Power & Utilities Spotlight — Risk at the core of key strategic decision making

Published on: 24 Nov 2015



The Bottom Line

  • California Public Utilities Commission (CPUC) regulators demand better alignment of risk and rate case filings. California’s utilities are expected to establish a systematic approach to showcase how investments and operational expenses drive safety and reduce reliability risk.
  • Understanding the risk culture and changing it to the “new norm” is a major initiative for a number of utilities. Enabling and sustaining the right behaviors will lead to a high-performing culture committed to ensuring the success of the organization’s strategic priorities and to thriving during times of uncertainty.
  • Brand and reputation risk is becoming one of the key strategic risks. The ability to understand and promote a brand and reputation may help an organization manage stakeholders’ relationships during crises so that it is positioned favorably for future opportunities.
  • Strategic risk is becoming increasingly integrated with enterprise risk management (ERM) functions. The alignment enables creation of a more resilient and agile organization that is able to effectively create and protect new value while proactively monitoring a potential shift in fundamental assumptions behind the strategy and strategic initiatives.
  • The role of ERM functions in the development and assessment of risk response plans varies throughout the sector. An alignment of business, risk management, and internal audit is critical to the development and maintenance of comprehensive risk response strategies.

Beyond the Bottom Line


Deloitte has been hosting a P&U risk management roundtable series for the past six years. The primary goals of this series are to discuss leading practices, identify trends, promote innovative solutions, perform benchmarking/studies, and facilitate networking within the industry.

The most recent roundtable was held in October 2015 at Sempra Energy in San Diego. Deloitte and over 40 ERM professionals representing more than 30 companies discussed (1) risk-informed decision making and regulators’ increased focus on risk-informed decisions, (2) enhancing and maintaining a sound risk culture, (3) brand and reputation risks, (4) strategic risk management, and (5) risk mitigation strategies. In addition, in an open session, participants were asked to share how their risk management functions are helping achieve their organizations’ strategic objectives and to identify their ERM groups’ current major initiatives.

Many professionals indicated that their risk management functions are becoming further integrated with strategic planning and strategic decision making. In addition, professionals indicated that a number of initiatives are focusing on further integration with other functions, such as internal audit, compliance, crisis management, business continuity, insurance, and capital projects. A number of professionals also indicated a desire to better understand and, as necessary, adjust the current risk culture to help their organizations survive and thrive in the new “VUCA norm” (volatility, uncertainty, complexity, and ambiguity).

Deloitte set the stage for discussion by holding a brief pre-roundtable benchmarking poll on the key attributes of an organization’s risk environment. The poll results were incorporated into the discussions.

Industry Perspective

Executives from Sempra Energy offered their insights into risk management and what they are doing to enhance perspectives within the organization. Some of these practices include:

  • Implementing project controls for large-scale infrastructure projects — These controls add value by incorporating greater discipline into project management. Putting a program in place offers a balanced risk perspective, challenges assumptions, and improves future decision making by incorporating “lessons learned.”
  • Establishing a close relationship between audit and risk management — Risk exploration should go beyond risks that are considered “auditable” and should include risks specific to the organization. An entity may gain valuable insights by broadening its consideration of risk (e.g., by examining risks faced by other organizations).

The executives’ shared experiences helped further emphasize the importance of ERM’s pervasive involvement in strategy and operations.

CPUC Risk Reduction Requirements

Risk reduction is increasingly becoming an integral part of a utility’s operational investment justification. For example, in December 2014, the CPUC finalized risk reduction requirements that enforce a risk-based decision-making framework to justify the value of investments and operational expenses in relation to how well risks are mitigated as part of future general rate case filings. The first response to this new rulemaking was filed in May 2015. At the roundtable, a panel of professionals provided an update on how their organizations will perform risk-based evaluations of potential capital and O&M¹ projects and programs in response to this rulemaking.

This rulemaking emphasizes safety, security, and reliability. Specifically, the CPUC expects an evolution in how utilities look at safety and reliability on an enterprise-wide basis. Organizations may need to more thoughtfully consider the entire organization to assess risk tolerance and develop a framework to identify risks and respond to them in a prioritized manner. Polling results indicated that 49 percent of the participants’ organizations surveyed use predictive modeling to help make risk-informed asset investment decisions. While this modeling can help with asset investment decisions, other participants cautioned against overreliance on this method, since it is often difficult to determine which data should be used or which data are of sufficiently high quality.

