Month in and month out, in good times and bad, oil and gas companies face uncertainty in their exploration efforts. It's also difficult for them to project future commodity prices, determine the life span of discovered reserves and confront a host of other potential vulnerabilities. To succeed amidst such uncertainty, it's prudent that management regularly update its company-wide risk assessment.

Each update should analyze the effectiveness of existing controls and determine if refinements are needed. The significance of any newly identified vulnerability, such as a proposed local regulation that would greatly increase the cost of drilling close to a residential area, is evaluated to determine whether new controls are needed to mitigate that risk.

With each update, risk assessment becomes a more internalized discipline that, in the long run, will enhance the company's business objectives, culture and values.

It is the management team's "tone at the top" that nurtures continuous improvement. When it initiates and supports various means for preventing, detecting and reporting fraud, management affirms the importance of safeguarding the company and its assets.

By measuring its actions against high ethical standards, management establishes benchmarks for what constitutes acceptable behavior throughout the organization.

Management can prompt employees to be more diligent in recognizing and reporting corporate vulnerabilities by repeatedly emphasizing the importance of risk assessment.

Regular communication that shares necessary information with internal auditors and other individuals throughout the organization is important. Control responsibilities for entity risks and supporting processes should be defined and delegated to the right business units, departments and individuals. Such measures help prevent dangerous field incidents, inaccurate data entries for well outputs, and other operational or financial reporting risks.

Required documentation of control activities establishes audit trails and accountability.

Controls ought to be continually monitored to evaluate their effectiveness, and to determine whether any identified vulnerabilities present unacceptable risk. Control testing should occur throughout the year and the audit committee should be regularly informed about the company's risk-assessment efforts.

Staff members who are performing a company-wide risk assessment need to focus on the most crucial vulnerabilities facing the business, and rank them based on the likelihood of those risks occurring and their potential impact.

A natural gas producer, for example, faces the possibility that an unseasonably mild winter in the northern U.S. will translate into less natural gas demand, thereby driving down gas prices in some of its downstream markets. The likelihood of such a scenario occurring is relatively high. However, the producer's actuarial analysis for future gas-price fluctuations accounts for this scenario occurring on a fairly regular basis. To further mitigate risk, it is likely the producer has signed fixed-price contracts as a hedge against falling prices.

If an oil and gas producer's coastal-area wells and infrastructure were to take a direct hit from a Category 5 hurricane, the impact would be catastrophic. The producer, though, has determined the likelihood of such a hurricane directly striking its facilities is very low.

Furthermore, the producer has taken a number of steps to mitigate risks associated with tropical storms or lesser hurricanes, including building its facilities to withstand higher-than-normal wind or water pressures, and operating as much of its business inland as possible.



Controlling cost

Such a top-down, risk-based focus that assesses the likelihood and impact of vulnerabilities complements the recently approved new standards issued by the Public Corporation Accounting Oversight Board (PCAOB) and SEC for complying with Sarbanes-Oxley 404.

The PCAOB and SEC recommend companies use both qualitative and quantitative measures to determine their potential risks.

With this process-level approach, significant accounts are regarded as quantitative risks due to the impact a financial reporting error can have on financial statements. Small, non-routine transactions or financial reporting processes, lacking the oversight provided by application or general IT controls, typically present a higher likelihood of error, and serve as examples of qualitative risks.

Following this approach throughout the organization enables management and the internal audit staff to assess the impact and likelihood of other risks. In today's environment, an oil and gas company with a significant increase in its production volumes would consider that increase a quantitative risk to the transportation vulnerabilities it faces, whether it ships its product by pipeline, rail, tanker or truck.

Likewise, if an E&P company has access to a limited number of drilling rigs, it must consider the qualitative risks of choosing to drill one location over another. This involves determining which locations will provide the greatest return, based on management's judgment and the available technical information.

When managers are updating company-wide risk, their tools include judgment and cumulative knowledge gained from past such efforts. These tools help them to determine which controls are most crucial and will merit continual attention.

At the process level, for example, an E&P company may have identified difficulties monitoring authorization-for-expenditures (AFE) line items against actual costs incurred while drilling. This problem may have led to additional unapproved expenses for pipe, labor, water, drilling, transportation or other well costs. Although managers may have implemented new controls after that evaluation to reduce the incidence of additional expenses being incurred without approval, such situations still occur.

In response, management could implement more stringent policies requiring business units, individuals or contractors to submit supplemental AFEs when initial AFE amounts appear insufficient. It could also consider installing new software and reporting capabilities that enable managers to more quickly evaluate these expenses as they are incurred.

For all process-level risks, the relevant employees should participate in mitigating newly identified risks and determining their likelihood.

The risk-assessment update also must take into account and analyze environmental changes such as new regulatory requirements related to environmental protection, transportation, field safety or other issues. These may require management to demand additional compliance processes and related controls.

Outsourcing back-office functions can be very efficient, but managers should recognize that this also introduces potential risks to a company. Services previously performed in-house, such as joint-interest billing, transaction processing for various field services or payroll processing, merit scrutiny as well.

Has each vendor effectively mitigated risks that may impact the company? In particular, if new IT systems are brought in, managers should evaluate the risks of change-management controls.

At the corporate level, a variety of changes in the external environment likewise merit attention. Competitors within the upstream sector may pose stronger challenges than before. Fluctuating energy prices, adverse energy-industry publicity, changes in general U.S. economic conditions, natural disasters or political instability abroad are also examples of external risks that may affect a company.

After updating and refreshing company-wide risk assessments, management should keep the board of directors and the audit committee informed of its findings, and its plans to mitigate any risks deemed unacceptable. By planning for such changes in its internal and external environment with each risk assessment, the company reduces the chances of a major unreported event having an adverse impact.



Further improvement

Each risk assessment serves as a point on a continuum, and builds upon the knowledge gained and improvements made following previous assessments. For company-level assessments, a variety of existing models form a structure for analyzing risk. These include the traditional SWOT (strengths, weaknesses, opportunities and threats) analysis, or the COSO (Committee of Sponsoring Organizations of the Treadway Commission) frameworks for internal control or enterprise-risk management.

An oil or gas company may refine these frameworks with each assessment, supplement them by developing customized models to suit its own needs, or devise entirely new models to identify and evaluate risks.

With each update, monitoring existing controls becomes more important relative to implementing new ones. The earlier a company recognizes events or new conditions that require risk assessment, the sooner it can align its responses to its risk appetite and strategies.

Process improvements resulting from risk assessments yield residual productivity gains as well as reducing risk. Continually monitoring controls and documenting control efforts nurtures a corporate culture that values accuracy and accountability. This reduces the chances of the company being adversely affected by a significant unreported event.

Oil and gas companies operate within a highly cyclical industry with wide price spreads separating the high and low points of each cycle. That's why updating and refreshing risk assessments helps a company enhance its predictive analysis. A fresh assessment gives management greater insight as to where it stands in a particular cycle.