PhD from Imperial College, London. Research and training concerning economics, portfolio, and risk analysis are key parts of his work. He is based in Lincoln, UK, but operates worldwide. He maintains a web site at www.dwasolutions.com and can be contacted by e-mail at [email protected].

Scott Randall is principal consultant in the enterprise risk management practice of Det Norske Veritas (DNV) Consulting, Houston. He received a BSc in civil engineering from Michigan Technological University and an MBA in International Management from Thunderbird. He has over 15 years of experience in international marketing, risk management, strategic planning, and infrastructure project development. His e-mail address is [email protected].