10/29/2018. THOUGHTWARE Energy. Enterprise Risk Management for Energy Companies. Brian Matlock, CPA; Ken Hirsch; Charlie Wright, CPA, CIA, CISA


Slide 1: THOUGHTWARE Energy
Enterprise Risk Management for Energy Companies
Brian Matlock, CPA; Ken Hirsch; Charlie Wright, CPA, CIA, CISA
October 29,

Slide 2: To Receive CPE Credit
Individuals:
- Participate in entire webinar
- Answer polls when they are provided
Groups:
- Group leader is the person who registered & logged on to the webinar
- Answer polls when they are provided
- Complete group attendance form
- Group leader signs bottom of form
- Submit group attendance form to within 24 hours of webinar
- If all eligibility requirements are met, each participant will be e-mailed their CPE certificate within 15 business days of webinar
Agenda for Today's Webinar:
- Implications of energy risks on enterprise risk management: disruptive technologies, cyclicality, geopolitical implications, commodity price volatility, pipeline takeaway, aging of the workforce
- Review a framework to help manage critical risks

Slide 3: Enterprise Risks
Geopolitical tension; disruptive technologies; regulatory change & scrutiny; commodity price volatility; succession planning/talent management; cyberthreats; resistance to change; information security/privacy; pipeline takeaway; disasters; operations; competitive responses; regional price differentials; mergers & acquisitions; cyclicality; supply chain
Why ERM? An effective ERM program provides a number of benefits:
- Understand & document the highest-priority risks
- Compare & contrast board & management perspectives
- Identify emerging risks
- Gain comfort that risks are being properly mitigated

Slide 4: Enterprise Risks (risk wheel as on slide 3)
Disruptive Technologies: AI; blockchain; robotics; autonomous vehicles; 3D printing; advanced materials; Internet of Things; energy storage; cloud computing; virtual reality; process automation; software as a service

Slide 5: Top 10 Disruptors to Watch
1. Blockchain expands beyond currency
2. Bots become viable
3. AI encroaches on white-collar employees
4. 3D printing speed & scale expands
5. Virtual & augmented reality become commercial
6. Internet of Things continues to expand
7. Battery capacity & recharge capability increases
8. Genetic breakthroughs
9. Wearables & implantables become more common
10. Cyberthreats & security tools proliferate
Don't Become a Dinosaur

Slide 6: No Ordinary Disruption
Accelerated technology; emerging markets; global demographics; Industrial Revolution x 3,000; connectivity
Enterprise Risks (risk wheel as on slide 3)

Slide 7: New COSO ERM Framework: Risk Management Principles

Slide 8: COSO ERM Framework
Emphasizes value, integration & culture:
- Creating, preserving & realizing value
- Risk management integrated into strategy development & organizational performance
- Culture affects risk decision making
COSO ERM Framework:
- Does not replace the 2013 Internal Control Integrated Framework
- The two frameworks are distinct & complementary
- Both use components & principles
- Commonalities of internal control to enterprise risk management are not repeated

Slide 9: Risk & ERM Definitions
Risk: Possibility that events will occur & affect the achievement of strategy & business objectives
Enterprise Risk Management: Culture, capabilities & practices, integrated with strategy & execution, that organizations rely on to manage risk in preserving & realizing value
ISO: recently updated; not designed to provide certification; micro or macro level

Slide 10: Four Steps to Implement ERM
1. Documented understanding of risks
2. Prioritization & analysis of risks
3. Integration of ERM into day-to-day processes
4. Governance & oversight
Step One: Understand your risks & document them in an easy-to-understand format

Slide 11: Documentation
Fields: name; definition; scope; why is this a risk?; owner; risk management activities; risk issues or gaps; fixes in progress
Step Two: Risks should be analyzed & prioritized to compare across functions & year-over-year

Slide 12: Metrics
Financial Impact: 1. < $50 million; 2. $50 million to < $500 million; 3. $500 million to < $1 billion; 4. $1 billion to < $5 billion; 5. > $5 billion
Likelihood: 1. Highly unlikely; 2. Somewhat unlikely; 3. Neutral; 4. Somewhat likely; 5. Highly likely
Preparedness: 1. Very prepared; 2. Prepared; 3. Neutral; 4. Unprepared; 5. Very unprepared
Velocity: 1. Greater than one year; 2. One year; 3. Weeks to months; 4. Days to weeks; 5. Hours to days
Financial Impact Scale (qualitative definition / quantitative range):
1. Very low: operations unaffected, but monitoring / < $1 million
2. Low: consequences of event tangible, need changes / $1 million to < $5 million
3. Moderate: operational changes required immediately / $5 million to < $10 million
4. High: significant changes needed immediately / $10 million to < $25 million
5. Very high: core mission impaired, operationally disabling / > $25 million

Slide 13: Likelihood Scale
1. Highly unlikely: not likely to occur within the next 10 years
2. Somewhat unlikely: not likely to occur within the year
3. Neutral: may occur within the year
4. Somewhat likely: may occur within the quarter
5. Highly likely: may occur within the week
Velocity Scale
1. Very slow: greater than one year
2. Slow: one year
3. Medium: weeks to months
4. Rapid: days to weeks
5. Very rapid: hours to days

Slide 14: Control Effectiveness (Preparedness) Scale
1. Very prepared: controls reduce risk likelihood &/or impact by 95 percent
2. Prepared: controls reduce risk likelihood &/or impact by 75 percent
3. Neutral: controls reduce risk likelihood &/or impact by 50 percent
4. Unprepared: controls reduce risk likelihood &/or impact by 25 percent
5. Very unprepared: controls reduce risk likelihood &/or impact by 5 percent
Potential Risk Prioritization: year-over-year comparison, prioritized by current year (chart: current year)
Risk legend: 1 Commodity price volatility; 2 Global macro conditions; 3 Strategic; 4 Cyberattacks; 5 Data privacy; 6 Regulatory compliance; 7 Speed of tech changes; 8 Pipeline takeaway; 9 Workforce age; 10 Recruitment, retention; 11 Differentials; 12 Supply chain; 13 Financial; 14 Etc.

Slide 15: Potential Risk Prioritization: year-over-year comparison, prioritized by current year (chart: current year vs. prior year; risk legend as on slide 14)
Likelihood chart: highlight outliers (risk legend as on slide 14)

Slide 16: Control Effectiveness (Preparedness) chart: highlight unexpected high- & low-rated risks (risk legend as on slide 14)
Financial Impact chart: why is leadership not aligned with the board & front line? (risk legend as on slide 14)

Slide 17: Velocity chart: front-line employees rated velocity differently for a number of these risks; why? (risk legend as on slide 14)
Overall Risk Map: axes are average financial impact and average likelihood; size of bubble = unpreparedness (risk legend as on slide 14)
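The four 1-5 scales on slides 12-14 and the "why are the groups not aligned?" questions on slides 15-17 can be turned into a small scoring routine. This is an added example, not material from the BKD deck: the risks, rater groups, rating values and prior-year scores are constructed, and ranking by impact x likelihood is an assumption (the deck only shows the two axes and the bubble size).

```python
"""Added example (not from the BKD deck): score risks on the four 1-5 scales
from slides 12-14 and flag rater misalignment as slides 15-17 suggest."""
from statistics import mean

DIMENSIONS = ("impact", "likelihood", "preparedness", "velocity")

# Constructed ratings: risk -> rater group -> (impact, likelihood, preparedness, velocity).
# The three groups mirror the deck's board / leadership / front-line perspectives.
RATINGS = {
    "Commodity price volatility": {"board": (5, 5, 2, 4), "leadership": (5, 4, 2, 4), "front line": (4, 5, 3, 4)},
    "Cyberattacks":               {"board": (4, 4, 3, 5), "leadership": (3, 3, 2, 4), "front line": (4, 4, 5, 5)},
    "Pipeline takeaway":          {"board": (3, 3, 3, 2), "leadership": (3, 3, 3, 2), "front line": (3, 4, 3, 3)},
}
# Constructed prior-year scores for the year-over-year comparison on slides 14-15.
PRIOR_YEAR_SCORE = {"Commodity price volatility": 22.0, "Cyberattacks": 12.0, "Pipeline takeaway": 10.0}

def dollar_impact_to_scale(amount_musd: float) -> int:
    """Map a loss estimate (millions of USD) onto slide 12's Financial Impact scale."""
    for score, upper in ((1, 50), (2, 500), (3, 1_000), (4, 5_000)):
        if amount_musd < upper:
            return score
    return 5  # > $5 billion

def average_profile(groups: dict) -> tuple:
    """Average each dimension across rater groups (the 'Average ...' axes of the risk map)."""
    return tuple(round(mean(g[i] for g in groups.values()), 2) for i in range(4))

def misaligned(groups: dict, dimension: int, gap: int = 2) -> bool:
    """True when rater groups differ by at least `gap` points; these are the outliers to discuss."""
    values = [g[dimension] for g in groups.values()]
    return max(values) - min(values) >= gap

def prioritize(ratings: dict = RATINGS, prior: dict = PRIOR_YEAR_SCORE) -> list:
    """Rank risks as the risk map does: impact x likelihood, bubble size = unpreparedness.
    The product ordering is an assumption; the deck only shows the two axes and the bubble."""
    rows = []
    for risk, groups in ratings.items():
        impact, likelihood, preparedness, velocity = average_profile(groups)
        score = round(impact * likelihood, 2)
        rows.append({
            "risk": risk, "score": score, "bubble": preparedness, "velocity": velocity,
            "yoy": round(score - prior.get(risk, score), 2),  # change vs. prior year
            "flags": [d for i, d in enumerate(DIMENSIONS) if misaligned(groups, i)],
        })
    return sorted(rows, key=lambda r: r["score"], reverse=True)
```

Calling `prioritize()` returns the ranked rows; a non-empty `flags` list on a row is the cue the slides describe for asking why the board, leadership and front line see that risk differently.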

Slide 18: Four Steps to Implement ERM
Step Three: Develop ongoing process to identify changes & emerging risks
Integrated Ongoing Process:
- ERM is not a one-time project; it should be ongoing
- Identify trends, changes & emerging risks
- Update documentation periodically, assessing risk often
- Develop periodic review processes
- Develop risk awareness throughout the organization

Slide 19: Integrated Ongoing Process
Regular discussion with anonymous input leads to impactful changes:
- Organizational changes to improve facility engineering
- Initiated corporate focus on data management
Example: Mapping of Strategy to Risk Profile & Appetite
Strategy: Increase percentage of oil revenue compared to natural gas revenue
Objectives: Invest $1 billion in oily assets in 2019; divest natural gas (50%); consolidate divisions in 2020
Risks: Risk 1, production is lower than expected; Risk 2, natural gas asset sales lower than expected; Risk 3, natural gas asset sales take more time than expected

Slide 20: Example: Mapping of Strategy to Risk Profile & Appetite
Goal is to achieve a specific performance level while keeping risk within targeted risk appetite
Four Steps to Implement ERM, Step Four: Governance & Oversight

Slide 21: Governance, Oversight & Communication
- Customize an ERM framework
- Establish roles & responsibilities
- Tone at the top & culture
- Create a committee of risk owners & subject matter experts
- Determine purpose of ERM process & cadence of meetings
- Send strong messages about risk management
Example Framework (cycle diagram): Optimize; Monitor; Communicate; Identify Risks; Business Goals & Objectives; Document; Analyze; Assess; Integrate; Action

Slide 22: Example Framework
Departmental Risk Management Activities: appetite & tolerance; business processes; dedicated functions; teams & committees; risk management
ERM Governance: ERM vision/purpose; board & executive oversight; roles & responsibilities; steering committee(s)

Slide 23: Example Framework
Integration: culture; common terminology; change management; communication; training
Enterprisewide Activities: periodic enterprise risk assessment; as-needed subject matter expert discussions; board reviews; executive management reviews

Slide 24: Establish Governance & Framework
Systems, Tools & Dashboards:
- Heavily fragmented market for systems & tools
- ERP/GRC systems
- ERM dedicated systems
- Other applications with bolt-on modules
- Many organizations use Word/Excel/PowerPoint
- Customized dashboards provide effective monitoring capabilities

Slide 25: Are You Capitalizing on ERM?
Conclusion:
- ERM is maturing but still varies dramatically
- The energy industry is an inherently risky business
- There are four steps to implementation of a practical framework: understand & document your risks; prioritize your risks; establish governance & oversight processes; integrate enterprise risk management throughout the organization

Slide 26: Continuing Professional Education (CPE) Credit
BKD, LLP is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website.
The information contained in these slides is presented by professionals for your information only & is not to be considered as legal advice. Applying specific information to your situation requires careful consideration of facts & circumstances. Consult your BKD advisor or legal counsel before acting on any matters covered.
CPE Credit: CPE credit may be awarded upon verification of participant attendance. For questions, concerns or comments regarding CPE credit, please e-mail the BKD Learning & Development Department at training@bkd.com
