
Power & Utilities Spotlight — ERM roundtable addresses prevailing practices for identifying and managing risk

Published on: Apr 07, 2014

Issue 8, April 2014

The Bottom Line

  • As part of its efforts to understand the risks and challenges faced by enterprise risk management (ERM) professionals and their organizations, Deloitte hosted a power and utilities (P&U) ERM roundtable in February 2014. Participants shared their views on various ERM-related topics, including “top risks,” “emerging risks,” strategic risk management, third-party risk management practices, capital project program oversight, and benchmarking related to ERM organizational structure and practices.
  • In Deloitte’s view, there are three primary categories of risk that may affect an organization: (1) calculated risks, (2) imposed risks, and (3) self-inflicted risks. Calculated risks result from an organization’s strategic and operational choices; imposed risks are associated with unavoidable external factors; and self-inflicted risks result from day-to-day operations, decisions, and behaviors of an organization’s team.
  • Understanding top risks is key to an effective ERM program. During the roundtable, the Deloitte ERM Energy and Resources leader and three industry ERM professionals facilitated a discussion of the top risks facing their companies. The discussion highlighted that it was important for companies to consider both broad and organization-specific factors when determining an approach for identifying and managing top risks.
  • An organization’s understanding of emerging risks can serve as a potential early-warning system for significant changes in the business, marketplace, and regulatory landscape. When searching for potential emerging risks, ERM professionals should use available internal and external data to better understand trends that might be indicative of these risks.
  • More than half of the roundtable participants believe that ERM is at least somewhat aligned with an organization’s strategy and almost one-third think that the two are strongly aligned. The roundtable discussion thus addressed successful tactics that participants have used to integrate ERM into their corporate strategy development activities to help protect and create value.
  • The global demand for energy and related infrastructure will strain talent, equipment, and resources domestically. As a result of this demand, U.S. companies may encounter risks as well as opportunities.

Beyond the Bottom Line

Overview

ERM continues to be critical for many business organizations, especially P&U companies. As part of its efforts to understand the risks and challenges faced by ERM professionals and their organizations, Deloitte’s Enterprise Risk and Compliance Management Services team has hosted a P&U ERM roundtable series for the past five years. The primary goal of this series is to discuss leading practices, trends, and innovative solutions related to ERM in the P&U sector.

Most recently, more than 40 ERM professionals from over 30 companies convened at Entergy’s corporate offices in New Orleans, Louisiana, to attend the February 2014 roundtable. Deloitte professionals, as well as ERM industry leaders, facilitated discussions about several issues that directly affect ERM professionals. Participants shared their views on defining, identifying, characterizing, monitoring, and reporting on “top risks” and “emerging risks.” Other risk management topics covered during the roundtable included strategic risk management, third-party risk management practices, capital project program oversight, and benchmarking related to ERM organizational structure and practices.

In addition, a keynote speaker offered his perspectives on (1) the current energy mix compared with the energy mix that is expected 25 years from now; (2) how the demand shift from mature economies to emerging economies may put pressure on global needs related to equipment, materials, and human capital; and (3) the supply needs in the United States and the factors that affect these needs.

Deloitte set the stage for the discussion by holding a brief pre-roundtable poll on the key attributes of an organization’s ERM environment. The poll questions covered four broad categories: (1) people, (2) integration, (3) processes, and (4) technologies. While some of the more relevant questions and related poll results were discussed in a separate session, many were incorporated into the overall theme of the roundtable.

Understanding Risk Categories

In Deloitte’s view, there are three primary categories of risk that may affect an organization: (1) calculated risks, (2) imposed risks, and (3) self-inflicted risks. The chart and discussion below summarize each of these risk categories, including their net effect, expected threats and rewards, and controllability.

Risk Categories

[Chart: Risk Categories, summarizing the net effect, expected threats and rewards, and controllability of calculated, imposed, and self-inflicted risks]

Calculated Risks

These risks result from an organization’s strategic and operational choices. Because they typically increase an organization’s opportunity, these risks generally provide value. However, calculated risks can occasionally pose a threat to an organization’s operations. Examples of calculated risks include entering new markets, introducing new products or services, capital expenditures, and adopting new technology.

Imposed Risks

These risks are associated with unavoidable external factors (e.g., a weather event or other catastrophe, regulatory changes, new laws) and therefore pose a threat to an organization. However, imposed risks can occasionally result in opportunities at an organization, thereby providing value. For example, a change in an energy mix resulting from a regulatory mandate (e.g., the need to produce 20 percent of all power by using renewable sources) may open up new opportunities for an organization (e.g., introduction of a new product or service based on solar energy), or a well-managed response to a catastrophic event may enhance the organization’s reputation among customers, regulators, and industry professionals.

Self-Inflicted Risks

These risks result from day-to-day operations, decisions, and behaviors of an organization’s team (e.g., poor judgment, compliance gaps). Although such risks do present a threat, they are generally more internally controllable than the other types of risks discussed above.

Snapshot of Topics Discussed

Top Risks and the Impact on ERM

Understanding top risks is key to an effective ERM program. During the roundtable, the Deloitte ERM Energy and Resources leader and three industry ERM professionals facilitated a discussion of the top risks facing their companies. Key topics of the session included (1) defining a top risk, (2) reasons why a risk is considered a top risk, (3) approaches for identifying top risks, (4) methods for handling and monitoring top risks, and (5) practices for reporting on top risks. The discussion highlighted that it was important for companies to consider both organization-specific and broad factors when determining an approach for identifying and managing top risks. Examples of organization-specific factors that companies should consider when identifying top risks may include prior experiences, local politics, service area, and weather conditions. Broad factors may include an organization’s stakeholders, objectives, and business strategy.

An organization’s key stakeholders may influence its objectives, goals, and strategy related to the determination of top risks. For example:

  • Customers may be concerned about safe and reliable energy services.
  • Vendors and suppliers may be interested in maintaining a sustainable and profitable business relationship with an organization; thus, they may focus on an organization’s financial and operational performance.
  • The local community in the service territory may focus on environmental impact and sustainability of services.
  • Shareholders and investors may be interested in profit, return on investment, and growth.
  • Government and regulators may be interested in reliability, safety, and reporting transparency and prudence.

Key attributes for an organization to consider when defining its objectives, business strategy, and relevant risk areas include (1) its strategic priorities; (2) its risk culture; (3) management’s approach and expectations; (4) regional politics, obligations, and requirements; and (5) prior experiences with internally inflicted and externally imposed risks.

Key Takeaways: Companies may differ in their risk reporting practices. While certain companies may choose to categorize their risks into broad themes and groups, others may prefer management to provide detailed risk scenario reporting. Although most companies prioritize risks on the basis of their residual level, certain risks are so critical that even effective mitigating efforts do not influence the risk’s overall priority rating. For example, although companies spend millions of dollars to ensure that their services are safe and reliable, reliability risk is often considered a top risk.

Emerging Risks

The session began with a presentation of data on key aspects of emerging risks. For example, more than 90 percent of participants indicated that their organization has a process for identifying, monitoring, and reporting on emerging risks. Of these participants, about 60 percent assess emerging risks in combination with other risks and 33 percent assess emerging risks separately. When asked how many emerging risks they include within their risk inventories, about half the participants responded that they had fewer than three.

Facilitators highlighted that activities related to emerging risks can ultimately be an indicator of significant changes to the business and thus can often prompt an organization to reassess or update corporate strategy and take advantage of future business opportunities and prepare for threats (e.g., distributed generation, customers’ energy consumption behavior, federal and state energy policies).

The discussion then turned to different approaches to managing emerging risks. During this portion of the discussion, ERM professionals from two companies (labeled as Company A and Company B below) elaborated on their (1) definition of emerging risk, (2) identification of emerging risks, (3) process for managing and reporting on emerging risks, and (4) board reporting on emerging risks.

Definition of Emerging Risks

The two organizations had different perspectives on how the term “emerging risk” should be defined. Company A’s definition is very specific: “A risk which has been identified but is not defined well enough to fully understand the impact to the Company or to begin addressing long-term mitigation strategies.” In contrast, Company B does not have a definition that distinguishes emerging risks from other significant risks. Rather, Company B identifies, monitors, and reports on emerging risks in conjunction with other top strategic risks.

Identifying Emerging Risks

Similarly, each organization uses a different approach to identify emerging risks. Company A finds that external research and workshops are the best method of identifying emerging risks, whereas Company B uses a combined “top-down” and “bottom-up” approach (i.e., potential risks are identified at the executive and board-of-directors levels, ideas are generated at other levels of the organization, brainstorming sessions are conducted).

Process for Managing and Reporting on Emerging Risks

Each of the two organizations has its own methods for tracking and reporting on emerging risks. Company A uses a customized emerging-risk map that categorizes the risks by significance (e.g., medium or high risk) and by stages (e.g., preliminary, developing, advancing, and defined). In contrast, Company B employs a tiered approach that incorporates the organization’s emerging risks into its normal risk portfolio; under this approach, each risk is color-coded on the basis of its significance within a tiered structure.

Board Reporting on Emerging Risks

The two companies have similar approaches for reporting on emerging risks to the board of directors. At Company A, the ERM organization reports to the ERM committee of the board of directors on a quarterly basis. The ERM committee is chaired by the chief risk officer and consists of business unit presidents, the CFO, and the executive vice president and general counsel. Similarly, Company B’s ERM organization discusses emerging risks on a biweekly basis with the risk management committee (RMC). The RMC then, on a quarterly basis, conducts reviews of the organization’s top-risk mitigation strategies, reporting the results of its reviews to the board’s audit and risk management committee.

Key Takeaways: An organization’s understanding of emerging risks can serve as a potential early-warning system for significant changes in the business (e.g., operations, technology), marketplace, and regulatory landscape. When searching for potential emerging risks, ERM professionals should use available internal and external data to better understand signals and trends that might be indicative of new or emerging risks. Some companies are using tools (e.g., risk sensing) to proactively identify trends related to emerging risks.

There are a number of possible approaches for identifying emerging risks, including a top-down, bottom-up, or combined approach. Similarly, companies use various approaches to monitor emerging risks (e.g., some companies use a separate process, while others consider emerging risks to be part of the organization’s overall risk assessment and monitoring process). Regardless of the specific approach they use, ERM professionals should have a process in place for systematically identifying and monitoring emerging risk considerations within their organizations.

Strategic Risk Management

The facilitator outlined the following four risk categories that should be addressed as part of strategic risk management:

  • Risks to the strategy — Risks that might prevent the execution of an organization’s strategy. ERM can help companies identify potential risks related to meeting strategic objectives.
  • Risks of the strategy — The strategy itself may present a risk. For example, the business model assumptions underlying the strategy may either change or no longer be valid. By using ERM, companies can challenge, stress-test, and monitor trends related to the strategy’s underlying assumptions.
  • Risks from the strategy — Risks that might result from the execution of the strategy, including potential unforeseen consequences.
  • Risks that strategy is not aligned — Misalignment of individual goals, objectives, or organization functions and business units with strategic initiatives, underlying assumptions, and risk management practices throughout an organization.

More than half of the roundtable participants believe that ERM is at least somewhat aligned with strategy and almost one-third think that the two are strongly aligned. The roundtable discussion thus addressed successful tactics that participants have used to integrate ERM into their strategic development to help optimize value creation and protection. Successful integration of ERM will depend on its expansion to various levels of an organization (i.e., not only within the corporation but within the various business functions/units) and on whether it can be used to monitor business model risk in addition to more traditional risks.

Key Takeaways: Incorporating ERM into an organization’s strategy process is a practical step in the optimization of ERM value. To embed ERM within the strategic planning process, companies may need to change their current ERM structure and competencies as well as reassess their existing ERM program’s practices and capabilities. Most roundtable participants conceded that while their ERM programs generally focus on risks to their organization’s strategy, not as much effort is spent on supporting and monitoring risks of or risks from the strategy activities.

Third-Party Risk Management

Third-party risk management is the process that an organization uses to evaluate and manage the risks associated with its contractors, consultants, vendors, and suppliers (collectively, “vendors”). Vendor management presents both an operational and a strategic risk to an organization, especially in significant, capital-intensive projects. Risks associated with vendor management may include quality, safety, financial health/long-term viability, ethics, financial performance, meeting objectives and service levels, and invoicing in compliance with contractual agreements. Because vendor management is addressed at various levels of an organization, it is important for organizations to have appropriate coordination and monitoring mechanisms in place. Organizations should also have a process in place for identifying vendors that pose the greatest financial, operational, and reputational risks.

Approach to Vendor Management

One facilitator discussed her view on vendor management and shared the process employed by her ERM team. One of the most important components of her approach is establishing a corporate culture in which management is involved in all aspects of the planning and execution of capital projects, including risk identification. The second important part of her approach is incorporating the vendors themselves into the organization’s culture by including them in the project plan and oversight structure. In fact, in some instances, the vendors themselves were made the responsible party in the project plan. By assimilating vendors into the organization’s culture and holding them accountable, her organization has seen a noticeable improvement in project efficiency and cost control.

Using Data Analytics to Monitor Third Parties

Deloitte professionals offered their perspective on ways to enhance vendor management by using data analytics to monitor and evaluate vendor-related costs and operational activities. For example, many organizations have established a contract compliance monitoring function to address risks related to whether vendors/suppliers are invoicing in accordance with contractual terms and whether invoiced goods and services have been received. The goal of such measures is to identify not only potential overcharges but also opportunities to add or enhance processes or controls to reduce the risk of future overcharges. In addition to their internal functions, companies can take advantage of various vendor management services offered by third-party service organizations.

Data analytic tools can help companies more efficiently and effectively identify discrepancies in vendor charges. The results of data analytics can help companies improve their processes and controls related to procurement, operations, and finance and optimize their risk identification, management, monitoring, and reporting practices.
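The contract-compliance checks described above, as an added example that is not Deloitte’s code or a tool from the roundtable: it runs a handful of invoice-to-contract rules over constructed sample data. The vendors, items, contract prices, receiving records, and invoice numbers are all hypothetical; the rules (price above contracted rate, missed volume discount, duplicate invoice number, and quantity billed in excess of quantity received) are the kinds of checks a contract compliance monitoring function typically automates.

```python
"""Contract-compliance checks over vendor invoice lines.

Added example (not from the Deloitte roundtable). All contract terms,
receiving records and invoice lines below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ContractTerm:
    vendor: str
    item: str
    unit_price: float        # contracted price per unit
    discount_threshold: int  # quantity at which a volume discount applies (0 = none)
    discount_pct: float      # percent discount once the threshold is reached


@dataclass(frozen=True)
class InvoiceLine:
    vendor: str
    invoice_no: str
    item: str
    qty: int
    unit_price: float


@dataclass(frozen=True)
class Finding:
    invoice_no: str   # "*" for findings aggregated across invoices
    item: str
    kind: str
    amount: float     # estimated overcharge exposure in currency units


# Constructed contract schedule (hypothetical vendors, items and prices).
CONTRACT = {
    ("TransformerCo", "step-up transformer"): ContractTerm("TransformerCo", "step-up transformer", 120000.0, 0, 0.0),
    ("TransformerCo", "bushing"): ContractTerm("TransformerCo", "bushing", 850.0, 50, 5.0),
    ("LineCrew LLC", "crew-hour"): ContractTerm("LineCrew LLC", "crew-hour", 95.0, 0, 0.0),
}

# Constructed receiving records: quantity actually received per (vendor, item).
RECEIVED = {
    ("TransformerCo", "step-up transformer"): 2,
    ("TransformerCo", "bushing"): 60,
    ("LineCrew LLC", "crew-hour"): 400,
}

# Constructed invoice lines seeded with one of each discrepancy type.
INVOICES = [
    InvoiceLine("TransformerCo", "INV-1001", "step-up transformer", 2, 120000.0),
    InvoiceLine("TransformerCo", "INV-1002", "bushing", 60, 850.0),   # volume discount not applied
    InvoiceLine("LineCrew LLC", "INV-7730", "crew-hour", 420, 95.0),
    InvoiceLine("LineCrew LLC", "INV-7731", "crew-hour", 10, 110.0),  # above contracted rate
    InvoiceLine("LineCrew LLC", "INV-7730", "crew-hour", 420, 95.0),  # duplicate of INV-7730
]


def expected_unit_price(term: ContractTerm, qty: int) -> float:
    """Contracted price for this quantity, applying the volume discount if earned."""
    if term.discount_threshold and qty >= term.discount_threshold:
        return round(term.unit_price * (1 - term.discount_pct / 100), 2)
    return term.unit_price


def audit_invoices(invoices, contract, received):
    """Return a list of Finding objects for every rule the invoice set violates."""
    findings = []
    seen = set()
    invoiced_qty = defaultdict(int)  # quantity billed per (vendor, item), duplicates excluded
    for line in invoices:
        key = (line.vendor, line.invoice_no, line.item)
        if key in seen:  # same invoice number presented twice
            findings.append(Finding(line.invoice_no, line.item, "duplicate_invoice",
                                    round(line.qty * line.unit_price, 2)))
            continue
        seen.add(key)
        term = contract.get((line.vendor, line.item))
        if term is None:  # billed item has no contractual basis at all
            findings.append(Finding(line.invoice_no, line.item, "no_contract_term",
                                    round(line.qty * line.unit_price, 2)))
            continue
        expected = expected_unit_price(term, line.qty)
        if line.unit_price > expected:
            findings.append(Finding(line.invoice_no, line.item, "price_above_contract",
                                    round((line.unit_price - expected) * line.qty, 2)))
        invoiced_qty[(line.vendor, line.item)] += line.qty
    # Three-way match: total billed quantity must not exceed quantity received.
    for key, qty in invoiced_qty.items():
        got = received.get(key, 0)
        if qty > got:
            rate = contract[key].unit_price
            findings.append(Finding("*", key[1], "qty_exceeds_received", round((qty - got) * rate, 2)))
    return findings


def total_exposure(findings) -> float:
    """Sum of estimated overcharge across all findings."""
    return round(sum(f.amount for f in findings), 2)


if __name__ == "__main__":
    for f in audit_invoices(INVOICES, CONTRACT, RECEIVED):
        print(f"{f.kind:22} {f.invoice_no:9} {f.item:22} {f.amount:>10.2f}")
    print("total exposure:", total_exposure(audit_invoices(INVOICES, CONTRACT, RECEIVED)))
```

The quantity check is deliberately aggregated per vendor and item rather than per invoice, because split billing (several small invoices that together exceed the quantity received) is invisible to a line-by-line comparison.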

Holistic Approach to Project Management

The final topic discussed during this session was the emerging practice of assessing whether there is sufficient oversight and governance in a project. The overall purpose of this approach is to identify characteristics that may need to be modified, implemented, monitored, or enforced so that a project can achieve its goals. While organizations can employ internal project data to perform such an analysis, they may also consult third-party service organizations, which may use a large database of project benchmark attributes to help management manage risk and highlight areas where additional controls may be required.

Key Takeaways: Organizations can use vendor audits that include data analytics to improve the efficiency and effectiveness of their monitoring of vendor and project risks. In addition, a vendor’s “conversion” to an organization’s culture may further optimize the efficiencies, quality, and cost management efforts of the organization’s vendors and service providers. Alignment of ERM practices with vendor management activities may enable an organization to use a more systematic, consistent, and proactive approach in managing, monitoring, and reporting on third-party risks.

Strategic Risks and Opportunities in Energy

One of the keynote speakers, Deloitte’s P&U U.S. Sector leader, offered his views on strategic risks and opportunities in energy. His discussion focused on the expected global demand for energy in 25 years but also addressed domestic energy demand during that same time frame.

Global Demand on the Horizon

The keynote speaker began by comparing the expected future energy mix with the current one:

Current Mix                    Future Mix (25 Years)
Fuel             %             Fuel             %
Coal             34            Oil              30–33
Oil              26            Natural Gas      25–30
Natural Gas      23            Coal             17–20
Biofuel           9            Nuclear           7–10
Nuclear           3            Biofuel           5–8
Hydroelectric     2            Renewables        3–7
Renewables        1            Hydroelectric     2–3

The table illustrates, for example, that while coal, oil, and natural gas are expected to remain the top three energy sources in 2040, oil is expected to supplant coal as the dominant source and use of coal is expected to drop significantly.

On a related note, energy infrastructure will have a different look. Developed countries are likely to have a mature infrastructure whereas emerging countries will still be expanding and developing their production, transmission, and distribution systems. The global demand for energy and related infrastructure will strain talent, equipment, and resources domestically. As a result of this demand, U.S. companies may encounter risks as well as opportunities.

In preparing for potential risks, U.S. companies should consider the following key questions:

  • How will expansion elsewhere affect a domestic company’s ability to obtain components or other infrastructure-related materials from its suppliers? Who will be the suppliers of these components?
  • What impact will global development have on available talent? Where will this talent be located?
  • Which buyers are competing with U.S. companies? How will this competition affect pricing and availability?

While considering and mitigating risks associated with the increased global development and demand are of paramount importance, it is equally important for domestic companies to develop a strategy to prepare for the effects of the increased demand on talent, equipment, and resources. Further, domestic companies might want to consider whether there are any related business opportunities that might align with their strategic vision.

Domestic Demand in 25 Years

Despite the ever-increasing use of technology in North America, the demand for energy is expected to flatten out 25 years from now. While this may appear counterintuitive, technological improvements and changes in consumer practices are expected to result in greater efficiency and reduced energy usage. For example, the continued development and use of smart components and analytic algorithms are expected to increase efficiency and asset longevity and to improve cost trends related to operations and maintenance, which will curtail the need for more energy. Similarly, material science is expected to continue to improve energy efficiency (e.g., the introduction of system-smart nanotechnology, advanced energy-friendly materials, and better lubricants).

Key Takeaways: Companies should consider how future trends (e.g., energy mix changes) may affect the strategic risks they face and adapt accordingly. Further, companies should consider potential opportunities that may result from the increased global demand for talent, equipment, and resources. In doing so, companies may identify calculated risks that ultimately generate value. ERM professionals should attempt to facilitate, identify, monitor, and report on these risks.

Thinking Ahead

The Deloitte P&U industry team will continue to monitor current and future ERM-related activities. The next ERM roundtable is tentatively scheduled for October 2014. For more information about this roundtable series, please contact us at nationalutilitiesermroundtable@deloitte.com.
