Ops Risk Survival Guide: Three Lessons Bankers Need to Learn from Oil & Gas Risk Management

Posted by Brian Barnier, ValueBridge Advisors

I’ll spare you the photo of the camel in the desert from my trips to the oil & gas fields. For those of you who have been in my CPE classes on risk management and other presentations, you know that I bring an industrial view to ops risk in financial services. You’ve heard me talk about scenarios for “real threats to real operations,” not just compliance record-keeping. Industrial firms have spent decades learning what bankers have just been encountering in the past few years. In this post, we’ll look at just three of many valuable lessons to learn from the oil & gas industry.

When I started working in oil & gas, I received my risk management training – what to do when the siren sounds. Then I heard about how to get out of a helicopter that crashes at sea. With that sense of “real threats” let’s look at just three points:

1. In my teaching, I stress the need for an end-to-end process view of risk management. Yet, I’m told by banking attendees that “that’s not how our reporting forms are set up.” This is a “collision with reality” for bankers when they realize what is happening in the industrial (or telecom, or medical , aerospace or…) world. In financial services, there are loan applications, payments, straight through processing for transactions, ATMs and such. In oil & gas, there are pipelines. In pipeline safety, they look at factors such as third-party damage, corrosion, equipment failures, and human “unsafe acts.” They look at frequency and impact (although they use terms like “cause” and “consequence”). With an industrial heritage, they are also focused on thoughts like “high cause areas” and the ability to detect potential problems (such as corrosion). The pipeline analysis is end to end, but is not restricted to just the pipes. It also looks at the facilities through which the pipes run (like data centers in banks) and the environment through which the pipes pass (environmentally sensitive wilderness or high population areas).
Action: Make your risk scenario analysis more end-to-end, not just regulatory snippets. Look at delivering an actual product to a customer (like gas to a house).

2. Oil & gas firms are far more concerned about the role played by people (internal people in daily work, not just fraud) – whether in detecting, causing, planning or responding. People can do bad things and good things. Even when they do a “good thing” and detect a problem, they can still do a “bad thing” and respond the wrong way. The oil & gas industry is concerned about the quality of decision making in all stages of risk activity. They look at everything from fatigue to quality of training. This is applied BOTH to people involved in risk management planning and response AND to the actual operational teams. By contrast, many banks are just starting to learn the importance of the entire process of risk management (from identification to fixing to preventing). As one risk officer told me “I can’t run a risk department with a bunch of compliance retreads.” In banking, if the goal was neat reporting paperwork, then compliance skills were the answer. However, as we’ve seen in stories from Bank of America and Countrywide this week, risk is more than compliance. In banks, the “consequence” used to be a fine. Now the world has learned it is about collapsed institutions and massive unemployment. In oil & gas, they’ve long known that failure means world oil price moves when a facility is down, environmental disaster, displaced people and even death.
Action: Skill up your people, improve your risk governance. Send your people to training, hire mentoring services, get your people certified. In these cost-constrained times, mentoring is a highly cost efficient option and a smart decision. As Fred Winegust posted in his blog entry, you simply must start if you are ever going to reach your objective.

3. The view of risk is more directly tied to business performance. We’ve already noted that it is not just about compliance. Risk is about “risk-return.” Risk management is the ability to take more risk more safely in pursuit of return. If the refinery or pipeline is down, the costs are not just in fines and repairs. There is also a very direct impact on revenue. Not only will the oil company lose, but competitors will distinctly benefit. Risk is deeply tied with quality control. Improved quality reduces cost, improves flexibility and increases competitive options. (We’ll talk more about this in future blogs about other industries.) This business performance focus can carry you forward in spite of the potential regulatory confusions noted by my colleague, Rod Nelsestuen, in his posting.
Action: Rethink your risk metrics. Sit down with your corporate annual report or internal scorecard (financial, operational, strategic and customer satisfaction metrics). With paper and pencil, align current or create new risk measures to each of those business measures.

In summary, everyone knows that operational risk is newer than other types of risk in financial services. What many financial services people don’t know is how far financial services is behind other industries. Take time to apply just these three lessons from oil & gas.

What do you think? Are you already applying some of these approaches? If so, good for you! Why do you think others struggle to get to where you are? If you are not using these lessons, is it because you were unaware or is there some hurdle you are facing? Share your thoughts and post a comment. If you would like to reply to me personally or ask a question, feel free to do so at briangbarnier @ gmail.com (remove the spaces).

Best,

Brian

P.S. Will you be at the World Conference on Disaster Management in Toronto in June? If so, feel free to look me up. I’ll be teaching a session on Business Continuity Governance.

About the author: Brian Barnier, CGEIT, is an advisor, teacher, writer and researcher on risk-return value management. He teaches CPE classes and speaks at a range of conferences, writes for business and technology publications, and serves on multiple industry practices committees regarding risk, business process and IT value. He has worked in a range of industries and, in doing so, helps cross-pollinate his clients with the best of the best in risk management.


This is a public forum. United Business Media and its affiliates are not responsible for and do not control what is posted herein. United Business Media makes no warranties or guarantees concerning any advice dispensed by its staff members or readers.

Community standards in this comment area do not permit hate language, excessive profanity, or other patently offensive language. Please be aware that all information posted to this comment area becomes the property of United Business Media LLC and may be edited and republished in print or electronic format as outlined in United Business Media's Terms of Service.

Important Note: This comment area is NOT intended for commercial messages or solicitations of business.