Understanding Risk Management

Greater recognition of the correlation among the risks in energy marketing activities,
asset management and operations, and the energy regulatory environment is necessary
for companies to better manage risk. These interrelationships have a significant
impact on business performance, financial results, and overall risk profile, so
energy companies need to take an enterprise-wide view of risk management.

To develop an effective enterprise risk management (ERM) framework, energy
companies need to understand the key internal and external factors that determine
exposure, identify the specific elements that affect their business, and define
a management model focused on key risk-management processes and supporting infrastructure.

A comprehensive framework should address the following key questions:

• What are the external and internal risk drivers that impact the company’s
overall risk profile?
• What are the elements of risk created by the risk drivers and how can
they be managed?
• What is the best risk-management operating model to manage the elements
of risk?

Risk Drivers

As in any business activity, risk in the energy industry arises from uncertainty.
The ERM framework defines these uncertainties as risk drivers, and they can
be divided into external drivers that are not within the company’s control and
internal drivers that arise from within the company.

External drivers for an energy company typically include prices and supplies
in the energy markets, the national- and state-level regulatory environments,
financial and regulatory reporting requirements, economic trends, and the types
of customers the company serves and their associated risk profiles. An added
layer of complexity has been added to these external drivers as energy companies
begin to operate in multiple energy markets and/or in multiple regulatory jurisdictions.

Internal drivers typically include the company’s business strategy, operating
model, degree of capitalization, and risk tolerance. Business strategy is a
key driver — for example, if the company’s strategy is to trade energy
only as a hedge rather than for profit or for market-making objectives, this
can significantly reduce the risks associated with trading operations. The risk
tolerance of the organization, as determined by directors and management, is
the linchpin between the business strategy and the actual measurement of the
risk exposure of the enterprise.

Elements of Risk — Financial

Financial risk is defined as the set of risks impacting the overall financial
performance and shareholder value creation capability of the company, including:

• Market risk
• Credit risk
• Liquidity risk
• Interest rate risk
• Currency exposure

Most financial risks are well-documented and do not require further description.
But two types of financial risk merit special mention given the dynamics of
today’s energy markets:

Liquidity Risk

In a wholesale market in which trading activity is significantly contracting,
liquidity risk is an important area of financial risk that can be difficult
to measure and manage. As the number of transactions and creditworthy counter-parties
decreases across commodities and locations, the ability to trade out of existing
unfavorable positions becomes a critical factor in maintaining value in a company’s
trading books and assets.

Liquidity risk must be managed in today’s market by monitoring the depth and
breadth of the market; if the market shrinks significantly, then liquidity risk
may increase to intolerable levels.

Retail Credit Risk

For those energy companies whose unregulated customer base includes retail
commercial and industrial (C&I) customers, the credit risk profile of smaller
C&I customers can be easily overlooked. But it is important to develop a deep
understanding of the small customer base and the credit risk that these types
of customers present — although each customer may be small, taken together
they can present a substantial volume of risk.

One key set of tools in this area is small-business credit-scoring models that
provide late-payment and/or business-failure measures for companies that might
otherwise pass through credit review screens. These models are commonplace in
industries such as financial services, but in many cases have yet to be adopted
by retail energy providers.

Customer and geographic concentration can also present a considerable retail
risk. If a significant portion of an energy company’s sales are concentrated
in a single or small number of customers, or in a particular geographic region,
the loss of one of these customers or a change in the local economy that affects
companies in that area can have an adverse effect on the energy company.

Figure 1: Energy Risk Management Framework

Elements of Risk — Regulatory

Regulatory risk is defined as the set of external regulatory actions and developments
that can substantially impact the financial and operational performance of the
company, including the revenue requirement, cost structure, and operational
processes. Regulatory risk arising from a variety of regulatory bodies is often
overlooked or insufficiently analyzed by energy companies, but must be addressed
to maintain and enhance shareholder value. These agencies include such groups
as FERC, state PUCs, the NRC, the SEC and various environmental agencies on
the state and federal levels.

With these many sources of regulatory risks, energy companies must carefully
determine how they can actively prevent or mitigate the negative impacts that
can result from changes in regulation. Companies should know the impact of the
regulatory market model on their own business models, understand the regulatory
climate in which they operate, and have a plan to shape regulatory policies
that affect them.

Most energy companies that are subject to regulation have a regulatory affairs
group responsible for responding to these needs. Although these groups are usually
effective in monitoring the regulatory environment, there are two typical problems
with the way these groups operate:

Isolation from Other Risk Management

Regulatory risk monitoring and management have traditionally been conducted
separately from the rest of the risk-management function in energy companies.
But this isolation prevents the company from analyzing and managing regulatory
risks in the context of the company’s overall risk profile — reducing the
company’s ability to both understand how regulatory risks are affecting various
activities and to engage in comprehensive risk hedging and management.

