KPC ERM Journey 2002 - 2012

Kuwait Petroleum Corporation
• The national oil company of Kuwait;
• Operates in Exploration and Production, Refining, Petrochemical and Transportation;
• Activities concentrated domestically with increasing growth overseas;
• Overseas expansion mostly through joint ventures and joint operations;
• Production currently in excess of 3,200,000 BPD and 1Bn SCFD of associated and free gas;
• Petrochemical business focused on poly-olefins, aromatics and glycols;
• Turnover – KD 29.085bn (2010/11)
• Assets – cKD 24bn (2010/11)
• Capex in fixed assets KD1.5bn (2010/11)
• Number of employees – c17 000
















Why Implement ERM?

• KOC – GC15/BS130
• SHELL Brent Spar-rig disposal
• KNPC – MAA Refinery

Leading to
• Financial loss
• Business interruption; continuity of operations
• Loss of reputation and market share

Engraining ERM into Business Performance

KPC Performance
• Objectives fulfilled
  - Risks effectively managed within Risk Tolerance levels
  - Opportunities seized
• Performance Measures delivered
  - KPMs remain within boundaries of Threshold to Stretch

ERM Performance

Personal Performance

How to link ERM roles and responsibilities into overall performance evaluation?

• Recognition
  - By stakeholders
  - In Appraisal/Performance Review
• Reward
  - Merit increases
  - Bonus system
  - Share in success
  - Personal Satisfaction & Self Esteem

KPC ERM Journey

Avanon OpRisk Suite
• OpRisk Reporting Module (ORM)
• Action Tracking Module (ATM)
• Loss Tracking Module (LTM)
• Self Assessment Module (SAM)
• Indicator Rating Module (IRM)
• Quants. (QTM)
• Administration Management Module (AMM)

Establish the Context
Assess Risks: Identify Risks; Analyze Risks; Integrate Risks; Evaluate Risks
Treat Risks
Monitor & Review
Communicate & Consult

• Corporate Risk Management Department formed in 2002; essentially an insurance buyer of standard energy policies;
• Defined an Enterprise Risk Management (ERM) Strategy in 2005 based upon the principles of COSO and the AS/NZS 4360:2004 Risk Management Guidelines;
• Implemented first phase of strategy through 2006 and 2007 with following features:
  - ERM Policy created;
  - Subsidiaries implemented policy at subordinate level
  - ERM Framework and procedures introduced;
  - Semi-qualitative risk matrix and risk register developed;
  - Integrated processes adapted and deployed;
  - Early risk quantification of some key risks;
  - Resource growth and capability building;
  - ERM Information System from Avanon introduced;
  - Insurance programs continue to be adapted;
• In 2009 our ERM maturity was deemed to be comprehensive, but still some way from being strategic. A series of steps still to be taken to make risk a strategic issue.
• ERM 2030 Strategy developed in 2010 with implementation beginning September 2011.



Level 5 Strategic
Risk management is built into decision-making. The organization selectively seizes opportunities because of its special ability to exploit risks.
• Focus on value creation and preservation
• Institutionalized
• Confidence in ability to manage risks based on track record

Level 4 Integrated
Risks are treated as a portfolio at the enterprise level and are correlated and aggregated across risk types and business units.
• Calculation of risk measures that can be aggregated
• Risk treatment integrated and costs optimized

Level 3 Comprehensive
Risk management is enterprise-wide and encompasses all risk types including strategic and operational.
• Risks clearly linked to strategic objectives
• Defined and documented
• Forward looking
• Clear accountability

Level 2 Fragmented
Risk management functions independently within business units. Risk types managed are limited to hazard, financial, and compliance.
• Capabilities vary across BUs
• No cross-BU coordination
• Some expertise within limited number of risk types such as market, credit, or hazard

Level 1 Initial/Ad Hoc
Risk management activities are ad hoc. No overarching risk management philosophy or objectives are defined.
• Success depends on individuals
• People are unaware of risks
• Risks managed reactively

SOURCE: Deloitte LLC


[Figure: positioning of numbered companies; only the labels and notes below survive]

Company groups: Middle East NOCs; Asia Pacific NOCs & Mineral Companies; Africa & Latin America NOCs; US & Canada IOCs; Europe IOCs & NOCs; Privately Held

