The document discusses risk management in oil and gas projects. It finds that traditional risk management often fails for such projects due to their unique challenges, including large scale, technology requirements, and sensitivity to market conditions. The highest rated risks for projects are found to be technological and scheduling, while for plant turnarounds the top risks relate to obtaining adequate resources. The document recommends establishing a common risk breakdown structure, holding cross-functional risk workshops, quantifying risks, using specialized risk management software, and clearly communicating high impact risks without mitigation plans.

1. 2007 AACE International Transactions
RISK.01
Why Traditional Risk Management Fails in the
Oil and Gas Sector:
Empirical Front-Line Evidence and Effective Solutions
Brett Schroeder and Jan A. Jackson
roject risk management has considerably matured DEFINING RISK MANAGEMENT
P over the last decade, a trend that has been prominent-
ly accelerated by highly publicized stories of corpo-
rate misconduct, globalization, new contractual risk
shifting vehicles, and last but not least, recently enacted regula-
tory requirements such as the 2002 Sarbanes-Oxley Act. Rather
The Essence of Risk
The nature of risk is uncertainty. Desired outcomes are inher-
ently under threat of failure or non-compliance because of
events that may occur during the project-, program-, or asset
than considering risk as simply one focus area among others, all life-cycles. Such events may vary in their degree of probabilistic
elements of project management, such as cost, time, or human occurrence, magnitude of impact (severity), and manageability.
resources are increasingly being analyzed from a risk perspec- Kerzner defines risk itself as “[a] measure of the probability and
tive. Energy projects, especially in the upstream sector are faced consequence of not achieving a defined project goal” [2].
with magnitudes, combinations, and sometimes even types of Consequently, risk management uses such variables as probabil-
risks commonly not experienced, at least not to the same ity and severity (impact) to typify risk and risk events for further
degree, in more traditional project concepts. Given such action (risk response) or other considerations. Nonetheless, the
unique challenges, common risk categories and traditional specific shortcomings of the traditional approach are rooted in
approaches to risk mitigation are insufficient for the oil and gas its ‘linear’ and sequential process thinking in regard to risk man-
sector. Any risk model or tool must be able to address specific agement. But even more sophisticated risk systems don’t seem
categories, based on certain risk areas. Despite major advances to deliver the desired results and frequently fail in their applica-
in risk planning and mitigation tools, new capital projects and tion for large and complex upstream projects. On its most basic
plant turnarounds (shutdowns) in the oil and gas sector contin- level risk may be described by various functional elements, uti-
ue to experience a high rate of failure. Based on initial data lizing the variables or terms just introduced:
reviews, interviews, and case studies, the specific causes for fail-
ure on these projects can be traced to the failure to effectively • Risk = ƒ (probability, impact) = exposure
manage risks that were identified during the planning phases. • Risk = ƒ (hazard, safeguard), or alternatively, ƒ(exposure,
Functionalizing risks provides a conceptual basis for sound manageability) [1].
evaluation of potential adverse impacts on the project.
Naturally, this type of assessment or consideration falls within A risk is therefore defined as any uncertainty that if it occurs
the risk evaluation element of an overall risk management would affect one or more project objectives. But inherent to any
process. Once all identified risks have been evaluated in terms economic endeavor, there are two kinds of risk:
of exposure and manageability, high-priority risks (typically
defined as rating ‘high’ on the exposure scale and/or ‘low’ on Threat: Any uncertainty that if it occurs would affect one or
manageability) may then be isolated for specific and detailed more objectives negatively.
review by respective stakeholders. Subsequently, output from Opportunity: Any uncertainty that if it occurs would affect one
the risk evaluation component of the risk management process or more objectives positively.
can be quantified as expected monetary values (EMV) or visu-
alized in Pareto-style graphics to display the most prevalent risksTeams often view all risks as negative events and the potential
for positive impacts are often under-estimated or not adequate-
rank-ordered. Specific areas for effectively utilizing quantified
risk values are some of the following: ly considered in the risk management process. This process is
the methodology of identifying, listing, assessing, prioritizing,
• determining contingency amounts; registering, and controlling risks, throughout the project life
• assessing deductible amounts for project-specific policies; cycle, by eliminating or reducing the probability of occurrence
and, and the potential impact caused by the threat [1].
• overall project NPV calculation.
