KPC ERM Journey 2002 - 2012
Kuwait Petroleum Corporation
• The national oil company of Kuwait;
• Operates in Exploration and Production, Refining, Petrochemical and Transportation;
• Activities concentrated domestically with increasing growth overseas;
• Overseas expansion mostly through joint ventures and joint operations;
• Production currently in excess of 3,200,000 BPD and 1Bn SCFD of associated and free gas;
• Petrochemical business focused on poly-olefins, aromatics and glycols;
• Turnover – KD 29.085bn (2010/11)
• Assets – cKD 24bn (2010/11)
• Capex in fixed assets KD1.5bn (2010/11)
• Number of employees – c17 000
Why Implement ERM?
KOC – GC15/BS130 SHELL Brent Spar-rig disposal
KNPC – MAA Refinery Leading to
Business interruption; continuity of operations
Loss of reputation and market share
Engraining ERM into Business Performance • Objectives fulfilled KPC Performance
Risks effectively managed within Risk Tolerance levels Opportunities seized
• Performance Measures delivered KPMS remain within boundaries of Threshold to Stretch
How to link ERM roles and responsibilities into overall performance evaluation?
• Recognition By stakeholders In Appraisal/Performance Review
Merit increases Bonus system Share in success Personal Satisfaction & Self Esteem
KPC ERM Journey
Avanon OpRisk Suite: OpRisk Reporting Module (ORM); Action Tracking Module (ATM); Loss Tracking Module (LTM); Self Assessment Module (SAM); Indicator Rating Module (IRM); Administration Management Module (AMM)
Establish the Context; Identify Risks; Analyze Risks; Integrate Risks; Evaluate Risks; Assess Risks; Monitor & Review; Communicate & Consult
• Corporate Risk Management Department formed in 2002; essentially an insurance buyer of standard energy policies;
• Defined an Enterprise Risk Management (ERM) Strategy in 2005 based upon the principles of COSO and the AS/NZS 4360:2004 Risk Management Guidelines;
• Implemented first phase of strategy through 2006 and 2007 with the following features:
  • ERM Policy created; Subsidiaries implemented policy at subordinate level
  • ERM Framework and procedures introduced;
  • Semi-qualitative risk matrix and risk register developed;
  • Integrated processes adapted and deployed;
  • Early risk quantification of some key risks;
  • Resource growth and capability building;
  • ERM Information System from Avanon introduced;
  • Insurance programs continue to be adapted;
• In 2009 our ERM maturity was deemed to be comprehensive, but still some way from being strategic. A series of steps still to be taken to make risk a strategic issue.
• ERM 2030 Strategy developed in 2010 with implementation beginning September 2011.
Level 5 Strategic
Risk management is built into decision-making. The organization selectively seizes opportunities because of its special ability to exploit risks.
• Focus on value creation and preservation • Institutionalized • Confidence in ability to manage risks based on track record
Level 4 Integrated
Risks are treated as a portfolio at the enterprise level and are correlated and aggregated across risk types and business units.
• Calculation of risk measures that can be aggregated • Risk treatment integrated and costs optimized
Level 3 Comprehensive
Risk management is enterprise-wide and encompasses all risk types including strategic and operational.
• Risks clearly linked to strategic objectives • Defined and documented • Forward looking • Clear accountability
Level 2 Fragmented
Risk management functions independently within business units. Risk types managed are limited to hazard, financial, and compliance.
• Capabilities vary across BUs • No cross-BU coordination • Some expertise within limited number of risk types such as market, credit, or hazard
Level 1 Initial/Ad Hoc
Risk management activities are ad hoc. No overarching risk management philosophy or objectives are defined.
• Success depends on individuals • People are unaware of risks • Risks managed reactively
SOURCE: Deloitte LLC
Positioning of companies by ERM maturity (scale starting at Ad Hoc / Initial). Groups shown: Middle East NOCs; Asia Pacific NOCs & Mineral Companies; Africa & Latin America NOCs; US & Canada IOCs; Europe IOCs & NOCs.
• 1 - No ERM at corporate • ERM policies but no programs at some subs
• 2 - No ERM at corporate • ERM programs at some subs
• 3 - Purely qualitative • Controls and compliance driven
• 4 - Performed qualitative assessments • Looking to implement RAROC
• 5 - Strategic-minded CEO seeks ERM to be strategic decision-making tool
• 6 - Qualitative analysis • No plans to move forward
• 7 - Strong HSE • Controls and compliance driven
• 8 and 9 are minerals companies • 8 is implementing ERM system which will move to comprehensive • 9 has solid comprehensive programs, controls-focus
• 10 – Currently focused on ERP implementation • 11 & 12 - controls-oriented risk mgmt • No systematic risk mgmt
• 13 - Corporate program assessing all risk types, all business units • ERM system in place globally
• 14 - Top-down EaR model using DFA • No plans to improve
• 15 & 16 are highly comprehensive • Correlate market risks • Don’t integrate financial and operational
• 17 - Perform risk mgmt for some risk types • Considered risk measures but taken no action
• 18 - Implemented a comprehensive but qualitative ERM program
• 19 - Pockets of advanced risk measurement capabilities • Not consistent across subs
• 20 is well known for strategic scenario planning to identify emerging risks and intends to overtake 21
• 21 integrates market and credit risk but not operational risks
• 22 - Was implementing ERM program until family feud caused restructuring and hold on program
• 23 - Known for EaR implementation and capital allocation applications across business units
The positioning of the companies on this page has been determined based on publicly available information, Deloitte published articles, articles by company representatives, and from speaking to subject matter experts who have experience from working with the companies. Due to the proprietary and strategically sensitive nature of some of the information, the identities of individual companies have been protected.
Lessons Learned
• Support from the Executive is vital and has to be sustainable;
• Centralized, hybrid or decentralized approaches need to be carefully considered at the outset. The approach can and does change with personality and regimes. Demonstrable benefits should outweigh any personal preferences;
• While decentralization imparts degrees of autonomy, it presents other difficulties where differing metrics, methods and processes are deployed. When a business comes to examine its portfolio and the integration of the sectors, inconsistencies are difficult to unwind. Going forward the group elected to proceed with a more centrally driven model;
• Project management is enhanced when there is a centrally driven model too – especially with the resources and effort being coordinated across the group rather than independent of one another;
• Semi-quantification of risk and having an accompanying risk matrix was not sufficient to focus attention on what might be considered the major risks. Numbers were required to generate interest and impart relevance. Massive risk registers have limited utility;
• More work was required to take risk to the strategic level;
Centralized, Decentralized & Hybrid Risk Governance Models
Risk Management Responsibilities
Day-to-Day Risk Management
Risk Management Oversight
Risk Definition & Methodology
Risk Limits & Compliance
Centralized
• Primary responsibility for risk management resides in a centralized risk management function headed by a CRO.
• Risk policies and strict guidelines are set by the central unit and are cascaded throughout the enterprise.
• The central risk function works in association with risk management committees and reports to a senior executive of the entity.
• Risk management oversight is performed by risk management committees in association with the centralized unit, which report to a senior executive of the firm.
• The central risk function establishes uniform risk measurement definitions and procedures. It mandates the use of consistent methodologies across business units and risk types.
• The central risk function sets risk appetite, tolerances, and limits and monitors compliance.
• A centralized risk management information system is deployed across all business units.
Hybrid
• Responsibility for risk management is shared by corporate and business unit risk management functions, each within defined spans of control.
• A corporate risk policy is set by the central unit with supporting risk policies set by the operating units.
• Operating units perform day-to-day risk management activities, subject to general policies set by central risk management unit as well as routine monitoring by that function.
• Risk management oversight of corporate-level key risks is performed by senior management or a group-level committee. Business unit risk management committees monitor business unit key risks.
• Business units adopt risk measurement definitions and risk methodology from guidelines in the corporate risk policy set by the central unit.
• A group-level committee sets the parameters within which the business units operate. Business unit risk committees and management define risk tolerances and limits within the overall corporate risk appetite and oversee compliance.
• Systems differ by business units and risk types. Group-level systems are in place to develop a portfolio view on risk.
De-Centralized
• Primary responsibility for risk management resides in the business units.
• Risk policies are set by the business units with no overarching risk policy set by corporate.
• Operating units have primary day-to-day responsibility for risk management.
• Risk management oversight is performed by the business units.
• Risk measurement definitions and methodologies differ by business units.
• Business unit managers or staff set risk limits and monitor compliance independently.
• Systems differ by business units and risk types. No electronic feeds exist for the purposes of integrating or aggregating, measuring, monitoring, or reporting on a portfolio basis.
KPC ERM 2030 Strategy
Pros and Cons of Centralized & Decentralized Risk Governance Models A global, centralized approach to risk analysis can fail to identify specific risk levels in specific products, functions, or activities. Conversely, a functional, decentralized approach can miss consolidated risks. Risk-analysis methods which incorporate aspects of both approaches (centralized and decentralized, also known as hybrid) are more effective.
A review of the global organization may reveal risk concentrations not readily identifiable from the limited view of the business unit on a standalone basis. The consolidation of risk information allows the enterprise to identify, measure, and control its risks, while giving the necessary consideration to the breakdown of exposures by legal entity. Identified risks at one entity may be compensated for by offsetting exposures at another entity.
Policies, processes, procedures are standardized facilitating risk aggregation and reporting. Uniform risk measurement techniques allow direct comparison of risks across business units and risk types to create a group level risk profile. Simplicity of structure provides clear reporting lines and responsibilities.
Individual business unit risks vary and may not be modeled accurately by a single methodology. Can fail to identify specific risk levels in specific products, functions, or activities. Risk management personnel may not be familiar enough with the risks to assess them accurately or identify effective and efficient risk treatment.
Business unit staff are better placed to assess and select the risks that the group will assume. There is flexibility to define and analyze risks that may be unique to a specific business unit. Business units are empowered to make decisions that optimize their individual performance.
Decisions made in silos can unintentionally impact multiple units or result in exceeding the risk appetite of the group. A decentralized approach can miss risk interactions and result in a sub-optimized group risk portfolio.
Transition to KPC 2030 ERM Strategy
KPC ERM program is designed to help Kuwait’s oil sector to better understand and take greater control of its risks
Key objectives of the KPC risk journey Achieve high certainty that the oil sector will meet the expectations of the State Ensure the availability of adequate funding to support oil sector capital expenditure Enable the oil sector to make a more fact-based and quantitative assessment of risk vs. return tradeoffs in its activities and projects
SOURCE: Team analysis
Strategic Directions (3)
Implement risk management best practices in all activities related to KPC businesses
Link strategic decision making process with risk management in all KPC’s business areas and maximize their integration
Aggregate and manage risks as a portfolio
Strategic Objectives (8)
To integrate enterprise risk management into KPC’s daily activities and those of its business partners
To ensure the optimal balance of risk and reward whilst pursuing KPC’s objectives
To promote risk management culture where risk is everyone’s business from the Board to the field and plant
To recruit, develop, and deploy leading ERM practitioners
To implement risk management best practices in all activities related to KPC businesses
To link strategic decision making process with risk management in KPC business areas and maximize their integration
To aggregate and manage risks as a portfolio
To launch an ERM eminence building program.
Steering Committee (KPC-ROC)
Training & change Mgt.
Program Management Office
Technical methods and tools – with external support Deploy @ Risk measures
Quantify Group Risks
Organizational methods and processes – internally derived Quick hit enhancements
ERM embed in business
Optimized Risk Financing
Risk Management Competency
Access
• To solicit views and opinions on business challenges, risk perspectives and expected strategic outcomes.
• To secure demonstrable support on the ERM 2030 Strategy implementation.
• To share direction when shaping the future state of KPC risk management activities
Adequate Support
• Functional group personnel (operations, finance, marketing, etc.) will be needed to engage to a variable degree during the project and as demanded by each initiative. Some resource may need to be committed extensively, but for a finite period, to an initiative where it directly involves that business unit and function. Data requirements will be considerable – swift release of business data (financial, performance, loss, marketing, planning, capital projects etc) will be needed to allow risk modeling to proceed in a timely manner.
First class participation
• Engage and participate in the overall project management, execution and delivery;
• Initiative teams (as selected) to be of the highest calibre;
• Initiatives driven within each business and reports on the overall progress to the leadership;
• Security of resource from within the businesses as warranted by the project.
Risks, Risk Modeling and Metrics
Model top risk effects via quantitative risk model Risk assessment Cash flow at risk model
$55 Forward Curve (chart)
Capex Production disruption
Political ▪ Tax changes ▪ Nationalization
Quantitative risk model
Project valuation model
▪ Production ▪ Capex ▪ Opex
Risk return portfolio model
Industry has a limited set of project growth options. We characterised these with 28 projects covering 75% of industry growth potential
Growth initiatives / Strategic projects: NA Arctic gas; Norway oil; U.K. oil; Canada oil sand; NA Steam flood; US onshore gas; Mexico DW; NOC redevelopment; Central Africa Oil; Mid East LNG; Mid East GTL; NOC bonus buyback; Oman oil; OECD Frontier Exploration; Non-OECD Frontier Exploration
Estimated 75% of future hydrocarbon resource types modelled
Source: USGS; McKinsey
SOURCE: McKinsey Risk Practice
KPC’s strategic directives (not exhaustive)…
Upstream
▪ Increase crude production to 4.0 mmbpd by 2020
▪ Increase non-assoc. gas prod. capacities to 2.1 Bcsf/d by 2020
▪ …
KPMs help measure success of these directives….
▪ Profit margin ▪ ROACE ▪ … ▪ Cost of risk ▪ R&T spend vs. plan ▪ …
Downstream
▪ Grow domestic refining capacity to 1.4 mmbpd (new built) and subsequent 1,6 (tbc) mmbpd (enhancement of facilities)
▪ Increase refining complexity (CFP)
▪ …
▪ Human Capital attraction Midstream and others
Kuwaitization and stakeholders
▪ Free gas production ▪ Proven reserves ▪ …
▪ Fatal cases ▪ Environmental incidents ▪ … ▪ Percentage of Kuwaitis in KPC
▪ Share of Capex spent locally ▪ …
Ability to attain targets on KPMs are influenced by multiple risks
▪ Strategic project risk ▪ Political/regulatory ▪ Operational/technical
▪ Portfolio/business risk ▪ Financial risks (counterparty, liquidity, market)
3 step approach to arrive at list of top 10 risks for KPC
▪ Evaluate high and very high risks from bottom up KPC risk registry
▪ Compare with risks most important to Oil and Gas industry in top-down review
▪ Map risks against KPC strategic directives
Risk categories shown: Political/regulatory risk; Strategic project risk; Financial risk (Counterparty, Liquidity, Market); Operational/technical risk
1 ▪ External influence on key decisions
2 ▪ War or political instability in the region
3 ▪ Large project execution risks
4 ▪ Disruptions in hydrocarbon market due to demand shifts in import countries
5 ▪ Global crude/gas price volatility and related country/credit risk
6 ▪ Refining/petrochemical margins and related FX risks
7 ▪ HSSE and HR risks
8 ▪ Operational risks leading to unplanned shutdowns or other supply chain disruptions
9 ▪ New technologies risks
10 ▪ Company reserves
Risk measures chosen on the basis of KPC and K-Companies KPMs
Financial risk measures
For financial KPMs (e.g., ROACE), cash flow identified as main driver of uncertainty For non-financial KPMs, production and capacity levels identified as most impactful factors
Cash flow for KPC and Subsidiaries
Stakeholder and KPC cash flow
Nonfinancial risk measures
Probability distribution variable
Annual cash flow for next year(s) (operating cash flow)
Annual cash flow to both Kuwaiti government and KPC (remaining cash flow share)
Annual crude capacity
Annual associated and nonassociated gas production
Annual refining capacity
Rank risks based on contribution to total cash flow at risk, and quantify diversification effect
5 year cash flows (2012-16) – KD mn
Cash Flow @ Risk = Baseline – 5th Percentile
Risks charted: Global crude/gas price volatility; External influence on key decisions; Large project execution risks; New technologies risks; Refining/petrochemical prices; Operational risks; HSSE and HR risks; Diversification; Total
Baseline refers to currently projected cash flows from the 5 Year plan from 2012-2016
Diversification results from low or negative correlation of various individual risks leading to total risk lower than sum of individual risks
SOURCE: K-Company CFAR model – illustrative example. Team analysis
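The calculation on this slide, worked through as an added example (not the K-Company CFAR model): a Monte Carlo run that computes Cash Flow @ Risk = Baseline – 5th Percentile per risk, ranks the risks, and reports the diversification effect. The baseline, volatilities and the one-factor correlation structure are constructed assumptions, not KPC figures.

```python
import math
import random

# Constructed illustrative inputs (KD mn over the plan period); not KPC data.
BASELINE = 10_000.0
# risk name -> (std. deviation of cash flow impact, loading on a shared factor)
# Loadings of opposite sign give negative correlation between two risks.
RISKS = {
    "crude/gas price volatility": (1500.0, 0.6),
    "large project execution": (800.0, 0.3),
    "refining/petrochemical prices": (600.0, -0.4),
    "operational shutdowns": (400.0, 0.0),
}


def percentile(values, q):
    """q-th percentile (0..100) with linear interpolation between ranks."""
    s = sorted(values)
    pos = (len(s) - 1) * q / 100.0
    lo, hi = math.floor(pos), math.ceil(pos)
    return s[lo] + (s[hi] - s[lo]) * (pos - lo)


def simulate(n=20_000, seed=1):
    """Draw correlated cash flow shocks per risk using a one-factor model."""
    rng = random.Random(seed)
    draws = {name: [] for name in RISKS}
    for _ in range(n):
        common = rng.gauss(0.0, 1.0)  # shared driver across risks
        for name, (sd, load) in RISKS.items():
            own = rng.gauss(0.0, 1.0)  # risk-specific driver
            z = load * common + math.sqrt(1.0 - load ** 2) * own
            draws[name].append(sd * z)
    return draws


def cfar(cash_flows, baseline=BASELINE):
    """Cash Flow @ Risk = Baseline - 5th percentile of simulated cash flows."""
    return baseline - percentile(cash_flows, 5)


def cfar_report(draws):
    """Return (risks ranked by standalone CFaR, diversification, total CFaR)."""
    n = len(next(iter(draws.values())))
    standalone = {
        name: cfar([BASELINE + shock for shock in shocks])
        for name, shocks in draws.items()
    }
    # Total: apply all shocks of the same scenario together, then take CFaR.
    total_flows = [
        BASELINE + sum(draws[name][i] for name in draws) for i in range(n)
    ]
    total = cfar(total_flows)
    # Diversification: how far the total falls short of the standalone sum.
    diversification = sum(standalone.values()) - total
    ranked = sorted(standalone.items(), key=lambda kv: kv[1], reverse=True)
    return ranked, diversification, total


if __name__ == "__main__":
    ranked, diversification, total = cfar_report(simulate())
    for name, value in ranked:
        print(f"{name:32s} {value:9.0f}")
    print(f"{'diversification':32s} {-diversification:9.0f}")
    print(f"{'total':32s} {total:9.0f}")
```

The diversification line is printed as a negative bar, so the column sums to the total in the same way as the waterfall the slide describes.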
Several questions will come into focus over time
Key questions going forward
What are our options in dealing with the quantified risks? How can we incorporate these risk insights into the planning and decision-making process?
What are the challenges to using the model in our day-to-day business? What is our risk tolerance level? How much cash flow at risk is acceptable?
Governance, Transformation and Change
Benefits of Good Risk Governance Organizations that are most effective and efficient in managing risks to both existing assets and to future growth will, in the long run, outperform those that are less so. The Association of British Insurers has collected extensive data on corporate performance and risk governance practices and has demonstrated that companies adhering to sound risk governance practices are indeed realizing higher returns and lower volatility (ABI , Governance and Performance in Corporate Britain, 2008). Risk governance brings a number of benefits to the organization. The list below was compiled by the Institute of Chartered Accountants of England and Wales (ICAEW). They include: Greater likelihood of achieving objectives; Higher share price over the long term; Greater likelihood of successful change initiatives; Lower cost of capital; Early mover into new and profitable business areas; Reduced insurance premiums; Achievement of competitive advantage; Less business interruption; and Achievement of compliance and regulatory requirements.
Source: McKinsey Global Survey – Governance Since the Economic Crisis, July 2011
Boards optimize the risk exposure for the company by taking ownership of understanding the business strategy for future growth and protection of existing assets, obtaining reasonable assurance from management that there are capable people, processes and systems to effectively manage the business and the associated risks, and actively communicating appropriate tone at the top. This, in turn, fosters risk awareness and clear risk ownership. SOURCE: KPC ERM 2030 Strategy , 2010
Limitations of Risk Governance and ERM
Businesses across the globe are realizing the benefits of designing and implementing a robust ERM program to inform decision making within the organization. Whilst it may be easy to understand what ERM is and what it can do for KPC, it is also equally important to understand exactly what it is not. Some common misconceptions may be corrected by understanding what ERM is limited in achieving. These limitations include:
1. Risk management will not make decisions for the organization. ERM can assist managers and executives in making informed decisions. However, these decisions will be limited by the amount and quality of data available, by the skills and experience of the staff performing the risk analysis, by the understanding of management of the business, and by the transparency and effectiveness of the communication channels for reporting the risk analysis results. Management judgment therefore continues to be important when taking decisions.
2. Risk management will not guarantee freedom from all risk. While it is only possible to predict most negative consequences to a business, an ERM program can help the Board, senior management, and staff be prepared for an adverse event. As stated in the introduction, to eliminate risk is to eliminate opportunity. For this reason and others, while some risks may be mitigated or avoided, other risks may be accepted or seized upon by the organization.
3. Risk management will not guarantee that accidents will not happen. Where humans are involved in the operation of an organization there is always the possibility that a mistake may happen. It is envisaged that by assessing risks relevant to decision-making processes that these decisions are more informed, and therefore the consequences of a mistake will not breach risk tolerance levels.
SOURCE: KPC ERM 2030 Strategy , 2010
Business risk dashboard (5-year)
[Figure: dashboard panels covering 2011/12 to 16/17. Panel titles: Stochastic risks – Contribution to State at risk; Stochastic risks – Cash flow probability distribution; Scenario risks – Impact on mean contribution to State (KD bn, discounted, 2011/12 – 16/17). Series labels: 1- External influence (Approval delay risk); 3- Large project execution risk; 5a- Global crude and gas volatility; 6c- Foreign exchange volatility; Crude production capacity; Disruption in hydrocarbon market. Axis: Contribution to State (KD Billion).]
SOURCE: K Company CFAR model
Thank You email@example.com