It is no surprise that the oil and gas industry is a high-risk one. Between health and safety concerns, reputational risks, cyber-attacks, reliance on a complicated supply chain, and more, oil and gas companies need to be ahead of the game when managing risks and building resilience. Yet, organizations in all industries are finding that a traditional, one-size-fits-all approach to third-party risk management (TPRM) is no longer able to combat complex challenges and an evolving vendor landscape. Instead, taking a holistic approach to TPRM is necessary to ensure that operations are secure, personnel is safe, and products are delivered to market on time.
Oil and Gas Industry Risks: The Pandemic Effect
In an industry that already faces an array of high risks, the recent pandemic has placed increased strain on oil and gas operators who have faced collapsing oil prices, worldwide disruptions due to border closures, and oilfield service equipment (OFSE) supplier delays. Many OFSE suppliers filed for bankruptcy during the pandemic, causing further disruptions.
Despite the headaches that this event has caused, it has also proved an opportunity to implement innovative organizational changes. The pandemic has allowed companies to re-think the way they do business, address their risks, and be selective when partnering with suppliers, allowing for greater resilience. This shift demands a more holistic way of thinking and collaboration across the organization, encompassing executives, risk, procurement, legal, compliance, and other functions.
By taking a holistic approach to third-party risks, those in the oil and gas industry can:
Boost time and cost efficiencies
Have holistic, multidimensional coverage of risks
Increase transparency into third parties’ investments and activities
Build cyber resilience
Establish best practices throughout the supply chain
Examining Supplier Risks in the Oil and Gas Industry
According to Gartner research, 60% of organizations have over 1,000 suppliers. Due to the complex nature of oil and gas exploration, production, distribution, etc., supply chains and their risks are more complex than most industries and organizations. Supply chain disruption was a massive impact of the pandemic for oil and gas companies when prices dropped below $20 a barrel, the lowest since 9/11. This caused many operators to halt work and cut costs which reduced cost production 30%.
These impacts are long-reaching and caused not only ripples but massive disruptions along the entire value chain. According to oil and gas studies conducted by BCG,
“Our findings indicate that operators are often failing to recognize the level of financial distress in their supply chains. Many are still using the traditional cost-cutting measures that they’ve used in previous crises. But this time, these measures are not only inadequate for achieving the depth of cuts needed to break even, but they are also jeopardizing their suppliers’ continued existence.”
In addition to supply chain disruptions due to the pandemic effect, oil and gas companies must also act on enhanced cybersecurity threats facing their operations. For ransomware alone, the first half of this year has seen an increase of 102% in incidents compared to the same time last year. The average cost of each attack is over $300,000 and in total, ransomware cost companies $20 billion in 2020 – 75% higher than 2019. One of the most noteworthy and disruptive events recently occurred in May of 2021 when Colonial Pipelines informed the public that it had experienced a major ransomware attack and had halted all systems. As a major supplier of 45% of the East Coast’s gasoline, this halt in operations led to panic, gas price increases, and an acknowledgment of the vulnerability of aging infrastructure. This type of disruption affects everyone involved along the value chain, not just the direct target of the cyberattack.
These enhanced supply chain and cyber risks seen in recent years by no means eliminate traditional risks facing oil and gas companies. These include third-party risks arising from regulatory standards, technology, political and geological risks, and more. Risk management programs must be able to wrap their arms around these, as well as emerging risks on the horizon.
World Economic Forum’s Recommendations for Managing Third-Party Risks
In order to help oil and gas companies take an agile approach to supplier risks, the World Economic Forum has released a set of recommendations for managing third-party risks. Highlights of this include:
Recommendation 1: Create cybersecurity baseline requirements for third parties based on:
Clear roles and responsibilities
Established access controls
Management of critical assets
Implementation of change and configuration management
Requiring secure-by-design/by-default systems
Maintaining response and recovery mechanisms through BCM and disaster recovery planning
Protection of critical information that aligns with policies
Physical and operational security
Implementation of a secure development lifecycle for products and tools
Supporting vulnerability management and patching
Recommendation 2: Create and implement an evaluation approach that depends on the level of risk that suppliers, products, and services bring to your organization through a combination of different evaluation criteria and methods. This evaluation should depend on scoring ratings, shared assessments, industry certifications, and internal assessments.
