Holistic security risk management strategies for E&Ps: optimizing performance by reducing surface risk

Abstract

Exploration and production companies frequently partner with host countries that struggle to maintain political stability and eliminate security threats, making it difficult to develop security strategies to protect company employees and assets in country. Exploring this problem, we interview elite actors who populate germane risk management networks, providing a cross-section of perspectives as to how well upstream producers are crafting and implementing security risk management strategies. We construct a model of holistic security risk governance, and apply it to what our dataset reveals about firm performance in this area. Finally, we recommend ways in which industry-level responses can support exploration and production companies to reduce their risk and enhance their performance.

1. INTRODUCTION

Exploration and production companies frequently partner with host countries that struggle to: (i) maintain political stability; (ii) guarantee sound governance; (iii) provide adequate transparency; (iv) eliminate security threats; and (v) meet human rights standards. These conditions make it difficult to develop security strategies to protect company employees and assets in country. As a response, we have interviewed elite actors who populate the risk management networks in question. The interviews provide a cross-section of perspectives as to how well upstream producers are crafting and implementing security risk management strategies. These perspectives provide a degree of corroboration that confirms that current incentives provide an opportunity to create a win–win scenario for companies and the public interest. Since business thinks primarily in the terms of economics and finance,1 it is practical to frame the risks posed by these operating environments in this manner.
Key to understanding the valuation of an upstream producer is the calculation used to determine the expected gross revenues for a particular upstream project. The expected gross revenues equal the predicted future prices of the commodity multiplied by its expected future quantities of production over the project’s projected life cycle.2 Valuation analysts use reserve reports to assess the future quantities of production.3 These reports are the ‘foundation of valuation’ for establishing expected gross revenues.4 Above-ground threats to production, on-site employees and upstream infrastructure fall within the category of ‘surface risk’.5 A good definition of surface risk is ‘the variety of political, environmental, logistical, commercial or bureaucratic issues that may impact project performance’.6 Surface risk is a key consideration when establishing the present value of future cash flows, or discount rate, which is calculated by adding the costs of all risks associated with such production over the asset’s lifecycle.7 The discount rate is deducted from expected gross revenues to establish the value of the asset. Four economic rationales exist for investing in reducing security risk: (i) it prevents delays in exploration operations and production disruptions, increasing the net present value of assets; (ii) it reduces the predicted cost of surface risk, increasing the predicted value of future assets; (iii) since it directly impacts asset value, it also directly impacts the cost of capital; and (iv) it protects reputational capital, which is a governance-commodity directly linked to business certainty. Of the four, the fourth rationale is not as obvious as the others. 
Many countries’ government agencies, which are responsible for the oversight of exploration and production activities, are decentering their decision-making authority.8 Political mechanisms, such as ‘social license’, are granting local communities more discretion to craft the conditions in which energy projects will operate in their communities—including a significant voice as to whether or not projects go forward.9 This decentering of discretion reflects one way in which reputational capital is becoming as important as hard assets in determining company value.10 Some might challenge this claim, arguing that this decentering trend occurs mostly in advanced democracies, where complex above-ground operating environments tend not to exist. This point is largely true.11 However, the link between how an incident in one country can create a reputational cost for a project in another has been well documented.12 Accordingly, reputational effects can ‘travel in accidental and contingent ways’, affecting seemingly unrelated operations and projects.13 Accordingly, companies need to be clear-minded when assessing reputational risk, since the reputational effects of a security incident may ‘travel’, impacting other operations globally.14 In this way, reduction in reputational capital increases the risk of adverse governance conditions for other operations, reducing overall business certainty. Following this logic, oil and gas companies—even when acting solely as self-interested market actors attempting to maximize profit—ought to be placing evermore importance upon reducing surface risk, since it is an immediate impediment to: (i) greater profit; (ii) greater asset valuation; (iii) a lower cost of capital; and (iv) greater business certainty. These factors are core priorities for any business venture.15 In this way, surface risk generates market incentives, which ought to be compelling actors within the industry to do their utmost to mitigate this risk. 
Moreover, by mitigating this risk to maximize company value, an upstream producer just so happens to meet the standard of being a good corporate citizen.16 Such a perfect storm makes improving security risk management a ‘low hanging fruit’, creating shared value and social good.17 Some might be suspicious of such an honourable bargain, since it appears to sidestep the fundamental tension between ‘ethics and economic goals’.18 But being more pragmatically minded, we are less concerned by such considerations. The oil and gas industry can have an impact that reaches beyond its own operations. In a world that is no longer fearful of peak oil,19 companies have greater leverage over host states to reduce surface risk.20 Companies are in a stronger position to negotiate with host states to ensure that communities have the opportunity to share in the benefits of their operations. They are incentivized to do so, since the ‘local players’ may be the most important ‘domestic factors’ in the long-term relationships in country.21 Positive relations help to embed the company’s operations into local communities.22 When company operations also support communities, the perceived mutual benefit helps to ensure the welfare and safety of both local inhabitants and on-site employees.23 Accordingly, when the mutual benefit of operations is established, surface risk will be reduced, which necessarily enhances the value of company assets.24 As a result, oil and gas companies are well positioned to become ‘change agents’ within the footprints of their global operations.25 They can create opportunities for meaningful improvements to the lives of many through intelligent community investment.26 Furthermore, such efforts will increase their profits. 
Present global market conditions, market incentives and the law are aligning in this way so that the threats posed by complex above-ground operating environments are inspiring companies to effect real change by maximizing their financial performance.27 It is important to note that when the self-interested pursuit of profit has social utility beyond wealth maximization, as it does in this case, it is usually not merely dumb luck, but the tireless work of norm architects, who creatively use markets to improve institutional design.28 This article constructs a model of holistic security risk governance, then applies it to what our interview dataset revealed about firm performance in this area. It then recommends ways in which industry-level responses, such as from the Association of International Petroleum Negotiators (AIPN), can support firms to reduce surface risk in ways that enhance their profitability, while serving the public interest.29 The article is organized as follows: Section 2 explains our methodology, including the theoretical presumptions for our research as well as the interview process employed. Section 3 offers our recommendations and then compares them to the research results. In other words, we will first explain the model we believe will best mitigate surface risk, then investigate how this model compares to the picture of current industry practice that our interviews created. Our interviews revealed many exploration and production companies, especially smaller ones, are unaware of holistic risk management strategies. Moreover, they tended to adopt a responsive ad hoc—instead of a proactive strategic—approach to security risk management. Accordingly, Section 4 provides additional explanation of holistic risk management and how best to implement risk management strategies to security risk problems.
Section 5 is our conclusion, which, in part, recommends that the AIPN and other such industry groups ought to offer a number of new products to help exploration and production companies: (i) reduce surface risk; (ii) protect on-site employees and property; (iii) optimize wealth maximization of the industry; (iv) improve political stability of host countries and regions; and (v) significantly improve the lives of local inhabitants within the operational footprints of those companies.

2. METHODOLOGY

Beyond employing a doctrinal analysis to the germane law and literature,30 we conducted a series of elite interviews with actors within the upstream oil and gas industry to learn about how companies manage security risk. The actors fell into one of four categories:

A. Corporate
B. Security Risk Management
C. Legal
D. Other

Our interviews generally targeted two areas of interest:

A. Organizational Structures
B. Meta-Organizational Structures

We assessed how companies manage these challenges by conducting a series of interviews. The interview process was designed to provide insight into how some within the oil and gas industry devise and then operationalize security risk management strategies. The interview methodology is based upon the theory that the business organization is a ‘self-referential’ collective action system.31 Its individual members coordinate activities to pursue profit in a manner that maximizes return through the control of risk over the duration of the venture.32 This theory sheds light upon how those within the organization think about their work, and thus how their company defines itself within its operating environment.33 The interviewer can gain insight into an organization’s ‘self-description’,34 which produces its ‘identity’,35 shapes its ‘culture’36 and informs its ‘capacity for action’37 by interviewing key individuals within the organization.
Accordingly, we are using this sociolegal theory of the corporation as a basis for mapping the targeted business functions by gathering descriptions from germane business actors about their employer’s operations and their role within them. Applying this theory, we conducted interviews and then analysed the results to understand how organizations within the oil and gas industry manage security risks in complex above-ground operating environments. In particular, we engaged in a series of elite interviews. Such interviews are designed to gather information from interviewees holding power and influence within their social spheres.38 In our case, we were interviewing high-level corporate managers, security risk management specialists, lawyers specializing in supporting exploration and production field operations, and other such actors. In all, we interviewed 39 individuals, including: (i) 12 senior executive level managers (who work for a range of exploration and production companies from nano cap independent producers to international oil companies); (ii) seven risk management specialists (who work in a range of positions from heads of corporate social responsibility and global security at head offices to non-combative defensive private military and security companies); (iii) 17 lawyers (who work in a range of positions from general counsel at a corporate head office, to external legal counsel from Houston, London and Calgary, to external legal counsel from a range of in-country locations); and (iv) three interviewees who do not fit into the above categories. One is a managing director of a brokerage who advises exploration and production companies for insurance covering property and personal losses caused by security risks. One is a retired armed forces journalist whose writing focuses on private military operations. The last is a human rights compliance specialist who focuses upon extractive industries. 
Each of the interviews was a minimum of an hour, but some extended up to two hours. Elite interviews can be conducted in different ways,39 but we utilized a non-standardized, qualitative interview process.40 In such a process, the investigator lightly steers the interview by ‘encouraging the interviewee to structure’ accounts and define what is ‘relevant’ while still acquiring the targeted information from the encounter.41 The fundamentals of such interviewing are deceptively simple: ask open-ended questions to ascertain the full range of ideas, beliefs, values, attitudes and opinions of the interviewee on the topics within the research objectives.42 The difficulty is that to do it well, the investigator needs to improvise, adjusting to each interviewee’s response in the moment, a skill that is enhanced by substantive expertise, well-developed interpersonal skills and honed social instincts.43 Legal scholarship is familiar with such ‘semistructured interviews’ that do not follow a ‘fixed script’.44 The investigator must do exhaustive research before conducting elite interviews.45 Such interviews usually present the challenge of overcoming the asymmetry between the ‘obscure academic’ investigator and the ‘very powerful and self-assured’ interviewee.46 If the investigator is unprepared to have an intelligent conversation, asking naïve questions to conduct primary research, that investigator is doomed to not maximize the potential that the interviewee presents, missing out on valuable opportunities to gain insights and likely losing control over the course of the interview.47 Investigators need to have done their homework.48 When properly conducted, elite interviews are high-level conversations between individuals with established expertise. 
Conversations ought to shed light on particulars that cannot be confirmed from primary research.49 Interviews corroborate ‘what has been established from other sources’.50 They enhance the research by adding a ‘textural depth as well as empirical strength’ to the work.51 In this way, interviews breathe life into research, establishing how actual actors within particular processes think about the roles they play.52 Interviews can confirm how actors have used norms in past processes, helping to make sense of governance.53 In other words, they offer invaluable insight into the inner workings of decision-making processes.54 One challenge with the results of elite interviews is that it cannot be assumed that ‘as it is in the typical survey—that persons or categories of persons are equally important’.55 Approaching the data collected using a statistical analysis runs the risk of misrepresenting the material received.56 One might: (i) fail to capture the data’s ‘textural depth’;57 (ii) oversimplify its meaning;58 or (iii) draw correlations and conclusions that may not exist.59 Accordingly, the investigator may, in fact, be best served by focusing upon quality over quantity, helping them ‘to acquire a better picture of the norms, attitudes, expectations, and evaluations of a particular group’.60 Elite interviews usually present the challenge of a power asymmetry61 that favours the interviewee, and challenges the investigator.62 This can result in the investigator being too deferential and the interviewee controlling or dominating the interview.63 When combining elite interviews with the non-standardized interviewing process,64 the risk of not maximizing the opportunities the interview offers is increased.65 The expertise of the research team helped to mitigate this potential. 
In our assessment, the results of the interviews represent what can be gleaned from a successful series of candid conversations between industry insiders about how security risk management is conducted today in complex above-ground operating environments.

3. OUR VISION COMPARED TO THE RESULTS

Organizational structure

Our Vision

Five types of exploration and production companies are core to upstream activities: National Oil Companies (NOCs), Government-Sponsored Enterprises (GSEs), International Oil Companies (IOCs), other Independent Producers (IPs) and Oilfield Service Companies (OSCs). From the 1950s to 1970s, many oil-rich countries nationalized oil and gas concessions and related assets,66 forming their own NOCs to manage them.67 In 2016, the NOCs of the Organization of the Petroleum Exporting Countries controlled about 73 per cent of the world’s proven reserves and produced 44 per cent of total world crude oil.68 A NOC is an extension of a government, which may share many of the organizational characteristics with a private exploration and production company, such as an IOC or an IP.69 However, although a NOC may look like an IOC or an IP superficially, the performance data of NOCs suggests that they are functionally different, being dramatically less efficient and less profitable as a group.70 GSEs, also called Hybrid NOCs, are again political entities, but are allowed to function more independently of their governments, and thus tend to perform more like for-profit organizations.71 Arguably, Statoil ($US 59,895 million in revenues72 and 21,581 employees in 201673) is the GSE that functions most like an IOC or an IP.
IOCs are massive global multinational exploration and production companies, including Royal Dutch Shell ($272,156 million in revenues74 and 90,000 employees in 201675); ExxonMobil ($246,204 million in revenues76 and 72,600 employees in 201677), BP ($225,982 million in revenues78 and 79,800 employees in 201679) and Chevron ($131,118 million in revenues80 and 61,500 employees in 201681). Possibly added to this group is a number of privatized NOCs,82 whose claim to have transformed into fully private exploration and production companies is at best contested,83 such as Gazprom ($99,464 million in revenues84 and 462,400 employees in 201685). Some of the largest IPs are Repsol ($39,419 million in revenues86 and 25,917 employees in 201687), ConocoPhillips ($30,935 million in revenues88 and 15,900 employees in 201689) and Suncor ($23,217 million in revenues90 and 13,190 employees in 201691). These IPs represent the largest IPs, but hundreds of other IPs represent the range of other companies in this category, which include: (i) large-cap IPs (market capitalization of over $10 billion);92 (ii) mid-cap IPs (market capitalization of less than $10 billion and more than $2 billion);93 (iii) small-cap IPs (market capitalization under $2 billion but over $300 million);94 and (iv) micro-cap IPs (market capitalization of under $300 million, including nano-cap companies with a market capitalization of under $50 million).95 It is these companies, plus other IPs that are not publicly traded, which populate the majority of the exploration and production industry. 
Most of these smaller operators are not as vertically integrated as their giant industry associates, the IOCs.96 In 2017, a Market and Financial Analysis Team of the US Energy Information Administration took what was in their estimation to be a proportionate sample group of IPs by country to do a financial review of the global oil and natural gas industry.97 Their estimation suggested that 71 per cent of IPs were from the United States, 8 per cent from Canada, 10 per cent from Europe and 11 per cent from other countries.98 The final group of exploration and production companies that are core to upstream activities are OSCs. OSCs are service providers for the other four types of companies.99 These other exploration and production companies typically outsource their ‘day-to-day operational activities’ or technically specialized activities to them.100 OSCs offer upstream services spanning the life cycle of the well; ranging from initial exploration to final production. Some of these services include: seismic acquisition and processing; building drilling rigs; operating drilling rigs and associated support vehicles, vessels and aircraft; providing other drilling materials, equipment and specialized services; assessing formations; and assessing well performance.101 OSCs include large companies such as Schlumberger ($35,475 million in revenues102 and 95,000 employees in 2016103) and Halliburton ($23,633 million in revenues104 and 65,000 employees105 in 2016), but also many much smaller companies. Of the five types of companies outlined above, our focus is squarely on privately-owned exploration and production companies. To be precise, we are focused only upon IOCs and IPs. 
Although our comments as to organizational structures might well be very useful for NOCs and GSEs, we cannot claim that our opinions as to the optimal risk management function for business organizations will necessarily be applicable to these more political actors.106 As for OSCs, our comments as to organizational structure ought to be squarely applicable to these business actors. However, OSCs, as service providers of exploration and production companies, hold a different place in the upstream industry than IOCs and IPs.107 Accordingly, our comments are not intended for OSCs. They are, at best, on the periphery of our consideration. Moreover, our focus is not on all IOCs and IPs, only those engaging in upstream activities in complex above-ground operating environments. None of our interviewees had office headquarters located in such an environment. Although these IOCs and IPs range in size, they are all well-capitalized relative to many organizations in other industries. Many nano cap IPs will have the capacity to conduct international operations.108 In fact, of the firms we interviewed, one had a capitalization of less than eight million. That said, market and regulatory pressures appear to be pushing companies to need ever-greater levels of capitalization.109 All incorporated IOCs and IPs will have a board structure, but even unincorporated IOCs and IPs will have centralized management and an internal auditing function.110 The basic structure of any exploration and production company will consist of four main subdivisions from centralized management: exploration, production, marketing and administration.111 An exploration department’s main responsibility is locating and acquiring oil and gas assets.
Such departments tend to be populated by geologists and reservoir engineers.112 Some of this geological and geophysical work tends to be outsourced to OSCs.113 A production department—including facilities, drilling and completions—is responsible for field operations, including activities such as development drilling, hydraulic fracturing and secondary recovery.114 Again, some of these production activities tend to be outsourced to OSCs.115 The marketing department negotiates oil and gas sales and thus usually deals with some midstream concerns as well.116 The administrative function is responsible for managing human resources, internal systems, public relations, legal issues, financial issues, accounting and tax.117 The administrative function is often divided into a number of independent departmental silos, most commonly between financial and non-financial activities.118 More compartmentalization of administrative function is required in larger companies to achieve and sustain competitive advantage.119

Figure 1. Simple exploration and production company organizational structure.

Figure 2. Division of administration for security risk management at head office.

IOCs and IPs with international operations ought to have more involved organizational structures than the basic departmental structure outlined above.120 Of the four basic departments, security risk management demands a division of administrative silos into a focused array of risk management expertise creating the skeleton of the firm’s ‘risk management architecture’ at head office.121

Figure 3. Vertical integration to field site.
Of the above six subdivisions of administrative function, only risk management will not map directly onto in-country operations. The risk management department is responsible for all the aspects of risk governance.122 Such responsibilities ought to include coordinating the firm’s holistic approach to risk management across all levels of the organization, and sustaining ‘a culture of risk awareness’.123 This department, depending on the size of the firm, will be populated with general risk management experts, who do not necessarily need to have the specific technical skillset for security risk management in this context.124 Their core responsibility is to take the knowledge generated by the other five departments, and strategically steer decision-making so that the organization achieves operational efficiency by taking reasonable measures to shield the firm from disruptions of operations resulting from materialized risks.125 All other subdivisions are head office’s interface with risk management in-country, including the specific field operations.

Figure 4. Vertical integration of security risk communication.

The in-country manager oversees the country office, which ideally should be located in an area of political importance to facilitate good governmental relations.126 Each country office should have: (i) a security manager; (ii) a corporate social responsibility manager; (iii) a government relations manager; (iv) an operations manager; and (v) a legal department. Government relations and legal are largely managed through the country office; however, the security manager, corporate social responsibility manager and operations manager should each have a supervisor at the field site at all times.
A key observation from the risk management literature is the importance of developing a ‘culture of risk awareness’ at all levels of the organization.127 The development of management systems, through shifts in departments and processes, is an important first step in achieving this end.128 Restructuring departments and specific processes ought to provide support for helping employees become more risk aware.129 The generation,130 articulation131 and framing132 of risk information needs to be optimized. The channeling of risk information to the firm’s decision-making centres is also critical.133 Not only does prioritizing communication of risk information ensure that directors and executives are informed, it also reflects the importance the firm places upon risk management.134 We recommend that the country manager reports all security risk information to all germane departments at head office. Moreover, direct lines of communication ought to exist between the country manager, the security supervisor, the in-country security manager, global security and risk management. All departments at head office need to use their expertise to assess the security risk information from the country manager and report their assessment to global security and the risk department. The above diagram outlines our recommended channels for communicating security risk information. 
When risk information is communicated to management, it needs to be explained in terms of identified threats to human life (and assets),135 not ‘economic constraints and opportunities’.136 If the Chief Risk Officer is presenting security risk information, the officer needs to be able to explain this information in terms that helps to create and sustain a ‘cultural system of norms, expectations, knowledge, and behavioral supports’ that properly calibrate the group perception of the security risk.137 In fact, the risk communicator ought to have an intimate understanding of the realities of security threats and be able to communicate such realities in a manner that conveys such understanding.138 Depending on the qualifications of the Chief Risk Officer and the nature of the risk information being communicated, the Head of Global Security may be the better risk communicator when presenting it to management. Either way, such reporting should be made to management in a face-to-face meeting to avoid miscommunication.139 The fact that the Chief Risk Officer (or the Head of Global Security) is well informed and reports on a recursive basis to executive management—and possibly the board of directors—ought to help increase the perceived importance of security risk management across all levels of the firm.140 Such prioritizing of risk ought to affect employee attitudes,141 but additional supports are needed. 
If a culture of risk awareness is to be achieved, employees need to ‘understand and internalize’ the vision of risk awareness and how their efforts are helping to achieve this vision.142 Directors and executives need to engage in ‘charismatic’ leadership strategies that inspire firm transformation.143 In particular, they need to: (i) communicate the vision of risk awareness at all levels;144 (ii) communicate support for initiatives that are helping to achieve this vision;145 (iii) celebrate success and achievement.146 Such a recommendation sounds like a blending of the ‘instant’ psychology and sociology that sometimes haunts the business management literature,147 but such management strategies, no matter how parochial they may sound, have been proven to create the incentives that help support the recommended organizational changes, leading to more optimal risk management throughout the firm.148 Accordingly, risk management needs to be an active process, which demands genuine engagement from top management down to all levels of the firm149 and cannot amount to a series of superficial gestures, such as solely relying on box checking auditing150 or making an existing corporate executive a Chief Risk Officer merely to appease capital markets.151 Genuine concern for risk management is critical to generating a culture of risk awareness.152 Inward looking rule compliance that fails to generate anxiety about risk will not inspire the dynamic learning necessary to cope with the ever-changing nature of risk.153 Risk must impact the function of ‘actors, norms and processes’154 in the firm in a manner that creates systemic irritation,155 which will drive the learning necessary to transform the self-description,156 identity157 and culture158 of the firm so that it has the ‘capacity’159 to optimally manage risk within its environment.160 In sum, structural changes at the organizational level, such as the creation of the office of the Chief Risk Officer, are a good start.161 
Processes, such as communicating security risk in terms of lives not numbers, are also a good start.162 However, the most important dimension is the biases towards risk held by individuals, especially by top management.163 It is critical for security risk management to be taken seriously at all levels.164 A culture of risk awareness starts with ‘the tone from the top’ and works through the ranks.165 Proper organizational structure, complemented by the sound processes and strategic incentives suggested, help achieve this goal.

Research results

Profile of companies of interviewees

Of our interviewees, 12 senior executives, six of seven risk management specialists166 and five of 17 lawyers all worked for at least one exploration and production company since 2006.167 Each of these interviewees is, or was, an employee for such companies. Some interviewees had worked for the same company, but possibly at different times. Some interviewees had worked for more than one such company and provided data for each. No data was used on comments about a company, if the interviewee had left said company before 2006. In all, 23 companies were considered in the interviews. Five were either IOCs or large cap IPs,168 meaning each had a market capitalization of over US$10 billion.169 Of these five, two were companies in which the interviewee did not currently work, but had worked for within the past 10 years. Five were mid cap or small cap IPs, meaning each had a market capitalization of less than US$10 billion and more than US$300 million.170 In fact, only one of the five was a small cap IP, and thus four companies had a market capitalization over US$2 billion.171 Of these five, three were companies in which the interviewee did not currently work, but had worked for within the past 10 years.
Finally, 13 were either micro cap IPs or nano cap IPs, meaning each had a market capitalization of under US$300 million.172 Of these 13, four were companies for which the interviewee did not currently work, but had worked within the past 10 years. For present purposes, we are going to divide the 23 companies into two categories. IOCs, large cap IPs, mid cap, and small cap IPs are called ‘Large E&Ps’.173 Micro cap IPs and nano cap IPs are ‘Small E&Ps’.174 Large E&Ps have a market capitalization of over US$300 million, while Small E&Ps have a market capitalization of under US$300 million. We assert that this is a significant distinction. Unless extraordinary circumstances prevail, most Large E&Ps will have the operating capital to finance the full complement of organizational structures we envision for security risk management. However, the same presumption cannot be made for Small E&Ps, which may have significant assets on their books, but little liquid capital—especially considering the depressed markets for oil and gas. Capitalization of just under US$300 million may seem to indicate a well-funded company; however, drilling wells internationally in complex above-ground risk environments is often more expensive than drilling in North America, because of factors that include: (i) the need for an in-country office; (ii) little geological data available to the company prior to exploration; (iii) remoteness of site location; (iv) lack of infrastructure (roads, utilities, pipelines, etc.) around site location; (v) lack of trained human resources in-country; (vi) lack of exploration and production equipment in-country; and (vii) high security risk.175 Under such circumstances, drilling an initial producing well for US$2,000,000 would be under-priced, and the cost can be many multiples more.
For instance, one of the interviewees, who worked for a Large E&P, reported that his company had to pay over US$300,000 per month for security services when drilling in a conflict zone. Accordingly, exploration and production expenses internationally can quickly stretch operational budgets thin for many Small E&Ps.176 In sum, our data sample has 23 companies: 10 are Large E&Ps and 13 are Small E&Ps. The main difference between our Large E&Ps and Small E&Ps is that the large ones can be assumed to have an operating budget large enough to afford the full complement of organizational structures and other resources we envision for security risk management, while the small ones may not.

Risk organization at head office

All of the Large and Small E&Ps have an operations department and a legal department at head office. Of the Large E&Ps, all had an international governmental relations department, and almost all had a corporate social responsibility department. However, only about half had a global security department, and only about half had a holistic risk department as we envision. The Large E&Ps inconsistently placed security risk management within their organizations. Frequently, security risk management was situated within the Health, Safety and Environment department (HSE). We opine that this is not optimal. Security risks are significantly different from the risks managed by HSE. In fact, HSE is not even situated within our organizational chart for security risk management. Ideally, security risk management is situated within a stand-alone global security risk department. Some companies situated it within their corporate social responsibility department. When the position of head of global security also exists within the corporate social responsibility department in question, we opine that this arrangement is reasonable.
Of note, two of the larger Small E&Ps (Elite Small E&Ps) have an organizational structure that is comparable to the best practices of the Large E&Ps, which represent the industry leaders from our sample. Of the remaining Small E&Ps, very few had even one of the four listed departments. The results reflect that operational cost might be a significant factor in why the majority of Small E&Ps do not have the envisioned organizational structure at head office. However, two larger Small E&Ps had a full complement of organizational structures. Considering all but one of the Large E&Ps had a capitalization of over US$2 billion, the lack of organizational structure can be assumed to be for reasons other than financial capacity.

Risk organization at in-country office

All of the Large and Small E&Ps have a country manager and operations manager. Of the Large E&Ps, all had a governmental relations manager and legal department. Most of the Large E&Ps also had external in-country lawyers, but none dealt with security concerns. Almost all Large E&Ps have a corporate social responsibility manager. However, only about half have a security manager. The Elite Small E&Ps have an organizational structure comparable to the best Large E&Ps. Of the remaining Small E&Ps, very few had even one of the four listed departments. For these companies, the country manager would be responsible for governmental relations, corporate social responsibility, and security. For such Small E&Ps, legal issues that needed to be addressed in-country were generally handled by external lawyers in-country. The results reflect that operational cost might be a significant factor in why the majority of Small E&Ps do not have the envisioned organizational structure. The Elite Small E&Ps had a full complement of organizational structures.
Considering the capitalization of the Large E&Ps in our sample, the lack of organizational structures at the company level can be assumed to be for reasons other than financial capacity.

Risk organization at the field site

All of the Large and Small E&Ps have an exploration and production supervisor. Of the Large E&Ps, most companies have a security supervisor on the ground to oversee and/or coordinate with private and/or public security services. Over half of the Large E&Ps have a Corporate Social Responsibility Representative, who provides ongoing communications with communities within the footprint of the company’s operations. The Elite Small E&Ps have an organizational structure that is comparable to the best Large E&Ps. Of the remaining Small E&Ps, the country manager, and whatever additional capacity existed at the country office level, dealt with field site issues and coordinated with the exploration and production supervisor on the ground. The results reflect that operational cost might be a significant factor in the lack of organizational structure for Small E&Ps. However, considering the organizational structure of the Elite Small E&Ps, any lack of such structures for Large E&Ps can be assumed to be for reasons other than financial capacity.

