Background and objectives
Our client operates major onshore oil and gas fields. The company has an enterprise risk management (ERM) framework that Broadleaf helped to develop and implement. Changes in the structure of the company and its operating environment required the risk assessment to be brought up to date.
The objectives of the risk assessment were to:
- Provide useful input to line managers in the company
- Focus on improving productivity and responsiveness to changing risks
- Assist the audit and assurance function in developing an Internal Audit Plan that was clearly focused on risks and critical controls.
We conducted risk assessment workshops for 12 operating and support units. There was excellent participation and commitment from the business units.
Risk identification in the workshops was based on initial risk registers derived from:
- Risk registers developed in previous risk assessments
- The current business plan
- Questionnaires sent to all units before the workshops.
Having risk registers developed in advance enabled us to conduct the workshops effectively and focus them on the more important risks.
A set of key elements was tailored for each specific business unit to provide a structure for the risk register and the workshop. Each workshop followed the same structure. For each key element in turn:
- The initial risks were reviewed and a concerted effort was made to identify further risks and include them in the review. However, as all the workshops were relatively short, the focus was on the most important matters, and no attempt was made to identify all the less-important risks.
- Threats and opportunities in the risk register were reviewed and revised, and the controls were updated. Additional threats and opportunities were identified and included in the register.
- The effectiveness of the controls was assessed for each risk, using an agreed control effectiveness scale. Control effectiveness is a relative measure of the actual level of control that is currently present and achieved, compared to the level of control that is reasonably achievable for a company like this for a particular risk.
- The consequences of each risk were assessed, using the company’s ERM scales, taking into account the current controls and their effectiveness.
- The likelihood of that level of consequences arising was assessed using the ERM scales, taking into account the current controls and their effectiveness.
- The consequence and likelihood ratings were combined to generate a level of risk.
- The potential exposure for each risk was assessed using the ERM consequence scale. Potential exposure is the maximum possible impact on the company if all the controls were to fail.
The workshop process is illustrated in Figure 1.
Threats and opportunities
Table 1 summarises the risks by their risk levels, showing the number of risks with each combination of consequence and likelihood rating. Risks in the top-right area of Table 1, where the consequences and the likelihoods are both high, were the focus of risk treatment attention by line managers (Figure 2).
Options for improvement include:
- Risk avoidance and opportunity seeking, by doing something new or different
- Changing the likelihood, by reducing it (risk prevention) for threats or raising it for opportunities
- Changing the consequences, by reducing the negative impacts of threats and enhancing the positive impacts of opportunities
- Risk and opportunity sharing, by transforming the threat or opportunity into a different kind of risk, for example in a contract
- Risk and opportunity tolerance, by retaining a risk through an explicit decision and monitoring as appropriate.
Control improvement opportunities
Table 2 summarises the risks by their levels of risk and their control effectiveness. Risks in the lower right area of Table 2 received attention for control improvement by line managers (Figure 3). Risks in this area have higher risk levels but the controls are not as good as they could be for a company like this.
Monitoring and assurance
Table 3 summarises the risks by their level of risk and their potential exposure if all the controls failed to work as intended. Risks in the upper left area of Table 3 received attention for assurance activities such as inspections, reviews and monitoring by line managers and assurance providers, as the controls are important here for maintaining the lower level of risk. The controls for these risks were included in the Internal Audit Plan.
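The workshop steps above (control effectiveness, consequence, likelihood, level of risk, potential exposure) and the three triage views in Tables 1 to 3 can be written down as a small register model. This is an added illustration, not Broadleaf's or the client's material; the 1 to 5 rating scales, the rule that combines consequence and likelihood into a level of risk, the thresholds that define each table's "area", and the sample risks are all assumptions, since the case study does not reproduce the company's ERM scales.

```python
from collections import Counter
from dataclasses import dataclass

# All ratings use an ASSUMED 1..5 ordinal scale; the client's ERM scales are not given.
@dataclass
class Risk:
    unit: str
    description: str
    consequence: int            # rated with current controls in place
    likelihood: int             # rated with current controls in place
    control_effectiveness: int  # 1 = poor .. 5 = as good as reasonably achievable
    potential_exposure: int     # consequence if every control failed

def risk_level(consequence: int, likelihood: int) -> str:
    """Assumed combination rule: product of the two ratings bucketed into four levels."""
    score = consequence * likelihood
    return ("Extreme" if score >= 15 else "High" if score >= 8
            else "Medium" if score >= 4 else "Low")

def summarise(risks, row, col) -> Counter:
    """Count risks per (row rating, column rating) pair, the shape of Tables 1-3."""
    return Counter((row(r), col(r)) for r in risks)

def for_treatment(risks):
    """Table 1, top right: consequence and likelihood both high -> risk treatment by line managers."""
    return [r for r in risks if r.consequence >= 4 and r.likelihood >= 4]

def for_control_improvement(risks):
    """Table 2, lower right: high level of risk but controls below what is reasonably achievable."""
    return [r for r in risks
            if risk_level(r.consequence, r.likelihood) in ("High", "Extreme")
            and r.control_effectiveness <= 2]

def for_assurance(risks):
    """Table 3, upper left: modest level of risk only because controls hold back a large exposure."""
    return [r for r in risks
            if risk_level(r.consequence, r.likelihood) in ("Low", "Medium")
            and r.potential_exposure >= 4]

# Constructed sample register for illustration; these are not the client's risks or ratings.
REGISTER = [
    Risk("HR", "Recruitment and retention of personnel", 4, 4, 3, 4),
    Risk("Ops North", "Trunk line failure from integrity problems", 4, 3, 2, 5),
    Risk("Ops South", "Transfer line failure from accident", 3, 2, 4, 5),
    Risk("Finance", "Late supplier invoicing", 2, 3, 4, 2),
    Risk("Integrity", "Corrosion inspection backlog", 3, 3, 2, 4),
]
```

With the sample register, the trunk line risk lands in the control-improvement area of Table 2 (High level of risk, weak controls) while the transfer line risk lands in the assurance area of Table 3 (Medium level of risk held down by good controls against a large exposure), which is the distinction the three tables are designed to make visible.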
Some risks were common across different parts of the company, indicating concerns that were broader than just one unit. For example:
- The recruitment and retention of personnel in sufficient numbers and of the required quality was a major concern for all units. However, it was agreed that rather than perform the same analysis for each unit, the risks would be assessed and recorded in the human resources team workshop.
- Failure of gas or oil flow lines, trunk lines and transfer lines was a common risk, whether due to integrity problems or accidents. This was seen as a high risk by all the operating areas and the integrity team.
Each common risk was addressed by a group with knowledge and responsibilities consistent with the parts of the business the risk affected. They assessed it from a company-wide perspective and formulated treatments in that context.