

Receiving more than 400 risks from the administrative areas, consolidation was undertaken at a business line level to arrive at about 100 risks. This list was shared with compliance functions and corporate planning, and various published resources and surveys were also considered, to come to a final 10 risks. These risks were to be presented to the Management Committee in an hour-long presentation for consideration and confirmation as being the company's top risks. The approach can be seen in Exhibit 20.4.

Exhibit 20.2 MECO Corporate Risk Register Template

Exhibit 20.3 Example of Risk Information Reviewed by the ERM Team

Risk Framework

While the top risks had been collected, consolidated, and reviewed by 2011, work also began in early 2011 to put together a proposed Risk Framework. This had not been part of the team's initial remit; however, it was felt that having a one-hour presentation with the Management Committee was too good an opportunity to pass up. Presenting this element to the Management Committee alongside the top risks, as a way to ensure that an ongoing process of identifying risks was in place, would add value to the presentation.

Exhibit 20.4 Risk Analysis and Consolidation Approach

Risk Management Approach

The risk management approach that the risk management project team put together considered such things as which standards to adopt and how risk management would flow through the organization (ISO 31000 was the eventual decision due to the high regard for ISO in the Gulf region, which would support implementation of risk management in the long run).

The key documents that were drafted were risk policy, Risk Committee, risk maturity model, risk procedure, risk training material, and risk maturity matrix.

Risk Policy

The risk policy included key sections such as:

• Background and purpose

• Objectives

• Scope

• Definitions

• Policy statement

• Risk philosophy

A traffic light system had essentially been suggested within the framework in the form of a 5 x 5 risk matrix that would help identify the organization's key risks. The matrix is shaded to indicate high, medium, and low importance. See Exhibit 20.5 for the risk matrix. Although this is a good system to use, the organization's risk tolerance and appetite had not been reviewed or set.

In order to set a risk tolerance, there needs to be a top-level decision as to what should be managed and what should not. Some interviews and a short workshop to assess and set the risk appetite and various tolerance levels were therefore discussed among the risk project team, which led into further discussions relating to having a Risk Committee.

Exhibit 20.5 Risk Matrix

Internal Audit had already noted to the Management Committee in previous meetings that it was difficult to meet with the Management Committee and that in order to implement risk management the team would need access to an overarching body that could make decisions on behalf of the Management Committee. The risk management team could then, along with a Risk Committee, set the tolerance level for the organization as well as approve and make changes to any risk documentation that was being developed.

While other more scientific methods of setting a risk tolerance and appetite were available, they would have required more time and the use of consultants, which had already been ruled out by the Management Committee.

Risk Committee

The risk management team was keen to establish a Risk Committee. The team understood the importance of the Risk Committee in supporting the implementation of the Risk Framework should the Management Committee agree to implement it.

The Risk Committee would be the link between the corporate risk register and the business lines and would act as a filter for the Management Committee. Risks from the business line risk registers could feed into the Risk Committee for consideration toward the corporate risk register. Equally, any major project risks or joint venture (JV)/partner risks could feed through the Risk Committee, too.

Risk Maturity

The team agreed that in order to progress with risk management, consideration needed to be given as to where they were now and where they wanted to be in terms of risk maturity. Additional work was therefore undertaken to create a risk maturity model specific to MECO, which can be seen in Exhibit 20.6.

Risk Procedure

The risk procedure essentially expanded on the risk policy and gave a much more detailed account of the process of risk management, such as the traffic light system mentioned earlier in Exhibit 20.5, which was called a risk matrix.

The procedure also came with attachments such as: reporting structure, Risk Committee charter, assessment criteria (which expanded upon the 5×5 matrix and quantified it to an extent), example risk register, and example action plan.

Risk Training Material

The risk management team had been providing various training to the organization for some time, and it was agreed that something more formal should be put in place. First, training presentations were gathered from around MECO and consolidated into one agreed training presentation. Second, the team started the process of making it align with the Institute of Risk Management (IRM), which has a strong presence in the region as well as in Europe. The idea was to create training that would provide delegates with a certificate of attendance from the IRM to make it more attractive and beneficial. There were also tiers of training to be provided depending on the audience (managers, general staff, project managers, and risk coordinators).

Exhibit 20.6 MECO Risk Maturity Model

Maturity Level Definitions

Level 1: Undeveloped. No structured approach for identifying and managing risks.

Level 2: Formalized. Policies and processes being established.

Level 3: Established. RM is implemented into routine business processes.

Level 4: Embedded. A proactive approach to the management of risks exists at all levels of the operating company.

Level 5: Optimized. Continuous improvement and full range and cycle of program activities being accomplished.

Requirements to Meet Various Levels of Maturity

For each Risk Management Element below, the Level 1 items describe the undeveloped state; the items under Levels 2 to 5 are what must be achieved to become "Formalized," "Established," "Embedded," and "Optimized," respectively.

