Managing Risk Through IT

31 August 2005 (Last Updated August 31st, 2005 18:30)

Recent reports have shown record earnings by oil and gas companies. Ernst & Young's Steven Pegolo and Donald Gauci advise investing the extra revenue in IT.

Managing Risk Through IT

It's a problem all companies should be so fortunate to face: What should we do with all of this cash? An extended period of high commodity prices has helped many oil and gas companies realise record revenues, earnings, and cash flows. A recent industry survey by energy research firm John S Herold reported that cash flows for public oil and gas companies increased 24% and exceeded capital expenditures for the fourth year in a row in 2004.

Some companies have used this cash to acquire their peers or add new properties to their portfolios. Others have aggressively reduced debt and repurchased stock. Many have done all of the above and are still looking for capital investment opportunities.

In an environment where prudent capital investment opportunities are harder to find, but cash is still plentiful, the professionals in Ernst & Young's Oil and Gas Technology and Security Risk Services group believe that now is the time for energy companies to consider investing in an area that may have been overlooked for some time: their IT environments.

There are three ingredients in effective risk management: people, processes, and technology. Together with investments in people and processes, upgrading, consolidating or integrating IT systems can ultimately increase efficiencies, reduce costs and, most importantly, reduce risk.

Historically, the energy industry has not harnessed the power of IT to the extent that many other industries have. As a result, many energy companies are ill-equipped to manage a new generation of risks or efficiently implement new regulations.

These new risks and regulations, together with the potential for cost savings, make now the perfect time for energy companies to take an in-depth look at the people, processes, and technology they use to acquire, process, store, and disseminate information. They may discover that it’s time to make some changes, and perhaps some significant investments, in their IT environments.

THE TRADITIONAL IT MODEL

The growth over the past few decades in technologies such as 3D and 4D seismic imaging technology, horizontal drilling, and deepwater production proves that companies in the capital-intensive energy industry will spare no expense investing in tools that will find and extract hydrocarbons more quickly and efficiently.

But this willingness to invest in exploration and production technology traditionally has not extended to back-office IT. Oil and gas companies tend to view capital expenditures as a zero-sum game: any money spent on IT is money that isn't spent on getting resources out of the ground.

"Now is the time for energy companies to consider investing in an area that may have been overlooked for some time: their IT environments."

This aversion to investment in non-core technology is compounded by the cyclical nature of the business. During lean times, when cash is scarce, IT expenditures move even further down the list of priorities.

Conversely, when commodity prices are high, the thirst for one more drop of oil can become unquenchable. Thus IT is frequently considered a 'necessary evil' rather than a powerful tool that can turn information into knowledge, knowledge that can help companies mitigate risk while being more efficient and effective in their operations.

Prior to the advent of sophisticated energy trading programmes, access to real-time data across the enterprise was often not considered as critical as it was in other industries. Also, information was mainly tied to activity at physical facilities, rigs, pipelines, refineries, instead of virtual activities such as commodity trading and hedging.

In this environment, a project manager needed access only to information on how his or her assets were performing, and the ability to share it with others on a need to know basis.

The location of the majority of the world's hydrocarbon reserves also plays a role in the oil industry's record of limited IT investment. Many countries with brisk onshore exploration activity have, at least until recently, lacked the technical infrastructure to support the secure, real-time distribution of large amounts of data. And the difficulties of data distribution from offshore locations are obvious.

Today, these and other reasons for avoiding significant IT investment no longer apply. Yet old habits die hard, and many energy companies continue to run legacy systems that receive the minimum upgrades and investments necessary to keep them working. As a result, energy companies often employ systems that decrease efficiency, increase costs, and lead to increased risk.

THE NEW RISK ENVIRONMENT

There are numerous reasons why now is the time for many energy companies to consider upgrading IT systems, but one of them trumps all others: energy companies have never before encountered risk portfolios as multifaceted as the ones they face today.

Ironically, many of the new risks facing energy companies have been brought about by new businesses and new technologies that have had overall positive effects on the industry. Consider energy trading. For most energy companies, this operation is the newest business venture and source of revenue and risk. But security is often lacking, with traders having unlimited access to financial and operational systems.

Technologies and tools such as Supervisory Control and Data Acquisition (SCADA), the internet, satellite communications, and wireless networking offer both reward and risk. The ability to manage and monitor remote facilities via SCADA technology and the internet has brought tremendous efficiency to many energy company operations.

