Power & Utilities Spotlight — Addressing a board’s changing expectations for managing risk

Published on: 12 Oct 2017


The Bottom Line

  • As the power and utilities (P&U) sector continues to experience change (e.g., evolving regulatory requirements, changing customer behaviors and demands, and an increased focus on decentralization of the grid), enterprise risk management (ERM) professionals are expected to help their organizations prepare for, respond to, and take advantage of that change, and to help meet their boards' rising expectations for monitoring and reporting on uncertainties.
  • Leading practices in the industry are evolving to include aligning ERM with strategy, establishing a strong risk culture, and enhancing transparency in risk reporting by leveraging the updated COSO¹ ERM framework.
  • Advanced ERM capabilities (such as bow-tie analysis, key risk indicators (KRIs), and a risk correlation framework) provide a platform for gaining deeper insight into (1) dependencies and shifts among risks and (2) current and emerging enterprise-level risks. These emerging practices allow an entity to make more disciplined, risk-informed decisions that maximize the potential for both value protection and value creation for the organization's stakeholders.

Beyond the Bottom Line


Deloitte has been hosting a risk management roundtable series for the P&U sector for the past nine years. The primary goals of this series are to discuss lessons learned, identify trends, promote innovation, perform benchmarking/studies, facilitate networking within the industry, advance risk management practice, and enhance the value of the ERM function.

The most recent roundtable was held in April 2017 at the Deloitte & Touche office in New York. Deloitte and more than 30 risk professionals representing more than 20 companies discussed (1) the changing nature of the industry, (2) the updated COSO ERM framework, (3) how boards should respond to change, (4) how to enable a more advanced ERM program, and (5) key ERM tools and techniques. In addition, during an open session, participants shared how their risk management functions are helping achieve their organization's strategic objectives and discussed the role of the risk function in managing strategic risks.

Even though the maturity levels of the participant companies' ERM programs varied, common themes emerged in the discussions, including (1) how ERM can provide value in identifying and addressing emerging risks in the sector and (2) that an effective ERM program focuses on advanced risk management capabilities, such as predictive risk analysis.


Industry Perspective

To kick off the roundtable, an executive discussed the implications for the P&U sector of uncertainties such as new regulations, rapidly changing technology, better-informed customers, and greater stakeholder expectations. Unprecedented events, such as severe hurricanes, continue to weigh on the minds of industry leaders, while business model changes such as digitalization pose both risks and opportunities.

To manage the more nebulous risks, industry leaders must understand the level of each risk, its possible outcomes, and how to respond to those outcomes as they unfold. Investment decisions should be matched to risk mitigation efforts on the basis of the company's risk appetite.

Although the sector is experiencing increased pressure, utilities still have the advantage that electricity demand is a "need," not a "want." Consumers want clean energy, affordability, reliability, and customization but are still very much reliant on utilities and the grid as their primary source of electricity. As consumers shift to being more informed, it becomes even more important for leaders to challenge biases and the status quo.

Understanding uncertainties and incorporating risk into strategic decisions will be critical for the success of P&U entities in the current changing landscape.

New COSO ERM Framework and the Board's Role in Addressing Risk

The new COSO ERM framework emphasizes the alignment of risk with strategy by focusing on five key components: risk governance and culture; risk, strategy, and objective setting; risk in execution; risk information, communication, and reporting; and monitoring ERM performance. The new framework simplifies the ERM definition, renews the focus on integration, emphasizes value, and examines the role of culture.

The key differences from COSO's 2004 framework include the (1) elevation of the role of ERM when an entity is setting and executing strategy, (2) alignment of performance and ERM, (3) use of better reporting techniques, and (4) promotion of data analytics use. These changes are primarily in response to the increasing complexity of the P&U risk universe, the emergence of new risks, and the shifting priorities that boards have in responding to risk.

The new COSO ERM framework supports the growing emphasis in risk management on an entity's making risk-informed decisions when shaping its strategy. Approximately 64 percent of roundtable participants viewed strategy as the best component addition to the new framework. The alignment of risk with strategy elevates the role of risk in leadership's conversations; emphasizes the connections among risk, strategy, and value; and provides a new lens for evaluating how risk informs strategic decisions.

Throughout the roundtable, participants discussed how a company's value is measured not just by its financial performance but also by the confidence investors and consumers have in the company's management. Understanding a strategic risk's impact on total shareholder value is therefore critical to gauging the full consequences and severity of that risk.


Industry Perspective

Strategic risks can present themselves as simultaneous risks and opportunities. As a participant noted, one strategic risk of concern is business model risk: "What investments you make today have an impact. You don't want stranded assets." An effective strategic risk program can support a board's ability to respond to changing operating environments, emerging risks, and complex capital decisions.


Key Takeaways

  • An effective strategic risk framework can provide actionable insights, influence business resiliency, and help sustain market value.
  • The new COSO ERM framework promotes long-awaited discussion on how risk culture can be measured to improve risk awareness and how it can inspire desired behaviors.

How a Strong ERM Program Can Help

Boards are searching for innovative ways to manage emerging risks, and they consider risk to be an integral part of strategic business decisions. Some of the questions being asked include:

    • How can we find the unexpected before it finds us?
    • How prepared is our company for the risks and opportunities that lie ahead?
    • How should we define our appetite and tolerance for risk?

The ERM function can become an informed business partner in the quest to answer these questions by facilitating the right conversations, providing actionable insights, enhancing risk alignment throughout the organization, and challenging the biases and assumptions of internal stakeholders. For this to happen, however, the ERM program must be well integrated and aligned with the rest of the organization. In a roundtable poll, not a single participant felt that his or her company's ERM efforts were well integrated, while 22 percent felt that the efforts were not integrated at all.

