This article was first published in the March 2012 UK edition of Accounting and Business magazine.
Walking through the Shell headquarters in The Hague is like taking a tour through the company’s 200-year history. Cleaving the building is a grand staircase, which divides a modern 1980s structure from the original Renaissance-style edifice built in 1915. An old diesel pump stands guard by the main entrance, belying the company’s beginnings as a one-man antiques and oriental seashell dealership in London’s East End.
The thriving oil and gas business now employs 93,000 people in more than 90 countries, is active in 36 different industries and made a profit of US$31.185bn (around £20bn) in 2011. The Dutch royal family owns a small shareholding – less than 1% – a throwback to the 1907 merger between the London-based Samuel family’s Shell Transport and Trading Company, which had grown from that seashell dealership into a flourishing oil exporting business, and the Royal Dutch Petroleum Company, its main competitor at the time.
Shell’s operations are twofold: the exploration and extraction of crude oil and natural gas, and the refining business. The latter converts crude oil into fuels, lubricants and bitumen. Shell also produces biofuels and invests in solar and wind energy, as well as carbon capture and storage. With projects in countries as far afield as Oman, Iraq, Nigeria, Canada and Australia, it has a complicated web of interests to manage.
‘Shell operates worldwide, and oil and gas is an extremely risky and complex business, so you’ve got to understand the dynamics of the external environment, be it political, regulatory, economic and technical,’ explains Calvin Chiu, a governance, risk and controls (GRC) adviser in Shell’s central finance section.
Originally from Shanghai, Chiu works in a team of 12 in Shell’s corporate HQ in The Hague, which he describes as ‘the centre of risk management’ for the company. ‘We’re the custodians of the financial part of the Shell control framework and we actively interact with internal audit, external audit, the IT community, financial controllers, community financing and business financing projects,’ he says. ‘I usually deal with a network of governance, risk and control managers and deliver results through them.’
Chiu has helped steer a major overhaul of Shell’s controls framework in his five years at the company. The project was spurred by the introduction of the Sarbanes-Oxley Act in the US, which set strict new standards for corporate governance in the wake of the Enron, Tyco and WorldCom financial scandals.
‘We looked at our control framework to streamline it, make it leaner and meaner,’ he says. ‘We managed to reduce the number of controls from 46,000 five years ago to about 13,000 today, with a core of less than 2,000 – for a company the size of Shell this is a very impressive achievement.’ He is proud of the project, which he says has created a sort of ‘Enterprise One’ mentality. He adds: ‘We have upstream business, downstream business, and all these businesses organise themselves as if they’re independent companies, but by implementing this control framework we managed to glue these different organisations together.’
The evolution of the control framework coincided with the creation of centres in Kuala Lumpur, Chennai, Manila, Glasgow and Krakow, effectively migrating and centralising large parts of the finance function to Shell locations worldwide. The centres provide an array of services, such as accounting, reporting, management information and inventory management, to Shell companies across the globe. The effort to ‘standardise and simplify the financial control framework’ is part of the migration, Chiu says. ‘However, when you operate all these controls in an offshore environment, then you talk about very different risk profiles.’
Rui Bastos, Shell’s head of corporate and IT audit, enumerates some of the challenges faced by a company that spans multiple continents, time zones and sectors: ‘The variety of topics crossing my desk is phenomenal. One day it’s cloud computing security concerns, the next how to manage controls in the shared service centre or how we deal with physical security in high-risk locations. We also operate in more than 30 different industry sectors, so we are impacted by most major pieces of financial or regulatory legislation around the world.’
Bastos, who is Portuguese and South African, came to Shell from auditor Ernst & Young. He also oversees the operational logistics of Shell’s almost 400 audits a year, conducted with the help of more than 200 Shell internal auditors all over the world. Shell’s internal audit function operates out of four main hubs in Kuala Lumpur, Houston, London and Nigeria.
