What is the risk in the energy industry

Risk analysis and risk management in the energy industry

"More than just a scarcity of resources"
Security is a basic need that everyone feels differently for themselves. In this context, however, it should be seen that personal experiences have an influence on a person's risk awareness and behavior. This means that someone who has already been broken into three times has certainly developed a different sense of security and risk awareness than someone who lives in an area where the neighbors bring something instead of taking something away.
In this respect, it is important in a company and in its linguistic usage to develop a generally applicable understanding and measurable risk awareness. Unfortunately, over time, there have been enough examples of people or companies that have failed to meet these challenges. The already much-cited sinking of the Titanic and the environmental catastrophe in the Gulf of Mexico gained notoriety among the public.

Risks happen to us personally every day, but above all in companies. We are aware of this development and those of us who have already implemented risk management systems are sure to realize that risks that we recognized ten years ago as a strategic focus now have an impact on case law and corporate organizations. In this context, the example of KonTraG (law on control and transparency in the corporate sector) should be mentioned, which, as a collection of laws, brought with it 62 different changes to the law in the areas of the commercial law, the stock corporation law and the cooperative law. Section 91 / Paragraph 2 of the German Stock Corporation Act and Section 317 of the German Commercial Code (HGB), Paragraph 4 have proven to be of particular importance. Based on these paragraphs, it can be seen that the regulations have an impact on other companies and thus also apply to GmbHs and other corporations in case law. Companies are required to have a system for early risk detection and risk prevention.

Basel I and II are the result of media-effective corporate insolvencies such as Flowtext, Swissair, Holzmann, Kirch Gruppe or the Schneider case. These examples alone caused billions in damage and led to global alignment and the liberalization of the stock market. In addition, the Bank for International Settlements has prescribed the commercial banks how to deal with their credit terms. Not only the loan amount and term were relevant longer, but also the creditworthiness. Put simply, this means bad creditworthiness, higher risk, higher interest rates - good creditworthiness, low risk, low interest rates.

Thirdly, the development of the corporate governance guidelines should be mentioned as a term that includes a bundling of principles, rights and standards. And here, too, the rights and tasks of the statutory organs are regulated. This affects the board of directors, management and the supervisory board. In this combination, we are talking about value management or trust management

If we look at these developments in an interim conclusion, then we have the board of directors and managing directors who apply the principle of the prudent and conscientious businessman in their field of business. In addition to the pressure from the legislature to deal with risks and their effects if two of the following criteria are met, the company is obliged to implement risk management throughout the company.

What are the individual criteria:

  • The balance sheet total is greater than 3.5 million euros
  • The turnover is greater than 6.78 million euros
  • The companies have more than 50 employees

If the company fulfills two of these criteria, the board of directors and the management are responsible for action and a risk management system must be implemented.
If the company does not meet this responsibility, there is an organizational fault, the board of directors and management are liable.

For a company, however, the area of ​​responsibility for action is much larger and more extensive. In addition to these specifications, there are also the so-called soft facts. Loss of reputation, public credibility, weaknesses in the market position Caring for employees, responsibility for customers, seeing the brand profile as a company value, are all part of it.

For the field of the energy industry z. For example, the assignment to the critical infrastructure KRITIS area results in additional responsibility for action. This allocation is made by the federal government, which has defined various companies as an essential resource for the basic supply of the Federal Republic.
The energy sector is one of them. This area is stopped and, due to its special position, obliged to provide risk analyzes and risk management.

The energy industry of the future should conserve resources, safeguard the environment and climate compatibility, guarantee security of supply and minimize technical risks, while at the same time being economical and competitive.

Possible risks to the energy industry that challenge or endanger during this mission are certainly risky business transactions, incorrect accounting or violations of legal regulations. These are usually certified by the ranks of the auditors. However, it is also common practice that classic company risks (see graphic) are not taken into account in the risk portfolio.