RISK.01.1

2. 2007 AACE International Transactions
Figure 1 shows the life cycle of a risk. Once a risk is identified between all knowledge areas. More specifically, risk considera-
and included in a risk register it should undergo the following tions are to be applied in all disciplines comprehensively rather
process: than topically. Knowledge areas under discussion are:
• Assess the probability of the risk occurring and the potential • integration management;
impact on project or turnaround. • scope management;
• Determine whether the risk is “active” and therefore • time management;
requires further work. • cost management;
• Develop action plans for active risks to reduce the probabil- • quality management;
ity of occurrence or reduce its potential impact if the risk • human resources management;
were to occur. • communications management;
• Gain acceptance from other team members on the action • risk management; and
plans. And, • procurement management.
• Implement action plans and monitor the risk.
THE NATURE OF RISK FOR
Common approaches follow a sequential chain of activities to OIL AND GAS PROJECTS
address the identification of risks, their evaluation and
approach, and subsequently the continuous control mecha- The oil and gas industry is the world’s most capital-intensive
nisms to stay abreast of potentially adverse events. The PMBOK? industry and invests hundreds of billions annually in new proj-
Guide has devoted a full chapter to Project Risk Management ects and maintenance of existing facilities. The industry has
[3]. Conceptually, the PMI has integrated Risk Management as been using risk management techniques for several decades
one of nine project management knowledge areas into its project now but there has not been any systematic measure on how
management framework. Risk management is introduced as fol- effective these techniques have been in improving project or
lows: plant turnaround performance. Based on our work with several
large petroleum operators, we estimate that the rate of major
“Chapter 11, Project risk management, describes the process- project failure measured in terms of significant cost overruns
es concerned with conducting risk management on a project. (>20 percent), major schedule delay (>20 percent), or poor
It consists of the risk management planning, risk identifica- plant operability after startup is over 30 percent. The need to
tion, qualitative risk analysis, quantitative risk analysis, risk find and develop new fields is pushing the upstream sector to
response planning, and risk monitoring and control project the extremes in terms of both environment and technology. For
management processes.” the major western petroleum companies, there are few opportu-
nities to extract oil and gas with minimal risk any longer. This is
compounded by an industry-wide skilled-labour shortage.
This shortage of skilled labor appears to be having a particu-
larly adverse impact on turnarounds (shutdowns) in the refinery
sector. Plant turnarounds are the periodic and planned shut-
down of facilities to perform maintenance and/or install new
equipment. Figure 2 shows the performance of 36 recent high-
complexity refinery turnarounds. The average schedule delay is
more than 35 percent and the average cost overrun is 25 per-
cent. Perhaps more importantly, there is a large degree of vari-
ability in the performance as indicated by the bars which meas-
Figure 1— Risk Management Process
Two schools of thought exist regarding the definition of proj-
ect risk management as a separate knowledge area or discipline
within the project management framework. For one, it is
argued, that by elevating risk management to a distinct field
within the project management concept, it may gain in promi-
nence, acceptance, and deeper penetration among all project
stakeholders. Inversely, by defining project risk management as
a distinct area of focus, project participants may lose sight of
complex process interactions that necessarily need to take place Figure 2—Turnaround Performance Data
RISK.01.2

3. 2007 AACE International Transactions
ure plus one and minus one standard deviation. This means that ciency, several basic and overarching categories have been
turnarounds are highly unpredictable. introduced to capture all risks in a comparable manner.
The oil and gas industry is unique and is particularly complex
because of the following: Capital Projects
This analysis is based on nine major oil and gas projects. The
• management of numerous internal and external interfaces; combined number of risks identified within the reviewed risk
• magnitude and scale; registers amounted to 111 after eliminating entries that are too
• regional constraints; high-level, unspecific, or may not qualify within the framework
• technology stretch; and of this study. Subsequently, nine basic categories, such as mar-
• sensitivity to market conditions. ket/commercial, technology, and organizational have been cre-
ated to sort all qualified risks. Pursuant to the sorting, all cate-
As these trends gather momentum, risks to project and turn- gories have been counted to determine the rank order, or prior-
around execution will only increase. The use and implementa- ity, of each category within the project’s risk framework.
tion of risk management systems varies widely across the oil and Technology clearly topped the list, followed by planning/sched-
gas industry. Techniques range from simple spreadsheet-based ule and then organizational. Project teams are consistently
systems to more sophisticated enterprise-wide software systems. focused on ensuring that technical definition and design issues
For the most part, project teams are identifying and tracking are well-defined prior to the execution stage and tend to view
risks. However, effective quantification and implementation of these issues as the ones with both the highest probability of
response plans is lacking. occurrence and the highest impact. The primary concern of
these teams is to ensure that there is sufficient time to in the
Highest Rated Risks in the Oil and Gas Sector project definition phases to minimize the chances of late design
changes during detailed design or construction.