Because key stakeholders (primarily regulators and customers) are demanding more accountability in safety and reliability decisions as well as greater focus on prioritized risk reduction, other jurisdictions may mandate regulations similar to those in California. Regardless of the jurisdiction, an organization’s relationship with its regulators is increasingly important since changes in the regulatory environment are likely to strengthen the link between risk and operational decisions.

Thinking It Through

Organizations will need to consider how to integrate risk-based decision-making frameworks into their day-to-day operational decisions and possibly entertain significant changes to their ERM program frameworks. Determining a means of measuring risk reduction may prove challenging; however, organizations may consider leveraging experience from adjacent sectors, such as aviation, to expand their capabilities and practices.

Risk Culture

Risk culture, which can be defined as an organization’s risk-related behaviors, is important to a successful execution of strategy. Therefore, organizations must identify an optimal risk culture, determine steps they need to take to establish the desired culture, and ensure that the risk culture is appropriately aligned with the strategy.

Because the classic utility business model is being disrupted (e.g., by regulatory activities, customer demand, and technological advances), organizations are required to make critical decisions more frequently and much faster. In addition, management continues to be challenged to optimize limited resources and deliver more value. Risk culture is becoming a key focus for P&U leadership. A number of management teams are working on initiatives to assess the current culture and further develop a culture that will help companies survive and thrive.

Polling results indicated that 58 percent of the participants’ organizations surveyed have identified a desired risk culture, and 53 percent have identified specific behaviors that align with the desired risk culture. To be successful, an organization must define its vision, establish a plan, and hold individuals accountable for implementing change and monitoring progress. To accomplish these goals, an organization can take various steps, including the following:

  • Engage executive leadership — Leaders and trusted influencers demonstrate commitment and act as role models. Key leaders should be engaged early in the process to assess the current culture, analyze strengths and gaps, and define the organization’s desired culture vision to support its risk strategy.
  • Engage multiple levels — Change can be effected through concrete, definable, and observable behaviors specific to different levels and functions to drive commitment across the entire organization. To the extent that a behavioral model is already in place, the organization can highlight or modify existing behaviors that align with the desired vision. Individuals should be held accountable for demonstrating desired risk behaviors and take personal responsibility for risk management.
  • Identify a core group to influence change — Employees can be given a voice through a core group that has the ability to influence change (e.g., respected middle managers). This will encourage individuals to talk openly and honestly about risk and will help establish a common risk vocabulary that promotes shared understanding.
  • Get personal through communications and training — An organization might consider implementing (1) customized communications that emphasize the need for the culture change and (2) a training approach to increase awareness of desired risk behaviors. This targeted approach should include more person-to-person interactions, fewer broad messages, and various safe channels for raising new risks.
  • Recognize, reward, and address — Performance and reward structures can be aligned to encourage and recognize appropriate risk behaviors and fairly address misconduct. In addition to formally recognizing and rewarding individuals, an organization can effectively reinforce behaviors through informal rewards and ad hoc/ongoing performance discussions.
  • Encourage risk-informed decisions — Leveraging risk capacity, risk appetite, and risk tolerance parameters throughout the organization may help drive behavior in daily activities and establish the right metrics and means of measurement. Risk culture can be reinforced by ongoing communication as well as a formal process for measuring and reporting on the alignment with the overall strategy.

Organizations should consider a big-picture view to identify and implement the right programs and reinforcement activities to achieve their desired risk culture. Because the business and regulatory environment is constantly changing, organizations must continually assess and reevaluate their risk culture through effective monitoring and collecting feedback.

Industry Perspective

Organizations in the industry should work to create a risk culture that promotes appropriate risk and compliance behaviors while fostering innovation in the face of unprecedented changes (e.g., technology, regulation, cyber risks). In addition, organizations should understand that risk subcultures can, and should, exist within different functions.

Organizations must also maintain a dialogue about risk culture and try to proactively effect change. At the roundtable, one professional shared her experiences with effecting culture change at the middle management level. While accomplished primarily through formal communication and training, this change also required an informal open dialogue about risks and behaviors. In addition, training reinforced the need for middle management to have more discussions about risk, specifically risk related to executing a strategy.

The professional further noted that her organization piloted an effort to perform a joint risk assessment involving both internal audit and risk management. This assessment not only positively affected the risk culture but also persuaded the business units to seek more help from risk management in identifying and mitigating risks.

Brand and Reputation Risk

As the industry and the regulatory environment experience transformation, it is becoming increasingly important for P&U organizations to effectively manage their brand and reputation. In addition, organizations face many uncertainties that may result in unfavorable outcomes, both external (e.g., natural disasters, cyberattacks, compromised third-party relationships) and internal (e.g., employee or executive misconduct, regulatory noncompliance). The ability to protect an organization’s brand and reputation in light of change and uncertainty will contribute to its ability to protect and increase value for stakeholders.

