Right-sizing ERM for oilfield services companies
Joseph (Jody) R. Allred, CPA, CISA, Weaver, Fort Worth
Commodity prices on the international market rise and fall, driving expansions and declines for companies throughout the energy industry. Compliance and environmental concerns need continual attention. Despite considerable technological advances in exploration and production activities, locating and exploiting sources of oil and gas still presents considerable difficulties and uncertainties. Field operations require considerable capital investment, and fluctuating interest rates strongly influence current and future profitability. The possibility of a catastrophic incident remains a constant threat, too.
Oilfield services companies face many risks. To mitigate those vulnerabilities, Enterprise Risk Management (ERM) should be built into the culture and management philosophy of every oilfield service company. Oilfield services companies make decisions about their geographical operations, the services they provide, the methods they employ, their quality and safety standards, etc. These enterprise-wide, strategic decisions are often made passively, with little participation, but instinctively include components of ERM such as risk tolerance, objective setting, risk identification, and risk assessment.
By bringing ERM concepts into management's decision-making process, the effort is enhanced for the benefit of the company and documentation is established around the risk decision considerations.
Right-sizing the effort
In a right-sized effort, oilfield services companies can address risks associated with cyclical price trends, changes in labor sources, labor rates, equipment availability, compliance issues, workplace safety, environmental protection, and other crucial concerns. ERM also helps ensure achievement of objectives, and identifies opportunities for competitive advantage.
ERM focuses attention on the following activities and questions:
- Defining strategic objectives: Where are we going?
- Risk identification: What can go wrong?
- Risk assessment: How significant is a risk?
- Risk response: Should the risk be accepted, mitigated, or avoided?
- Risk monitoring: Is something really being done about the risk?
Risk – the potential of an adverse event or lost opportunity – is always present. One company may outsource various Health, Safety, Environment (HSE) training activities. Another company may contract for payroll, benefits administration and other human resources functions, while another business may contract for various engineering services. In each instance, ERM enables organizations to identify, assess and manage the risks associated with relying upon other entities to provide crucial services. That allows the company to realize the benefit of lower costs without ignoring risks associated with such outsourcing.
The questions ERM poses are simple and straightforward. So, why does implementing ERM seem like a daunting challenge?
ERM has been difficult to implement primarily because companies approach it as a massive project. Initially, combining distributed risk management efforts is a big job. It takes time to migrate from the old risk management model that often involved diverse, independently operated functional areas to one that is holistically managed and owned by a specific functional area, such as the Chief Compliance Officer, internal audit, the CFO, Legal Counsel, or the COO's office.
However, ERM should be a phased, evolutionary process that focuses first on strategic objectives, the highest entity-level risks and supporting process-level risks. This means that ERM is not 'implemented', but built into an organization over time, typically beginning with a risk assessment effort that builds into an integrated ERM function.
Using this right-sized method, the effort gradually filters outward into the organization while keeping the scope manageable.
While ERM does not eliminate functional area efforts, a realignment of authority, accountability, and responsibility establishes greater risk management timeliness, consistency, efficiency and effectiveness. The holistic perspective provides the basis for managing risk across the organization, rather than assessing risk in a vacuum.
Establishing agreed-upon organizational objectives is integral in identifying risk but may be the most difficult component. As a model, the ERM effort is typically pictured with the ERM COSO cube. However, to view a right-sized effort, the cube can actually be pictured as a declining effort represented by an inverted triangle overlaid on the components defined in the ERM COSO cube.
The broad top of the triangle represents the efforts around assessing and understanding the internal environment and the narrow bottom point represents the more focused efforts of monitoring. At each stage, critical elements are identified to be addressed in the next, thus continuously narrowing the scope of the effort.
Understanding the internal environment is critical to risk assessment. A clear understanding of the basis of how risk is viewed within the organization must be established, including the company's risk appetite. Every organization has a risk tolerance that dictates how it responds to risk. Intelligent risk response decisions are the ultimate goal. A startup fishing tool company, an established oilfield supply house, and a multinational oilfield servicing company all have very different profiles, and their internal environments and risk appetites will vary widely as well.
Defining strategic objectives: Where are we going?
Oilfield service companies have unique objectives. Those objectives may be based on the geographical areas, customer size, financial strength and other characteristics, the specific services and areas of expertise a company offers, or various other factors. Defining those objectives helps leaders recognize the most crucial exposures. The definition of critical strategic objectives hinges upon the established understanding of the internal environment and risk appetite.
Risk identification: What can go wrong?
A broad range of risks impacting critical strategic objectives should be identified. Each risk is linked to the critical strategic objectives, thus narrowing the scope of risks identified. Those risks may include market price trends, existing or new compliance requirements, environmental hazards, labor markets, equipment cost and availability, international economic conditions, difficulties facing large customers, or other external vulnerabilities.
Internal vulnerabilities may include field safety, IT security exposures, proliferation of expertise, cost overruns, and other concerns.
Risk assessment: How significant is a risk?
