Understanding Risk Management
by Chris Trayhorn, Publisher of mThink Blue Book, April 1, 2003

Greater recognition of the correlation among the risks in energy marketing activities, asset management and operations, and the energy regulatory environment is necessary for companies to better manage risk. These interrelationships have a significant impact on business performance, financial results, and overall risk profile, so energy companies need to take an enterprise-wide view of risk management.

To develop an effective enterprise risk management (ERM) framework, energy companies need to understand the key internal and external factors that determine exposure, identify the specific elements that affect their business, and define a management model focused on key risk-management processes and supporting infrastructure. A comprehensive framework should address the following key questions:
• What are the external and internal risk drivers that impact the company’s overall risk profile?
• What are the elements of risk created by the risk drivers and how can they be managed?
• What is the best risk-management operating model to manage the elements of risk?

Risk Drivers

As in any business activity, risk in the energy industry arises from uncertainty. The ERM framework defines these uncertainties as risk drivers, and they can be divided into external drivers that are not within the company’s control and internal drivers that arise from within the company.

External drivers for an energy company typically include prices and supplies in the energy markets, the national- and state-level regulatory environments, financial and regulatory reporting requirements, economic trends, and the types of customers the company serves and their associated risk profiles. A further layer of complexity has been added to these external drivers as energy companies begin to operate in multiple energy markets and/or in multiple regulatory jurisdictions.

Internal drivers typically include the company’s business strategy, operating model, degree of capitalization, and risk tolerance. Business strategy is a key driver — for example, if the company’s strategy is to trade energy only as a hedge rather than for profit or for market-making objectives, this can significantly reduce the risks associated with trading operations. The risk tolerance of the organization, as determined by directors and management, is the linchpin between the business strategy and the actual measurement of the risk exposure of the enterprise.

Elements of Risk — Financial

Financial risk is defined as the set of risks impacting the overall financial performance and shareholder value creation capability of the company, including:
• Market risk
• Credit risk
• Liquidity risk
• Interest rate risk
• Currency exposure

Most financial risks are well-documented and do not require further description. But two types of financial risk merit special mention given the dynamics of today’s energy markets:

Liquidity Risk

In a wholesale market in which trading activity is significantly contracting, liquidity risk is an important area of financial risk that can be difficult to measure and manage. As the number of transactions and creditworthy counter-parties decreases across commodities and locations, the ability to trade out of existing unfavorable positions becomes a critical factor in maintaining value in a company’s trading books and assets. Liquidity risk must be managed in today’s market by monitoring the depth and breadth of the market; if the market shrinks significantly, then liquidity risk may increase to intolerable levels.

Retail Credit Risk

For those energy companies whose unregulated customer base includes retail commercial and industrial (C&I) customers, the credit risk profile of smaller C&I customers can be easily overlooked.
But it is important to develop a deep understanding of the small customer base and the credit risk that these types of customers present — although each customer may be small, taken together they can present a substantial volume of risk. One key set of tools in this area is small-business credit-scoring models that provide late-payment and/or business-failure measures for companies that might otherwise pass through credit review screens. These models are commonplace in industries such as financial services, but in many cases have yet to be adopted by retail energy providers.

Customer and geographic concentration can also present a considerable retail risk. If a significant portion of an energy company’s sales is concentrated in a single customer or a small number of customers, or in a particular geographic region, the loss of one of these customers or a change in the local economy that affects companies in that area can have an adverse effect on the energy company.

Figure 1: Energy Risk Management Framework

Elements of Risk — Regulatory

Regulatory risk is defined as the set of external regulatory actions and developments that can substantially impact the financial and operational performance of the company, including the revenue requirement, cost structure, and operational processes. Regulatory risk arising from a variety of regulatory bodies is often overlooked or insufficiently analyzed by energy companies, but must be addressed to maintain and enhance shareholder value. These agencies include such groups as FERC, state PUCs, the NRC, the SEC and various environmental agencies on the state and federal levels. With these many sources of regulatory risks, energy companies must carefully determine how they can actively prevent or mitigate the negative impacts that can result from changes in regulation.
Companies should know the impact of the regulatory market model on their own business models, understand the regulatory climate in which they operate, and have a plan to shape regulatory policies that affect them. Most energy companies that are subject to regulation have a regulatory affairs group responsible for responding to these needs. Although these groups are usually effective in monitoring the regulatory environment, there are two typical problems with the way these groups operate:

Isolation from Other Risk Management

Regulatory risk monitoring and management have traditionally been conducted separately from the rest of the risk-management function in energy companies. But this isolation prevents the company from analyzing and managing regulatory risks in the context of the company’s overall risk profile — reducing the company’s ability to both understand how regulatory risks are affecting various activities and to engage in comprehensive risk hedging and management.

Failure to Quantify Regulatory Risks

Regulatory risks have traditionally been monitored and managed with little or no analytical rigor applied to risk measurement and management. Energy companies need to recognize that the impact of regulatory risks can be estimated and analyzed by building relatively simple models that:
• Assign probabilities to the various potential outcomes for each regulatory scenario.
• Quantify the financial impacts to the company for each regulatory scenario outcome.
• Calculate the expected results and variance for each regulatory risk scenario.

Such modeling provides a better understanding of the financial impacts of regulatory risks and can be combined with other risk modeling to allow for comprehensive risk hedging and management.
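
The three modeling steps listed above (assign probabilities, quantify impacts, calculate expected result and variance) can be worked through in a few lines. This is an added example, not part of the original article: the scenario names, probabilities and dollar impacts are constructed, and combining scenarios by summing variances assumes the scenarios are statistically independent.

```python
import math

# Constructed sample data (not from the article): each regulatory scenario
# maps to (probability, financial impact in $ millions; negative = loss).
SCENARIOS = {
    "rate_case": [(0.5, 0.0), (0.3, -20.0), (0.2, -50.0)],
    "emissions_rule": [(0.7, 0.0), (0.3, -40.0)],
}


def scenario_stats(outcomes):
    """Return (expected impact, variance) for one scenario's outcomes."""
    total_p = sum(p for p, _ in outcomes)
    # Outcomes must form a complete probability distribution.
    if any(p < 0 for p, _ in outcomes) or not math.isclose(total_p, 1.0):
        raise ValueError("probabilities must be non-negative and sum to 1")
    expected = sum(p * x for p, x in outcomes)
    variance = sum(p * (x - expected) ** 2 for p, x in outcomes)
    return expected, variance


def portfolio_stats(scenarios):
    """Combine scenarios into (per-scenario stats, total expected, total std dev).

    Assumption: scenarios are independent, so their variances add.
    """
    stats = {name: scenario_stats(o) for name, o in scenarios.items()}
    expected = sum(e for e, _ in stats.values())
    variance = sum(v for _, v in stats.values())
    return stats, expected, math.sqrt(variance)


if __name__ == "__main__":
    per_scenario, total_expected, total_std = portfolio_stats(SCENARIOS)
    for name, (e, v) in per_scenario.items():
        print(f"{name}: expected {e:.1f}, std dev {math.sqrt(v):.1f}")
    print(f"combined: expected {total_expected:.1f}, std dev {total_std:.1f}")
```

The standard deviation is in the same units as the impacts, which makes it easier to set beside other risk measures than the raw variance.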

Elements of Risk — Operational

Operational risk is defined as the set of risks to energy company operations that can impact financial performance, customer reliability, ongoing operations and business continuity, safety/environmental performance, and overall company reputation. Focus areas typically include process capabilities and controls across the following areas:
• Core operations, including generation, transmission, distribution, and customer care.
• Key management and governance processes, including planning, forecasting, management information, and reporting.
• Business continuity and disaster recovery.
• Ongoing vulnerability, security, and safety exposure, particularly in the information technology and facilities areas.

The risks associated with operations often arise from the management of physical assets (generation plants, pipelines, transmission and distribution assets, information technology, and facilities) associated with an energy company’s core operations. Key processes include outage management, asset management, field operations, and business continuity. Supporting process effectiveness and control is critical to managing risks across these processes.

Of course, these processes are very diverse and they require specialized skill sets to perform, so they are not the primary responsibility of the risk-management function. Instead, they are the basis for a business partner role in which the risk-management function provides the framework, policies, and supporting infrastructure that enable the business to identify, manage, and balance operational risks within the context of overall corporate objectives and risk tolerance.

Key to the success of the business partner approach, however, is the risk-management function’s leadership in the area of management information and performance reporting.
The risk-management function must provide two key items to the operational areas: the risk-management guidance for developing risk metrics; and the means for timely and accurate reporting on those metrics. Risk-management staff need not be experts in, for example, outage management or field operations to contribute significantly to effective risk management in these areas. But they must be experts in translating the operational performance information provided by their operational colleagues into reasonable and measurable risk metrics. And they must develop the processes and systems to track and report on these operational risk metrics in a manner that is consistent with and integrated into the performance reporting for other areas of enterprise risk.

Figure 2: Risk Management Trading Model

An Operating Model

In addition to understanding the drivers of risk and identifying potential risk exposure and areas of focus, effective risk-management programs clearly define an overall operating model. This operating model defines the role of the risk-management function, how it interacts with the business and other corporate functions, the key risk-management processes, and the supporting infrastructure and analytic requirements. An effective operating model focuses on a number of key objectives, including:
• Outlining the overall risk-management strategy, objectives, and key policies for the company.
• Defining the role and responsibilities of the risk-management organization, how it interfaces with the businesses, the key reporting relationships, and the skill-set requirements.
• Identifying and defining risk-management processes, activities, and requirements.
• Developing an effective infrastructure that provides information and insight into business risks.
• Creating a comprehensive risk-management culture throughout the organization by aligning the risk-management function with business objectives.

Once the operating model has been created, the risk-management organization can focus on developing a systematic method for addressing enterprise risks. An important consideration that runs throughout the risk management cycle is the establishment of risk-performance metrics. Once metrics are established, risk monitoring and performance analysis at the enterprise level becomes more manageable and focused. While these metrics must be reassessed on a periodic basis, once the organization accepts the tracking of financial, operational, and regulatory risk in terms of tangible and achievable performance metrics, the benefits to the risk culture for management and staff can be substantial. By building these metrics into a balanced scorecard that determines financial rewards, the organization verifies that incentives are aligned with risk-management priorities.

To be most effective, risk management needs to be woven into the fabric of the organization. For energy companies, risk management cuts across the marketing, operations, and regulatory functions. Energy companies that recognize the interrelationships among the risks in each of these areas have the potential to become more effective at managing and balancing risks than those that view these related risks in isolation and can be more successful at instilling a risk-informed culture. The enterprise risk management framework provides a comprehensive approach for understanding, measuring, and managing risks across the organization and should be considered by any diverse energy company conducting business in today’s challenging energy markets.

About the Author

Chris Trayhorn, Publisher of mThink Blue Book

Chris Trayhorn is the Chairman of the Performance Marketing Industry Blue Ribbon Panel and the CEO of mThink.com, a leading online and content marketing agency.
He has founded four successful marketing companies in London and San Francisco in the last 15 years, and is currently the founder and publisher of Revenue+Performance magazine, the magazine of the performance marketing industry since 2002.