Risk Management Element: Governance and Infrastructure

Level 1 (Undeveloped):
1.1.1 A Risk Management Plan does not exist for the organization/project.
1.1.2 Responsibility for risk management (RM) has not been established.
1.1.3 No provision for RM activity in the budget.
1.1.4 No review of the effectiveness of any RM activity.
1.1.5 No improvement process for RM.
1.1.6 No Risk Policy in place which is signed and approved by the Management Committee (MC).

Level 2 (to become "Formalized"):
2.1.1 Risk reviews are scheduled for each business line.
2.1.2 Accountability and authority for RM is formalized.
2.1.3 Benefits of RM have been communicated by EBOD.
2.1.4 An ERM department has been established. Roles and responsibilities are clear with specific areas of responsibility assigned (i.e., Business Continuity, Joint Ventures, Operations). Some overlapping and shared responsibilities are made clear (i.e., Corporate Risk Register information gathering and consolidation, etc.).

Level 3 (to become "Established"):
3.1.1 Documented methodology for RM within Admin Area plans and activity in place.
3.1.2 The benefits of RM have been communicated.
3.1.3 A risk committee has been established with a cross-organizational remit.
3.1.4 Risk coordinators have the skills, training, and resources to deliver on RM expectations.
3.1.5 MC formally receives updates on RM effectiveness.
3.1.6 RM aligned and coordinated with related areas of activity (e.g., HSSE, insurance, crisis management, key projects, etc.).
3.1.7 Risk Management Information System (RMIS) that allows consolidation and interrogation of risks across the organization in place.

Level 4 (to become "Embedded"):
4.1.1 The RM Policies and Procedures conform with and are referenced by other local management processes, for example, a Project Management Plan.
4.1.2 A formal RM analysis is required on all projects/organizations as part of the initial estimation/approval process.
4.1.3 The RM process is fully integrated with all business processes, for example, Strategic Planning (business plan) and Budgeting.
4.1.4 MC and RM committee receive formal annual reports on the effectiveness of the RM framework, usually delivered by Internal Audit or a third party. This is based on set review criteria aligned to the RM policy and RM plan.
4.1.5 Risk Department has independent reporting lines.
4.1.6 Formal RM information system in place, which stores RM data centrally; used to develop shared risk and control.

Level 5 (to become "Optimized"):
5.1.1 Risk information forms a key input to decision-making processes and capital allocation across the Operating Company.
5.1.2 Improvements are formally monitored over time. Where requirements for improvement are identified, these are reported to the Operating Company Executive Management Committee as part of independent assurance activity and monitored.
5.1.3 The risk framework is formally examined in the event of significant change or when a loss occurs.

Risk Management Element: Identification and Prioritization

Level 1 (Undeveloped):
1.2.1 Risks are not formally captured across the organization.
1.2.2 Assessment (if performed) may not use a scoring scheme or may use inconsistent variables.
1.2.3 No defined measure of risk appetite.

Level 2 (to become "Formalized"):
2.2.1 Alternative methods for risk identification are considered when planning Risk Identification sessions.
2.2.2 The sources of knowledge to be used during risk identification are clearly identified (i.e., lessons learned logs, keywords, hazard identification prompt lists, and external functions/experts).
2.2.3 All business lines have a Risk Register which informs the Corporate Risk Register.
2.2.4 Corporate Risk Register in place.

Level 3 (to become "Established"):
3.2.1 Risks are categorized.
3.2.2 Risk owners are allocated for each risk.
3.2.4 Risk maps are used to illustrate assessment results.
3.2.5 Risks are centrally consolidated and challenge provided where appropriate.
3.2.6 Emerging risks are formally considered and evaluated.
3.2.7 All Admin Areas have a risk register which informs the Business Line Risk Register.
3.2.8 Risk Appetite is defined.

Level 4 (to become "Embedded"):
4.2.1 A team-based approach is used to identify risks.
4.2.2 Risk identification exercises conducted outside the regular schedule (in the event of major changes).
4.2.3 All employees know whom to report an emerging risk to, should one become apparent.
4.2.4 Risks are assessed in a quantified approach.
4.2.5 Opportunities are identified as part of the Risk Identification process and the risks of not pursuing opportunities are captured.

Level 5 (to become "Optimized"):
5.2.1 A risk assessment process is in place (developed and documented) that considers the relative riskiness of different options when making management decisions.
5.2.2 Risk quantification takes into account the impact on other parts of the organization.
5.2.3 Key risk indicators (KRI) are developed for each risk.

Risk Management Element: Risk Treatment

Level 1 (Undeveloped):
1.3.1 Any risk identified is unlikely to have treatment specified, funded, or tracked to completion.

Level 2 (to become "Formalized"):
2.3.1 All key risks have associated action plans.
2.3.2 Control effectiveness is formally assessed.

