Plains Profile: Where Information Services meets Risk
In 2019 alone, $1.3 trillion was spent on transformation initiatives and upwards of 70% of these projects failed or their needs weren’t met. According to Al Lindseth, SVP of Technology, Process and Risk Management at Plains All American Pipeline, this is often due to factors upstream of technology: “Business people can approach transformation as a laundry list of technology projects. But their success is actually dependent on things like culture and behavior, starting with the leadership team, the processes, and the business design differences.”
It all started on a napkin
Greg Armstrong was CEO when Lindseth was thinking about joining the business. Enron and other trading firms in Houston had inquired, but a sit-down with Greg at a hotel bar resulted in discussions and strategies drawn plans on napkins; risk management and commercial strategies that ended up helping the company for years afterwards.
“I thought, ‘I need to work for this guy’. The story of what he and Harry [Pefanis] did and how they started the company, taking a risk building storage tanks when there was little economic incentive to store with where the market was at that time. The other rule Greg had was ‘never run out of cash!’, which I think is tied to some of those early years and experiences that they had.”
Lindseth came on board around the turn of the millennium, when the company had experienced a rogue trading loss from an employee who kept his positions hidden from management. Formerly a risk management consultant with PricewaterhouseCoopers, his first task as Corporate Risk Manager was to shape the right team and implement process redesign to deliver incremental changes and improvements throughout their risk management program.
In just over a year, the infectiously positive Lindseth would also assume control over IS & Operational Accounting in order to improve them, while building and strengthening the company's risk culture and technological capabilities. At the age of just 33, Lindseth would become one of PAA’s three SVPs, overseeing three areas: Technology, Process and Risk Management.
“Once I got the promotion to SVP, my plan was to continue the path of improvement, going group by group, department by department, modernizing the systems where it made sense and was worth the investment. The idea behind the title was to overhaul everything on top of a really strong business model and get a real jump on the competition.”
Riding the wave
After those initial bumps, for almost 12 years, in almost every single quarter, Plains met or beat earnings guidance. It hit double digit annual growth - turning into a Fortune 100 company. “The energy to redesign everything faded. Everyone was just too busy doing deals and acquisitions, myself included.” I had a process improvement group that marshalled the process optimization work through. And that became a project management organization with all the new system work arising from growth. The last number of years, as the energy industry downturn has caught up to midstream, the focus on streamlining and re-engineering to optimize has returned. We call it efficiency mode.”
Through the company’s growth period, Plains was able to protect the downside and capture upside in a way that made sense, through a lot of different and volatile supply/demand and price cycles, through its risk management program.
“There was a lot of volatility over that 12 year period that we were able to ride out, because of our program and the whole culture we created.”
“Plains is different from other organizations which have a separate CIO, CISO, or Chief Risk Officer. Here I'm the face to the board for all those functions.” There’s a lot of succession planning, delegation and leadership development constantly taking place so I can wear those different hats effectively. The business has a Canadian affiliate as well, where Dan Reinbold managed the IS organization historically, working closely with Al. Three years ago Plains decided to converge its US and Canadian entities. For this to work, IS had to converge first. Al put Dan over a converged IS North America group. With Dan reporting to him still, Lindseth moved into the role of senior-level influencer focused on those elements upstream of technology, to help broker and pave the way for these larger and more complicated projects.
“Dan took the traditional CIO role, focused on tech, with my support. He's done a great job. Getting the technology piece was critical. No one on the business side was going to be able to think about bringing together their applications or consolidating business processes if we didn’t get that right. It was table-stakes. People, process, culture and bringing business designs together: I took on that role. That’s how we split it up.”
Influencing the market through cybersecurity
Al kept the business risk side throughout all this. Lindseth also helped Plains build its cybersecurity abilities from the ground up using those same fundamental risk concepts, and the field, along with Plains program, continues to evolve. With cyber, for instance, Lindseth says there’s four main objectives: “You're trying to prevent an incident. You're trying to detect it as it happens. You're trying to respond to it. You're trying to predict it or get ahead of it. Looking at vulnerability threats and magnitude, you're using those same fundamental techniques that you use in business risk management. Lindseth has found his influence extending outside of the organization and into the community: “A rising tide lifts all boats in the oil and gas industry”. Greg Armstrong was the chairman of the National Petroleum Council and the former Plains’ CEO, for example, who pulled Al into a large NPC Report focused on midstream. Before COVID, Lindseth was invited up to the Department of Energy in Washington to present the recommendations from that Report. One component focused on technology and particularly cybersecurity, which got the most attention of the entire piece of work.