Recommendation 3: Ensure that continuous monitoring is in place for all third parties depending on their level of risk. Do this by making sure mutually agreed-upon cybersecurity contractual terms and conditions are established, assess if additional terms are necessary based on internal inherent risk approaches or segmentation criteria. Be sure to also engage with subject matter experts familiar with risks, as well as legal departments throughout the negotiation process.
Recommendation 4: Continuously collaborate with supply chain stakeholders to identify and mitigate cyber risks together. Do this through:
Setting up regular reviews of each third party’s risks
Reviewing continuous monitoring activities
Defining criteria that would trigger additional audit or assessment activities (and automate this process)
Ensure that cybersecurity is included in reviews with third parties
Have defined reporting mechanisms in order to have a performance scorecard
Best Practices for Taking a Holistic Approach to TPRM
Due to the interconnectivity of all industries, supply chain stakeholders must work together with TPRM professionals to take a holistic approach to mitigate emerging risks, streamline processes and increase transparency throughout the organization. In addition to the World Economic Forum’s recommendations, Aravo also offers some best practices to get this process started:
Really know your supply chain:
Before you can manage third-party risks, you need to gain a complete understanding of who your vendors are, how dependent you are on them, and what exactly they bring to your table. Identifying all of your suppliers and what they do is critical for understanding the risks and vulnerabilities they can pose, whether they be upstream, midstream, or downstream. In addition to the suppliers that you have direct contracts with, it is also important to know your fourth parties and nth parties- i.e., your third parties’ subcontractors and potential risks they can bring.
Work together to eliminate silos:
Traditionally, many risk-related functions were siloed from other areas of the business, such as compliance, procurement, legal, etc. With enhanced risks on the horizon, continuing to isolate functions, processes, and technology leaves you vulnerable to supplier and other risks. By integrating or centralizing formerly siloed processes such as third-party risks, supply chain functions, and more, oil and gas professionals can gain greater security and resilience for their organization.
Get the support you need:
Gaining executive support is critical for pushing a holistic culture, collaborating, and for managing enhanced third-party risks. Make sure that you have management sponsorship and support. This helps build trust between operators and suppliers and encourages new, innovative ways of thinking.
Re-think how you approach procurement:
Where in the past, a one-size-fits-all practice for managing suppliers may have met the status quo, this is no longer the case. Procurement wizards should also be thinking holistically within their job functions and incorporating overall company strategy, relationship management, and collaboration between departments into their priorities. This allows teams to get an overarching view of suppliers, which pose heightened risks to organizations, and how to create customized processes where needed.
Don’t forget about financial health:
Operators need a more holistic view of the financial health of their suppliers to be able to identify risks early and react quickly. Make sure financial health models are up to date. This can be done through continuous monitoring, ongoing due diligence, and risk assessments so that information and data are viewed in real-time, rather than being months out of date.
Hannah Tichansky is the Senior Content Marketing Manager at Aravo Solutions, the market’s smartest third-party risk and resilience solutions, powered by intelligent automation. At Aravo, she manages all content and thought leadership produced for products and campaigns, and contributes as an author for articles and blog posts.
Hannah holds over 12 years of writing and marketing experience, with 6 years of specialization in the risk management, supply chain, and ESG industries. Hannah holds an MA from Monmouth University and a Certificate in Product Marketing from Cornell University.
Hannah Tichansky is the Senior Content Marketing Manager at Aravo Solutions, the market’s smartest third-party risk and resilience solutions, powered by intelligent automation. At Aravo, she manages all content and thought leadership produced for products and campaigns, and contributes as an author for articles and blog posts.