By Louis Caron, Leigh Parkinson, and Peter Sofarelli – RiskAdvisory (A division of SAS)
The exploration and production industry is slowly moving toward the realization that they need information technology systems to do more than assist them with drilling holes or transporting oil and gas. IT has facilitated operations, but it has not been viewed as an all-important decision-informing system for their financial transactions.
That is changing. Assessing credit risks, quantifying cash flow-at-risk and building what-if pricing scenarios are becoming more important to the industry. Ignoring these exposures can bring great peril, but many E&P companies aren't equipped to assess the data that's available to them from inside their company in order to make decisions that could greatly affect their financial standing.
Simply put, sound financial management of E&P companies should include more sophisticated risk management information technology. While external regulations like Sarbanes-Oxley, FASB and Committee of Chief Risk Officers best practice standards may not specifically mandate robust risk management systems for E&P companies, there is a growing sense among the super-majors, like BP and Shell, that such systems are worthwhile.
Indeed, external forces that affect companies' ability to raise capital may demand that more risk management technology is employed. For evidence look no further than Standard & Poor's, the credit rating agency which created a methodology to evaluate energy companies' risk management as a factor contributing to their debt and credit ratings. That's sure to instill some degree of trepidation into the capital-intensive E&P industry.
Historically, E&P companies have invested minimally in their risk management systems by either procuring out-of-the-box systems or by building their own, often in a hodge-podge manner involving the extensive use of spreadsheets. Both options have their strengths and weaknesses.
Nonetheless, it is our belief that E&P companies have no choice but to evolve their information systems for risk management purposes. The first step, as we've seen in the utility industry, is consolidating data from disparate systems. Once the data is clean and maintained in real-time, there is an opportunity to integrate that data so that it creates meaningful, actionable information. Once E&P companies consolidate and integrate, they will likely find that they are sitting on a proverbial gold mine of actionable data.
Eventually the data could allow them to create advanced risk analysis and guide senior management's calculation of specific risk statistics. For instance, companies will be able to create what-if scenarios for those times when, say, natural gas goes from $7 to $15 and then back to $5, or crude goes from $57 to $75 per barrel, all in a 12-month period. There's no end in sight for such extreme volatility, when threats of terrorism and war build speculative premiums into the world market's oil and gas prices. Or when, say, a Saudi oil minister issues a statement saying there's still at least a 150-year supply of crude.
The end-goal of modern risk management information systems isn't predicting every cause and effect for fluctuating markets. Instead, the end goal is to guide reasoned decisions using real-time data integration and manipulation. The end goal is to dispense with using historical, theoretical assessments or external forecast services. Today's volatile markets – and outside rating agencies – are increasingly demanding that capital-intensive E&P companies watch their cash flow-at-risk, a vitally important metric for company health. Building better scenarios for cash flow-at-risk should be a major catalyst to E&P companies' consideration of these new systems.
The decision tree
E&P companies considering new risk systems should evaluate their needs from a business perspective, both physical and financial, and a technology perspective of data, analytics and reporting. Depending on the size of an E&P company, there are four categories of systems from which to choose: in-house built (includes outsourced), configurable risk frameworks, black-boxes and a fourth category we will call a "grey-box."
• In-house systems start as a project with the (unrealistic) scope of meeting all user requirements -- the panacea of technology projects. From initial requirements to project planning through coding and delivery, the project typically turns out only a fraction of the desired functionality and often is over budget and overdue. Another drawback of systems built in-house is the eventual, almost inevitable, lack of documentation. It is eventual and inevitable because during the build out, documentation is a "high" priority that never seems to be completed. Vendor-supplied software has matured to a point where the in-house option, if chosen, is more of a political decision than a business decision, forcing IT departments to justify their staffing decisions.
• A configurable risk framework is just that: a starting point that provides the plumbing (data integration layer), analytical tools (programming environment) and reporting (portal, web) to configure a risk solution that can meet a high percentage of user requirements. The focus is on the methodology (the "how") rather than reinventing the analytical wheel. Flexibility is paramount. Risk frameworks cannot be implemented part-time because they require strong project management skills and a committed project team.
• Black-boxes are systems and software that are purchased from a third-party vendor. They are well known to the industry but, because they are built by someone else, they lack transparency, something that is becoming more of an issue with the advent of Sarbanes-Oxley. Black-box solutions are "easier" to implement and provide a data model, canned analytics and reports. But, since each company's business model is as unique as a human fingerprint, it is hard to design a black-box system that can meet all user needs. A vendor will customize the solution to the point where the code stream essentially becomes an in-house build (effectively outsourcing) and difficult to support. Additionally, the "canned" abilities of black-boxes make them laggards in terms of supporting all the new products and contracts.
• Grey boxes are similar to black-boxes but they have the additional feature of being configurable, or transparent, open-code solutions. A grey box combines a black-box with a configurable risk framework to provide the benefits of each (rapid implementation, flexibility) while avoiding the pitfalls (build from scratch, lack of transparency). Grey boxes take a risk framework and add a methodology to calculate risk and in some instances provide a graphical user interface (GUI).
These categories are not mutually exclusive: many firms choose a best-of-breed approach combining any or all of the above. But again, the devil is in the details. In this case the details lie in the integration of the "breeds," a daunting task which can consume enormous amounts of scarce resources and bring a project and/or system to its knees.
To state the obvious, a risk strategy needs to incorporate both business and technology dimensions. The latter has a critical piece that is often overlooked: data integration. The focus of many risk projects is on how the analysis is generated and/or presented. In the end, though, an analysis/presentation focus is not valuable unless the basic data is integrated and verified. Additionally, any technology project which the firm undertakes must provide appropriate change management and business process re-engineering in order to ensure success.
About RiskAdvisory (A division of SAS)
RiskAdvisory is a leading provider of integrated risk solutions to energy companies operating in today's volatile energy commodity markets. Founded in 1995 by accomplished energy risk professionals, the company has provided risk software solutions, management consulting and educational services to more than 220 clients in the global energy sector. Headquartered in Calgary, Canada, RiskAdvisory produces software solutions that are used by a growing number of well-known energy companies. RiskAdvisory was acquired by business intelligence software leader SAS in 2003. www.riskadvisory.com