Chart labels: Ad Hoc / Initial; 2030 Strategy

• 1 - no ERM at corporate • ERM policies but no programs at some subs
• 2 - no ERM at corporate • ERM programs at some subs
• 3 - purely qualitative • Controls and compliance driven
• 4 - Performed qualitative assessments • Looking to implement RAROC
• 5 - Strategic-minded CEO seeks ERM to be strategic decision-making tool
• 6 - Qualitative analysis • No plans to move forward
• 7 - Strong HSE • Controls and compliance driven
• 8 and 9 are minerals companies • 8 is implementing ERM system which will move to comprehensive • 9 has solid comprehensive programs, controls-focus
• 10 – Currently focused on ERP implementation • 11 & 12 - controls-oriented risk mgmt • No systematic risk mgmt
• 13 - Corporate program assessing all risk types, all business units • ERM system in place globally
• 14 - Top-down EaR model using DFA • No plans to improve
• 15 & 16 are highly comprehensive • Correlate market risks • Don’t integrate financial and operational
• 17 - Perform risk mgmt for some risk types • Considered risk measures but taken no action
• 18 - Implemented a comprehensive but qualitative ERM program
• 19 - Pockets of advanced risk measurement capabilities • Not consistent across subs
• 20 is well known for strategic scenario planning to identify emerging risks and intends to overtake 21
• 21 integrates market and credit risk but not operational risks
• 22 - Was implementing ERM program until family feud caused restructuring and hold on program
• 23 - Known for EaR implementation and capital allocation applications across business units

The positioning of the companies on this page has been determined based on publicly available information, Deloitte published articles, articles by company representatives, and from speaking to subject matter experts who have experience from working with the companies. Due to the proprietary and strategically sensitive nature of some of the information, the identities of individual companies have been protected.

Lessons Learned
• Support from the Executive is vital and has to be sustainable;
• Centralized, hybrid or decentralized approaches need to be carefully considered at the outset. It can and does change with personality and regimes. Demonstrable benefits should outweigh any personal preferences;
• While decentralization imparts degrees of autonomy, it presents other difficulties where differing metrics, methods and processes are deployed. When a business comes to examine its portfolio and the integration of the sectors, inconsistencies are difficult to unwind. Going forward the group elected to proceed with a more centrally driven model;
• Project management is enhanced when there is a centrally driven model too, especially with the resources and effort being coordinated across the group rather than independent of one another;
• Semi-quantification of risk and having an accompanying risk matrix was not sufficient to focus attention on what might be considered the major risks. Numbers were required to generate interest and impart relevance. Massive risk registers have limited utility;
• More work was required to take risk to the strategic level.

Centralized, Decentralized & Hybrid Risk Governance Models

Centralized
• Risk Management Responsibilities: Primary responsibility for risk management resides in a centralized risk management function headed by a CRO.
• Risk Policies: Risk policies and strict guidelines are set by the central unit and are cascaded throughout the enterprise.
• Day-to-Day Risk Management: The central risk function works in association with risk management committees and reports to a senior executive of the entity.
• Risk Management Oversight: Risk management oversight is performed by risk management committees in association with the centralized unit and report to senior executive of the firm.
• Risk Definition & Methodology: The central risk function establishes uniform risk measurement definitions and procedures. It mandates the use of consistent methodologies across business units and risk types.
• Risk Limits & Compliance: The central risk function sets risk appetite, tolerances, and limits and monitors compliance.
• Information Systems: A centralized risk management information system is deployed across all business units.

Hybrid
• Risk Management Responsibilities: Responsibility for risk management is shared by corporate and business unit risk management functions, each within defined spans of control.
• Risk Policies: A corporate risk policy is set by the central unit with supporting risk policies set by the operating units.
• Day-to-Day Risk Management: Operating units perform day-to-day risk management activities, subject to general policies set by central risk management unit as well as routine monitoring by that function.
• Risk Management Oversight: Risk management oversight of corporate-level key risks is performed by senior management or a group-level committee. Business unit risk management committees monitor business unit key risks.
• Risk Definition & Methodology: Business units adopt risk measurement definitions and risk methodology from guidelines in the corporate risk policy set by the central unit.
• Risk Limits & Compliance: A group-level committee sets the parameters within which the business units operate. Business unit risk committees and management define risk tolerances and limits within the overall corporate risk appetite and oversee compliance.
• Information Systems: Systems differ by business units and risk types. Group-level systems are in place to develop a portfolio view on risk.

