Power & Utilities Spotlight — An overview of Deloitte’s October 2013 P&U ERM roundtable

Published on: 19 Nov 2013

Download PDFIssue 6, November 2013

The Bottom Line

  • As part of its continuing efforts to understand the risks and challenges faced by enterprise risk management (ERM) professionals and their organizations, Deloitte hosted a power and utilities (P&U) ERM roundtable in October 2013. More than 50 ERM professionals from over 25 companies attended the roundtable and shared their views on various topics related to ERM for utilities.
  • Participants agreed that although most organizations recognize the importance of promoting risk culture, many have not established systems for continually monitoring changes in their risk culture and are therefore not in a position to proactively identify and respond to certain potential risks.
  • Although many participants use new and improved methods to quantify risk, most believe that a risk assessment should focus equally on qualitative factors, including an evaluation of the assumptions applied in a quantification model.
  • In discussing risk-based prioritization for initiatives and projects, participants agreed that there is a difference between a simple ranking of projects and a full-blown optimization that addresses project interdependencies, impact of deferral, alternative project versions, and other portfolio complexities.
  • Participants agreed that a clear definition of regulatory risks is essential to developing effective risk management practices.
  • ERM is a top priority for audit committees and boards of directors at utilities, which often ask risk owners for additional information about risks facing the organization. Participants also observed that audit committee members like to understand whether internal auditors test mitigation strategies and sometimes raise questions about the correlation between risks identified internally by ERM and those reported in a utility’s Form 10-K filing with the SEC.

Beyond the Bottom Line

This Power & Utilities Spotlight summarizes key takeaways from the three-day ERM roundtable hosted by Deloitte in October 2013.

Overview

ERM is a key function for many business organizations, especially P&U companies. As part of its continuing efforts to understand the risks and challenges faced by ERM professionals and their organizations, Deloitte’s Enterprise Risk and Compliance Management Services team has hosted a P&U ERM roundtable series for the past several years. The primary goal of this series is to discuss leading practices and innovative solutions related to ERM practices within the P&U sector.

More than 50 ERM professionals from over 25 companies convened at Pacific Gas and Electric’s Energy Center to attend the roundtable. Participants shared their views on ways to improve ERM strategies and policies at their organizations and in the P&U sector as a whole so that the industry can manage current — and mitigate future — risks such as catastrophes and natural disasters, operational failures, and cost overruns. Risk management topics covered at the roundtable included risk culture, risk quantification, risk-based prioritization of initiatives, regulatory risk management, and ERM reporting practices for audit committees and boards of directors.

Snapshot of Topics Discussed

Risk Culture

Deloitte introduced the topic of risk culture, which may be defined as employees’ general awareness, attitudes, and behavior related to risk and the management of risk within the organization. Roundtable participants expressed differing views on risk culture, including its elements and its role at an organization, but agreed that it (1) significantly influences the decisions employees make and (2) largely defines an entity’s ability to effectively manage risk. Facilitators of this session mentioned that utilities may consider using a risk culture framework to measure and monitor risk culture effectiveness as well as trends in risk management practices. A risk culture framework would typically be used to measure the following:

  • The risk management competence of an organization.
  • The organization’s structure and values.
  • How employees in an organization interact with others.
  • Employee motivation for managing risk.

Roundtable participants were encouraged to share their views on how they define and shape risk culture at their organizations. To lead off the discussion, facilitators asked participants whether their company’s management currently focuses on risk culture, with 45 percent of participants indicating it does and 38 percent indicating that their management understands the importance of risk culture but views it as a backburner issue.1 The remaining participants indicated that their management was not focusing on risk culture at this time. When asked whether they use a risk culture framework, 68 percent of roundtable participants indicated that they did not but about half of these respondents said that they saw value in doing so.

In addition, Deloitte facilitators shared fresh perspectives on identifying, measuring, and managing operational risk by leveraging extensive risk culture monitoring techniques developed via a recent Deloitte alliance with NASA. As part of this alliance, a framework and several tools for measuring risk culture effectiveness have been developed; these practices are currently being introduced to companies in various industries, including P&U.

