Boiled down to its bare essentials, “risk management” is not that hard a concept to understand. It requires identifying dangers, assessing the likelihood that they will happen, determining their potential impact, and deciding whether to take the plunge or play it safe.

The oil industry is no different than other industries in that it has to manage risk. The difference lies in the number of risks that need to be managed. Obviously there is the geological risk of drilling an expensive dry hole or encountering a dangerous gas kick while drilling. There is technical risk in terms of equipment failures as well as the traditional geological and engineering uncertainties. There is financial risk; regulatory risk; market risk; risk for the security of personnel; and above all risks associated with health, safety, and the environment. Managing all of these risks in an effective manner is an enormous challenge.

“Traditionally in risk management everything is very siloed,” said Guarav Kapoor, COO of MetricStream. “Each group is handling risk at the business level or at the functional level.” Kapoor and other experts hope to see this shift to risk management at the corporate level.

Enterprise risk management

Known as enterprise risk management (ERM), this concept is the purview of a few specialty consulting firms like MetricStream and HSE Technology Corp. Jason Rhoads, general manager of ERM Services and Solutions for the latter, said ERM is a “big animal.” “We try to separate the strategic side of ERM by working with executives and general managers to determine a technological roadmap of how to get to where they want to be with their enterprise,” he said. “It’s taking off little bites.” This approach, he added, is across the board – legal risk, reputational risk, operational risk, etc. “The roadmap of technologies could be 10 years out, and they start working with individual iterations to get there.” The company works with multiple software vendors to help oil and gas companies refine their risk management strategy. The goal is to centralize that strategy, allowing executives to identify and allocate assets to the high-risk areas of the organization. “You should be able to reallocate assets across your organization because it’s a company you are trying to run, not individual departments,” Rhoads said. Added Kapoor, “In the last three or four years we have been seeing a major shift toward what I call integration of risk management, which means that companies are starting to realize that the impact of one risk failure on another risk failure is very high. Let’s say the price of oil goes up and some currency fluctuates, and then there is an oil spill – the impact can be compounded 40 times.”

Up all night

This type of integrated approach can help managers sleep more soundly at night, Rhoads said. “You can put a system in place with Excel worksheets, Access databases, and forms, but the process doesn’t exist in technology; it exists among people, procedures, and policies,” he said. “You do training so people follow these policies and procedures.

“The system is an aid, but it’s not going to make people do their jobs.”

Current risk management software, he said, has action item management. “Being able to digitally assign action items, determine what needs to happen and why, determine what it is attached to, who needs to do it, and by when, will give a person a good night’s sleep. I think people are good at identifying what happened, what went wrong, and what was done, but when you get down to addressing corrective actions, that’s a gray area.”

The magnitude of the problem

How big a deal is risk management? Big enough that Michael Walls, a professor in the Division of Economics and Business at the Colorado School of Mines, has for many years taught a three-day course on “Managing Risks and Strategic Decisions in Petroleum Exploration and Production.” Walls’ course focuses on techniques for managing the entire complement of risks associated with the E&P sector. Using advanced techniques in decision analysis, sensitivity analysis, value of information, and portfolio management, Walls demonstrates how companies can take a comprehensive approach to risk management and prudent decision-making.

Yet even within this scope Walls said that companies need to refine their approach to risk. “Even today some companies think about valuation and petroleum issues in a deterministic fashion, meaning they are not considering the uncertainties they face; they are not thinking in a probabilistic or stochastic fashion,” Walls said. “Many firms have become much more sophisticated in thinking about the issues they face in a probabilistic way, thereby improving the quality of their E&P decisions. But there are still a lot of companies that have not adopted these techniques in a comprehensive manner.”

Often, he added, company analysts might understand probabilistic thinking, but their senior managers still approach problems and decision-making in a deterministic manner. “When I work with companies, I try to get them to think more probabilistically. They live in an uncertain world, and that’s what we’re trying to get them to better characterize.”

Walls agreed that risk management has to become part of the corporate culture, and he added that companies need to evaluate all of their risks and understand how they influence potential outcomes and performance. “Managers must consider the interaction between the risks that they face,” he said. “Just as individual investors try to reduce risk through diversification, E&P firms can construct diversified portfolios of E&P assets to reduce their exposure to risk.”

A simple example is a company whose assets are all natural gas. Their price risk and asset values fluctuate in direct correlation to the price of natural gas. Most companies reduce this risk by having more diversified portfolios. The same can be said of technical risk. A company with conventional projects in the Gulf of Mexico and unconventional projects in the Marcellus shale has uncorrelated technical risks because the geology is completely different in the two regions.

“Companies should try to capture some of these uncorrelated outcomes and properly mange assets to allow the firm to minimize its risks and preserve return,” he said. “To do that in a sophisticated way, you have to understand the risks that you face in each project, and you have to understand how project X correlates with project Y.”

How does a disaster like Macondo factor into the risk management scheme? “Macondo was one of those low-probability outcomes with a significantly high impact, and it’s so far out on the distribution curve that most of us don’t even think about it,” Walls said. “It’s clearly a lesson in why we should think about and better understand these low-probability, high-consequence events.

“As a manager, I’m trying to understand how a whole series of independent events all lined up perfectly to cause this to occur. In fact, there are uncertainty analysis techniques called rare-event simulations that allow us to better understand these kinds of risks and communicate their effects to decision makers.

“In the future there will be something in that set of events that will cause a company to catch it and keep it from happening again. It is all about providing clarity with regard to the uncertainty firms face and improving the quality of decisions under conditions of uncertainty.”