‘We’re a microcosm of the entire Shell organisation,’ says Bastos. ‘We work with integrated audit teams of finance, IT, upstream, downstream, and the other specialty skills required to deliver a specific audit. We have a specialised data analytics team that support internal audits, investigations, regulatory compliance and our continuous auditing activities.
‘We’re also asked to play an advisory role on a variety of topics, given our broad exposure to Shell through our audits. The broad audit coverage allows us to provide very good insights into how a variety of activities are happening on the ground.’
He says that this kind of knowledge is crucial for internal audit to add value: ‘You are called on to discuss a variety of topics with Shell senior management and the audit committee, which requires good insights on what is happening in all levels of the organisation. These insights are key to understanding the consequences of the issue for the rest of the organisation, but also to help shape how the organisation moves forward. From an internal audit perspective, it is both extremely impactful, but also personally very rewarding.’
Spreading these kinds of insights and know-how around the business is part of Shell’s ethos, Chiu says. He transfers the skills he has gleaned from working in corporate HQ to young professionals in the new business service centres, although anyone in the finance function can apply for extra training at any point in their careers. Chiu, in fact, went on a four-month stint to the Dubai office to write the 2012 regional business plan. ‘Shell very much encourages people to move on – almost demands that people move on once every four years to take on different challenges,’ he says.
Finance professionals can hone their skills in Shell’s ‘open university’, which offers classroom and remote learning. Bastos adds that internal audit adds to the available finance training with targeted audit and leadership skills training via individual development plans. ‘You’re rotating through a variety of audits every year, in essence accelerating your exposure to very different parts of the organisation,’ he says. ‘This exposure gives you a better appreciation of the link between risk and control and what it takes to make a large company like Shell succeed.’
And training is becoming even more important given the radical changes afoot for audit and governance, and the finance function in general. ‘The classical audit approach is changing radically,’ says Bastos. ‘We’re dealing with new realities today; we’re far more information-intensive than we’ve ever been. Our position within the organisation and wider society is changing as well – the concept of risk is no longer just economic risk.’
After Enron, WorldCom and Tyco, GRC professionals have to ‘make risk part of the top agenda of senior management’, Chiu says. ‘Risk and compliance is not a bureaucracy; it contributes to your bottom line. BP’s market value was wiped out by a third immediately following the Gulf of Mexico spill.’
He draws a contrast between his role in governance, risk and control with the internal audit function: ‘Internal audit looks at the events that have already taken place in the past, whereas GRC – and Rui may dispute this – is more forward-looking.’
And Bastos does indeed disagree. He says that internal audit in Shell has ‘been at the forefront of identifying many of the emerging risks and helped trigger the necessary changes in Shell to manage these risks’.
It’s an aspect of the role that will be even more central to internal audit in the future. ‘When you look at the way internal audit is moving, it’s increasingly having to predict the impacts of emerging internal and external challenges, and to assess how formal corporate control frameworks but also softer controls (such as corporate culture) will cope, and how the organisation responds.
‘Audit skills will need to continue evolving in this direction. Providing this level of insight will require a higher level of business expertise and knowledge, being able to translate risk and control issues in terms not only of financial but also of social, political and environmental implications.’
Chiu agrees, adding that finance professionals are becoming more integral to business. ‘They are or they should be trusted business partners in the organisation,’ he says.
Sarah Collins, journalist
2007: Head of corporate and IT audit, Shell.
2006: Partner, technology and security risk services, at Ernst & Young, subsequently assurance and advisory business services partner.
1992: Chief financial officer at PA Cargo.
Education: FCCA with honours degrees in finance, accounting and IT audit, and an MBA from Insead.
2006: Adviser on governance, risk and controls at Shell. In 2011 spent six months in Dubai, dealing with planning, economics and reporting for Middle East and North Africa. Due to move to group strategy and planning as financial planning analyst.
2000: Various finance roles at Cisco Systems, including financial reporting, processes, systems and Sarbanes-Oxley audit and compliance.
1996: Business planning and marketing at China Eastern Airlines.
Education: BSc in environmental science and engineering, and an MBA from Bradford University. Qualified as ACCA in 2010.