Key Takeaways: Facilitators and participants agreed that an organization’s risk culture depends not only on the tone set by the board of directors but on the culture’s pervasiveness throughout the business and the ability of employees to identify and mitigate risk independently of an ERM function. Further, participants agreed that risk culture is an evolving concept that may be challenging to implement. Challenges may include reconciling multiple cultures located at both regulated and unregulated businesses in multiple geographic locations and jurisdictions.

Risk Quantification

Facilitators opened this session by providing an overview of the various risk analysis case studies and techniques available to ERM professionals, such as:

  • Qualitative analysis — An assessment of a risk’s characteristics or qualities by using calibrated scales that help entities determine items such as the likelihood of a risk event and its speed of onset, impact, or vulnerability.
  • Modeling and simulation — Building causal drivers into a model to allow an entity to determine the impact of various risks under various circumstances. Stochastic models allow an entity to develop probabilities in assessing risk and to perform a what-if scenario analysis.
  • Quantitative analysis — Companies use historical quantitative data and statistical techniques to forecast future results related to specific risks.

Today’s companies have an increasing number of tools for evaluating and forecasting risk probabilities. These tools include Bayesian belief networks, agent-based modeling, and system dynamic models. Many of these tools are now available as commercial off-the-shelf packages that are relatively inexpensive but can significantly enhance risk modeling capabilities and data visualization. Although certain roundtable participants indicated that they are relying more and more on modeling tools to assess risk, many indicated that they are still cautious about using models or simulations that may be
based on inherently subjective variables and assumptions. These participants typically stress the importance of the assumptions applied rather than the model’s results when reporting on risk to their board of directors or senior management. They therefore do not always view a quantitative analysis as superior to a qualitative analysis and caution against undue reliance on these results. These participants also highlighted the importance of effective response plans over risk quantification.

Industry participants discussed the risk analysis techniques and models they employ to evaluate risks at their organizations. One of the facilitators indicated that attempts to measure operational risks (which the facilitator defined as risks of loss from inadequate or failed processes, people, and systems or from external events) have been largely more qualitative than quantitative. However, this facilitator believed that P&U companies could improve their quantitative risk assessment models and metrics by looking to the insurance industry, which assesses risks that are similar to many of the operational risks facing utilities.

In addition, the facilitators gave specific examples of successful risk quantification efforts, including smart meter insurance coverage, use of real options to determine whether to proceed with construction of a nuclear power plant, insurance coverage for directors and officers, and modeling confidence bands in connection with earnings per share guidance (the last two examples were included in the presentation materials but were not discussed during the roundtable because of time constraints).

Although data sources continue to increase, it remains challenging to collect meaningful data to assess risks. Facilitators indicated that many organizations rely on internal data sources for their risk assessments. However, they also pointed out that reliable, bias-free external data can help companies improve their risk management. Facilitators suggested the sharing or pooling of operational risk data on external databases as possible ways of achieving this goal.

Key Takeaways: Participants agreed that the data sources, tools, and models available to quantify risks are increasing and that most utilities are continually refining their risk quantification methods. However, most participants also concurred that risk assessments should focus equally on a qualitative assessment of the assumptions applied as well as any inherent uncertainties in a quantification model.

Risk-Based Prioritization of Initiatives and Projects

Risk-based prioritization deals with the evaluation and prioritization of risks related to capital planning. The results of a poll of roundtable participants before the start of the event indicated that 80 percent thought they could improve their decisions about their portfolio of proposed capital and operations and maintenance (O&M) projects. In addition, 75 percent of participants believed regulatory and policy risks most affect their organization’s capital planning while only 11 percent believe the same was true of market risks. Facilitators shared an overview of the models, processes, and procedures they have implemented at their organizations to evaluate risk and optimize capital and O&M planning. One of the facilitators indicated that before making an investment decision and determining optimal capital allocation, his company considers corporate strategy, business values and tolerance, asset strategies, investment alternatives, and constraints. The facilitator also mentioned that his utility focuses on optimizing decisions rather than merely prioritizing them and that his company’s goal related to investment selection is to maximize risk mitigation and financial benefits while meeting predetermined financial constraints and dependencies.

