
Compliance in the Oil & Gas Industry

Few industries face as much compliance scrutiny as the oil & gas sector. Foremost is the risk of enforcement under anti-bribery laws such as the Foreign Corrupt Practices Act, but oil & gas businesses must also address compliance risks related to environmental laws, health and safety, bid-rigging on government projects, cybersecurity, and more.

To manage all that, oil & gas companies need a “full suite” compliance program — one versatile enough to address a wide range of risks and robust enough to do so on a global scale. In this post we’ll review what the sector’s principal compliance challenges are, what capabilities a company needs to have in place to address them, and the compliance program components that will get you there.

Key Compliance Challenges

The oil & gas sector has a host of compliance risks. The most significant are listed below.

Anti-corruption

Anti-corruption risk is a top compliance concern for any large business, but that is especially true in the oil & gas sector, which has been the target of more prosecutions under the Foreign Corrupt Practices Act than any other industry. The global nature of many oil & gas businesses also means they are subject to the U.K. Bribery Act, the Brazil Clean Companies Act, and other anti-corruption statutes around the world.

The risk is so high in this sector because oil & gas companies routinely need to work with state-owned enterprises (say, a joint venture with a state oil business) or deal with foreign officials while securing necessary permits and licenses. Those are facts of life in the oil & gas business that won’t change any time soon. 

Environmental 

Oil & gas extraction is a dirty business. Companies must meet exacting standards for pollution control, water usage, waste management, spill prevention, and more — and again, they must do all that in multiple jurisdictions around the world.

The singular example of this risk is BP, which suffered the Deepwater Horizon oil spill disaster in the Gulf of Mexico in 2010. BP alone paid $4.5 billion in civil and criminal penalties, plus another $7.8 billion to settle private civil litigation, plus a 16-month ban from bidding on new oil contracts with the U.S. government. 

Health & Safety

Oil & gas businesses can employ anywhere from dozens to tens of thousands of people, often working in harsh environments or with dangerous equipment. This means health and safety compliance is both a top priority and a complex challenge, given the myriad rules that apply to the industry across numerous national, state, and local jurisdictions.

Cybersecurity

Again, cybersecurity is a swiftly rising concern for every business, but that is especially the case for the oil & gas sector because it qualifies as critical infrastructure. This means cybersecurity attacks must be reported to the U.S. government within 72 hours of detection, and affected companies must then cooperate with federal regulators to stop the attack and investigate how it happened. (On a more practical level, cyber attacks also pose enormous operational risk for this sector; consider the Colonial Gas pipeline attack of 2021 that shut down gasoline stations for 100 million Americans for days.)  

And More

We could keep going. Oil & gas companies also have all the usual compliance risks too, such as financial reporting, workplace discrimination, data privacy, corporate sustainability disclosure, and more. 

Steps to Success

Given that huge range of compliance risks, and the potentially severe consequences for compliance failures, the corporate ethics and compliance function is crucial for oil & gas companies. While every company will need to develop its own unique compliance program, we can outline a few steps critical to success. 

Secure Support From Senior Management

A successful compliance program rests on the shoulders of the entire management team, not the chief compliance officer’s alone. The first step must always be to convince the board, senior executives, and leaders of First Line operations teams that a strong compliance program is both good for business and a powerful protective measure against regulatory enforcement. 

Perform a Strong Risk Assessment

Even within the high-risk world of oil & gas, not all risks are created equal. Compliance officers must be able to perform robust, comprehensive risk assessments to understand which risks are most pressing, given the company’s operations and the current state of your compliance program (which may not be good, or might come up short in specific areas). Only then can you begin the work of building a better program.

Nurture a Speakup Culture

A strong speakup culture provides the fuel that compliance programs consume: reports of misconduct, which need investigation and, where necessary, remediation. So compliance officers must also work to develop that speakup culture through training, an easy-to-use internal reporting system, thoughtfully designed incentive compensation programs, disciplinary action for retaliation, and more.

Craft Policies and Procedures

Policies and procedures both help employees understand what they should do to achieve compliance objectives, and demonstrate to regulators (and business partners, investors, consumers, and other stakeholder groups) that your business takes compliance and ethical conduct seriously. 

Moreover, as we noted above, the oil & gas industry works in a complicated global environment. Employees (and your company’s third parties) need guidance across a host of issues. Strong policies and procedures are vital for strong performance in this sector just as much as they’re vital for regulatory compliance.

Foster Accountability

Your compliance program must hold employees (and managers in particular) accountable for their ethical conduct and compliance-aware behavior. That means investigating reports fully, implementing appropriate discipline consistently, documenting those efforts, and sharing results with all stakeholders in a way that lets each one see that expectations for ethics and compliance are enforced.

Essential Compliance Solutions 

The previous section outlined steps compliance departments will need to take to succeed. We still need to consider the specific components of a compliance program that you’ll also need to implement. The most important are as follows:

Third-Party Due Diligence tools, to help your company understand the wide range of overseas agents, suppliers, joint venture business partners, and other third parties that roam around the oil & gas industry. Especially in high-corruption markets, these parties could pose severe compliance risks that your business will need to assess and manage. 

An Internal Reporting Hotline, to give employees (and other third parties, such as contractors) an easier way to bring compliance concerns to your attention. This is not simply a good business practice; most anti-corruption statutes and their attendant rules and regulations require some sort of internal mechanism. You won’t be in compliance without one.

Policy Management tools, to assure that all parts of your enterprise are operating from the same basic rulebook. For example, you should have a single policy for gifts and entertainment spent on government officials, and a single disciplinary policy for whistleblower retaliation. Policies need a common structure, plus regular review to assure that they are still fit for purpose. A single policy management tool can bring order to that endeavor across your entire organization.

Training to help employees understand what is or isn’t acceptable conduct on the job, and what to do when they encounter difficult ethical situations. 

Compliance programs need other components as well, such as a strong case management system and regular audits and testing of the program. Exactly how those components should operate will vary from one company to the next, but no compliance program will succeed without all components present — whether you’re in the oil & gas sector or any other line of business.

Matt Kelly

Matt Kelly is an independent compliance consultant and the founder of Radical Compliance, which offers consulting and commentary on corporate compliance, audit, governance, and risk management. Radical Compliance also hosts Matt’s personal blog, where he discusses compliance and governance issues, and the Compliance Jobs Report, covering industry moves and news. Kelly was formerly the editor of Compliance Week from 2006 to 2015. He was recognized as a "Rising Star of Corporate Governance" by the Millstein Center in 2008 and was listed among Ethisphere’s "Most Influential in Business Ethics" in 2011 (no. 91) and 2013 (no. 77). He resides in Boston, Mass.
