Risk mitigation — is it worth it?
James McLeod-Hatch, AKE Ltd., London
As this article is being penned, Russia is engaged in geological exploratory work in an attempt to prove that vast portions of the Arctic are in fact part of the Russian continental shelf. If Russia succeeds in proving this, it will be in a supreme position to exploit natural resources from the Arctic, especially – as the wisdom goes – as global warming and climate change mean that the retreating ice pack will expose new areas for exploration and development. These activities show not only the competition for resources – they also indicate the extent to which energy companies are now prepared to travel to areas and regions that might once have been considered too risky.
Increasingly, the notion of risk is being countenanced in its original conception, namely in its physical manifestation of danger to operations, most notably to physical and human assets; and companies are coming to see the management of risk as an essential part of their operations. This is a laudable development, although it is likely that companies leading this charge have been motivated mainly by a financial incentive: simply put, it was only once physical risk began to impact on the financial health of an entity did the concept of risk mitigation become a critical one.
There are perhaps two main theatres where this has been most obvious: Iraq and Nigeria. In Iraq, companies attempting to pump oil out of the country have been consistently thwarted through explosive attacks on pipelines. In Nigeria, energy companies have had to deal with the increasing threat of having staff abducted by local groups, often with a very tangible dent in their profitability as they are forced to shut down operations in response to threats and actual abductions.
Such problems are reflected not only in the financial statements of the companies directly involved, but the repercussions are felt around the world as energy traders react to the news, and the unit price of the traded commodity changes accordingly.
Risk mitigation – a claimed or tangible benefit?
Previously, the concept of weaving political and security risk mitigation into a company ethic was conceived in much the same terms as the Emperor’s Clothes: a considerable expense with no overt and tangible external difference. The measure of success of splashing out on risk mitigation could only be determined by nothing happening; but immediately this allows for naysayers to contend that nothing would have happened even if no risk reduction strategies had been adopted.
But times are changing, and, much like terrorism insurance, which was seen as a luxury before 9/11 (US risks are now subject to the Terrorism Risk Insurance Act – TRIA), more and more companies are wising up to the strategic benefits of rolling out risk mitigation across their operations. Indeed, it could well be that in certain industries in the future, security audits will carry as much gravitas and will affect how a company operates in much the same way a financial audit does currently.
However, as is often the case, it will likely take the discovery of gross negligence in a large entity before changes can be affected. For example, the scandal with BCCI in the 1990s and other instances of serious mismanagement created the need for reviews on corporate governance. These concerns are now addressed in the Turnbull Report, which prescribes a number of practices that are suggested to be adopted. However, the adoption of these is not mandatory; the practices are merely presented as best practice.
Companies are essentially required now to show compliance with Turnbull, as to not do so would create such a lack of comfort among the auditors that they might feel unable to sign off a financial audit. Essentially, there is now no good reason not to comply with Turnbull.
This is how AKE views political and security risk mitigation: there is no reason why it should not be adopted. Expense is often cited as the primary reason – but if a $2,000 training course can prevent a $200,000 operating loss, is there not sound financial reasoning behind adopting such a strategy? Similar problems were likely encountered when the financial community began to offer new forms of insurance – originally the insurance market was kickstarted by the particular need of a particular group (those involved in shipping wishing to protect their losses at sea), but soon Lloyd’s was offering cover for all manner of risks.
Ask a company now to forgo the expense of property insurance, preferring to take their chances of a total loss in the instance of a fire, for instance, and they would consider the offer to be completely insane. Ask a company to forgo employer liability insurance, and they would likely report you for breaking the law.
As attitudes change over time, then, companies are prepared to take on more expense in proving that they operate under codes of best practice. Often companies even use the fact that they are complying with recommended (but not mandatory) regulations for marketing purposes, as it distinguishes them from their competition and boosts their overall credibility.