Once identified, risks must be assessed. Because the risk identification phase may be broad, the potential impact or likelihood of many risks identified may not present significant exposure. A preliminary review of the identified risks by knowledgeable participants prior to the formal risk assessment can scope the risk assessment to focus on the crucial risk events.
The risk assessment phase is crucial and forms the basis for everything to follow. Appropriate definitions, rules, instruction and training must be established around the assessment to ensure valid input on the identified risks. The risk assessment data obtained can then be evaluated to determine whether there are trends that vary from expectation and to identify outliers and bad data within the assessment results.
Risk response: Should the risk be accepted, mitigated, or avoided?
Leaders then determine the most appropriate risk response for each assessed exposure. Responses include accepting, mitigating, or avoiding risk.
The risk response stage is where significant right-sizing can occur to ensure emphasis is placed on the most important risks. Each risk event should be reviewed first for risk response plans already in place, to limit additional effort. Only risks with no existing response plan receive an original response. Risk acceptance depends upon the organization's risk tolerance, which is unique to each company.
An oilfield services company may rely upon projections regarding future commodity prices to predict the strength of its market in future periods. Individual companies may vary in setting the future pricing threshold on which each bases decisions to act upon or avoid plans that require significant capital investment outlays.
For one company, its projections regarding future market strength may signify that prices will decline to a level that makes expansion plans an unacceptable risk. Another company's projections may reach the same future market strength conclusions. That company, however, has a slightly higher risk threshold, so it accepts the risks that accompany the projected market decline.
Within a particular oil or gas field, the risk threshold may determine which identified production scenarios require the immediate attention of company managers, and perhaps the involvement of individuals with highly specialized areas of expertise. Ongoing controls to mitigate risks can include data analysis, physical inspections, audits and training. Real-time data transfers, dashboard report displays and other technological tools aid in mitigating risks. Such controls should be established only for exposures that would significantly impair the organization's achievement of objectives.
A company may evaluate the various risks associated with maintaining international operations. Those risks may include increased regulatory pressure from foreign governments, as well as potential political instability. There are also general concerns associated with maintaining and overseeing company activities thousands of miles away amidst a vastly different culture.
The company, though, may utilize various online news services to keep abreast of changes in foreign regulatory and political climates. It may install and utilize online portals to receive and send information among field offices located in disparate areas. The company may enjoy a strong reputation among local elected officials and area business leaders. It may employ local individuals that help further strengthen various relationships. Due to those factors, the company accepts all of the risks associated with operating abroad.
Another company, though, may decide that while international markets present opportunities, it needs to measure the risks that accompany operating in foreign countries. Those mitigation efforts include entering into partnerships and various joint venture agreements with companies based in those various countries. The company also contracts with various agents to represent its interests. By taking such actions, the company mitigates risks it faces in operating in other countries.
For other companies, efforts to mitigate risks may center upon internal activities. To mitigate safety risks, the company may define environmental and health dangers and establish processes and daily procedures for site safety orientation, use of protective gear, proper lockout/tagout steps, and well control measures. Training courses may be scheduled, with documentation for courses taken and completed. Regular testing for blood pathogens, hearing loss, and alcohol or drug use may be required, with test results recorded.
Onsite audits may provide another layer of protection, as may standards that dictate the potential for catastrophic incident. Such monitoring may indicate the speed and degree of involvement required by managers. By taking such steps, the company mitigates the various environmental and health threats it faces.
Various applications and analytical tools provide means for monitoring current production and evaluating the value of reserves. Bubble maps, well log displays and other report data enable managers to oversee current field production and identify anomalies or trends that may require further attention. Decline curve analysis and similar tools likewise enable managers to more accurately assess the value of remaining reserves and devise production forecasts.
In extremely high-risk situations, or instances where a risk does not align with objectives, organizations may avoid risk entirely by exiting an activity. Offshore exploration and production, for example, may present too many risks for an oilfield services company accustomed to serving onshore customers. Offshore activities present a vastly different set of engineering challenges than what the company faces. There are also different compliance requirements, different environmental concerns, and different workplace safety issues. Hurricanes or other natural disasters pose threats. The potential liability exposure may be much larger than the company wishes to address.
ERM is present in all of these scenarios as a management tool to define the problem and the appropriate outcome within the risk framework.
Risk monitoring: Is something really being done about the risk?
Finally, risk monitoring is applied to situations where a failure could produce a material or devastating impact to the organization. Oilfield service operations present the potential for considerable personal danger, as well as widespread environmental damage. Various means of oversight help a company avoid facing such consequences. Monitoring may include establishing appropriate controls and then implementing periodic internal audits, real-time data mining, or other efforts to ensure operations remain in tolerance.
Change continually confronts oilfield services companies. Broad economic changes influence high-level decisions. New competitors emerge. With periodic reviews of the risk management scope, oilfield services company managers can utilize ERM to continuously identify and respond efficiently, consistently, and effectively to risks and opportunities that accompany change.