These technologies make it easier not only to run one's own operations, but also to share data with third parties. Because it is capital intensive, energy production is a highly collaborative effort, and the ability to share data has made collaboration easier.

Today, for example, the production and scheduling systems of refineries are integrated with those of various third parties such as trucking and rail companies, suppliers, and vendors. This permits feedstock to be delivered just in time and ensures that transportation for finished product is ready when needed.

While this interconnectedness, both within the enterprise and externally, is a boon to productivity, it also presents numerous risks. The President's Information Technology Advisory Committee (PITAC) was appointed to study the vulnerabilities of the USA’s IT infrastructure. In a recent report, it concluded that its IT infrastructure is 'highly vulnerable to premeditated attacks with potentially catastrophic effects'. The PITAC report went on to highlight the new opportunities and new risks offered by
'ubiquitous interconnectedness':

Ubiquitous interconnectedness, first exhibited by the internet and further extended in local area networks, wide area networks, and wireless and hybrid networks, has generated whole new industries, rejuvenated productivity in older ones, and opened new avenues for discourse and education, and an unprecedented era of collaborative science and engineering discovery worldwide. That is indeed good news.

The bad news is that ubiquitous interconnectivity provides the primary conduit for
exploiting vulnerabilities on a widespread basis. Despite efforts in recent years to add security components to computing systems, networks, and software, the acts of a hostile party, whether a terrorist, an adversary nation, organised crime, or a mischievous hacker, can propagate far and wide, with damaging effects on a national or international scale.

The systems implication for energy companies is obvious: the more systems required to run these important operations, the more access points there will be. Consolidation and integration of systems will provide fewer access points, making it easier to manage risk.

MAKING COMPLIANCE EASIER

There is also the issue of regulatory compliance. Companies that have recently completed their first go-around with Sarbanes-Oxley Section 404 compliance undoubtedly have a better understanding of the processes they have in place for financial controls, and where their greatest risks exist.

"The location of the majority of the world's hydrocarbon reserves also plays a role in the oil industry's record of limited IT investment."

It is also likely that they have a greater appreciation for the role that integrated, consolidated IT systems can play in testing those controls and mitigating risks. Some may have come to the painful realisation that their current IT infrastructure makes testing and compliance cumbersome and expensive and, worse, actually increases risk.

Companies running multiple systems each with its own processes, procedures, support staff, and hardware, must test each one individually. So it stands to reason that the more common processes and systems a company employs across the enterprise, the more cost effective it is to test controls and comply with regulations. More important, bringing processes under a common, centralised system reduces the number of access points, which in turn reduces the chance for human error, or fraud.

Ernst & Young’s energy company client portfolio includes companies with varying degrees of IT integration. One large oilfield services company had recently completed a year-long project of IT upgrades and integration as Section 404 compliance efforts began.

Though this company’s compliance was still a complicated endeavour that required significant investment of resources, it was made much easier by its recent IT investment. Companies that run multiple, dispersed systems have had a much more difficult time documenting and testing their financial controls.

Although risk mitigation and regulatory compliance are the primary reasons to consider systems upgrades, integration, and consolidation, cost savings is another reason to do so. The less dispersed IT infrastructure and applications are, the fewer resources are required to maintain them. Even consolidating servers from five or six locations to three or four can save significant amounts of money.

In today’s environment of high commodity prices, when energy companies don’t get full credit for revenue growth and are evaluated more on their ability to control operating costs, this expense-saving opportunity is worth considering.

SHORT TERM OR LONG TERM?

Back to the original question: What should companies in the oil patch do with their excess cash? The choices are numerous. Increase their reserves through mergers with peers or selective property acquisitions. Reduce debt. Repurchase stock. Increase or initiate a dividend. Upgrade facilities or other hard assets. Or invest in IT infrastructure. Each of these choices would benefit shareholders.

The question is one of perspective, particularly related to time. Mergers and acquisitions could be immediately accretive to earnings. Share repurchases provide an instant boost to earnings per share. Upgrading a company’s IT infrastructure, on the other hand, is a longer-term investment. In the long run, however, such an investment might provide the most benefit to shareholders, providing a powerful tool to manage risk and add value for years to come.