The world is in a race against time to net zero, but the energy industry is juggling multiple priorities. How can it deliver value to stakeholders and investors, while addressing demands for greener, cleaner, and more affordable energy from governments and consumers?
As part of KPMG’s Unlocking the Energy Transition series, our industry experts discussed the crucial question of how the energy transition can deliver net zero in a sustainable and secure way, and the steps needed to enable a frictionless risk strategy.
In this session, we explored three key risk areas:
- UK regulation and controls
- Cyber security
- Managing third-party risks
The regulatory landscape
In May 2023 the UK set in motion a significant overhaul of its Corporate Governance Code. Effective from January 2025, board directors must make an explicit declaration on the effectiveness of controls over all material risks, not only financial ones. The revision includes mandatory reporting on sustainability measures, progress towards net zero, and operational risks across the value chain, and extends to health and safety, marketing, and cyber security practices.
Osama Rabbani, Partner, Risk Consulting at KPMG, explains: “This broad revision applies to every premium-listed company in the UK. A frictionless risk strategy, that defines your risk appetite in each area, and which informs the level of materiality that you set for your controls, is essential.”
The revisions to resilience statements also apply to public-interest entities. Introduced by statutory instrument, they cover companies with more than £750m in revenue and more than 750 employees. Intended to restore public trust, the statement requires companies to set out their resilience plans for the next three to five years, up from one year previously, to model scenarios that could threaten that resilience, and to describe the risk management and mitigation controls in place.
Cybersecurity and trust
The energy and natural resources sector is a prime target both for attackers intent on disrupting critical national infrastructure and for hacktivists opposed to energy projects.
To protect vital energy supply chains and critical services, the revised EU Network and Information Systems Directive, known as NIS2, raises the bar for cyber security measures and incident reporting. UK organisations with EU operations fall within its scope; UK-only operations are governed by the UK’s own NIS Regulations.
NIS2 brings more sectors and smaller organisations into its scope, including outsourced IT and managed services providers. It introduces stricter oversight and new reporting and information-sharing mechanisms.
NIS2 also sets explicit maximum fines: for essential entities, at least €10m or 2% of total worldwide annual turnover, whichever is higher. Member states must transpose it by 17 October 2024, prompting organisations to remind executives of their responsibilities in assessing cyber security risk and of their personal liability in the event of non-compliance.
However, companies are going beyond the parameters set down in regulation and revisiting their own controls to transform their operations. An attack on a petrochemical plant in Saudi Arabia, widely reported as the TRITON (also called TRISIS) incident, served as a wake-up call in 2017. Attackers gained a foothold in the IT network, pivoted into the operational technology (OT) network, and deployed malware against the plant’s safety instrumented systems (SIS), the controls of last resort against unsafe physical conditions.
Dr Jayne Goble, Director in security at KPMG, says: “This attack prompted companies worldwide to revisit their transformation plans for a combined IT and OT environment, to review vulnerabilities, enhance incident response procedures and protect critical assets and processes.”
Organisations are proactively reassessing risk controls too and striving for more efficient and effective security operations across their IT and OT environments. Automation is playing a crucial role in both reducing costs and improving identification and management of vulnerabilities.
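The lesson of the incident above is that the IT-to-OT boundary, and in particular the path to the safety network, has to be reviewed and kept reviewed. As an added illustration (not KPMG’s tooling nor anything from the page), the script below audits a firewall ruleset against a Purdue-style zone policy: corporate IT may reach OT only through an industrial DMZ, and only the control zone may talk to the SIS network. The zone addresses, the simplified `action src dst proto port` rule syntax and the sample ruleset are all constructed for this example; a real check would read the export format of the firewall in use.

```python
"""Audit IT/OT boundary firewall rules against a zone policy (constructed example)."""
import ipaddress
from dataclasses import dataclass

# Zone map: hypothetical address ranges, constructed for this example.
ZONES = {
    "enterprise": ipaddress.ip_network("10.10.0.0/16"),    # corporate IT (Purdue level 4/5)
    "dmz": ipaddress.ip_network("10.20.0.0/24"),           # industrial DMZ (level 3.5)
    "control": ipaddress.ip_network("192.168.10.0/24"),    # supervisory/control (level 2/3)
    "safety": ipaddress.ip_network("192.168.99.0/24"),     # safety instrumented systems (SIS)
}

# Directional flows the policy permits; any other permit into OT is a finding.
ALLOWED_FLOWS = {
    ("enterprise", "dmz"),
    ("dmz", "control"),
    ("control", "dmz"),
    ("control", "safety"),   # engineering access to the SIS only from the control zone
}


@dataclass(frozen=True)
class Rule:
    action: str
    src: str
    dst: str
    proto: str
    port: str
    line: int


def zone_of(address: str) -> str:
    """Map a host or CIDR to a zone name; 'any' and unmapped space are reported as such."""
    if address == "any":
        return "any"
    net = ipaddress.ip_network(address, strict=False)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return "unknown"


def parse_rules(text: str) -> list[Rule]:
    """Parse the simplified 'action src dst proto port' syntax; '#' starts a comment."""
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 5 or parts[0] not in ("permit", "deny"):
            raise ValueError(f"line {n}: malformed rule {raw!r}")
        rules.append(Rule(*parts, line=n))
    return rules


def audit(rules: list[Rule]) -> list[str]:
    """Return one finding per permit rule that lets traffic into OT outside the policy."""
    findings = []
    for r in rules:
        if r.action != "permit":
            continue
        src, dst = zone_of(r.src), zone_of(r.dst)
        if dst not in ("control", "safety"):
            continue  # only flows into the OT zones are in scope for this check
        if src in ("any", "unknown"):
            findings.append(f"line {r.line}: unscoped source {r.src} permitted into {dst} zone")
        elif (src, dst) not in ALLOWED_FLOWS:
            findings.append(f"line {r.line}: {src} -> {dst} ({r.proto}/{r.port}) violates zone policy")
    return findings


# Constructed sample ruleset, not a real firewall export.
SAMPLE_RULESET = """\
# IT/OT boundary firewall (sample)
permit 10.10.5.0/24 10.20.0.10 tcp 443          # IT users to DMZ historian: fine
permit 10.20.0.10 192.168.10.0/24 tcp 4840      # DMZ historian polls OPC UA in control: fine
permit 10.10.0.0/16 192.168.10.0/24 any any     # whole corporate range straight into control
permit any 192.168.99.0/24 tcp 1502             # anything at all may reach the SIS network
permit 192.168.10.5 192.168.99.0/24 tcp 1502    # engineering workstation to SIS: allowed
deny any any any any
"""

if __name__ == "__main__":
    for finding in audit(parse_rules(SAMPLE_RULESET)):
        print(finding)
```

Run against the sample, the audit flags the two rules that recreate the incident’s pivot path: the rule that lets the whole corporate range into the control zone, and the rule that lets any source reach the SIS network. Keeping such a check in a scheduled job, rather than in an annual review, is the kind of automation the paragraph above refers to.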
Managing third-party supplier ecosystems
In regulated markets, like the energy sector, third-party risk management (TPRM) is critical for identifying, assessing, monitoring, and managing risks along the supply chain.
However, many companies’ TPRM programmes are still at an early stage, focused primarily on reputational and conduct risks, such as bribery and fraud. More advanced organisations broaden their risk universe to include political, technological, and environmental risks. They strive for a single view of risk across the supply chain.
Roy Waligora, Partner in Enterprise Risk, predicts a shift toward a more integrated risk approach, with TPRM becoming a strategic tool. However, significant investment and effort are needed. He cites the findings of a KPMG survey[1] of more than 1,200 TPRM professionals across six sectors and 16 countries. “While 85% of respondents say management recognises TPRM as a strategic priority, it is not yet being used strategically,” he explains.
[1] KPMG, Third Party Risk Management Outlook 2022