Dealing with increasing risk exposure
Oil and gas companies – already heavily regulated – have been under increasing pressure over the past decade to improve corporate governance, manage risk and comply with new policies, laws and regulations imposed from a variety of directions, both external and internal.
To address these issues, companies typically establish independent new processes and controls. Unfortunately, these responses often result in redundant and duplicative manual controls as well as increased costs. Worse, the ability to manage risks across the organization usually is decreased, allowing new risks to develop and perhaps linger undetected for long periods of time.
Due to years of intense performance pressure, oil and gas companies are accustomed to working very hard to streamline and automate operational and financial processes. In the field, new technologies have been applied to improve success rates and reduce finding costs. But now, continuing past trends of layering new sets of governance, risk management, and compliance (GRC) controls onto operations already at capacity often produces resistance or a dilution of focus and effort.
This does not have to be the case. Based on our experience, energy companies can improve GRC functions significantly and enhance their ability to manage risk, while also streamlining and reducing overall GRC spend.
New layers
It is a fact of life that rapidly changing markets and the continuous stream of new laws and regulations require companies to define new policies and implement new procedures and controls throughout their organizations. Internal and external factors, as well as the pace at which the changes must be made, typically result in the new policies, procedures and controls being added onto the existing management structure (Fig. 1).
All too often, new policies are drafted, but the control efforts required for implementation are not embedded in the daily operational activities of the organization’s process owners. Thus, the new risk management or compliance activities are viewed by already overworked process owners as add-on responsibilities that will be performed only if and when there is extra time.
This scenario is repeated by risk owners all the way up and down the organization as new risk objectives or compliance requirements are established. Over time, this layering of “appendages” onto the core processes of the business creates a breeding ground for inefficiency that can lead to ineffectiveness.
Spiraling consequences
Ultimately, this ongoing spiral of change leads to more complex accountability, the growth of silos, inefficient communications, and decreased organizational transparency. The bottom line: There is a higher cost of control.
In addition, the change spiral creates even more significant management challenges, including:
- Poor alignment of strategy and risk management, which directly contributes to strategy execution failure.
- Vague objectives and incoherent control requirements, which set a “fuzzy” tone at the top with respect to articulating risk appetite and important control matters and ultimately contribute to an ineffective governance structure.
- Growth of silos, which produces a maze of risk and control activities, feeds a high-cost internal control structure, and generates overlapping resource demands (e.g., multiple self-assessment programs inundating process owners with requests).
- Gaps and overlaps in ownership of control responsibilities that drive missing, redundant, and duplicative internal controls.
- Fragmented and diffused reporting of risk and control data, which leads to a lack of transparency and uninformed decision-making.
- Mismatches of execution with stakeholder expectations, due to process owners perceiving that new GRC activities are putting a drag on required operational efficiency.
As a consequence, large-scale organizations often have difficulty assessing the impact of risks across the organization (Fig. 2).
GRC integration
Applying a GRC perspective to corporate management drives directors and senior managers to insist on integrating the oversight and management of roles, responsibilities, processes, methodologies and systems involved in governing the organization, and in managing risks and complying with internal policies and applicable laws and regulations.
An integrated perspective creates a separate, yet more cohesive emphasis that leads to greater transparency and a more cost-effective approach to managing risk and compliance. The components of GRC are:
The value proposition
Coordinating and integrating the GRC process can help an energy company reduce costs and increase overall risk management effectiveness by reducing complexity and redundancy and by making entity-level processes more efficient and effective in providing necessary oversight. For example, the value of an integrated approach is manifested in the following ways:
- Clearer articulation of objectives, roles, responsibilities, and accountabilities can lead to more effective risk and compliance process design as well as more manageable execution.
- Improved transparency into GRC performance through effective metrics, measures, and monitoring can lead to more effective risk-based decision-making and an increased ability to anticipate issues and reduce reaction time.
- Enhanced communication and improved prioritization of risks and spend can be achieved through an enterprise-wide common language.
- A single system of control, implemented to demonstrate compliance with laws, regulations, and internal policies, that is flexible enough to accommodate changes in the operating environment (Fig. 3).
- Efforts to coordinate and integrate the GRC process also may result in increased confidence of stakeholders in the board and management through efficient identification and handling of stakeholder interests.
The overall results of these coordination and integration efforts are increased cost-effectiveness and reduced growth of GRC-related spend.
The risk perspective
Throughout the energy industry, process owners are concerned primarily with their operational responsibilities; typically, they do not view their activities from a risk perspective. As a consequence, compliance activities often are considered additional, unnecessary competitors for time and resources.