Channels for communication of risk information

The degree to which both Large and Small E&Ps lack organizational structure impacts the capacity companies have to communicate risk information in the manner that we envision. It also impacts organizational response to security risk. Moreover, the quality of the risk information will also be impacted, since the spectrum of specializations we envision to be necessary to properly interpret and manage the security risk cannot be assumed to exist within the organizations.
Summary and conclusion

The key takeaway from this section is that—at least for Large E&Ps—the main factor for not having a full complement of organizational structures to optimize security risk management is not the lack of financial resources. We glean that the main causal factors include: (i) little responsiveness to trends in the business risk management literature and also industry best practice; (ii) a need for greater dissemination of industry knowledge about holistic risk management strategies; and (iii) a failure to appreciate the value proposition that optimizing security risk represents. Industry leaders provide excellent models in this area. Although all Large E&Ps appreciate that they need a specialization in government relations, operations, and legal at both head office and in-country, it is surprising that a small but significant portion of Large E&Ps still do not fully appreciate the necessity of community relations. As one interviewee, who was head of global security—not corporate social responsibility—noted: ‘community relations is the most important dimension of mitigating security risk’. As will be argued later, community relations require community investment, and such investment must be intelligently managed by corporate social responsibility experts with expertise in corporate–community relations, if it is going to ensure strong community relations.177 Without corporate social responsibility expertise at the head office, the country office and at the field site, it is less likely to be achieved.178 We were surprised to find that almost half of the companies had neither a risk department as we envision nor a global security department at head office. That said, a greater number of Large E&Ps had a security manager in-country.
This finding leads to the conclusion that, as compared to industry leaders, they: (i) are not prioritizing security and risk enough, since they are not giving these areas separate departments with significant status at the head office; and (ii) may not have adequate expertise in both security and risk at the head office. Small E&Ps represent a different challenge—cost. Generally, such companies have operations and legal departments at the head office; a country manager and an operations manager, with outside legal counsel, in-country; and an exploration and production supervisor in the field. All risk and security issues are handled by these divisions with little specialized expertise. We opine that this arrangement will not adequately manage security risk, and might increase it in some cases. Since reputation is a shared asset between all E&Ps in the industry, strategies need to be devised at the industry level to help Small E&Ps reduce their risk exposure by decreasing the operational cost of security risk mitigation. For instance, the AIPN is uniquely placed to coordinate such efforts through: (i) hosting events; (ii) offering training; and (iii) embedding best practices in model form contracts. Since we argue that reducing surface risk represents significant financial value, and that the measures envisioned will reduce surface risk, greater dissemination of best practices, as well as of their value, needs to occur throughout the industry. This reasoning is reinforced by the surprising number of interviewees who had never heard of the concept of holistic risk management, and the number of Small E&Ps that adopted a responsive ad hoc—instead of a proactive strategic—approach to security risk management. Without such dissemination of industry knowledge, greater appreciation of the value proposition, which optimizing security risk represents, will not happen in a timely manner.
Meta organizational structure

Our vision

Although internal shifts in firm structure represent an important first step, more is needed to optimize security risk management. An IP or IOC will not meaningfully reduce surface risk until it establishes relationships with other actors outside of the company, constructing a ‘multi-actor’ alliance for security risk management around the organization.179 Our recommendations for holistic organizational change extend beyond the boundaries of the firm.180 The concept of the business network is not new. In 1963, Stewart Macaulay interviewed 68 businessmen and lawyers from 43 companies and five law firms.181 He was attempting to determine when contractual rights were exercised in inter-firm relations, finding that business people tended to leave the contract in the drawer and engage in informal business exchanges.182 Macaulay’s work opened the imagination to the concept of network theory,183 inspiring legal scholars, economists and sociologists to look deeper into the nature of inter-firm behaviour. For instance, in the 1990s Walter Powell argued:

When the items exchanged between buyers and sellers possess qualities that are not easily measured, and the relations are so long-term and recurrent that it is difficult to speak of the parties as separate entities, can we still regard this as a market exchange? When the entangling of obligation and reputation reaches a point that the actions of the parties are interdependent, but there is no common ownership or legal framework, do we need a new conceptual tool kit to describe and analyze this relationship? Surely this patterned exchange looks more like a marriage than a one-night stand, but there is no marriage license, no common household, no pooling of assets.
In the language I employ below, such an arrangement is neither a market transaction nor a hierarchical governance structure, but a separate, different mode of exchange, one with its own logic, a network.184