One of the facilitators indicated that his company uses a risk matrix, among other tools, to evaluate the residual risk of each investment alternative by correlating the probability of a risk event with its potential consequences. Investment alternatives that are high-risk and could lead to significant consequences are avoided unless mitigation strategies are implemented to reduce the risk that these consequences will occur. The risk matrix also helps companies analyze whether the cost of mitigation strategies to reduce risk no longer makes an investment a viable or optimal choice. One of the facilitators mentioned that his utility’s optimization tools and procedures are fairly well developed and directly influence the utility’s budget and capital planning. In addition, the facilitator indicated that all investment decisions are vetted with the finance and operations team to ensure that they make sense on the basis of dependencies that may not have been part of the company’s optimization model.

Another facilitator described his company’s goal of linking project prioritization to business planning to increase the transparency and accountability of business decisions. The facilitator indicated that his utility’s ERM function is more aligned and better integrated with the business owners than it has been in the past, thereby empowering these individuals to consider risk-based prioritization in their investment decisions. The facilitator indicated that the utility employs a business scorecard that grades the major risks facing the organization under categories of strategy, finance, operations, people, and responsibility. The scorecard also indicates whether a risk is high, medium, or low and whether it is increasing or decreasing. The scorecard is used to communicate ERM’s view of the top risks faced by the organization to senior management and the board of directors and ultimately is part of the utility’s investment decisions and capital planning.

Key Takeaways: During the presentation, a question was raised about the process each participant’s organization uses to grade or rank risks. Certain participants indicated that they allow the business owners affected by such risks to perform the ranking exercise themselves, while others applied a more top-down approach in which the ERM function identifies risks through periodic discussions with the business owners. Certain participants also mentioned they occasionally review any available evidence to confirm business owners’ risk-related responses. It became clear that participants’ processes for identifying and evaluating risk varied, although most agreed that building better relationships and collaborating with business owners was vital to the success of the ERM function.

Participants agreed that there is a difference between a simple ranking of projects and full-blown optimization that addresses project interdependencies, impact of deferral, alternative project versions, and other portfolio complexities. Currently, companies may consider and rank potential projects on the basis of their risks, but an optimization model would help them determine which portfolio provides the “biggest bang for the buck” by increasing profitability and strategic alignment while managing and mitigating risk. Models used to assess risk provide important information to help with the optimization process; however, excessive reliance on a model’s results may negatively affect capital planning, and companies should consider scenario planning and qualitative factors as well.

Facilitators also stressed the importance of ERM and risk-based decision-making tools for multistage investment projects, with which companies have the option of continuing to invest in, postpone, or abandon a project as it progresses. Various models may be employed to value the options an entity has at each stage of a project. Facilitators highlighted the uncertainties and assumptions that go into developing these tools and stressed that any results a model or tool yields should typically provide a range of outcomes on the basis of changing variables rather than a single consequence. The development of tools to aid in evaluating the risks associated with multistage projects may help companies determine whether to continue with a project or invest in other projects that may be less risky and have shorter lead times to profitability.

Key Takeaways: Facilitators observed that since portfolio optimization involves making difficult trade-offs, it is important to define the implications of declining to fund a project (i.e., determining the opportunity cost) so that they can better understand such a decision and its impact on an optimization analysis. In addition, facilitators once again highlighted the importance of balancing and understanding all risks in an organization by considering their direct impact on the allocation of capital and, ultimately, on a company’s success. Roundtable participants also agreed that improved interaction and collaboration between an organization’s ERM, operations, and finance is critical to ensuring that capital planning is risk-adjusted and optimized.

Regulatory Risk Management

Although participants’ definitions of regulatory risk varied, all agreed that it encompassed the risk that potential regulatory changes pose for a utility’s operations and its ability to serve customers safely, reliably, and affordably. Participants from three utilities formed a panel to discuss regulatory risk and its impacts in the context of the ERM framework lifecycle, which consists of the following seven steps::

    1. Establishing context — Identifying the factors that may affect the organization’s operations and its ability to meet its objectives.
    2. Identifying risks — Generating a comprehensive list of the relevant risks with their causes and scenarios.
    3. Analyzing risk — Gathering relevant data to help companies evaluate and potentially treat risks.
    4. Evaluating risk — Determining the relative importance of risks that the organization faces and setting priorities accordingly.
    5. Integrating risk — Developing an enterprise-level risk profile reflecting correlations and portfolio effects and expressing impacts.
    6. Monitoring and reviewing risks — Monitoring the effectiveness of risk treatment strategies and enabling cross-functional communication of existing and emerging risks.
    7. Communicating and consulting on risks — Ensuring that the ERM program meets stakeholder expectations and enables periodic and consistent communication.

