Simon Constant-Glemas, VP Corporate and UK Country Controller at Shell
There are few industries more risky (in terms of the obvious risks, at least) than the oil and gas sector. These companies typically work in dangerous environments, often in unstable regions (in terms of both geography and politics) and are subject to the unpredictable variances of commodity prices and exchange rates. As a result, risk reporting is both a critical and contentious subject for the oil and gas sector, as was brutally illustrated by BP’s Deepwater Horizon disaster in the Gulf of Mexico in 2010.
The disaster focused everyone’s mind on risk and risk reporting, particularly in the extractive industries. There has definitely been an increased focus around risk since Deepwater Horizon, because it was such a significant event. That and the financial crisis have made everyone more risk-aware.
I am aware of investors’ desire for more information about risks, but a more considered approach should be taken. Addressing all possible risks in a risk report would be counterproductive – more comprehensive risk reporting doesn’t mean better risk reporting. We employ more than 100,000 people in 70 countries, so any risk that’s applicable to a large multinational would apply to us. It is much better to provide a concise overview of the key risks inherent in the business that are most likely to prevent the achievement of its objectives.
One area where risk reporting might be constrained is where disclosure could be perceived to damage competitive advantage. I don’t think competitive advantage is an issue – you can strike a balance between referencing risk and not giving away critical information. We need to be careful sometimes about things like risks around a particular transaction but the vast majority of the time some information will be in the public domain already and so, if necessary, a more generic reference can be made. Suggestions that companies should try to quantify the potential impact of major accidents and events, though, are more difficult to address.
The fundamental question is whether a risk report can ever helpfully highlight the risks of rare but catastrophic events – analysts argue that an attempt to quantify the financial impact of a disaster on the Deepwater Horizon scale would be useful but understandably, this is something that organisations themselves are reluctant to do.
It’s the Black Swan effect – it rarely happens but when it does, the impact is massive. The difficult conversations about Black Swan events do take place within a company, but specifically disclosing all of the details in a risk report is another thing altogether. If you put a dark lens on everything and, for instance, try to quantify what the financial impact of a very rare disaster could be, you could scare away a lot of investors.
The nature of black swan events means that it is difficult to think about what the impact of an event could possibly be, let alone put a reliable figure on it, but I strongly believe that a thorough consideration of everything that could possibly go wrong is an important part of good risk management, even if the full details are not disclosed publicly. I do wonder if enough thinking goes on around rare events – I suspect that not enough people considered the probability of the entire inter-bank lending system grinding to a halt overnight before the financial crisis happened.
The main problem discussing Black Swan events in a risk report is that the context of probability is difficult to get across. Ideally a risk report should contain enough detail to start the necessary conversation between stakeholder and management. The quality element of risk reporting comes down to the conversation about risk that takes place, and that conversation should start with the risk report. A detailed discussion about risk is more likely to come out in a discussion between the CEO or finance director and analysts and other stakeholders – the annual report is not really the place to go into that sort of detail.
It is these conversations that are the most valuable to stakeholders, and also why more frequent risk reporting would not be particularly helpful. A certain amount of risk is strategic and it would feel more like crisis management if risk reporting was carried out more frequently than it is today. The crystallisation of an emerging risk or emergence of a new risk would certainly warrant disclosure but risk reporting should not be confused with robust and timely management information.
There are parallels to be drawn here with the increased regulation faced by multinationals since the financial crisis. There has been a huge increase in it since the financial crisis and the question is whether that drives better risk management or not. There have certainly been unintended consequences – at Shell we are captured by criteria that are not intended for us, simply because we are large. In my view it has the potential to distract organisations from good risk management.
My main concern is the raft of new regulatory requirements could result in organisations seeing risk reporting as just another tick-boxing exercise, rather than driving better risk management. We have to be careful that we’re not reporting on risk in order to satisfy a process, but that risk management is used effectively as a way to differentiate the business. In the past risk management was focused on mitigation, but today it is part of adding value to the organisation.