Today, the best network theory encourages observers to embrace the complexity of networks and not force explanation upon the data collected.185 For instance, Bruno Latour encourages scholars to ‘slow down’186 so as to be able to not ‘simplify in advance the task of assembling’187 an understanding of such networks. Accordingly, we resist adopting a grand theory, in hopes of avoiding the traps188 of theorizing about the ‘forces’189 that may operate within such ‘network architecture’.190 Instead, we simply point to actors that ought to form this ‘multi-actor’ alliance.191 We acknowledge that complexity could be added at this juncture, but we are bracketing it, because it is unnecessary to address directly, considering the nature of this work. We hang our analysis on the concept of meta-organization, which is conceptually straightforward and has been used as a lens to understand networks in the oil and gas industry.192 Meta-organization in this context has been defined as ‘a very broad range of structures that belong to the universe of firms, political institutions, and non-profit organizations’.193 In this section, we identify the key actors that need to contribute to an exploration and production company’s security risk governance network if it is going to have the meta-organization support essential to optimize its risk management. First, industry groups are an important part of a company’s meta-organization.
For instance, the AIPN provides meta-organizational support to a company’s network capacity by creating standard form contracts and distributing such contracts and other knowledge throughout the industry.194 Although standard form contracts have certain disadvantages, they also: (i) reduce transaction costs; (ii) provide greater legal certainty as to terms; (iii) reduce agency costs; (iv) increase business certainty through standardizing business relationships; (v) distribute industry knowledge and experience with opt-out and opt-in provisions; and (vi) provide additional regulatory functions by normalizing industry activities.195 If the AIPN were to create security risk products—such as a series of country/region specific security due diligence checklists, a model memorandum of understanding for security services with host states, a model community benefit agreement, and model security provisions for the AIPN’s existing model form with independent contractors—it would greatly enhance the capacity of E&Ps to manage security risk by standardizing inter-firm relations through introducing contractual norms. Such inter-firm relations include partnerships with communities within their operational footprint, host governments and OSCs.196 Second, other exploration and production companies also form part of a company’s meta-organization. For instance, IOCs have been identified as adopting the general strategy of focusing on ‘long-term strategic planning and related decisions’ in-house, while outsourcing the ‘day-to-day operational activities’ to OSCs.197 As a result, OSCs have placed themselves in the industry as ‘technology providers assuming technical risks’, while IOCs maintain the responsibilities of being the operators.198 This strategy has been framed as a larger problem.
Outsourcing to OSCs has become such standard practice that IOCs have allowed their control over technology to ‘erode’ to the point that host states ‘no longer’ have to rely on IOCs for exploration and production.199 They can ‘simply bring in’ an OSC themselves, neutralizing a ‘major advantage the IOCs previously had when bidding for upstream acreage’.200 Moreover, an OSC’s economic horizon is typically focused on the next job or project, and not necessarily a 40-year economic relationship with a government and/or local community. Such outsourcing illustrates one aspect of a security issue within the meta-organization that will demand attention when at play. Will an OSC rely on existing security? Or will it bring its own security? If so, how will security operations be coordinated? In most cases, OSCs ought to rely on the existing security instead of adding complexity and risk to security operations. That said, this option may be rejected, depending on the circumstances. Moreover, OSCs do not have the same ‘coalition’ with the host government as the E&P; it is a less ‘stable’ relationship, since the OSC’s horizon in-country is for a much shorter term than its E&P client.201 Thus, using an OSC potentially represents a significant agency cost in a spectrum of security risk management scenarios, since cooperative game theory suggests that OSCs, as rational actors, are more likely to select the ‘best choice’ for themselves over the choice that maximizes the ‘mutual advantage’ of the members of its employer’s meta-organization.202 The AIPN could craft a number of additional security provisions for field service contracts to help reduce the agency costs associated with IOCs and IPs outsourcing to OSCs. However, OSCs are not the only firms that form part of a company’s meta-organization; other IPs and IOCs do as well.
For instance, some oil and gas contracts create business relationships between exploration and production companies, in particular through the use of Farmout Agreements, Royalty Agreements, Unitization Agreements and Joint Operating Agreements (JOA).203 Although these agreements create tighter inter-firm relations than would exist in the market, the meta-organization issues are already well addressed by these agreements. For instance, in a JOA, the appointment of a single operator for the business venture, plus the allocation of risk between the project’s partners reduces the meta-organizational issues to the organizational level.204 Having said this, standard form JOAs do not, at present, directly articulate standards incumbent on operators for field security operations. Similarly, standard form JOAs do not have outward looking provisions to encourage operators to coordinate with neighbouring operators, who are running operations on adjacent blocks. Such provisions could encourage: (i) a collective approach to corporate–community relations within their combined operational footprint; and (ii) shared training and synchronized operation of on-site security. We predict that such coordinated approaches would reduce surface risk. Another way that IPs and IOCs form part of a company’s meta-organization is through the operation of reputational capital. Reputational capital has become a shared asset between all exploration and production companies, including SOCs, NOCs and GSEs. It has been documented how reputational effects can ‘travel in accidental and contingent ways’, affecting seemingly unconnected exploration and production activities globally.205 The mismanagement of security risk by any one of these actors can trigger a reputational effect across the industry or upon one or more companies, even when they have no connection with the mismanagement in question. 
In fact, our interviewees acknowledged the potential for random impacts of reputational effects in such ways. Accordingly, the shared nature of reputational capital makes its management a collective concern for all exploration and production companies, and ought to trigger collective responses to improve standards across the industry. Again, industry groups such as the AIPN are well positioned at the meta-organizational level to up industry standards, coordinating such efforts through: (i) hosting events; (ii) offering training; and (iii) embedding best practices in model form contracts.206 Third, host governments also form part of a company’s meta-organization. The E&P company will negotiate or bid for the exploration and development rights with the host country.207 The nature of the relationship between the firm and the government, in particular the firm’s bargaining power relative to the government, can be defined by a number of factors including the firm’s: (i) size; (ii) technological competence and knowledge; (iii) reputation; (iv) capacity for input sourcing for materials; (v) capacity for output sourcing for sales and distribution; (vi) staffing policies; and (vii) political activity in-country.208 The host governments can structure the relationship with the firm in a number of ways; a common way is a production sharing agreement.209 In this way, the host government and the firm are business partners. 
Beyond being business partners, the firm is subjected to the government’s policies and regulations when operating in the country, creating another layer to the relationship that is similar to any other state–citizen relationship.210 The host government of the state is responsible for: (i) policing such crimes as kidnapping, murder and robbery; (ii) providing essential services; (iii) maintaining sovereignty over its borders; and (iv) maintaining internal political stability.211 Meanwhile, the firm, like the citizen, has the obligation to respect the rule of law.212 Of course, one could comment that we have ‘forgotten why’ exploration and production companies expanded operations into ‘developing countries in the first place’.213 We acknowledge this spotty history, yet reject such cynical approaches to corporate social responsibility as counterproductive to the opportunity that presents itself at this time and in this context. To explain, we have made a strong business case that the corporate administration of citizenship exists,214 and the expectations for corporate social responsibility are not at all too high, despite what some claim.215 New ‘constituencies of stakeholders’ are being created by institutional designs that are transforming firms into governance partners with host states.216 We, like others, believe the incentives are in place for significant change; positive synergies between host countries and firms have been noted.217 New opportunities for host governments to partner with firms exist today.218 For instance, opportunities exist to leverage both public and private investment in social and physical infrastructure,219 which will help to ensure that the firm has the positive and enduring presence it needs in-country to reduce surface risk.220 With healthy symbiotic relationships between host governments and firms, both parties can benefit while solidifying strong community relations.221 Fourth, local communities form part of a company’s 
meta-organization. The history of corporate–community relations in Nigeria stands as a dire warning for what can happen if an E&P partners with a host state in a manner that neglects communities, resulting in the perpetual marginalization and exclusion of ‘community participation within the decision-making process’ while making said communities ‘bear the full brunt of oil production’.222 In 2004, Chevron Texaco reported having lost more than $750 million as a result of community strife and oil pipeline bunking.223 Things got a lot worse. By the end of the decade, a violent campaign of young men under the banner of ‘Movement for the Emancipation of the Niger Delta’ had ‘crippled crude production and drove international oil companies offshore’.224 Even after community relations started to stabilize, Shell was still losing 40,000 to 60,000 barrels of oil a day from theft in 2013, costing the company approximately US$3.5–5 million each day.225 After tallying the cost of disruption, E&Ps invested heavily in community development to mend relations.
Observers noted that such community relations investment tended to lack ‘in-built sustainability mechanisms’, and had ‘poor community participation in project design, implementation and monitoring’.226 As a result, their efforts merely engendered ‘a culture of dependency’ which did little to improve their reputation with these communities.227 No one would refute that the Niger Delta represents a barely mitigated disaster, which cost the oil and gas industry billions of dollars and deeply tarnished its reputation.228 Much thought and focus has been given to ‘corporate-community conflict’ in the oil and gas industry since the mishandling of community relations in the Niger Delta, appreciating that the wide range of costs associated with such conflict can be high.229 Today, corporate–community engagement is not merely ensuring that communities are financially compensated, since it is appreciated that Kaldor–Hicks-style justice230 will fall short of maintaining good corporate–community relations.231 The best thinking appreciates that ‘when communities play active, participatory roles and lead the way in identifying and prioritizing their development needs while being supported by corporate organizations and development partners, a sense of ownership and participation is created’ which can sustain a strong corporate–community relationship.232 In other words, community members need to feel empowered in the corporate–community relationship and believe that they are partners with the company in the project.233 Moreover, there is no ‘single-solution’ to the challenge of building and sustaining such relationships; it takes ongoing engagement, which is honest, culturally sensitive and pragmatic.234 The costs of corporate–community conflict in areas such as the Niger Delta powerfully demonstrate that the days of superficial corporate social responsibility ought to be at an end.235 Moreover, E&Ps ought to be aware of: (i) how ‘communities are actively shaped and reshaped’ by their
corporate-community initiatives;236 and thus (ii) how the proper management of such initiatives is intimately connected to their future profitability. Fifth, civil society forms part of a company’s meta-organization. For some time, E&Ps have operated in a transnational environment in which standards for company behaviour, such as those provided by the Voluntary Principles for Security and Human Rights, have represented a form of ‘private governance’ at the global level.237 Moreover, this complex normative environment goes well ‘beyond the dualistic categories of voluntary and mandatory’.238 Whether or not transnational civil society networks have an impact is not in question. Transnational civil society networks do have an impact—the question is how transnational civil society ought to impact global governance.239 For years, observers have been predicting that civil society ‘stands at the cusp’ of ‘unprecedented’ opportunities.240 Although some in civil society are starting to enjoy the fruits of their labour, these global governance frontiers are still very wild, unwieldy, and difficult to manage.241 However, the combinations of market mechanisms and corporate social responsibility architectures are gaining traction,242 representing some of the best examples of intelligent institutional design today.243 And yet the mapping of such governance reveals there is much work to be done, considering the ‘multitude of overlapping and sometimes inconsistent’ combinations of ‘network-design’ in the global ether.244 In the field of security risk management for exploration and production companies, there are a number of examples of civil society ‘getting it right’.245 Organizations such as IPIECA,246 Shift,247 the Geneva Centre for the Democratic Control of Armed Forces,248 the International Committee of the Red Cross,249 and the Institute for Human Rights and Business250 are providing invaluable support, guidance and decision-making capacity to IOCs and IPs.
Such organizations are offering these businesses the tools they need to help devise security risk governance strategies that reduce surface risk, while upholding human rights standards in practice.251 These elements of civil society ought to be active participants in the meta-organizations in question. Sixth, security services, whether provided by the host state’s military or through private companies, form the final piece of a company’s meta-organization. The literature on the relationship between the firm and host country as the military provider is sparse at best. We will provide examples of two different worst-case scenarios of when the host country as the military provider fails. The first is the 2013 In Amenas gas facility hostage crisis.252 The second is the incidents that gave rise to the Choc v Hudbay Minerals Inc. transnational civil litigation.253 The first example is the In Amenas gas facility hostage crisis, which is considered an ‘unprecedented attack’ on an oil and gas facility.254 The hostage situation turned deadly when the Algerian government unilaterally decided not to negotiate with the terrorists, indiscriminately unleashing helicopter gunship fire on the terrorists, killing the terrorists but also killing the foreign workers, who were being used as human shields.255 In all, 40 employees and all of the terrorists were killed in the three-day siege.256 The joint venture was allowed few military resources and granted little access to military intelligence by the host country.257 As a result, its limited risk management processes were not integrated in key ways to the Algerian military response strategy.258 The readers of Statoil’s report on the incident are left with the impression that the government was circumspect of foreign companies, and might have been better served if it overcame such wariness.259 Instead, it is clear that the joint venture had few real options to better safeguard against such terrorist attacks in the future, other than
hoping that the Algerian military will better manage the security threats posed by Mali and Libya.260 The second example occurred in Guatemala. In 2004 Skye Resources purchased the Fenix nickel project. The operation was on the traditional land of Indigenous Mayan peoples, who were forced to relocate back in the 1960s.261 In 2006, Skye Resources attempted to reopen the mine, but by this time Mayans were repopulating their traditional area. Conflict ensued between Skye Resources’ subsidiary (backed by the Guatemalan police and military) and the Indigenous community in question.262 In 2007, the mine’s employees, the police and the military allegedly sexually violated 11 Indigenous women to crush protests.263 Subsequently, Hudbay Minerals purchased Skye Resources and knowingly assumed its liabilities for the alleged incident.264 Then, in 2009, the Chief of Security for the mine allegedly directed his security personnel to attack one of the Indigenous leaders with machetes before the security officer reportedly executed the Indigenous leader by shooting him in the head at close range.265 Both examples represent nightmare scenarios for an IOC or IP. In practice, it is rare that host states as military providers pose risks like those presented above. In fact, all things considered, the majority of our interviewees prefer to have a competent host government as the military provider over a private provider. That said, an E&P needs to be aware of the risks created when host governments act as the military provider. It is important to note that private armed security is not always an option open to an E&P.266 Regulation often prohibits private armed security.
When permitted, a spectrum of private military and security services exist for protecting in-country employees and assets.267 Private military companies (PMCs) come in four basic varieties: (i) Combat Offensive PMCs; (ii) Combat Defensive PMCs; (iii) Non-Combat Offensive PMCs; and (iv) Non-Combat Defensive PMCs.268 Combat Offensive PMCs are the companies that are most controversial269 because of their willingness to ‘engage in combat operations’ and thus their ‘proximity to violence’.270 Combat Defensive PMCs are what IOCs and IPs use to provide security for their assets and personnel.271 Arguably even Halliburton, on occasion, have fallen under the definition of a Non-Combat Defensive PMC or Non-Combat Offensive PMC, by providing private military logistics.272 Research shows that these ‘PMC entrepreneurs’ are distancing ‘their trade from that of traditional mercenaries’ by professionalizing within the business world as ‘legitimate paraprofessionals’.273 That said, whether it is best to have a PMC or the host government provide security services will be a highly fact-sensitive decision. Moreover, in many cases, the firm may not have the discretion to make that decision. Regardless of whether security is provided by a PMC or the host government, it is essential that the E&P makes all possible attempts to have strong formal and informal relations with the security provider so that security risk management strategies, processes, cultures and responses are fully integrated between the firm and said provider.274 In other words, a top priority of any E&P is to have a good personal rapport with—or full control over—the commanding officer of either the public or private forces providing security, so as to ensure that security risk management is being optimized.275 In fact, middle ground between a good rapport and full control is sometimes established to address situations where the latter is not possible and the former is not efficacious. 
Such middle ground could take the form of enhanced reporting, auditing and training. A final aspect of security is the provision of military intelligence. E&Ps should be able to rely on the host country to help provide this service:276 however, this information always ought to be cross-vetted through a number of different intelligence sources.277 In one interview, we were told that the intelligence of one African government was so unreliable that E&Ps flocked through informal channels to leaked intelligence gathered by the Chinese People's Liberation Army in-country. This example reflects the market for, and demand to find, reliable information by diligent E&Ps. Figure 5. Holistic risk governance. The six basic pieces of a company’s meta-organization provide a rough sketch of our vision for a holistic model of risk governance. If this alliance of actors can work together as a team, they ought to be able to reduce surface risk. Effective co-operation between this spectrum of public and private actors creates a sound foundation for risk management that will harness a diversity of opinions and a broad alignment of interests. Such holistic risk governance has considerable advantages when coping with the complex risk problems in question. Research results Industry groups, industry leaders and other firms Large E&Ps and the Elite Small E&Ps, which have adequate security risk management strategies, appreciated that the mismanagement of security could lead to reputational effects that could impact the profitability of their firm. Some of the interviewees from these E&Ps speculated that if adequate risk management measures were not in place, it would likely be due to either—or both—of the following two factors: (i) lack of financial resources; and (ii) lack of expert knowledge about security risk management.
Such interviewees also agreed that if industry groups took initiatives that reduced the cost of security risk management and/or increased the level of expert knowledge, it would directly benefit their firm. Some Small E&Ps claim that cost is the primary barrier to employing a full complement of security risk management strategies. We assert that lack of knowledge is also a factor. Some interviewees from Large E&Ps and many from Small E&Ps did not have an adequate understanding of the nature of holistic risk management. Additionally, they had an inadequate understanding of security risk management and the value proposition that improving security risk management presented to their firm. To be fair, many from this group believed that security risk is a serious problem, identifying that security risks could result in work stoppages, injury to employees and loss of assets. However, beyond production disruptions and loss of assets, reducing surface risk will also increase the value of their assets, reduce their cost of capital, and enhance their capacity for equity and debt financing by improving business certainty. We are thus suspicious as to whether or not such interviewees fully appreciate the value proposition in question. If they appreciated the true value of improving security risk management, we predict that some would revise their opinion that cost presents a serious barrier. We are not suggesting that, for many Small E&Ps, cost is not a significant barrier, only that it is a good investment in any company’s future. We concluded that both the perceived cost and lack of knowledge are the primary barriers to greater security risk management across the industry. A picture that can be constructed from the interviews is of a diverse collection of security risk management strategies, which are being employed by many Small E&Ps. 
Such strategies tend to: (i) lack sufficient expert support; (ii) be devised ad hoc from site-to-site; and (iii) plan to respond to risks when they materialize, but are not doing enough to prevent them from materializing. For these reasons, we conclude that our results indicate—albeit from a small sample—that a significant number of Small E&Ps, and a few Large E&Ps, are not fully seizing upon the opportunities they have to prevent security risks materializing into security and reputational problems. This conclusion deserves greater research and also industry concern. We are convinced that greater involvement of industry groups, such as the AIPN, can help improve firm performance in this area across the oil and gas industry. Moreover, industry groups are well-positioned to facilitate knowledge transfers between industry leaders and other firms, which are in need of such expertise by (i) hosting events; (ii) offering training; and (iii) embedding best practices in model form contracts. Finally, industry leaders appear to see the value to themselves in assisting their industry groups achieve this end. Host governments All interviewees agreed that it was difficult—if not improbable—for even Large E&P companies to sign a memorandum of understanding with a host government, which would lay out the E&P’s rights to, and the host government’s obligations to provide, armed security. That being said, one interviewee outlined a strategy used by a Large E&P to navigate this challenge. The E&P in question negotiated with the host government to pay it directly for security services. The interviewee asserted that the payment framed the relationship as service provider-client, not as sovereign-guest. This framing as client granted the E&P significant leverage over the provision of security services—particularly the standards for such services. We cannot speculate on whether or not this sort of arrangement would play out similarly in different scenarios. 
For instance, this strategy is more likely to work for an IOC than it is for a nano cap IP. Company relations with host states have been a priority within the industry for many years. All of the Large E&Ps, and many of the Small E&Ps, are very experienced with host state relations. A number of interviewees noted that the nature of company–country relations is changing. They provided stories of the increasing de-centeredness of governance and the rise of the local community as a more significant political actor in-country.278 Accordingly, a general consensus among industry leaders was that an in-country risk management strategy that relied solely upon strong relations with the host state cannot adequately reduce risk exposure and that community relations are becoming ever more important. In fact, it was suggested that corporate–community relations are more important than company-state relations in some countries. This observation is supported by the fact that all industry leaders have some form of in-country community relations capacity, which is distinct from its in-country governmental relations capacity. All interviewees agreed that it is difficult to generalize about governmental relations, since government behaviour can vary widely from country-to-country. Some interviewees told stories about how the quality and cooperation of government relations in a single country can change radically on the local, state and federal levels. Thus, some explained that a governmental relations strategy is not a one-dimensional proposition in some countries. The smooth operation of a security risk management strategy may need to be negotiated with a number of more, or less, independent layers of government, which have different allocations of power. For instance, one interviewee provided a hypothetical scenario where three different levels of government each had a de facto exclusive control over three different forms of security: military, paramilitary and police services.
To add to this complexity, each level of government had poor communication and coordination. Also, at times, they exhibited signs of competition, jealousy and hostility towards each other. The interviewee posed the question: ‘How does an E&P provide adequate holistic risk management when faced with such challenges?’ The interviewee did not have an answer, but this hypothetical reflected the reality that E&Ps can face when dealing with host governments. Even at the federal level, different departments may operate as small independent fiefdoms. One interviewee explained how his E&P had to interface with the Ministry of Energy for a production sharing contract; the Ministry of Defense for armed security; and the Ministry of Interior for internal policing matters. All three ministries exhibited poor communication between one another, forcing the E&P to coordinate the services provided by the Ministries. In sum, interviewees generally took time to explain the difficulties E&Ps face when attempting to coordinate holistic risk management strategy with host countries. Community relations Industry leaders invested many resources into devising an intelligent corporate–community relations strategy. They are convinced that the first step to a successful security risk management strategy is such relations. They see corporate–community relations as a cost-effective way to mitigate security risk. By comparison, most Small E&Ps failed to appreciate the full importance of strong corporate–community relations. Industry leaders did not conflate governmental relations with corporate–community relations. For instance, they invested in separate governmental and community relations departments and personnel at head office, the in-country office and the field site. In addition, they explained that an E&P had to be sensitive to the relationship between the community and the government.
In some cases, it was opined that if a community was happy, so was the government, and the government’s encouragement could help forge positive corporate–community relations. An interviewee noted that this was the case in Turkey, outside the areas influenced by the Partiya Karkerên Kurdistan. However, others reported that the opposite dynamic also can be at play between a local community and the government. In these cases, cooperating with the government or appearing to be allied with the government might have a significant negative impact on a community’s opinion of the company, and could raise security risks rather than lower them. An interviewee noted that an E&P might have to navigate such a country-community dynamic in Northern Kenya, Somaliland or the Niger Delta. Interviewees noted a number of examples of initiatives that foster stronger corporate–community relations, including providing equity shares in projects, hiring locals and awarding contracts to local firms. A couple of interviewees from industry leaders warned about the dangers of engaging in public–private infrastructure projects in communities with host governments. An interviewee provided the example of building a hospital, which relied on a government promise that it would provide the medical services to the community after the hospital was built. When the government did not fulfil its promise, the hospital was transformed from an example of the E&P’s good will to a symbol of the history of broken promises. Instead of building corporate–community relations, the hospital severely damaged them. At the field level, another interviewee suggested that identifying the correct contact within a local community is critical to developing effective corporate–community relations. It was added that the right attributes for this individual are highly fact dependent, but can include such factors as their tribal or family affiliations, religion, education and native tongue. 
Some interviewees also noted that such relations had to extend to communities on the periphery of the E&P’s operational footprint. As a general rule, it was also suggested that the E&P should not give preferential treatment to one local group over another, since long-held rivalries and tensions can be inflamed by such acts, unintentionally undermining fragile intercommunity relations. For instance, an interviewee used the example of electing to operate portable medical units over building hospitals, since such portable services prevent jealousies between communities by avoiding the perception that the E&P is favouring one community over another. In sum, the industry leaders understand that community investment must be intelligent and strategic. They appreciate that it must provide long-term benefits and reflect a company’s genuine commitment to the community. However, it is noteworthy that the interviewees failed to mention that providing local communities a sense of ownership over the E&P operations was an important aspect of cultivating strong corporate–community relations. The literature suggests that by providing communities with opportunities to share in decision-making over E&P projects, communities feel empowered and have a sense of meaningful ownership over the projects and their lives. This point was emphasized in the literature as being of critical importance to corporate–community relations.279 Civil society Since all interviewees are concerned with reputational risk and acknowledge the importance of corporate social responsibility, greater opportunities appear to be available for actors from civil society to partner in risk governance networks. That said, Small E&Ps were largely unaware of any institutional supports and guidance from actors in civil society.
For instance, except for the Elite E&Ps, none of the Small E&Ps were aware of the Guiding Principles on Business and Human Rights,280 the Voluntary Principles on Security and Human Rights,281 or the IPIECA’s Voluntary Principles on Security and Human Rights: Implementation Guidance Tools.282 Interviewees from Large E&Ps did a better job of identifying these instruments, but beyond recognizing the name, few knew their suggested guidelines or how to implement them. In fact, we were surprised that civil society was not playing a larger role at present, leading to the conclusion that our dataset may not be presenting us with a complete picture of existing risk governance networks. Security services Industry leaders agreed that the head of global security ought to have military training, if not a successful military career. The same was true for an in-country security manager and the onsite security supervisor: that is, if the operations in question demand armed security, rather than merely policing. Some opined that non-military personnel would not likely fully appreciate the nuances of military training, tactics, and strategy, and that non-military personnel might not be granted the same level of respect by many host-state military officers. All interviewees noted that armed security being allowed in-country is a key consideration. All interviewees reported that, in their experience, private unarmed security is always permitted by governments in-country. If private armed security is permitted, all interviewees reported that three options for the provision of security existed: (i) private security; (ii) government security; or (iii) some combination of both private and government security. The majority of interviewees preferred government provided security, while a minority preferred private security. The interviewees, who populated the minority position, were all employed by Small E&Ps in active conflict zones.
This preference for private security may be due to the extreme risk in such areas, or possibly to the fact that Small E&Ps appear to have weaker relations with host governments. Both are probably true, but the literature supports the latter conclusion.283 Many interviewees repeated the fact that the choice of security options is highly fact specific, since security conditions can vary widely from region-to-region, from country-to-country and from area-to-area within a single country. Interviewees reported that field security risks ranged from policing petty crimes to operating in a de facto warzone. Accordingly, armed security is absolutely necessary in some cases, but unnecessary in others. One interviewee warned that using personnel from a Combat Defensive PMC to police thievery ‘is like using a sledge hammer to kill a fly’, adding such misuse of security personnel can create new security risks. For instance, corporate–community relations may suffer from what communities may perceive as overkill. In fact, a majority of interviewees agreed that, when the situation calls for unarmed security, it ought to be the preferred option over armed security. A number of interviewees noted that using unarmed security—when prudent to do so—reduced the security risk. For instance, one interviewee told of an incident where a local community member engaged in an argument with a member of an E&P’s security team, only for the security officer to settle the matter by shooting and killing the local. Although the officer was from the host country’s military, the incident severely damaged corporate–community relations. The moral of the story is that electing for unarmed security, when possible, prevents such incidents from occurring, or at least from damaging the reputation of the E&P.
A number of interviewees from Large E&Ps and Elite Small E&Ps reported that when using armed security, government-provided security—as a general rule—minimized the reputational risks of employing such forces. The consensus reason for this reputational effect was that the government usually is perceived as controlling security as part of its sovereign right, and thus tended to bear the majority of the reputational risk of said security. Some reported that another advantage of electing to use government security is that it helps to facilitate productive relationships with host governments in other areas. A general consensus was that when governments provide security, the E&P can expect said security to be military or paramilitary forces, not police officers. Some interviewees noted that government security can give the E&P less control over the personnel and training, since government security will respond to the military chain of command, not the E&P. An interviewee warned that electing to use government security can have a significant negative impact on corporate-community relations and sometimes ‘make a bad situation worse’, if the relations between the host government and local communities are poor. Some interviewees noted that, in many regions, the cost of government security is built into the exploration and development arrangement between the E&P and the host country. An interviewee noted a case where government security was provided in exchange for community investment. Finally, there are situations where a company contracts the government to provide security for a fee. For instance, one interviewee noted that, in some countries from the Caucasus, such security contracts represent a significant addition to state revenue. As mentioned, another interviewee described how a Large E&P elected to pay the government for security services, which helped to frame its relation with the government as one of client and service provider.
It was reported that this framing granted the E&P greater control over the standard of services provided. Those who reported a preference for government-provided security usually also noted that private security created greater reputational risk, since the E&P is perceived as having direct control over the security forces in the event of an incident. In fact, all interviewees agreed that electing for private security granted E&Ps greater control over security risk management. Interestingly, some interviewees held the opinion that the reputational cost of a mismanaged security incident would impact the E&P more than the Combat Defensive PMC. Ergo, some interviewees believed that Combat Defensive PMCs are less risk averse than E&P companies. The literature asserts that PMCs are attempting to transform into ‘legitimate paraprofessionals’;284 we believe this perception may not be accurate. However, it still creates a positive incentive structure and should help protect human rights. Some interviewees noted that private security personnel can be sourced and hired locally, or be the personnel of PMCs. The decision to hire locally or to hire a PMC is like other such decisions—highly fact specific. A number of interviewees suggested that—depending on the facts—corporate–community relations can be improved by hiring security locally, and that this choice will reduce security risk, even when the security personnel are less skilled. An interviewee reasserted that hiring security locally can be most beneficial when the security team is unarmed. Interviewees also asserted that an E&P is less likely to combine armed private and armed government personnel in a single security team. Some interviewees warned that such combinations will add greater complexity to security operations, which can lead to confusion within the command structure, breakdowns in channels of communication, misperception as to roles, and avoidance of responsibilities.
That said, some interviewees noted that such a hybrid could still be the best option given a particular fact scenario on the ground. Conclusion Approaches to security risk management vary widely. It is troublesome to find that the data indicates most Small E&Ps, and a minority of Large E&Ps, still adopt an ad hoc approach that largely reacts to security risks as they materialize, instead of an approach that proactively mitigates security risks at the meta-organizational level. Frequently, Small E&Ps reported relying on a single security expert. We opine that this strategy poses significant reputational risk to all members of the industry in largely unforeseeable ways. On the other hand, the majority of Large E&Ps and the Elite Small E&Ps already appreciate the costs and benefits of engaging in security risk management strategies at the meta-organizational level. They: (i) prioritize host state relations; (ii) prioritize community relations; (iii) show appropriate concern over reputational effects at an industry level, knowing they ‘travel in accidental and contingent ways’285; (iv) agree that the industry as a whole ought to develop strategies to help Small E&Ps better mitigate security risk; and (v) agree that standard form contracts offer one example of how industry can help Small E&Ps, by: (i) reducing information asymmetries regarding security risk management across the industry; (ii) standardizing relationships within their risk networks; and (iii) decreasing the cost of security risk mitigation. Small E&Ps were less equipped to deal with security problems than Large E&Ps. In our estimation, Small E&Ps also were exposed to higher surface risk, because they did not have strong enough ties to local communities and/or host states. Moreover, Small E&Ps did not identify this higher risk exposure in these terms.
In addition, to the degree that a holistic multi-actor alliance for security risk existed to assist them in mitigating surface risk, Small E&Ps tended to be unaware that such support existed. 4. ADDITIONAL COMMENTS ON OPERATIONALIZING HOLISTIC SECURITY RISK MANAGEMENT Enterprise Risk Management (ERM) has emerged as an innovative model for business management, although some have strong reservations about its true value.286 There is no ‘agreement regarding the underlying theoretical foundation for ERM’,287 yet this holistic approach to risk management does have a distinctive application.288 To start, ERM assesses risk.289 The risk assessment method required will be dictated by the specific risk in question. A risk could fall under a number of different categories, which include: (i) strategic risk;290 (ii) compliance risk;291 (iii) operational risk;292 (iv) financial risk;293 (v) reputational risk;294 and/or (vi) some industry-specific risk category such as geological risk295 or surface risk.296 At this point, many of the risks can be understood in tangible terms (ie actual procedures, real people and hard assets), and thus are grounded in the ‘social and natural environment’ of the firm.297 All risks have one commonality: each represents a potential bar to maximizing profit for the firm.
Accordingly, within a traditional risk management process, such seemingly incomparable risks demanded a number of risk identification, measurement, monitoring and reporting processes that operated in separate silos of expertise within the organization.298 Accordingly, on an operational level, companies tended to have multiple risk management processes, which functioned in relative isolation from one another.299 ERM is a holistic approach, because it channels all of the isolated risk management processes into a single risk calculus.300 To do so, it first financializes all risks,301 giving each a value in monetary terms so that all risk can be relativized with all other types of risks through pricing.302 In other words, ERM translates all risks into ‘economic constraints and opportunities’,303 so that they can be understood using a financial cost-benefit calculus that fits neatly with present corporate governance thinking.304 What is most unique about ERM is that after pricing all of the risks, it groups them into a single risk management process, which analyses the risks as a single unit using the same process demanded by portfolio theory.305 Put differently, ERM hedges each financialized risk against the others to develop a strategy that balances risks in a manner that maximizes firm returns while minimizing the risk of loss.306 ERM provides a method to understand a diverse collection of seemingly unrelated risks with singularity. 
To operationalize this process, firm structure changes to accommodate the ‘complex integration of risks across the firm’.307 In particular, companies must adopt new forms of risk-related governance mechanisms, such as chief risk officer positions, so that all firm risks can be ‘integrated’ into a ‘single message to senior executives’.308 The shift in risk focus, combined with the internal structural change, tends to transform the firm, inspiring ‘a culture of risk-awareness throughout’.309 This particular ‘marriage of corporate governance and risk management’ by ERM has been called ‘risk governance’ within the business literature.310 The ERM-inspired culture of risk-awareness enhances the understanding of risks facing the firm.311 This perspective offers the insight necessary to design more intelligent profit-making strategies.312 ERM-inspired culture does not hinder the sort of risk taking that fuels firm performance. Moreover, when reputational risks are properly priced in this calculus, it shifts towards better ‘corporate citizenship’,313 which in turn ought to impact how a company ‘treats and is treated by, other organizations or other social partners’.314 Although ERM has many advantages, we still bracket the issue of whether or not its attempts to ‘unite the risk management process’315 through ‘financialization’316 is a superior form of risk management for present purposes,317 because of the inherent dangers of pricing human life as part of a profit-making strategy.318 A number of critical voices prudently warn against the exclusive use of ‘technocratic narratives’,319 and the need for ‘humanistic’320 ones, to help ensure that the ‘calculations of utility’321 do not blind decision makers when human rights are at stake.322 That said, our vision is similar to ERM. 
We endorse the development of ‘a culture of risk-awareness’323 that impacts ‘corporate citizenship’324 in a manner that improves the relationships between oil and gas companies and their ‘social partners’.325 In fact, we believe that such a holistic risk culture is absolutely essential to any holistic security risk management system. However, we push the definition of risk governance further than the ERM literature suggests, endorsing its broader and more generally accepted understanding.326 In this sense, risk governance extends beyond the business organization to embrace ‘multi-actor alliances’, which includes the company, the oil and gas industry as a whole, the host state, communities within the operational footprint, and other actors from the public sphere and civil society.327 Each of these actors provides one connection within the web of risk governance. This form of broad holistic governance connects an organizational ‘culture of risk-awareness’328 with an institutional ‘multi-actor’329 alliance for security risk management. Forging co-operation between this spectrum of public and private actors creates a diverse institutional platform of risk governance330 that allows for a ‘diversity’ of opinions and alignment of interests that has ‘considerable advantages’ when coping with ‘complex, uncertain and ambiguous risk problems’.331 Holistic risk governance at the meta-organizational level grants opportunities for learning that are critical for success.332 Accordingly, companies cannot optimize their management of the germane security risk problems,333 unless key players within the security governance network contribute to, and broadly support, the risk management strategies in question.334 This is especially true for Small E&Ps, who ‘may be less aware of, or lack the capacity to meet’, the challenges that security risk problems pose.335 An effective security risk management system requires the co-operation of a broad range of participants to be successful.
However, even if an E&P constructs such a security risk governance network, these efforts will not be enough to meaningfully reduce surface risk. For such strategies and plans to be effective, they must be communicated and operationalized across all units, disciplines and levels of the organization,336 as well as at strategic points within the security risk governance network.337 In addition, a mere ‘box-checking’ approach is inadequate; as Michael Power explained, such ‘box-checking’ offers ‘a cognitively comfortable world which focuses inwards on routine systems and controls’.338 He continued that while many ‘at the operational level prefer this less ambiguous and more rule-based world, it is also a rather dangerous generalised and standardized orientation for organizations’.339 As an alternative to the ‘formal “comfort” of auditing’, Power suggested a method that ‘is loosely related to what financial regulators call stress-testing’.340 This method removes risk managers from the ‘cognitively comfortable world’ of the ‘box checking’ and places them into a ‘scenario analysis’ world ‘in which participants from different disciplines in an organization can collectively track the trajectory of potential decisions and events’.341 For present purposes, the stress-testing would recursively drill the security response network using a series of risk scenarios, which have the highest probability of occurring.
The analysis of such drills ought to expose the limitations and failures of the security response, creating opportunities for learning.342 The key strength of this approach, as Power explained, is that such ‘stress-testing’ produces organizational ‘anxiety’, not ‘comfort’, and that such anxiety is not produced by ‘concern for legitimacy’ as defined by rule-based compliance, but by the organizational ‘uncertainty’ over its performance in the stress-test in question.343 In this way, the stress-testing is a focused learning tool, which leads to more dynamic, measured and practiced responses to security risk.344 Such training will not be altogether unfamiliar to military officers, who employ similar methods to drill soldiers by placing them in a range of life-or-death scenarios, so that when under fire,345 strategic responses play out as planned.346 In our vision of holistic risk governance, such stress-testing will occur at both the organizational and meta-organizational levels, leading to better prescriptions for, and operationalization of, coordinated reactions to security threats. The broad holistic collaboration between a spectrum of actors to form risk management networks, which we envisioned based on studies done in other risk management contexts,347 has not yet fully captured the imagination of many E&Ps; that said, the observation is based on our admittedly limited dataset. Although industry leaders are making strides towards holistic meta-organizational security risk strategies, we are convinced that much greater gains are possible to optimize risk strategies and significantly reduce surface risk. More research into this area is certainly merited. 5. 
