Enterprise-Wide Risk Management

The type, scope, and frequency of both internal and external risks facing the
energy and utility industry have increased significantly. To meet business objectives,
business leaders must now address new and different forms of business risks. Some
utilities have been able to successfully identify and manage risks during these
turbulent times, but unforeseen events and ever-changing market conditions fundamentally
altered other companies.

Many utilities today face difficulty managing their portfolio of regulated
and unregulated businesses. Traditional risks, within the core-regulated business,
typically include weather, commodity, and supply risks. These risks have for
the most part been successfully mitigated through regulatory devices and managed
through strong internal programs.

The redefined regulatory environment has created some of the new risk factors
that have emerged over the past several years. Retail competition created new
business opportunities to which some utilities funneled significant funding.
With these opportunities came additional risks for market participants that
included customer loyalty, pricing pressures, and regulatory uncertainty. With
lean budgets, low margins, and high expectations, the required risk management
and detailed mitigation plans were often neglected or omitted.

Recent events have compounded risks in the energy and utility industry and
highlighted the vulnerability of the industry’s employees and physical assets
to threats and terrorism. In addition, under the Sarbanes-Oxley Act of 2002,
corporations face harsher civil and criminal penalties if they misrepresent
or incorrectly state their financial earnings. Regulators are pressing companies
for better and more transparent risk reporting and for more formal, integrated,
and comprehensive risk plans.

The message to management and boards of directors of both public and private
companies is clear: the bar has been raised, and earnings surprises are not acceptable.
It is the responsibility of the board and the executive management team to ensure
that rigorous internal control and risk-management policies, practices, and
procedures are in place and are continuously updated and modified.

In this new and more volatile marketplace, the formulation of a comprehensive
enterprise-wide risk management (ERM) strategy is a key to business success
and stability. Enterprise-wide risk management is the means to apply active
risk management to all of the risks facing an organization. Many companies understand
this new imperative; a recent survey conducted by The Economist Intelligence
Unit and MMC Enterprise Risk found that 41 percent of companies have some form
of ERM. The survey also found that companies using ERM are more confident in
their ability to manage risk.

Business Objectives

Risk is the level of exposure, both known and unknown, to market uncertainties
that the organization must understand, identify, and effectively manage as it
executes its strategies to successfully achieve its business objectives. In
order for most energy companies to meet their goals and objectives, they must
face new challenges and take greater risks. However, if the risk-management
process is flawed, the company could suffer in the competitive marketplace.

Traditionally, companies adopted a silo approach to risk management. Responsibility
for managing various types of risk was assigned to the business or functional
unit with the greatest exposure. Business risk was assigned to the operating
units; insurable or transferable risk to the corporate risk-management department;
financial risks (market, interest rate, and so on) to treasury; and compliance
risk to legal. In traditional approaches, companies focused primarily on easily
measurable risks. Undefined or ambiguous risks, such as strategic and operational
risks, were often not coordinated or were overlooked. The risk-management strategy
for the individual risk was usually tacked onto existing business processes
without a uniform approach or a common risk language.

Enterprise-wide risk management is a disciplined and integrated approach that
supports the alignment of strategy, process, people, and technology. It allows
corporations to identify, prioritize, and effectively manage their critical

Enterprise-wide risk management allows the company to identify the risks it
must transfer through insurance or hedging programs, accept as is, reduce through
rigorous management practices, or simply reject by eliminating the process,
a product, or a geographical zone. Companies can then use risk as
a competitive weapon rather than viewing it only as a threat.

The cornerstone of this process is the creation of an infrastructure that is
the foundation for future work, including:

• Creation of corporate governance and oversight boards
• Explicit description of the company’s risk culture and risk propensity
• Policies and procedures to steer the process
• Common risk language to facilitate management
• Tools, techniques, and methodology to support ERM

The process can be individually tailored to each organization, but will contain
the basic steps necessary to identify, analyze, mitigate, and monitor the risks.
It is used to assess risks and can be applied to the organization as a whole,
to individual business areas, to processes, or to any other initiative where
a focus on the existing or potential critical risks is needed. As this process
is continuously executed within various parts of an organization, the resulting
information and data must be shared and used to continually improve not only
the process, but the effectiveness of the company in managing its risks.

For each key risk in the company, there is a process that continuously identifies,
prioritizes, and manages risk. The first step is for risk owners to identify,
assess, and prioritize the business risks facing the company. After the risks
have been sorted, management analyzes those risks that pose significant threats
or opportunities to the company and then creates strategies to best exploit
or avoid these risks. The strategies are based upon the company’s unique competencies
to manage certain kinds of risk.

Once the strategy has been developed, the company implements processes to measure
performance against the plan, monitors activities against policy, and reports
on the results to executive management and the board. The final piece in the
process is aggregation of the results across the major risk categories and the
integration into the decision-making process.

A critical part of all of these steps is the alignment of critical risks with
the organization’s strategies, goals, and objectives. This allows the organization
to understand, prioritize, and reach consensus on strategic objectives for either
the company as a whole or a specific business process within the company. This
will ensure that the risk-assessment process will be focused on those critical
risks that have the potential to either directly or indirectly impact the company’s
ability to achieve those objectives or to adversely affect the company’s ability
to take advantage of new opportunities.