Failure to Quantify Regulatory Risks

Regulatory risks have traditionally been monitored and managed with little
or no analytical rigor applied to risk measurement and management.

Energy companies need to recognize that the impact of regulatory risks can
be estimated and analyzed by building relatively simple models that:

• Assign probabilities to the various potential outcomes for each regulatory
• Quantify the financial impacts to the company for each regulatory scenario
• Calculate the expected results and variance for each regulatory risk

Such modeling provides a better understanding of the financial impacts of regulatory
risks and can be combined with other risk modeling to allow for comprehensive
risk hedging and management.

Elements of Risk — Operational

Operational risk is defined as the set of risks to energy company operations
that can impact financial performance, customer reliability, ongoing operations
and business continuity, safety/environmental performance, and overall company

Focus areas typically include process capabilities and controls across the
following areas:

• Core operations, including generation, transmission, distribution, and
customer care.
• Key management and governance processes, including planning, forecasting,
management information, and reporting.
• Business continuity and disaster recovery.
• Ongoing vulnerability, security, and safety exposure, particularly in
the information technology and facilities areas.

The risks associated with operations often arise from the management of physical
assets (generation plants, pipelines, transmission and distribution assets,
information technology, and facilities) associated with an energy company’s
core operations. Key processes include outage management, asset management,
field operations, and business continuity. Supporting process effectiveness
and control is critical to managing risks across these processes.

Of course, these processes are very diverse and they require specialized skill
sets to perform, so they are not the primary responsibility of the risk-management
function. Instead, they are the basis for a business partner role in which the
risk-management function provides the framework, policies, and supporting infrastructure
that enable the business to identify, manage, and balance operational risks
within the context of overall corporate objectives and risk tolerance.

Key to the success of the business partner approach, however, is the risk-management
function’s leadership in the area of management information and performance
reporting. The risk-management function must provide two key items to the operational
areas: the risk-management guidance for developing risk metrics; and the means
for timely and accurate reporting on those metrics.

Risk-management staff need not be experts in, for example, outage management
or field operations to contribute significantly to effective risk management
in these areas. But they must be experts in translating the operational performance
information provided by their operational colleagues into reasonable and measurable
risk metrics. And they must develop the processes and systems to track and report
on these operational risk metrics in a manner that is consistent with and integrated
into the performance reporting for other areas of enterprise risk.

Figure 2: Risk Management Trading Model

An Operating Model

In addition to understanding the drivers of risk and identifying potential
risk exposure and areas of focus, effective risk-management programs clearly
define an overall operating model. This operating model defines the role of
the risk-management function, how it interacts with the business and other corporate
functions, the key risk-management processes, and the supporting infrastructure
and analytic requirements.

An effective operating model focuses on a number of key objectives, including:

• Outlining the overall risk-management strategy, objectives, and key
policies for the company.
• Defining the role and responsibilities of the risk-management organization,
how it interfaces with the businesses, the key reporting relationships, and
the skill-set requirements.
• Identifying and defining risk-management processes, activities, and requirements.
• Developing an effective infrastructure that provides information and
insight into business risks.
• Creating a comprehensive risk-management culture throughout the organization
by aligning the risk-management function with business objectives.

Once the operating model has been created, the risk-management organization
can focus on developing a systematic method for addressing enterprise risks.

An important consideration that runs throughout the risk management cycle is
the establishment of risk-performance metrics. Once metrics are established,
risk monitoring and performance analysis at the enterprise level becomes more
manageable and focused. While these metrics must be reassessed on a periodic
basis, once the organization accepts the tracking of financial, operational,
and regulatory risk in terms of tangible and achievable performance metrics,
the benefits to the risk culture for management and staff can be substantial.
By building these metrics into a balanced scorecard that determines financial
rewards, the organization verifies that incentives are aligned with risk-management

To be most effective, risk management needs to be woven into the fabric of
the organization. For energy companies, risk management cuts across the marketing,
operations, and regulatory functions. Energy companies that recognize the interrelationships
among the risks in each of these areas have the potential to become more effective
at managing and balancing risks than those that view these related risks in
isolation and can be more successful at instilling a risk-informed culture.

The enterprise risk management framework provides a comprehensive approach
for understanding, measuring, and managing risks across the organization and
should be considered by any diverse energy company conducting business in today’s
challenging energy markets. n