Although the challenge of protecting brand and reputation may be complex, it is manageable. By developing risk intelligence strategies and investing in the right capabilities, organizations can dramatically reduce the impact of brand and reputation risks while continuing to grow and succeed. Polling results indicated that 74 percent of the participants’ organizations surveyed treat brand and reputation risk as an outcome of other risks, while the remaining 26 percent treat it as a stand-alone risk. Although it is important for organizations to consider which of these two approaches works better in their ERM framework, best practice suggests that they should use both approaches to ensure that their risk management programs are tackling the issue from all angles.

Protecting brand and reputation starts with understanding the organization’s current capacity for managing them across all functions. This includes understanding (1) what the brand strategy is; (2) who the key stakeholders are and how to engage them; (3) how to identify, track, and monitor brand and reputation risks; and (4) how to prepare for and respond to brand threats. Tracking and monitoring brand and reputation risks can be very challenging in today’s ever-changing environment (e.g., introduction of social media), and many organizations are faced with more competition from unexpected parties. Therefore, it is imperative that organizations develop a repeatable process to measure, protect, and defend their brand and reputation before it is too late.

Industry Perspective

At the roundtable, one professional shared her experience with transitioning to a role in a newly formed organization that was spun off from an established organization. Although the individuals in the newly formed organization were largely the same as those who had worked together in the established organization, stakeholders questioned who they were as an organization. Those individuals have since faced many challenges as a result of not having an established brand and reputation for the newly formed organization as a whole. In light of this example, participants at the roundtable emphasized the importance of engaging stakeholders and having a clear strategy on establishing and managing a brand.

It is important to understand and measure stakeholder perceptions of brand, as well as understand who in the organization is ultimately responsible for managing its brand and reputation. This fundamental understanding will better enable meaningful dialogue with individuals responsible for establishing and maintaining brand and reputation and will guide better decision making.

Polling results indicated that 56 percent of the participants’ organizations surveyed hold public relations/communications responsible for owning brand and reputation risk management. But while public relations may be responsible for communicating about an organization’s brand, true accountability for the company’s brand and reputation lies with the C-suite executives. According to leading practice, ultimate accountability should reside with the C-suite executive, or small number of C-suite executives, responsible for guiding and governing the organization’s brand and reputation management program and capabilities.

A holistic brand and reputation program is built on three pillars:

  • Brand strategy — Brand and reputation should be embedded within business strategies to create a risk-intelligent culture and drive long-term strategic enhancements. A sound brand strategy allows for an enhanced brand risk intelligence and consistent brand messaging.
  • Brand advocacy — To elevate its brand and reputation, an organization should enhance internal and external stakeholders’ understanding of brand value. Successful brand advocacy empowers key stakeholders to actively champion and support the brand, especially during challenging times. Consequently, brand advocacy also builds relationships with key stakeholders.
  • Brand resilience — An organization should build brand resilience by (1) enhancing risk identification, assessment, and monitoring capabilities and (2) proactively devising a strategy to address potential damage to brand reputation.

This holistic program is further optimized through an effective governance model that includes monitoring, measurement, and continuous improvement. Such a model requires organizations to initially and continually evaluate how they are perceived by customers, regulators, and other key stakeholders. Establishing a clear and robust governance process will help (1) connect and align brand and reputation risk with risk strategy and (2) defend and protect the organization from brand-damaging threats and events.

Market Insights

In 2014, Forbes Insights, on behalf of Deloitte Touche Tohmatsu Limited, conducted an in-depth, global reputation risk survey of more than 300 executives from companies representing every major industry and geographical region. Results of this survey emphasized the importance of reputation risk. Specifically:

  • Of the executives surveyed, 87 percent indicated that reputation risk was more important than other strategic risks.
  • Reputation problems have the biggest impact on revenue and brand value.
  • In the energy and resources industry, top drivers of reputation risk are issues related to:
    • Ethics and integrity.
    • Products and services.
    • Security issues.

