Abstract

The successful implementation of a sustainable and robust Enterprise Risk Management (ERM) Program is critical for oil and gas companies. One key challenge is the integration of ERM principles with the standard business planning and decision-making processes of companies to better manage complex and interrelated risks. The paper presents a methodology that combines the ERM principles promoted by both the International Standards Organization (ISO 31000) and the Committee of Sponsoring Organizations (COSO) to manage the wide variety of risks that are common to oil and gas companies. It includes examples of how it can be applied to the management of one of the top risks in the oil and gas industry, namely cyber risks. The methodology focuses on the integration of a bottom-up approach coupled with a strategic top-level plan. This methodology allows complex risks, such as cybersecurity, to be appropriately managed at various organizational levels within a company. Furthermore, it outlines the governance structure and corporate-level oversight that are needed for the management of interrelated risks. In addition, it sheds light on the role that risk management functions, such as information security, can play in overseeing the management of such corporate-level risks. The methodology is particularly effective in achieving the cost and operational efficiencies that are introduced by the active involvement of risk management functions. Cost efficiencies include the reduction and removal of redundant and duplicated risk treatment actions across various organizational levels. Moreover, operational efficiencies are achieved by sharing best practices and enhancing relevant supporting processes to better address imminent risks.
