In the early stages of the project, it was decided that Statoil would not simply implement one of the existing blueprints for ERM. Nor did Petter and Eyvind want it to be, or it would be seen as another control function.[1] They had something else in mind. They wanted a framework that made sense to Statoil, and that centered on the two basic goals of the company: to create value and to avoid accidents. Keeping people and the environment safe is the first priority and supersedes any other objective.[2] Beyond those basic objectives, however, risks are to be managed in a way that maximizes the value of the company. This insight has a number of implications, which are explored in this section.

To begin with, the focus on value affects the very way risk is defined in Statoil. According to Statoil's philosophy, which is widely communicated internally, risk encompasses not only downside risk but also upside potential. This philosophy has even found its way into the corporate directives of the company, which state that "risks shall be identified and analyzed, including both upside and downside impact." On this dimension, existing off-the-shelf ERM frameworks were considered too oriented toward regulatory compliance and risk avoidance. The Statoil philosophy instead recognizes that risk taking is unavoidable, even necessary, to create value for shareholders.[3] What matters is that the risks are well enough understood and found acceptable, given their downside risk and upside potential. Reflecting this thinking, the risk maps in Statoil have been developed to show probability and impact not only for the downside, which is the most common way of constructing these maps, but for the upside as well (see Exhibit 4.1).

Statoil's risk map captures both upside potential and downside risk for any given risk factor. On the x-axis is the probability of occurrence. On the y-axis is the impact figure, measured as the pretax impact on earnings (USD millions). Note that the impact is measured relative to the forecasted value of earnings. All reported risks will be considered twice in the map. The first is its potential contribution to upside potential (to be entered above the line), and the second is its contribution to downside risk (to be entered below the line). These two points are a summary, or synthesis, of the entire range of potential outcomes for the risk factor in question. For example, the risk factor denoted Risk A in the exhibit has a 5 percent probability that the outcome will be somewhat better than expected. However, there is a 10 percent probability of a fairly significant loss relative to the forecast (USD 200 million). For this particular risk, the downside risk is larger than the upside potential.

Exhibit 4.1 Risk Map

Exhibit 4.2 Statoil's Value Chain

As already mentioned, value creation is the basic guiding principle for ERM in Statoil. That is demonstrated by the emphasis the company puts on viewing risks in a value chain perspective. In the corporate directives it is written that the company's approach is to "identify, evaluate, and manage risk related to the value chain to support achievement of our corporate objectives" (original emphasis). Statoil's value chain is outlined in Exhibit 4.2, showing how its main activities progress from upstream (oil exploration and development) to downstream (petroleum refinement) to market (selling its products into various global markets).

Statoil's value chain consists of three main stages: the exploration and development of oil and gas reserves (upstream); the refinement of hydrocarbons into various petroleum products (downstream); and the selling of crude oil, gas, and refined products into different markets. The most important risks ("the risks that matter") have been divided into two categories: market risks and operational risks.

What difference does the value chain perspective make? First, it serves as a clear signal to everybody involved (i.e., Statoil's employees and other stakeholders) that value creation is the metric being pursued through ERM, and it is the impact on Statoil's performance that ultimately counts. Statoil's thinking on this issue is that if ERM is limited to managing risks related to goal achievement in various business units, the result will be "satisficing" rather than value maximizing.[4]

Another important benefit of the value chain perspective relates to the fact that the large number of risks identified in the risk map can make it challenging to understand what is really going on. By sorting the risks into a value chain, one can more easily see the bigger picture and, through the lens of the company's business model, see how the different risk categories hang together. In other words, the value chain perspective allows Statoil to rework the knowledge about risk contained in the risk maps into something that is more analytically and logically coherent.

The concept of core risks further underlines the central role of value creation as a guiding principle for ERM in Statoil. To understand this concept, we need to go back to 2001, when the company's shares were listed.[5] During the listing process, there were investors looking for arguments as to why they should invest in Statoil. Recognizing that investors were entitled to information about what exposures they were getting when they invested in Statoil shares, the company formulated the idea of core risks, understood as the risk exposures that an investor would expect, and even desire, to have from buying Statoil shares (the most important of which was the exposure to oil and gas prices). The core risks are owned by the CEO of the company and are coordinated centrally in the organization. One of the practical consequences of this is that trading mandates throughout the company have been substantially restricted and placed under central scrutiny. At the end of the day, this should increase the transparency and predictability of the risk exposures obtained by investing in Statoil shares, which lowers the risk premium investors attach to the company and hence also its cost of capital (Jankensgård, Hoffman, and Rahmat 2013).

  • [1] This is not to suggest that internal audit has been excluded from the ERM process. On the contrary, internal audit has been strongly supportive of ERM and has contributed valuable resources to it.
  • [2] This is underscored by the fact that the risks related to health, safety, and environment are the responsibility of a separate corporate function (Corporate Safety).
  • [3] Statoil's internal communication puts it this way: "We live by taking risks."
  • [4] The term satisfice was introduced by the American researcher and Nobel laureate Herbert Simon in 1956. It refers to a decision-making strategy that seeks to achieve an acceptable outcome, as opposed to the optimal outcome, which requires expending more time and effort.
  • [5] Statoil's shares were simultaneously listed on the New York Stock Exchange.
