Communicating risk inside Saipem
a leading contractor in the oil and gas industry
Industrial Risk & Opportunities and Knowledge Management, Saipem S.p.A.
Saipem believes that the perception and evaluation of risk are highly affected by emotional and cognitive individual factors. Such influences can lead to inaccurate communication of the risk among stakeholders within the company. The adoption of a robust risk management methodology helps in reducing the influence of subjective perceptions. This methodology is supported by: (1) a clear structure of roles and responsibilities; (2) a corporate support function that disseminates risk-aware culture and analyzes project inputs; (3) a set of “golden rules” for each and every project to adhere to; and (4) an intranet-based tool extensively populated by project risks that provides a good overall view of the risk profile of the company as highlighted in a corporate report.
Saipem is a large, international turn-key contractor in the oil and gas service industry, with a diversified and well-balanced portfolio of contracts and a strong focus on oil- and gas-related activities in remote areas and deepwater (Exhibit 1). Saipem is a market leader in the provision of engineering, procurement, project management, and construction services with distinctive capabilities in the design and execution of large-scale offshore and onshore projects and technological competencies. Saipem is organized in three business units (offshore, onshore, and drilling) and employs over 35,000 people of more than 100 nationalities.
Exhibit 1 – The context
Saipem's business profile entails exposure to a broad, often interwoven range of risks due to the characteristics of the projects (i.e., complexity, multiple disciplines, harsh/remote environment, sophisticated technology, Capital Expenditure (Capex)-demanding leadership, large project scale, demanding clients, tight schedule constraints, lump-sum/turnkey contracts, maximization of local content, and a highly decentralized business model).
Risk Management Issues
Risk assessment means assigning values to two dimensions of an uncertainty: perceived probability of occurrence and estimated impact on objectives. Although impact can be defined in terms of quantifiable effects on objectives, assessment of probability is more difficult in the absence of meaningful/significantly populated records.
Saipem's business is “project” oriented, and projects are always unique. Even though a significant number of records are available, statistics and trends in terms of occurrences are difficult to establish.
Research is available showing how difficult it is to give a universal meaning to probability. For instance, when we define an event as being “rare,” we have a very wide range of opinion as to what “rare” means (from 4% to 30% in Hillson's Describing Probability: The Limitation of Natural Language, 2005). Similarly, when we say an event is “probable,” some of us believe this means a 50% chance of happening, whereas others believe it means a 99% chance of happening (Hillson, 2005).
By definition, risk perception assessment is personal and subject to emotional influence. Risk perception is also influenced by manageability, proximity, propinquity, urgency, and relatedness.
Impact definition, in a project context (unique nature), is most of the time difficult as well. Inaccuracy of the estimation of certain impacts and the unpredictability of others give little significance to the quantitative analysis that is fundamental information to communicate within the company.
What is Saipem's solution to this basic hesitation?
As a first step, Saipem established, in an indirect way, that their company risk appetite level should be based on the “golden rules.” These are best practices that reflect collective knowledge and experience, accumulated by the company through its national or international contracts. This document incorporates the lessons learned from previous projects and risk assessments. The compliance with these rules ensures the reduction of risk to a tolerable level and enhancement of opportunities to an optimum level and allows for better control if these rules are deviated from.
Second, Saipem has adopted a robust risk management methodology: simple, easy, proven by its wide adoption, and coordinated by a corporate function. In other words:
- diversity of opinion (each project team member has his or her own information),
- independence (each project team member's opinions are not influenced by others),
- decentralization (each project team member is specialized in his or her own area of business),
- together with a corporate aggregation methodology (a mechanism for turning private judgment into a collective decision).
These issues are considered by Saipem not a weakness of the methodology but the base of the collective wisdom (James Surowiecki in The Wisdom of the Crowds, Doubleday, 2004). Individual risk perceptions correctly and progressively elaborated lead to a significant projects portfolio/company risk exposure.
Methodology, Organization, and Tools
This section describes the risk management process (Exhibit 2) applied in the Saipem Group at the project level (ISO 31000: “Risk management is tailored - Risk management is aligned with the organization's external and internal context and risk profile” (ISO, 2009, p. 8)).
Saipem's risk management methodology is supported by a set of tools to evaluate and manage the project risks and opportunities during the whole life cycle of the project, beginning from the prospect phase, following through to the proposal and execution phases, and then completed after the close-out phase, feeding the knowledge database (the analysis performed in each phase becomes input for the next one).
Exhibit 2 – Saipem risk management process as a continuum
The risk management process encompasses these five classical phases:
Analysis (both qualitative and quantitative)
Monitoring and Control
The Plan also includes the required involvement of the main vendors and subcontractors, partners, intra-group companies, and clients. Dedicated templates have been developed by the corporate function and are available to all the projects.
During Identification there is emphasis on risks and opportunities that must be stated (cause - risk or opportunity - effect). The activity is implemented through workshops, interviews, “golden rules,” analysis, risk breakdown structure analysis, and retrieving information from past experiences.
The Saipem identification workshop involves the project team members (e.g., project manager, technical manager, discipline leads, project control, and contract manager). After an individual session (20 minutes) of private and independent work where all are invited to write risks and give a qualitative assessment, the meeting is spent sharing the risks identified within the team and defining the risk owners for each of them. This is a primary moment when the collective wisdom is exploited: identification, qualitative evaluation, and risk owner definition are not individual issues but are collective decisions (as the successive step).
Risk Analysis is the process used to evaluate the expected impact of each identified risk, both in terms of qualitative analysis (for initial risk screening in terms of criticality) and quantitative analysis (expected economic impact associated with each risk/opportunity).
Saipem adopts two different approaches for the calculation of the project net risk value:
- The arithmetical approach (simplifying assumptions are that each risk occurs and occurs with an impact equal to the expected value): the output is a numerical value.
- The Monte Carlo simulation approach: the typical output provided by the Monte Carlo simulation is a cumulative probability-impact curve of risks.
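The two calculations side by side, as an added example that is not part of the original paper and is not Saipem's tool. The register entries are constructed, and the independence of risks, the yes/no occurrence draw, and the triangular impact distribution (whose mean stands in for the weighted average of the impact range) are assumptions.

```python
import random

# Constructed sample register (not Saipem data): name, probability of occurrence,
# and a (min, most likely, max) cost-impact range in million EUR.
# Opportunities carry negative impacts, so every total is a *net* risk value.
REGISTER = [
    ("Late vendor delivery",      0.30, (2.0, 5.0, 12.0)),
    ("Offshore weather downtime", 0.50, (1.0, 3.0, 8.0)),
    ("Local content shortfall",   0.10, (5.0, 10.0, 30.0)),
    ("Favourable steel price",    0.40, (-6.0, -3.0, -1.0)),  # opportunity
]

def mean_impact(lo, mode, hi):
    """Average impact of the range; assumed here to be the triangular mean."""
    return (lo + mode + hi) / 3.0

def arithmetic_net_risk(register):
    """Arithmetical approach: one number, the sum of probability x average impact."""
    return sum(p * mean_impact(*impact) for _, p, impact in register)

def monte_carlo_totals(register, trials=20000, seed=1):
    """Monte Carlo approach: sorted net-risk totals, one per simulated project.
    Assumes independent risks, each occurring with its stated probability and,
    if it occurs, drawing its impact from a triangular distribution."""
    rnd = random.Random(seed)  # fixed seed so the run is repeatable
    totals = []
    for _ in range(trials):
        total = 0.0
        for _, p, (lo, mode, hi) in register:
            if rnd.random() < p:
                total += rnd.triangular(lo, hi, mode)
        totals.append(total)
    return sorted(totals)

def percentile(sorted_totals, q):
    """Net-risk value not exceeded in a fraction q of the simulated outcomes."""
    idx = min(len(sorted_totals) - 1, int(q * len(sorted_totals)))
    return sorted_totals[idx]

if __name__ == "__main__":
    totals = monte_carlo_totals(REGISTER)
    print(f"Arithmetic net risk: {arithmetic_net_risk(REGISTER):.2f} M EUR")
    # Points on the cumulative probability-impact curve
    for q in (0.10, 0.50, 0.80, 0.95):
        print(f"P{int(q * 100):02d}: {percentile(totals, q):6.2f} M EUR")
```

The single arithmetic figure sits near the mean of the simulated totals, while the percentiles show how far the net risk can move on either side of it.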
Response Planning is the core step of the Saipem methodology, with the final goal of triggering in each individual a proactive attitude to regularly identify and mitigate his or her activity risks. Again, the deliverables of the activity should be a collective and shared decision. Monitoring and Control activities follow as parts of a continuous process.
Roles and Responsibilities
At the Corporate Level
Saipem operates through a complex and integrated structure of approximately 200 companies worldwide that manage “projects” everywhere in offshore, onshore, and drilling companies. Due to this distinctive characteristic, the application of the risk methodology needs to be coordinated and optimized by a corporate function, “industrial risk and opportunity and knowledge management,” that is the “owner” of the methodology and assists the top management in the definition of risk management strategy. The role also includes spreading awareness of the methodology to build a company-wide culture, providing consultancy, assistance, and advice to business units/projects, and issuing the monthly risk management report (highlights).
At the Project Level
The risk management organization comprises the following roles: project manager, risk engineer, the appointed risk owners, and project team members.
The project manager is responsible for the risks and he or she gives a continuous commitment on risk management to the whole project team as well.
The risk engineer coordinates the application of the risk management methodology on the project. He or she is a “facilitator” and has no responsibilities in managing the risks.
The risk owners are project team members appointed by the project manager and responsible for managing assigned risks.
Project team members are required to cooperate in the implementation of the risk management activities.
Risk Management Tool
Saipem has adopted a proprietary intranet tool, accessible from any company/project/site/yard of the group. The strategic plan of the risk management function was to have a unique tool in order to standardize and guide the application of the methodology.
The software allows users to populate a database containing risk-related information on the projects. Information includes the qualitative and quantitative evaluation of risks, probability, and impact level on project costs, performance, and schedule; it allows recording a risk response plan with detailed actions.
The system compiles, organizes, and classifies inputs (in a flexible way, reflecting various user levels of involvement) that can be used to produce various reports such as risk register, risk response planning, and other specific reports (e.g., Monte Carlo analysis). It can provide information for the users based on return of experience recorded in the knowledge database area and aggregated information for the corporation.
Managing Risk Communication
In a company like Saipem, whose core business is project management, know-how alone is not sufficient; knowing how to share and manage risks is equally important.
The methodology has also studied how to break the vicious circle that interferes with the channels of communication: we think that improving risk perception and knowledge in our people, at the project level but also at the corporate level, will improve the company's results.
Initially, the risk identification workshop is the “communication tool” used to share risks within the project team; then, during the project life cycle the risk review meetings, performed regularly on a monthly basis and managed by the risk engineer, are the events that allow project team members to update risk information and be informed on the status of risks.
Exhibit 3 – Risk communication in the Saipem Group
To maintain a good communication flow between the different stakeholders, different reports at different levels are prepared and shared through the intranet tool:
- at the project level (internal), such as risk register, risk response planning, and risk sheets;
- at the corporate level (outside the project: corporate and business units), such as the monthly highlights report, prepared by the corporate function.
Furthermore, the corporate function contributes to spreading awareness of a company's risk management culture through regular visits on projects and supporting them in the application of the methodology (Exhibit 3), and in the coordination of the dedicated community of practice.
Corporate Reporting (“Risk Highlights”)
The final step of the Saipem risk management activity is a structured report of statistics prepared by the corporate function based on data compiled by all the group's companies and projects. This report is specifically dedicated to top management (corporate and business unit manager), is issued every month, and is called “Risk Highlights.”
It is elaborated from data extracted from the Risk Management Intranet Tool. For this reason “evangelism” (education of the concerned parties on the methodology and on the use of the intranet tools) is essential:
- Projects not using the intranet tool cannot be addressed;
- Projects not updating the intranet tool affect the representation at an aggregate level.
It is worth noting that the legitimacy of the assessment of risks rests with the project team's judgment.
Elaborating data from projects in the execution phase only, the report gives an answer to the fundamental question: “How much is at risk on our current forecast?” The report aims to be the trigger for further detailed analysis and/or focused working groups prompted by emerging trends and/or the information highlighted.
Risk management highlights are structured on the following levels:
Corporate highlights are issued to top management and reflect an aggregation, at the corporate level, of risks and opportunities.
Business units (e.g., onshore, offshore, drilling) highlights are issued to the relevant managers and reflect a detailed aggregation at the business units/asset level of risks and opportunities.
The following are the main outputs of the highlights (the plot, tables, and graphs shown in this paper are illustrative).
Backlog Covered and Expected Value Trends
Among the basic information that the report gives, we present this pie chart (Exhibit 4a); it renders the percentage of Saipem backlog covered by projects using the risk intranet tool and is a measurement of the dissemination of the methodology.
Exhibit 4 – Backlog covered and expected value trends
Each sector of the pie chart represents the amount of backlog in each of the three business units and, in each slice, the backlog of the ongoing projects not adopting the risk methodology and intranet tool (shadowed area).
The main projects with backlog, not covered by the intranet tool, are highlighted.
Another fundamental piece of information given by the report is the plot in Exhibit 4b, which shows the trends of corporate risks, opportunities, and net risks.
Backlog versus Risk
In this section, the report proposes the trend of the ratio between the amount of net risk and backlog, giving an idea of the exposure of the corporation in relation to its future commitments.
A section of the report is dedicated to the top ten active risks in terms of expected value and maximum cost impact (Exhibit 5).
Exhibit 5 – Top ten risk
The expected value table prioritizes the main risks in terms of expected value, taking into account both the probability of occurrence and cost impact in case of occurrence. Cost impact is the weighted average of the impact range estimated by the project, according to different event types (Exhibit 5a).
The maximum cost impact table highlights the “maximum” impact foreseen (without considering the probability of occurrence) by the project for the specific risks in case of occurrence, highlighting the worst scenario (Exhibit 5b).
Projects and Country Expected Value Graph
The following portion of the report classifies the corporate risks in terms of the project and its geographical area.
The “Tornado Graph” (Exhibit 6a) shows the project's risks (red) and opportunities (green), sorted by decreasing risk value. It highlights the projects with the major amount of risks (and opportunities).
Exhibit 6 – Projects and country expected value graph
The pie charts (Exhibit 6b) show how the risks and opportunities expected values are distributed among countries (i.e., project site location); they highlight the main country area of attention.
Risk and Opportunity as per Risk Breakdown Structure
In this section, we highlight the most influencing “sources of risks and opportunities.”
Exhibit 7 – Tornado graph
The “expected value” Tornado Graph (Exhibit 7a) shows the most important risk areas, classified according to the second level of the risk breakdown structure and sorted by decreasing risk value.
The “number of hits vs. expected value” Tornado Graph (Exhibit 7b) shows for each risk area the numbers of hits (in red) and related expected value (in blue) to draw attention to any pathogen factors (i.e., how many times the risks and opportunities are linked with the risk areas).
Net Risk Expected Value Distribution
Exhibit 8 shows a typical Monte Carlo graph used in the report to display the corporate and business unit net risk expected value. This is especially meaningful compared with a single arithmetical value due to the difficulty in assessing both the probability and impact of risk.
Exhibit 8 – Monte Carlo simulation output
Project Risk Register Updating Indicator
The report ends with the graphs in this section (Exhibits 9 and 10). They capture, in terms of business unit and project, the frequency of update of the risk register, which, in other words, “gives” the level of reliability for the corporate risk report. The tables/plot (Exhibit 9) indicate the percentage of projects that have not updated their risk register in the last 60 days.
Exhibit 9 – Business unit updating indicator trend
These tables (Exhibit 10) indicate the risk register update at a project level and the depth of the project risk analysis.
Exhibit 10 – Project update and completeness indicators
The authors have illustrated how Saipem considers individual perception of risk not a point of weakness but the strength of a collective wisdom that provides a truthful message to the company's board. This is how the project population communicates its perception of risk to the decision-making individuals.
This is made possible with a tool broadly distributed and extensively exploited within the group, a corporate function able to aggregate a huge amount of data and a structured report of meaningful statistics.
Giorgino, M., & Travaglini, F. (2008). Il risk management nelle imprese italiane, Il Sole 24 ORE S.p.A. – Milan, Italy.
Hillson, D. (2005). Describing probability: The limitation of natural language. Originally published as a part of the PMI Global Congress 2005 EMEA Proceedings – Edinburgh, United Kingdom.
ISO 31000. (2009). Risk management: Principles and guideline. Geneva, Switzerland.
Project Management Institute. (2008). A guide to the project management body of knowledge (PMBOK® Guide)—Fourth edition. Newtown Square, PA: Author.
Project Management Institute. (2009). Practice standard for project risk management. Newtown Square, PA: Author.
Surowiecki, J. (2004). The wisdom of the crowds. New York, NY: Doubleday, Anchor.
© 2010, Lorenzo Fossati, Andrea Lasagni, Alessandro Saini
Originally published as a part of 2011 PMI Global Congress Proceedings – Dublin, Ireland