Managing Old Risks in New Circumstances

Q: In what ways have the events of 2020 changed your criteria for risk assessment and analysis?

A: As is the case with most if not all companies, the 2020 event that has dominated our internal processes and agenda has been the COVID-19 pandemic and the various manners in which it has taught us to find new ways in which to get work done. Marsh manages its activities through a client-centric policy, so we have been in constant communication with all of our clients throughout this extremely complicated year. Of course, this has had to be managed differently given the fact that the precautions that we have had to implement to prevent COVID-19 contagions preclude us from seeing our clients face-to-face as often as we usually would. This has had a significant influence on our assessment and analysis methods and criteria. For example, we used to be able to fly in experts from the US, Europe or Australia who could contribute to our activities through very specific and specialized technical knowledge. Obviously, this is not currently possible. At the same time, the fact that everybody is transitioning to fully digital platforms means that the sharing of knowledge has actually become more agile and faster despite these travel and contact limitations. As a supplier of professional services, we have had to learn a number of innovative approaches regarding digital introductions and presentations to new and prospective clients. 

The COVID-19 pandemic has introduced new levels to the conversation regarding Mexico’s risk profile. It is important to say, for the sake of context, that this is not the first time that this country has had to organize a response to a pandemic but it is unique in its degree of impact and dimension. No company had precedents that they could use to structure the way in which this pandemic changed their risk assessment practices, and since it is one of Marsh’s jobs to provide those same companies foundations in which to base those practices, we had to work extensively with all of those companies, particularly those that suffered the most obvious consequences, such as companies in the aviation and tourism sectors. Losses needed to be calculated in a different manner. However, we would say that the country’s risk profile remains in a similar state despite the hardening of consequences brought about by the pandemic. 

Q: How have events both previous and contemporary to the COVID-19 pandemic, such as 2019’s ransomware attack on PEMEX, changed risk assessment practices in the oil and gas sector?

A: Certainly, the importance of cybersecurity has only increased throughout these times, especially since home office measures have made companies rely much more on their digital platforms, not only in terms of their relationship to their employees but also in terms of their value proposition to their clients. Cybercriminals know this and have intensified their activity accordingly. The case you cite was well-known due to its visibility but we know of many more cases that stretch through and beyond the oil and gas sector to the financial services and banking sectors.

Public awareness of this issue must increase in Mexico. Marsh tries to communicate to our clients constantly of the many ways in which we can support them in this regard. This is not the kind of issue that one can be easily or directly shielded against through a regular insurance policy or agreement. It is also not an issue that is exclusive to the IT department but, instead, a subject that must be discussed in boardrooms and executive committees. Beyond firewalls and similar technologies, protocols must be implemented and all risks contemplated, particularly when it comes to the handling of data. For example, let us say that a pipeline operator does not have a full registry of everybody who could have access to its SCADA systems. Their assets and infrastructure could be damaged directly, and this could easily result in a serious industrial accident or attack, such as an explosion. Billions of dollars in damage could be caused by a lack of appropriate protocols regarding who possesses which access data.

COVID-19 has only heightened these stakes. Without comprehensive risk administration practices tailored to each company and their assets, companies are vulnerable to all of this. One of the things that we tell clients regarding cybersecurity is that it is no longer a matter of if one of these attacks will happen to you, but when. The question then becomes how to handle the reality of the contingencies that this ongoing or that future attacks will cause.   

Q: How does the state of PEMEX create a ripple effect across the risk assessment landscape of Mexico’s oil and gas industry?

A: There is no point in pretending that PEMEX’s predominant position in the industry has changed lately. Many of the companies that are a part of its ecosystem of suppliers and service providers or orbit it in some way or another are our clients, so we have witnessed this effect firsthand. However, I will say that PEMEX’s risk assessment and administration practices are at the same time benefited by this government’s close supervision of the NOC and the large role that it plays in the administration’s policy agenda. At the same time, many of the issues that the industry is burdened with are more connected to the limited capacity with which regulators have been able to perform their regular duties due to precautions derived from COVID-19 than to PEMEX. Delivery times have been extended and launch dates have been delayed as a direct result. We know this because we have supported our clients through the modifications to insurance programs that these delays have created a need for. Regulators in Mexico have managed to provide some degree of new digital tools to better deal with this situation but many processes are still quite complex and difficult to finalize. Thankfully, the long-term and capital-intensive nature of oil and gas investments has, to a certain degree, shielded the sector from larger risks that could severely impede the sector’s ongoing development.

Marsh Brockman and Schuh is the world’s leading company in insurance consulting and risk management. With offices in 130 countries, including Mexico, its oil and gas practice offers personalized solutions for all aspects of the industry.