To integrate an individual process into an overall GRC infrastructure, management should evaluate the process and control activities from a risk perspective, correlating the risks into various scenarios:
- Establish important assumptions about risk by articulating the elements and exposures the organization should be concerned about at the individual process level.
- Identify the primary factors that contribute to increasing the level of risk or exposure to noncompliance.
- Define metrics that allow the company to monitor both the leading measures that may indicate an increased level of risk or exposure to compliance issues, and the lagging measures that can indicate either positive or negative risk management or compliance trends.
A process example – oil transportation by truck
Let us apply this approach to a typical operational activity: Many onshore field operators must contract with a third party to transport their oil production by truck from the field battery to the point of sale at the terminal, a relatively straightforward activity.
From a risk perspective, the operator might look at issues such as site risks, including fencing, road quality, layout and turning capability; maintenance risks on the road, or related to vehicles, valves, meters and seals; and driving routes and driver training. Additional processes also can be described from a risk perspective, with prioritized risk scenarios.
Leading measures also should be identified and tracked. In this case, maintenance statistics and training can provide indicators that the prioritized risk scenarios are being managed appropriately. Lagging measures such as accident rates, spillage, and unplanned repairs can be analyzed to indicate whether risk or compliance trends are increasing or decreasing.
These redesigned processes and measurements now can be embedded directly into the operational activities of the process owner in the field in a coordinated manner. Management can be confident that the risks and compliance issues have been identified and the ability to assess environmental, health, and safety issues with regard to product movement has been incorporated at the source, with indicators that can feed back through the overall GRC infrastructure.
No risk management system can pinpoint the precise date and time of an equipment failure in the field, or even a sudden change in commodity prices. The objective is to enhance the ability to estimate, at the source, circumstances or occurrences that indicate a potential increase in the level of risk or noncompliance, and to determine whether the actions being taken reflect an increase or a decrease in the level of risk or noncompliance.
In addition, changing operating conditions cannot be overlooked. As part of the overall GRC process, management needs to periodically reassess these identified risk scenarios and recalibrate the scenarios and metrics with operational activities, new requirements, and evolving market conditions to ensure existing risk scenarios and measures remain appropriate.
Immediate next steps
Protiviti recommends that energy companies address their risk management challenges through the following six steps:
- Establish a single risk assessment: Outline a single risk assessment approach based on the definition of the following dimensions: risk assessment perspective, risk assessment process and risk assessment methodology. A common language and a uniform process are among the keys to an integrated approach.
- Rationalize the issue base: Establish appropriate governance to ensure a due care process, with proper checks and balances, to analyze, sort, prioritize and establish accountability for issues. Accountability for results adds teeth to any improvement effort.
- Implement a global key control framework: Align compliance and control frameworks to fit one common process framework. This will help realize cost benefits as well as produce focused risk management and regulatory compliance by removing overlaps in updating, reporting, and testing of controls.
- Improve risk assurance: Address the respective roles and responsibilities across the entity, the interdependencies between them, and the interlinked processes, procedures, methodologies, and other activities. Formalize cooperation, collaboration, and communication between the corporate functional activities and the process owners responsible for managing risk and compliance issues. Strengthen the communication and information-sharing arrangements at various organizational levels. This step includes a determination of the current state of the entity-level control environment to ascertain how the organization establishes the discipline for viewing, addressing, and communicating risks and controls at the entity level. The absence of such discipline is a telling indicator.
- Implement an integrated system for assessing risk and tracking issues: Integrate the current risk management and compliance systems, based on functionality analysis and a feasibility study. Create a collaborative environment in order to capture all relevant user needs and requirements from the functions and processes involved and minimize the inefficiencies driven by silos.
- Integrate risk reporting: Develop requirements for integrated risk reporting that feeds into an enterprise risk management (ERM) dashboard; doing so enables enterprise-wide risk management. The objective is to create real transparency into what matters most.
Through these steps, it is important to quantify GRC spend and understand where costs are being incurred and why. These steps help determine the level of redundancy or omission in the responsibilities and execution of corporate functional activities for risk management and compliance, and rationalize more efficient and effective controls and monitoring at the entity and process levels.
Focused implementation efforts are the key to helping energy companies improve their overall risk management capabilities while reducing compliance costs. It is time for energy companies to step back and take a fresh look at their GRC activities.
About the author
David Johnson [[email protected]] is a managing director at Protiviti and the global leader of Protiviti’s Energy & Utility Industry practice, working with energy asset owners, producers, utilities and power generators, natural gas and crude oil traders in all facets of their operations. He can be reached at (713) 314-5020.