“We looked at operational technology (OT). IT business systems are more likely to get attacked, but you can have a much greater magnitude and severity of an attack on an operational technology system. These forms the backbone of industrial control systems, handling uptime, reliability, safety, compliance. This would result in much larger economic or physical disruption and impact environmental health and safety.”
With OT cyber, there are many overlaps to Al’s focus on non-technology elements. “With all energy companies, you’ve got many different factors in trying to apply modern technology, cyber or otherwise, in the field like remote areas, user adoption issues and historical ways of doing the work. These projects are very complicated and difficult to pull off. And if you don't deal with a lot of those foundational elements, so that you have organizational readiness to take this on, to optimize the work process, and lead people through the change, it's very difficult to succeed. This is a transformational change for those groups.”
According to Lindseth, technology is there to help to enhance things, but it doesn't make up for poor processes or team or individual ineffectiveness. A combination of bringing legacy habits and practices together with more modern behaviors is necessary when trying to use data to improve decision-making.
“You must empower those people and give them more authority. It's much bigger than just technology,” he said.
“I'm also on the board of the Oil and Natural Gas Information Sharing and Analysis Centre (ONG-ISAC). Every critical infrastructure sector has one of these and they are really important entities. We could be doing a lot more with them. The idea is that if a member company gets hit, they provide the threat intel to the other member companies.”
Risk assessment in action
Lindseth has always approached IT using the tools of a business risk manager. “It’s just what I know.” For example, he was in charge of a major trucking project, where he and the project manager sat down and figured out the 15 to 20 things that they could do to improve the odds of success of the project. Then, Lindseth suggested they quantify how much they could improve, helping them to prioritize.
“We picked certain ones and we executed them. Our initial assessment estimated putting these risk mitigation strategies in place would increase the odds of success by 70%. The quantification put the project after risk mitigation strategies were put in place at a 95% success vs an estimated 25% success had we not executed those actions. It’s difficult to know how it would have ended up for certain, but I am confident without those extra steps it would have been a failure.”
“This was a dual mode, satellite and Code Division Multiple Access (CDMA) implementation to gather key data from our trucking fleet. The CDMA didn’t reach in a lot of areas and satellite was problematic with the amount of data we were transmitting. We went above and beyond because we knew what a large issue that was - measures like putting WiFi at the truck stations, actually talking to the carrier to try and influence their rollout plan. We built a lot more data push into our dispatch program so the data would get transmitted when the trucks were most likely to be at the main yard. If we had not done that, we would have had about 35% of our truck fleet in North America that would not be able to send critical data at the right times. The trucks would have been sitting a lot longer. Time is money. It would have been a real problem,” said Lindseth.
Over the years, the business has used stress testing, experience analysis on the business side and reports that show what the impact is to hedging programs and other commercial activities. Al has done this on the IS side as well. “For example, we took a number of different scenarios that would trigger our disaster recovery program, such as fires, flooding, power outages and hurricanes and factored results of those scenarios into recovery time objectives and recovery point objectives, then weaved these exercises into the architecture of the program.”
Computex and modern infrastructure
Plains has relied on a lot of trusted partners over the years, which it views as an extension of its team. It's all about achieving the goals, according to Lindseth.
“If you think about the ecosystem that we're in, forecasts before COVID had 50% of S&P 500 companies going out of business within 10 years. The average tenure of an S&P 500 company was 40 years in 1977. By 2027, it's expected to be 12 years. Companies need to be hyper-focused on their business model and their design and identifying disruptors and managing those to get ahead of them, if they want to be around in 10 years. Partners and the skills and perspectives they bring are a huge part of doing that,” he added.
“For example, Computex has been a huge help to us over the years. They helped us design and implement our data center and did the same thing around our disaster recovery program.”
Other areas Computex have been involved include a redesign of the Plains field networks: “They've been a great partner, very flexible. We accomplished pretty significant things in a very short amount of time.” said Lindseth.
Houston as a technological hive
Unlike Silicon Valley, where it is high risk and potentially high reward, there's a lot of companies in Houston that are highly profitable, but haven't gotten the most out of technology. Lindseth believes it really increases the opportunity and also decreases the risk.
“The city is set up to have a great trajectory over the next 10 years, I think it'll continue to be the energy capital of the world, even as it transitions into renewables. And part of the value of collaborating is diversifying into other industries and seeing how they do things just a little bit different. I speak and collaborate a great deal, both in oil and gas and outside of it. I’ve learned a lot that way, and there's ample opportunity to do that here.” said Lindseth.
