Presented by:

E&P logo

Editor's note: This article appears in the new E&P newsletter. Subscribe to the E&P newsletter here

For many companies working in the oil and gas sector, operational risk management has been guided primarily by compliance with regulations. On the surface, this seems like a reasonable approach. After all, regulations are not arbitrary. They have been developed to address specific issues, and quite often the introduction of more stringent regulations is the result of incidents that reveal weaknesses in the status quo. Regulatory guidelines set expectations for established risks, but there are no such guidelines for emerging risks that arise as technology within the industry evolves.

After the Ocean Ranger semisubmersible sank on the Grand Banks offshore Newfoundland in 1982, the Canadian government reorganized to provide better oversight, emergency training became mandatory, rig designs were improved, and search and rescue equipment was upgraded. Similarly, the Piper Alpha disaster in the U.K. North Sea in 1988, which resulted in 167 people losing their lives, led to the U.K. Offshore Safety Act 1992, making companies responsible for securing the safety, health and welfare of offshore workers. 

Regulations are developed methodically to address specific issues, and as they mature, they improve operational safety. Compliance is nonnegotiable, and companies invest in programs that meet regulatory requirements because it is a prerequisite for doing business. When there are no regulations in place, however, managing operational risk becomes more complicated. The expense is not required, so investment in risk management must be weighed in terms of cost and benefit. Instead of being the cost of doing business, risk management becomes an issue of return on investment. 

The rapidly changing operating environment compounds the operational risk management challenge. Digitization is a case in point. Oil and gas companies have invested heavily in digitization to capture real-time data, which can be leveraged to facilitate operational insights. Knowing more about how equipment is operating not only enables faster and better decision-making, but it allows companies to better maintain physical assets. 

Unfortunately, while improved data-gathering enhances the ability to manage assets and resources, it also broadens the interface between IT, which focuses on data, and operational technology (OT), the computing and communication systems that manage, monitor, and control physical devices and industrial operations. The increasing number of contact points between IT and OT being introduced by technologies that expand interconnectivity to improve operations creates a dramatically larger attack surface for potential hackers. 

According to an IBM Security report, “X-Force Threat Intelligence Index 2020,” this breakdown of system segregation has opened the door to cyberattacks on industrial control systems, with the number of incidents increasing more than 2,000% from 2018 to 2019. In fact, in 2019 the number of events targeting OT assets was greater than the sum of the incidents recorded in the previous three years. 

It is evident that cybersecurity has become a business imperative, but regulations lag behind the pace of change. Deterring cyberattacks and managing cybersecurity are critical, but the way forward is anything but clear for a lot of companies. 

The best course of action in many cases is to obtain the support of engineering and risk management experts who can objectively evaluate the company’s status and work within its culture to develop solutions that support safer, more reliable assets and operations. That means assessing the regulatory landscape and ensuring the company is prepared for impending changes. It means asking probing questions about connectivity and data usage and introducing artificial intelligence and machine learning solutions. 

There is much at stake in this “new normal,” and the conditions continue to change. How successfully a company manages its operational risk will be a key factor in determining its future profitability and growth.


May 13, 2021: How to Deliver Data-driven Value to Offshore Operators

Nov. 13, 2020: Digital Predictive Analysis for Remaining Life of Offshore Assets