Based on a database of risk registers we have identified what
type of risks both project and turnaround teams are consistently Turnarounds
rating as the most severe prior to the execution stage. In total, This analysis is based on 15 large-scale refinery turnarounds.
more than 25 risk registers of differing magnitude and granular- The combined number of risks form these registers total over
ity have been evaluated and sorted to reveal the dominant 300. The highest-rated risk categories deal with obtaining ade-
sources of perceived project risks in these sectors. For the most quate resources in a timely manner. The top rated category is
part, these teams used similar methodologies and tools to cate- technical support, followed closely by contracting and labor.
gorize projects within a common risk breakdown structure Both categories are a reflection of the challenges being faced by
(RBS) as well as an applicable work breakdown structure large-scale refinery turnarounds in attracting enough skilled
(WBS). Individual project teams tend to slightly differ on their labor. In addition, turnaround teams are having increasing diffi-
interpretation of risk categories and to which element within culty obtaining adequate internal technical support from other
the RBS the risk should be allocated. To overcome such defi- disciplines during the shutdown to deal with day-to-day prob-
Table 1— Project Risk Rating (Rated in Order of Severity)
RISK.01.3

4. 2007 AACE International Transactions
Table 2—Turnaround Risk Rating (Rated in Order of Risk Severity)
lems and troubleshoot issues, particularly during the critical developing response plans. This turnaround also included
startup period. a large portion of capital work. The risks of effectively inte-
grating the capital work were identified early by senior team
members, but these risks were never adequately understood
OIL AND GAS CASE STUDIES or addressed by site management.
In the last year there have been striking examples of the some- Both the Sakhalin II project and the refinery turnaround had
times catastrophic risks faced in the industry: implemented risk management processes and systems. Still,
they experienced a series of unexpected events that caught their
• Sakhalin II is a new offshore platform under construction management teams by surprise, resulting in major failures. Our
on Russia’s Pacific coast and is the largest integrated oil and experience in working with and reviewing hundreds of capital
gas project in the world, with total resources of some 4 bil- projects and turnarounds indicates that there are systematic
lion barrels oil equivalent. Last year it was announced that flaws in how most teams are implementing risk management
the forecasted project costs would more than double from processes in practice. The net effect is that the risk management
$10 billion to $22 billion due to high raw material costs and within these teams is lacking rigor and is not central to the daily
contractor overruns. Additional factors that have been cited management of the project. Typically, managing the risk regis-
as sources of the large overrun include unrealistically low ter is delegated to a junior staff person without the authority or
contingency in the cost estimates, lack of hedging for for- relationships to ensure that risks are being effectively evaluated
eign currency losses, and the difficulty of operating in such and managed. This paper will suggest a series of steps that, we
a remote location. The project has also been characterized believe, will help improve the effectiveness and hopefully help
by disputes with the Russian government over potential reduce the rate of major failures in the oil and gas sector.
environmental violations. In December 2006, Shell, the
operator and leading shareholder in the development, sold EFFECTIVE RISK MANAGEMENT
most of their stake in the project to Gazprom after pressure TOOLS AND TECHNIQUES
from the government.
Establish a Common Risk Breakdown Structure (RBS)
• A client of ours recently executed a refinery-wide turn-
around estimated at more than 500,000 worker-hours with Table 3 provides risk breakdown structures (RBS) for both
a planned duration of 40 days. The duration more than capital projects and turnarounds in the oil and gas sector. These
doubled to 81 days and the costs increased by 30 percent. categories provide a logical way to group risks. The consistent
Moreover, the turnaround was characterized by a below structure can also help teams analyze risks across a portfolio and
average safety performance and had a safety recordable rate facilitate the sharing of risks across different functional areas.
of 0.93. The turnaround had developed a risk register but Reviewing previous RBSs allows teams to learn from experience
never effectively followed up by assigning risk owners and and better understand the systematic threats that need to be
RISK.01.4

5. 2007 AACE International Transactions
Table 3—Risk Breakdown Structure
addressed during the risk identification stage. Moreover, teams ues since this will erode the quality of the risk rating and will
should be able to identify what action plans were implemented preclude further analysis and quantification of project risks.
and assess their level of effectiveness. Importantly, the quantification of risks enables team members
to perform some cost-benefit analysis. That is, to answer the
HOLD CROSS-FUNCTIONAL question on what response plans, if effective, will have potential-
RISK IDENTIFICATION EVENTS ly the largest benefits on mitigating threats to project value?