CONCLUSION Holistic risk governance strategies hold the potential to achieve the creative capacity to better assess, manage and mitigate surface risk in complex above-ground operating environments.348 Our interviewees from industry leaders all agree that proactive attempts to prevent security risk from materializing are key and that reacting to such security risk when it materializes—even when it is done successfully—is largely missing the point. Our interviews indicate that the majority of Small E&Ps have not learned this lesson. Accordingly, while industry leaders have vastly improved security risk strategies since the incidents in the Niger Delta, they are still subject to the reputational risks created by those who are slow to innovate. Accordingly, many industry leaders, who were interviewed, were concerned by this fact and appeared willing to support initiatives to enhance industry learning in this area. We are convinced that the investment of industry resources to this end will pay generous dividends. For instance, we are convinced that a more holistic security risk management system will: (i) reduce surface risk; (ii) protect on-site employees and property; (iii) optimize wealth maximization of the industry; (iv) improve political stability of host countries and regions; and (v) significantly improve the lives of local inhabitants within the operational footprints of those companies. It bears repeating that although the E&P is the hub of this holistic risk management network, it cannot optimize the management of security risk problems without the co-operation and support of others as outlined above. We are convinced that knowledge is the greatest barrier to significant reductions in surface risk. Advancements in security risk management will both reduce reputational risk and increase reputational capital. 
Our research indicates that even if a Small E&P cannot afford the full complement of security risk management tools outlined in this article, the intelligent investment of its limited resources will be rewarded handsomely. Moreover, the cost of security risk management can be greatly reduced by greater industry support. We are convinced that improving the security risk management of Small E&Ps, and others who are progressing slowly, will benefit the industry as a whole. The AIPN is ideally placed within the industry to help to overcome these knowledge barriers. It can also lower the cost of security risk management by helping to standardize multi-actor alliances. Other groups from civil society and elsewhere, such as IPIECA and the International Association of Oil & Gas Producers, could also assist in the endeavour. Such efforts will enhance financial performance of E&Ps, help alleviate poverty in many areas of the world, and save lives. Greater coordination of holistic security risk management at the meta-organizational level will not only promote good corporate citizenship, while making sound business sense, but our dataset reflects that it is something industry leaders in this area desire. Greater support by the AIPN and others can provide the global coordination necessary to facilitate these ends. That said, the responsibility for change rests with industry members, not its industry groups. In particular, we recommend a programme of inquiry at the industry level to research the development of a number of tools to help E&Ps:
A security due diligence checklist for new country or region entry: This checklist would provide standardized rigour for identifying risks. It would also provide guidance as to how to evaluate the risks within the context of a number of suggested mitigants. This checklist could be used in parallel with any operations planning so as to align the two processes for inclusion in the relevant work programs and budgets.
A model form memorandum of understanding for use by E&Ps and host governments for the provision of security services: This model would help standardize security protocols globally, and reduce the cost of security risk management. Although our research indicated that host governments resist such agreements historically, if drafted with their guidance, we hope that they would see its merit. Ideally, the benefits would result in an accretive adoption that would win over even more reticent states, but even a modest gain on this front would be significant.
A model form Security Services Agreement for use by E&Ps and private security providers: This model also would help standardize security protocols globally, and reduce the cost of security risk management. The literature indicates that many PMCs want to transform into ‘legitimate paraprofessionals’.349 Therefore, we predict that their industry leaders will not only endorse the development of such an agreement, but that they would make constructive contributions in its development.
A model form community benefit agreement: Although our interviews reflected the fact that corporate-community relations are highly fact specific, we are convinced that an agreement framework that embeds current industry best practice could steer E&Ps towards intelligent community investment, optimizing one of the most important elements of any security risk management strategy.
A set of model form security provisions for inclusion in other field service contracts: Such provisions would help standardize the deployment of security services for the benefit of both E&Ps and OSCs.
A set of model form security provisions for inclusion in model form JOAs: Such provisions would help standardize the security services for the benefit of all E&Ps in such joint ventures.
We would like to thank the Association of International Petroleum Negotiators and Stikeman Elliott LLP, whose generous research fellowships made this work possible. 
We would also like to thank Douglas Purcell, James Coleman, and our assistants (Temi Onifade, Melissa Arseniuk, Paul Reid, Laura Scott, Drew Yewchuk and Christopher Kuhman). Footnotes 1 See generally, Peter F Drucker, The Concept of the Corporation (new ed, Transaction Publishers 1996); and Michael E Porter, Competitive Strategy: Techniques for Analyzing Industries and Competitors (Free Press 1998). 2 Charlotte J Wright and Robert M Cornell, ‘Fair Market Value and Valuation Methods of Oil and Gas Properties’ (2014) 33 Petroleum Accounting & Financial Management J 55, 68. 3 ibid 58. 4 ibid 58. 5 CRK Moore, ‘Perspectives on the Valuation of Upstream Oil and Gas Interests: An Overview’ (2009) 2 JWEL & B 24, 32. 6 ibid 32. Moreover, it is also useful to review what a risk constitutes in the rubric of field security operations. It is a complex question. Discretely, field security risk could present in the form of assault, kidnapping, murder, terrorism, vandalism, theft, insurrection/riot and violent state suppression of unrest. These risks are often quantified in terms of likelihood and severity when judging whether investment in a given area is even practicable. The risk to a petroleum company of vandalism may be less pronounced than the reputational risk of a murder perpetrated against a citizen of the host state. The risks vary enormously from country to country and are informed by a complex interaction of factors, such as: history, politics, race, language, economics, crime, policing, labour relations, infrastructure investment, literacy, poverty, pollution, health and even the constitutional division of governmental authorities. 7 ibid 35–37. Also see Wright and Cornell (n 2) 58. Also take into consideration the Petroleum Risk Manager rating system, see Alexander Van de Putte, David F Gates and Ann K Holder, ‘Political Risk Insurance as an Instrument to Reduce Oil and Gas Investment Risk and Manage Investment Returns’ (2012) 4 JWEL & B 284, 287–88. 
8 Barry Barton and Michael Goldsmith, ‘Community and Sharing’ in Lila Barrera-Hernandez and others (eds), Sharing the Costs and Benefits of Energy and Resource Activity (OUP 2016) 34. Also see Thomas Sikor, Eva Barlösius and Waltina Scheumann, ‘Introduction: Public-Private Relations and Key Policy Issues in Natural Resource Governance’ in Thomas Sikor (ed), Public and Private in Natural Resource Governance (1st edn paperback, Taylor & Francis 2016) 5–15. 9 In the Canadian context, Rowland J Harrison, former member of Canada’s National Energy Board, remarked on the impacts of social licence in a public lecture he gave at the Faculty of Law at the University of Alberta on 10 March 2015. For a written version of the speech, see Rowland J Harrison, Social License to Operate the Good, the Bad, the Ominous (13 March 2017) Canadian Association of Petroleum Landmen online: <http://landman.ca/2017/03/13/social-license-operate/> accessed 19 December 2017. For impacts in the US context, see Don Smith, ‘Social License to Operate in the Unconventional Oil & Gas Development Sector: The Colorado Experience’ in Lila Barrera-Hernandez and others (eds), Sharing the Costs and Benefits of Energy and Resource Activity (OUP 2016) 123–24. 10 Neil Gunningham, Robert A Kagan and Dorothy Thornton, ‘Social License and Environmental Protection: Why Businesses Go Beyond Compliance’ (2004) 29 L & Social Inquiry 307, 320 (foreseeing the present reality of the connections between reputational cost, future profits, project approvals and community opinion). 11 For a review of the literature in this field, see Fenner L Stewart, ‘The Corporation, New Governance, and the Power of the Publicization Narrative’ (2014) 21 Ind J Global L Studies 513, 517–33. In the context of natural resources governance, see Sikor, Barlösius and Scheumann (n 8) 5–15. 
12 Felicitas Weber and Olivia Watson, ‘Human Rights and The Extractive Industry’ (United Nations Principles for Responsible Investment 2015), Principles for Responsible Investment online: <https://www.unpri.org/download_report/8530> at 6, accessed 19 December 2017. 13 Michael Power and others, ‘Reputational Risk as a Logic of Organizing in Late Modernity’ (2009) 30 Organization Studies 201, 317. 14 ibid 217. 15 William Klein, John Coffee and Frank Partnoy, Business Organization and Finance: Legal and Economic Principles (11th edn, Foundation Press 2010) 1–4. 16 Although mainly an expectation of a number of transnational corporate social responsibility frameworks, it has also been captured in law in countries such as Canada, consider BCE Inc v 1976 Debentureholders, 2008 SCC 69, [2008] 3 SCR 560, [66] & [81]. 17 Jacob Dahl Rendtorff, ‘Creating Shared Value as Institutionalization of Ethical Responsibilities of the Business Corporation as a Good Corporate Citizen in Society’ in Josef Wieland (ed), Creating Shared Value—Concepts, Experience, Criticism (Springer 2017) 130. 18 ibid 130. 19 See Robert L Hirsch, Roger Bezdek and Robert Wendling, ‘Peaking of World Oil Production: Impacts, Mitigation, & Risk Management’ U.S. Department of Energy (February 2005), U.S. Department of Energy <https://www.netl.doe.gov/publications/others/pdf/Oil_Peaking_NETL.pdf> accessed 19 December 2017. 20 And yet, although producers now have more upstream options, the lower prices are also causing instability in states economically dependent on oil and gas revenue, which foreseeably leads to greater surface risk regardless of greater state cooperation. 
For more on state instability in this context, see Willem L Auping and others, ‘The Geopolitical Impact of the Shale Revolution: Exploring Consequences on Energy Prices and Rentier States’ (2016) 98 Energy Policy 390, 398 (contemplating the links between the oil glut created by the shale revolution and impacts upon the stability of states reliant upon oil and gas revenues). 21 Douwe Tideman and others, Government-facing Strategy for Oil And Gas Companies: Developing a Productive Relationship with Host Governments (Booz & Company 2012), PriceWaterhouseCooper online <https://www.strategyand.pwc.com/media/file/Strategyand_Government-facing-strategy-for-oil-and-gas.pdf> 5, accessed 19 December 2017. 22 This may be a somewhat contentious claim, if one is of the belief that today’s market logic cannot lead to a significant or genuine embedding of corporate function into social practice. For more, see Rendtorff (n 17) 130. 23 Emphasis is placed upon ‘helps’ because of the complexity of relationships that can exist between companies, host governments and communities. For more, see Audrey C Cash, ‘Corporate Social Responsibility and Petroleum Development in Sub-Saharan Africa: The Case of Chad’ (2012) 37 Resources Policy 144. For more successful applications, consider Tideman and others (n 21). But also, consider Lila Barrera-Hernandez and others, ‘Conclusion’, in Lila Barrera-Hernandez and others (eds), Sharing the Costs and Benefits of Energy and Resource Activity (OUP 2016) 432. Also consider Kathryn McPhail, ‘How Oil, Gas, and Mining Projects Can Contribute to Development’ (2000) 37(4) Finance and Development, International Monetary Fund online <http://www.imf.org/external/pubs/ft/fandd/2000/12/mcphail.htm> accessed 19 December 2017. 24 Moore (n 5) 35–37; also see Wright and Cornell (n 2) 58. 
25 Robert J Bies and others, ‘Corporations as Social Change Agents: Individual, Interpersonal, Institutional, and Environmental Dynamics’ (2007) 32 Academy of Management Rev 788, 789 (arguing that firms can ‘capitalize on opportunities to improve stakeholder relationships through corporate social responsibility’ in ways that transform into great profitability). 26 Thaddeus Chidi Nzeadibe, Chukwuedozie Kelechukwu Ajaero and Mary Basil Nwoke, ‘Rethinking Corporate-community Engagement in the Petro-economy of the Niger Delta’ (2015) 36 Singapore J Tropical Geography 376, 377. 27 Bies and others (n 25) 789. 28 For more on such institutional design, see Fenner L Stewart, ‘Behind the Cloak of Corporate Social Responsibility: Safeguards for “Private” Participation within Institutional Design’ (forthcoming 2018) 24 Ind J Global Legal Studies. 29 David Levi-Faur, ‘Regulatory Capitalism and the Reassertion of the Public Interest’ (2009) 27 Policy & Society 181, 181–83. 30 For more on doctrinal analysis, see Richard A Posner, ‘The Present Situation in Legal Scholarship’ (1981) 90 Yale L Rev 1113. 31 Gunther Teubner, ‘Enterprise Corporatism: New Industrial Policy and the “Essence” of the Legal Person’ (1988) 36 Am J Comp L 130, 131–32. 32 Klein, Coffee and Partnoy (n 15) 2–3. 33 Dirk Baecker, ‘The Form of the Firm’ (2006) 13(2) Organization 109, 113–14. 34 Teubner (n 31) 137. 35 Baecker (n 33) 114. 36 ibid 114–15. 37 Teubner (n 31) 138. 38 Erica Schoenberger, ‘Self-Criticism and Self-Awareness in Research: A Reply to Linda McDowell’ (1992) 44 The Professional Geographer 215, 217. 39 David Richards, ‘Elite Interviewing: Approaches and Pitfalls’ (1996) 16 Politics 199, 201. 40 Lewis Anthony Dexter, Elite and Specialized Interviewing (European Consortium for Political Research Press 2012) 18. 41 ibid 18. 42 ibid 4. 
43 For instance, consider Brian C Rathbun, ‘Interviewing and Qualitative Field Methods: Pragmatism and Practicalities’ in Janet M Box-Steffensmeier, Henry E Brady and David Collier (eds), Oxford Handbook of Political Methodology (OUP 2008) 685–701. 44 Avlana Eisenberg, Expressive Enforcement (2014) 61 UCLA L Rev 858, fn 103. Also see Herbert M Kritzer, ‘Seven Dogged Myths Concerning Contingency Fees’ (2002) 80 Washington ULQ 739, 742–43; Leslie C Levin, ‘The Ethical World of Solo and Small Law Firm Practitioners’ (2004) 41 Houston L Rev 309, 318; and Mark C Miller, ‘A Legislative Perspective on the Ohio, Massachusetts, and Federal Courts’ (1995) 56 Ohio State LJ 235, 240. 45 Oisin Tansey, ‘Process Tracing and Elite Interviewing: A Case for Non-probability Sampling’ (2007) 40 Political Science & Politics 765, 766. 46 Schoenberger (n 38) 766. 47 Richards (n 39) 201. 48 Tansey (n 45) 766. 49 ibid 767. 50 ibid 766. But also see Darren G Lilleker, ‘Interviewing the Political Elite: Navigating a Potential Minefield’ (2003) 23 Politics 207, 208. 51 ibid 208. 52 Tansey (n 45) 766. 53 Richards (n 39) 200. 54 Lilleker (n 50) 208. 55 Dexter (n 40) 19. 56 ibid 19. 57 Lilleker (n 50) 208. 58 Dexter (n 40) 19. 59 ibid 19. 60 ibid 21. 61 Schoenberger (n 38) 217. 62 Richards (n 39) 200. 63 ibid 201. 64 Dexter (n 40) 18. 65 ibid 4. 66 Daniel Yergin, The Quest: Energy, Security, and the Remaking of the Modern World (Penguin 2011) 110–11. 67 Coby van der Linde, The State and the International Oil Market: Competition and the Changing Ownership of Crude Oil Assets (Springer 2000) 97. 68 US Energy Information Administration, Oil: Crude and Petroleum Products Explained (US Energy Information Administration), EIA online: <https://www.eia.gov/energyexplained/index.cfm?page=oil_where> accessed 19 December 2017. 69 Peter R Hartley and Kenneth B Medlock, ‘Changes in the Operational Efficiency of National Oil Companies’ (2013) 34 Energy J 27, 28, 55–56. 70 ibid 28, 55–56. 
71 Joseph Hilyard, The Oil & Gas Industry: A Nontechnical Guide (PennWell 2012) 229. 72 Forbes, Fortune Global 500, Forbes online: <http://fortune.com/global500/2016/list> accessed 19 December 2017. 73 Forbes, Fortune Global 500: Statoil, Forbes online: <http://fortune.com/global500/2016/statoil/> accessed 19 December 2017. 74 Fortune Global 500 (n 72). 75 Forbes, Fortune Global 500: Royal Dutch Shell, Forbes online: <http://fortune.com/global500/2016/royal-dutch-shell/> accessed 19 December 2017. 76 Fortune Global 500 (n 72). 77 Forbes, Fortune Global 500: ExxonMobil, Forbes online: <http://fortune.com/global500/2016/exxon-mobil/> accessed 19 December 2017. 78 Fortune Global 500 (n 72). 79 Forbes, Fortune Global 500: PB, Forbes online: <http://fortune.com/global500/2016/pb/> accessed 19 December 2017. 80 Fortune Global 500 (n 72). 81 Forbes, Fortune Global 500: Chevron, Forbes online: <http://fortune.com/global500/2016/chevron/> accessed 19 December 2017. 82 Hilyard (n 71) 227. 83 For instance, see Catherine Locatelli, ‘The Russian Gas Industry: Challenges to the “Gazprom Model”?’ (2014) 26 Post-Communist Economies 53, 54. 84 Fortune Global 500 (n 72). 85 Forbes, Fortune Global 500: Gazprom, Forbes online: <http://fortune.com/global500/2016/gazprom/> accessed 19 December 2017. 86 Fortune Global 500 (n 72). 87 Forbes, Fortune Global 500: Repsol, Forbes online: <http://fortune.com/global500/2016/repsol/> accessed 19 December 2017. 88 Fortune Global 500 (n 72). 89 Forbes, Fortune Global 500: ConocoPhillips, Forbes online: <http://fortune.com/global500/2016/global500/conoco-phillips/> accessed 19 December 2017. 90 Fortune Global 500 (n 72). 91 Forbes, Fortune Global 500: Suncor, Forbes online: <http://fortune.com/global500/2016/suncor/> accessed 19 December 2017. 
92 InvestSnips, Large-Cap Oil & Gas Exploration and Production Companies, InvestSnips online: <http://investsnips.com/list-of-publicly-traded-large-cap-oil-gas-exploration-and-production-companies/> accessed 19 December 2017. 93 InvestSnips, Publicly Traded Mid-Cap Oil & Gas Exploration and Production Companies, InvestSnips online: <http://investsnips.com/list-of-publicly-traded-mid-cap-oil-gas-exploration-and-production-companies/> accessed 19 December 2017. 94 InvestSnips, Small-Cap Oil & Gas Exploration and Production Companies, InvestSnips online: <http://investsnips.com/list-of-publicly-traded-small-cap-oil-gas-exploration-and-production-companies/> accessed 19 December 2017. 95 InvestSnips, Micro-Cap Oil & Gas Exploration and Production Companies, InvestSnips online: <http://investsnips.com/list-of-publicly-traded-micro-cap-oil-gas-exploration-and-production-companies/> accessed 19 December 2017. 96 Hilyard (n 71) 230. 97 EIA Market and Financial Analysis Team, Financial Review of the Global Oil and Natural Gas Industry 2016 (US Energy Information Administration 2017), EIA online: <https://www.eia.gov/finance/review/pdf/financial_2016.pdf> accessed 19 December 2017. 98 ibid. 99 Basak Beyazay-Odemis, The Nature of the Firm in the Oil Industry: International Oil Companies in Global Business (Routledge 2016) 42–44. 100 ibid 44. 101 Hilyard (n 71) 230. 102 Fortune Global 500 (n 72). 103 Forbes, Fortune Global 500: Schlumberger, Forbes online: <http://fortune.com/global500/2016/schlumberger/> accessed 19 December 2017. 104 Fortune Global 500 (n 72). 105 Forbes, Fortune Global 500: Halliburton, Forbes online: <http://fortune.com/global500/halliburton/> accessed 19 December 2017. 106 Hartley and Medlock (n 69) 28, 55–56. 107 Beyazay-Odemis, (n 99) 42–44. 
108 A small-cap IP has a market capitalization under two billion dollars but over 300 million dollars, see ‘Small-Cap IP’ (n 94), a micro-cap IP has a market capitalization of under $300 million, and a nano-cap IP has a market capitalization of under $50 million, see ‘Micro-Cap IP’ (n 95). 109 For instance, consider Markham Hislop, ‘Want to Start a Junior Oil Company? It’ll Cost You $100 Million: Juniors are Getting Larger, Better Capitalized and Will Soon Only Work in the Very Best Production Areas’, Alberta Oil Magazine (October 28, 2017) online: <https://www.albertaoilmagazine.com/2016/10/juniors-getting-larger-better-capitalized-will-soon-work-best-production-areas/> accessed 19 December 2017. 110 Klein, Coffee and Partnoy (n 15) 5, 21–31. 111 Dennis R Jennings, Joseph B Feitin and Horace R Brock, Petroleum Accounting: Principles, Procedure & Issues (5th ed, Professional Development Institute 2000) 40. 112 ibid 40. 113 Beyazay-Odemis (n 99) 42–44. 114 Jennings, Feitin and Brock (n 111) 40. 115 Beyazay-Odemis (n 99) 43–44. 116 Jennings, Feitin and Brock (n 111) 40–41. 117 ibid 41. 118 ibid 41. 119 For some fundamental wisdom about how business organization and processes are used to develop sound strategies to achieve and sustain competitive advantage, see John Child, Organization: Contemporary Principles and Practice (2nd edn, Wiley 2015) 7–21. 120 Child ibid at 7–21; also see Jennings, Feitin and Brock (n 111) 40–41. 121 For more on risk architecture as a foundation for core risk processes and operations within an organization, see Paul Hopkin, Fundamentals of Risk Management: Understanding, Evaluating and Implementing Effective Risk Management (4th edn, The Institute of Risk Management 2017) 244–47. 122 Sara A Lundqvist, ‘Why Firms Implement Risk Governance—Stepping Beyond Traditional Risk Management to Enterprise Risk Management’ (2015) 34 J of Accounting & Public Policy 441, 442. 123 ibid 442. 
Also see Bromiley and others, ‘Enterprise Risk Management: Review, Critique, and Research Directions’ (2015) 48(4) Long Range Planning 265, 268. For further consideration of the importance of a “culture of risk-awareness”, consider Thomas L Barton, William G Shenkir and Paul L Walker, Making Enterprise Risk Management Pay Off (Financial Times Press 2002) 1–2. Also note that there can be a high degree of overlap between these departments, most notably risk management and corporate social responsibility. 124 Such skillsets include devising and implementing strategic community relations, negotiating with government actors, navigating foreign legal systems and complex normative environments, and neutralizing, degrading, disrupting or defeating potential physical threats to individuals and assets. 125 Hopkin (n 121) 228. 126 For more on the importance of, and strategies for, building strategic relationships with host countries, see generally Douwe Tideman and others (n 21). 127 Lundqvist (n 122) 442. Also see Shenkir and Walker (n 122) 1–2. 128 Torben Juul Andersen, Maxine Garvey and Oliviero Roggi, Managing Risk and Opportunity: The Governance of Strategic Risk-Taking (OUP 2014) 162–63. 129 Anil Naira and others, ‘Enterprise Risk Management as a Dynamic Capability: A Test of its Effectiveness During a Crisis’ (2014) 35 Managerial & Decision Economics 555, 556. 130 For more on how risk information needs to be generated in ways that inspire anxiety and learning about risk (such as stress testing) and not comfort and compliance towards risk (such as box checking and auditing), see Michael Power, ‘The Risk Management of Nothing’ (2009) 34 Accounting, Organizations & Society 849, 852. 131 For how risk information is priced and applied to the calculus of finances, see Lundqvist (n 122) 442; Bromiley and others (n 123) 268; and Natascha van der Zwan, ‘Making Sense of Financialization’ (2014) 12 Socio-Economic Rev 99, 100–3. 
And for the dangers of financializing risks that impact human rights, see The Corporation and Governance (n 18) 547–49; and Thomas Nagel, Mortal Questions (CUP 1979) 59. 132 For more on the added complexities of the framing of risk, see Jennifer Blaskovich and Eileen Z Taylor, ‘By the Numbers: Individual Bias and Enterprise Risk Management’ (2011) 13(1) J Behavioral & Applied Management 5, 6–8. 133 Lundqvist (n 122) 442; Kevin Ruck and Mary Welch, ‘Valuing Internal Communication; Management and Employee Perspectives’ (2012) 38 Public Relations Rev 294, 294–96; Mark Laycock, Risk Management At The Top: A Guide to Risk and its Governance in Financial Institutions (Wiley 2014) 102; and Erik Banks, Risk Culture: A Practical Guide to Building and Strengthening the Fabric of Management (Palgrave Macmillan 2012) 68. 134 For the importance of management’s treatment of risk, see Laycock, ibid 102. 135 Baecker (n 33) 116. 136 ibid 116. 137 Clifford W Scherer and Hichang Cho, ‘Social Network Contagion Theory of Risk Perception’ (2003) 23 Risk Analysis 261, 262. 138 Consider Julian Talbot and Miles Jakeman, Security Risk Management Body of Knowledge (Wiley 2009) 3–14. 139 For more on the potential negative impacts upon team performance when face-to-face communication is replaced by computer-mediated communication, see generally Nancy J Stone, ‘Media Richness, Team Behaviors, and Task Complexity on Team Performance’ (2014) 58 Proceedings of the Human Factors and Ergonomics Society Annual Meeting 1381. 140 Lundqvist (n 122) 444. For instance, consider Kevin Ruck and Mary Welch, ‘Valuing Internal Communication; Management and Employee Perspectives’ (2012) 38 Public Relations Rev 294, 294–96. 141 For more on the individual bias towards risk as variables, see Blaskovich and Taylor (n 132) 6–8. 142 Brian P Niehoff, Cathy A Enz and Richard A Grover, ‘The Impact of Top-Management Actions on Employee Attitudes and Perceptions’ (1990) 15 Group & Organization Studies 337, 338. 
143 For instance, consider the role of transformational and charismatic leadership in creating bonds that inspire organizational change, see Bruce J Avolio and Francis J Yammarino, ‘Introduction to, and Overview of, Transformational and Charismatic Leadership’ in Bruce J Avolio and Francis J Yammarino (eds), Transformational and Charismatic Leadership: The Road Ahead: Monographs in Leadership and Management (10th Anniversary edn, Emerald Group Publishing 2013) xxvii. 144 Niehoff, Enz and Grover (n 142) 338. 145 James Combs and others, ‘How Much Do High-Performance Work Practices Matter? A Meta-Analysis of Their Effects on Organizational Performance’ (2006) 59 Personnel Psychology 501, 503, 524. 146 ibid 503 and 524. 147 Bruno Latour, Reassembling the Social: An introduction to Actor-Network Theory (OUP 2005) 50. 148 Combs and others (n 145) 503 and 524; Niehoff, Enz and Grover (n 142) 338; Laycock (n 133) 102; and Avolio and Yammarino (n 143). 149 Laycock (n 133) 102. 150 Power, ‘Risk Management of Nothing’ (n 130) 852. 151 Christopher L Culp, The Risk Management Process: Business Strategy and Tactics (Wiley 2002) 234. 152 Andersen, Garvey and Roggi (n 128) 162–63. 153 Power, ‘Risk Management of Nothing’ (n 130) 852. But also consider Audrey Schriefer and Michael Sales, ‘Creating Strategic Advantage with Dynamic Scenarios’ (2006) 34 Strategy & Leadership 31, 34; and Thomas Cooper, Alex Faseruk and Shazli Khan, ‘Examining Practitioner Studies to Explore ERM and Organizational Culture’ (2013) 14(1) J Management Policy & Practice 53, 64. 154 Peer Zumbansen, ‘Defining the Space of Transnational Law: Legal Theory, Global Governance, and Legal Pluralism’ (2012) 21 Transnatl L & Contemp Probs 305, 308. 155 Power, ‘Risk Management of Nothing’ (n 130) 852. 156 Teubner (n 31) 137. 157 Baecker (n 33) 114. 158 ibid 114–15. 159 Teubner (n 31) 138. 
160 Niklas Luhmann, ‘Operational Closure and Structural Coupling: The Differentiation of the Legal System’ (1991) 13 Cardozo L Rev 1419, 1432–34. 161 Lundqvist (n 122) 443. 162 Power, ‘Risk Management of Nothing’ (n 130) 852. 163 Laycock (n 133) 102. 164 Andersen, Garvey and Roggi (n 128) 162–63. 165 Laycock (n 133) 102. But also see Banks (n 133) 68. 166 The remaining risk management specialists work or have worked for non-combative defensive private military and security companies. 167 The remaining lawyers are all external counsel from firms based in North America, Latin America, Europe, Africa and Middle East. 168 One was actually a SOE, but for the purpose of this article, we are treating it as though it were an IOC. We are mindful of the potential difference in organizational culture of a hybrid versus a publicly traded company. 169 Large-Cap Oil & Gas Exploration and Production Companies (n 92). 170 Mid-Cap Oil & Gas Exploration and Production Companies (n 93). Also see Small-Cap Oil & Gas Exploration and Production Companies (n 94). 171 Mid-Cap Oil & Gas Exploration and Production Companies, ibid. 172 Micro-Cap Oil & Gas Exploration and Production Companies (n 9). 173 Larger E&P means ‘large exploration and production company’. 174 Small E&P means ‘small exploration and production company’. 175 For a detailed explanation of the cost of exploration and production, consider Nadine Bret-Rouzaut and Jean-Pierre Favennec, Oil and Gas Exploration and Production: Reserves, Cost, Contracts (trans. Jonathan Pearse, Technip 2011) 121–70. But also consider US Energy Information Administration, Trends in U.S. Oil and Natural Gas Upstream Costs (US Energy Information Administration 2016), EIA online <https://www.eia.gov/analysis/studies/drilling/pdf/upstream.pdf> accessed 19 December 2017. 176 For example, our smallest E&P had a market capitalization of under US$8-million. Also see Hislop (n 109). 177 Nzeadibe, Ajaero and Nwoke (n 26) 377. 178 ibid 377. 
179 Ortwin Renn, Andreas Klinke and Marjolein van Asselta, ‘Coping with Complexity, Uncertainty and Ambiguity in Risk Governance: A Synthesis’ (2011) 40 Ambio 231, 231. 180 Héloïse Berkowitz and Hervé Dumez, ‘The Concept of Meta-Organization: Issues for Management Studies’ (2016) 32 European Management Rev 149, 149–52. For a literature review of research studying Meta-Organization and Corporate Social Responsibility in the oil and gas industry, see Héloïse Berkowitz, Marcelo Buscheli and Hervé Dumez, ‘Collectively Designing CSR Through Meta-Organizations: A Case Study of the Oil and Gas Industry’ (2017) J Business Ethics 754, 754–55. 181 Stewart Macaulay, ‘Non-Contractual Relations in Business: A Preliminary Study’ (1963) 28 American Sociological Rev 55, 55. 182 ibid 61. 183 Li-Wen Lin and Josh Whitford, ‘Conflict and Collaboration in Business Organizations’ in Jean Braucher, John Kidwell and William C Whitford (eds), Revisiting the Contracts Scholarship of Stewart Macaulay: On the Empirical and the Lyrical (Hart 2013) 191–93. 184 Walter W Powell, ‘Neither Market nor Hierarchy: Network Forms of Organization’ in Michael Handel (ed), The Sociology of Organizations: Classic, Contemporary, and Critical Readings (Sage 2002) 315. 185 Latour (n 147) 49–50. 186 ibid 14. 187 ibid 50. 188 For a different idea of the traps of network theory and the dangers of ‘oversocializing’ or ‘undersocializing’ business relations, see Mark Granovetter, ‘Economic Action and Social Structure: The Problem of Embeddedness’ (1985) 91 American J Sociology 481, 487. 189 Latour (n 147) 49–50. 190 Brian Uzzi, ‘Social Structure and Competition in Interfirm Networks: The Paradox of Embeddedness’ (1997) 42 Administrative Science Q 35, 36. 191 Renn, Klinke and van Asselta (n 179) 231. 
For instance, consider how even very practical guides to business acknowledge that the challenges of cross border organization, decentralization, outsourcing and alliance building are leading to ‘growing flexibility and permeability of the boundaries of firms’, see Child (n 119) 10–17. For a more theoretical perspective on the nature of the firm’s ‘boundaries’, see Peer Zumbansen, ‘The New Embeddedness of the Corporation: Corporate Social Responsibility in the Knowledge Society’ in Peer Zumbansen and Cynthia A Williams (eds), The Embedded Firm: Corporate Governance, Labor, and Finance Capitalism (CUP 2011) 145. 192 For a literature review of research studying Meta-Organization and Corporate Social Responsibility in the oil and gas industry, see Berkowitz, Buscheli and Dumez (n 167) 754–55. Also see Berkowitz and Dumez (n 167) 149–52. 193 Berkowitz, Buscheli and Dumez (n 167) 149. 194 For examples of such contracts, see Association of International Petroleum Negotiators, Model Contracts, AIPN online at <https://www.aipn.org/model-contracts/> accessed 19 December 2017. 195 For more consider Mark R Patterson, ‘Standardization of Standard-Form Contracts: Competition and Contract Implications’ (2010) 52 William & Mary L Rev 327, 331–35. 196 For a good introduction to the operation of standard form contracts as a form of transnational law, see Joanne P Braithwaite, ‘Standard Form Contracts as Transnational Law: Evidence from the Derivatives Markets’ (2012) 75 Modern L Rev 779, 779–84. 197 Beyazay-Odemis (n 99) 43. 198 ibid 43. 199 Paul Stevens, International Oil Companies the Death of the Old Business Model (The Royal Institute of International Affairs 2016), Chatham House online: <https://www.chathamhouse.org/sites/files/chathamhouse/publications/research/2016-05-05-international-oil-companies-stevens.pdf> 16, accessed 19 December 2017. 200 ibid 16.
201 Georgios Chalkiadakis, Edith Elkind and Michael Wooldridge, ‘Cooperative Game Theory: Basic Concepts and Computational Challenges’ (2012) 27 IEEE Intelligent Systems 86, 86. 202 ibid 86. 203 A Timothy Martin and J Jay Park, ‘Global Petroleum Industry Model Contracts Revisited: Higher, Faster, Stronger’ (2010) 3 JWEL & B 4, 4–5. 204 For instance, consider Leanne Desbarats, ‘Limiting Damages for Loss of Profits and Loss of Production Under the AIPN 2012 Model Form International Operating Agreement’ (2014) 7 JWEL & B 256. But also see Wilson Woods, ‘The Effects of Exculpatory Clause in Joint Operating Agreements: What Protections Do Operators Really Have in the Oil Patch?’ (2005) 38 Tex Tech L Rev 212, 212–17. 205 Power and others (n 13) 217. 206 For more on how to build ‘proper exchange architecture’ for information sharing between competing business organizations, see Joakim Kembro, Kostas Selviaridis and Dag Näslund, ‘Theoretical Perspectives on Information Sharing in Supply Chains: a Systematic Literature Review and Conceptual Framework’ (2014) 19 Intl J Supply Chain Management 609, 612. For examples of cooperation between IOCs to reduce risk in other contexts, consider Kim Talus, Scott Looper and Steven Otillar, ‘Lex Petrolea and the Internationalization of Petroleum Agreements: Focus on Host Government Contracts’ (2012) 5 JWEL & B 181. Also see Patterson (n 182) 331–35; and Martin and Park (n 203) 4. 207 Andrew C Inkpen and Michael Moffett, The Global Oil & Gas Industry: Management, Strategy & Finance (Pennwell 2011) 21. 208 Chul W Moon and Augustine A Lado, ‘MNC-Host Government Bargaining Power Relationships: A Critique and Extension within the Resource-Based View’ (2000) 26 J Management 85, 90–89. 209 Inkpen and Moffett (n 207) 21. 210 ibid 21. 211 Surya Rajan and Shree Vikas, Simplified Country Risk Assessments for Global Petroleum Investments (Society of Petroleum Engineers 2008) 6. 212 Inkpen and Moffett (n 207) 21.
213 Gavin Hilson, ‘Corporate Social Responsibility in the Extractive Industry: Experiences from Developing Countries’ (2012) Resources Policy 131, 132. 214 Dirk Matten and Andrew Crane, ‘Corporate Citizenship: Toward an Extended Theoretical Conceptualization’ (2005) 30 Academy of Management Review 166, 175. 215 Hilson (n 200) 132. 216 Matten and Crane (n 214) 176. But also see Barton and Goldsmith (n 8) 34; Sikor, Barlösius and Scheumann (n 8) 5–15; and Gunningham, Kagan and Thornton (n 10) 320. 217 Consider Tideman and others (n 2); Barton and Goldsmith (n 8) 34; and Barrera-Hernandez and others (n 23). 218 Barton and Goldsmith (n 8) 34. 219 Barrera-Hernandez and others (n 23) 432. But also consider McPhail (n 23); Cash (n 23); Tideman and others (n 21). 220 Tideman and others (n 21) 6. 221 ibid 6. 222 Uwafiokun Idemudia and Uwen E Ite, ‘Corporate-Community Relations in Nigeria’s Oil Industry: Challenges and Imperatives’ (2006) 13 Corporate Social Responsibility & Environmental Management 194, 200. 223 ibid 196. 224 The Economist, Who are the Niger Delta Avengers? (1 July 2016), The Economist online: <https://www.economist.com/blogs/economist-explains/2016/07/economist-explains> accessed 19 December 2017. 225 The Guardian, £1bn a Month: the Spiralling Cost of Oil Theft in Nigeria (5 October 2013), The Guardian online: <https://www.theguardian.com/global-development/2013/oct/06/oil-theft-costs-nigeria> accessed 19 December 2017. 226 Idemudia and Ite (n 222) 196. 227 ibid 196. 228 For instance, consider Peter Maass’s popular characterization of the oil and gas industry’s activities in Nigeria, see Peter Maass, Crude World: The Violent Twilight of Oil (Knopf 2009) 53–80. 229 Rachel Davis and Daniel Franks, Costs of Company-Community Conflict in the Extractive Sector (Harvard Kennedy School 2014) 11, 15–16, Harvard Kennedy School online: <https://sites.hks.harvard.edu/m-rcbg/CSRI/research/Costs%20of%20Conflict_Davis%20%20Franks.pdf> accessed 19 December 2017. 
230 Idemudia and Ite (n 222) 196. 231 ibid 196. 232 Nzeadibe, Ajaero and Nwoke (n 26) 377. 233 Moonhee Cho and Maria De Moya, ‘Empowerment as a Key Construction for Understanding Corporate Community Engagement’ (2016) Intl J Strategic Communication 272. 234 Luc Zandviet and Mary Anderson, Getting it Right: Making Corporate Community Relations Work (Routledge 2009) 8. 235 Davis and Franks (n 216) 15–16; and Idemudia and Ite (n 222) 196. 236 Glenn Banks and others, ‘Conceptualising Corporate Community Development’ (2016) 37 Third World Q 245, 257. 237 Cynthia A Williams, ‘Civil Society Initiatives and Soft Law in the Oil and Gas Industry’ (2004) 36 NYU J Intl L & Pol 457, 461. 238 ibid 462. 239 Ann M Florini and PJ Simmons, ‘What the World Needs Now?’ in Ann M Florini (ed), The Third Force: The Rise of Transnational Civil Society (Brookings Institution Press 2000) 4. 240 John D Clark, Worlds Apart: Civil Society and the Battle for Ethical Globalization (Earthscan 2003) 4. 241 For instance, consider Martin Koch, ‘Non-State and State Actors in Global Governance’ in Bob Reinalda (ed), The Ashgate Research Companion to Non-State Actors (Ashgate 2011).
242 For instance, consider Patricia Crifo and Vanina D Forget, ‘The Economics of Corporate Social Responsibility: A Firm-Level Perspective Survey’ (2014) 29 J Economic Surveys 112; Michele V Gee and Sue M Norton, ‘Corporate Social Responsibility: Strategic and Managerial Implications’ (2013) 10 J Leadership, Accountability and Ethics 37; Jedrzej George Frynas, Beyond Corporate Social Responsibility—Oil Multinationals and Social Challenges (CUP 2009); Sylvia Maxfield, ‘Reconciling Corporate Citizenship and Competitive Strategy: Insights from Economic Theory’ (2008) 80 J Business Ethics 367; Ans Kolk and Jonatan Pinkse, ‘Multinationals’ Political Activities on Climate Change’ (2007) 46 Business & Society 201; and Abagail McWilliams, Donald S Siegel and Patrick M Wright, ‘Corporate Social Responsibility: Strategic Implications’ (2006) 43 J Management Studies 1. 243 See generally Stewart, ‘Private’ Participation within Institutional Design (n 29). 244 Luc Fransen, ‘The Politics of Meta-Governance in Transnational Private Sustainability Governance’ (2015) 48 Policy Science 293, 314. 245 Clark (n 227) 4. 246 For instance, see IPIECA, Responsible security, IPIECA online at <http://www.ipieca.org/our-work/social/responsible-security/> accessed 19 December 2017. 247 For instance, its collaboration with the Institute for Human Right and Business, see Shift and Institute for Human Right and Business, Oil and Gas Sector Guide on Implementing the UN Guiding Principles on Business and Human Rights (European Commission 2013) Institute for Human Right and Business online: <https://www.ihrb.org/pdf/eu-sector-guidance/EC-Guides/O&G/EC-Guide_O&G.pdf> accessed 19 December 2017. 248 For instance, its collaboration with IPIECA, see IPIECA, Host Country Security Assessment Guide, IPIECA online: <http://www.ipieca.org/resources/good-practice/host-country-security-assessment-guide/> accessed 19 December 2017. 249 ibid. 
250 For instance, see ‘Oil and Gas Sector Guide on Business and Human Rights’ (n 247). 251 For instance, see ‘Security Assessment Guide’ (n 235). 252 Statoil ASA, The In Amenas Attack: Report of the investigation into the terrorist attack on In Amenas. Prepared for Statoil ASA’s board of directors (Statoil ASA 2013) 55–57, Statoil online <https://www.statoil.com/content/dam/statoil/documents/In%20Amenas%20report.pdf> accessed 19 December 2017. 253 Choc v Hudbay Minerals Inc, 2013 ONSC 1414, 116 OR (3d) 674. 254 BBC, Algerian Gas Plant Siege: Military's Role Questioned (12 September 2013), BBC online <http://www.bbc.com/news/world-africa-24064143> accessed 19 December 2017. 255 ‘In Amenas Attack Report’ (n 252) 28–31. 256 ‘Algerian Gas Plant Siege’ (n 254). 257 ‘In Amenas Attack Report’ (n 252) 55–57. 258 ibid 44–45, 48–49, 70–72. 259 ibid 48–49, 70–72. 260 ibid 3, 44–45, 48–49, 70–72. 261 Susana C Mijares Peña, ‘Human Rights Violations by Canadian Companies Abroad: Choc v Hudbay Minerals Inc’ (2014) 5 Western J L Studies 3, 9. But also Hudbay Minerals (n 240) [9]. 262 Hudbay Minerals (n 240) [5]; and Mijares Peña (n 261) 10. 263 Hudbay Minerals ibid [5]. 264 Hudbay Minerals ibid [9]; and Mijares Peña (n 248) 10. 265 Hudbay Minerals ibid [6]; and Mijares Peña (n 248) 11. Also consider Chilenye Nwapi, ‘Resource Extraction in the Courtroom: The Significance of Choc v. Hudbay Minerals Inc for the Future of Transnational Justice in Canada’ (2014) 14 Asper Review of International Business and Trade Law 121. 266 For instance, Statoil was not permitted by the Algerian government to have private armed security in-country, see ‘In Amenas Attack Report’ (n 252) 43, 45, 48. 267 For an interesting exploration of the transnational governance of private military and security, see Deborah D Avant, ‘Pragmatic Networks and Transnational Governance of Private Military and Security Services’ (2016) 60 Intl Studies Q 330. 
For a different vantage point of the governance of private security, see Adam White, ‘The New Political Economy of Private Security’ (2011) 16 Theoretical Criminology 85. For an example of such private services, see Thales, Security Solutions for the Oil & Gas Industry, Thales Group online: <https://www.thalesgroup.com/sites/default/files/asset/document/capability_sheet_oil_gas_06-06.pdf> accessed 19 December 2017. 268 Mark Fulloon, ‘Non-State Actor: Defining Private Military Companies’ (2015) 27 Strategic Review for Southern Africa 29, 34. 269 Jeremy Scahill, Blackwater: The Rise of the World’s Most Powerful Mercenary Army (Nation Books 2007) 41–48; and Peter J Hoffman, ‘Private Military and Security Companies’ in Thomas G Weiss and Rorden Wilkinson (eds), International Organization and Global Governance (Routledge 2014) 394–95. 270 Fulloon (n 255) 34–35. 271 ibid 39–40. 272 Alan Axelrod, Mercenaries: A Guide to Private Armies and Private Military Companies (Sage 2013) 287. 273 Katherine E McCoy, ‘Organizational Frames for Professional Claims: Private Military Corporations and the Rise of the Military Paraprofessional’ (2012) 59 Social Problems 322, 338. 274 For instance, see the recommendations of the ‘In Amenas Attack Report’ (n 252) 75–78. 275 Otherwise, the IOC and IP may lose control over the provision of security. That said, in some cases, there may be very little a company can do. Consider ‘In Amenas Attack Report’ (n 252). 276 However, this is not always the case. For instance, Algerian government resisted sharing intelligence information with Statoil, see ‘In Amenas Attack Report’ (n 252) 43, 55–57, 71–73. 277 Note the careful explanations for the lack of ‘tactical warning’ prior to the terrorist attack on the gas facility at In Amenas, see ‘In Amenas Attack Report’ (n 252) 55–57, 71–73. 
For more on private intelligence services, see Veerle Pashley and Marc Cools, ‘Private Intelligence Services: Their Activities and Role in Public-military Intelligence Strategies’ in Marc Cools and others (eds), Cahier Inlichtingenstudies 7 (Maklu 2017) 131–35. For examples, see McKinsey & Company, Defense & Security, McKinsey & Company online: <https://www.mckinsey.com/industries/public-sector/how-we-help-clients/defense-and-security> accessed 19 December 2017. Also see Black Cube, Sectors We Serve, Black Cube online: <https://www.blackcube.com/sectors-we-serve/> accessed 19 December 2017. 278 For more on the decentering of governance in the context of natural resource development, consider Barton and Goldsmith (n 8). For more on the decentering of governance, see generally Stewart ‘“Private” Participation within Institutional Design’ (n 34); Stewart ‘The Corporation and Governance’ (n 18); John Braithwaite, Regulatory Capitalism: How it Works, Ideas for Making it Work Better (Edward Elgar 2008); Julia Black, ‘Critical Reflections on Regulation’ (2002) 27 Australian J L Philosophy 1; Peer Zumbansen, ‘Law After the Welfare State: Formalism, Functionalism, and the Ironic Turn of Reflexive Law’ (2008) 56 American J Comparative L 769; and David Levi-Faur, ‘The Global Diffusion of Regulatory Capitalism’ (2005) 598 Annals of the American Academy of Policy & Social Science 12. 279 For instance, see Nzeadibe, Ajaero and Nwoke (n 26) 377. 280 United Nations, Guiding Principles on Business and Human Rights (New York and Geneva: United Nations 2011) Office of the High Commissioner for Human Rights online <http://www.ohchr.org/Documents/Publications/GuidingPrinciplesBusinessHR_EN.pdf> accessed 19 December 2017. 281 The Voluntary Principles on Security and Human Rights (2000), Voluntary Principles online <http://www.voluntaryprinciples.org/what-are-the-voluntary-principles/> accessed 19 December 2017.
282 IPIECA, Voluntary Principles on Security and Human Rights: Implementation Guidance Tools (IPIECA 2012) IPIECA online <http://www.ipieca.org/resources/good-practice/voluntary-principles-on-security-and-human-rights-implementation-guidance-tools/> accessed 19 December 2017. 283 Moon and Lado (n 208) 89–90. 284 McCoy (n 273) 338. 285 Power and others (n 13) 217. 286 For instance, see Power, ‘Risk Management of Nothing’ (n 130) 849–50. 287 Lundqvist (n 122) 442. 288 ibid 442. Also see Bromiley and others (n 123) 268; that said, there is also a broad notion of ‘risk governance’ in the political science world as well, but it is a distinctively different concept, see Marjolein BA van Asselta and Ortwin Renn, ‘Risk governance’ (2011) 14 J Risk Research 431, 434–36. 289 Bromiley and others (n 123) 268. 290 For more, see generally Philip Bromiley, Devaki Rau and Devaki McShane, ‘Can Strategic Risk Management Contribute to Enterprise Risk Management? A Strategic Management Perspective’ in TJ Andersen (ed), The Routledge Companion to Strategic Risk Management (Routledge 2016). 291 Saloni Ramakrishna, Enterprise Compliance Risk Management: An Essential Toolkit for Banks and Financial Services (John Wiley & Sons 2016) 211–16. 292 Michael Power, ‘The Invention of Operational Risk’ (2005) 12 Rev Intl Political Economy 577, 578–80. 293 For a general introduction, see Peter F Christoffersen, Elements of Financial Risk Management (2nd edn, Elsevier 2012) 3–16. 294 Jan Bebbington, Carlos Larrinaga and Jose M Moneva, ‘Corporate Social Reporting and Reputation Risk Management’ (2008) 21 J Accounting, Auditing & Accountability 338, 339–41. 295 SB Suslick and DJ Schiozer, ‘Risk Analysis Applied to Petroleum Exploration and Production: An Overview’ (2004) 44 J Petroleum Science and Engineering 1, 3–7. 296 Moore (n 5) 35–37. Also see Wright and Cornell (n 2) 58. 297 Baecker (n 33) 116. 298 Lundqvist (n 122) 443–44. 299 ibid 443–44. 300 ibid 443–44. 301 van der Zwan (n 131) 100–3. 
302 Lundqvist (n 122) 442. Also see Bromiley and others (n 123) 268. 303 Baecker (n 33) 116. 304 Ronald Coase, ‘The Problem of Social Cost’ (1960) 3 J L & Economics 1, 15–19. 305 Lundqvist (n 122) 442. Also see Bromiley and others (n 123) 268. 306 Harry M Markowitz, ‘Foundations of Portfolio Theory’ (1991) 46 J Finance 469, 470–71. 307 Lundqvist (n 122) 443. 308 ibid 444. 309 ibid 442. 310 ibid 442. 311 ibid 444. 312 Markowitz (n 306) 470–71. For more on the classic notion of the links between risks and profits, consider Frank H Knight, Risk, Uncertainty and Profit (1st reprint edn, Dover 2006) 21–48. 313 Andrew Crane and Dirk Matten, Business Ethics: Managing Corporate Citizenship and Sustainability in the Age of Globalization (4th edn, OUP 2016) 67–77. 314 Baecker (n 33) 114. 315 Lundqvist (n 122) 442. 316 van der Zwan (n 131) 100–3. 317 For a significant trashing of the concept, consider Power, ‘Risk Management of Nothing’ (n 130) 849–50. 318 Although finance is the language of business, there are significant dangers to reducing a risk in the real world to a dollar value. For concerns about this in governance generally, see Stewart ‘The Corporation and Governance’ (n 18) 547–49. 319 ibid 545. 320 ibid 545. 321 Nagel (n 131) 59. 322 Stewart, ‘The Corporation and Governance’ (n 18) 545–49. But also see Kerry Rittich, ‘Functionalism and Formalism: Their Latest Incarnations in Contemporary Development and Governance Debates’ (2005) 55 University of Toronto L J 853, 855–56. Also see Mae Kuykendall, ‘No Imagination: The Marginal Role of Narrative in Corporate Law’ (2007) 55 Buffalo L Rev 537, 555. 323 Lundqvist (n 122) 442. 324 Crane and Matten (n 313) 67–77. 325 Baecker (n 33) 114. 326 See generally, Renn, Klinke and van Asselta (n 179). 327 ibid 231. 328 Lundqvist (n 122) 442 and Baecker (n 33) 114. 329 Renn, Klinke and van Asselta (n 179) 231. 
For more on the role of the corporation in modern governance networks, see Stewart, ‘The Corporation and Governance’ (n 18) 517–21. For a slightly different framing of the same phenomenon, see Berkowitz and Dumez (n 167) 149–52. For a literature review of research studying Meta-Organization and Corporate Social Responsibility in the oil and gas industry, see Berkowitz, Buscheli and Dumez (n 167) 754–55. 330 Berkowitz and Dumez, ‘Concept of Meta-Organization’ (n 167) 149–52; and Berkowitz, Buscheli and Dumez, ‘Meta-Organization in the Oil and Gas Industry’ (n 167) 754–55. 331 Renn, Klinke and van Asselta (n 179) 231. 332 For more on how new governance challenges tend to transcend organizational boundaries, see Stewart, ‘The Corporation and Governance’ (n 18) 517–21. Also, consider Stephen J Ball and Carolina Junemann, Networks, New Governance and Education (Policy Press 2012) 1–7; and William H Simon, ‘New Governance Anxieties: A Deweyan Response’ (2010) 2010 Wis L Rev 727, 729–30. 333 Moore (n 5) 35–37. Also see Wright and Cornell (n 2) 58. 334 Renn, Klinke and van Asselta (n 179) 231. 335 Oil and Gas Sector Guide on Business and Human Rights (n 234) 9. 336 For an introduction to the importance of knowledge sharing within an organization and how formal organization can facilitate this end, see Nicolai J Foss, Kenneth Husted and Snejina Michailova, ‘Governing Knowledge Sharing in Organizations: Levels of Analysis, Governance Mechanisms, and Research Directions’ (2010) 47 J Management Studies 455, 456–59. 337 Berkowitz and Dumez, ‘Concept of Meta-Organization’ (n 90) 151; and Berkowitz, Buscheli and Dumez, ‘Meta-Organization in the Oil and Gas Industry’ (n 90) 764–65. 338 Power, ‘Risk Management of Nothing’ (n 130) 852. 339 ibid 852. 340 ibid 852. 341 ibid 852. 342 Consider the learning process outlined by Schriefer and Sales (n 153) 34. 343 Power, ‘Risk Management of Nothing’ (n 130) 852. 344 Schriefer and Sales (n 153) 34.
345 Consider the ‘In Amenas Attack Report’, see Statoil ASA (n 252). 346 For examples of such training, consider RM Gagne, ‘Military Training and Principles of Learning’ (1962) 17 American Psychologist 83; Curtis J Bonk and Robert A Wisher, Applying Collaborative and e-Learning Tools to Military Distance Learning: A Research Framework (United States Army Research Institution for the Behavioural and Social Sciences 2000), PublicationShare.com online: <http://www.publicationshare.com/docs/Dist.Learn(Wisher).pdf> accessed 19 December 2017; and Sean Robson and Thomas Manacapilli, Enhancing Performance Under Stress: Stress Inoculation Training for Battlefield Airmen (Rand Corporation 2014) Rand Corporation online: <https://www.rand.org/content/dam/rand/pubs/research_reports/RR700/RR750/RAND_RR750.pdf> accessed 19 December 2017. 347 Berkowitz and Dumez, ‘Concept of Meta-Organization’ (n 90) 149–52; Berkowitz, Buscheli and Dumez, ‘Meta-Organization in the Oil and Gas Industry’ (n 90) 754–55; Stewart ‘“Private” Participation within Institutional Design’ (n 34); Stewart, ‘The Corporation and Governance’ (n 18) 517–21; and Renn, Klinke and van Asselta (n 179) 231. 348 Renn, Klinke and van Asselta (n 179) 231. 349 McCoy (n 273) 338.
© The Author(s) 2018. Published by Oxford University Press on behalf of the AIPN. All rights reserved.
Journal of World Energy Law and Business, Oxford University Press

