Risk assessment & management enables companies to thrive amidst uncertainty

Assessing and managing risks are essential functions for any organization, but they are particularly vital concerns for companies operating within the upstream sector of the oil and gas industry.

Even with the best seismic technology and geological expertise, exploration presents considerable uncertainty. Actuarial analysis is needed to project the life spans of discovered reserves and their market value over several decades. Extracting that oil or gas demands greater investment, additional expertise, and greater exposure to possible liabilities and compliance requirements. While international economic and political events increasingly affect all businesses, such issues have long been concerns for oil and gas companies.

Due to such factors, the upstream sector of the oil and gas industry presents a higher degree of inherent risk than most industries, and companies operating in that sector generally maintain higher risk profiles than most corporations. Maintaining a higher risk profile, however, also heightens the importance of assessing and managing risks to ensure that any potential internal or external threats an entity faces do not exceed its risk appetite.

Risk assessment focus

Risk assessment reflects a greater emphasis on evaluating a company’s internal and external vulnerabilities. It is a top-down process that focuses first on the most crucial external and internal entity-level risks. With those risks assessed, management and the audit committee can then drill down to crucial processes that mitigate entity-level risks.

An entities risk assessment needs to focus on specific risks facing the organization. Such risk types may include inherent, financial, economic, operational, compliance, technology, reputation, investor, and regulatory risk. While checklists for upstream oil and gas companies help narrow the focus for gathering necessary information, the risk assessment process must recognize that each entity is unique and that no two organizations have identical risk profiles.

Companies differ, for example, in the geographic areas of their operations, with each presenting specific risk factors. A company’s downstream markets and the risks facing its customers likewise influence its risk profile. A gas company’s customers, for example, may be natural gas utilities serving northern states. Warmer than expected winter weather results in less natural gas consumed, leading to lower market prices and lower earnings for the upstream provider. External factors that can not be controlled often play a big part in the outcome of an organization’s activities but, if monitored, transactional steps can be deployed to lessen the impact.

The life spans and values of existing reserves vary among businesses, as do ongoing well operation expenses, debt loads, capital expenditures, and other measures of organizational health. A company’s risk assessments must reflect such disparate characteristics.

Various groups within the organization have some responsibility for assessing risk. Management has primary responsibility for entity-level risk assessment, but the audit committee needs to exercise oversight to ensure that the biggest threats facing the organization are recognized.

The internal audit staff and management share responsibility for assessing process-level risks and evaluating the effects of entity level risks on each critical process. Further, internal audit must disclose to the audit committee and the external auditors high risk areas and the steps taken to mitigate those risks.

Tools for assessing risk

There are a variety of frameworks or models available for identifying and assessing the unique risk factors facing an organization. The traditional SWOT (Strengths, Weaknesses, Opportunities, and Threats) analysis has been effectively used for years.

Within a SWOT analysis, an entity’s strengths may include significant existing reserves. A lack of recent discoveries may be a weakness. Opportunities could include exploration partnerships with other companies. Threats could include potentially costly litigation related to a field incident years earlier.

The COSO (Committee of Sponsoring Organizations of the Treadway Committee) Enterprise Risk Management Framework provides another means for assessing risks and selecting the most appropriate responses.

The COSO framework identifies strategic, operations, reporting, and compliance objectives as primary areas of concern. Strategic objectives relate to high-level goals, such as maintaining a reputation for exploration expertise.

Operations objectives relate to the effectiveness and efficiency of company operations, including performance and profitability goals that influence various decisions. Those objectives can include lowering the costs of extracting oil or gas from known reserves, thereby extending the profitable lifespan of those fields.

The reporting objectives aspect of the COSO framework extends beyond financial reporting and encompasses critical operational data required to make informed decisions. Such data includes timely reports regarding current well outputs and analysis of exploration efforts.

Oil and gas companies face an array of mandates for environmental protection, financial reporting, safety, and other concerns. The compliance objectives component of the COSO framework addresses those concerns.

By assessing risks in relationship to those organizational objectives, the company can choose the most appropriate response to each identified risk.

Responding to assessed risks

Each risk must be evaluated on the likelihood of it occurring, its potential impact, and its relationship to the company’s risk appetite. Based on such evaluations, the COSO framework lists avoidance, reduction, sharing, or acceptance as general responses to assessed risks.