Level 3 (to become "Established"):
3.3.1 Risk Treatment is planned and monitored.
3.3.2 Assessment of effectiveness of proposed treatment is performed for all key risks (e.g., cost-benefit analysis, Delphi style workshop, etc.).
3.3.3 Business Continuity Management implementation in place and working with the ERM department.

Level 4 (to become "Embedded"):
4.3.1 The project/organization has specific financial provision to cover contingency (fallback) plans and risk treatment strategies.
4.3.2 MC understands contingency (fallback) actions for Key Risks.
4.3.3 The allocation of funds for risk treatment is aligned with management priorities and decisions.
4.3.5 Cross-business treatment plans are developed and coordinated where applicable.

Level 5 (to become "Optimized"):
5.3.1 An effective "three lines of defense" model is in place and fully integrated with all business processes, ensuring that those responsible for taking risk are supported/enabled to manage it.
5.3.2 The risk treatment process is fully integrated with the Operating Company's management processes.
5.3.3 The allocation of funds for risk-treatment actions is in alignment with management priorities and decisions.

Risk Management Element: Reporting and Monitoring

Level 1 (Undeveloped):
1.4.1 There is no formal process for key risk reviews.
1.4.2 There are no formal risk escalation procedures/processes in place.
1.4.3 There is no organization-wide communication on RM.

Level 2 (to become "Formalized"):
2.4.1 Business Line Risk Reporting has been established.
2.4.2 The risk register is reviewed and updated in accordance with the RM Policy and Procedure.
2.4.3 There is a formal mechanism for escalating risk.
2.4.4 Each risk treatment action has a target completion date which is actively and routinely tracked.
2.4.5 Those individuals with RM responsibilities are regularly provided with RM communications.

Level 3 (to become "Established"):
3.4.1 There is a defined process to review and report risk status and KRIs, using standard reports, to key stakeholders up and down the organization.
3.4.2 Risk Dashboards in place.
3.4.3 Regular communication on "risk status" is distributed to key stakeholders and interested parties as defined in the RM Policy and Procedures.
3.4.3 Alignment between RM and the internal audit process.
3.4.5 RM process and output informs the annual internal audit plan (risk-based audit).

Level 4 (to become "Embedded"):
4.4.1 RM is a standing agenda item in MC meetings and discussion is documented.
4.4.2 Risks and risk treatment actions are actively and routinely tracked and financial provisioning is adjusted as risks expire.
4.4.3 There is a formal RM communication plan that addresses both internal and external communication requirements.
4.4.4 Regular testing and documentation of crisis management plans aligned to key risks.
4.4.5 Management and the RM committee receive formal annual reports on the effectiveness of the RM framework, usually delivered by Internal Audit or a third party.

Level 5 (to become "Optimized"):
5.1.5 The risk monitoring and control system is fully integrated with the Operating Company's control systems, monitoring programs, cost management, and time management processes.
5.1.2 Responsibilities for each element of the risk management process have been allocated and integrated into the performance evaluation processes.

Risk Management Element: Risk Culture

Level 1 (Undeveloped):
1.5.1 RM training has not been provided to any employee.

Level 2 (to become "Formalized"):
2.5.1 RM training is provided to those with responsibility for RM.
2.5.2 RM policies and procedures are formally documented.
2.5.3 RM is owned at entity level.

Level 3 (to become "Established"):
3.5.1 Tailored RM training is proactively provided to all individuals.
3.5.2 RM guidance (manuals, policies/procedures) readily available to all employees (e.g., intranet).

Level 4 (to become "Embedded"):
4.5.1 RM training, relevant to their role, is embedded in the personal development plans of relevant individuals.
4.5.2 RM performance indicators are included in personal goals.
4.5.3 Development of an open, challenging, and learning-based risk culture.

Level 5 (to become "Optimized"):
5.5.1 The development and setting of business objectives is completely aligned with the application of the RM process.
5.5.2 RM communication is completely integrated with the organization's overall communication plan.
5.5.3 RM communication to external stakeholders is used to instill confidence in the robustness of the organization.

Exhibit 20.7 Simplified Risk Matrix

Risk Maturity Matrix

The risk maturity matrix was to be the key to the future success of risk management implementation. It would provide requirements and a road map to implementing risk management successfully throughout the organization based on the ISO 31000 model. It provided for a five-phase approach with clear and practical requirements to progression that any part of the organization could follow.

Based on the points within the matrix, a self-assessment was carried out in order to map out MECO's current maturity levels. The findings were summarized in a simplified risk matrix, shown in Exhibit 20.7, for presentation to the Management Committee. The same methodology was used to measure and benchmark the maturity levels other oil and gas organizations had reached. This was mapped in a graphic that would be used to encourage top management to support ERM in order to reach maturity levels similar to those of competitors. The benchmark can be found in Exhibit 20.8.

Exhibits 20.9, 20.10, 20.11, and 20.12 provide lists of potential corporate risks that have been identified by other companies (Shell and BP) and organizations (E&Y and AON), which apply to the energy and chemical industries.