Publisher: Oxford University Press
ISSN: 1754-9957
eISSN: 1754-9965
DOI: 10.1093/jwelb/jwx041

Abstract

Exploration and production companies frequently partner with host countries that struggle to maintain political stability and eliminate security threats, making it difficult to develop security strategies to protect company employees and assets in country. Exploring this problem, we interview elite actors who populate germane risk management networks, providing a cross-section of perspectives as to how well upstream producers are crafting and implementing security risk management strategies. We construct a model of holistic security risk governance, and apply it to what our dataset reveals about firm performance in this area. Finally, we recommend ways in which industry-level responses can support exploration and production companies to reduce their risk and enhance their performance.

1. INTRODUCTION

Exploration and production companies frequently partner with host countries that struggle to: (i) maintain political stability; (ii) guarantee sound governance; (iii) provide adequate transparency; (iv) eliminate security threats; and (v) meet human rights standards. These conditions make it difficult to develop security strategies to protect company employees and assets in country. As a response, we have interviewed elite actors who populate the risk management networks in question. The interviews provide a cross-section of perspectives as to how well upstream producers are crafting and implementing security risk management strategies. These perspectives provide a degree of corroboration that confirms that current incentives provide an opportunity to create a win–win scenario for companies and the public interest.

Since business thinks primarily in terms of economics and finance,1 it is practical to frame the risks posed by these operating environments in this manner. Key to understanding the valuation of an upstream producer is the calculation used to determine the expected gross revenues for a particular upstream project.
The expected gross revenues equal the predicted future prices of the commodity multiplied by its expected future quantities of production over the project’s projected life cycle.2 Valuation analysts use reserve reports to assess the future quantities of production.3 These reports are the ‘foundation of valuation’ for establishing expected gross revenues.4 Above-ground threats to production, on-site employees and upstream infrastructure fall within the category of ‘surface risk’.5 A good definition of surface risk is ‘the variety of political, environmental, logistical, commercial or bureaucratic issues that may impact project performance’.6 Surface risk is a key consideration when establishing the present value of future cash flows, or discount rate, which is calculated by adding the costs of all risks associated with such production over the asset’s lifecycle.7 The discount rate is deducted from expected gross revenues to establish the value of the asset.

Four economic rationales exist for investing in reducing security risk: (i) it prevents delays in exploration operations and production disruptions, increasing the net present value of assets; (ii) it reduces the predicted cost of surface risk, increasing the predicted value of future assets; (iii) since it directly impacts asset value, it also directly impacts the cost of capital; and (iv) it protects reputational capital, which is a governance-commodity directly linked to business certainty. Of the four, the fourth rationale is not as obvious as the others.
Many countries’ government agencies, which are responsible for the oversight of exploration and production activities, are decentering their decision-making authority.8 Political mechanisms, such as ‘social license’, are granting local communities more discretion to craft the conditions in which energy projects will operate in their communities—including a significant voice as to whether or not projects go forward.9 This decentering of discretion reflects one way in which reputational capital is becoming as important as hard assets in determining company value.10 Some might challenge this claim, arguing that this decentering trend occurs mostly in advanced democracies, where complex above-ground operating environments tend not to exist. This point is largely true.11 However, the link between how an incident in one country can create a reputational cost for a project in another has been well documented.12 Accordingly, reputational effects can ‘travel in accidental and contingent ways’, affecting seemingly unrelated operations and projects.13 Companies therefore need to be clear-minded when assessing reputational risk, since the reputational effects of a security incident may ‘travel’, impacting other operations globally.14 In this way, reduction in reputational capital increases the risk of adverse governance conditions for other operations, reducing overall business certainty.

Following this logic, oil and gas companies—even when acting solely as self-interested market actors attempting to maximize profit—ought to be placing ever more importance upon reducing surface risk, since it is an immediate impediment to: (i) greater profit; (ii) greater asset valuation; (iii) a lower cost of capital; and (iv) greater business certainty. These factors are core priorities for any business venture.15 In this way, surface risk generates market incentives, which ought to be compelling actors within the industry to do their utmost to mitigate this risk.
Moreover, by mitigating this risk to maximize company value, an upstream producer just so happens to meet the standard of being a good corporate citizen.16 Such a perfect storm makes improving security risk management a ‘low hanging fruit’, creating shared value and social good.17 Some might be suspicious of such an honourable bargain, since it appears to sidestep the fundamental tension between ‘ethics and economic goals’.18 But being more pragmatically minded, we are less concerned by such considerations.

The oil and gas industry can have an impact that reaches beyond its own operations. In a world that is no longer fearful of peak oil,19 companies have greater leverage over host states to reduce surface risk.20 Companies are in a stronger position to negotiate with host states to ensure that communities have the opportunity to share in the benefits of their operations. They are incentivized to do so, since the ‘local players’ may be the most important ‘domestic factors’ in the long-term relationships in country.21 Positive relations help to embed the company’s operations into local communities.22 When company operations also support communities, the perceived mutual benefit helps to ensure the welfare and safety of both local inhabitants and on-site employees.23 Accordingly, when the mutual benefit of operations is established, surface risk will be reduced, which necessarily enhances the value of company assets.24 As a result, oil and gas companies are well positioned to become ‘change agents’ within the footprints of their global operations.25 They can create opportunities for meaningful improvements to the lives of many through intelligent community investment.26 Furthermore, such efforts will increase their profits.
Present global market conditions, market incentives and the law are aligning in this way so that the threats posed by complex above-ground operating environments are inspiring companies to effect real change by maximizing their financial performance.27 It is important to note that when the self-interested pursuit of profit has social utility beyond wealth maximization, as it does in this case, it is usually not merely dumb luck, but the tireless work of norm architects, who creatively use markets to improve institutional design.28

This article constructs a model of holistic security risk governance, then applies it to what our interview dataset revealed about firm performance in this area. It then recommends ways in which industry-level responses, such as from the Association of International Petroleum Negotiators (AIPN), can support firms to reduce surface risk in ways that enhance their profitability, while serving the public interest.29

The article is organized as follows: Section 2 explains our methodology, including the theoretical presumptions for our research as well as the interview process employed. Section 3 offers our recommendations and then compares them to the research results. In other words, we will first explain the model we believe will best mitigate surface risk, then investigate how this model compares to the picture of current industry practice that our interviews created. Our interviews revealed many exploration and production companies, especially smaller ones, are unaware of holistic risk management strategies. Moreover, they tended to adopt a responsive ad hoc—instead of a proactive strategic—approach to security risk management. Accordingly, Section 4 provides additional explanation of holistic risk management and how best to implement risk management strategies to security risk problems.
Section 5 is our conclusion, which, in part, recommends that the AIPN and other such industry groups ought to offer a number of new products to help exploration and production companies: (i) reduce surface risk; (ii) protect on-site employees and property; (iii) optimize wealth maximization of the industry; (iv) improve political stability of host countries and regions; and (v) significantly improve the lives of local inhabitants within the operational footprints of those companies.

2. METHODOLOGY

Beyond employing a doctrinal analysis to the germane law and literature,30 we conducted a series of elite interviews with actors within the upstream oil and gas industry to learn about how companies manage security risk. The actors fell into one of four categories:

A. Corporate
B. Security Risk Management
C. Legal
D. Other

Our interviews generally targeted two areas of interest:

A. Organizational Structures
B. Meta-Organizational Structures

We assessed how companies manage these challenges by conducting a series of interviews. The interview process was designed to provide insight into how some within the oil and gas industry devise and then operationalize security risk management strategies. The interview methodology is based upon the theory that the business organization is a ‘self-referential’ collective action system.31 Its individual members coordinate activities to pursue profit in a manner that maximizes return through the control of risk over the duration of the venture.32 This theory sheds light upon how those within the organization think about their work, and thus how their company defines itself within its operating environment.33 The interviewer can gain insight into an organization’s ‘self-description’,34 which produces its ‘identity’,35 shapes its ‘culture’36 and informs its ‘capacity for action’37 by interviewing key individuals within the organization.
Accordingly, we are using this sociolegal theory of the corporation as a basis for mapping the targeted business functions by gathering descriptions from germane business actors about their employer’s operations and their role within them. Applying this theory, we conducted interviews and then analysed the results to understand how organizations within the oil and gas industry manage security risks in complex above-ground operating environments. In particular, we engaged in a series of elite interviews. Such interviews are designed to gather information from interviewees holding power and influence within their social spheres.38 In our case, we were interviewing high-level corporate managers, security risk management specialists, lawyers specializing in supporting exploration and production field operations, and other such actors. In all, we interviewed 39 individuals, including: (i) 12 senior executive level managers (who work for a range of exploration and production companies from nano cap independent producers to international oil companies); (ii) seven risk management specialists (who work in a range of positions from heads of corporate social responsibility and global security at head offices to non-combative defensive private military and security companies); (iii) 17 lawyers (who work in a range of positions from general counsel at a corporate head office, to external legal counsel from Houston, London and Calgary, to external legal counsel from a range of in-country locations); and (iv) three interviewees who do not fit into the above categories. One is a managing director of a brokerage who advises exploration and production companies for insurance covering property and personal losses caused by security risks. One is a retired armed forces journalist whose writing focuses on private military operations. The last is a human rights compliance specialist who focuses upon extractive industries. 
Each of the interviews was a minimum of an hour, but some extended up to two hours. Elite interviews can be conducted in different ways,39 but we utilized a non-standardized, qualitative interview process.40 In such a process, the investigator lightly steers the interview by ‘encouraging the interviewee to structure’ accounts and define what is ‘relevant’ while still acquiring the targeted information from the encounter.41 The fundamentals of such interviewing are deceptively simple: ask open-ended questions to ascertain the full range of ideas, beliefs, values, attitudes and opinions of the interviewee on the topics within the research objectives.42 The difficulty is that to do it well, the investigator needs to improvise, adjusting to each interviewee’s response in the moment, a skill that is enhanced by substantive expertise, well-developed interpersonal skills and honed social instincts.43 Legal scholarship is familiar with such ‘semistructured interviews’ that do not follow a ‘fixed script’.44 The investigator must do exhaustive research before conducting elite interviews.45 Such interviews usually present the challenge of overcoming the asymmetry between the ‘obscure academic’ investigator and the ‘very powerful and self-assured’ interviewee.46 If the investigator is unprepared to have an intelligent conversation, asking naïve questions to conduct primary research, that investigator is doomed to not maximize the potential that the interviewee presents, missing out on valuable opportunities to gain insights and likely losing control over the course of the interview.47 Investigators need to have done their homework.48 When properly conducted, elite interviews are high-level conversations between individuals with established expertise. 
Conversations ought to shed light on particulars that cannot be confirmed from primary research.49 Interviews corroborate ‘what has been established from other sources’.50 They enhance the research by adding a ‘textural depth as well as empirical strength’ to the work.51 In this way, interviews breathe life into research, establishing how actual actors within particular processes think about the roles they play.52 Interviews can confirm how actors have used norms in past processes, helping to make sense of governance.53 In other words, they offer invaluable insight into the inner workings of decision-making processes.54 One challenge with the results of elite interviews is that it cannot be assumed that ‘as it is in the typical survey—that persons or categories of persons are equally important’.55 Approaching the data collected using a statistical analysis runs the risk of misrepresenting the material received.56 One might: (i) fail to capture the data’s ‘textural depth’;57 (ii) oversimplify its meaning;58 or (iii) draw correlations and conclusions that may not exist.59 Accordingly, the investigator may, in fact, be best served by focusing upon quality over quantity, helping them ‘to acquire a better picture of the norms, attitudes, expectations, and evaluations of a particular group’.60 Elite interviews usually present the challenge of a power asymmetry61 that favours the interviewee, and challenges the investigator.62 This can result in the investigator being too deferential and the interviewee controlling or dominating the interview.63 When combining elite interviews with the non-standardized interviewing process,64 the risk of not maximizing the opportunities the interview offers is increased.65 The expertise of the research team helped to mitigate this potential. 
In our assessment, the results of the interviews represent what can be gleaned from a successful series of candid conversations between industry insiders about how security risk management is conducted today in complex above-ground operating environments.

3. OUR VISION COMPARED TO THE RESULTS

Organizational structure

Our Vision

Five types of exploration and production companies are core to upstream activities: National Oil Companies (NOCs), Government-Sponsored Enterprises (GSEs), International Oil Companies (IOCs), other Independent Producers (IPs) and Oilfield Service Companies (OSCs). From the 1950s to 1970s, many oil-rich countries nationalized oil and gas concessions and related assets,66 forming their own NOCs to manage them.67 In 2016, the NOCs of the Organization of the Petroleum Exporting Countries controlled about 73 per cent of the world’s proven reserves and produced 44 per cent of total world crude oil.68 A NOC is an extension of a government, which may share many of the organizational characteristics with a private exploration and production company, such as an IOC or an IP.69 However, although a NOC may look like an IOC or an IP superficially, the performance data of NOCs suggests that they are functionally different, being dramatically less efficient and less profitable as a group.70 GSEs, also called Hybrid NOCs, are again political entities, but are allowed to function more independently of their governments, and thus tend to perform more like for-profit organizations.71 Arguably, Statoil ($US 59,895 million in revenues72 and 21,581 employees in 201673) is the GSE that functions most like an IOC or an IP.
IOCs are massive global multinational exploration and production companies, including Royal Dutch Shell ($272,156 million in revenues74 and 90,000 employees in 201675); ExxonMobil ($246,204 million in revenues76 and 72,600 employees in 201677), BP ($225,982 million in revenues78 and 79,800 employees in 201679) and Chevron ($131,118 million in revenues80 and 61,500 employees in 201681). Possibly added to this group is a number of privatized NOCs,82 whose claim to have transformed into fully private exploration and production companies is at best contested,83 such as Gazprom ($99,464 million in revenues84 and 462,400 employees in 201685). Some of the largest IPs are Repsol ($39,419 million in revenues86 and 25,917 employees in 201687), ConocoPhillips ($30,935 million in revenues88 and 15,900 employees in 201689) and Suncor ($23,217 million in revenues90 and 13,190 employees in 201691). These IPs represent the largest IPs, but hundreds of other IPs represent the range of other companies in this category, which include: (i) large-cap IPs (market capitalization of over $10 billion);92 (ii) mid-cap IPs (market capitalization of less than $10 billion and more than $2 billion);93 (iii) small-cap IPs (market capitalization under $2 billion but over $300 million);94 and (iv) micro-cap IPs (market capitalization of under $300 million, including nano-cap companies with a market capitalization of under $50 million).95 It is these companies, plus other IPs that are not publicly traded, which populate the majority of the exploration and production industry. 
Most of these smaller operators are not as vertically integrated as their giant industry associates, the IOCs.96 In 2017, a Market and Financial Analysis Team of the US Energy Information Administration took what was in their estimation to be a proportionate sample group of IPs by country to do a financial review of the global oil and natural gas industry.97 Their estimation suggested that 71 per cent of IPs were from the United States, 8 per cent from Canada, 10 per cent from Europe and 11 per cent from other countries.98 The final group of exploration and production companies that are core to upstream activities are OSCs. OSCs are service providers for the other four types of companies.99 These other exploration and production companies typically outsource their ‘day-to-day operational activities’ or technically specialized activities to them.100 OSCs offer upstream services spanning the life cycle of the well; ranging from initial exploration to final production. Some of these services include: seismic acquisition and processing; building drilling rigs; operating drilling rigs and associated support vehicles, vessels and aircraft; providing other drilling materials, equipment and specialized services; assessing formations; and assessing well performance.101 OSCs include large companies such as Schlumberger ($35,475 million in revenues102 and 95,000 employees in 2016103) and Halliburton ($23,633 million in revenues104 and 65,000 employees105 in 2016), but also many much smaller companies. Of the five types of companies outlined above, our focus is squarely on privately-owned exploration and production companies. To be precise, we are focused only upon IOCs and IPs. 
Although our comments as to organizational structures might well be very useful for NOCs and GSEs, we cannot claim that our opinions as to the optimal risk management function for business organizations will necessarily be applicable to these more political actors.106 As for OSCs, our comments as to organizational structure ought to be squarely applicable to these business actors. However, OSCs, as service providers of exploration and production companies, hold a different place in the upstream industry than IOCs and IPs.107 Accordingly, our comments are not intended for OSCs. They are, at best, on the periphery of our consideration. Moreover, our focus is not on all IOCs and IPs, only those engaging in upstream activities in complex above-ground operating environments. None of our interviewees had office headquarters located in such an environment. Although these IOCs and IPs range in size, they are all well-capitalized relative to many organizations in other industries. Many nano cap IPs will have the capacity to conduct international operations.108 In fact, of the firms we interviewed, one had a capitalization of less than eight million. That said, market and regulatory pressures appear to be pushing companies to need ever-greater levels of capitalization.109 All incorporated IOCs and IPs will have a board structure, but even unincorporated IOCs and IPs will have centralized management and an internal auditing function.110 The basic structure of any exploration and production company will consist of four main subdivisions from centralized management: exploration, production, marketing and administration.111 An exploration department’s main responsibility is locating and acquiring oil and gas assets.
Such departments tend to be populated by geologists and reservoir engineers.112 Some of this geological and geophysical work tends to be outsourced to OSCs.113 A production department—including facilities, drilling and completions—is responsible for field operations, including activities such as development drilling, hydraulic fracturing and secondary recovery.114 Again, some of these production activities tend to be outsourced to OSCs.115 The marketing department negotiates oil and gas sales and thus usually deals with some midstream concerns as well.116 The administrative function is responsible for managing human resources, internal systems, public relations, legal issues, financial issues, accounting and tax.117 The administrative function is often divided into a number of independent departmental silos, most commonly between financial and non-financial activities.118 More compartmentalization of administrative function is required in larger companies to achieve and sustain competitive advantage.119

Figure 1. Simple exploration and production company organizational structure.

Figure 2. Division of administration for security risk management at head office.

IOCs and IPs with international operations ought to have more involved organizational structures than the basic departmental structure outlined above.120 Of the four basic departments, security risk management demands a division of administrative silos into a focused array of risk management expertise, creating the skeleton of the firm’s ‘risk management architecture’ at head office.121

Figure 3. Vertical integration to field site.
Of the above six subdivisions of administrative function, only risk management will not map directly onto in-country operations. The risk management department is responsible for all the aspects of risk governance.122 Such responsibilities ought to include coordinating the firm’s holistic approach to risk management across all levels of the organization, and sustaining ‘a culture of risk awareness’.123 This department, depending on the size of the firm, will be populated with general risk management experts, who do not necessarily need to have the specific technical skillset for security risk management in this context.124 Their core responsibility is to take the knowledge generated by the other five departments, and strategically steer decision-making so that the organization achieves operational efficiency by taking reasonable measures to shield the firm from disruptions of operations resulting from materialized risks.125 All other subdivisions are head office’s interface with risk management in-country, including the specific field operations.

Figure 4. Vertical integration of security risk communication.

The in-country manager oversees the country office, which ideally should be located in an area of political importance to facilitate good governmental relations.126 Each country office should have: (i) a security manager; (ii) a corporate social responsibility manager; (iii) a government relations manager; (iv) an operations manager; and (v) a legal department. Government relations and legal are largely managed through the country office; however, the security manager, corporate social responsibility manager and operations manager should each have a supervisor at the field site at all times.
A key observation from the risk management literature is the importance of developing a ‘culture of risk awareness’ at all levels of the organization.127 The development of management systems, through shifts in departments and processes, is an important first step in achieving this end.128 Restructuring departments and specific processes ought to provide support for helping employees become more risk aware.129 The generation,130 articulation131 and framing132 of risk information needs to be optimized. The channeling of risk information to the firm’s decision-making centres is also critical.133 Not only does prioritizing communication of risk information ensure that directors and executives are informed, it also reflects the importance the firm places upon risk management.134 We recommend that the country manager reports all security risk information to all germane departments at head office. Moreover, direct lines of communication ought to exist between the country manager, the security supervisor, the in-country security manager, global security and risk management. All departments at head office need to use their expertise to assess the security risk information from the country manager and report their assessment to global security and the risk department. The above diagram outlines our recommended channels for communicating security risk information. 
When risk information is communicated to management, it needs to be explained in terms of identified threats to human life (and assets),135 not ‘economic constraints and opportunities’.136 If the Chief Risk Officer is presenting security risk information, the officer needs to be able to explain this information in terms that help to create and sustain a ‘cultural system of norms, expectations, knowledge, and behavioral supports’ that properly calibrate the group perception of the security risk.137 In fact, the risk communicator ought to have an intimate understanding of the realities of security threats and be able to communicate such realities in a manner that conveys such understanding.138 Depending on the qualifications of the Chief Risk Officer and the nature of the risk information being communicated, the Head of Global Security may be the better risk communicator when presenting it to management. Either way, such reporting should be made to management in a face-to-face meeting to avoid miscommunication.139 The fact that the Chief Risk Officer (or the Head of Global Security) is well informed and reports on a recursive basis to executive management—and possibly the board of directors—ought to help increase the perceived importance of security risk management across all levels of the firm.140 Such prioritizing of risk ought to affect employee attitudes,141 but additional supports are needed.
If a culture of risk awareness is to be achieved, employees need to ‘understand and internalize’ the vision of risk awareness and how their efforts are helping to achieve this vision.142 Directors and executives need to engage in ‘charismatic’ leadership strategies that inspire firm transformation.143 In particular, they need to: (i) communicate the vision of risk awareness at all levels;144 (ii) communicate support for initiatives that are helping to achieve this vision;145 (iii) celebrate success and achievement.146 Such a recommendation sounds like a blending of the ‘instant’ psychology and sociology that sometimes haunts the business management literature,147 but such management strategies, no matter how parochial they may sound, have been proven to create the incentives that help support the recommended organizational changes, leading to more optimal risk management throughout the firm.148 Accordingly, risk management needs to be an active process, which demands genuine engagement from top management down to all levels of the firm149 and cannot amount to a series of superficial gestures, such as solely relying on box checking auditing150 or making an existing corporate executive a Chief Risk Officer merely to appease capital markets.151 Genuine concern for risk management is critical to generating a culture of risk awareness.152 Inward looking rule compliance that fails to generate anxiety about risk will not inspire the dynamic learning necessary to cope with the ever-changing nature of risk.153 Risk must impact the function of ‘actors, norms and processes’154 in the firm in a manner that creates systemic irritation,155 which will drive the learning necessary to transform the self-description,156 identity157 and culture158 of the firm so that it has the ‘capacity’159 to optimally manage risk within its environment.160 In sum, structural changes at the organizational level, such as the creation of the office of the Chief Risk Officer, are a good start.161 
Processes, such as communicating security risk in terms of lives not numbers, are also a good start.162 However, the most important dimension is the biases towards risk held by individuals, especially by top management.163 It is critical for security risk management to be taken seriously at all levels.164 A culture of risk awareness starts with ‘the tone from the top’ and works through the ranks.165 Proper organizational structure, complemented by the sound processes and strategic incentives suggested, helps achieve this goal.

Research results

Profile of companies of interviewees

Of our interviewees, 12 senior executives, six of seven risk management specialists166 and five of 17 lawyers all worked for at least one exploration and production company since 2006.167 Each of these interviewees is, or was, an employee of such companies. Some interviewees had worked for the same company, but possibly at different times. Some interviewees had worked for more than one such company and provided data for each. No data was used on comments about a company, if the interviewee had left said company before 2006. In all, 23 companies were considered in the interviews. Five were either IOCs or large cap IPs,168 meaning each had a market capitalization of over US$10 billion.169 Of these five, two were companies in which the interviewee did not currently work, but had worked for within the past 10 years. Five were mid cap or small cap IPs, meaning each had a market capitalization of less than US$10 billion and more than US$300 million.170 In fact, only one of the five was a small cap IP, and thus four companies had a market capitalization over US$2 billion.171 Of these five, three were companies in which the interviewee did not currently work, but had worked for within the past 10 years.
Finally, 13 were either micro cap IPs or nano cap IPs, meaning each had market capitalization of under US$300 million.172 Of these 13, four were companies in which the interviewee did not currently work, but had worked for within the past 10 years. For present purposes, we are going to divide the 23 companies into two categories. IOCs, large cap IPs, mid cap, and small cap IPs are called ‘Large E&Ps’.173 Micro cap IPs and nano cap IPs are ‘Small E&Ps’.174 Large E&Ps have a market capitalization of over US$300 million, while small E&Ps have a market capitalization of under US$300 million. We assert that this is a significant distinction. Unless extraordinary circumstances prevail, most large E&Ps will have the operating capital to finance the full complement of organizational structures we envision for security risk management. However, the same presumption cannot be made for Small E&Ps, which may have significant assets on their books, but little liquid capital—especially considering the depressed markets for oil and gas. Capitalization of just under US$300 million may seem like a well-funded company, however the cost of drilling wells internationally in complex above-ground risk environments often is more expensive than drilling in North America, because of factors that include: (i) the need for an in-country office; (ii) little geological data available to the company prior to exploration; (iii) remoteness of site location; (iv) lack of infrastructure (roads, utilities, pipelines, etc.) around site location; (v) lack of trained human resources in-country; (vi) lack of exploration and production equipment in-country; and (vii) high security risk.175 Under such circumstances, drilling an initial producing well for US$2,000,000 would be under-priced, and the cost can be many multiples more. 
For instance, one of the interviewees, who worked for a large E&P, reported that his company had to pay over US$300,000 per month for security services, when drilling in a conflict zone. Accordingly, exploration and production expenses internationally can quickly stretch operational budgets thin for many Small E&Ps.176 In sum, our data sample has 23 companies: 10 are Large E&Ps and 13 are Small E&Ps. The main difference between our Large E&Ps and Small E&Ps is that the large ones can be assumed to have an operating budget large enough to afford the full complement of organizational structures and other resources we envision for security risk management, while the small ones may not.

Risk organization at head office

All of the Large and Small E&Ps have an operations department and a legal department at head office. Of the Large E&Ps, all had an international governmental relations department, and almost all had a corporate social responsibility department. However, only about half had a global security department, and only about half had a holistic risk department as we envision. The Large E&Ps inconsistently placed security risk management within their organizations. Frequently, security risk management was situated within the Health, Safety and Environment department (HSE). We opine that this is not optimal. Security risks are significantly different than the risks managed by HSE. In fact, HSE is not even situated within our organizational chart for security risk management. Ideally, security risk management is situated within a stand-alone global security risk department. Some companies situated it within their corporate social responsibility department. When the position of head of global security also exists within the corporate social responsibility department in question, we opine that this arrangement is reasonable.
Of note, two of the larger Small E&Ps (Elite Small E&Ps) have an organizational structure that is comparable to the best practices of the Large E&Ps, which represent the industry leaders from our sample. Of the remaining Small E&Ps, very few had even one of the four listed departments. The results reflect that operational cost might be a significant factor for why the majority of Small E&Ps do not have the envisioned organizational structure at head office. However, two larger Small E&Ps had a full complement of organizational structures. Considering all but one of the Large E&Ps had a capitalization of over US$2 billion, the lack of organizational structure can be assumed to be for reasons other than financial capacity.

Risk organization at in-country office

All of the Large and Small E&Ps have a country manager and operations manager. Of the Large E&Ps, all had a governmental relations manager and legal department. Most of the Large E&Ps also had external in-country lawyers, but none dealt with security concerns. Almost all Large E&Ps have a corporate social responsibility manager. However, only about half have a security manager. The Elite Small E&Ps have an organizational structure comparable to the best Large E&Ps. Of the remaining Small E&Ps, very few had even one of the four listed departments. For these companies, the country manager would be responsible for the governmental relations, corporate social responsibility, and security. For such small E&Ps, legal issues that needed to be addressed in-country were generally handled by external lawyers in-country. The results reflect that operational cost might be a significant factor for why the majority of Small E&Ps do not have the envisioned organizational structure. The Elite Small E&Ps had a full complement of organizational structures.
Considering the capitalization of the Large E&Ps in our sample, the lack of organizational structures at the company level can be assumed to be for reasons other than financial capacity.

Risk organization at the field site

All of the Large and Small E&Ps have an exploration and production supervisor. Of the Large E&Ps, most companies have a security supervisor on the ground to oversee and/or coordinate with private and/or public security services. Over half of the Large E&Ps have a Corporate Social Responsibility Representative, which provides ongoing communications with communities within the footprint of the company’s operations. The Elite Small E&Ps have an organizational structure that is comparable to the best Large E&Ps. Of the remaining Small E&Ps, the country manager, and whatever additional capacity existed at the country office level, dealt with field site issues and coordinated with the exploration and production supervisor on the ground. The results reflect that operational cost might be a significant factor for the lack of organizational structure for Small E&Ps. However, considering the organizational structure of the Elite Small E&Ps, any lack of such structures for Large E&Ps can be assumed to be for reasons other than financial capacity.