The final component includes the integration of the results with other management
processes, such as strategic planning, major capital projects, mergers and acquisitions,
and new product development. A common failure of many efforts is the inability
to integrate ERM into the existing management processes. In the absence of such
integration, it can be perceived as a standalone practice without relevance
to the company’s critical processes.

Figure 1: Enterprise-wide Risk Management Framework

As risks continue to be identified and assessed across the organization, the
value to management is the ability to review and analyze consolidated risk data
in order to gain a company-wide perspective on specific risk issues or groups
of risks. Risk mitigation strategies can also be reviewed for gaps, duplication
of effort, or for best practices.

Risk output can be utilized as a key driver for strategic planning, identifying
possible initiatives needed to mitigate risks that can impair management’s ability
to meet key objectives. The risk-management process and metrics can also be
integrated with existing quality or process-improvement processes to identify
possible process-improvement projects or to create a more robust quality process.

However, ERM is more than a process for avoiding unfavorable outcomes; it is
anticipatory and proactive. It provides a process and a perspective to actively
support the realization of the company’s strategic objectives. It is not an
obstacle to taking risk. On the contrary, it allows companies to assume additional
risks. After implementing an ERM approach, management fully understands all
critical risks and how they can be proactively managed. It provides them with
tools and techniques to realistically balance risk/return trade-offs and
to quickly seize market opportunities.

A common misconception is that ERM transfers the responsibility for risk from
the line managers to a centralized, bureaucratic unit. The opposite is true.
A universal principle is that risk must be managed by the business unit that
incurs it. A properly functioning system ensures that the line managers understand
their risk management responsibilities, are given the tools to manage the risk
effectively, and are compensated based upon the success of their efforts.

An effective program should have three long-term objectives:

• Optimize the costs and efficiencies of risk management programs. The
new program should eliminate unnecessary controls, consolidate mitigation programs
across all functions, and focus the risk transfer and financing activities.

• Improve business performance. The new program should better align a company’s
risk programs with strategic objectives, provide more accurate measurement and
monitoring techniques, and reduce the volatility of outcomes.

• Establish a sustainable competitive advantage. It would give managers
the tools and processes to identify favorable risk-taking opportunities and
to quickly pursue them.

Organizational Structure

The board and senior management must actively and publicly support the program.
Without the guidance and devotion of upper management, the process will undoubtedly
fail. In addition, the process must be integrated into every aspect of an organization’s
business. If it occurs only within certain departments, the efforts could become
siloed, gaps could occur, there could be a breakdown in the approach, and the
company would not realize the benefits.

To achieve effective results, there needs to be an organized structure allowing
for open communication and discussion, cogent analysis and timely reporting,
and resolute decision-making. Each participant must have an unambiguous and
precise understanding of management responsibilities. Some of the key responsibilities

• The Board of Directors oversees the ERM process. Directors approve
the policies and procedures and the company’s risk tolerances and overall risk
strategy. In the new Sarbanes-Oxley world, a critical role will be to provide
more hands-on oversight to management.

• Executive Management defines the risk priorities; establishes the policies
and procedures and risk-measurement systems; and ensures the alignment of business
planning, risk strategies, and policies.

• The Risk Management Committee should define the roles of those involved.
The committee should establish ways to measure the success of the process. Once
the process is functioning, a key role of the committee should be to collectively
make decisions to manage, mitigate, accept, or transfer the critical risks.

• Risk Owners: Business line managers identify the risk within their
practices and assist executive management in risk prioritization and measurement.

The chief risk officer owns the process and is responsible for overseeing its
day-to-day operation. This officer is vital to the success of the solution because
he should be fully devoted to ensuring the alignment of the process with the
company’s business strategies and objectives. The officer should be responsible
for developing communication and training programs; implementing a common risk
language; designing policies for the plan’s operations; developing management
reports and performance measures; and implementing supporting change programs
and technology support. This chief risk officer:

• Doesn’t directly own responsibility for managing specific risks (other
than the risk he is presently assigned), but operates in a consultative and
collaborative manner.

• Works with others to understand, identify, assess, and improve the

• Supports the board, executive committee, and key operating managers
responsible for managing and monitoring risks.

• Prepares consolidated business risk reports (i.e., collects, aggregates,
summarizes, and assesses data regarding risk exposures and performance).

Plan Benefits

As a result of implementing an ERM program, senior management can expect the
following benefits:

• Improved Risk Assessment. It will provide an organization with a means
to understand, identify, and prioritize risks. Through risk mapping, management
will have better knowledge of its critical risks and their potential impact
on the company.

• Increased Risk Awareness. Because associates will have a common language
for describing risk and its potential effects, the company will be able to address
uncertainties in a timely fashion, before challenges such as class action lawsuits
explode and disrupt business.

• Reduced Number of Risk Incidents. An integrated ERM process will reduce
the number of risk incidents because management will be better equipped to handle
emerging challenges.

• Improvement in Risk Measures. Because an ERM process requires more
rigorous risk management, management will have more quantifiable measures of
risk exposures. This will result in better pricing and better capital allocation.

• Increased Competitive Advantage. Because a company with an ERM will
be more aware of its risks and opportunities, it will maintain a competitive
edge. It will be better equipped to handle challenges in a changing environment.