(76b) Managing Operational Risk in an Enterprise Risk Management Framework

Chevron has a structured approach to enterprise risk management that is aligned to ISO31000 and consistent with industry best practices including the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework. Risks are assessed across the full scope of the enterprise within thirteen categories.  These categories address all aspects of our business - operational, legal, strategic, financial, stakeholder, etc.   Each category of risk has a senior management risk owner who is responsible for generating the assessment and reporting on the adequacy of the safeguards and systems in place to manage the risks.  The risk review focuses on specific hypothetical/potential high consequence events that could be material at the corporate level, even if they have a low probability of occurrence.    The enterprise risk process helps to assure that risks are managed at appropriate levels across Chevron and that sufficient safeguards are embedded in our business processes. 

Our enterprise assessments have consistently identified Operational risk, particularly the potential for a major process incident, as a significant component of the overall enterprise risk profile.  Operational risk is important both as an individual risk category and because an operational incident can impact other categories of risk such as stakeholder, legal, and legislative.   Therefore, our ability to assess and manage operational risks at a detailed level is foundational to overall enterprise risk management.  

At Chevron, the operational risk component of enterprise risk management is informed by a comprehensive health, environment and safety (HES) risk management process.  Our HES risk management process requires that detailed qualitative and quantitative risk assessments are performed on complex assets that have the potential for high consequence process safety events.   These assets span a diverse operational and project portfolio that includes upstream, midstream and downstream facilities with varying age and in a range of operating environments.  The output of these risk assessments is a facility specific risk profile for each asset.  These facility risk profiles directly support enterprise risk management by identifying the facilities and scenarios that have the potential to be material at the corporate level and the safeguards that are in place to prevent these scenarios.   Individual facility assessment information is aggregated to qualitatively characterize the nature and extent of operational risk exposures for the enterprise.   The safeguards, including management systems, which mitigate these risks, are also described along with the status of continuous improvements.     

Our qualitative approach to Operational risk, based on a foundation of quantitative and qualitative risk assessment and managed within an enterprise risk management framework, has improved risk understanding and stewardship.   However, as our portfolio has expanded and become more complex, we have been developing means to continually improve risk management.  This paper will discuss our current approach to risk management and will highlight some of the latest additions to our toolbox, including quantitative analysis approaches to support risk comparison and aggregation, and ultimately risk reduction.  This focus on risk reduction will enable improved operational risk management.