Establishing Context

Roundtable participants discussed recent events, such as the gas pipeline explosion in San Bruno and the earthquake that affected the nuclear plant at Fukushima in Japan, which not only have demonstrated the immediate and drastic impact one event can have on the regulatory environment but also have highlighted the need for utilities to implement a robust ERM system that focuses on safety and risk mitigation. Participants agreed that it is not possible to manage all uncertainties related to regulatory risk, but many have been more vigilant in the wake of these disasters in implementing programs to mitigate these risks. One of the panelists indicated that to some extent these events have shaped the generation strategy of his utility by influencing management to invest in resources that are subject to less regulatory scrutiny. Another panelist mentioned the challenges her company faces in managing regulatory risk because it is owned by a foreign enterprise that has operations in several countries. The regulatory rules in each of these territories are often different, and it is not always feasible to use the same approach to evaluate and assess regulatory risk. Participants also discussed the effect of rate reductions on return on equity and the impact this has on their ability to effectively manage regulatory risk.

Identifying Risks

Panelists and participants shared the processes they use to identify regulatory risks. These processes included the maintenance of a fluid and up-to-date risk register populated by regular meetings with business owners as well as frequent status calls and e-mails related to regulatory risk. Participants also discussed whether each of their processes were more centralized or decentralized for risk identification purposes. As with the risk-based prioritization session (see above), certain participants indicated that they use a decentralized process in which business owners are tasked with identifying all potential regulatory risks since they are the ones with intimate knowledge of the business and the regulations affecting it. Other participants indicated that they employ a more centralized approach in which ERM identifies risks through controlled surveys and other techniques. Most agreed that regardless of the method employed, improved integration of ERM with business owners was a key factor in the identification of regulatory risks, particularly because ERM is responsible for the company’s risk management plan and reporting all issues to the board of directors.

Analyzing and Evaluating Risks

One of the panelists indicated that in analyzing and evaluating regulatory risk, her company assesses both quantitative and qualitative metrics. The panelist mentioned that because it is difficult to perform a quantitative analysis of regulatory risk in isolation, her company generally examines quantitative metrics related to aspects of the operating environment that affect regulatory risk. The company often obtains these metrics from the business owners, who have more detailed knowledge of which operational risks could have regulatory impacts. In response to a polling question, about 68 percent of respondents indicated that they use both quantitative and qualitative metrics to analyze regulatory risk while the remaining 32 percent only use qualitative analysis. Half the participants indicated that they use speed of onset to analyze regulatory risk while an overwhelming majority indicated that they did not look to vulnerability (i.e., the susceptibility to a risk event in terms of criteria related to preparedness, agility, and adaptability) in performing this analysis. Finally, almost all participants indicated that they do not use automated tools to analyze and evaluate regulatory risk.

Integrating Risk

Almost 80 percent of participants indicated that they integrate regulatory risks into their overall ERM plan at the organizational level. Participants reiterated that it is sometimes difficult to manage competing priorities in delivering a safe, reliable, and affordable utility service. Mitigation plans for safety issues suffer if the focus is on delivering an affordable service and vice versa. Although regulators need to understand these priorities, they must also feel comfortable that an organization is doing enough to manage its risk. A swing toward either priority may strain a relationship with a regulator, thereby increasing regulatory risk. In one poll, 66 percent of respondents indicated that they use scenario analysis when assessing regulatory risk while the remaining respondents indicated they use either stress testing or a combination of scenario analysis and stress testing.

One of the panelists emphasized the importance of educating regulators on potential risks. After recent events such as Hurricane Sandy and the San Bruno pipeline accident, utilities spent a great deal of time educating regulators on the risks involved when they should have been merely responding. There are many challenges to educating regulators, such as explaining the complications associated with the cost of mitigation plans and acceptance of risk tolerance levels. These factors place additional strain on relationships with regulators but need to be managed to ensure a trusting relationship in the future.

