Power & Utilities Spotlight — Making power and utilities companies more risk-aware and resilient

Published on: 06 Sep 2018


The Bottom Line

  • As the power and utilities (P&U) sector continues to evolve, enterprise risk management (ERM) programs are looking at new ways to provide value to their organizations, such as aligning ERM with other business functions, establishing a strong risk culture, and evaluating the organization’s structure to identify business unit interdependencies that create risk and opportunities.
  • While known risks can both provide opportunity and pose a threat to an organization, unknown or emerging risks are much harder to analyze. ERM can provide a platform for cross-functional collaboration to help organizations identify the various risks and develop plans to monitor those risks.
  • To meet the growing demands of internal stakeholders, ERM programs keep evolving through investments in resources such as people, data capabilities, and automated risk reporting tools.

Beyond the Bottom Line


Deloitte has been hosting a risk management roundtable series for the P&U sector for the past nine years. The primary goals of this series are to discuss lessons learned, identify trends, promote innovation, perform benchmarking/studies, facilitate networking within the industry, advance risk management practice, and enhance the value of the ERM function.

The fall 2017 roundtable was held in October 2017 at Bonneville Power Administration (BPA) in Portland, Oregon. Deloitte and over 30 risk professionals representing 27 companies discussed (1) addressing corporate separation risk, (2) the alignment of ERM with insurance, (3) the role ERM plays in tackling emerging risks, (4) how to enable a more advanced ERM program, (5) the definition of culture risk and the implications of such risk for an organization and the role of ERM, and (6) ways to incorporate risk in asset management decision analysis. In addition, during open sessions, participants shared creative ways of addressing their risk management function’s biggest challenge or obstacle and discussed the role of the risk function in informing business decisions. The overall discussion theme ultimately chosen was “How ERM programs can help shape their organization to have structures, processes, and programs in place to promote risk-informed decision making, increase understanding of risk management, and improve overall resilience of the organization.”

Corporate Separation: Risk Mitigation, Risk Creation, or Both?

In the P&U sector, it is common for organizations to consist of multiple legal entities. Of the top 20 investor-owned utilities in the United States, 15 have at least one subsidiary, and some of these have as many as 10 subsidiaries. There are various reasons for a corporation to be divided into multiple legal entities, one of which could be to protect its other entities in a time of turmoil. If a portion of the organization is legally separate from the rest, the organization as a whole can have increased protection in the event of a major business decision, such as a divestiture. One roundtable presenter described corporate separation as being similar to “how watertight compartments on a ship can keep the ship afloat even if a portion of the hull is punctured.” However, if the risks are not properly understood and managed, entities may not be as fully separate from the parent company as originally perceived, and the rest of the company may still be vulnerable to downstream consequences.

A chief risk officer from a major P&U company provided insights into how these vulnerabilities can take shape and be managed. One of the key vulnerabilities that many companies face stems from the use of internally shared services or cost recovery departments, such as information technology, procurement, and real estate. While this approach distributes costs and creates efficiencies, it can also affect a company’s ability to demonstrate the independence of its subsidiaries. For example, if a subsidiary declares bankruptcy, the existence of shared services can be used as an argument that the subsidiary is not entirely independent from the parent company, and the parent company may bear responsibility for any outstanding debt held by the subsidiary.

ERM functions can play an important role in managing this risk. Corporate separation should be treated as any other risk, and ERM functions should work with their organization’s leadership to increase awareness and understanding of entity interdependencies. It may be worthwhile for ERM to facilitate tabletop exercises for exploring potential scenarios that could result from corporate separation. Understanding the corporate structure of an organization with separate subsidiaries and the vulnerabilities inherent in that structure can help enhance risk monitoring and the effectiveness of risk mitigation plans.

Key Takeaways
  • Identifying risks inherent in an organization’s corporate structure could provide value in the event of a decision to create separate subsidiaries.
  • A corporate structure with shared services or assets may make it more challenging to prove that a subsidiary is independent from the rest of the organization.
  • ERM professionals should engage leadership in tabletop exercises to explore potential scenarios related to corporate separation.
  • Organizations should consider mapping enterprise risks to legal entities to ensure that (1) all of the legal entities are properly represented and (2) risk mitigation strategies do not put certain legal entities at a disadvantage.

ERM Alignment With Insurance

Typically used as a vehicle for transferring exposure to risks of low probability and high impact, insurance can serve as an innovative solution for optimizing risk mitigation strategies. However, while insurance is a valuable tool for transferring risk, the fact that risk drivers and overall risk exposure may be less transparent to the insurance function than to the ERM function could affect coverage requirements. By working closely with the insurance function, risk professionals can help synchronize the organization’s risk tolerance with the current level of exposure and insurance coverage to determine whether any savings can be realized.

If implemented well, risk analytics and insurance can enable a healthy, forward-thinking ERM process. In our roundtable poll, almost 68 percent of the participants indicated that ERM programs are not tracking insurance information that can help them identify risk trends. When the ERM and insurance functions work together, they can complement each other to identify risks that have insurance coverage and those that may need coverage to better protect the organization in the event that the risks materialize.

How closely the two functions are aligned can be influenced by whom they report to within an organization. Our roundtable poll showed that the majority of the insurance functions reported within the finance group; however, ERM often reports elsewhere in the organization. This disparity may limit interaction between the two functions.

At the roundtable, an insurance manager from a P&U company offered his perspective on his company’s efforts to align ERM and insurance. He shared information about the company’s top risks and risk drivers and evaluated various consequences of the risks that helped him consider the true insurance coverage needed to manage those risks.

Another risk professional shared her company’s decision process for choosing which risks to insure and how organizations can assess different coverage strategies. She noted that her company’s approach is to self-insure against potential losses of relatively high probability and low impact, such as collision damage to vehicles, while using outside insurance to cover potential events of relatively low probability and high impact, such as a fire at a power plant.

More and more ERM functions are looking to develop quantifiable methods that leverage existing insurance products and identify new solutions to manage emerging risks. Monte Carlo simulation is a powerful tool for understanding risk and uncertainty, especially for uninsured or uninsurable risks. It can capture uncertainties and risks in a structure that lends itself to financial decision making (i.e., risk retention, insurance purchase, or other engineered financial transactions). Understanding insurance possibilities and limitations for traditionally uninsurable risks helps optimize the insurance portfolio and identify risk/reward trade-offs.
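A Monte Carlo comparison of retaining a risk against transferring it, illustrating the self-insure/transfer split described above and the retention-versus-purchase analysis this paragraph mentions. This is an added example, not material from the roundtable or any company; the two risks, their frequency and severity parameters, and the deductibles, limits and premiums are constructed illustrative values.

```python
"""Monte Carlo view of retain-vs-insure for two constructed P&U risks."""
import math
import random
import statistics
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Risk:
    name: str
    annual_rate: float      # expected loss events per year (Poisson frequency)
    median_severity: float  # typical loss per event, USD (lognormal severity)
    sigma: float            # log-space standard deviation of severity


@dataclass(frozen=True)
class Policy:
    deductible: float  # retained by the company on every event
    limit: float       # insurer pays at most this per event, above the deductible
    premium: float     # annual cost of the cover


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; adequate for the small rates used here."""
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_year(rng: random.Random, risk: Risk) -> List[float]:
    """Sample the individual event losses for one year."""
    n = poisson(rng, risk.annual_rate)
    mu = math.log(risk.median_severity)
    return [rng.lognormvariate(mu, risk.sigma) for _ in range(n)]


def retained_loss(events: List[float], policy: Policy) -> float:
    """Loss left with the company after the deductible and per-event limit."""
    total = 0.0
    for loss in events:
        insured = max(0.0, min(loss - policy.deductible, policy.limit))
        total += loss - insured
    return total


def percentile(values: List[float], q: float) -> float:
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]


def evaluate(risk: Risk, policy: Optional[Policy], years: int = 10_000, seed: int = 7) -> dict:
    """Mean and 99th-percentile annual cost, retaining (policy=None) or insuring."""
    rng = random.Random(seed)
    annual = []
    for _ in range(years):
        events = simulate_year(rng, risk)
        if policy is None:
            annual.append(sum(events))
        else:
            annual.append(retained_loss(events, policy) + policy.premium)
    return {"mean": statistics.fmean(annual), "p99": percentile(annual, 0.99)}


# Constructed risks: frequent/cheap fleet collisions vs. a rare/severe plant fire.
FLEET = Risk("fleet collisions", annual_rate=40, median_severity=8_000, sigma=0.6)
PLANT_FIRE = Risk("power plant fire", annual_rate=0.02, median_severity=30_000_000, sigma=0.8)
FLEET_COVER = Policy(deductible=1_000, limit=50_000, premium=450_000)   # constructed
FIRE_COVER = Policy(deductible=1_000_000, limit=100_000_000, premium=1_500_000)  # constructed

if __name__ == "__main__":
    for risk, cover in ((FLEET, FLEET_COVER), (PLANT_FIRE, FIRE_COVER)):
        keep, buy = evaluate(risk, None), evaluate(risk, cover)
        print(f"{risk.name}: retain mean={keep['mean']:,.0f} p99={keep['p99']:,.0f} | "
              f"insure mean={buy['mean']:,.0f} p99={buy['p99']:,.0f}")
```

Run as a script, the output shows the premium-loaded cover costing more than retention in expectation for both risks, while only for the plant fire does it collapse the 99th-percentile year from tens of millions to roughly the deductible plus premium.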

Key Takeaways
  • Evaluate risk exposure to determine the type and amount of insurance coverage needed, and compare the organization’s risk tolerance with the estimated exposure to determine whether savings can be realized.
  • Align the ERM and insurance functions to discuss risk response strategies for optimization of company resources.
  • Use risk quantification exercises to determine whether there are opportunities to insure traditionally uninsurable risks.
  • Integrate ERM perspectives on future potential disrupters, such as digitalization and decentralization, into insurance discussions.

Role of ERM in Emerging Risks

Assessing, prioritizing, and responding to risks are integral to any organization’s risk management efforts. While known risks are more manageable and better understood, unknown or emerging risks may represent significant risk and opportunity for the organization, may be harder to assess, and may take longer to materialize.

Because emerging risks are inherently hard to pinpoint and describe, organizations’ definitions of such risks have varied. Emerging risks typically arise from global trends, are outside of an organization’s control, and are potentially capable of affecting an organization significantly. Some common emerging risks identified by roundtable participants were related to disruptive technology, regulatory uncertainty, and evolution of the utility business model.

One challenge of emerging risks, as a roundtable participant described it, is that “we don’t know what we don’t know.” Emerging risks are not always immediately identifiable, and when they are identified, it is sometimes difficult to determine who should be responsible for managing them. Without fully understanding the drivers of the risks, an organization may have difficulty monitoring changes in the emerging-risk environment.

Only 16 percent of the participants in our roundtable poll indicated that their respective companies had a formal emerging-risk framework with clearly identified roles and responsibilities. At the roundtable, one participant discussed how his company, despite not having a formal process to manage emerging risks, identified emerging risks by participating in benchmarking studies and sharing knowledge with industry peers.

Key Takeaways
  • ERM can help provide a platform for using cross-functional teams that can bring multiple vantage points to bear on the identification of emerging risks.
  • Scan within and outside of the P&U sector when considering potential emerging risks.
  • Continuous monitoring of emerging risks gives organizations a better understanding of the risks’ impacts and trending.

ERM 2.0

As the P&U sector continues to evolve and major risks and opportunities become more evident, executives are demanding more from their ERM program to help manage uncertainty. ERM is well positioned to help provide unique insights, promote cross-functional alignment for risk discussion, and help reduce silos to support a consistent and systematic risk management process. ERM professionals are analyzing their programs to identify ways to mature and enhance risk tools and capabilities to meet the growing needs of their stakeholders.

With advances in ERM, many programs are adopting more mature risk management activities such as bow-tie analysis and key risk indicator development, risk correlations, and scenario planning. In our roundtable poll, 28 percent of the participants indicated that their ERM programs had the characteristics of the “initial” or “fragmented” stage of maturity, while an equal percentage of participants indicated that their ERM programs were “integrated” or “strategic.” In all cases, the focus remains on the governance, people, process, and technology elements of risk management.

One P&U risk management leader at the roundtable shared his company’s approach to building a team with the critical capabilities. In his company’s view, skills can be classified into three categories: (1) soft/human, which captures characteristics such as interpersonal skills, self-motivation, and diplomacy; (2) technical, which recognizes skills such as interviewing, working with probability and statistics, and simulation modeling; and (3) conceptual, which refers to strategic planning, business planning, and frameworks. By bringing together teams that embody this wide range of skills, ERM programs become better equipped to fulfill their responsibilities and work effectively with the broader organization. The illustration below portrays skill sets and characteristics that the roundtable participants believed to be highly valuable for risk teams.

[Illustration: skill sets and characteristics valued for risk teams (image not reproduced)]

Another P&U risk management leader at the roundtable provided insights into his organization’s decision to invest in technology to help enhance risk identification, assessment, monitoring, and reporting. By implementing an automated risk tool, his company has been able to increase the amount of data collected for each risk to incorporate multiple criteria, track risk mitigation spending, and accelerate risk reporting. However, most of the roundtable participants noted that their respective companies relied on Excel as a repository for storing data about risks. Dependency on Excel can pose challenges in managing large amounts of data and developing robust risk dashboards for executives.

To address increased executive demand for the ability to obtain better insights faster, more companies are considering implementation of a risk system. More than half of the roundtable participants indicated that their respective companies were considering an investment of resources in risk software over the next 12 months.

When a company evaluates the objectives of its ERM program and the needs of various stakeholders, it should (1) consider the current and desired state of its skill sets, tools, and capabilities and (2) devise an enhancement plan that takes into account the acceptable pace of change for the organization.

Key Takeaways
  • Continue recalibration/enhancement of the program, as necessary, to be better positioned to respond to increased stakeholder demands.
  • ERM should provide measurable insights and unique perspectives on current and emerging risks to internal stakeholders.
  • Identify what your ERM function should be famous for, and develop an actionable roadmap to achieve your vision.

Culture Risk

Throughout the roundtable, risk leaders discussed ways for their organizations’ leadership to better understand risk, for companies to be better prepared for risk, and for ERM to more effectively report and monitor risk. Culture is top of mind for organizations, the C-suite, and corporate boards since it is shaped by leaders’ actions and sustained by employee behaviors. In a 2016 Deloitte Touche Tohmatsu Limited survey of executives around the world,[1] 86 percent of the respondents rated culture as “very important” or “important,” and 82 percent of the respondents believed that “culture is a potential competitive advantage.” However, only 12 percent of the respondents believed that their respective organizations were driving the right culture, and over 50 percent of those organizations were trying to change their culture.

[Illustration: elements used to understand culture risk (image not reproduced)]

Culture is defined as a system of values, beliefs, and behaviors that shape how things get done within an organization. The illustration to the right shows the elements that entities can use to understand “culture risk,” which is created when there is misalignment between leadership actions and core values, employee behaviors, or organizational systems. “Risk culture” represents how well attuned an organization is to (1) identifying and managing risks, (2) defining how much risk is considered acceptable, and (3) determining whether risk management thinking is embedded in its employees’ day-to-day activities.

The majority of the roundtable participants stated that (1) their respective organizations had not established a strategy for culture and (2) the culture of their respective organizations did not necessarily align with or support business strategy. By developing a framework for understanding, measuring, and monitoring culture, organizations can gain greater insight into employee engagement, employee behaviors, and market signals to inform actions that proactively manage risk. In addition, such a framework fosters a culture in which employees live an organization’s shared core values and demonstrate behaviors that protect, preserve, and enhance the organization’s brand and reputation.

In a manner similar to how other risks in the organization are managed, ERM can help develop leading indicators for measuring and monitoring culture risk so that key concerns are escalated in a timely manner and the organization can develop plans to resolve risk issues. Examples of culture risk indicators are time and expense violations, physical security breaches, fraud, and data exfiltration. Any of these behaviors, while not necessarily indicating a culture risk on its own, can provide valuable insights into a company’s overall risk culture.

Key Takeaways
  • Connect with departments, such as talent, to understand what information your organization currently gathers:
    o Does your organization use analytics to monitor patterns in employee behavior?
    o Does your organization use external market sensing?
  • Consider how available information can be incorporated into risk management processes to give you a better understanding of potential culture risks and their impact on the organization.
  • Establish your risk culture baseline, and develop monitoring capabilities to track trends and skills.
  • Consider leveraging technology to advance risk culture monitoring.

Asset Management and Decision-Quality Framework

P&U companies across the nation have been grappling with aging infrastructure. They continue to develop long-term asset management plans to prioritize the maintenance of assets in their fleet so that they can prevent unplanned power outages and improve reliability. One presenter at the roundtable discussed his company’s decision-quality framework and how the company’s asset management function is partnering with ERM to apply this framework to help make difficult resource allocation decisions faster in a rapidly changing environment.

When evaluating a portfolio of assets, P&U companies need to have an approach that lets them quickly identify and prioritize capital funds in a manageable way. A P&U company’s ERM function can help provide a systematic approach and a process validation when the company is assessing a project’s value, and it can ask tough questions that challenge biases and underlying project assumptions.

In a roundtable presentation, one executive discussed the advantages of factoring risk into a major decision analysis that requires a clear understanding of objectives and the use of consistent criteria for evaluating a broad range of alternatives. Another presenter at the roundtable stressed the importance of considering all possible outcomes, including historical events, and identifying potential biases early to better understand the difference between fact and opinion.

Poll results from the roundtable showed that 66 percent of the participants used (1) analytical methods to quantify safety risks and (2) economic and other risk/reward scenarios to inform business decisions. Using scenario planning and advanced analytic tools can help prioritize investment decisions such as capital versus operation and management. As one participant noted, “math is a tool, not the decision maker,” and it is equally important to layer qualitative analysis before making final decisions. By working together, the ERM and asset management functions can help identify key assumptions used as inputs to reduce uncertainty and allocate resources and funds in a structured manner.

Key Takeaways
  • By integrating risk into the asset management framework, ERM can help prioritize maintenance funding requirements.
  • To optimize all available options, consider all potential outcomes and challenge biases when evaluating large-scale decisions.
  • ERM can add value by supporting a structured decision-quality framework that may help drive more consistent risk-informed decisions across the organization.


Technology, regulatory changes, and customer preferences continue to pose new and evolving challenges for the P&U sector. Critical to performing well in this environment is access to the right information at the right time. ERM is one function that is well positioned to provide measurable insights and unique perspectives by aligning better with other functions (e.g., compliance, emergency management, insurance, internal audit, strategy). However, for an ERM program to be effective, support from senior leadership and the company’s board is vital to ensure that a culture of risk management permeates the organization.

Thinking Ahead

The Deloitte P&U sector team will continue to monitor current and future risk-related activities as well as host roundtable events that give P&U risk professionals an opportunity to share prevailing practices with others in the industry. The next risk management roundtable will be held in October 2018 at FirstEnergy Corp.


For more information about Deloitte’s risk management roundtable series for the P&U sector, or if you have questions about this publication, please contact the following Deloitte industry professionals:

Dmitriy Borovik
Managing Director
Deloitte & Touche LLP
+1 212 436 4109


Brian Murrell
Deloitte & Touche LLP
+1 212 436 4805


Asma Qureshi
Senior Manager
Deloitte & Touche LLP
+1 212 436 7659
