View larger chart image
Most organizations start correctly by taking a top-down approach to risk assessment, identifying all the major risks and understanding their potential impact on corporate profit. Indeed, leading companies in this field undertake an enterprise-wide risk assessment at a high level, while delegating the management of operational issues such as compliance to a lower level. Similarly, commodity-price risk should be dealt with by the marketing and trading division. It is up to senior management to pull these strands together.
Enterprise-wide risks, particularly emerging threats, are those that are on the Board agenda to understand and manage, but a bottom-up assessment is important, too. Cyber security is a key risk, but it is often not analyzed deeply enough by undertaking scenario analysis. This analysis drives an understanding of the practical risk implications, the greatest vulnerabilities, quantification of the exposure, and a detailed evaluation of how we are monitoring and addressing the possibility of cyber attack, beyond simply ranking it as a top risk, says Wilson. Geopolitical risk is not just the possibility of asset nationalization, but also predatory fines by a government in dire need of money.
The risk scenario perceived as the greatest threat to the ENR industry is geopolitical instability (69 percent of respondents). However, in terms of issues, respondents said regulatory pressure was the biggest threat (53 percent). Regulatory pressure may have been interpreted broadly to include things such as predatory fines and risks associated with the environment and health and safety, which are perennial concerns in ENR. Companies face very large risks when venturing into countries they haven’t operated in before, says Wilson, particularly in terms of regulatory uncertainty. “Companies may try to do the right thing and can get tripped up by a government’s broad interpretation of the rules, or an absence of regulations, or a rule that’s unclear,” he argues.