Channels for communication of risk information

The degree to which both Large and Small E&Ps lack organizational structure impacts the capacity companies have to communicate risk information in the manner that we envision. It also impacts organizational response to security risk. Moreover, the quality of the risk information will also be impacted, since the spectrum of specializations we envision to be necessary to properly interpret and manage the security risk cannot be assumed to exist within the organizations.
Summary and conclusion

The key takeaway from this section is that—at least for Large E&Ps—the main factor for not having a full complement of organizational structures to optimize security risk management is not the lack of financial resources. We glean that the main causes include: (i) little responsiveness to trends in the business risk management literature and also industry best practice; (ii) a need for greater dissemination of industry knowledge about holistic risk management strategies; and (iii) a failure to appreciate the value proposition that optimizing security risk represents. Industry leaders provide excellent models in this area. Although all Large E&Ps appreciate that they need a specialization in government relations, operations, and legal at both head office and in-country, it is surprising that a small but significant portion of Large E&Ps still do not fully appreciate the necessity of community relations. As one interviewee, who was head of global security—not corporate social responsibility—noted: ‘community relations is the most important dimension of mitigating security risk’. As will be argued later, community relations require community investment, and such investment must be intelligently managed by corporate social responsibility experts with expertise in corporate–community relations, if it is going to ensure strong community relations.177 Without corporate social responsibility expertise at the head office, the country office and at the field site, it is less likely to be achieved.178 We were surprised to find that almost half of the companies had neither a risk department as we envision nor a global security department at head office. That said, a greater number of Large E&Ps had a security manager in-country.
This finding leads to the conclusion that, as compared to industry leaders, they are: (i) not prioritizing security and risk enough, since they are not giving these areas separate departments with significant status at the head office; and (ii) may not have adequate expertise in both security and risk at the head office. Small E&Ps represent a different challenge—cost. Generally, such companies have operations and legal department at the head office; a country manager, operations manager with outside legal counsel in-country; and an exploration and production supervisor in the field. All risk and security issues are handled by these divisions with little specialized expertise. We opine that this arrangement will not adequately manage security risk, and might increase it in some cases. Since reputation is a shared asset between all E&Ps in the industry, strategies need to be devised at the industry level to help Small E&Ps reduce their risk exposure by decreasing the operational cost of security risk mitigation. For instance, the AIPN is uniquely placed to coordinate such efforts through: (i) hosting events; (ii) offering training; and (iii) embedding best practices in model form contracts. Since we argue that reducing surface risk represents significant financial value, and that the measures envisioned will reduce surface risk, greater dissemination of best practices as well as of its value needs to occur throughout the industry. This reasoning is reinforced by the surprising number of interviewees, who had never heard of the concept of holistic risk management, and the number of Small E&Ps that adopted a responsive ad hoc—instead of a proactive strategic—approach to security risk management. Without such dissemination of industry knowledge, greater appreciation of the value proposition, which optimizing security risk represents, will not happen in a timely manner. 
Meta organizational structure

Our vision

Although internal shifts in firm structure represent an important first step, more is needed to optimize security risk management. An IP or IOC will not meaningfully reduce surface risk until it establishes relationships with other actors outside of the company, constructing a ‘multi-actor’ alliance for security risk management around the organization.179 Our recommendations for holistic organizational change extend beyond the boundaries of the firm.180 The concept of the business network is not new. In 1963, Stewart Macaulay interviewed 68 businessmen and lawyers from 43 companies and five law firms.181 He was attempting to determine when contractual rights were exercised in inter-firm relations, finding that business people tended to leave the contract in the drawer and engage in informal business exchanges.182 Macaulay’s work opened the imagination to the concept of network theory,183 inspiring legal scholars, economists and sociologists to look deeper into the nature of inter-firm behaviour. For instance, in the 1990s Walter Powell argued:

When the items exchanged between buyers and sellers possess qualities that are not easily measured, and the relations are so long-term and recurrent that it is difficult to speak of the parties as separate entities, can we still regard this as a market exchange? When the entangling of obligation and reputation reaches a point that the actions of the parties are interdependent, but there is no common ownership or legal framework, do we need a new conceptual tool kit to describe and analyze this relationship? Surely this patterned exchange looks more like a marriage than a one-night stand, but there is no marriage license, no common household, no pooling of assets. In the language I employ below, such an arrangement is neither a market transaction nor a hierarchical governance structure, but a separate, different mode of exchange, one with its own logic, a network.184

Today, the best network theory encourages observers to embrace the complexity of networks and not force explanation upon the data collected.185 For instance, Bruno Latour encourages scholars to ‘slow down’186 so as to be able to not ‘simplify in advance the task of assembling’187 an understanding of such networks. Accordingly, we resist adopting a grand theory, in hopes of avoiding the traps188 of theorizing about the ‘forces’189 that may operate within such ‘network architecture’.190 Instead, we simply point to actors that ought to form this ‘multi-actor’ alliance.191 We acknowledge that complexity could be added at this juncture, but we are bracketing it, because it is unnecessary to address directly, considering the nature of this work. We hang our analysis on the concept of meta-organization, which is conceptually straightforward and has been used as a lens to understand networks in the oil and gas industry.192 Meta-organization in this context has been defined as ‘a very broad range of structures that belong to the universe of firms, political institutions, and non-profit organizations’.193 In this section, we identify the key actors that need to contribute to an exploration and production company’s security risk governance network if it is going to have the meta-organization support essential to optimize its risk management. First, industry groups are an important part of a company’s meta-organization. 
For instance, the AIPN provides meta-organizational support to a company’s network capacity by creating standard form contracts and distributing such contracts and other knowledge throughout the industry.194 Although standard form contracts have certain disadvantages, they also: (i) reduce transaction costs; (ii) provide greater legal certainty as to terms; (iii) reduce agency costs; (iv) increase business certainty through standardizing business relationships; (v) distribute industry knowledge and experience with opt-out and opt-in provisions; and (vi) provide additional regulatory functions by normalizing industry activities.195 If the AIPN were to create security risk products—such as a series of country/region specific security due diligence checklists, a model memorandum of understanding for security services with host states, a model community benefit agreement, and model security provisions for the AIPN’s existing model form with independent contractors—it would greatly enhance the capacity of E&Ps to manage security risk by standardizing inter-firm relations through introducing contractual norms. Such inter-firm relations include partnerships with communities within their operational footprint, host governments and OSCs.196 Second, other exploration and production companies also form part of a company’s meta-organization. For instance, IOCs have been identified as adopting the general strategy of focusing on ‘long-term strategic planning and related decisions’ in-house, while outsourcing the ‘day-to-day operational activities’ to OSCs.197 As a result, OSCs have placed themselves in the industry as ‘technology providers assuming technical risks’, while IOCs maintain the responsibilities of being the operators.198 This strategy has been framed as a larger problem. 
Outsourcing to OSCs has become such standard practice that IOCs have allowed their control over technology to ‘erode’ to the point that host states ‘no longer’ have to rely on IOCs for exploration and production.199 They can ‘simply bring in’ an OSC themselves, neutralizing a ‘major advantage the IOCs previously had when bidding for upstream acreage’.200 Moreover, an OSC’s economic horizon is typically focused on the next job or project, and not necessarily a 40-year economic relationship with a government and/or local community. Such outsourcing illustrates one aspect of a security issue within the meta-organization that will demand attention when at play. Will an OSC rely on existing security? Or will it bring its own security? If so, how will security operations be coordinated? In most cases, OSCs ought to rely on the existing security instead of adding complexity and risk to security operations. That said, this option may be rejected, depending on the circumstances. Moreover, OSCs do not have the same ‘coalition’ with the host government as the E&P; it is a less ‘stable’ relationship, since the OSC’s horizon in-country is for a much shorter term than its E&P client.201 Thus, using an OSC potentially represents a significant agency cost in a spectrum of security risk management scenarios, since cooperative game theory suggests that OSCs, as rational actors, are more likely to select the ‘best choice’ for themselves over the choice that maximizes the ‘mutual advantage’ of the members of its employer’s meta-organization.202 The AIPN could craft a number of additional security provisions for field service contracts to help reduce the agency costs associated with IOCs and IPs outsourcing to OSCs. However, OSCs are not the only firms that form part of a company’s meta-organization; other IPs and IOCs do as well. 
For instance, some oil and gas contracts create business relationships between exploration and production companies, in particular through the use of Farmout Agreements, Royalty Agreements, Unitization Agreements and Joint Operating Agreements (JOA).203 Although these agreements create tighter inter-firm relations than would exist in the market, the meta-organization issues are already well addressed by these agreements. For instance, in a JOA, the appointment of a single operator for the business venture, plus the allocation of risk between the project’s partners reduces the meta-organizational issues to the organizational level.204 Having said this, standard form JOAs do not, at present, directly articulate standards incumbent on operators for field security operations. Similarly, standard form JOAs do not have outward looking provisions to encourage operators to coordinate with neighbouring operators, who are running operations on adjacent blocks. Such provisions could encourage: (i) a collective approach to corporate–community relations within their combined operational footprint; and (ii) shared training and synchronized operation of on-site security. We predict that such coordinated approaches would reduce surface risk. Another way that IPs and IOCs form part of a company’s meta-organization is through the operation of reputational capital. Reputational capital has become a shared asset between all exploration and production companies, including SOCs, NOCs and GSEs. It has been documented how reputational effects can ‘travel in accidental and contingent ways’, affecting seemingly unconnected exploration and production activities globally.205 The mismanagement of security risk by any one of these actors can trigger a reputational effect across the industry or upon one or more companies, even when they have no connection with the mismanagement in question. 
In fact, our interviewees acknowledged the potential for random impacts of reputational effects in such ways. Accordingly, the shared nature of reputational capital makes its management a collective concern for all exploration and production companies, and ought to trigger collective responses to improve standards across the industry. Again, industry groups such as the AIPN are well positioned at the meta-organizational level to up industry standards, coordinating such efforts through: (i) hosting events; (ii) offering training; and (iii) embedding best practices in model form contracts.206 Third, host governments also form part of a company’s meta-organization. The E&P company will negotiate or bid for the exploration and development rights with the host country.207 The nature of the relationship between the firm and the government, in particular the firm’s bargaining power relative to the government, can be defined by a number of factors including the firm’s: (i) size; (ii) technological competence and knowledge; (iii) reputation; (iv) capacity for input sourcing for materials; (v) capacity for output sourcing for sales and distribution; (vi) staffing policies; and (vii) political activity in-country.208 The host governments can structure the relationship with the firm in a number of ways; a common way is a production sharing agreement.209 In this way, the host government and the firm are business partners. 
Beyond being business partners, the firm is subjected to the government’s policies and regulations when operating in the country, creating another layer to the relationship that is similar to any other state–citizen relationship.210 The host government of the state is responsible for: (i) policing such crimes as kidnapping, murder and robbery; (ii) providing essential services; (iii) maintaining sovereignty over its borders; and (iv) maintaining internal political stability.211 Meanwhile, the firm, like the citizen, has the obligation to respect the rule of law.212 Of course, one could comment that we have ‘forgotten why’ exploration and production companies expanded operations into ‘developing countries in the first place’.213 We acknowledge this spotty history, yet reject such cynical approaches to corporate social responsibility as counterproductive to the opportunity that presents itself at this time and in this context. To explain, we have made a strong business case that the corporate administration of citizenship exists,214 and the expectations for corporate social responsibility are not at all too high, despite what some claim.215 New ‘constituencies of stakeholders’ are being created by institutional designs that are transforming firms into governance partners with host states.216 We, like others, believe the incentives are in place for significant change; positive synergies between host countries and firms have been noted.217 New opportunities for host governments to partner with firms exist today.218 For instance, opportunities exist to leverage both public and private investment in social and physical infrastructure,219 which will help to ensure that the firm has the positive and enduring presence it needs in-country to reduce surface risk.220 With healthy symbiotic relationships between host governments and firms, both parties can benefit while solidifying strong community relations.221 Fourth, local communities form part of a company’s 
meta-organization. The history of corporate–community relations in Nigeria stands as a dire warning for what can happen if an E&P partners with a host state in a manner that neglects communities, resulting in the perpetual marginalization and exclusion of ‘community participation within the decision-making process’ while making said communities ‘bear the full brunt of oil production’.222 In 2004, Chevron Texaco reported to have lost more than $750 million as a result of community strife and oil pipeline bunkering.223 Things got a lot worse. By the end of the decade, a violent campaign of young men under the banner of ‘Movement for the Emancipation of the Niger Delta’ had ‘crippled crude production and drove international oil companies offshore’.224 Even after community relations started to stabilize, Shell was still losing 40,000 to 60,000 barrels of oil a day from theft in 2013, costing the company approximately $3.5–5 million (USD) each day.225 After totalling the cost of disruption, E&Ps invested heavily in community development to mend relations. 
Observers noted that such community relations investment tended to lack ‘in-build sustainability mechanisms’, and had ‘poor community participation in project design, implementation and monitoring’.226 As a result, their efforts merely engendered ‘a culture of dependency’ which did little to improve their reputation with these communities.227 No one would refute that the Niger Delta represents a barely mitigated disaster, which cost the oil and gas industry billions of dollars and deeply tarnished its reputation.228 Much thought and focus has been given to ‘corporate-community conflict’ in the oil and gas industry since the mishandling of community relations in the Niger Delta, appreciating that the wide range of costs associated with such conflict can be high.229 Today, corporate–community engagement is not merely ensuring that communities are financially compensated, since it is appreciated that Kaldor–Hicks-style justice230 will fall short of maintaining good corporate–community relations.231 The best thinking appreciates that ‘when communities play active, participatory roles and lead the way in identifying and prioritizing their development needs while being supported by corporate organizations and development partners, a sense of ownership and participation is created’ which can sustain a strong corporate–community relationship.232 In other words, community members need to feel empowered in the corporate–community relationship and believe that they are partners with the company in the project.233 Moreover, there is no ‘single-solution’ to the challenge of building and sustaining such relationships; it takes ongoing engagement, which is honest, culturally sensitive and pragmatic.234 The costs of corporate–community conflict in areas such as the Niger Delta powerfully demonstrate that the days of superficial corporate social responsibility ought to be at an end.235 Moreover, E&Ps ought to be aware of: (i) how ‘communities are actively shaped and reshaped’ by their 
corporate-community initiatives;236 and thus (ii) how the proper management of such initiatives is intimately connected to their future profitability. Fifth, civil society forms part of a company’s meta-organization. For some time, E&Ps have operated in a transnational environment in which standards for company behaviour, such as those provided by the Voluntary Principles for Security and Human Rights, have represented a form of ‘private governance’ at the global level.237 Moreover, this complex normative environment goes well ‘beyond the dualistic categories of voluntary and mandatory’.238 Whether or not transnational civil society networks have an impact is not in question. Transnational civil society networks do have an impact—the question is how transnational civil society ought to impact global governance.239 For years, observers have been predicting that civil society ‘stands at the cusp’ of ‘unprecedented’ opportunities.240 Although some in civil society are starting to enjoy the fruits of their labour, these global governance frontiers are still very wild, unwieldy, and difficult to manage.241 However, the combinations of market mechanisms and corporate social responsibility architectures are gaining traction,242 representing some of the best examples of intelligent institutional design today.243 And yet the mapping of such governance reveals there is much work to be done, considering the ‘multitude of overlapping and sometimes inconsistent’ combinations of ‘network-design’ in the global ether.244 In the field of security risk management for exploration and production companies, there are a number of examples of civil society ‘getting it right’.245 Organizations such as IPIECA,246 Shift,247 the Geneva Centre for the Democratic Control of Armed Forces,248 the International Committee of the Red Cross,249 and the Institute for Human Rights and Business250 are providing invaluable support, guidance and decision-making capacity to IOCs and IPs. 
Such organizations are offering these businesses the tools they need to help devise security risk governance strategies that reduce surface risk, while upholding human rights standards in practice.251 These elements of civil society ought to be active participants in the meta-organizations in question. Sixth, security services, whether provided by the host state’s military or through private companies, form the final piece of a company’s meta-organization. The literature on the relationship between the firm and host country as the military provider is sparse at best. We will provide examples of two different worst-case scenarios of when the host country as the military provider fails. The first is the 2013 In Amenas gas facility hostage crisis.252 The second is the incidents that gave rise to the Choc v Hudbay Minerals Inc. transnational civil litigation.253 The first example is the In Amenas gas facility hostage crisis, which is considered an ‘unprecedented attack’ on an oil and gas facility.254 The hostage situation turned deadly when the Algerian government unilaterally decided not to negotiate with the terrorists, indiscriminately unleashing helicopter gunship fire on the terrorists, killing the terrorists but also killing the foreign workers, who were being used as human shields.255 In all, 40 employees and all of the terrorists were killed in the three-day siege.256 The joint venture was allowed few military resources and granted little access to military intelligence by the host country.257 As a result, its limited risk management processes were not integrated in key ways to the Algerian military response strategy.258 The readers of Statoil’s report on the incident are left with the impression that the government was circumspect of foreign companies, and might have been better served if it overcame such wariness.259 Instead, it is clear that the joint venture had few real options to better safeguard against such terrorist attacks in the future, other than 
hoping that the Algerian military will better manage the security threats posed by Mali and Libya.260 The second example occurred in Guatemala. In 2004 Skye Resources purchased the Fenix nickel project. The operation was on the traditional land of Indigenous Mayan peoples, who were forced to relocate back in the 1960s.261 In 2006, Skye Resources attempted to reopen the mine, but by this time Mayans were repopulating their traditional area. Conflict ensued between Skye Resources’ subsidiary (backed by the Guatemalan police and military) and the Indigenous community in question.262 In 2007, the mine’s employees, the police and the military allegedly sexually violated 11 indigenous women to crush protests.263 Subsequently, Hudbay Minerals purchased Skye Resources and knowingly assumed its liabilities for the alleged incident.264 Then, in 2009, the Chief of Security for the mine allegedly directed his security personnel to attack one of the Indigenous leaders with machetes before the security officer reportedly executed the Indigenous leader by shooting him in the head at close range.265 Both examples represent nightmare scenarios for an IOC or IP. In practice, it is rare that host states as military providers pose risks like those presented above. In fact, all things considered, the majority of our interviewees prefer to have a competent host government as the military provider over a private provider. That said, an E&P needs to be aware of the risks created when host governments act as the military provider. It is important to note that private armed security is not always an option open to an E&P.266 Regulation often prohibits private armed security. 
When permitted, a spectrum of private military and security services exists for protecting in-country employees and assets.267 Private military companies (PMCs) come in four basic varieties: (i) Combat Offensive PMCs; (ii) Combat Defensive PMCs; (iii) Non-Combat Offensive PMCs; and (iv) Non-Combat Defensive PMCs.268 Combat Offensive PMCs are the companies that are most controversial269 because of their willingness to ‘engage in combat operations’ and thus their ‘proximity to violence’.270 Combat Defensive PMCs are what IOCs and IPs use to provide security for their assets and personnel.271 Arguably even Halliburton, on occasion, has fallen under the definition of a Non-Combat Defensive PMC or Non-Combat Offensive PMC, by providing private military logistics.272 Research shows that these ‘PMC entrepreneurs’ are distancing ‘their trade from that of traditional mercenaries’ by professionalizing within the business world as ‘legitimate paraprofessionals’.273 That said, whether it is best to have a PMC or the host government provide security services will be a highly fact-sensitive decision. Moreover, in many cases, the firm may not have the discretion to make that decision. Regardless of whether security is provided by a PMC or the host government, it is essential that the E&P makes all possible attempts to have strong formal and informal relations with the security provider so that security risk management strategies, processes, cultures and responses are fully integrated between the firm and said provider.274 In other words, a top priority of any E&P is to have a good personal rapport with—or full control over—the commanding officer of either the public or private forces providing security, so as to ensure that security risk management is being optimized.275 In fact, middle ground between a good rapport and full control is sometimes established to address situations where the latter is not possible and the former is not efficacious. 
Such middle ground could take the form of enhanced reporting, auditing and training. A final aspect of security is the provision of military intelligence. E&Ps should be able to rely on the host country to help provide this service;276 however, this information always ought to be cross-vetted through a number of different intelligence sources.277 In one interview, we were told that the intelligence of one African government was so unreliable that E&Ps flocked through informal channels to leaked intelligence gathered by the Chinese People's Liberation Army in-country. This example reflects the market for, and demand to find, reliable information by diligent E&Ps.

Figure 5. Holistic risk governance.

The six basic pieces of a company’s meta-organization provide a rough sketch of our vision for a holistic model of risk governance. If this alliance of actors can work together as a team, they ought to be able to reduce surface risk. Effective co-operation between this spectrum of public and private actors creates a sound foundation for risk management that will harness a diversity of opinions and a broad alignment of interests. Such holistic risk governance has considerable advantages when coping with the complex risk problems in question.

Research results

Industry groups, industry leaders and other firms

Large E&Ps and the Elite Small E&Ps, which have adequate security risk management strategies, appreciated that the mismanagement of security could lead to reputational effects that could impact the profitability of their firm. Some of the interviewees from these E&Ps speculated that if adequate risk management measures were not in place, it would likely be due to either—or both—of the following two factors: (i) lack of financial resources; and (ii) lack of expert knowledge about security risk management. 
Such interviewees also agreed that if industry groups took initiatives that reduced the cost of security risk management and/or increased the level of expert knowledge, it would directly benefit their firm. Some Small E&Ps claim that cost is the primary barrier to employing a full complement of security risk management strategies. We assert that lack of knowledge is also a factor. Some interviewees from Large E&Ps and many from Small E&Ps did not have an adequate understanding of the nature of holistic risk management. Additionally, they had an inadequate understanding of security risk management and the value proposition that improving security risk management presented to their firm. To be fair, many from this group believed that security risk is a serious problem, identifying that security risks could result in work stoppages, injury to employees and loss of assets. However, beyond production disruptions and loss of assets, reducing surface risk will also increase the value of their assets, reduce their cost of capital, and enhance their capacity for equity and debt financing by improving business certainty. We are thus suspicious as to whether or not such interviewees fully appreciate the value proposition in question. If they appreciated the true value of improving security risk management, we predict that some would revise their opinion that cost presents a serious barrier. We are not suggesting that, for many Small E&Ps, cost is not a significant barrier, only that it is a good investment in any company’s future. We concluded that both the perceived cost and lack of knowledge are the primary barriers to greater security risk management across the industry. A picture that can be constructed from the interviews is of a diverse collection of security risk management strategies, which are being employed by many Small E&Ps. 
Such strategies tend to: (i) lack sufficient expert support; (ii) be devised ad hoc from site-to-site; and (iii) plan to respond to risks when they materialize, but not do enough to prevent them from materializing. For these reasons, we conclude that our results indicate—albeit from a small sample—that a significant number of Small E&Ps, and a few Large E&Ps, are not fully seizing upon the opportunities they have to prevent security risks materializing into security and reputational problems. This conclusion deserves greater research and also industry concern. We are convinced that greater involvement of industry groups, such as the AIPN, can help improve firm performance in this area across the oil and gas industry. Moreover, industry groups are well-positioned to facilitate knowledge transfers between industry leaders and other firms, which are in need of such expertise by (i) hosting events; (ii) offering training; and (iii) embedding best practices in model form contracts. Finally, industry leaders appear to see the value to themselves in assisting their industry groups achieve this end.

Host governments

All interviewees agreed that it was difficult—if not improbable—for even Large E&P companies to sign a memorandum of understanding with a host government, which would lay out the E&P’s rights to, and the host government’s obligations to provide, armed security. That being said, one interviewee outlined a strategy used by a Large E&P to navigate this challenge. The E&P in question negotiated with the host government to pay it directly for security services. The interviewee asserted that the payment framed the relationship as service provider-client, not as sovereign-guest. This framing as client granted the E&P significant leverage over the provision of security services—particularly the standards for such services. We cannot speculate on whether or not this sort of arrangement would play out similarly in different scenarios. 
For instance, this strategy is more likely to work for an IOC than it is for a nano cap IP. Company relations with host states have been a priority within the industry for many years. All of the Large E&Ps, and many of the Small E&Ps, are very experienced with host state relations. A number of interviewees noted that the nature of company–country relations is changing. They provided stories of the increasing de-centeredness of governance and the rise of the local community as a more significant political actor in-country.278 Accordingly, a general consensus among industry leaders was that an in-country risk management strategy that relied solely upon strong relations with the host state cannot adequately reduce risk exposure and that community relations are becoming ever more important. In fact, it was suggested that corporate–community relations are more important than company-state relations in some countries. This observation is supported by the fact that all industry leaders have some form of in-country community relations capacity, which is distinct from their in-country governmental relations capacity. All interviewees agreed that it is difficult to generalize about governmental relations, since government behaviour can vary widely from country-to-country. Some interviewees told stories about how the quality and cooperation of government relations in a single country can change radically on the local, state and federal levels. Thus, some explained that a governmental relations strategy is not a one-dimensional proposition in some countries. The smooth operation of a security risk management strategy may need to be negotiated with a number of more, or less, independent layers of government, which have different allocations of power. For instance, one interviewee provided a hypothetical scenario where three different levels of government each had a de facto exclusive control over three different forms of security: military, paramilitary and police services. 
To add to this complexity, each level of government had poor communication and coordination. Also, at times, they exhibited signs of competition, jealousy and hostility towards each other. The interviewee posed the question: ‘How does an E&P provide adequate holistic risk management when faced with such challenges?’ The interviewee did not have an answer, but this hypothetical reflected the reality that E&Ps can face when dealing with host governments. Even at the federal level, different departments may operate as small independent fiefdoms. One interviewee explained how his E&P had to interface with the Ministry of Energy for a production sharing contract; the Ministry of Defense for armed security; and the Ministry of Interior for internal policing matters. All three ministries exhibited poor communication between one another, forcing the E&P to coordinate the services provided by the Ministries. In sum, interviewees generally took time to explain the difficulties E&Ps face when attempting to coordinate holistic risk management strategy with host countries.

Community relations

Industry leaders invested many resources into devising an intelligent corporate–community relations strategy. They are convinced that the first step to a successful security risk management strategy is such relations. They see corporate–community relations as a cost-effective way to mitigate security risk. By comparison, most Small E&Ps failed to appreciate the full importance of strong corporate–community relations. Industry leaders did not conflate governmental relations with corporate–community relations. For instance, they invested in separate governmental and community relations departments and personnel at head office, the in-country office and the field site. In addition, they explained that E&Ps had to be sensitive to the relationship between the community and the government. 
In some cases, it was opined that if a community was happy, so was the government, and the government’s encouragement could help forge positive corporate–community relations. An interviewee noted that this was the case in Turkey, outside the areas influenced by the Partiya Karkerên Kurdistan. However, others reported that the opposite dynamic also can be at play between a local community and the government. In these cases, cooperating with the government or appearing to be allied with the government might have a significant negative impact on a community’s opinion of the company, and could raise security risks rather than lower them. An interviewee noted that an E&P might have to navigate such a country-community dynamic in Northern Kenya, Somaliland or the Niger Delta. Interviewees noted a number of examples of initiatives that foster stronger corporate–community relations, including providing equity shares in projects, hiring locals and awarding contracts to local firms. A couple of interviewees from industry leaders warned about the dangers of engaging in public–private infrastructure projects in communities with host governments. An interviewee provided the example of building a hospital, which relied on a government promise that it would provide the medical services to the community after the hospital was built. When the government did not fulfil its promise, the hospital was transformed from an example of the E&P’s good will to a symbol of the history of broken promises. Instead of building corporate–community relations, the hospital severely damaged them. At the field level, another interviewee suggested that identifying the correct contact within a local community is critical to developing effective corporate–community relations. It was added that the right attributes for this individual are highly fact dependent, but can include such factors as their tribal or family affiliations, religion, education and native tongue. 
Some interviewees also noted that such relations had to extend to communities on the periphery of the E&P’s operational footprint. As a general rule, it was also suggested that the E&P should not give preferential treatment to one local group over another, since long-held rivalries and tensions can be inflamed by such acts, unintentionally undermining fragile intercommunity relations. For instance, an interviewee used the example of electing to operate portable medical units over building hospitals, since such portable services prevent jealousies between communities by avoiding the perception that the E&P is favouring one community over another. In sum, the industry leaders understand that community investment must be intelligent and strategic. They appreciate that it must provide long-term benefits and reflect a company’s genuine commitment to the community. However, it is noteworthy that the interviewees failed to mention that providing local communities a sense of ownership over the E&P operations was an important aspect of cultivating strong corporate–community relations. The literature suggests that by providing communities with opportunities to share in decision-making over E&P projects, communities feel empowered and have a sense of meaningful ownership over the projects and their lives. This point was emphasized in the literature as being of critical importance to corporate–community relations.279

Civil society

Since all interviewees are concerned with reputational risk and acknowledge the importance of corporate social responsibility, greater opportunities appear to be available for actors from civil society to partner in risk governance networks. That said, Small E&Ps were largely unaware of any institutional supports and guidance from actors in civil society. 
For instance, except for the Elite E&Ps, none of the Small E&Ps were aware of the Guiding Principles on Business and Human Rights,280 the Voluntary Principles on Security and Human Rights,281 or the IPIECA’s Voluntary Principles on Security and Human Rights: Implementation Guidance Tools.282 Interviewees from Large E&Ps did a better job of identifying these instruments, but beyond recognizing the name, few knew their suggested guidelines or how to implement them. In fact, we were surprised that civil society was not playing a larger role at present, leading to the conclusion that our dataset may not be presenting us with a complete picture of existing risk governance networks.

Security services

Industry leaders agreed that the head of global security ought to have military training, if not a successful military career. The same was true for an in-country security manager and the onsite security supervisor: that is, if the operations in question demand armed security, rather than merely policing. Some opined that non-military personnel would not likely fully appreciate the nuances of military training, tactics, and strategy, and that non-military personnel might not be granted the same level of respect by many host-state military officers. All interviewees noted that armed security being allowed in-country is a key consideration. All interviewees reported that, in their experience, private unarmed security is always permitted by governments in-country. If private armed security is permitted, all interviewees reported that three options for the provision of security existed: (i) private security; (ii) government security; or (iii) some combination of both private and government security. The majority of interviewees preferred government provided security, while a minority preferred private security. The interviewees who populated the minority position were all employed by Small E&Ps in active conflict zones. 
This preference for private security may be due to the extreme risk in such areas, or possibly to the fact that Small E&Ps appear to have weaker relations with host governments. Both are probably true, but the literature supports the latter conclusion.283 Many interviewees repeated the fact that the choice of security options is highly fact specific, since security conditions can vary widely from region-to-region, from country-to-country and from area-to-area within a single country. Interviewees reported that field security risks ranged from policing petty crimes to operating in a de facto warzone. Accordingly, armed security is absolutely necessary in some cases, but unnecessary in others. One interviewee warned that using personnel from a Combat Defensive PMC to police thievery ‘is like using a sledge hammer to kill a fly’, adding such misuse of security personnel can create new security risks. For instance, corporate–community relations may suffer from what communities may perceive as overkill. In fact, a majority of interviewees agreed that, when the situation calls for unarmed security, it ought to be the preferred option over armed security. A number of interviewees noted that using unarmed security—when prudent to do so—reduced the security risk. For instance, one interviewee told of an incident where a local community member engaged in an argument with a member of an E&P’s security team, only for the security officer to settle the matter by shooting and killing the local. Although the officer was from the host country’s military, the incident severely damaged corporate–community relations. The moral of the story is that electing for unarmed security, when possible, prevents such incidents from occurring, or at least from damaging the reputation of the E&P. 
A number of interviewees from Larger E&Ps and Elite Small E&Ps reported that when using armed security, government-provided security—as a general rule—minimized the reputational risks of employing such forces. The consensus reason for this reputational effect was that the government usually is perceived as controlling security as part of its sovereign right, and thus tended to bear the majority of the reputational risk of said security. Some reported that another advantage of electing to use government security is that it helps to facilitate productive relationships with host governments in other areas. A general consensus was that when governments provide security, the E&P can expect said security to be military or paramilitary forces, not police officers. Some interviewees noted that government security can give the E&P less control over the personnel and training, since government security will respond to the military chain of command, not the E&P. An interviewee warned that electing to use government security can have a significant negative impact on corporate-community relations and sometimes ‘make a bad situation worse’, if the relations between the host government and local communities are poor. Some interviewees noted that, in many regions, the cost of government security is built into the exploration and development arrangement between the E&P and the host country. An interviewee noted a case where government security was provided in exchange for community investment. Finally, there are situations where a company contracts the government to provide security for a fee. For instance, one interviewee noted that, in some countries from the Caucasus, such security contracts represent a significant addition to state revenue. As mentioned, another interviewee described how a Large E&P elected to pay the government for security services, which helped to frame its relation with the government as one of client and service provider. 
It was reported that this framing granted the E&P greater control over the standard of services provided. Those who reported preferring government-provided security usually also noted that private security created greater reputational risk, since the E&P is perceived as having direct control over the security forces in the event of an incident. In fact, all interviewees agreed that electing for private security granted E&Ps greater control over security risk management. Interestingly, some interviewees held the opinion that the reputational cost of a mismanaged security incident would impact the E&P more than the Combat Defensive PMC. Ergo, some interviewees believed that Combat Defensive PMCs are less risk averse than E&P companies. The literature asserts that PMCs are attempting to transform into ‘legitimate paraprofessionals’;284 we believe this perception may not be accurate. However, it still creates a positive incentive structure and should help protect human rights. Some interviewees noted that private security personnel can be sourced and hired locally, or be the personnel of PMCs. The decision to hire locally or to hire a PMC is like other such decisions—highly fact specific. A number of interviewees suggested that—depending on the facts—corporate–community relations can be improved by hiring security locally, and that this choice will reduce security risk, even when the security personnel are less skilled. An interviewee reasserted that hiring security locally can be most beneficial when the security team is unarmed. Interviewees also asserted that an E&P is less likely to combine armed private and armed government personnel in a single security team. Some interviewees warned that such combinations will add greater complexity to security operations, which can lead to confusion within the command structure, breakdowns in channels of communication, misperception as to roles, and avoidance of responsibilities. 
That said, some interviewees noted that such a hybrid could still be the best option given a particular fact scenario on the ground.

Conclusion

Approaches to security risk management vary widely. It is troublesome to find that the data indicates most Small E&Ps, and a minority of Large E&Ps, still adopt an ad hoc approach that largely reacts to security risks as they materialize, instead of an approach that proactively mitigates security risks at the meta-organizational level. Frequently, Small E&Ps reported relying on a single security expert. We opine that this strategy poses significant reputational risk to all members of the industry in largely unforeseeable ways. On the other hand, the majority of Large E&Ps and the Elite Small E&Ps already appreciate the costs and benefits of engaging in security risk management strategies at the meta-organizational level. They: (i) prioritize host state relations; (ii) prioritize community relations; (iii) show appropriate concern over reputational effects at an industry level, knowing they ‘travel in accidental and contingent ways’285; (iv) agree that the industry as a whole ought to develop strategies to help Small E&Ps better mitigate security risk; and (v) agree that standard form contracts offer one example of how industry can help Small E&Ps, by: (i) reducing information asymmetries regarding security risk management across the industry; (ii) standardizing relationships within their risk networks; and (iii) decreasing the cost of security risk mitigation. Small E&Ps were less equipped to deal with security problems than Large E&Ps. In our estimation, Small E&Ps also were exposed to higher surface risk, because they did not have strong enough ties to local communities and/or host states. Moreover, Small E&Ps did not identify this higher risk exposure in these terms. 
In addition, to the degree that a holistic multi-actor alliance for security risk existed to assist them in mitigating surface risk, Small E&Ps tended to be unaware that such support existed.

