The oil and gas industry is characterized by a high level of risk, so the assumption is E&P companies are comfortable with risk management and are experts at identifying, assessing, and managing risks inherent in the business. However, in the wake of the Deepwater Horizon incident in the Gulf of Mexico (GoM), people have questioned the efficacy of risk management procedures. How good are E&P companies at identifying and managing risk? What factors influence the effectiveness and efficiency of E&P companies’ risk management programs? How should E&P companies think about risk management moving forward?

People assume risk management and insurance are one and the same. Insurance is important, but true risk management goes beyond it. Risk should be viewed as a comprehensive enterprise risk management program in which insurance can play a cost-effective role.

Enterprise risk management
Enterprise risk management is not a bureaucratic compliance exercise, although it is often perceived as one. This perception has been furthered by legislation such as the Sarbanes-Oxley Act in the US and similar regulatory responses in other countries, which have been ineffective in helping companies better manage risks. Why have regulatory responses to financial crises – starting with the failure of Enron a decade ago – failed to prevent future crises? Some people blame the accounting industry, wondering why the auditors were unable to predict meltdowns. Accountants and auditors report what has happened in the past. They cannot prevent management from making bad business decisions.

Risk management should not be viewed negatively. Companies must take risks to earn profits and achieve objectives – the essence of the capitalist system. Simply, the success of a business enterprise depends on choosing the right risks to take and then managing those risks as effectively as possible.

In 2004, the Committee of Sponsoring Organizations of the Treadway Commission (COSO), authors of the internal control framework now widely used as the basis for most internal control programs, issued Enterprise Risk Management – Integrated Framework (ERM). The framework provides a comprehensive basis for risk management across an enterprise, incorporating not only financial reporting risk but also the risks within a company’s strategy, operations, and compliance with laws and regulations. More was needed to help companies effectively manage their business risks. However, some companies still have not fully embraced the idea. The ERM framework is a tool to help companies choose the right risks to take, better manage those risks, and create more profitable businesses.

Risk identification
One step in ERM is comprehensive and ongoing identification of risks. Companies often equate risk management to buying insurance. Every company has insurance for various risks, but several do not truly understand the comprehensive risks involved.

Reviewing operational and regulatory risks is important. As environments become more challenging and complex, broader and deeper technical expertise is required to fully understand operational risks. Majors and large independents have in-house access to this type of expertise, while middle-market E&P companies might need to look to outside experts for risk identification assistance.

Industry players often claim they are subject to a rigorous regulatory environment. Compared to other highly regulated industries such as financial services and pharmaceuticals, however, E&P regulations are considered light. The regulatory landscape is changing due to recent events affecting the GoM and the current US administration’s efforts to transform energy policy. Companies should closely monitor the regulatory environment to identify emerging risks.

Risk assessment
Risks need to be assessed once a comprehensive list of risks has been identified. Risk assessment involves evaluating the potential magnitude and likelihood of each liability. Recent events have indicated the magnitude of impact can range from minor equipment damage during a storm to the Deepwater Horizon tragedy. Companies should consider not only the direct impact of risk, such as loss of equipment and value of oil spilled, but other related impacts, such as environmental fines, liability claims, containment and cleanup costs, and new regulatory requirements.

For the past two decades, the industry track record regarding operational risk likelihood has been good. However, as oil and gas become harder to locate and produce, operating environments become more challenging and unpredictable. A possible uptick in operational and safety incidents could occur in the future.

Risk response
Once risks have been identified and assessed, companies should determine the appropriate risk response. Risk responses fall into four broad categories: avoidance, acceptance, reduction, and sharing. A combination of techniques usually is the best response. Insurance typically is the first response that comes to mind, but it is not risk management. Insurance is most effective when treated as a last resort. Failure to use other techniques, such as managing risks internally, will result in paying higher premiums for insurance coverage, more uninsured losses, and adverse impacts to the business.

Taking risks is necessary to reap rewards; avoidance of risk altogether should not be an option. However, risk avoidance can be useful in choosing the right risks to take and avoiding those that are too risky, unmanageable, or inconsistent with company mission and strategy. Risk avoidance can mean not drilling in deep water or not doing business in unpredictable countries.

Risk acceptance or retention is accepting the loss from a risk when it occurs, for example, unhedged commodity prices, uninsured risks, insurance deductibles, and potential loss over the insured amount. Risks cannot be 100% transferred to a third party. Unless risks are avoided completely, some risks always are retained and need to be reduced and managed.

Risk reduction is putting mechanisms in place to manage identified risks so the magnitude and likelihood of impact are reduced. For example, offshore personnel receive safety training before they are allowed onboard rigs to reduce risk of injury or death. Inherent risk is the level of risk that exists before risk reduction techniques are applied, whereas residual risk is the level of risk that remains after techniques are applied. Once identified risks have been reduced to the lowest levels practicable, residual risk can be transferred or shared.

Risk sharing is sharing loss from a risk with a third party. Joint ventures (JVs) are common practice for sharing risk, but operating risks of a JV still have to be managed. JV partners with non-operated interests are not insulated from the risks and liabilities of the operator; JV partners with non-operated interests generally are responsible for a share of all operating costs, including cleanup costs in the event of a spill.

Anadarko Petroleum Corp., a 25% JV partner with BP in the Macondo well in the GoM, still is named in lawsuits related to the event. It has borne 25% of well costs and is experiencing the same lost revenues as the operator due to the spill. JV partners with non-operated interests should consider what their responsibilities are for ensuring the operator is effectively managing risks and operating safely, as well as what ability and tools they have to hold the operator accountable. Joint operating agreements should be reviewed to ensure non-operating partners are protected from gross negligence by the operator.

Insurance
Insurance plays an important role as the last-resort risk response option. Some risks simply are too great in magnitude or too difficult to manage and, therefore, must be insured. As E&P becomes more complex, insurance companies should adapt to meet needs. New lines of insurance are being created to insure emerging risks, and insurance companies are focusing on specific energy-related needs. Torus Insurance is a technical lines insurer specializing in large, complex risks focusing on the energy sector. Offering a range of insurance programs informed by an understanding of the risks energy companies face, Torus responds directly to a growing risk landscape.

Offshore insurance premiums continue to rise. Moody’s Investors Service recently noted insurance premiums for deepwater rigs have increased by up to 50% since the Deepwater Horizon incident, and insurance costs for shallow-water operating rigs have increased by 15% to 25%. To manage insurance costs, companies can use techniques such as technical analysis and benchmarking of their policy premiums, deductibles, liability limits, and total cost of risk versus companies in their peer group.

Companies can manage insurance costs by using ERM as a tool to optimize deployment of risk capital. Companies that proactively identify and manage risks can retain larger amounts of risk, increasing deductibles to reduce premiums and, overall, free capital to spend on insuring potentially catastrophic risks.

E&P companies are accustomed to high levels of risk taking, but the risk profile is rising: increasingly difficult operating environments, tighter regulations, and geopolitical risk indicate companies should thoroughly review their risk management programs. Enterprise risk management techniques can help companies better understand and manage their risks, optimize deployment of risk capital throughout the organization, and become more profitable.

Acknowledgement
Rick Baty with Insgroup contributed to this article.