During the past 10 years, oil, mining, and other resource-based industries have been impacted by a significant shift in public attitudes and policymakers' waning appetite for risk-taking. Events ranging from massive oil spills and tsunamis to nuclear meltdowns have drawn increased scrutiny worldwide. Stakeholders are more and more concerned about the adverse impact that failed risk management functions have on the environment, employees, and the bottom line.

While risk-taking remains a fundamental component of the growth and competitiveness of any business, the way corporations identify and manage their internal and external risks has become increasingly important to shareholders, governments, capital markets, and the general public – and critical to the sustainable growth of today's global businesses.

A broad spectrum of regulations, standards, and policies have set out to govern the risk management activities of global industries, such as Basel I, II, & III; Committee of Sponsoring Organizations; ISO 31000; the US Occupational Safety and Health Administration's Process Safety Management; and the Bureau of Ocean Energy Management, Regulation and Enforcement's Safety and Environmental Management System. Many of these, however, fall short by only providing a tactical outline of what should be done, not a strategic prescription for how to manage risk in a large, complex business.

Risk management is a series of five steps that are employed when managing any risk in any department of any business. (Image courtesy of Dyadem) (Images courtesy of Nabors Industries Ltd.)

The inherent challenge with these management models is that risk is being approached from a single perspective. For most major corporations, risks fall into one of two categories, financial or operational, with each representing a vital component of a company's overall risk profile. Typically, finance is responsible for credit, market, and insurance risks, while operations is responsible for HSE, capital projects, IT, human resources, quality, etc. Unfortunately, traditional "enterprise" risk practices have focused primarily on financially based risks and have ignored, if not dismissed, risks from other areas of the business. True enterprise risk management (ERM) examines risk exposure across both finance and operational silos to identify unforeseen, unwanted events that may be lurking in the business and that could have a material negative impact on corporate goals. In addition, enterprise risk management is rapidly evolving within major corporations by extending beyond reactive fulfillment of compliance requirements to proactively strive for strategic competitive advantages. Organizational leaders from the boardroom to the plant floor are fuelling this evolutionary shift by recognizing that better risk management practice results in real, tangible business benefits, including:

Lower cost of capital;

Improved ability to achieve corporate goals and objectives;

Better, more reliable relationships with the capital markets;

Improved corporate reputation;

Lower operational costs; and

Better regulatory and community relations.

But to achieve these benefits, companies must treat risk holistically across the entire business – including operational risks as well as financial ones – and reach beyond compliance.

Fundamentally, enterprise risk management starts with three questions:

"What are the risks to my business?"

"What controls do I have in place to mitigate those risks?"

"Are those controls working?"

To effectively manage risk, every manager must be able to answer these questions on a day-to-day basis. To achieve this goal, organizations must have a core process for identifying and understanding their risks and determining how they are being addressed.

Five steps to success

Fundamentally, risk management is a straightforward series of five steps. These same five steps are employed when managing any risk in any department of any business.

The simplicity of this process is what makes a true ERM solution valuable and manageable.

Step 1 is risk identification. Risk ID is the cornerstone of an effective ERM program because a risk has to be identified before it can be managed. There are thousands of ways to identify risks, but whatever the methodology used, it must be accurate.

Step 2 is risk analysis. An organization must understand the impact of a risk on its objectives and goals. A functional ERM solution enables identified risks to be evaluated in terms of an organization's risk appetite. Risk matrices, scoring models, and materiality thresholds help establish the level of impact a particular risk may have on the business.

Step 3 is control identification. A company has to determine what is currently being done to manage risks and what else can be done to further minimize them. This step is crucial for compliance and providing confidence to stakeholders that a company is in control of critical risks.

For many, this is a serious challenge. Many organizations are very good at steps 1 and 2, but when it comes to determining what they are actually doing to control their risks and who is responsible for that control, they fall down. A working ERM solution provides senior management with traceability and accountability to improve their risk control process.

Step 4 is implementation of control. Control implementation and control assurance are vital to the ongoing viability of a business. For many organizations, an audit is the first indication that there is a problem with control. A robust ERM solution provides the ability to ensure controls are properly assigned, accepted, and implemented, providing accountability and governance over risk control.

Step 5 is monitoring and reporting. For many companies, this is the risk assurance or governance issue. It is the ability to determine if commitments are being kept and if risk management processes are working. This step is critical for continuous improvement. An organization should be able to determine if the controls it has in place are in fact reducing its risk, if the company is meeting its goals, if departments are lagging, or if critical actions are not being completed.

This step answers that critical question, "Are my controls working?" and enables organizations to learn from experience, track performance, and improve operations.

The competitive advantage

Identifying, understanding, and mitigating key risks are critical to sustainable growth in today's complex global markets. Investment banks are looking for more reliable bets. Governments are looking for better business partners. Communities are looking for safer places to work.

A corporation in control of its risks provides these benefits and has a tremendous advantage over its competition in the race for resources.