So, what are the components of risk mitigation, and what benefits might they bring? These will now be discussed in the following sections, which will introduce the holy trinity of risk mitigation: Intelligence, Training, and Security.
Intelligence
There are a variety of internal and external factors that may negatively impact an energy business, from physical illness or mental stress, to climate, crime, terrorism, liability, corporate image, community relations, nationality, and politics. These elements may not always work in concert (although they rarely occur in complete isolation from one another), and only some of these factors might potentially affect a company – an appraisal of these should therefore be the first buttress of any risk mitigation strategy.
AKE has championed the “intelligence-led” approach to security, as it allows all subsequent measures to be relevant and cost-effective. Imagine spending thousands on a security fence only to discover that underpaid guards are prepared to let people through the gates if presented with a large enough bribe; or installing security cameras at vast expense, but not taking the time to find out if the security personnel are qualified or capable to use them once they are installed; or paying for anti-malarial drugs when it turns out that malaria does not even affect the proposed area of operations.
Therefore, before the first employee has even set foot in the hostile region, intelligence should be conducted:
- What are the climatic conditions?
- Should employees be given special protective clothing?
- Are there any health issues in the region – is a course of vaccination necessary?
- What are the local security concerns – are there armed and hostile militias operating in one’s prospective region?, and
- What about the larger political and security concerns – will one’s newly acquired and/or refurbished assets simply be seized by a new revolutionary government?
By posing as many questions as can be conceived and attempting to answer them, an indication as to the likely success of a project will be obtained before there has been any exposure to risk. Again, there are strong parallels to the insurance industry: often PML (Probable Maximum Loss) studies are performed on assets before insurers will even write the risk, so that they are fully appreciative of what their liability might be in a worse-case scenario. So therefore should preliminary intelligence be conducted in the form of risk assessments; and once operations have begun, a continued intelligence feed should be sought so that new and emerging issues can be countenanced from the earliest possible stage.
Another advantage of intelligence being conducted ahead of deployment is that it allows potential risks to be identified and then converted into mitigation. For example, it has been discovered that there is a hostile community militia operating in a proposed area of operations, which has previously shown dissatisfaction in being excluded from projects by attacking them – how can the risk from this be reduced?
One possible solution would be to involve them in the project – for example by asking the militiamen to provide security. By giving them a vital (and suitably remunerated) role they will feel included and suitably rewarded. Intelligence is vital in identifying factors that can be turned to one’s advantage.
Training
Once intelligence has been conducted about a project, the necessary preparations may be made in order for operations to commence. Perhaps the most important aspect of preparation is that of training.
It is amazing the extent to which companies believe their assets to be limited to property, plant, fixtures, and fittings. Arguably, the most important asset to a company is its employee-base. Without them, all the fixed assets in the world can be owned but no economic benefit will ever be derived from them. Investing in one’s employees will only have a positive effect, while a failure to do so will have just the opposite effect and may even result in accusations of negligence, or worse, actual litigation.
Sending one’s employees into any environment without the correct training is like sending a car off the production line without an undercoat. It is far more likely that the car will corrode, become damaged, or need replacing than a suitably-primed counterpart. Hence investing in training will prepare employees suitably for the environment – not only will they be able to sidestep avoidable risks (for example, discovering a device planted on a vehicle after being given an introduction on how to search a vehicle), they will also retain the mental benefits of the training. They will feel more confident and assured in their activities, and they will feel that their company values their input – which will have the tangible advantage of high staff retention for the company.
One of the aspects of operating in hostile environments is that it is incredibly stressful on employees. If some of their fears can be allayed ahead of deployment, this will reduce the risk of them leaving their position ahead of schedule due to the stresses encountered in the job.
Especially in the energy industry, the cost of re-hiring and re-training personnel to fill a specific role can be a considerable burden on a company, so keeping staff rotation to a minimum is highly desirable. The duty of care shown to employees by giving them comprehensive training will give extra satisfaction not only to the employees themselves, but also to the shareholders of the company and also current and prospective clients.