De-Centralized
• Risk Management Responsibilities: Primary responsibility for risk management resides in the business units.
• Risk Policies: Risk policies are set by the business units with no overarching risk policy set by corporate.
• Day-to-Day Risk Management: Operating units have primary day-to-day responsibility for risk management.
• Risk Management Oversight: Risk management oversight is performed by the business units.
• Risk Definition & Methodology: Risk measurement definitions and methodologies differ by business units.
• Risk Limits & Compliance: Business unit managers or staff set risk limits and monitor compliance independently.
• Information Systems: Systems differ by business units and risk types. No electronic feeds exist for the purposes of integrating or aggregating, measuring, monitoring, or reporting on a portfolio basis.

KPC ERM 2030 Strategy

Pros and Cons of Centralized & Decentralized Risk Governance Models

A global, centralized approach to risk analysis can fail to identify specific risk levels in specific products, functions, or activities. Conversely, a functional, decentralized approach can miss consolidated risks. Risk-analysis methods which incorporate aspects of both approaches (centralized and decentralized, also known as hybrid) are more effective.

A review of the global organization may reveal risk concentrations not readily identifiable from the limited view of the business unit on a standalone basis. The consolidation of risk information allows the enterprise to identify, measure, and control its risks, while giving the necessary consideration to the breakdown of exposures by legal entity. Identified risks at one entity may be compensated for by offsetting exposures at another entity.

Centralized – Pros
• Policies, processes, procedures are standardized facilitating risk aggregation and reporting.
• Uniform risk measurement techniques allow direct comparison of risks across business units and risk types to create a group level risk profile.
• Simplicity of structure provides clear reporting lines and responsibilities.

Centralized – Cons
• Individual business unit risks vary and may not be modeled accurately by a single methodology.
• Can fail to identify specific risk levels in specific products, functions, or activities.
• Risk management personnel may not be familiar enough with the risks to assess them accurately or identify effective and efficient risk treatment.

Decentralized – Pros
• Business unit staff are better placed to assess and select the risks that the group will assume.
• There is flexibility to define and analyze risks that may be unique to a specific business unit.
• Business units are empowered to make decisions that optimize their individual performance.

Decentralized – Cons
• Decisions made in silos can unintentionally impact multiple units or result in exceeding the risk appetite of the group.
• A decentralized approach can miss risk interactions and result in a sub-optimized group risk portfolio.



Transition to KPC 2030 ERM Strategy

KPC ERM program is designed to help Kuwait’s oil sector to better understand and take greater control of its risks

Key objectives of the KPC risk journey
• Achieve high certainty that the oil sector will meet the expectations of the State
• Ensure the availability of adequate funding to support oil sector capital expenditure
• Enable the oil sector to make a more fact-based and quantitative assessment of risk vs. return tradeoffs in its activities and projects

SOURCE: Team analysis

Strategic Directions

Strategic Objectives

Strategic Initiatives



Strategic Directions (3)


Implement risk management best practices in all activities related to KPC businesses


Link strategic decision making process with risk management in all KPC’s business areas and maximize their integration


Aggregate and manage risks as a portfolio



Strategic Objectives (8)


To integrate enterprise risk management into KPC’s daily activities and those of its business partners


To ensure the optimal balance of risk and reward whilst pursuing KPC’s objectives


To promote risk management culture where risk is everyone’s business from the Board to the field and plant


To recruit, develop, and deploy leading ERM practitioners


To implement risk management best practices in all activities related to KPC businesses


To link strategic decision making process with risk management in KPC business areas and maximize their integration


To aggregate and manage risks as a portfolio


To launch an ERM eminence building program.


Program Org.

Steering Committee (KPC-ROC)

Training & change Mgt.

Program Management Office

Technical methods and tools – with external support Deploy @ Risk measures

Quantify Group Risks

Aggregate risks

Risk appetite

Project RAROC

Capital allocation


Organizational methods and processes – internally derived Quick hit enhancements


ERM embed in business

Risk Governance

Optimized Risk Financing

Risk Management Competency

Eminence Building



Access
• To solicit views and opinions on business challenges, risk perspectives and expected strategic outcomes.
• To secure demonstrable support on the ERM 2030 Strategy implementation.
• To share direction when shaping the future state of KPC risk management activities.

Adequate Support
• Functional group personnel (operations, finance, marketing, etc.) will need to engage to a variable degree during the project, as demanded by each initiative. Some resource may need to be committed extensively, but for a finite period, to an initiative where it directly involves that business unit and function. Data requirements will be considerable: swift release of business data (financial, performance, loss, marketing, planning, capital projects etc.) will be needed to allow risk modeling to proceed in a timely manner.