Monitoring and Reviewing Risks

Panelists highlighted the importance of monitoring and reviewing risks. Many of the participants had learned from recent events, such as Hurricane Sandy and the San Bruno pipeline explosion, that risk identification and mitigation planning are important but that they should be continually monitored and tested to ensure that they are performing the tasks they were designed to do. Certain participants indicated that they had shared their risk register with their internal audit department, which in some cases had begun to test mitigation plans.

Communicating and Consulting on Risks

In reporting on regulatory risk, 10 percent of participants indicated that they report to the full board of directors, 33 percent indicated that they report to a subcommittee, and the remaining 57 percent indicated that they report to both. In addition, approximately 50 percent report quarterly, 20 percent annually, 10 percent monthly, and 20 percent on an ad hoc basis.

Key Takeaways: In delivering services to customers, companies should ensure that they balance affordability with reliability and safety so that they effectively mitigate regulatory risk.

  • Utilities should be aware that because regulators are increasingly looking outside their jurisdiction to understand what other regulators are doing to deal with risk, utilities may find themselves more and more affected by regulatory changes both nationally and internationally.
  • Consistent reporting on regulatory risks to senior management and the board of directors is vital to ERM throughout the organization.
  • Educating and building trusting relationships with regulators is as important as mitigating regulatory risks.
  • It is critical to have a clear definition of regulatory risks to develop effective risk management practices.
  • Utilities are employing risk management strategies that assess criteria beyond simply the likelihood that a regulatory risk will occur and its potential impact.

Reporting to the Audit Committee and Board of Directors

Facilitators opened this session by setting out the role of the board of directors and the audit committee in risk management. The board of directors has the ultimate responsibility for overseeing risk management and (1) establishes the company’s risk culture, (2) promotes open discussion regarding risk, (3) provides input and approves risk appetite, (4) defines the issues that the board must focus on, (5) monitors risk management capabilities, and (6) obtains reasonable evidence regarding risk management.

Industry participants presented the communication practices they use to report to the board or audit committee on enterprise risks. One facilitator displayed a risk matrix that her company uses to summarize the organization’s top risks and illustrate each risk’s probability, potential impact, speed of onset, assessment of mitigation strategies against such risk, and whether the mitigation and risk trends are increasing or decreasing. Participants indicated that they present similar communications to their board but also show how the risk has changed over a number of previous reporting periods. Another facilitator indicated that his company provides a detailed write-up on each risk to the audit committee and board that also details (1) the risk mitigation strategy for the risk,
(2) projects or programs addressing the risk, (3) current and proposed spending on the risk, (4) speed of risk onset, (5) status of mitigation efforts, (6) key risk indicators and methods of monitoring risk, and (7) relevant risk owner(s). Participants agreed that there is seldom a “one-size-fits-all” model for reporting on risk.

Key Takeaways: In closing the session, facilitators shared some of the top issues ERM professionals should consider when reporting to their audit committee, including the following:

  • The awareness of other risks and why they are not considered strategic or key risks that warrant reporting to the audit committee or board of directors.
  • The desire of many audit committee members to discuss each risk with their assigned owner at both a senior management and governance committee level to educate themselves and more fully understand the risks that the utility faces.
  • General counsel’s view on risks.
  • Understanding whether internal audit has tested any risk mitigation strategies implemented by the ERM function and reporting on the results of such tests.
  • The correlation between the risks presented to the audit committee and the risks provided in the company’s annual Form 10-K filing, including whether the disclosures in the Form 10-K change in line with the risks reported to the audit committee.

Thinking Ahead

The Deloitte P&U industry team will continue to monitor current and future activities relevant to ERM. The next ERM roundtable is scheduled for February 2014.

Topics that are being considered for future roundtable discussions include:

  • Risk appetite.
  • Integrating ERM into strategic planning.
  • Cost savings and efficiencies.
  • Integrating ERM and insurance.
  • Top risks within the sector.
  • Emerging risks.

 

____________________

1 During the roundtable, participants responded to multiple-choice questions posed to them by facilitators by submitting responses via text messages that were subsequently collated anonymously by a software application. Results shown throughout this spotlight represent the responses received from participants during the roundtable. It is possible that not all participants responded to every question.

Download

Related Topics

Correction list for hyphenation

These words serve as exceptions. Once entered, they are only hyphenated at the specified hyphenation points. Each word should be on a separate line.