Risk identification and assessment workshops have proven to Avoid Over-Reliance on Simple Spreadsheet and Adopt
be one of the single most important steps within the risk man- Systems That Allow for Detailed Real Time Tracking and
agement process for the oil and gas sector. In planning for such Visualization
workshops specific attention is given to the attendee list, which
should reflect the broad spectrum of all project or turnaround Most project and turnaround teams in the oil and gas sector
stakeholders. These workshops provide a unique opportunity for have adopted spreadsheets to maintain risk registers. There is
team members to not only identify potentially adverse issues nothing inherently wrong with the use of spreadsheets, but their
arising from their area of responsibility, but also allow these use tends to concentrate the risk management process to a sin-
team members to develop and crystallize essential interdepen- gle individual and preclude the cross-functional dialogue that
dencies among various threats. Insomuch, risk workshops will should be a key part of the risk process. The use of specialized
add to the connectivity of the individual disciplines and reveal risk management software systems should make this process eas-
possible misalignment among team members on certain risk ier since the risk register can be accessed and reviewed by vari-
expectations. It is recommended that several team workshops ous team members.
are held prior to the execution phase. These team workshops
may have at times various foci other than risk, depending on Develop Response Plans and Clearly Communicate High
area or discipline under discussion (e.g., planning status, team Impact – Low Probability Risks That do not Have Mitigation
alignment, etc.), but should at a minimum feature a review or Plans
discussion of the current status of risk assessments and risk-relat-
ed action plans. Many teams do a good job at identifying and quantifying risks
It has proven helpful to conduct post-execution assessments of and capturing them in a risk register. However, in our experi-
ence many teams fail to complete the risk management cycle by
specific risk actions taken in preparation for and during the proj-
ect. The results of such feedback measures ensure effective ‘les- developing the appropriate response plans. Developing
sons learned’ application for future use. The cause–and-effect response plans for each risk may appear overwhelming for large
intelligence gathered in such a format will prove invaluable in registers. If this is the case, the team needs to prioritize on the
planning for the next major project. high-impact and high-probability risks and ensure that at a min-
imum these are addressed with a response plan. The team also
QUANTIFY IMPACT VALUES AND PROBABILITIES needs to communicate the low probability risks that have high
impact on project objectives that do not have mitigation meas-
Team members should express probabilities and impacts as a ures in place. These are the threats that often result in cata-
single number (eg. $10 MM, 5 months, etc.), or as a distribution strophic failure.
(eg. min=$5, likely= $10 MM, max=$20 MM). Using quantita-
tive numbers to express impact creates better alignment and
consistency in how risks are rated among team members. Teams
need to avoid qualitative assessments that are not linked to val-
RISK.01.5

6. 2007 AACE International Transactions
• Review the Risk Register as Part of Regular Team
Meetings
Make the review of the risk register a regular part of the week-
ly or monthly team meetings. This ensures that the risk process
remains central to the management and communication
processes.
• Minimize Risks Through Improved Project Definition
The fundamental cause of most failure is poor planning and
front-end loading. Risks can be minimized through excellent
definition. This should be the aim of every project and turn-
around team.
• Re-evaluate Risks Periodically
Teams need to hold periodic cross-functional risk events to
update the register with new threats and opportunities and re-
assess existing risks.
The above actions will not resolve all the issues with effective
implementation of risk management, but they do provide a
checklist of actions for teams that hopefully will instill more
rigor and value in the risk management process.
REFERENCES
1. Hillson, “Measuring Changes in Risk Exposure,” The
Measured, Vol. 4, Issue 3, Fall 2004
2. Kerzner, Project Management, A Systems Approach to
Planning, Scheduling, and Controlling, 8th ed., 2003,
Chapter 17.1
3. A Guide To The Project Management Body of
Knowledge, (PMBOK? Guide), 3rd ed., 2004, Chapter 11
– Project Risk Management
Brett R. Schroeder
Asset Performance Networks, LLC
3 Bethesda Metro Center, 925
Bethesda, MD 20814, US
Phone: +1.240.683.1001
Jan A. Jackson
Asset Performance Networks, LLC
3 Bethesda Metro Center, 925
Bethesda, MD 20814, US
Phone: +1.240.683.1001
RISK.01.6