Summary — Risk, Controls, & Compliance
What Is Risk, Controls, and Compliance (RCC)?
Risk, Controls, and Compliance (RCC) is the systematic framework that energy companies use to identify what could go wrong, put safeguards in place to prevent or catch problems, and ensure that all required rules and standards are followed. In the natural gas industry, where large volumes of gas, high dollar values, strict safety requirements, and complex regulations converge, RCC is not optional — it is foundational to every department and every role.
The three pillars are deeply interconnected:
- Risk is the possibility that something bad could happen — a financial loss, a safety incident, a regulatory violation, or a reputational problem. Risk does not mean the problem will occur; it means there is exposure.
- Controls are the safeguards — rules, checks, processes, or automated systems — built to reduce the likelihood or impact of a risk materializing.
- Compliance means following both internal company policies and external laws and regulations. It is the required standard that companies must meet to remain trusted, legal, and operational.
A useful way to think about these together: Risk is leaving your front door unlocked (exposure exists). Controls are the deadbolt and security alarm (safeguards). Compliance is the local ordinance requiring landlords to maintain working locks (the required standard).
Without controls, risk grows unchecked. Without compliance, companies face fines and shutdowns. Without awareness of risk, people make uninformed decisions that can cascade into major problems.
Types of Risk in the Natural Gas Industry
Risk is not limited to dramatic events like explosions or market crashes. It exists at every step of the natural gas value chain — from production and transportation through trading, scheduling, measurement, and accounting. Understanding the distinct categories of risk allows companies to assign appropriate controls and monitoring responsibilities.
Operational Risk
Operational risk arises from mistakes, failures, or broken processes — typically caused by human error or system failure. Examples include:
- A scheduler entering the wrong pipeline delivery point
- A late nomination causing a delivery failure
- Equipment failure causing a pipeline shutdown
- Miscommunication between teams leading to scheduling conflicts
Operational risk often triggers other risk types. A single operational error — such as a meter misread — can simultaneously create financial exposure and a compliance issue.
Financial Risk
Financial risk refers to the exposure to monetary loss. In natural gas, this includes:
- A trader entering a deal at the wrong price (a "fat-finger" error)
- Buying gas at a high price and selling at a lower price
- Incorrect volume entries causing billing errors
- A customer failing to pay an invoice
Financial risk is closely tied to Mark-to-Market (MtM) reporting — the daily valuation of open positions to assess what the financial result would be if all trades were closed at current market prices.
Market Risk
Market risk comes from price volatility. Natural gas prices fluctuate due to weather, supply/demand shifts, storage levels, and geopolitical events. Key sub-types include:
- Basis risk: the difference in price between two geographic locations
- Hedge execution risk: using the wrong hedge ratio or over-hedging, which removes profit potential
- Fixed-rate deals becoming unprofitable when market prices move in the opposite direction
Companies manage market risk through hedging — locking in a price to protect against adverse market movement. Each party to a hedge believes it will benefit, which is what makes the hedge mutually agreeable.
Credit Risk
Credit risk is the risk that a counterparty fails to fulfill a financial obligation. It runs in two directions:
- Receivable (credit) risk: a customer fails to pay what is owed
- Payable (liquidity) risk: the company itself cannot meet its financial commitments
Companies manage credit risk through credit limits (maximum exposure allowed per counterparty) and liquidity limits (how much reliance is placed on a counterparty's credit). Real-time dashboards with automated alerts help risk teams monitor when limits are approached or breached.
Regulatory Risk
Regulatory risk occurs when rules are not followed, leading to fines, penalties, shutdowns, or loss of operating licenses. Examples include:
- Missing a required FERC filing
- Failing to submit a pipeline safety inspection report to PHMSA
- Violating contract delivery terms
- Missing an environmental reporting deadline
Regulatory risk is managed through compliance programs, audit trails, and documented approval workflows.
Environmental Risk
Environmental risk involves damage to land, water, air, or surrounding communities due to gas operations. Examples include gas leaks, spills, and emissions violations. Environmental risk carries both financial consequences (fines, remediation costs) and reputational consequences (loss of community trust, media exposure).
Safety Risk
Safety risk involves physical harm to workers, communities, or assets. High-pressure releases, equipment failures, fires, and explosions are examples. Safety risk is always considered the highest-priority risk category. It is governed by regulations from bodies like PHMSA and OSHA, and managed through inspection regimes, alarm systems, and emergency response plans.
Cybersecurity Risk
Cybersecurity risk has grown significantly as natural gas operations have become increasingly digitized. Scheduling, trading, measurement, and pipeline control systems all rely on digital infrastructure. A breach could allow hackers to manipulate nomination data, disrupt operations, or steal sensitive information. Controls include two-factor authentication (2FA), automated backup systems, endpoint protection, and audit logs.
One Event, Many Risks
A critical concept is that a single mistake can trigger multiple risk categories simultaneously. For example:
- A meter misread → operational error → financial billing loss → compliance audit finding
- A suspicious login → cybersecurity breach → operational disruption → regulatory notification requirement
This interdependency is why companies track risk categories carefully and why cross-functional teams collaborate on risk management.
Risk Across the Value Chain
Different parts of the industry face different dominant risk profiles:
| Segment | Primary Risk Exposure |
|---|---|
| Production (Upstream) | Safety risk, environmental risk |
| Pipelines (Midstream) | Operational risk, regulatory risk |
| Trading | Market risk, financial risk |
| Accounting / Back Office | Financial risk, audit/compliance risk |
| IT / Systems | Cybersecurity risk, operational risk |
| Scheduling | Operational risk, regulatory risk |
Understanding where risk concentrates helps companies assign monitoring responsibilities to the right roles.
What Are Controls?
A control is a rule, check, process, or system designed to prevent mistakes from occurring or to detect problems after they happen, before they escalate into major losses. Controls are not bureaucratic obstacles — they are safety nets that allow organizations to operate confidently at scale.
Everyday Analogies
- A seatbelt is a preventive control — it reduces injury if an accident occurs
- Spellcheck is a detective/preventive hybrid — it catches errors before submission
- Two-factor authentication (2FA) is a preventive control for unauthorized access
Types of Controls
Controls are classified along two dimensions:
By timing:
- Preventive controls stop problems before they occur. Example: a system that requires manager approval before a trade above a certain size is submitted.
- Detective controls find problems after they occur. Example: a daily P&L variance report that flags trades with unexpected margins.
By method:
- Manual controls are performed by a person. Example: a scheduler manually verifying that nominated volumes match contract quantities.
- Automated controls are performed by a system. Example: an ETRM system that automatically rejects a duplicate trade entry.
How Controls Are Built
Controls are not created arbitrarily — they are designed in response to identified risks:
- Identify the risk (e.g., duplicate trades being entered)
- Create a control (e.g., system blocks entries with duplicate trade IDs)
- Test the control (e.g., run test entries to verify the block works)
- Review periodically (e.g., quarterly review to confirm the control still functions as intended)
Controls must be reviewed regularly because processes change, systems are updated, and new risks emerge.
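The four-step build process above, carried through in code as an added example (not part of the course material or any real ETRM system): two preventive controls on trade entry (a duplicate-ID block and an approval threshold), an audit trail that records rejections as well as acceptances, and the "test the control" step as a function. The threshold value, trade IDs and user names are assumed.

```python
from dataclasses import dataclass, field
from typing import Optional

APPROVAL_THRESHOLD_MMBTU = 50_000  # assumed desk limit: larger deals need manager sign-off


@dataclass
class Trade:
    trade_id: str
    volume_mmbtu: int
    price: float
    approved_by: Optional[str] = None  # manager sign-off, if obtained before submission


@dataclass
class TradeBook:
    """Trade capture with two preventive controls and an audit trail of every attempt."""
    trades: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def submit(self, trade: Trade, user: str) -> bool:
        # Preventive control 1: block duplicate trade IDs (risk: a deal booked twice).
        if trade.trade_id in self.trades:
            self._log(user, trade, "REJECTED", "duplicate trade ID")
            return False
        # Preventive control 2: deals above the threshold need approval before booking.
        if trade.volume_mmbtu > APPROVAL_THRESHOLD_MMBTU and not trade.approved_by:
            self._log(user, trade, "REJECTED", "exceeds threshold without approval")
            return False
        self.trades[trade.trade_id] = trade
        self._log(user, trade, "ACCEPTED", "")
        return True

    def _log(self, user: str, trade: Trade, outcome: str, reason: str) -> None:
        # Audit trail: rejections are logged too, so reviewers can see what was attempted.
        self.audit_log.append((user, trade.trade_id, outcome, reason))


def test_controls() -> dict:
    """Step 3 above: run test entries to verify that each block actually fires."""
    book = TradeBook()
    first = book.submit(Trade("T-1001", 10_000, 2.85), "trader_a")
    duplicate = book.submit(Trade("T-1001", 10_000, 2.85), "trader_a")
    unapproved = book.submit(Trade("T-1002", 80_000, 2.90), "trader_b")
    approved = book.submit(Trade("T-1003", 80_000, 2.90, approved_by="desk_mgr"), "trader_b")
    return {"first": first, "duplicate": duplicate, "unapproved_large": unapproved,
            "approved_large": approved, "booked": len(book.trades),
            "logged": len(book.audit_log)}
```

The periodic review (step 4) is simply re-running `test_controls()` after each system change and confirming the rejections still happen.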
Controls by Role
| Role | Typical Controls Used |
|---|---|
| Trader | Deal size limits, price tolerance alerts |
| Scheduler | Duplicate ID blocks, nomination cutoff checks |
| Measurement Analyst | Meter mismatch alerts, dual sign-off requirements |
| Accountant | Journal entry thresholds, monthly accrual reviews |
| Compliance Officer | Audit trail requirements, role-based access permissions |
| IT Specialist | System access logs, automated backups, 2FA |
Compliance — The Backbone of Trust
Compliance means following the required policies, laws, and standards that govern how a company operates. It is divided into two categories:
Internal Compliance
Internal compliance refers to rules created by the company itself. These are designed to keep work consistent, accurate, and auditable. Examples include:
- Approval workflows (e.g., two signatures required for invoices above $500,000)
- Data entry procedures
- Access permission controls
- Document retention policies
External Compliance
External compliance refers to laws and regulations set by government agencies and regulatory bodies. Violating these can result in fines, operational shutdowns, or license revocations. Examples include:
- FERC filing requirements for interstate gas sales and transport
- PHMSA pipeline safety inspection standards
- SOX financial reporting controls
- EPA emission and environmental standards
Major Regulatory Bodies
| Regulator | Full Name | Primary Focus |
|---|---|---|
| FERC | Federal Energy Regulatory Commission | Interstate natural gas sales, transport, and tariffs |
| PHMSA | Pipeline and Hazardous Materials Safety Administration | Pipeline safety inspections, spill response |
| SOX | Sarbanes-Oxley Act | Financial reporting accuracy, audit trails, executive accountability |
| EPA | Environmental Protection Agency | Emission standards, water and environmental permits |
| OSHA | Occupational Safety and Health Administration | Worker safety standards |
| State Commissions (e.g., PUCT in Texas) | Varies by state | Local utility oversight, intrastate rates, permits |
Key Legislation
- Sarbanes-Oxley Act (SOX, 2002): Enacted following corporate scandals (including Enron), SOX mandates corporate financial reporting and recordkeeping standards. Executives can face criminal penalties for signing off on materially false financial statements. SOX significantly spurred the growth of the Middle Office function, which acts as a control layer between trading/operations and accounting.
- Dodd-Frank Act (2010): Passed in response to the financial crisis, it increased transparency requirements for derivatives and hedging, including requirements for hedge transparency reports in ETRM systems.
Compliance in Daily Work
Every role carries compliance responsibilities:
- Schedulers follow FERC transport rules and contract delivery terms
- Traders adhere to desk limits and financial reporting controls
- IT teams maintain access logs required for SOX audits
- Operators follow PHMSA safety procedures
- Compliance officers monitor activity across all functions
The Middle Office: Controls and Compliance in Practice
The Middle Office is a function that has grown significantly in the natural gas industry, driven largely by the requirements of Sarbanes-Oxley. It sits between the trading/operations front end and the accounting back end, acting as a data filter and control layer.
Key Middle Office responsibilities include:
- Monitoring MtM reports and financial positions
- Running volumetric balancing checks
- Enforcing pricing validations
- Managing credit limits and trader restrictions
- Comparing forecast vs. actual performance
- Maintaining audit trails for regulatory review
The guiding principle of Middle Office work: "If it doesn't look right — STOP and investigate."
Auditor Roles
Auditors — whether internal, external, jurisdictional, or governmental — evaluate whether controls are functioning properly. Controls are classified in three ways aligned with audit methodology:
- Detective controls: uncover existing issues in data
- Corrective controls: fix discovered issues
- Preventive controls: prevent future errors
All controls should align with GAAP (Generally Accepted Accounting Principles) and relevant regulations like SOX.
Spotting and Resolving Variance
Even with strong controls, discrepancies occur. A variance is a mismatch between what was expected and what actually happened. Variances are normal — ignoring them is dangerous.
Examples of Variances
- Scheduled volume: 10,000 MMBtu → Metered volume: 9,400 MMBtu
- Invoice total: $300,000 → System total: $315,000
- Planned delivery date: January 10 → Actual delivery date: January 12
Where Variances Occur
Variances can appear at many handoff points in the value chain:
- Nominations vs. meter readings
- Contract terms vs. trade entry
- System entries vs. customer invoices
- Forecast vs. actual usage
- Pipeline volumes vs. customer delivery
How Variances Are Detected
Companies use several tools to find mismatches early:
- Automated system alerts that flag when values fall outside expected ranges
- Daily reconciliation reports comparing multiple data sources
- Tolerance rules (e.g., variances ≤1% are acceptable; variances >1% require investigation)
- Exception reports that highlight only out-of-range items
- Audit trails that log every entry and change
Resolving Variance: The Process
- Variance is flagged (by system alert or manual review)
- Analyst checks system logs and entry records
- Scheduler confirms original nominations
- Contract team reviews applicable terms
- Correction is issued or the difference is documented with justification
Every correction must be tracked and logged. Unauthorized manual adjustments to data are a compliance violation.
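An added example (not from the course material) covering both the detection tools listed under "How Variances Are Detected" and the logging requirement stated just above: a daily reconciliation of nominated vs. metered volumes applying the 1% tolerance rule, an exception report that returns only out-of-range items, and a correction log that refuses any adjustment lacking an approver and a written justification. Contract IDs and volumes are constructed; the 10,000 → 9,400 MMBtu case mirrors the variance example earlier on this page.

```python
from dataclasses import dataclass

TOLERANCE = 0.01  # tolerance rule from the text: <= 1% acceptable, > 1% investigate


@dataclass
class Variance:
    contract: str
    scheduled: float  # nominated volume, MMBtu
    metered: float    # pipeline meter reading, MMBtu

    @property
    def pct(self) -> float:
        if self.scheduled == 0:
            return float("inf") if self.metered else 0.0
        return abs(self.scheduled - self.metered) / self.scheduled


def exception_report(scheduled: dict, metered: dict) -> list:
    """Detective control: compare two data sources and return only out-of-range items."""
    exceptions = []
    for contract, sched in scheduled.items():
        if contract not in metered:
            exceptions.append(Variance(contract, sched, 0.0))  # no meter read at all
            continue
        v = Variance(contract, sched, metered[contract])
        if v.pct > TOLERANCE:
            exceptions.append(v)
    return exceptions


class CorrectionLog:
    """Every correction is tracked; an adjustment with no approver or justification is refused."""

    def __init__(self) -> None:
        self.entries = []

    def record(self, v: Variance, corrected: float, analyst: str,
               approver: str, justification: str) -> int:
        if not approver or not justification:
            raise PermissionError("unauthorized manual adjustment: approver and justification required")
        self.entries.append({"contract": v.contract, "from": v.scheduled, "to": corrected,
                             "analyst": analyst, "approver": approver, "why": justification})
        return len(self.entries)


# Constructed sample day: nominations vs meter readings (MMBtu) for four contracts
SCHEDULED = {"C-100": 10_000, "C-101": 25_000, "C-102": 5_000, "C-103": 12_000}
METERED = {"C-100": 9_400, "C-101": 24_850, "C-102": 5_030}
```

Running `exception_report(SCHEDULED, METERED)` surfaces C-100 (a 6% shortfall) and C-103 (no meter read), while C-101 and C-102 sit inside tolerance and never appear.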
Roles in Variance Resolution
| Role | Contribution |
|---|---|
| Scheduler | Validates nominations vs. delivery records |
| Measurement Analyst | Compares meter readings to scheduled volumes |
| Accountant | Adjusts accruals or invoices based on findings |
| Risk/Compliance | Monitors for recurring or material variances |
| IT | Ensures reporting systems function correctly |
Mark-to-Market (MtM) Reporting
Mark-to-Market (MtM) is the process of valuing open trading positions at current market prices to determine what the financial result would be if all positions were closed today. It provides a daily snapshot of financial health.
MtM reporting feeds into the three core financial statements:
- Balance Sheet: Current financial position (assets, liabilities, equity) at a specific date
- Income Statement: Historical financial performance over a period (e.g., last quarter)
- Cash Flow Statement: Actual cash position and short-term forecast
MtM is particularly important for hedge valuation — it shows whether a hedge is gaining or losing value relative to the underlying market, allowing risk teams to assess whether the hedge strategy is performing as intended.
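Marking a small book to market and checking a hedge against its underlying position, as an added example (not from the course material): each open position is valued as if closed at today's hub price, and the hedge check shows one leg gaining while the other loses, so that the net stays at the locked-in margin whatever the market does. Hub name, prices and volumes are constructed.

```python
from dataclasses import dataclass


@dataclass
class Position:
    name: str
    side: str              # "buy" or "sell"
    volume_mmbtu: int
    contract_price: float  # $/MMBtu fixed when the deal was struck
    hub: str               # pricing location used for the market quote


def mtm(pos: Position, market: dict) -> float:
    """Value one open position as if it were closed today at the current hub price."""
    move = market[pos.hub] - pos.contract_price
    # A buyer gains when the market rises above the contract price; a seller gains when it falls.
    sign = 1 if pos.side == "buy" else -1
    return sign * move * pos.volume_mmbtu


def mtm_report(book: list, market: dict) -> dict:
    """Daily snapshot: MtM of each position and the net of the book."""
    per_position = {p.name: mtm(p, market) for p in book}
    return {"positions": per_position, "net": sum(per_position.values())}


def hedge_check(physical: Position, hedge: Position, market: dict) -> dict:
    """Is the hedge doing its job? Gains on one leg should offset losses on the other."""
    phys, hdg = mtm(physical, market), mtm(hedge, market)
    return {"physical": phys, "hedge": hdg, "net": phys + hdg,
            "offsetting": (phys < 0 < hdg) or (hdg < 0 < phys) or phys == hdg == 0}


# Constructed: a fixed-price physical sale hedged by a financial purchase at the same hub.
PHYSICAL_SALE = Position("phys_sale_jan", "sell", 10_000, 3.00, "HenryHub")
FIN_HEDGE = Position("fin_hedge_jan", "buy", 10_000, 2.95, "HenryHub")
BOOK = [PHYSICAL_SALE, FIN_HEDGE]
MARKET_TODAY = {"HenryHub": 3.40}  # assumed current quote; move it to see MtM change
```

With the market at $3.40 the sale shows -$4,000 and the hedge +$4,500; at $2.50 the signs flip, but the net is $500 either way, which is the $0.05/MMBtu margin the hedge locked in.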
RCC in Action: The Full Cycle
RCC is not a one-time process — it is a continuous, repeating cycle:
- Risk exists in operations, markets, regulations, and technology
- Controls are built to reduce the likelihood and impact of risk
- Monitoring occurs daily through reports, alerts, and reviews
- Variance is detected when expected and actual results diverge
- Investigation identifies root cause using logs, contracts, and data
- Resolution corrects the error, adjusts records, and notifies affected parties
- Audit verifies that the resolution was accurate and complete
- Controls are updated to prevent recurrence
Case Example: The Billing Discrepancy
A billing report shows a $10,000 variance. The amount seems small, but investigation reveals a flawed pricing formula that affects hundreds of deals. The RCC cycle in action:
- Prevention: Invoice review rules and dual approval requirements were already in place; contract validation training existed
- Detection: Daily variance report surfaced the mismatch; an analyst noted margin misalignment
- Investigation: Contract reviewed; formula miskey discovered in the system template
- Resolution: Traders notified counterparties; invoices reissued; accounting booked adjustments; IT corrected the formula template; compliance logged the incident for internal audit
This example illustrates that small variances can be symptoms of systemic problems — and that early detection prevents much larger consequences.
Career and Role Connections
RCC is not confined to the compliance department. Every role in the natural gas industry involves RCC responsibilities:
| Role | Primary RCC Activity |
|---|---|
| Trader | Managing market and financial risk; adhering to desk limits |
| Scheduler | Preventing operational risk; following transport rules |
| Measurement Analyst | Detecting volume variances; maintaining data integrity |
| Accountant | Financial reporting accuracy; audit compliance |
| IT Specialist | Cybersecurity controls; audit log maintenance |
| Risk Analyst | Monitoring all risk types; running MtM and exposure reports |
| Compliance Officer | Monitoring regulatory adherence; investigating incidents |
| Auditor | Verifying controls work; reviewing logs for accuracy |
| Operator | Safety risk management; PHMSA compliance |
Career paths in RCC include: internal audit, enterprise risk management, operations controls analysis, regulatory affairs, energy compliance law, and data/systems governance.