Value and Risk: Enterprise Risk Management at Statoil
Independent Consultant, Norway
Researcher, Department of Business Administration and Knut Wicksell Centre for Financial Studies, Lund University, Sweden
The enterprise risk management (ERM) approach to managing a company's risks promises many benefits. A reading of the literature on the subject will tell you that ERM, among other things, will reduce the frequency of surprises, lead to better allocation of resources, improve risk response decisions, and reduce costly duplication of risk management activities (e.g., COSO 2004).
Many companies are finding out that these benefits don't always materialize easily. It turns out that implementing a holistic, enterprise-wide approach to risk management often challenges the organizational status quo. Powerful individuals and business units face a potential loss of autonomy and are asked to comply with new reporting requirements. "The way we've always done things around here" is no longer good enough, it may seem.
In companies where change is resisted, ERM is at risk of becoming an island, an isolated process whose outputs and opinions are largely ignored by decision makers. These so-called ghost ERM programs contribute little or nothing at all to enterprise value. In this chapter we use the experience of Statoil, a Norwegian oil and gas producer, for lessons about how to overcome these organizational challenges and make the potential benefits of ERM become reality.
At Statoil, understanding and managing risk are today considered core values. This principle has been duly integrated into the organization, and is inscribed in steering documents as well as in a booklet handed out to all employees, describing core values, corporate governance, the operating model, and corporate policies. The company has developed a sophisticated approach to ERM that centers on the principle of value creation. ERM is thoroughly embedded in the business units' way of doing things, and it appears to enjoy the wholehearted support of Statoil's executive officers and board of directors.
Statoil has, in other words, managed to make ERM into something that makes a real difference. To gain insights about the success factors behind this outcome, we will investigate how Statoil has dealt with the four main general tasks that fall on executives responsible for ERM: (1) make sure that there is an adequate process for identifying, managing, and reporting risks throughout the company; (2) act as a support function to business units in this work; (3) detect and counteract risk management decisions that are suboptimal for the company as a whole; and (4) analytically aggregate risks to support decision making concerning the company's total risk profile. The first two sections outline the history of ERM in Statoil, and the guiding principles that underpin it.