Following the risk assessment process, the ERM group prepares an annual ERM report on risk assessment and risk management that is presented to the Board’s Audit Committee. The ERM report includes a risk register that identifies risk categories and assigns a significance rating based on the likelihood of occurrence and the potential impacts.
Our Chief Executive Officer (CEO) is responsible to the Board for reporting and leadership on risk categories, while executive officers and senior leadership members address specific risk items and risk mitigation in their core areas of responsibility. The Board’s standing committees monitor critical risks and receive regular updates from management on those risks.
Business Continuity and Crisis Management
Halliburton has robust plans and procedures in place to guarantee the continuity of our business operations in the event of a crisis or an emergency. We have an established tiered crisis response model, including our Global Crisis Management Plan, that sets out procedures to execute strong command and control of emergency response activities for a variety of scenarios, including site-specific incidents and pandemics. Following the emergence of the COVID-19 pandemic in early 2020, we utilized our tiered response model, with our corporate crisis team monitoring the evolving situation across all core departments, including health and safety, IT infrastructure and supply chain, and providing guidance to support local response plans and ensure the health and safety of our employees and contractors.
In alignment with our tiered crisis response model, every Halliburton facility has a local emergency response plan that encompasses detailed requirements for emergency response, including evacuation plans and medical response. Halliburton provides access to medical care for all employees, no matter where they are working around the world. All employees involved in emergency response receive mandatory training on their responsibilities during these events and on procedures that include annual drills.
Our Risk Management Sustainability Commitments:
- Continue with a leading governance model to ensure enhanced collaboration among and between critical units within the Company to best assess risk, identify opportunities for risk mitigation, and improve visibility to key stakeholders across the organization.
- Streamline risk categories, risk identification, and risk management to ensure best alignment with Halliburton strategy and critical focus is placed on what matters most.
Global IT Infrastructure
Halliburton has made substantial investments in our global Information Technology (IT) infrastructure to advance our digital capabilities, drive additional business agility and reduce capital expenditures. In 2020, we announced a new five-year strategic agreement with Microsoft and Accenture to advance the Company’s digital capabilities in Microsoft Azure, including migrating all Halliburton physical data centers to Azure’s cloud-based digital platform, which is enterprise-grade and offers global scale. This migration will provide sustainability benefits through the expected closing of all data centers in 2022, resulting in reduced energy use and removal of environmental impacts associated with the use of refrigerants.
The move to a cloud-based platform will enable us to provide additional digital capabilities to customers, using machine learning and artificial intelligence tools. These investments will also further leverage our open architecture approach to software delivery, and accelerate the deployment of new technology and applications, including System and Organization Controls (SOC) 2 compliance, for overall system reliability and enhanced security.
Halliburton recognizes that global attacks on corporate IT systems have increased in frequency and sophistication, and we have invested significant resources to protect our IT systems and our data. Our IT infrastructure and security practices generally align with industry security standards, such as the International Organization for Standardization (ISO) 27001 and the National Institute of Standards and Technology (NIST) 800-53 standards. We regularly assess our cybersecurity program against the NIST Cybersecurity Framework and provide annual updates to the Board of Directors.
Our comprehensive cybersecurity program includes robust endpoint protection, detection and response; network, cloud and mobile security; and 24-hour monitoring, threat detection and incident response. User access to Company data and applications is protected using multifactor authentication, which provides a high level of security when working remotely. We conduct regular external testing of Company systems and security protocols, and the Landmark Public Cloud Infrastructure successfully underwent a SOC 2 Type 1 audit for Security and Availability.
Halliburton subscribes to design philosophies such as “Defense in Depth” and “Zero Trust” to protect our computing assets, networks, data and users. Our approach helped enable a smooth transition to the work-from-home requirements put in place as part of the Company’s COVID-19 response.
All Halliburton personnel with access to Company systems (including suppliers) receive mandatory annual training on cybersecurity and on data privacy policies and procedures. This training covers information security best practices and the Company’s information handling policies. Phishing simulation campaigns are also conducted throughout the year. Depending on their specific job function, certain personnel may be required to take additional security awareness training.
Our data privacy practices comply with applicable data privacy regulations throughout our global operations, including the General Data Protection Regulation (GDPR) in the European Union, the California Consumer Privacy Act (CCPA) and the Nigeria Data Protection Regulation (NDPR). The Board’s Audit Committee is responsible for monitoring the Company’s compliance with these regulations. Halliburton actively monitors for emerging data security regulations to align with developing standards.
The safety of our employees and contractors is paramount at Halliburton, and we have robust systems and procedures in place to mitigate and protect against workplace security risks. Our security team, through its Global Security Operations Centre and a broad network of security specialists, actively monitors global security conditions and geopolitical developments on a real-time basis. This approach allows us to swiftly respond and manage developing security risks and disruptive events that may pose a threat to our assets or to the continuity of our operations. In certain risk environments, additional security measures are implemented.
Halliburton invests significant time and effort to ensure that all security operations are conducted in a responsible manner and that security providers comply with our standards of ethics and integrity, including our commitment to human rights and the security of local communities. The small number of security providers who provide armed services are contractually obligated to comply with the Voluntary Principles on Security and Human Rights (VPSHR) and the United Nations’ Basic Principles on the Use of Force and Firearms by Law Enforcement Officials.
Halliburton abides by the VPSHR and expects all our vendors and service providers to comply with these principles. All third-party security providers with access to the Company’s internal systems are required to have formal training on the Halliburton COBC every two years.
In 2020, as part of our commitment to workplace security, Halliburton began developing a new Security Management System (SMS). This new system is intended to further reduce risk to critical assets (such as personnel, facilities, sensitive equipment and proprietary information) by enhancing corporate security procedures and other internal measures to improve overall organizational resilience. The SMS is also expected to provide a more consistent evaluation and implementation of physical security standards and controls across the Company.