First class participation
• Engagement and participation in the overall project management, execution and delivery;
• Initiative teams (as selected) to be of the highest calibre;
• Initiatives driven within each business, with reports on the overall progress to the leadership;
• Security of resource from within the businesses as warranted by the project.

Risks, Risk Modeling and Metrics

Model top risk effects via quantitative risk model

[Figure: diagram labels only]
• Risk assessment
• Cash flow at risk model
• Quantitative risk model
• $55 Forward Curve
• Capex
• Production disruption
• Political ▪ Tax changes ▪ Nationalization
• Company portfolio
• Project valuation model
• Company-by-company profiles ▪ Production ▪ Capex ▪ Opex
• Risk return portfolio model

Industry has a limited set of project growth options. We characterised these with 28 projects covering 75% of industry growth potential

Growth initiatives/Strategic projects (map labels): NA Arctic gas; Norway oil; U.K. oil; Canada oil sand; U.K. gas; Russia non-PSC; NA Steam flood; US onshore gas; Mexico DW; NOC redevelopment; Nigeria DW; Central Africa Oil; Mid East LNG; Mid East GTL; NOC bonus buyback; Oman oil; Malaysia DW; Angola DW; OECD Frontier Exploration; Non-OECD Frontier Exploration

Estimated 75% of future hydrocarbon resource types modelled

Source: USGS; McKinsey

SOURCE: McKinsey Risk Practice



KPC’s strategic directives (not exhaustive)…

Upstream
▪ Increase crude production to 4.0 mmbpd by 2020
▪ Increase non-assoc. gas prod. capacities to 2.1 Bcsf/d by 2020
▪ …

Downstream
▪ Grow domestic refining capacity to 1.4 mmbpd (new built) and subsequent 1,6 (tbc) mmbpd (enhancement of facilities)
▪ Increase refining complexity (CFP)
▪ …

Midstream and others
▪ Human Capital attraction and retention
▪ …

KPMs help measure success of these directives….

▪ Profit margin ▪ ROACE ▪ …
▪ Cost of risk ▪ R&T spend vs. plan ▪ …

Production/capacity
▪ Free gas production ▪ Proven reserves ▪ …

▪ Fatal cases ▪ Environmental incidents ▪ …

Kuwaitization and stakeholders
▪ Percentage of Kuwaitis in KPC ▪ Share of Capex spent locally ▪ …

Ability to attain targets on KPMs is influenced by multiple risks

▪ Strategic project risk
▪ Political/regulatory
▪ Operational/technical
▪ Portfolio/business risk
▪ Financial risks (counterparty, liquidity, market)

Top risks

3 step approach to arrive at list of top 10 risks for KPC
▪ Evaluate high and very high risks from bottom up KPC risk registry
▪ Compare with risks most important to Oil and Gas industry in top-down review
▪ Map risks against KPC strategic directives

Risk categories: Political/regulatory risk; Strategic project risk; Portfolio/business risk; Financial risk (Counterparty, Liquidity, Market); Operational/technical risk

1 ▪ External influence on key decisions
2 ▪ War or political instability in the region
3 ▪ Large project execution risks
4 ▪ Disruptions in hydrocarbon market due to demand shifts in import countries
5 ▪ Global crude/gas price volatility and related country/credit risk
6 ▪ Refining/petrochemical margins and related FX risks
7 ▪ HSSE and HR risks
8 ▪ Operational risks leading to unplanned shutdowns or other supply chain disruptions
9 ▪ New technologies risks
10 ▪ Company reserves

Risk measures

Risk measures chosen on the basis of KPC and K-Companies KPMs
• For financial KPMs (e.g., ROACE), cash flow identified as main driver of uncertainty
• For non-financial KPMs, production and capacity levels identified as most impactful factors

Financial risk measures (risk measure: probability distribution variable)
• Cash flow for KPC and Subsidiaries: Annual cash flow for next year(s) (operating cash flow)
• Stakeholder and KPC cash flow: Annual cash flow to both Kuwaiti government and KPC (remaining cash flow share)

Nonfinancial risk measures (risk measure: probability distribution variable)
• Crude capacity: Annual crude capacity
• Gas production: Annual associated and nonassociated gas production
• Refining capacity: Annual refining capacity