It should also be noted that training is not limited to fanciful preparation for “what-if” scenarios: around 50% of the majority of AKE’s training courses, for example, are devoted to medicine. It is far more likely that personnel will suffer downtime from a bout of food poisoning than from being attacked by guerrillas. Therefore, coaching them in the basics of food hygiene will be of far more utility than teaching them escape and evasion techniques.
Too often training companies are concentrating on mitigating against exotic risks, when the time would be better spent on teaching people about more “mundane” matters. How to stop a bleeding wound; how to identify a safe buffet; how not to offend a local host during Ramadan – it is precisely these sorts of issues that can be dealt with in training, and it is these sorts of issues which are most likely to be encountered in day-to-day operations.
Security
It is only after the intelligence and training buttresses of a risk mitigation strategy have been put in place that one starts to look at physical measures to improve security. All too often just the opposite approach is taken by so-called “risk mitigation companies” that believe the cornerstone to secure operations is measured by body armor and belts of ammo. Indeed, this can be a destructive approach to take – often such high-profile security measures do nothing other than mark one out as a potential target. Low-profile security measures can often be dramatically more effective.
The physical security of an operation can be improved with systems, equipment, and personnel. A common preliminary step in devising physical security measures is to perform a security audit of existing security measures, to identify weaknesses and areas for improvement – after all, why spend a fortune on reinforcing one’s main gate when the back door is the most vulnerable point of access?
Again, the performance of a security audit falls under the heading of “intelligence” – performing the audit does not actually improve the security of the asset in itself, but it will indicate the steps needed to make the improvements.
Having identified areas for improvement, physical security measures can be adopted. CCTV could be installed, if it is considered necessary – and only if there is staff available that know how to use it, and do use it. A large barrier or wall could be built to improve employee safety in a particular location – but only if the employee works and lives exclusively in that location (otherwise potential attackers will merely wait until the employees are outside the safe confines of the barrier and attack them then).
Security personnel could also be employed in a close-protection role, if circumstances really dictate the need for this – all of these potential solutions will be considered and implemented as appropriate following an intelligence-led appraisal of existing security systems.
Integrated risk mitigation
Even if a company subscribes to the three buttresses of risk mitigation and appreciates the actual benefits to operations that these can bring, it has to adopt an approach to security that is complete and consistent across the company. A structure must be established within the company that deals with security, and this must be able to interface with external actors such as partner companies, local security, or national government (but it must not be reliant on these external actors taking control in a crisis).
The structure must be robust and have built-in redundancy, without being inefficient – it is no good if all of one’s contingency planning is the sole preserve of a particular manager who happens to be on holiday when a crisis occurs. Unfortunately, the delegation of security-related responsibilities within a company structure is absent. Often this falls between Risk Managers, Health and Safety, Security and Human Resources.
Risk is varied and affects all aspects of a business and requires co-operation and input from all levels. Although tempting to consider it as an afterthought, an effective risk management strategy should be woven into the very fabric of the company.
The integrated approach to risk mitigation thus hinges not only on having an awareness of risk throughout the entire company; it also relates to using the three buttresses of risk mitigation in concert to effectively reduce an entity’s exposure to the perils it will likely encounter. If such an approach is adopted, there will be benefits to the company that will far outweigh the expenses associated with implementing the measures. OGFJ
About the author
James McLeod-Hatch [[email protected]] is a senior intelligence analyst with AKE Ltd., a risk management and intelligence consultancy headquartered in London. He graduated from Oxford University with a BA (Hons) in modern languages (Russian) and philosophy. He also holds an MA degree in Russian studies from University College, London, where he specialized in the post-Soviet economy and organized crime in Russia. He has worked in the textile industry in Kyrgyzstan and in a joint venture shipping company in the Russian Far East. He has experience in accountancy and speaks fluent Russian and French.