Skip to main content

Articles & Blogs

Three questions oil and gas companies should ask to improve their Operations Risk Management

Published Date
Author Bob Hooper

Three questions to get your oil and gas company’s risk management strategy into shape


Oil and gas companies can spend most of their time on a knife edge when it comes to managing risk.

Hazardous substances can damage facilities, people, or the environment, pipelines or machinery can break down, digital systems can be hacked… the list of risks feels almost infinite and ever-changing.

While inherent risks are common among process industries, oil and gas companies are no exception to elevated levels of risk. This heightened vulnerability stems from dealing with hazardous materials that have the potential to cause explosive reactions. Even a minor mistake during production could set off a chain reaction of severe consequences, leading to significant financial losses – not to mention the ethical, legal and human consequences associated with any such incident.

This is what makes operational risk management – or ORM – so crucial for the oil and gas industry.

However, mitigating the likelihood of consequences is a complicated task that involves balancing numerous interconnected business processes.

How do you know if your strategy is robust enough – or, more importantly, how can you catch any gaps in your strategy before risk becomes a reality?

In this blog, you’ll discover the three key questions that any oil and gas company should ask when managing operational risk and how you can use them to protect your business, your people and the wider environment.

Major sources of risk for oil and gas companies

Before we dive into ORM and those three questions, let’s take a look at what risk looks like for oil and gas companies.

In this industry, risk falls into five broad categories:

  • Risk to (and from) people – This covers both the risk that your people or the public will be injured by an incident and the risk that a person will damage your business or assets in some way – either intentionally through sabotage or unintentionally through human error.

  • Regulatory risk – Different parts of the industry are subject to very different regulations: for example, midstream companies in the U.S. must comply with regulations from the Department of Transportation, EPA, BLM, FERC, and a range of other agencies, while upstream companies must comply with maritime safety regulations imposed by the U.S. Coast Guard or BSEE. All of these regulations come with sizable consequences for non-compliance. The harder it is to track and prove compliance, the greater the risk of an incident and incurring a large fine.

  • Environmental risk – Every part of the industry, from upstream to downstream, can cause major environmental damage, not to mention that fossil fuel extraction and the subsequent use of carries a huge carbon footprint . This is a concern for the environment itself but also for your reputation with customers.

  • Financial risk – Profit margins in the industry tend to be razor thin, particularly for refineries. This means any incident which loses the company money – whether that’s damaged equipment, downtime due to an accident or a malfunction or fines for non-compliance – can be truly catastrophic.

  • Cyber threats – On average, cyber attacks caused oil and gas companies six days of disruption and $3.3 million of financial damage . The role that oil and gas companies play in the economy and in wider society makes them particularly attractive targets for any attacker looking to cause disruption or extract sensitive data – whether for political reasons or financial gain. As a result, O&G companies must be prepared to defend themselves against everything from DNS hijacking to data leaks and attacks on corporate VPNs.

Ensuring that your risk strategy effectively covers all of these risks can be tricky.

But addressing three – equally important – areas can have a major impact on the quality of your ORM strategy: optimizing training and hiring processes, building a culture of safety and using the right technology.

  1. Do the people on my team add to my risk or decrease it?

People are inherently unpredictable. Unlike machines, they have an unsettling tendency to do things that aren’t strictly logical – which means they’re one of your biggest sources of risk.

But they’re also the only way you can go about mitigating risk. Every measure you take will depend on your people doing the right thing, in the right way, at the right time.

So, your ORM strategy needs to be built around making it easier for your people to achieve operational excellence.

Do your people have the training they need to perform mission-critical procedures safely and correctly? Do they understand the importance of following your safety procedures? Is their training up to date?

You’ll need to carefully track every individual’s training and certifications – and make sure they receive the OSHA-required training they need every time they use a new piece of machinery, move to a new or move into a new position.

  1. Can cost pressures increase my risk?

Ask yourself: have you created an environment where people feel comfortable prioritizing minimizing risk? Do people at every level of seniority feel comfortable reporting potential risks, even if it means sacrificing productivity or reducing profits? Have you made it clear that it’s always better to investigate a potential risk, even if it turns out to be nothing?

Without careful consideration, it’s easy to fall into what Hopkins calls a ‘Culture of Denial’, where employees are more worried about paying lip service to safety than they are about actually following safe practices. In these cultures, people tend to cut corners and underestimate the likelihood that consequences may occur in instances where mitigating risk might lower productivity – often with devastating consequences.

  1. How am I leveraging technology to reduce risk in my operations?

Managing risk really means being ready for anything and anticipating the unlikely. It requires an almost supernatural ability to anticipate any outcome, understand every factor that influences an incident and implement a plan that addresses everything.

That kind of granularity isn’t possible without the right technology on your side.

But the best technology doesn’t just enable your ORM strategy; it upgrades it, making the process of risk management more effective, more responsive and easier to implement.

Let’s take a look at some examples of how technology can improve your ORM:

  • Digital twins allow you to visualize all of the potential risks and all of the measures you have taken to mitigate risk, bringing all of the relevant real-time information and documentation together on one platform.

  • Operation management systems (OMS) allow you to digitalize logbooks, handovers and near misses, MOCs, permits and LOTO, instead of relying on easily overlooked emails or paper documentation. This makes it significantly easier to ensure everyone always has the information they need to make the safest possible decision.

  • Knowledge management systems are an excellent way to improve your training and reduce your people’s reliance on memory or paper documents. A good KMS makes process documentation and training content instantly accessible via a phone or tablet, so the information is always there when your people need it.  

  • Centralized asset management systems make it easy for every employee to stay up to date with the condition of your assets. By storing everything from asset structures to work orders, these kinds of tools allow your people to make safer, more informed decisions when using any type of machinery.  

  • Process safety analytic systems simplify the management of process alarms, control loop performance, critical process boundaries and the safety systems and interlocks that you have implemented. This simplification allows for efficient monitoring of existing safety measures and quick identification of issues as they arise.

Safety, efficiency and control beyond ORM

Answering these three questions can be a powerful means of upgrading your ORM strategy. But implementing the right technology can allow you to go even further. At Hexagon, we help our partners use data and technology to achieve new levels of efficiency, visibility and control – empowering them to run more profitable, safe, and sustainable facilities.  

In our webinar ‘Smart Digital Reality™: Solutions for the Industrial Facilities.’’, we’ll show you how a holistic, unified digitalization strategy can:  

  • Improve asset availability 

  • Reduce maintenance costs 

  • Mitigate compliance and risk management and investigation efforts 

If you’re ready to take control and put your unused data to work, head here to watch the webinar.  

About the Author

Bob Hooper is a senior industry consultant at Hexagon with a successful track record in the development and implementation of operational excellence, lean manufacturing and reliability programs within the oil and gas, chemicals and consumer products industries. His areas of expertise include program management and change management, and he specializes in helping customers understand the intricacies and applications of a variety of digital technologies.

Profile Photo of Bob Hooper
More Content by Bob Hooper