Rank risks based on contribution to total cash flow at risk, and quantify diversification effect

5 year cash flows (2012-16) – KD mn
Cash Flow @ Risk = Baseline – 5th Percentile

Risks (chart rows; values not recoverable): Global crude/gas price volatility; External influence on key decisions; Large project execution risks; New technologies risks; Refining/petrochemical prices; Operational risks; HSSE and HR risks; Diversification; Total

Baseline refers to currently projected cash flows from the 5 Year plan from 2012-2016

Diversification results from low or negative correlation of various individual risks leading to total risk lower than sum of individual risks

SOURCE: K-Company CFAR model – illustrative example. Team analysis

Several questions will come into focus over time

Key questions going forward
• What are our options in dealing with the quantified risks?
• How can we incorporate these risk insights into the planning and decision-making process?
• What are the challenges to using the model in our day-to-day business?
• What is our risk tolerance level? How much cash flow at risk is acceptable?

Governance, Transformation and Change

Benefits of Good Risk Governance

Organizations that are most effective and efficient in managing risks to both existing assets and to future growth will, in the long run, outperform those that are less so. The Association of British Insurers has collected extensive data on corporate performance and risk governance practices and has demonstrated that companies adhering to sound risk governance practices are indeed realizing higher returns and lower volatility (ABI, Governance and Performance in Corporate Britain, 2008). Risk governance brings a number of benefits to the organization. The list below was compiled by the Institute of Chartered Accountants of England and Wales (ICAEW). They include:
• Greater likelihood of achieving objectives;
• Higher share price over the long term;
• Greater likelihood of successful change initiatives;
• Lower cost of capital;
• Early mover into new and profitable business areas;
• Reduced insurance premiums;
• Achievement of competitive advantage;
• Less business interruption; and
• Achievement of compliance and regulatory requirements.

Source: McKinsey Global Survey – Governance Since the Economic Crisis, July 2011

Boards optimize the risk exposure for the company by taking ownership of understanding the business strategy for future growth and protection of existing assets, obtaining reasonable assurance from management that there are capable people, processes and systems to effectively manage the business and the associated risks, and actively communicating appropriate tone at the top. This, in turn, fosters risk awareness and clear risk ownership.

SOURCE: KPC ERM 2030 Strategy, 2010

Limitations of Risk Governance and ERM

Businesses across the globe are realizing the benefits of designing and implementing a robust ERM program to inform decision making within the organization. Whilst it may be easy to understand what ERM is and what it can do for KPC, it is also equally important to understand exactly what it is not. Some common misconceptions may be corrected by understanding what ERM is limited in achieving. These limitations include:

1. Risk management will not make decisions for the organization. ERM can assist managers and executives in making informed decisions. However, these decisions will be limited by the amount and quality of data available, by the skills and experience of the staff performing the risk analysis, by the understanding of management of the business, and by the transparency and effectiveness of the communication channels for reporting the risk analysis results. Management judgment therefore continues to be important when taking decisions.

2. Risk management will not guarantee freedom from all risk. While it is only possible to predict most negative consequences to a business, an ERM program can help the Board, senior management, and staff be prepared for an adverse event. As stated in the introduction, to eliminate risk is to eliminate opportunity. For this reason and others, while some risks may be mitigated or avoided, other risks may be accepted or seized upon by the organization.

3. Risk management will not guarantee that accidents will not happen. Where humans are involved in the operation of an organization there is always the possibility that a mistake may happen. It is envisaged that by assessing risks relevant to decision-making processes that these decisions are more informed, and therefore the consequences of a mistake will not breach risk tolerance levels.

SOURCE: KPC ERM 2030 Strategy, 2010

Business risk dashboard (5-year)

[Charts: panel titles and labels only; plotted values not recoverable]

Panels: Contribution to State (KD bn), 2011/12 to 16/17; Stochastic risks – Contribution to State at risk; Stochastic risks – Cash flow probability distribution; Scenario risks – Impact on mean contribution to State; Cumulative risk, KD bn, discounted (2011/12 – 16/17); Gas production; Crude production capacity

Percentile bands: 5th percentile; 95th percentile

Risk labels: 1- External influence (Approval delay risk); War/political instability; 3- Large project execution risk; Disruption in hydrocarbon market; 5a- Global crude and gas volatility; 6c- Foreign exchange volatility; Company Reserves; Diversification; Total

SOURCE: K Company CFAR model


Thank You

