Oil, Gas Industry Seeks to Address New Face of Risk
The risks facing today's oil and gas industry have grown in number and complexity, with companies having little time in some cases to sit and think before they react, according to a panel of industry officials at the IHS CERAWeek conference Wednesday in Houston.
The industry not only faces risks on new fronts, including cyberattacks such as the one experienced by Saudi Aramco last year, but the way companies deal with governments and define political risk has also changed, said Bob Fryklund, vice president of energy research at IHS, who moderated the panel.
On one side of political risk is expropriation of assets, and on the other, regime change, such as the recent death of Hugo Chavez and the realm of uncertainty it brings. Geopolitical events such as last year's uprising in Libya add an additional layer of risk.
"We need to think of these risks in the totality, not just the initial reaction," Fryklund commented.
The oil and gas industry faces uncertainty above and below ground, said Repsol Chief Operating Officer Nemesio Fernandez-Cuesta. Above the ground, the company has recently faced changes to tax laws in all of the countries in which it operates worldwide.
Repsol is seeing a trend of higher taxes accompanying higher resource prices as countries seek more tax revenues for their governments. In Spain, the government has said that it would raise taxes if oil is found in the Canary Islands, Fernandez-Cuesta said. The attitude of "resources for the people" is also showing up in changing fiscal and other terms, with increased local content requirements or, in the case of Mexico, requirements that reserves cannot be removed.
Oil and gas companies also must deal with growing geopolitical risk, which Repsol faced when it had to evacuate its workers and shut down operations in Libya last year. The company's evacuation of workers and shutdown of operations proved that its risk system was well organized, Fernandez-Cuesta said.
On its Argentina operations, Fernandez-Cuesta said the company met with Argentina's energy ministry in late November to discuss Argentina's takeover of YPF SA. Late last year, the company filed suit at the World Bank's arbitration tribunal seeking $10.5 billion from Argentina for its expropriation of 51 percent of YPF last May, the Financial Times reported Dec. 4, 2012.
"Change is the new reality," said Fernandez-Cuesta, adding that oil and gas companies must cooperate with government agencies and operate under the law.
Diversity of assets is key not only for oil and gas operators, but also for offshore contractors and other players, so that companies are not exposed solely to one market.
"You can't have a balance sheet in only one country," said Fernandez-Cuesta.
The oil and gas industry also faces cyberattacks at an average rate of 2.4 million times per week, and even though most companies think they aren't being attacked, they are, said Kristin Lovejoy, general manager of IBM's security services division.
The good news is that the oil and gas industry is not at the top of the list, but ranks seventh among industries facing cyberattacks, said Lovejoy. However, the oil and gas industry is relatively immature in its ability to identify and mitigate cybersecurity risks compared with industries that are heavily regulated due to government mandates, such as the real estate industry. The Patriot Act mandate requires industries that could be used as vectors for terrorism or fraud to be able to identify these potential threats, Lovejoy noted.
The growing emphasis on technology research and development within the industry means oil and gas companies must think of the risks when opening up their systems. Investment in technology and worker education are not enough, said Lovejoy, noting that companies must decide what data should be protected and apply the proper level of control on the right assets, rather than across the board.
Opportunists, or script kiddies, pose the biggest source of cybersecurity risk to the oil and gas industry. These hackers launch cyberattacks for the sake of launching an attack. Sophisticated hackers such as terrorists, cartels or even national governments pose the second biggest risk, Lovejoy commented. Disgruntled employees and social activists are the third and fourth largest sources of cyberattacks.
Cyberattacks happen because of poor computer hygiene habits, Lovejoy said, such as:
- end users who double-click links they shouldn't
- weak password or default password use
- insecure computer configuration
- use of legacy hardware and software
- lack of basic network security
The evolving risks facing the oil and gas industry are also changing the duties of managers at oilfield service company Schlumberger Ltd., said Satish Pai, executive vice president of operations at Schlumberger. A large part of an oilfield service company line manager's job was operational risk, including environmental and safety issues. While managing these risks is still important, an effective line manager must also master managing security, geopolitical and IT risks, which are playing a bigger role in a manager's job.
"The amount of time before something happens, before something becomes a full-blown crisis, passes quickly," Pai commented, leaving no time for managers to sit and contemplate the issue as news reports, social media and email mean managers must have an answer to a crisis quickly.
To address these risks, the company has adopted a crisis management system and runs periodic desktop drills that run up to the board level to prepare for sudden crises. The company maps those risks according to country of operation, business functions, research and development centers and product lines, said Pai. Each year, the company identifies the top 10 risks Schlumberger faces at the time.
In countries where Schlumberger has more than 1,000 employees, the company's system allows it to quickly determine which workers are in that country and information on their next of kin. The company then uses text messaging to disperse information quickly.
Saipem sees diversification as key to mitigating risks, said its CEO Umberto Vergine. To ensure the company is not too dependent on one region of the world, the engineering, procurement and construction (EPC) contractor has built a global engineering network. The company also seeks to control the traditional contractor risks by controlling the critical EPC phases, and has acquired engineering expertise and a specialized fleet to gain this control.
While local content can pose a risk for oil and gas companies, it has been a cornerstone of Saipem's business philosophy. Vergine noted that 70 percent of the company's 45,000 global employees were hired locally, and this deep engagement in the countries in which it operates has proven successful for the company.
Protecting its team and doing the job for which it is contracted are Saipem's two main priorities, said Vergine, adding that the company won't enter a country where it can't do both. Developing a security plan and hiring the best security available are also key to Saipem's business plan, Vergine noted.
When asked what the greatest risk was facing the oil and gas industry, the panel of four was split on cyber and political risk.