Start reviewing and responding to the postings of your classmates as early in the week as possible. Respond to at least two of your classmates. Participate in the discussion by asking a question, prov

CHAPTER 4 
Value and Risk 
Enterprise Risk Management at Statoil

ALF ALVINIUSSEN

Independent Consultant, Norway

HÅKAN JANKENSGÅRD

Researcher, Department of Business Administration and Knut Wicksell Centre for Financial Studies, Lund University, Sweden

The enterprise risk management (ERM) approach to managing a company's risks promises many benefits. A reading of the literature on the subject will tell you that ERM, among other things, will reduce the frequency of surprises, lead to better allocation of resources, improve risk response decisions, and reduce costly duplication of risk management activities (e.g., COSO 2004).

Many companies are finding out that these benefits don't always materialize easily. It turns out that implementing a holistic, enterprise-wide approach to risk management often challenges the organizational status quo. Powerful individuals and business units face a potential loss of autonomy and are asked to comply with new reporting requirements. “The way we've always done things around here” is no longer good enough, it may seem.

In companies where change is resisted, ERM is at risk of becoming an island, an isolated process whose outputs and opinions are largely ignored by decision makers. These so-called ghost ERM programs contribute little or nothing at all to enterprise value. In this chapter we use the experience of Statoil, a Norwegian oil and gas producer, for lessons about how to overcome these organizational challenges and make the potential benefits of ERM become reality.

At Statoil, understanding and managing risk are today considered core values. This principle has been duly integrated into the organization, and is inscribed in steering documents as well as in a booklet handed out to all employees, describing core values, corporate governance, the operating model, and corporate policies. The company has developed a sophisticated approach to ERM that centers on the principle of value creation. ERM is thoroughly embedded in the business units' way of doing things, and it appears to enjoy the wholehearted support of Statoil's executive officers and board of directors.

Statoil has, in other words, managed to make ERM into something that makes a real difference. To gain insights about the success factors behind this outcome, we will investigate how Statoil has dealt with the four main general tasks that fall on executives responsible for ERM: (1) make sure that there is an adequate process for identifying, managing, and reporting risks throughout the company; (2) act as a support function to business units in this work; (3) detect and counteract risk management decisions that are suboptimal for the company as a whole; and (4) analytically aggregate risks to support decision making concerning the company's total risk profile. The first two sections outline the history of ERM in Statoil, and the guiding principles that underpin it.

ERM AT STATOIL: A BRIEF HISTORY

Headquartered in Stavanger, Norway, Statoil is one of the world's top 10 oil and gas producers. In 2012, the company had revenues of 706 billion Norwegian krone, NOK (approximately 120 billion U.S. dollars, USD). In the same year, it had over 23,000 employees worldwide and produced 2,004 million barrels of oil equivalents per day. Known for its operational excellence, Statoil is the global leader in offshore oil production below water depths of 100 meters.

The company has a 40-year history as part of the Norwegian oil bonanza. Originally Statoil was the state-controlled company in the Norwegian model of retaining both publicly and privately owned exploration companies. The privately held company Saga Petroleum was acquired by the partly state-owned conglomerate Norsk Hydro in 2000. Norsk Hydro in turn merged its oil and gas division into Statoil in 2007. Statoil is now by far the largest producer on the Norwegian continental shelf.

In 2001, Statoil's shares were listed on the Oslo and New York stock exchanges. In early 2013, its market capitalization exceeded 80 billion USD. While the Norwegian state still owns 67 percent of the company, it operates independently of the state on strictly commercial principles.

After having sold its downstream and petrochemical businesses over the past few years, Statoil is today heavily focused on upstream activities (i.e., exploration and development of oil and gas reserves). Its three business areas focusing on development are divided according to geographical regions (Norway, International, and the United States, with the latter being much smaller). In addition, it has four more business areas focusing on marketing, technology, exploration, and strategy.

ERM in Statoil got under way in 1996. Petter Kapstad, who has a background in banking, had been asked to systematize the management of risk in the finance department, which previously had been carried out in a fragmented and uncoordinated way. The result of Petter's work was that the risks managed by the finance department were measured and managed as a portfolio of risks with central oversight. The then CEO of Statoil, Harald Norvik, realized that the same principles could be applied to the whole company, and that there would be benefits to Statoil from managing its risks in an integrated way. Again, Petter was trusted with the task of leading the company in this direction.

While Statoil's executive officers were generally positive to the idea behind ERM, they still demanded to know “What is in it for us?” An important part of the answer to this question came from a project group that investigated the costs and benefits to Statoil from various financial transactions, mostly hedging and foreign exchange (FX) transactions going on in the company. Petter and his group were able to show that the number of transactions was staggeringly high, and that they were mostly based on a silo thinking that made no sense at all as seen from the corporate perspective. And, crucially, these transactions were not harmless or mere annoyances. They came at a substantial cost and seriously complicated the company's accounting as well as the management of exposures. This struck the senior executives as unacceptable. ERM had demonstrated the economic justification it needed. A clear mandate was given.

Early on in the project, Petter met and started working with Eyvind Aven, who shared the same vision of an enterprise-wide approach to risk management. Importantly, Eyvind had a background in economic analysis, which complemented Petter's experience from trading units. This made them bilingual in the sense that they knew the specific terminology and ways of doing things that were prevalent in the company's high-profile trading units as well as in its headquarters. Their ability to speak complementary languages, and the fact that they were not viewed as outsiders, was to prove very useful, as many tough decisions lay ahead with people who had an interest in preserving the status quo.

An important early milestone in the implementation of ERM came in 1999, when the Risk Committee, a cross-disciplinary advisory body on risk, was formed. The idea behind creating this committee was to obtain a forum to which people could put proposals and general risk issues for analysis and recommendations. From the very beginning, the committee has been chaired by the chief financial officer (CFO). Its main task is to advise the executive managers and the CFO on risk issues, and it is not part of the formal decision process. It consists of a broad range of professionals with different backgrounds, such as the head of strategy, the heads of the main trading units, the chief controllers of different business units, and the head of internal control, in addition to the head of the risk department, who is responsible for the agenda and for calling meetings.

In 2000, the risk department was formally set up (headed by Petter Kapstad), and started work on developing a common methodology on risk, as well as continuing the work on developing the company's consolidated risk model that had been initiated two years earlier. The risk department, furthermore, has the overall responsibility for insurance and the captive insurance company. In 2005, the first enterprise-wide risk mapping process was rolled out.

ERM FOUNDATIONS

In the early stages of the project, it was decided that Statoil would not simply implement one of the existing blueprints for ERM. Nor did Petter and Eyvind want it to be, or be seen as, another control function.1 They had something else in mind. They wanted a framework that made sense to Statoil, and that centered on the two basic goals of the company: to create value and to avoid accidents. Keeping people and the environment safe is the first priority and supersedes any other objective.2 Beyond those basic objectives, however, risks are to be managed in a way that maximizes the value of the company. This insight has a number of implications, which are explored in this section.

To begin with, the focus on value affects the very way risk is defined in Statoil. According to Statoil's philosophy, which is widely communicated internally, risk encompasses not only downside risk but also upside potential. This philosophy has even found its way into the corporate directives of the company, which state that “risks shall be identified and analyzed, including both upside and downside impact.” On this dimension, existing off-the-shelf ERM frameworks were considered too oriented toward regulatory compliance and risk avoidance. The Statoil philosophy instead recognizes that risk taking is unavoidable, even necessary, to create value for shareholders.3 What matters is that the risks are well enough understood and found acceptable, given their downside risk and upside potential. Reflecting this thinking, the risk maps in Statoil have been developed to show probability and impact not only for the downside, which is the most common way of constructing these maps, but for the upside as well (see Exhibit 4.1).


Exhibit 4.1 Risk Map

Statoil's risk map captures both upside potential and downside risk for any given risk factor. On the x-axis is the probability of occurrence. On the y-axis is the impact figure, measured as the pretax impact on earnings (USD millions). Note that the impact is measured relative to the forecasted value of earnings. Each reported risk is entered twice in the map: first for its contribution to upside potential (entered above the line), and second for its contribution to downside risk (entered below the line). These two points are a summary, or synthesis, of the entire range of potential outcomes for the risk factor in question. For example, the risk factor denoted Risk A in the exhibit has a 5 percent probability that the outcome will be somewhat better than expected. However, there is a 10 percent probability of a fairly significant loss relative to the forecast (USD 200 million). For this particular risk, the downside risk is larger than the upside potential.

As already mentioned, value creation is the basic guiding principle for ERM in Statoil. That is demonstrated by the emphasis the company puts on viewing risks in a value chain perspective. In the corporate directives it is written that the company's approach is to “identify, evaluate, and manage risk related to the value chain to support achievement of our corporate objectives” (original emphasis). Statoil's value chain is outlined in Exhibit 4.2, showing how its main activities progress from upstream (oil exploration and development) to downstream (petroleum refinement) to market (selling its products into various global markets).


Exhibit 4.2 Statoil's Value Chain

Statoil's value chain consists of three main stages: the exploration and development of oil and gas reserves (upstream); the refinement of hydrocarbons into various petroleum products (downstream); and the selling of crude oil, gas, and refined products into different markets. The most important risks (“the risks that matter”) have been divided into two categories: market risks and operational risks.

What difference does the value chain perspective make? First, it serves as a clear signal to everybody involved (i.e., Statoil's employees and other stakeholders) that value creation is the metric being pursued through ERM, and it is the impact on Statoil's performance that ultimately counts. Statoil's thinking on this issue is that if ERM is limited to managing risks related to goal achievement in various business units, the result will be “satisficing” rather than value maximizing.4

Another important benefit of the value chain perspective relates to the fact that the large number of risks identified in the risk map can make it challenging to understand what is really going on. By sorting the risks into a value chain, one can more easily see the bigger picture and, through the lens of the company's business model, see how the different risk categories hang together. In other words, the value chain perspective allows Statoil to rework the knowledge about risk contained in the risk maps into something that is more analytically and logically coherent.

The concept of core risks further underlines the central role of value creation as a guiding principle for ERM in Statoil. To understand this concept, we need to go back to 2001, when the company's shares were listed.5 During the listing process, there were investors looking for arguments as to why they should invest in Statoil. Recognizing that investors were entitled to information about what exposures they were getting when they invested in Statoil shares, the company formulated the idea of core risks, understood as the risk exposures that an investor would expect, and even desire, to have from buying Statoil shares (the most important of which was the exposure to oil and gas prices). The core risks are owned by the CEO of the company and are coordinated centrally in the organization. One of the practical consequences of this is that trading mandates throughout the company have been substantially restricted and placed under central scrutiny. At the end of the day, this should increase the transparency and predictability of the risk exposures obtained by investing in Statoil shares, which lowers the risk premium investors attach to the company and hence also its cost of capital (Jankensgård, Hoffman, and Rahmat 2013).

ERM PROCESSES IN STATOIL TODAY

So far we have discussed the history of ERM in Statoil and the guiding principles underpinning it. We now turn to the more practical issues of what tasks executives need to address for ERM to work in practice and for its potential benefits to be realized. The first two tasks, covered in this section, are making sure there are adequate processes in place for managing risks throughout the organization, and acting as a support function to the business units as they go about this.

Let us dispel a potential misunderstanding. ERM does not imply that all risks should be managed, or owned, centrally in a company. While some risks certainly are managed centrally in Statoil (its core risks, as discussed in the previous section), the business areas are responsible for managing the large majority of the risks that arise in their lines of business.

Just because a business area has been designated the owner of a particular risk, however, doesn't mean that sound management of this risk automatically follows. Corporate management needs to ensure that risk management in the business units is of sufficient quality. Corporate management also has a legitimate right to be informed about the main risks in each business unit and what is done about them. These considerations lead us to what for many is the bread and butter of ERM, namely the process of identifying, mitigating, and reporting risks. For brevity, we will refer to this as the “risk mapping process.”

In Statoil, the risk mapping process follows a quarterly rhythm, which is the frequency at which the business units are required to update their risk maps. This is not just a numbers exercise. The units are expected to provide discussions and justifications for their assumptions, and explain what their policy on each main risk is. As part of the company's quarterly review meetings,6 they also meet with top management to discuss the status with regard to major risks. These two facts—providing written justifications and actually meeting with representatives of top management and the risk department—go a long way toward ensuring the quality of the outputs of this process (the probability-impact estimates). Since the business units know this lies ahead, they have every reason to do a good job preparing and thinking through their estimates of risks (and their mitigation actions). It also counteracts any tendency to think along the lines that “this risk certainly exists, but it surely will not happen during my time in office, so I will just do nothing.”

The risk department, in turn, writes a brief in response to the business units' risk maps, which is sent to executive management. Statoil's board of directors is also briefed on the risk profile on a quarterly basis, and they receive a condensed version of the risk map prepared by the risk department.

The risk department is not only a supervisor of the risk mapping process. It also provides support to business areas and helps spread best practices. It has the expertise and resources to assist business units in multiple ways, from advising on how to manage a particular credit risk to suggesting a methodology for quantifying a certain market risk.

A useful example of the role of the risk department as a resource available to support business areas in their commercial activities comes from country risk. Statoil's risk department has, in collaboration with consultancy firm IHS Global Insight, developed a deep expertise in this area, which is of particular importance to a company active in many of the world's most risky countries. This effort has resulted in a large internal knowledge base on country risk, as well as a standardized methodology for evaluating country risk as part of new investment proposals. The business areas are able to draw on these resources, and work with the risk department to reach the appropriate policies for each country and new investment.

In the risk mapping process, rigorous quantification of probability and impact has been considered essential to make the risk maps useful to support decision making. Quantification brings a focus on the financial bottom line of the company, and makes it possible to compare different risks in a meaningful way. What one person would label a large risk may well be a small one to someone else, depending on references.

OPTIMIZING TOTAL RISK

The two tasks related to ERM discussed so far, the risk mapping process and the role of adviser to the business areas, are conceptually straightforward. The third, avoiding risk management decisions that are suboptimal for the company as a whole, is less so. To increase the understanding of the issue, we will discuss several practical examples in this section.

In Statoil, avoiding suboptimal decisions is also known as “optimizing total risk.” Optimization of total risk has been unyieldingly pursued by the ERM team, with several tangible benefits for the company. The value metric that underpins ERM in Statoil implies that it is the perspective of the company as a whole that should rule in practical situations where different individuals and business units may have differing views on how to proceed.

A straightforward example of possible suboptimal behavior concerns foreign exchange (FX) risk management. Consider a situation where one business unit is selling into a market where the product is quoted in U.S. dollars, and another unit is sourcing material priced in the same currency. Whereas each unit may have an incentive to manage its own exposure, what counts for the company as a whole is the net of these exposures. Lacking a central policy, risk could be overmanaged to the extent that managers of business units use FX derivatives to cover exposures that would cancel out from the perspective of the company. Apart from the burdensome accounting that derivatives cause, there are also significant direct costs from such overmanagement of risk. Statoil calculates that if two business areas simultaneously cover a USD 10 million exposure (by no means a large hedge by Statoil's standards), it would incur transaction costs of around NOK 180,000 (assuming a USD/NOK exchange rate of 6 and a bid-ask spread of 30 basis points). Since ERM was implemented, Statoil has withdrawn the ability of business units to set their own policy with regard to FX derivative usage. Besides avoiding the transaction costs just mentioned, a centralized FX derivative policy entails a number of other advantages, such as business units focusing on their core activities and an increased ability to coordinate the derivative policy with other corporate policies; see Jankensgård (2013) for a detailed discussion.

Our second example of potential suboptimization concerns the hedging of oil and gas exposures. Prior to ERM, business units used to have fairly generous mandates to hedge their exposures to these market prices. This created a potential problem from the perspective of the company as a whole. Besides complicating the assessment of net exposures on the corporate level, the business units were basing their hedging decisions on criteria that were disconnected from the goal of maximizing value. What drove a unit's decision to hedge was instead a desire to lock in prices when they were above the price that was assumed when targets were set for the year, but to leave them unhedged otherwise. If the business plan had assumed an oil price of $100 and it later climbed to $115, the unit could use a derivative contract to lock in this level, which ensured it would beat the target and could collect a bonus for the year. As mentioned earlier, these mandates have been gradually reined in and subjected to strict limits set centrally in the organization.

A third example of a business unit optimizing its own risk/return with the result being suboptimal decisions for the company overall comes from Statoil's captive insurance unit. Previously this unit sought to justify its existence as a stand-alone unit by showing robust profits. In so doing, it benefited greatly from the implicit guarantee provided by Statoil's credit rating and strong balance sheet. From the perspective of ERM, this is incorrect. Rather, the captive should be a tool for Statoil in optimizing total risk. Today the captive does this. The insurance policy of Statoil now targets the things that matter: the really big risks related to business continuation. That is, the insurance program focuses on the risks that really could throw Statoil off course, and ignores (i.e., self-insures) the lesser risks that ultimately have no significance for Statoil's ability to meet its overall objectives.

TOTAL RISK OPTIMIZATION: LESSONS LEARNED

Optimizing total risk may sound simple in principle. Indeed, it is one of the supposed core principles of ERM. ERM texts routinely contain phrases like “avoid duplicating costly risk management activities” and emphasize this as one of the main benefits of ERM (as opposed to a silo or decentralized approach to risk management).

In reality, optimizing total risk is not so easily achieved. A key reason for this is that it threatens the established way of doing things. Powerful units and individuals may have little interest in conforming to ERM because it reduces their autonomy and requires a change in how they work. Some deeply rooted habits may need to change. As a result, many will resist, which may prevent an ERM program from lifting off the ground.

Consider also the way the ability to manage risk hangs together with the system for performance measurement used by the company. Let's say a business unit is evaluated on its earnings before interest and taxes (EBIT). Since the unit is responsible for its own result, it seems only reasonable that it should have the freedom to manage the risk exposures related to it. However, this conflicts with the legitimate goal of headquarters to centralize management of FX risk or other core risks (e.g., oil prices) given the substantial benefits of a centralized approach (as discussed earlier). Hence, we have a conflict between the desire to centralize risk management and the way the company measures the performance of its business units.

So how do you succeed in making the ERM mind-set take root despite these potential problems? A few factors stand out in Statoil. For example, the company has ensured that key performance indicators (KPIs) and balanced scorecards that the company uses to evaluate its business units are, to the extent possible, unaffected by the centrally managed core risks we introduced earlier. This is a very important principle, because it resolves many of the potential conflicts of interest that could arise from centralizing risk management. As mentioned, energy prices and exchange rates could greatly impact the company (e.g., its EBIT), which could create incentives for the business units to manage these risks. In Statoil, however, the performance measures used have been designed to exclude the impact of these external factors. This means that the company achieves central management of these risks but largely avoids the discontent that could result from business units having to live with large risk exposures.

Beyond established KPIs and scorecards, work has also been done to make taking the best decision for Statoil the normal and expected thing for an employee. Obvious though the foregoing may sound, many units are, for often quite understandable reasons, very focused on meeting their own targets and consequently do not see beyond the border of their unit. The ERM team has, however, sought to make it part of anyone's job description to think in terms of Statoil's net benefit. People have been made aware that this is expected of them.

Another success factor in this regard has been to spend significant amounts of time beforehand thinking about what the ERM should ultimately look like, and why. Petter and Eyvind call this “doing one's homework.” Having a coherent set of arguments ready to defend a particular measure meant to optimize Statoil's total risk has made it much easier to stand firm when people resisted change.

The Statoil experience also illustrates the importance of getting the Risk Committee right. If not done the right way, such a committee will continue in old tracks and look at risks in a silo fashion. Attendance will be low and the committee's utterances will carry little weight. If done right, however, it will develop into an effective ERM champion whose recommendations are widely respected and translated into action.

The Statoil Risk Committee today is indeed a guardian of Statoil's best interests in matters related to risk. It effectively functions as an ERM filter in which difficult questions are voiced and resolved. Policies that were earlier set in isolation in a particular department now have to pass through the Risk Committee. For example, Statoil's FX policy is prepared by the finance department, but needs to be thoroughly discussed and supported in the Risk Committee.

A useful example of the committee's role in resolving issues related to total risk optimization comes from the process of setting performance KPIs and scorecards for business units (as discussed earlier). Wrongly formulated targets are seen as a threat to total risk optimization, because they may encourage a behavior that runs counter to this goal. The Risk Committee counteracts such tendencies by checking if a particular target makes sense and is compatible with Statoil's overall best interests, a loop that in Statoil is referred to as “pressure testing” the targets.

What accounts for Statoil's success in turning the Risk Committee into an ERM champion? The importance of having the unwavering support of key individuals in the executive team cannot be overstated here. Moreover, setting up an interesting agenda with a certain content of education (especially in the early days of the program) seems to have been a key success factor for the Statoil Risk Committee. The Statoil experience also shows that the committee should remain a specialist forum, and that one should stay away from attempts to integrate it with top management. Ultimately the Risk Committee needs to remain an advisory body, not an executive one, though it needs to carry enough status to be seen as the real arbiter on risk-related issues in the company.

RISK AGGREGATION

Developing risk maps and assembling the risk register produces a lot of information about risks, in qualitative as well as in quantitative terms. The simple fact that these processes are in place provides some reassurance that the risks are recognized and given proper attention. This is a goal in and of itself.

While in many ways essential to an ERM program, risk maps are largely static devices that don't allow codependencies between risks to be taken into account in any meaningful way. As a straightforward example, consider the relationship between the oil price and the USD/NOK exchange rate. Given the oil dependency of the Norwegian economy, this exchange rate tends to be sensitive to the price of oil, which is quoted in USD. Over the decades, this has provided Norwegian oil companies with a natural hedge: A lower oil price tends to weaken the Norwegian krone, as less oil revenue needs to be converted into NOK. Such dynamic relationships are hard to capture in a risk map, yet they are highly relevant to the risk management strategies of these companies.

Nor do the risk maps easily translate into an overall estimate of the uncertainty in the firm's future performance, as expressed through financial bottom lines such as earnings, liquidity, or balance sheet ratios. These shortcomings of the risk maps bring us to the fourth task facing the executives responsible for an ERM program: aggregating the firm's portfolio of risks into some indicator, or metric, that can guide the company's executive team (and board of directors) in matters related to the firm's overall risk profile.

Alviniussen and Jankensgård (2009) argue that most ERM programs today are detached from the analytical work of predicting and managing the firm's financial position. Not taking into account the firm's financial situation means that, despite the ERM effort to identify and quantify risks, an estimate of aggregate risk continues to elude companies implementing ERM. In the enterprise risk budgeting (ERB) approach proposed by these authors, the risk register is integrated with the firm's financial planning process to generate risk-adjusted forecasts of important enterprise-level indicators of performance and financial health.

To address the concerns voiced in the previous paragraph, companies need to take a more analytical and quantitative approach to risk management. In practical terms this implies building a model that combines the company's many different risks into a probability distribution for some bottom line considered important, such as earnings or its debt-to-assets ratio. From such a probability distribution, summary risk statistics can be obtained—for example, the loss in earnings associated with a certain probability (this measure is known as earnings at risk). Generally, this approach requires some form of simulation methodology (e.g., Monte Carlo simulation).

Statoil's corporate risk model, briefly introduced earlier in this chapter, is based on these principles. It contains a sophisticated methodology for estimating the amount of variability in the firm's main risk exposures, based on historical time series, as well as estimates of the tendency of these risks to co-vary. It lets the user select an output from a list and, within a few minutes' time, obtain a probability distribution for this variable. Moreover, the user can learn what the probability distribution would look like under an alternative course of action. For example, the model allows the user to overlay the probability distribution for net income with a second distribution that takes into account a certain risk management strategy (e.g., buying put options covering a certain fraction of the company's net exposure to the oil price). Such an overlay is illustrated in Exhibit 4.3.


Exhibit 4.3 Comparing Different Risk Profiles

Statoil's risk model allows the company to produce a probability distribution for various financial parameters considered important, such as earnings or return on assets employed. The obtained probability distribution can be used to derive summary risk statistics of the company's overall risk. In this graph, the base case outcome distribution (the darker line) for net income is compared with what it would look like if the company implemented a large-scale hedge of the oil price (the lighter line). The values of net income on the x-axis have been deliberately hidden. The vertical dashed line represents the value of net income associated with the 5th percentile of the probability distribution, a measure commonly referred to as net income at risk (or earnings at risk).
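The aggregation and overlay described above can be sketched as a small Monte Carlo simulation. This is an added example, not Statoil's corporate risk model: every parameter is constructed, lognormal one-year shocks are assumed, and the function names are hypothetical. It goes slightly beyond the exhibit by also showing how the oil/FX co-variation (the natural hedge) changes the 5th percentile.

```python
import math
import random

# All parameters are constructed for illustration; none are Statoil figures.
OIL0, FX0 = 100.0, 6.0          # spot oil (USD/bbl) and USD/NOK (NOK per USD)
VOL_OIL, VOL_FX = 0.30, 0.10    # assumed annual volatilities
VOLUME = 100.0                  # barrels sold over the year (millions)
COSTS_NOK = 40_000.0            # fixed costs (NOK millions)
STRIKE, PREMIUM = 90.0, 7.0     # put strike and premium paid (USD/bbl)

def simulate_net_income(rho=-0.5, hedge_fraction=0.0, n=20_000, seed=7):
    """Sorted one-year net income outcomes (NOK millions).

    rho: correlation between oil and USD/NOK shocks; negative means a
    lower oil price comes with a weaker krone (the natural hedge).
    hedge_fraction: share of volume covered by bought put options.
    """
    rng = random.Random(seed)
    outcomes = []
    for _ in range(n):
        z_oil = rng.gauss(0.0, 1.0)
        # Cholesky step for two factors: z_fx has correlation rho with z_oil.
        z_fx = rho * z_oil + math.sqrt(1.0 - rho * rho) * rng.gauss(0.0, 1.0)
        oil = OIL0 * math.exp(-0.5 * VOL_OIL**2 + VOL_OIL * z_oil)
        fx = FX0 * math.exp(-0.5 * VOL_FX**2 + VOL_FX * z_fx)
        put_pnl = max(STRIKE - oil, 0.0) - PREMIUM
        usd_per_bbl = oil + hedge_fraction * put_pnl
        outcomes.append(VOLUME * usd_per_bbl * fx - COSTS_NOK)
    outcomes.sort()
    return outcomes

def percentile(sorted_outcomes, p):
    """Empirical p-quantile (0 <= p < 1) of an already sorted sample."""
    return sorted_outcomes[int(p * len(sorted_outcomes))]

def net_income_at_risk(**kwargs):
    """5th percentile of simulated net income, as in Exhibit 4.3."""
    return percentile(simulate_net_income(**kwargs), 0.05)

if __name__ == "__main__":
    for label, kw in [("base case", {}),
                      ("50% put overlay", {"hedge_fraction": 0.5}),
                      ("no oil/FX co-variation", {"rho": 0.0})]:
        print(f"{label:>24}: {net_income_at_risk(**kw):10.0f}")
```

Under these assumptions the put overlay raises the 5th percentile while lowering the upper tail by the premium paid, and removing the negative oil/FX correlation makes the 5th percentile worse.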

THE FRONTIERS

Part of the philosophy of ERM in Statoil is never to lean back and consider the job done. While the progress in achieving the necessary buy-in for new approaches is gradual and sometimes slow, the frontiers are pushed ever forward. Decision makers around the company need to have their worldviews challenged, as the thinking goes, and to be provoked into new ways of looking at things.

One area where work is currently being done is giving the concept of risk appetite a content that is meaningful to Statoil. Risk appetite is commonly construed as the amount of risk exposure a company is willing to retain in order to pursue the upside potential it considers appropriate and desirable. True to its tradition of quantifying risk, Statoil frames risk appetite in terms of several quantitative risk measures. Return on capital employed (ROCE) is one of the performance indicators that Statoil considers useful in this regard, since it sums up the net effect of a large number of risk exposures. Risk appetite in Statoil is about formulating, for a given upside, how large a potential shortfall, or tail risk, Statoil is willing to accept in terms of a particular performance indicator; see Jankensgård (2010) for a discussion about constructing shortfall risk measures in an ERM context.

Another area where Statoil is pushing the frontiers concerns the relationship between ERM and strategy. As part of this project, the ERM team has developed estimates of how different strategic paths would contribute to different risk categories, such as reservoir risk, implementation risk, market risk, or risks related to health, safety, and environment. Depending on which strategic path is considered, the composition of the company's overall portfolio of risk would gradually shift in a particular direction (see Exhibit 4.4). This initiative is about clarifying the nature of this impact and making senior decision makers aware of the consequences of their strategic decisions.


Exhibit 4.4 ERM and Strategic Risk

This graph illustrates how different strategic paths would, if implemented by management and the board of directors, impact the overall composition of Statoil's portfolio of risks. Each bar represents a strategic path, and the shadings indicate the relative importance of different types of risk (country risk, market risk, implementation risk, and so on). The y-axis shows the expected risk (probability/impact) associated with each strategic path on both the upside and the downside. Note that certain risk categories appear on both the upside and the downside, and that these impacts need not be equally large. This asymmetry is also present for market risk, due to differences in marginal taxation across different income levels for oil companies. In the final decision making, the risk profile of each strategic path would have to be compared with the estimated investment outlays and the expected return on investment (not shown in the graph).

CONCLUSION

In Statoil, understanding and managing risk is today considered a core value of the company that is written into the corporate directives and widely communicated to employees. ERM is thoroughly embedded in the organization's work processes, and its Risk Committee has managed the transition from a silo mentality to promoting Statoil's best interests in areas where risk needs to be considered. The company has introduced the concept of core risks, which are the risk exposures that the company needs to manage consistently vis-à-vis its investors and which therefore require central management. In several areas where risk management used to be pursued in a silo fashion, based on incentives existing locally in the organization, risk is now optimized from the perspective of the company as a whole. ERM in Statoil is not a control function aimed at minimizing risk, but dedicated to the goal of maximizing enterprise value given both downside risk and upside potential.

Achieving these outcomes is by no means trivial, because it challenges the organizational status quo and forces people to think and act differently with regard to risk. Statoil's success in achieving these outcomes is largely explained by the diligent work of a few key individuals, who consistently over many years have pursued a risk management program that maximizes the value of the company as a whole, as well as the strong support of the executive officers and directors. The ERM program has involved changing people's attitudes toward risk, and making Statoil's enterprise value the metric that people are ultimately expected to pursue. It has also involved thoughtfully changing the performance evaluation systems in ways that address the potential conflicts of interest that result from centralizing risk management.

QUESTIONS

  1. Why might it be in a firm's best interest to centralize the management of some risks but not others?

  2. Describe why the organizational status quo might lead to resistance to ERM implementation. How can this potential resistance be overcome?

  3. How do you succeed in making sure that the risk committee really turns into an ERM champion, as opposed to continuing in a silo mentality?

  4. What are the costs and benefits of integrating the ERM risk register in the firm's financial model to obtain “risk-adjusted” financial forecasts?

  5. What are the key financial risk factors that a company could encounter?

  6. What should limit Statoil's capacity to invest in profitable new oil projects, that is, take on new risks?

  7. For which risk factors would it be advisable to use Monte Carlo simulation to quantify the distribution of outcome?

  8. In what cases would it be relevant for an oil company to consider effects of correlation between risk factors in quantifying risk?

NOTES

1 This is not to suggest that internal audit has been excluded from the ERM process. On the contrary, internal audit has been strongly supportive of ERM and has contributed valuable resources to it.

2 This is underscored by the fact that the risks related to health, safety, and environment are the responsibility of a separate corporate function (Corporate Safety).

3 Statoil's internal communication puts it this way: “We live by taking risks.”

4 The term satisfice was introduced by the American researcher and Nobel laureate Herbert Simon in 1956. It refers to a decision-making strategy that seeks to achieve an acceptable outcome, as opposed to the optimal outcome, which requires expending more time and effort.

5 Statoil's shares were simultaneously listed on the New York Stock Exchange.

6 The quarterly review meetings are occasions in which top management meets with business areas to discuss the unit's performance vis-à-vis previously agreed targets. This refers to the unit's overall financial performance as well as specific key performance indicators. Risk is therefore only one of several issues on the agenda for these quarterly reviews.

REFERENCES

  1. Alviniussen, A., and H. Jankensgård. 2009. “Enterprise Risk Budgeting: Bringing Risk Management into the Financial Planning Process.” Journal of Applied Finance 19, 178–192.

  2. COSO. 2004. Enterprise Risk Management—Integrated Framework. New York: Committee of Sponsoring Organizations of the Treadway Commission.

  3. Jankensgård, H. 2010. “Measuring Corporate Liquidity Risk.” Journal of Applied Corporate Finance 22, 103–109.

  4. Jankensgård, H. 2013. “Does Centralization of FX Derivative Usage Impact Firm Value?” European Financial Management, forthcoming.

  5. Jankensgård, H., K. Hoffman, and D. Rahmat. 2013. “Derivative Usage, Risk Disclosure, and Firm Value.” Financial Management Association Europe Conference Paper.