4. ADDITIONAL COMMENTS ON OPERATIONALIZING HOLISTIC SECURITY RISK MANAGEMENT

Enterprise Risk Management (ERM) has emerged as an innovative model for business management, although some have strong reservations about its true value.286 There is no ‘agreement regarding the underlying theoretical foundation for ERM’,287 yet this holistic approach to risk management does have a distinctive application.288 To start, ERM assesses risk.289 The risk assessment method required will be dictated by the specific risk in question. A risk could fall under a number of different categories, which include: (i) strategic risk;290 (ii) compliance risk;291 (iii) operational risk;292 (iv) financial risk;293 (v) reputational risk;294 and/or (vi) some industry-specific risk category such as geological risk295 or surface risk.296 At this point, many of the risks can be understood in tangible terms (ie actual procedures, real people and hard assets), and thus are grounded in the ‘social and natural environment’ of the firm.297 All risks have one commonality: each represents a potential bar to maximizing profit for the firm. 
Accordingly, within a traditional risk management process, such seemingly incomparable risks demanded a number of risk identification, measurement, monitoring and reporting processes that operated in separate silos of expertise within the organization.298 Accordingly, on an operational level, companies tended to have multiple risk management processes, which functioned in relative isolation from one another.299 ERM is a holistic approach, because it channels all of the isolated risk management processes into a single risk calculus.300 To do so, it first financializes all risks,301 giving each a value in monetary terms so that all risk can be relativized with all other types of risks through pricing.302 In other words, ERM translates all risks into ‘economic constraints and opportunities’,303 so that they can be understood using a financial cost-benefit calculus that fits neatly with present corporate governance thinking.304 What is most unique about ERM is that after pricing all of the risks, it groups them into a single risk management process, which analyses the risks as a single unit using the same process demanded by portfolio theory.305 Put differently, ERM hedges each financialized risk against the others to develop a strategy that balances risks in a manner that maximizes firm returns while minimizing the risk of loss.306 ERM provides a method to understand a diverse collection of seemingly unrelated risks with singularity. 
To operationalize this process, firm structure changes to accommodate the ‘complex integration of risks across the firm’.307 In particular, companies must adopt new forms of risk-related governance mechanisms, such as chief risk officer positions, so that all firm risks can be ‘integrated’ into a ‘single message to senior executives’.308 The shift in risk focus, combined with the internal structural change, tends to transform the firm, inspiring ‘a culture of risk-awareness throughout’.309 This particular ‘marriage of corporate governance and risk management’ by ERM has been called ‘risk governance’ within the business literature.310 The ERM-inspired culture of risk-awareness enhances the understanding of risks facing the firm.311 This perspective offers the insight necessary to design more intelligent profit-making strategies.312 ERM-inspired culture does not hinder the sort of risk taking that fuels firm performance. Moreover, when reputational risks are properly priced in this calculus, it shifts towards better ‘corporate citizenship’,313 which in turn ought to impact how a company ‘treats and is treated by, other organizations or other social partners’.314 Although ERM has many advantages, we still bracket the issue of whether or not its attempt to ‘unite the risk management process’315 through ‘financialization’316 is a superior form of risk management for present purposes,317 because of the inherent dangers of pricing human life as part of a profit-making strategy.318 A number of critical voices prudently warn against the exclusive use of ‘technocratic narratives’,319 and the need for ‘humanistic’320 ones, to help ensure that the ‘calculations of utility’321 do not blind decision makers when human rights are at stake.322 That said, our vision is similar to ERM. 
We endorse the development of ‘a culture of risk-awareness’323 that impacts ‘corporate citizenship’324 in a manner that improves the relationships between oil and gas companies and their ‘social partners’.325 In fact, we believe that such a holistic risk culture is absolutely essential to any holistic security risk management system. However, we push the definition of risk governance further than the ERM literature suggests, endorsing its broader and more generally accepted understanding.326 In this sense, risk governance extends beyond the business organization to embrace ‘multi-actor alliances’, which include the company, the oil and gas industry as a whole, the host state, communities within the operational footprint, and other actors from the public sphere and civil society.327 Each of these actors provides one connection within the web of risk governance. This form of broad holistic governance connects an organizational ‘culture of risk-awareness’328 with an institutional ‘multi-actor’329 alliance for security risk management. Forging co-operation between this spectrum of public and private actors creates a diverse institutional platform of risk governance330 that allows for a ‘diversity’ of opinions and alignment of interests that has ‘considerable advantages’ when coping with ‘complex, uncertain and ambiguous risk problems’.331 Holistic risk governance at the meta-organizational level grants opportunities for learning that are critical for success.332 Accordingly, companies cannot optimize their management of the germane security risk problems,333 unless key players within the security governance network contribute to, and broadly support, the risk management strategies in question.334 This is especially true for Small E&Ps, who ‘may be less aware of, or lack the capacity to meet’, the challenges that security risk problems pose.335 An effective security risk management system requires the co-operation of a broad range of participants to be successful. 
However, even if an E&P constructs such a security risk governance network, these efforts will not be enough to meaningfully reduce surface risk. For such strategies and plans to be effective, they must be communicated and operationalized across all units, disciplines and levels of the organization,336 as well as at strategic points within the security risk governance network.337 In addition, a mere ‘box-checking’ approach is inadequate; as Michael Power explained, such ‘box-checking’ offers ‘a cognitively comfortable world which focuses inwards on routine systems and controls’.338 He continued that while many ‘at the operational level prefer this less ambiguous and more rule-based world, it is also a rather dangerous generalised and standardized orientation for organizations’.339 As an alternative to the ‘formal “comfort” of auditing’, Power suggested a method that ‘is loosely related to what financial regulators call stress-testing’.340 This method removes risk managers from the ‘cognitively comfortable world’ of the ‘box checking’ and places them into a ‘scenario analysis’ world ‘in which participants from different disciplines in an organization can collectively track the trajectory of potential decisions and events’.341 For present purposes, the stress-testing would recursively drill the security response network using a series of risk scenarios, which have the highest probability of occurring. 
The analysis of such drills ought to expose the limitations and failures of the security response, creating opportunities for learning.342 The key strength of this approach, as Power explained, is that such ‘stress-testing’ produces organizational ‘anxiety’, not ‘comfort’, and that such anxiety is not produced by ‘concern for legitimacy’ as defined by rule-based compliance, but by the organizational ‘uncertainty’ over its performance in the stress-test in question.343 In this way, the stress-testing is a focused learning tool, which leads to more dynamic, measured and practiced responses to security risk.344 Such training will not be altogether unfamiliar to military officers, who employ similar methods to drill soldiers by placing them in a range of life-or-death scenarios, so that when under fire,345 strategic responses play out as planned.346 In our vision of holistic risk governance, such stress-testing will occur at both the organizational and meta-organizational levels, leading to better prescriptions for, and operationalization of, coordinated reactions to security threats. The broad holistic collaboration between a spectrum of actors to form risk management networks, which we envisioned based on studies done in other risk management contexts,347 has not yet fully captured the imagination of many E&Ps—that said, the observation is based on our admittedly limited dataset. Although industry leaders are making strides towards holistic meta-organizational security risk strategies, we are convinced that much greater gains are possible to optimize risk strategies and significantly reduce surface risk. More research into this area is certainly merited.

5. CONCLUSION

Holistic risk governance strategies hold the potential to achieve the creative capacity to better assess, manage and mitigate surface risk in complex above-ground operating environments.348 Our interviewees from industry leaders all agree that proactive attempts to prevent security risk from materializing are key and that reacting to such security risk when it materializes—even when it is done successfully—is largely missing the point. Our interviews indicate that the majority of Small E&Ps have not learned this lesson. Accordingly, while industry leaders have vastly improved security risk strategies since the incidents in the Niger Delta, they are still subject to the reputational risks created by those who are slow to innovate. Accordingly, many industry leaders, who were interviewed, were concerned by this fact and appeared willing to support initiatives to enhance industry learning in this area. We are convinced that the investment of industry resources to this end will pay generous dividends. For instance, we are convinced that a more holistic security risk management system will: (i) reduce surface risk; (ii) protect on-site employees and property; (iii) optimize wealth maximization of the industry; (iv) improve political stability of host countries and regions; and (v) significantly improve the lives of local inhabitants within the operational footprints of those companies. It bears repeating that although the E&P is the hub of this holistic risk management network, it cannot optimize the management of security risk problems without the co-operation and support of others as outlined above. We are convinced that knowledge is the greatest barrier to significant reductions in surface risk. Advancements in security risk management will both reduce reputational risk and increase reputational capital. 
Our research indicates that even if a Small E&P cannot afford the full complement of security risk management tools outlined in this article, the intelligent investment of its limited resources will be rewarded handsomely. Moreover, the cost of security risk management can be greatly reduced by greater industry support. We are convinced that improving the security risk management of Small E&Ps, and others who are progressing slowly, will benefit the industry as a whole. The AIPN is ideally placed within the industry to help to overcome these knowledge barriers. It can also lower the cost of security risk management by helping to standardize multi-actor alliances. Other groups from civil society and elsewhere, such as IPIECA and the International Association of Oil & Gas Producers, could also assist in the endeavour. Such efforts will enhance financial performance of E&Ps, help alleviate poverty in many areas of the world, and save lives. Greater coordination of holistic security risk management at the meta-organizational level will not only promote good corporate citizenship, while making sound business sense, but our dataset reflects that it is something industry leaders in this area desire. Greater support by the AIPN and others can provide the global coordination necessary to facilitate these ends. That said, the responsibility for change rests with industry members, not its industry groups. In particular, we recommend a programme of inquiry at the industry level to research the development of a number of tools to help E&Ps:

A security due diligence checklist for new country or region entry: This checklist would provide standardized rigour for identifying risks. It would also provide guidance as to how to evaluate the risks within the context of a number of suggested mitigants. This checklist could be used in parallel with any operations planning so as to align the two processes for inclusion in the relevant work programs and budgets.

A model form memorandum of understanding for use by E&Ps and host governments for the provision of security services: This model would help standardize security protocols globally, and reduce the cost of security risk management. Although our research indicated that host governments resist such agreements historically, if drafted with their guidance, we hope that they would see its merit. Ideally, the benefits would result in an accretive adoption that would win over even more reticent states, but even a modest gain on this front would be significant.

A model form Security Services Agreement for security for use by E&Ps and private security providers: This model also would help standardize security protocols globally, and reduce the cost of security risk management. The literature indicates that many PMCs want to transform into ‘legitimate paraprofessionals’.349 Therefore, we predict that their industry leaders will not only endorse the development of such an agreement, but also make constructive contributions in its development.

A model form community benefit agreement: Although our interviews reflected the fact that corporate-community relations are highly fact specific, we are convinced that an agreement framework that embeds current industry best practice could steer E&Ps towards intelligent community investment, optimizing one of the most important elements of any security risk management strategy.

A set of model form security provisions for inclusion in other field service contracts: Such provisions would help standardize the deployment of security services for the benefit of both E&Ps and OSCs.

A set of model form security provisions for inclusion in model form JOAs: Such provisions would help standardize the security services for the benefit of all E&Ps in such joint ventures.

We would like to thank the Association of International Petroleum Negotiators and Stikeman Elliott LLP, whose generous research fellowships made this work possible. 
We would also like to thank Douglas Purcell, James Coleman, and our assistants (Temi Onifade, Melissa Arseniuk, Paul Reid, Laura Scott, Drew Yewchuk and Christopher Kuhman).