Strategic Risk Management Program

A strategic risk management program is an essential tool for building leadership’s in-depth understanding of the key challenges and opportunities on the company’s horizon and ensuring that management is adequately prepared to protect against, and possibly take advantage of, approaching uncertainties. According to “Reducing Risk Management’s Organizational Drag” (CEB, 2014) and “How to Live With Risks” (Harvard Business Review, July–August 2015), risk functions spend approximately 39 percent of their time focusing on financial reporting risks and only 6 percent of their time on strategic risks. In contrast, of the significant losses in market value experienced over the past decade, 89 percent were attributable to strategic risks and 2 percent were attributable to financial reporting risks. This demonstrates the need to spend more time focusing on strategic risks.

An effective strategic risk management program aids management and leadership by identifying market shifts that threaten to (1) disrupt the assumptions at the core of the company’s strategy (and strategic objectives) and (2) undermine the company’s ability to achieve or maintain exceptional performance. As illustrated below, this can be accomplished by an ongoing process of accelerating discovery, confronting bias, scanning ruthlessly, and preparing for surprise.


Strategic risk scenario planning is one way to identify “value killer” risks.² At the roundtable, one professional shared her experiences with integrating strategy and risk through scenario planning. The professional emphasized the importance of implementing both a formal process for identifying potential scenarios and outcomes and a means of communicating results and findings. This involves the development of industry scenarios, including key success factors for each scenario and implications specific to the industry, the organization, and the organization’s strategic options. For strategic risk planning to be effective, the organization must know what the board is looking for and tailor the scenario planning exercise accordingly to give the board a better understanding of the risk environment. Consequently, effective scenario planning allows for natural exploration of risk relationships by risk managers and a high level of engagement with senior management and the board. It also enhances the value of the ERM program throughout the organization, thereby enabling the organization to identify emerging risks and shifts in current risks.

Risk Response Strategies

Including ERM functions in the development of risk mitigation plans provides a cross-functional lens through which to view the organization holistically. Polling results indicated that 58 percent of the participants’ organizations surveyed have risk mitigation plans for emerging and strategic risks, revealing that it is becoming more common to develop customized plans in response to specific risks. Other benefits of having ERM functions facilitate the development of risk mitigation plans include potentially enhancing the definition of the risk and enabling the identification of risk interdependencies. In addition, it promotes consistency in implementing a structured process throughout the organization.

Effective risk mitigation strategies require a clear understanding of the risk, defined and transparent activities, ownership, and deadlines. A number of risk management professionals play a key advisory role in the development, assessment, and implementation of structured risk management strategies and facilitate cross-functional discussions. Mitigation techniques are typically classified into five main categories:

  • Avoid — Eliminate risk by preventing exposure to the future possible events.
  • Accept — Maintain the risk at its current level.
  • Reduce — Implement policies and procedures to lower the risk to an acceptable level.
  • Share — Shift a portion of the risk to a financially capable, independent counterparty (e.g., insurance).
  • Exploit — Increase the risk accepted to pursue higher gains and value for stakeholders.

According to participants, “reduce” is the most common strategy; however, it is important for an organization to understand the risk and circumstances so that it can determine which technique is the most appropriate. At the roundtable, one professional shared that his company tackled one specific risk by developing a specialized model capable of analyzing complex internal and external factors that may cause the risk to materialize. The tool performs millions of data simulations and helps the company understand various scenarios of risk reduction so that it can prioritize the allocation of resources. Of course, a data-intensive tool like this may not be part of every mitigation plan, and the determination of whether such a tool should be used would depend on the complexity and severity of the risk in question. Other reporting tools, such as risk mitigation dashboards, are useful for showing the trending of risk over time.

In addition to increasing ERM’s involvement in risk mitigation planning, ERM should consider working closely with its internal audit functions to measure the effectiveness of risk mitigation strategies. While 73 percent of the participants’ organizations surveyed indicated that they do not measure the effectiveness of risk response plans at all, only 22 percent indicated that ERM is responsible for this measurement. Including ERM in this process (both planning and subsequent measurement) could add significant value to an organization’s bottom line by assisting in a prioritized allocation of resources.

Thinking Ahead

The Deloitte P&U sector team will continue to monitor current and future risk-related activities. As an industry leader, Deloitte will continue to host these roundtable events so that P&U ERM professionals can share prevailing practices with others in the industry. The next ERM roundtable is scheduled for March 2016 at Exelon in Chicago. Keep an eye out for the pre-roundtable survey; the results will be a catalyst for the future discussions.

For more information about this roundtable series, please contact nationalutilitiesermroundtable@deloitte.com or reach out directly to Dmitriy Borovik at dborovik@deloitte.com.


¹ Operations and maintenance.

² For more information about value killer risks, see the Deloitte Touche Tohmatsu Limited publication The Value Killers Revisited: A Risk Management Study.

