The Weekly Reflektion 09/2023

Individual risk and overall risk are different concepts that need to be managed with different processes and be handled separately.

Do you assume that if the individual risks identified in the risk register are managed then the overall risk requirement is satisfied?

Risk management and risk reduction are the foundation of the Norwegian PSA regulations. §29 of the Activities regulations states the following:

When scheduling activities on the individual facility, the responsible party shall ensure that important risk contributors are kept under control, both individually and overall.

How §29 of the Activities regulations should be interpreted and fulfilled has led to many discussions over the years about how operators satisfy the requirement to control both individual risks and overall risk, and whether their processes are successful. What is the difference between individual risks and overall risk?

For an approach to this question, we turned to Google:

Overall risk is not just the sum of individual risks you have identified in the project, but it also includes other sources of uncertainties.

Overall project risk represents the exposure of stakeholders to the implications of variations in project outcome, both positive and negative.

For overall risk the question is, “How risky is my project?” and the answer does not usually come from a risk register. Instead of wanting to know about specific risks, the project sponsor is concerned about the overall riskiness of the project. 

While a project will have multiple individual risks associated with it, overall project risk is a unitary concept: each project has a single given level of overall risk at any point in time.

The assessment of whether the overall risk is acceptable is therefore the basis for the go/no go decision for the project or activity. The assessment of the overall risk is, however, not just an assessment that all the individual risks can be managed.

I came across two recent cases where the difference between overall risk and individual risk was illustrated nicely. Before drilling a production well, a prediction of a range of pore pressure was provided by the subsurface department. These were based on the formations that were expected to be penetrated. The casing design could manage both the high case and the low case, and therefore constituted a robust solution. However, there was underlying uncertainty in the geological column, and, when drilled, different formations than those predicted were encountered. These formations were in pressure communication with deeper formations, leading to an actual pore pressure significantly outside the predicted envelope. This resulted in the well having to be abandoned after taking a kick. There were uncertainties in both pore pressure and in the geological column, but these were handled individually, rather than combined and used as an input to the overall risk. Was the project aware of both these uncertainties, or were they given a pore pressure with an uncertainty range, and an associated expected geological column?

Another example was from a well being drilled in an area that was subject to polar lows forming quickly and moving south to the well location. The well was planned without riser margin in one section, with the mitigating action of weighing up before suspending the well in case the weather deteriorated. During drilling the polar low came in more quickly than expected, the rig was having equipment problems when pulling out of hole, and insufficient time had been allowed to retreat to a safe position. There was no time to pull out to pick up the hang-off tool, and the shear rams were closed on the well without riser margin being compensated for. The individual risks were identified and considered manageable; however, when some of these occurred simultaneously, a critical situation arose.

Considering the possible combinations of identified risks that could come to pass at the same time may give you a different picture than assessing the likelihood, consequences and uncertainties associated with each individual risk, but it demands a different process. How does your organisation handle overall risk?