Footnotes

1 See generally, Peter F Drucker, The Concept of the Corporation (new ed, Transaction Publishers 1996); and Michael E Porter, Competitive Strategy: Techniques for Analyzing Industries and Competitors (Free Press 1998).
2 Charlotte J Wright and Robert M Cornell, ‘Fair Market Value and Valuation Methods of Oil and Gas Properties’ (2014) 33 Petroleum Accounting & Financial Management J 55, 68.
3 ibid 58.
4 ibid 58.
5 CRK Moore, ‘Perspectives on the Valuation of Upstream Oil and Gas Interests: An Overview’ (2009) 2 JWEL & B 24, 32.
6 ibid 32. Moreover, it is also useful to review what a risk constitutes in the rubric of field security operations. It is a complex question. Discretely, field security risk could present in the form of assault, kidnapping, murder, terrorism, vandalism, theft, insurrection/riot and violent state suppression of unrest. These risks are often quantified in terms of likelihood and severity when judging whether investment in a given area is even practicable. The risk to a petroleum company of vandalism may be less pronounced than the reputational risk of a murder perpetrated against a citizen of the host state. The risks vary enormously from country to country and are informed by a complex interaction of factors, such as: history, politics, race, language, economics, crime, policing, labour relations, infrastructure investment, literacy, poverty, pollution, health and even the constitutional division of governmental authorities.
7 ibid 35–37. Also see Wright and Cornell (n 2) 58. Also take into consideration the Petroleum Risk Manager rating system, see Alexander Van de Putte, David F Gates and Ann K Holder, ‘Political Risk Insurance as an Instrument to Reduce Oil and Gas Investment Risk and Manage Investment Returns’ (2012) 4 JWEL & B 284, 287–88. 
8 Barry Barton and Michael Goldsmith, ‘Community and Sharing’ in Lila Barrera-Hernandez and others (eds), Sharing the Costs and Benefits of Energy and Resource Activity (OUP 2016) 34. Also see Thomas Sikor, Eva Barlösius and Waltina Scheumann, ‘Introduction: Public-Private Relations and Key Policy Issues in Natural Resource Governance’ in Thomas Sikor (ed), Public and Private in Natural Resource Governance (1st edn paperback, Taylor & Francis 2016) 5–15.
9 In the Canadian context, Rowland J Harrison, former member of Canada’s National Energy Board, remarked on the impacts of social licence in a public lecture he gave at the Faculty of Law at the University of Alberta on 10 March 2015. For a written version of the speech, see Rowland J Harrison, Social License to Operate the Good, the Bad, the Ominous (13 March 2017) Canadian Association of Petroleum Landmen online: <http://landman.ca/2017/03/13/social-license-operate/> accessed 19 December 2017. For impacts in the US context, see Don Smith, ‘Social License to Operate in the Unconventional Oil & Gas Development Sector: The Colorado Experience’ in Lila Barrera-Hernandez and others (eds), Sharing the Costs and Benefits of Energy and Resource Activity (OUP 2016) 123–24.
10 Neil Gunningham, Robert A Kagan and Dorothy Thornton, ‘Social License and Environmental Protection: Why Businesses Go Beyond Compliance’ (2004) 29 L & Social Inquiry 307, 320 (foreseeing the present reality of the connections between reputational cost, future profits, project approvals and community opinion).
11 For a review of the literature in this field, see Fenner L Stewart, ‘The Corporation, New Governance, and the Power of the Publicization Narrative’ (2014) 21 Ind J Global L Studies 513, 517–33. In the context of natural resources governance, see Sikor, Barlösius and Scheumann (n 8) 5–15. 
12 Felicitas Weber and Olivia Watson, ‘Human Rights and The Extractive Industry’ (United Nations Principles for Responsible Investment 2015), Principles for Responsible Investment online: <https://www.unpri.org/download_report/8530> at 6, accessed 19 December 2017. 13 Michael Power and others, ‘Reputational Risk as a Logic of Organizing in Late Modernity’ (2009) 30 Organization Studies 201, 317. 14 ibid 217. 15 William Klein, John Coffee and Frank Partnoy, Business Organization and Finance: Legal and Economic Principles (11th edn, Foundation Press 2010) 1–4. 16 Although mainly an expectation of a number of transnational corporate social responsibility frameworks, it has also been captured in law in countries such as Canada, consider BCE Inc v 1976 Debentureholders, 2008 SCC 69, [2008] 3 SCR 560, [66] & [81]. 17 Jacob Dahl Rendtorff, ‘Creating Shared Value as Institutionalization of Ethical Responsibilities of the Business Corporation as a Good Corporate Citizen in Society’ in Josef Wieland (ed), Creating Shared Value—Concepts, Experience, Criticism (Springer 2017) 130. 18 ibid 130. 19 See Robert L Hirsch, Roger Bezdek and Robert Wendling, ‘Peaking of World Oil Production: Impacts, Mitigation, & Risk Management’ U.S. Department of Energy (February 2005), U.S. Department of Energy <https://www.netl.doe.gov/publications/others/pdf/Oil_Peaking_NETL.pdf> accessed 19 December 2017. 20 And yet, although producers now have more upstream options, the lower prices are also causing instability in states economically dependent on oil and gas revenue, which foreseeably leads to greater surface risk regardless of greater state cooperation. 
For more on state instability in this context, see Willem L Auping and others, ‘The Geopolitical Impact of the Shale Revolution: Exploring Consequences on Energy Prices and Rentier States’ (2016) 98 Energy Policy 390, 398 (contemplating the links between the oil glut created by the shale revolution and impacts upon the stability of states reliant upon oil and gas revenues). 21 Douwe Tideman and others, Government-facing Strategy for Oil And Gas Companies: Developing a Productive Relationship with Host Governments (Booz & Company 2012), PricewaterhouseCoopers online <https://www.strategyand.pwc.com/media/file/Strategyand_Government-facing-strategy-for-oil-and-gas.pdf> 5, accessed 19 December 2017. 22 This may be a somewhat contentious claim, if one is of the belief that today’s market logic cannot lead to a significant or genuine embedding of corporate function into social practice. For more, see Rendtorff (n 17) 130. 23 Emphasis is placed upon ‘helps’ because of the complexity of relationships that can exist between companies, host governments and communities. For more, see Audrey C Cash, ‘Corporate Social Responsibility and Petroleum Development in Sub-Saharan Africa: The Case of Chad’ (2012) 37 Resources Policy 144. For more successful applications, consider Tideman and others (n 21). But also, consider Lila Barrera-Hernandez and others, ‘Conclusion’, in Lila Barrera-Hernandez and others (eds), Sharing the Costs and Benefits of Energy and Resource Activity (OUP 2016) 432. Also consider Kathryn McPhail, ‘How Oil, Gas, and Mining Projects Can Contribute to Development’ (2000) 37(4) Finance and Development, International Monetary Fund online <http://www.imf.org/external/pubs/ft/fandd/2000/12/mcphail.htm> accessed 19 December 2017. 24 Moore (n 5) 35–37; also see Wright and Cornell (n 2) 58. 
25 Robert J Bies and others, ‘Corporations as Social Change Agents: Individual, Interpersonal, Institutional, and Environmental Dynamics’ (2007) 32 Academy of Management Rev 788, 789 (arguing that firms can ‘capitalize on opportunities to improve stakeholder relationships through corporate social responsibility’ in ways that transform into great profitability). 26 Thaddeus Chidi Nzeadibe, Chukwuedozie Kelechukwu Ajaero and Mary Basil Nwoke, ‘Rethinking Corporate-community Engagement in the Petro-economy of the Niger Delta’ (2015) 36 Singapore J Tropical Geography 376, 377. 27 Bies and others (n 25) 789. 28 For more on such institutional design, see Fenner L Stewart, ‘Behind the Cloak of Corporate Social Responsibility: Safeguards for “Private” Participation within Institutional Design’ (forthcoming 2018) 24 Ind J Global Legal Studies. 29 David Levi-Faur, ‘Regulatory Capitalism and the Reassertion of the Public Interest’ (2009) 27 Policy & Society 181, 181–83. 30 For more on doctrinal analysis, see Richard A Posner, ‘The Present Situation in Legal Scholarship’ (1981) 90 Yale L Rev 1113. 31 Gunther Teubner, ‘Enterprise Corporatism: New Industrial Policy and the “Essence” of the Legal Person’ (1988) 36 Am J Comp L 130, 131–32. 32 Klein, Coffee and Partnoy (n 15) 2–3. 33 Dirk Baecker, ‘The Form of the Firm’ (2006) 13(2) Organization 109, 113–14. 34 Teubner (n 31) 137. 35 Baecker (n 33) 114. 36 ibid 114–15. 37 Teubner (n 31) 138. 38 Erica Schoenberger, ‘Self-Criticism and Self-Awareness in Research: A Reply to Linda McDowell’ (1992) 44 The Professional Geographer 215, 217. 39 David Richards, ‘Elite Interviewing: Approaches and Pitfalls’ (1996) 16 Politics 199, 201. 40 Lewis Anthony Dexter, Elite and Specialized Interviewing (European Consortium for Political Research Press 2012) 18. 41 ibid 18. 42 ibid 4. 
43 For instance, consider Brian C Rathbun, ‘Interviewing and Qualitative Field Methods: Pragmatism and Practicalities’ in Janet M Box-Steffensmeier, Henry E Brady and David Collier (eds), Oxford Handbook of Political Methodology (OUP 2008) 685–701. 44 Avlana Eisenberg, Expressive Enforcement (2014) 61 UCLA L Rev 858, fn 103. Also see Herbert M Kritzer, ‘Seven Dogged Myths Concerning Contingency Fees’ (2002) 80 Washington ULQ 739, 742–43; Leslie C Levin, ‘The Ethical World of Solo and Small Law Firm Practitioners’ (2004) 41 Houston L Rev 309, 318; and Mark C Miller, ‘A Legislative Perspective on the Ohio, Massachusetts, and Federal Courts’ (1995) 56 Ohio State LJ 235, 240. 45 Oisin Tansey, ‘Process Tracing and Elite Interviewing: A Case for Non-probability Sampling’ (2007) 40 Political Science & Politics 765, 766. 46 Schoenberger (n 38) 766. 47 Richards (n 39) 201. 48 Tansey (n 45) 766. 49 ibid 767. 50 ibid 766. But also see Darren G Lilleker, ‘Interviewing the Political Elite: Navigating a Potential Minefield’ (2003) 23 Politics 207, 208. 51 ibid 208. 52 Tansey (n 45) 766. 53 Richards (n 39) 200. 54 Lilleker (n 50) 208. 55 Dexter (n 40) 19. 56 ibid 19. 57 Lilleker (n 50) 208. 58 Dexter (n 40) 19. 59 ibid 19. 60 ibid 21. 61 Schoenberger (n 38) 217. 62 Richards (n 39) 200. 63 ibid 201. 64 Dexter (n 40) 18. 65 ibid 4. 66 Daniel Yergin, The Quest: Energy, Security, and the Remaking of the Modern World (Penguin 2011) 110–11. 67 Coby van der Linde, The State and the International Oil Market: Competition and the Changing Ownership of Crude Oil Assets (Springer 2000) 97. 68 US Energy Information Administration, Oil: Crude and Petroleum Products Explained (US Energy Information Administration), EIA online: <https://www.eia.gov/energyexplained/index.cfm?page=oil_where> accessed 19 December 2017. 69 Peter R Hartley and Kenneth B Medlock, ‘Changes in the Operational Efficiency of National Oil Companies’ (2013) 34 Energy J 27, 28, 55–56. 70 ibid 28, 55–56. 
71 Joseph Hilyard, The Oil & Gas Industry: A Nontechnical Guide (PennWell 2012) 229. 72 Forbes, Fortune Global 500, Forbes online: <http://fortune.com/global500/2016/list> accessed 19 December 2017. 73 Forbes, Fortune Global 500: Statoil, Forbes online: <http://fortune.com/global500/2016/statoil/> accessed 19 December 2017. 74 Fortune Global 500 (n 72). 75 Forbes, Fortune Global 500: Royal Dutch Shell, Forbes online: <http://fortune.com/global500/2016/royal-dutch-shell/> accessed 19 December 2017. 76 Fortune Global 500 (n 72). 77 Forbes, Fortune Global 500: ExxonMobil, Forbes online: <http://fortune.com/global500/2016/exxon-mobil/> accessed 19 December 2017. 78 Fortune Global 500 (n 72). 79 Forbes, Fortune Global 500: PB, Forbes online: <http://fortune.com/global500/2016/pb/> accessed 19 December 2017. 80 Fortune Global 500 (n 72). 81 Forbes, Fortune Global 500: Chevron, Forbes online: <http://fortune.com/global500/2016/chevron/> accessed 19 December 2017. 82 Hilyard (n 71) 227. 83 For instance, see Catherine Locatelli, ‘The Russian Gas Industry: Challenges to the “Gazprom Model”?’ (2014) 26 Post-Communist Economies 53, 54. 84 Fortune Global 500 (n 72). 85 Forbes, Fortune Global 500: Gazprom, Forbes online: <http://fortune.com/global500/2016/gazprom/> accessed 19 December 2017. 86 Fortune Global 500 (n 72). 87 Forbes, Fortune Global 500: Repsol, Forbes online: <http://fortune.com/global500/2016/repsol/> accessed 19 December 2017. 88 Fortune Global 500 (n 72). 89 Forbes, Fortune Global 500: ConocoPhillips, Forbes online: <http://fortune.com/global500/2016/global500/conoco-phillips/> accessed 19 December 2017. 90 Fortune Global 500 (n 72). 91 Forbes, Fortune Global 500: Suncor, Forbes online: <http://fortune.com/global500/2016/suncor/> accessed 19 December 2017. 
92 InvestSnips, Large-Cap Oil & Gas Exploration and Production Companies, InvestSnips online: <http://investsnips.com/list-of-publicly-traded-large-cap-oil-gas-exploration-and-production-companies/> accessed 19 December 2017. 93 InvestSnips, Publicly Traded Mid-Cap Oil & Gas Exploration and Production Companies, InvestSnips online: <http://investsnips.com/list-of-publicly-traded-mid-cap-oil-gas-exploration-and-production-companies/> accessed 19 December 2017. 94 InvestSnips, Small-Cap Oil & Gas Exploration and Production Companies, InvestSnips online: <http://investsnips.com/list-of-publicly-traded-small-cap-oil-gas-exploration-and-production-companies/> accessed 19 December 2017. 95 InvestSnips, Micro-Cap Oil & Gas Exploration and Production Companies, InvestSnips online: <http://investsnips.com/list-of-publicly-traded-micro-cap-oil-gas-exploration-and-production-companies/> accessed 19 December 2017. 96 Hilyard (n 71) 230. 97 EIA Market and Financial Analysis Team, Financial Review of the Global Oil and Natural Gas Industry 2016 (US Energy Information Administration 2017), EIA online: <https://www.eia.gov/finance/review/pdf/financial_2016.pdf> accessed 19 December 2017. 98 ibid. 99 Basak Beyazay-Odemis, The Nature of the Firm in the Oil Industry: International Oil Companies in Global Business (Routledge 2016) 42–44. 100 ibid 44. 101 Hilyard (n 71) 230. 102 Fortune Global 500 (n 72). 103 Forbes, Fortune Global 500: Schlumberger, Forbes online: <http://fortune.com/global500/2016/schlumberger/> accessed 19 December 2017. 104 Fortune Global 500 (n 72). 105 Forbes, Fortune Global 500: Halliburton, Forbes online: <http://fortune.com/global500/halliburton/> accessed 19 December 2017. 106 Hartley and Medlock (n 69) 28, 55–56. 107 Beyazay-Odemis, (n 99) 42–44. 
108 A small-cap IP has a market capitalization under two billion dollars but over 300 million dollars, see ‘Small-Cap IP’ (n 94); a micro-cap IP has a market capitalization of under $300 million, and a nano-cap IP has a market capitalization of under $50 million, see ‘Micro-Cap IP’ (n 95). 109 For instance, consider Markham Hislop ‘Want to Start a Junior Oil Company? It’ll Cost You $100 Million: Juniors are Getting Larger, Better Capitalized and Will Soon Only Work in the Very Best Production Areas’, Alberta Oil Magazine (October 28, 2017) online: <https://www.albertaoilmagazine.com/2016/10/juniors-getting-larger-better-capitalized-will-soon-work-best-production-areas/> accessed 19 December 2017. 110 Klein, Coffee and Partnoy (n 15) 5, 21–31. 111 Dennis R Jennings, Joseph B Feitin and Horace R Brock, Petroleum Accounting: Principles, Procedure & Issues (5th ed, Professional Development Institute 2000) 40. 112 ibid 40. 113 Beyazay-Odemis (n 99) 42–44. 114 Jennings, Feitin and Brock (n 111) 40. 115 Beyazay-Odemis (n 99) 43–44. 116 Jennings, Feitin and Brock (n 111) 40–41. 117 ibid 41. 118 ibid 41. 119 For some fundamental wisdom about how business organization and processes are used to develop sound strategies to achieve and sustain competitive advantage, see John Child, Organization: Contemporary Principles and Practice (2nd edn, Wiley 2015) 7–21. 120 Child ibid at 7–21; also see Jennings, Feitin and Brock (n 111) 40–41. 121 For more on risk architecture as a foundation for core risk processes and operations within an organization, see Paul Hopkin, Fundamentals of Risk Management: Understanding, Evaluating and Implementing Effective Risk Management (4th edn, The Institute of Risk Management 2017) 244–47. 122 Sara A Lundqvist, ‘Why Firms Implement Risk Governance—Stepping Beyond Traditional Risk Management to Enterprise Risk Management’ (2015) 34 J of Accounting & Public Policy 441, 442. 123 ibid 442. 
Also see Bromiley and others, ‘Enterprise Risk Management: Review, Critique, and Research Directions’ (2015) 48(4) Long Range Planning 265, 268. For further consideration of the importance of a “culture of risk-awareness”, consider Thomas L Barton, William G Shenkir and Paul L Walker, Making Enterprise Risk Management Pay Off (Financial Times Press 2002) 1–2. Also note that there can be a high degree of overlap between these departments, most notably risk management and corporate social responsibility. 124 Such skillsets include devising and implementing strategic community relations, negotiating with government actors, navigating foreign legal systems and complex normative environments, and neutralizing, degrading, disrupting or defeating potential physical threats to individuals and assets. 125 Hopkin (n 121) 228. 126 For more on the importance of, and strategies for, building strategic relationships with host countries, see generally Douwe Tideman and others (n 21). 127 Lundqvist (n 122) 442. Also see Shenkir and Walker (n 122) 1–2. 128 Torben Juul Andersen, Maxine Garvey and Oliviero Roggi, Managing Risk and Opportunity: The Governance of Strategic Risk-Taking (OUP 2014) 162–63. 129 Anil Naira and others, ‘Enterprise Risk Management as a Dynamic Capability: A Test of its Effectiveness During a Crisis’ (2014) 35 Managerial & Decision Economics 555, 556. 130 For more on how risk information needs to be generated in ways that inspire anxiety and learning about risk (such as stress testing) and not comfort and compliance towards risk (such as box checking and auditing), see Michael Power, ‘The Risk Management of Nothing’ (2009) 34 Accounting, Organizations & Society 849, 852. 131 For how risk information is priced and applied to the calculus of finances, see Lundqvist (n 122) 442; Bromiley and others (n 123) 268; and Natascha van der Zwan, ‘Making Sense of Financialization’ (2014) 12 Socio-Economic Rev 99, 100–3. 
And for the dangers of financializing risks that impact human rights, see The Corporation and Governance (n 18) 547–49; and Thomas Nagel, Mortal Questions (CUP 1979) 59. 132 For more on the added complexities of the framing of risk, see Jennifer Blaskovich and Eileen Z Taylor, ‘By the Numbers: Individual Bias and Enterprise Risk Management’ (2011) 13(1) J Behavioral & Applied Management 5, 6–8. 133 Lundqvist (n 122) 442; Kevin Ruck and Mary Welch, ‘Valuing Internal Communication; Management and Employee Perspectives’ (2012) 38 Public Relations Rev 294, 294–96; Mark Laycock, Risk Management At The Top: A Guide to Risk and its Governance in Financial Institutions (Wiley 2014) 102; and Erik Banks, Risk Culture: A Practical Guide to Building and Strengthening the Fabric of Management (Palgrave Macmillan 2012) 68. 134 For the importance of management’s treatment of risk, see Laycock, ibid 102. 135 Baecker (n 33) 116. 136 ibid 116. 137 Clifford W Scherer and Hichang Cho, ‘Social Network Contagion Theory of Risk Perception’ (2003) 23 Risk Analysis 261, 262. 138 Consider Julian Talbot and Miles Jakeman, Security Risk Management Body of Knowledge (Wiley 2009) 3–14. 139 For more on the potential negative impacts upon team performance when face-to-face communication is replaced by computer-mediated communication, see generally Nancy J Stone, ‘Media Richness, Team Behaviors, and Task Complexity on Team Performance’ (2014) 58 Proceedings of the Human Factors and Ergonomics Society Annual Meeting 1381. 140 Lundqvist (n 122) 444. For instance, consider Kevin Ruck and Mary Welch, ‘Valuing Internal Communication; Management and Employee Perspectives’ (2012) 38 Public Relations Rev 294, 294–96. 141 For more on the individual bias towards risk as variables, see Blaskovich and Taylor (n 132) 6–8. 142 Brian P Niehoff, Cathy A Enz and Richard A Grover, ‘The Impact of Top-Management Actions on Employee Attitudes and Perceptions’ (1990) 15 Group & Organization Studies 337, 338. 
143 For instance, consider the role of transformational and charismatic leadership in creating bonds that inspire organizational change, see Bruce J Avolio and Francis J Yammarino, ‘Introduction to, and Overview of, Transformational and Charismatic Leadership’ in Bruce J Avolio and Francis J Yammarino (eds), Transformational and Charismatic Leadership: The Road Ahead: Monographs in Leadership and Management (10th Anniversary edn, Emerald Group Publishing 2013) xxvii. 144 Niehoff, Enz and Grover (n 142) 338. 145 James Combs and others, ‘How Much Do High-Performance Work Practices Matter? A Meta-Analysis of Their Effects on Organizational Performance’ (2006) 59 Personnel Psychology 501, 503, 524. 146 ibid 503 and 524. 147 Bruno Latour, Reassembling the Social: An introduction to Actor-Network Theory (OUP 2005) 50. 148 Combs and others (n 145) 503 and 524; Niehoff, Enz and Grover (n 142) 338; Laycock (n 133) 102; and Avolio and Yammarino (n 143). 149 Laycock (n 133) 102. 150 Power, ‘Risk Management of Nothing’ (n 130) 852. 151 Christopher L Culp, The Risk Management Process: Business Strategy and Tactics (Wiley 2002) 234. 152 Andersen, Garvey and Roggi (n 128) 162–63. 153 Power, ‘Risk Management of Nothing’ (n 130) 852. But also consider Audrey Schriefer and Michael Sales, ‘Creating Strategic Advantage with Dynamic Scenarios’ (2006) 34 Strategy & Leadership 31, 34; and Thomas Cooper, Alex Faseruk and Shazli Khan, ‘Examining Practitioner Studies to Explore ERM and Organizational Culture’ (2013) 14(1) J Management Policy & Practice 53, 64. 154 Peer Zumbansen, ‘Defining the Space of Transnational Law: Legal Theory, Global Governance, and Legal Pluralism’ (2012) 21 Transnatl L & Contemp Probs 305, 308. 155 Power, ‘Risk Management of Nothing’ (n 130) 852. 156 Teubner (n 31) 137. 157 Baecker (n 33) 114. 158 ibid 114–15. 159 Teubner (n 31) 138. 
160 Niklas Luhmann, ‘Operational Closure and Structural Coupling: The Differentiation of the Legal System’ (1991) 13 Cardozo L Rev 1419, 1432–34. 161 Lundqvist (n 122) 443. 162 Power, ‘Risk Management of Nothing’ (n 130) 852. 163 Laycock (n 133) 102. 164 Andersen, Garvey and Roggi (n 128) 162–63. 165 Laycock (n 133) 102. But also see Banks (n 133) 68. 166 The remaining risk management specialists work or have worked for non-combative defensive private military and security companies. 167 The remaining lawyers are all external counsel from firms based in North America, Latin America, Europe, Africa and the Middle East. 168 One was actually an SOE, but for the purpose of this article, we are treating it as though it were an IOC. We are mindful of the potential difference in organizational culture of a hybrid versus a publicly traded company. 169 Large-Cap Oil & Gas Exploration and Production Companies (n 92). 170 Mid-Cap Oil & Gas Exploration and Production Companies (n 93). Also see Small-Cap Oil & Gas Exploration and Production Companies (n 94). 171 Mid-Cap Oil & Gas Exploration and Production Companies, ibid. 172 Micro-Cap Oil & Gas Exploration and Production Companies (n 9). 173 Larger E&P means ‘large exploration and production company’. 174 Small E&P means ‘small exploration and production company’. 175 For a detailed explanation of the cost of exploration and production, consider Nadine Bret-Rouzaut and Jean-Pierre Favennec, Oil and Gas Exploration and Production: Reserves, Cost, Contracts (trans. Jonathan Pearse, Technip 2011) 121–70. But also consider US Energy Information Administration, Trends in U.S. Oil and Natural Gas Upstream Costs (US Energy Information Administration 2016), EIA online <https://www.eia.gov/analysis/studies/drilling/pdf/upstream.pdf> accessed 19 December 2017. 176 For example, our smallest E&P had a market capitalization of under US$8-million. Also see Hislop (n 109). 177 Nzeadibe, Ajaero and Nwoke (n 26) 377. 178 ibid 377. 
179 Ortwin Renn, Andreas Klinke and Marjolein van Asselta, ‘Coping with Complexity, Uncertainty and Ambiguity in Risk Governance: A Synthesis’ (2011) 40 Ambio 231, 231. 180 Héloïse Berkowitz and Hervé Dumez, ‘The Concept of Meta-Organization: Issues for Management Studies’ (2016) 32 European Management Rev 149, 149–52. For a literature review of research studying Meta-Organization and Corporate Social Responsibility in the oil and gas industry, see Héloïse Berkowitz, Marcelo Buscheli and Hervé Dumez, ‘Collectively Designing CSR Through Meta-Organizations: A Case Study of the Oil and Gas Industry’ (2017) J Business Ethics 754, 754–55. 181 Stewart Macaulay, ‘Non-Contractual Relations in Business: A Preliminary Study’ (1963) 28 American Sociological Rev 55, 55. 182 ibid 61. 183 Li-Wen Lin and Josh Whitford, ‘Conflict and Collaboration in Business Organizations’ in Jean Braucher, John Kidwell and William C Whitford (eds), Revisiting the Contracts Scholarship of Stewart Macaulay: On the Empirical and the Lyrical (Hart 2013) 191–93. 184 Walter W Powell, ‘Neither Market nor Hierarchy: Network Forms of Organization’ in Michael Handel (ed), The Sociology of Organizations: Classic, Contemporary, and Critical Readings (Sage 2002) 315. 185 Latour (n 147) 49–50. 186 ibid 14. 187 ibid 50. 188 For a different idea of the traps of network theory and the dangers of ‘oversocializing’ or ‘undersocializing’ business relations, see Mark Granovetter, ‘Economic Action and Social Structure: The Problem of Embeddedness’ (1985) 91 American J Sociology 481, 487. 189 Latour (n 147) 49–50. 190 Brian Uzzi, ‘Social Structure and Competition in Interfirm Networks: The Paradox of Embeddedness’ (1997) 42 Administrative Science Q 35, 36. 191 Renn, Klinke and van Asselta (n 179) 231. 
For instance, consider how even very practical guides to business acknowledge that the challenges of cross-border organization, decentralization, outsourcing and alliance building are leading to ‘growing flexibility and permeability of the boundaries of firms’, see Child (n 119) 10–17. For a more theoretical perspective on the nature of the firm’s ‘boundaries’, see Peer Zumbansen, ‘The New Embeddedness of the Corporation: Corporate Social Responsibility in the Knowledge Society’ in Peer Zumbansen and Cynthia A Williams (eds), The Embedded Firm: Corporate Governance, Labor, and Finance Capitalism (CUP 2011) 145. 192 For a literature review of research studying Meta-Organization and Corporate Social Responsibility in the oil and gas industry, see Berkowitz, Buscheli and Dumez (n 167) 754–55. Also see Berkowitz and Dumez (n 167) 149–52. 193 Berkowitz, Buscheli and Dumez (n 167) 149. 194 For examples of such contracts, see Association of International Petroleum Negotiators, Model Contracts, AIPN online at <https://www.aipn.org/model-contracts/> accessed 19 December 2017. 195 For more consider Mark R Patterson, ‘Standardization of Standard-Form Contracts: Competition and Contract Implications’ (2010) 52 William & Mary L Rev 327, 331–35. 196 For a good introduction to the operation of standard form contracts as a form of transnational law, see Joanne P Braithwaite, ‘Standard Form Contracts as Transnational Law: Evidence from the Derivatives Markets’ (2012) 75 Modern L Rev 779, 779–84. 197 Beyazay-Odemis (n 99) 43. 198 ibid 43. 199 Paul Stevens, International Oil Companies the Death of the Old Business Model (The Royal Institute of International Affairs 2016), Chatham House online: <https://www.chathamhouse.org/sites/files/chathamhouse/publications/research/2016-05-05-international-oil-companies-stevens.pdf> 16, accessed 19 December 2017. 200 ibid 16. 
201 Georgios Chalkiadakis, Edith Elkind and Michael Wooldridge, ‘Cooperative Game Theory: Basic Concepts and Computational Challenges’ (2012) 27 IEEE Intelligent Systems 86, 86. 202 ibid 86. 203 A Timothy Martin and J Jay Park, ‘Global Petroleum Industry Model Contracts Revisited: Higher, Faster, Stronger’ (2010) 3 JWEL & B 4, 4–5. 204 For instance, consider Leanne Desbarats, ‘Limiting Damages for Loss of Profits and Loss of Production Under the AIPN 2012 Model Form International Operating Agreement’ (2014) 7 JWEL & B 256. But also see Wilson Woods, ‘The Effects of Exculpatory Clause in Joint Operating Agreements: What Protections Do Operators Really Have in the Oil Patch?’ (2005) 38 Tex Tech L Rev 212, 212–17. 205 Power and others (n 13) 217. 206 For more on how to build ‘proper exchange architecture’ for information sharing between competing business organizations, see Joakim Kembro, Kostas Selviaridis and Dag Näslund, ‘Theoretical Perspectives on Information Sharing in Supply Chains: a Systematic Literature Review and Conceptual Framework’ (2014) 19 Intl J Supply Chain Management 609, 612. For examples of cooperation between IOCs to reduce risk in other contexts, consider Kim Talus, Scott Looper and Steven Otillar, ‘Lex Petrolea and the Internationalization of Petroleum Agreements: Focus on Host Government Contracts’ (2012) 5 JWEL & B 181. Also see Patterson (n 182) 331–35; and Martin and Park (n 203) 4. 207 Andrew C Inkpen and Michael Moffett, The Global Oil & Gas Industry: Management, Strategy & Finance (Pennwell 2011) 21. 208 Chul W Moon and Augustine A Lado, ‘MNC-Host Government Bargaining Power Relationships: A Critique and Extension within the Resource-Based View’ (2000) 26 J Management 85, 90–89. 209 Inkpen and Moffett (n 207) 21. 210 ibid 21. 211 Surya Rajan and Shree Vikas, Simplified Country Risk Assessments for Global Petroleum Investments, (Society of Petroleum Engineers 2008) 6. 212 Inkpen and Moffett (n 207) 21. 
213 Gavin Hilson, ‘Corporate Social Responsibility in the Extractive Industry: Experiences from Developing Countries’ (2012) Resources Policy 131, 132. 214 Dirk Matten and Andrew Crane, ‘Corporate Citizenship: Toward an Extended Theoretical Conceptualization’ (2005) 30 Academy of Management Review 166, 175. 215 Hilson (n 200) 132. 216 Matten and Crane (n 214) 176. But also see Barton and Goldsmith (n 8) 34; Sikor, Barlösius and Scheumann (n 8) 5–15; and Gunningham, Kagan and Thornton (n 10) 320. 217 Consider Tideman and others (n 2); Barton and Goldsmith (n 8) 34; and Barrera-Hernandez and others (n 23). 218 Barton and Goldsmith (n 8) 34. 219 Barrera-Hernandez and others (n 23) 432. But also consider McPhail (n 23); Cash (n 23); Tideman and others (n 21). 220 Tideman and others (n 21) 6. 221 ibid 6. 222 Uwafiokun Idemudia and Uwen E Ite, ‘Corporate-Community Relations in Nigeria’s Oil Industry: Challenges and Imperatives’ (2006) 13 Corporate Social Responsibility & Environmental Management 194, 200. 223 ibid 196. 224 The Economist, Who are the Niger Delta Avengers? (1 July 2016), The Economist online: <https://www.economist.com/blogs/economist-explains/2016/07/economist-explains> accessed 19 December 2017. 225 The Guardian, £1bn a Month: the Spiralling Cost of Oil Theft in Nigeria (5 October 2013), The Guardian online: <https://www.theguardian.com/global-development/2013/oct/06/oil-theft-costs-nigeria> accessed 19 December 2017. 226 Idemudia and Ite (n 222) 196. 227 ibid 196. 228 For instance, consider Peter Maass’s popular characterization of the oil and gas industry’s activities in Nigeria, see Peter Maass, Crude World: The Violent Twilight of Oil (Knopf 2009) 53–80. 229 Rachel Davis and Daniel Franks, Costs of Company-Community Conflict in the Extractive Sector (Harvard Kennedy School 2014) 11, 15–16, Harvard Kennedy School online: <https://sites.hks.harvard.edu/m-rcbg/CSRI/research/Costs%20of%20Conflict_Davis%20%20Franks.pdf> accessed 19 December 2017. 
230 Idemudia and Ite (n 222) 196. 231 ibid 196. 232 Nzeadibe, Ajaero and Nwoke (n 26) 377. 233 Moonhee Cho and Maria De Moya, ‘Empowerment as a Key Construction for Understanding Corporate Community Engagement’ (2016) Intl J Strategic Communication 272. 234 Luc Zandviet and Mary Anderson, Getting it Right: Making Corporate Community Relations Work (Routledge 2009) 8. 235 Davis and Franks (n 216) 15–16; and Idemudia and Ite (n 222) 196. 236 Glenn Banks and others, ‘Conceptualising Corporate Community Development’ (2016) 37 Third World Q 245, 257. 237 Cynthia A Williams, ‘Civil Society Initiatives and Soft Law in the Oil and Gas Industry’ (2004) 36 NYU J Intl L & Pol 457, 461. 238 ibid 462. 239 Ann M Florini and PJ Simmons, ‘What the World Needs Now?’ in Ann M Florini (ed), The Third Force: The Rise of Transnational Civil Society (Brookings Institution Press 2000) 4. 240 John D Clark, Worlds Apart: Civil Society and the Battle for Ethical Globalization (Earthscan 2003) 4. 241 For instance, consider Martin Koch, ‘Non-State and State Actors in Global Governance’ in Bob Reinalda (ed), The Ashgate Research Companion to Non-State Actors (Ashgate 2011). 
242 For instance, consider Patricia Crifo and Vanina D Forget, ‘The Economics of Corporate Social Responsibility: A Firm-Level Perspective Survey’ (2014) 29 J Economic Surveys 112; Michele V Gee and Sue M Norton, ‘Corporate Social Responsibility: Strategic and Managerial Implications’ (2013) 10 J Leadership, Accountability and Ethics 37; Jedrzej George Frynas, Beyond Corporate Social Responsibility—Oil Multinationals and Social Challenges (CUP 2009); Sylvia Maxfield, ‘Reconciling Corporate Citizenship and Competitive Strategy: Insights from Economic Theory’ (2008) 80 J Business Ethics 367; Ans Kolk and Jonatan Pinkse, ‘Multinationals’ Political Activities on Climate Change’ (2007) 46 Business & Society 201; and Abagail McWilliams, Donald S Siegel and Patrick M Wright, ‘Corporate Social Responsibility: Strategic Implications’ (2006) 43 J Management Studies 1. 243 See generally Stewart, ‘Private’ Participation within Institutional Design (n 29). 244 Luc Fransen, ‘The Politics of Meta-Governance in Transnational Private Sustainability Governance’ (2015) 48 Policy Science 293, 314. 245 Clark (n 227) 4. 246 For instance, see IPIECA, Responsible security, IPIECA online at <http://www.ipieca.org/our-work/social/responsible-security/> accessed 19 December 2017. 247 For instance, its collaboration with the Institute for Human Rights and Business, see Shift and Institute for Human Rights and Business, Oil and Gas Sector Guide on Implementing the UN Guiding Principles on Business and Human Rights (European Commission 2013) Institute for Human Rights and Business online: <https://www.ihrb.org/pdf/eu-sector-guidance/EC-Guides/O&G/EC-Guide_O&G.pdf> accessed 19 December 2017. 248 For instance, its collaboration with IPIECA, see IPIECA, Host Country Security Assessment Guide, IPIECA online: <http://www.ipieca.org/resources/good-practice/host-country-security-assessment-guide/> accessed 19 December 2017. 249 ibid. 
250 For instance, see ‘Oil and Gas Sector Guide on Business and Human Rights’ (n 247). 251 For instance, see ‘Security Assessment Guide’ (n 235). 252 Statoil ASA, The In Amenas Attack: Report of the investigation into the terrorist attack on In Amenas. Prepared for Statoil ASA’s board of directors (Statoil ASA 2013) 55–57, Statoil online <https://www.statoil.com/content/dam/statoil/documents/In%20Amenas%20report.pdf> accessed 19 December 2017. 253 Choc v Hudbay Minerals Inc, 2013 ONSC 1414, 116 OR (3d) 674. 254 BBC, Algerian Gas Plant Siege: Military's Role Questioned (12 September 2013), BBC online <http://www.bbc.com/news/world-africa-24064143> accessed 19 December 2017. 255 ‘In Amenas Attack Report’ (n 252) 28–31. 256 ‘Algerian Gas Plant Siege’ (n 254). 257 ‘In Amenas Attack Report’ (n 252) 55–57. 258 ibid 44–45, 48–49, 70–72. 259 ibid 48–49, 70–72. 260 ibid 3, 44–45, 48–49, 70–72. 261 Susana C Mijares Peña, ‘Human Rights Violations by Canadian Companies Abroad: Choc v Hudbay Minerals Inc’ (2014) 5 Western J L Studies 3, 9. But also see Hudbay Minerals (n 240) [9]. 262 Hudbay Minerals (n 240) [5]; and Mijares Peña (n 261) 10. 263 Hudbay Minerals ibid [5]. 264 Hudbay Minerals ibid [9]; and Mijares Peña (n 248) 10. 265 Hudbay Minerals ibid [6]; and Mijares Peña (n 248) 11. Also consider Chilenye Nwapi, ‘Resource Extraction in the Courtroom: The Significance of Choc v. Hudbay Minerals Inc for the Future of Transnational Justice in Canada’ (2014) 14 Asper Review of International Business and Trade Law 121. 266 For instance, Statoil was not permitted by the Algerian government to have private armed security in-country, see ‘In Amenas Attack Report’ (n 252) 43, 45, 48. 267 For an interesting exploration of the transnational governance of private military and security, see Deborah D Avant, ‘Pragmatic Networks and Transnational Governance of Private Military and Security Services’ (2016) 60 Intl Studies Q 330. 
For a different vantage point of the governance of private security, see Adam White, ‘The New Political Economy of Private Security’ (2011) 16 Theoretical Criminology 85. For an example of such private services, see Thales, Security Solutions for the Oil & Gas Industry, Thales Group online: <https://www.thalesgroup.com/sites/default/files/asset/document/capability_sheet_oil_gas_06-06.pdf> accessed 19 December 2017.
268 Mark Fulloon, ‘Non-State Actor: Defining Private Military Companies’ (2015) 27 Strategic Review for Southern Africa 29, 34.
269 Jeremy Scahill, Blackwater: The Rise of the World’s Most Powerful Mercenary Army (Nation Books 2007) 41–48; and Peter J Hoffman, ‘Private Military and Security Companies’ in Thomas G Weiss and Rorden Wilkinson (eds), International Organization and Global Governance (Routledge 2014) 394–95.
270 Fulloon (n 255) 34–35.
271 ibid 39–40.
272 Alan Axelrod, Mercenaries: A Guide to Private Armies and Private Military Companies (Sage 2013) 287.
273 Katherine E McCoy, ‘Organizational Frames for Professional Claims: Private Military Corporations and the Rise of the Military Paraprofessional’ (2012) 59 Social Problems 322, 338.
274 For instance, see the recommendations of the ‘In Amenas Attack Report’ (n 252) 75–78.
275 Otherwise, the IOC and IP may lose control over the provision of security. That said, in some cases, there may be very little a company can do. Consider ‘In Amenas Attack Report’ (n 252).
276 However, this is not always the case. For instance, the Algerian government resisted sharing intelligence information with Statoil, see ‘In Amenas Attack Report’ (n 252) 43, 55–57, 71–73.
277 Note the careful explanations for the lack of ‘tactical warning’ prior to the terrorist attack on the gas facility at In Amenas, see ‘In Amenas Attack Report’ (n 252) 55–57, 71–73.
For more on private intelligence services, see Veerle Pashley and Marc Cools, ‘Private Intelligence Services: Their Activities and Role in Public-military Intelligence Strategies’ in Marc Cools and others (eds), Cahier Inlichtingenstudies 7 (Maklu 2017) 131–35. For examples, see McKinsey & Company, Defense & Security, McKinsey & Company online: <https://www.mckinsey.com/industries/public-sector/how-we-help-clients/defense-and-security> accessed 19 December 2017. Also see Black Cube, Sectors We Serve, Black Cube online: <https://www.blackcube.com/sectors-we-serve/> accessed 19 December 2017.
278 For more on the decentering of governance in the context of natural resource development, consider Barton and Goldsmith (n 8). For more on the decentering of governance, see generally Stewart ‘“Private” Participation within Institutional Design’ (n 34); Stewart ‘The Corporation and Governance’ (n 18); John Braithwaite, Regulatory Capitalism: How it Works, Ideas for Making it Work Better (Edward Elgar 2008); Julia Black, ‘Critical Reflections on Regulation’ (2002) 27 Australian J L Philosophy 1; Peer Zumbansen, ‘Law After the Welfare State: Formalism, Functionalism, and the Ironic Turn of Reflexive Law’ (2008) 56 American J Comparative L 769; and David Levi-Faur, ‘The Global Diffusion of Regulatory Capitalism’ (2005) 598 Annals of the American Academy of Policy & Social Science 12.
279 For instance, see Nzeadibe, Ajaero and Nwoke (n 26) 377.
280 United Nations, Guiding Principles on Business and Human Rights (New York and Geneva: United Nations 2011) Office of the High Commissioner for Human Rights online <http://www.ohchr.org/Documents/Publications/GuidingPrinciplesBusinessHR_EN.pdf> accessed 19 December 2017.
281 The Voluntary Principles on Security and Human Rights (2000), Voluntary Principles online <http://www.voluntaryprinciples.org/what-are-the-voluntary-principles/> accessed 19 December 2017.
282 IPIECA, Voluntary Principles on Security and Human Rights: Implementation Guidance Tools (IPIECA 2012) IPIECA online <http://www.ipieca.org/resources/good-practice/voluntary-principles-on-security-and-human-rights-implementation-guidance-tools/> accessed 19 December 2017.
283 Moon and Lado (n 208) 89–90.
284 McCoy (n 273) 338.
285 Power and others (n 13) 217.
286 For instance, see Power, ‘Risk Management of Nothing’ (n 130) 849–50.
287 Lundqvist (n 122) 442.
288 ibid 442. Also see Bromiley and others (n 123) 268; that said, there is also a broad notion of ‘risk governance’ in the political science world as well, but it is a distinctively different concept, see Marjolein BA van Asselta and Ortwin Renn, ‘Risk governance’ (2011) 14 J Risk Research 431, 434–36.
289 Bromiley and others (n 123) 268.
290 For more, see generally Philip Bromiley, Devaki Rau and Devaki McShane, ‘Can Strategic Risk Management Contribute to Enterprise Risk Management? A Strategic Management Perspective’ in TJ Andersen (ed), The Routledge Companion to Strategic Risk Management (Routledge 2016).
291 Saloni Ramakrishna, Enterprise Compliance Risk Management: An Essential Toolkit for Banks and Financial Services (John Wiley & Sons 2016) 211–16.
292 Michael Power, ‘The Invention of Operational Risk’ (2005) 12 Rev Intl Political Economy 577, 578–80.
293 For a general introduction, see Peter F Christoffersen, Elements of Financial Risk Management (2nd edn, Elsevier 2012) 3–16.
294 Jan Bebbington, Carlos Larrinaga and Jose M Moneva, ‘Corporate Social Reporting and Reputation Risk Management’ (2008) 21 J Accounting, Auditing & Accountability 338, 339–41.
295 SB Suslick and DJ Schiozer, ‘Risk Analysis Applied to Petroleum Exploration and Production: An Overview’ (2004) 44 J Petroleum Science and Engineering 1, 3–7.
296 Moore (n 5) 35–37. Also see Wright and Cornell (n 2) 58.
297 Baecker (n 33) 116.
298 Lundqvist (n 122) 443–44.
299 ibid 443–44.
300 ibid 443–44.
301 van der Zwan (n 131) 100–3.
302 Lundqvist (n 122) 442. Also see Bromiley and others (n 123) 268.
303 Baecker (n 33) 116.
304 Ronald Coase, ‘The Problem of Social Cost’ (1960) 3 J L & Economics 1, 15–19.
305 Lundqvist (n 122) 442. Also see Bromiley and others (n 123) 268.
306 Harry M Markowitz, ‘Foundations of Portfolio Theory’ (1991) 46 J Finance 469, 470–71.
307 Lundqvist (n 122) 443.
308 ibid 444.
309 ibid 442.
310 ibid 442.
311 ibid 444.
312 Markowitz (n 306) 470–71. For more on the classic notion of the links between risks and profits, consider Frank H Knight, Risk, Uncertainty and Profit (1st reprint edn, Dover 2006) 21–48.
313 Andrew Crane and Dirk Matten, Business Ethics: Managing Corporate Citizenship and Sustainability in the Age of Globalization (4th edn, OUP 2016) 67–77.
314 Baecker (n 33) 114.
315 Lundqvist (n 122) 442.
316 van der Zwan (n 131) 100–3.
317 For a significant trashing of the concept, consider Power, ‘Risk Management of Nothing’ (n 130) 849–50.
318 Although finance is the language of business, there are significant dangers to reducing a risk in the real world to a dollar value. For concerns about this in governance generally, see Stewart ‘The Corporation and Governance’ (n 18) 547–49.
319 ibid 545.
320 ibid 545.
321 Nagel (n 131) 59.
322 Stewart, ‘The Corporation and Governance’ (n 18) 545–49. But also see Kerry Rittich, ‘Functionalism and Formalism: Their Latest Incarnations in Contemporary Development and Governance Debates’ (2005) 55 University of Toronto L J 853, 855–56. Also see Mae Kuykendall, ‘No Imagination: The Marginal Role of Narrative in Corporate Law’ (2007) 55 Buffalo L Rev 537, 555.
323 Lundqvist (n 122) 442.
324 Crane and Matten (n 313) 67–77.
325 Baecker (n 33) 114.
326 See generally, Renn, Klinke and van Asselta (n 179).
327 ibid 231.
328 Lundqvist (n 122) 442 and Baecker (n 33) 114.
329 Renn, Klinke and van Asselta (n 179) 231.
For more on the role of the corporation in modern governance networks, see Stewart, ‘The Corporation and Governance’ (n 18) 517–21. For a slightly different framing of the same phenomenon, see Berkowitz and Dumez (n 167) 149–52. For a literature review of research studying Meta-Organization and Corporate Social Responsibility in the oil and gas industry, see Berkowitz, Buscheli and Dumez (n 167) 754–55.
330 Berkowitz and Dumez, ‘Concept of Meta-Organization’ (n 167) 149–52; and Berkowitz, Buscheli and Dumez, ‘Meta-Organization in the Oil and Gas Industry’ (n 167) 754–55.
331 Renn, Klinke and van Asselta (n 179) 231.
332 For more on how new governance challenges tend to transcend organizational boundaries, see Stewart, ‘The Corporation and Governance’ (n 18) 517–21. Also, consider Stephen J Ball and Carolina Junemann, Networks, New Governance and Education (Policy Press 2012) 1–7; and William H Simon, ‘New Governance Anxieties: A Deweyan Response’ (2010) 2010 Wis L Rev 727, 729–30.
333 Moore (n 5) 35–37. Also see Wright and Cornell (n 2) 58.
334 Renn, Klinke and van Asselta (n 179) 231.
335 Oil and Gas Sector Guide on Business and Human Rights (n 234) 9.
336 For an introduction to the importance of knowledge sharing within an organization and how formal organization can facilitate this end, see Nicolai J Foss, Kenneth Husted and Snejina Michailova, ‘Governing Knowledge Sharing in Organizations: Levels of Analysis, Governance Mechanisms, and Research Directions’ (2010) 47 J Management Studies 455, 456–59.
337 Berkowitz and Dumez, ‘Concept of Meta-Organization’ (n 90) 151; and Berkowitz, Buscheli and Dumez, ‘Meta-Organization in the Oil and Gas Industry’ (n 90) 764–65.
338 Power, ‘Risk Management of Nothing’ (n 130) 852.
339 ibid 852.
340 ibid 852.
341 ibid 852.
342 Consider the learning process outlined by Schriefer and Sales (n 153) 34.
343 Power, ‘Risk Management of Nothing’ (n 130) 852.
344 Schriefer and Sales (n 153) 34.
345 Consider the ‘In Amenas Attack Report’, see Statoil ASA (n 252).
346 For examples of such training, consider RM Gagne, ‘Military Training and Principles of Learning’ (1962) 17 American Psychologist 83; Curtis J Bonk and Robert A Wisher, Applying Collaborative and e-Learning Tools to Military Distance Learning: A Research Framework (United States Army Research Institution for the Behavioural and Social Sciences 2000), PublicationShare.com online: <http://www.publicationshare.com/docs/Dist.Learn(Wisher).pdf> accessed 19 December 2017; and Sean Robson and Thomas Manacapilli, Enhancing Performance Under Stress: Stress Inoculation Training for Battlefield Airmen (Rand Corporation 2014) Rand Corporation online: <https://www.rand.org/content/dam/rand/pubs/research_reports/RR700/RR750/RAND_RR750.pdf> accessed 19 December 2017.
347 Berkowitz and Dumez, ‘Concept of Meta-Organization’ (n 90) 149–52; Berkowitz, Buscheli and Dumez, ‘Meta-Organization in the Oil and Gas Industry’ (n 90) 754–55; Stewart ‘“Private” Participation within Institutional Design’ (n 34); Stewart, ‘The Corporation and Governance’ (n 18) 517–21; and Renn, Klinke and van Asselta (n 179) 231.
348 Renn, Klinke and van Asselta (n 179) 231.
349 McCoy (n 273) 338.

© The Author(s) 2018. Published by Oxford University Press on behalf of the AIPN. All rights reserved.

Journal

Journal of World Energy Law and Business, Oxford University Press

Published: Mar 1, 2018