A business may decide that the various risks associated with offshore exploration are beyond its tolerable risk threshold. Many upstream oil and gas companies do not entertain offshore drilling opportunities. Similarly, a company may evaluate the risks associated with exploration in Canada or Alaska and determine that the risks exceed its risk appetite. To avoid those risks, the entity chooses to operate only within the lower 48 states.

Price fluctuations are a continual risk for oil and gas companies. To reduce that risk, a business could enter in a fixed-swap agreement or utilize another derivative instrument to receive a set price for a specified volume of oil or gas, regardless of market changes.

Through exploratory efforts, a company may determine that an area contains considerable potential oil reserves, but that the complexity involved in managing those reserves exceeds its risk appetite. It chooses to share that risk by taking on a partner whose expertise or size enable it to fully exploit those reserves.

A gas company may also decide that a risk it faces, such as the cost of complying with various local requirements for operating close to a residential area, is a risk it can accept.

Refreshing and updating risk assessments

Corporations operate in dynamic environments, particularly companies within the upstream sector of the oil and gas industry. To ensure that risk management efforts remained aligned with a company’s risk appetite, risk assessments should be conducted annually.

The internal audit plan should be developed based on the annual risk assessment to provide coverage over high and moderate risk areas. Internal audit is used to ensure means of mitigation are deployed and operating effectively. Testing and monitoring by the internal audit staff can be done throughout the year. Those efforts include ensuring that activities conform to applicable compliance statutes, that transactions are accurate and the data used for making decisions is reliable, that controls are maintained to deter fraud and other improprieties, and that all processes adhere to established corporate policies.

Joint interest auditing also assures that operations in which the company has a partnership or contractual relationship with other corporations are conducted fairly, accurately, and in compliance with agreed-upon terms.

Judgment and cumulative knowledge from past risk assessment efforts can determine which internal controls are most crucial and merit continual attention. A company may determine, for example, that its continual emphasis on safety reduces the risk of a worker being injured in an oil field accident. Higher than normal well operating expenses in the past for one field can likewise indicate that those field operations require greater scrutiny.

Changes that arise during the year, such as a natural disaster, improving or declining economic conditions, or passage of new compliance requirements, will prompt a shift in an entity’s risk assessment.

Continual benefits of assessing and managing risk

Each business is unique in the risks it faces, and the COSO framework highlights long-term benefits entities gain from continually assessing and managing risks.

Risk assessment and management assure that a company’s risk appetite remains in alignment with its business strategies. While identifying vulnerabilities, risk assessment and management also illuminates opportunities, opportunities the organization may have missed without such thorough examination.

Growth, risk, and return are integrated objectives. Not pursuing growth may yield a higher current rate of return, but places the company at risk for future declines in return. Pursuing growth can put current and future return at risk, while avoiding risk altogether threatens growth and future return. Managing risks helps managers recognize those relationships and tradeoffs, and strike the proper balance among those objectives.

Companies operating in the upstream sector of the oil and gas industry face market volatility, shifting regulatory and political climates, and other risks. Assessing the potential impact and likelihood of such risks greatly enhances a company’s ability to prepare and react properly when such scenarios happen. Such preparation also reduces the chances of operational losses and surprises occurring.

Assessing and managing risks enables an entity to deploy an integrated response toward risks. A particular oil reserve, for example, may offer considerable long-term potential while also presenting substantial risks. Greater insurance coverage can mitigate liability concerns, while derivative and hedge agreements can lessen the impact of changes in interest rates or market prices for barrels of oil. Other contractual relationships and partnerships can further reduce the risks associated with operating those reserves.

Businesses must be selective in choosing how to properly allocate funds among various operational units and in determining what ventures merit capital. That is especially crucial within the upstream sector of the oil and gas industry where companies must make significant investments amidst considerable uncertainty regarding future earnings potential. Assessing and managing risks enables an entity to more effectively rationalize its capital for the greatest long-term return.

Oil and gas companies will always confront higher levels of risk than many other businesses. Being able to continually assess and manage risks provides a means for not only surviving, but prospering amidst such uncertainty.

About the Author