On closer inspection, the subject of operational risks easily contains 100 - 150 different risk definitions that have more or less influence on the risk structure and risk strategy. Technical risks or the area of ​​high-risk crime are of great importance with enormous consequences. At first glance, crime as a risk area in an energy company appears to be far removed from energy industry practice, but at second glance and with the assignment of the area of ​​industrial espionage to the risk area of ​​crime, it is gaining in importance.

Information from public newsletters of the Federal Office for the Protection of the Constitution indicate that the energy industry has become a focus of Russian industrial espionage. Countries that work in particular with regenerative and new energy sources are the focus of Russian awareness-raising activities.

Risks are therefore not always just the classic ones, as we recognize them at first glance, but also mean the possibility of an undesirable event occurring. The example shows once again how important dynamic risk management is. A continuous consideration of risks in the sense of a cycle is advisable here and supports sustainability through a cycle in which the respective risks are checked again and again. An active early warning system is created to recognize risks, which opens up the opportunity to counter the risk in a targeted and conscious manner. The term risk should be seen in connection with an opportunity. This so-called risk cycle serves as the basis for risk and opportunity management and can also be found in various standardized procedures. (AS / NSZ 4360, ONR 49000)

Risks are generally measured using two parameters, the probability of occurrence "What can happen?" and the extent of the damage. "What can happen?" This approach makes it easy to visualize risks. Here it is of crucial importance for an overall picture of the company risks to apply a three-dimensional view. This approach results from the identification of the risks across the observation levels (e.g. starting in the business area up to the group structure), the observation areas (e.g. production areas, projects) and the risk factors (such as e.g. business risks, negligence, Routine).

A picture of the current risk situation of your own company is created. Depending on the complexity of the organization in the company and the size of the company, a risk definition of 100 - 150 points can quickly come together. Risks with a low probability of occurrence and a high degree of damage but also risks with a low degree of damage and a high degree of occurrence are found, so that the next step in risk management is to aim for a reduction in the risk.

Ideally, you follow a defined risk strategy that has already been defined in advance. Tried and tested, described and customary risk strategies are to be avoided, reduced, passed on or the risk taken by oneself.

Passing on as a strategy is, for example, a classic insurance topic - or the creation of general terms and conditions. The graphic shows "doing nothing" represents a "high risk", "avoiding" a low risk.

Probably the most frequently used way to counter risks in practice is to reduce a risk through organizational or technical measures. This makes it possible to start directly with the cause of the risk and work towards reducing the probability of damage occurring. In this context, most companies unfortunately find for themselves that there is a lack of a consistent and holistic organization for processing the topics and management focal points. This can certainly also explain the fact that there are reinsurers who have proven on the basis of data collections that large and very large losses are never caused by individual faults. Through the interaction of at least two events, each of which appears harmless in itself and this has possibly always been present, their connection was not foreseen and this had nothing to do with each other. This was almost always a human error and therefore a system failure.

One possible solution to prevent this type of system failure is to set up or convert an organizational form into a "Corporate Security Management System", a system with which those responsible place the risks of your company on three pillars.

Risk management as a pillar and sub-area of ​​this management system forms the most important part of the management system, since with the right understanding and correct procedures, damage or dangers must not even occur. The function is designed for prevention. The second pillar is security management, which, as an operational part, has to bear the everyday burden of security precautions or the processing of measures. The exact burden this is based on the findings and conclusions of risk management. The third pillar is crisis management. Trained teams react to an "event" with the aim of limiting damage, protecting those affected or avoiding damage to the company's image. Crisis management is ultimately the reaction to events that should have been dealt with beforehand.

The area of ​​risk management is the part of the work to which companies are obliged, safety management is the area that is needed for risk control and crisis management as a "fire brigade system" has become part of good practice. Corporate security management understood in this way is the roof of risk, but above all also opportunities management. It guarantees competitiveness, secures lending according to Basel II, protects the company and its organs from civil law claims for damages, public claims through official orders, criminal and regulatory prosecution and lowers the process costs for holistic support.