Establishing a clear understanding of what the ERM function accomplishes is critical to achieving this alignment and integration. Only 7 percent of the roundtable participants indicated that their stakeholders really understand the role ERM plays and how it brings value to the organization, while 86 percent felt that some stakeholders understood the role but that more education was still necessary. In describing the progress of his company's ERM program within the past few years, one participant noted that adopting certain leading practices helped elevate the role of risk, including setting a "tone at the top" and increasing the focus on risk quantification.


Industry Perspective

One engineering lead from a P&U company shared his experience of how ERM can successfully partner with a business unit. His team has been focused on managing the risk of manhole explosions and has used ERM principles and processes to monitor, report on, and mitigate this risk.

By understanding the factors that increase the risk of manhole explosions (e.g., lack of maintenance and poor monitoring capabilities), the engineering team is better able to track the risk and determine where to prioritize its resources. In addition, a thorough tracking of mitigation efforts and risk levels allows for accurate and consistent reporting to leadership, which maintains a strong interest in this risk because of the major potential impacts to safety, brand, and reputation.


Key Takeaways

  • A strong ERM program should include (1) a solid foundation with formal risk governance; (2) defined processes and procedures with clear roles, responsibilities, and expectations; and (3) a clear taxonomy and definitions.
  • Developing well-thought-out scenarios designed to highlight unexpected risks allows organizations to consider the likelihood and potential impact of strategic risks.
  • "Stress testing” the assumptions underlying new strategies or initiatives can assist companies in understanding unintended consequences of certain decisions.
  • An ERM program that can help a company frame, assess, and manage risks to its business model and strategic objectives can improve the company's resilience and its ability to monitor market shifts and trends for proactive reporting to executive leadership.

Enabling More Effective Risk Response and Monitoring of Risk Trends

As companies' risk programs mature and function less as mere risk repositories, the bow-tie analytical approach can serve as a structured platform for working through a strategic risk: the root causes and triggers that lead to the risk event on one side, the consequences that follow it on the other, and the controls that sit between them. The value of using this approach comes from its ability to bring together cross-functional stakeholders to frame the risk and to enable knowledge transfer, which promotes buy-in.

A key component of this approach is an entity's ability to monitor risk trends through KRIs, metrics that measure the presence, state, or trend of a risk condition. KRIs should reflect objective measurement rather than subjective judgment, be readily understood and communicated, and have values that are comparable over time. Seventy-two percent of participants polled are seeing demand in their organizations for the ERM function to facilitate discussions about KRIs. When KRIs are effectively designed and used, they have predictive value and can act as early-warning signals of a possible change in an organization's risk profile.

Many organizations track metrics of some kind, though KRIs are often confused with KPIs (key performance indicators): a KPI measures how well an activity is performing against an objective, whereas a KRI measures exposure to a risk condition and is chosen for its leading, early-warning value. The graphic in the original article illustrates the difference between the two.

While ERM professionals in the P&U sector continue to advance their risk practices, risk correlation is beginning to be recognized as a valuable tool, although only 31 percent of the participant companies incorporate risk correlations within their ERM assessments. Participants have found that the biggest challenges in initiating such discussions are a lack of resources and a lack of stakeholder engagement.


Industry Perspective

One participant discussed how his company implemented a risk correlation framework for its top 10 enterprise risks by building onto the bow-tie approach. The root causes and drivers the company identified through the bow-tie process helped show interdependencies among multiple subrisks. The pilot program that was introduced at one of the business units avoided workshop "fatigue" by incorporating risk correlation discussions into the risk assessment process. Deploying a defined framework to identify potential interdependencies within the overall risk portfolio helped optimize the allocation of resources for mitigation and response plans.


Key Takeaways

  • ERM professionals leverage KRIs and bow-tie analysis ("deep dives") to provide a structured approach to managing key enterprise risks.
  • Many roundtable participants use or plan to use deep dives to showcase the value of their ERM programs and to demonstrate their ability to bring together an organization's various functions in developing (1) comprehensive insight into risks, (2) transparent linkage and potential gaps related to risk mitigation strategies, (3) meaningful ways to monitor risk trending, and (4) an understanding of the levels of risk correlation or interaction.
  • Outcomes of bow-tie analysis such as KRIs are used for various levels of reporting and "dashboarding" throughout organizations.


Risk is an inherent part of business — it is unavoidable, but it can be addressed if an entity proactively manages uncertain events. Leading ERM programs enable risk-informed decisions and look to align with strategic planning to understand the risks that could affect key business decisions. For an ERM program to be effective, support from senior leadership and the board is vital to ensure that a culture of risk management permeates throughout the organization.

Thinking Ahead

The Deloitte P&U sector team will continue to monitor current and future risk-related activities as well as host roundtable events that give P&U risk professionals an opportunity to share prevailing practices with others in the industry. The next risk management roundtable will be held in October 2017.

For more information about this roundtable series, please send an e-mail to the P&U team at nationalutilitiesermroundtable@deloitte.com or reach out directly to Dmitriy Borovik at dborovik@deloitte.com.


If you have questions about this publication, please contact the following Deloitte industry professionals:

Dmitriy Borovik
Managing Director
Deloitte & Touche LLP
+1 212 436 4109

Brian Murrell
Deloitte & Touche LLP
+1 212 436 4805

Asma Qureshi
Senior Manager
Deloitte & Touche LLP
+1 212 436 7659


¹ Committee of Sponsoring Organizations of the Treadway Commission. The updated framework referred to in this article is COSO's 2017 Enterprise Risk Management — Integrating with Strategy and Performance, which superseded the 2004 Enterprise Risk Management — Integrated Framework.

