The Bottom Line

• As the power and utilities (P&U) sector contends with a web of uncertainty stemming from shifting customer expectations and technological advancements, enterprise risk management (ERM) programs must play a greater strategic role as entities navigate new risks and opportunities.
• ERM 2.0, third-party risk management, risk-based decision making, and risk appetite frameworks can help professionals better understand and manage a broad spectrum of risks.
• ERM programs are capable of bringing value to businesses rather than simply protecting value.

Beyond the Bottom Line

Overview

Deloitte has been hosting a risk management roundtable series for the P&U sector for the past 10 years. The primary goals of this series are to discuss lessons learned, identify trends, promote innovation, perform benchmarking and studies, facilitate networking within the industry, advance risk management practices, and enhance the value of the ERM function.

The fall 2018 roundtable was held in October 2018 at FirstEnergy Corp. in Akron, Ohio. Deloitte and more than 35 risk professionals representing more than 25 companies discussed (1) the ERM 2.0 framework and its capabilities, (2) scenario planning and the role of ERM, (3) the risk-based decision framework of the California Public Utilities Commission (CPUC), (4) extended enterprise risk management (EERM) and third-party risk management, (5) the future of the digital utility and risks stemming from digitization, and (6) using risk appetite in business decisions. In addition, during open sessions, participants shared targeted items they planned to focus on to help elevate their ERM programs in 2019. These included ERM’s playing a greater role in strategy and business planning processes; standardizing risk taxonomy and emerging risk signals; creating a key risk indicator library; automating ERM processes; breaking down silos to ensure that information flows throughout the organization and to link enterprise and operational risks; focusing more on sustainability, fraud, and workforce-of-the-future risks; and visualizing the risk universe and the interdependencies between risks.

Industry Perspective As one utility executive stated during the roundtable, entities’ thinking about major decisions should start with ERM groups, because they help bracket business opportunities and “see the bullet before it gets you.” This viewpoint came into focus when the utility experienced major financial challenges. The ERM group helped the utility’s leadership assess the relative value of its commodity-exposed business, highlighting how difficult it would have been to make that business successful. The utility has also relied on its ERM team to understand the risks associated with the execution of its transmission buildout, which is one of the largest in the country. Finally, the utility is interested in pursuing nearly a dozen emerging technologies and is drawing on its ERM group’s expertise to ensure it is doing so in the most strategic way possible, with a full understanding of the risks involved. The ERM group has open access to any board member, the CFO, and the CEO.

ERM 2.0 Framework and Capabilities

When the roundtable participants were asked what words come to mind when they think of risk management, the leading answers were “opportunity,” “uncertainty,” and “evolving.” These three terms seem to encapsulate ERM groups’ new role well. Whereas ERM professionals have traditionally considered themselves to be primarily stewards, their function is evolving as they navigate a landscape of uncertainty, forcing them to stay ahead by identifying any opportunity to not only protect value but also to create it. As shown in the graphic below, their area of authority covers a broad spectrum of risks and opportunities spanning operations, finance, strategy and reputation, regulation, and cyber risk.

As stewards, ERM professionals assist with understanding opportunities and transforming risk into an advantage by shaping strategic choices and pathways to an aspirational business model. As strategists, they assess broad risks in the existing business model, including operational, financial, compliance, culture, and third-party matters. As catalysts, they can understand the “mega trends” that will affect their organizations, including digitization, sustainability, and transformation of energy ecosystems. Finally, as operators, they must respond to industry risks stemming from the business model, product platforms, and pricing schemes, as well as from unexpected events like cyberattacks, natural disasters, and terrorism.

Gaps seem to have formed between ERM professionals’ current and aspirational roles. Most of the participants’ ERM programs focus on risk assessments. More than half of the participants see their ERM function’s role in strategy as a mix of three activities: the planning and execution of strategic initiatives and monitoring of the risks involved. Participants indicated that they would like their organizations to spend more time on activities such as corporate strategy discussions and risk analytics, and, to a lesser degree, on risk mitigation and reporting on risk response.

Another gap exists between the organization’s interest in strategic risks and its interest in operational risks, which are more tactical and topical. One participant proposed framing ERM’s role in strategic discussions as providing additional sources of information to enhance long-term planning. This can be achieved by conducting in-depth workshops with subject matter experts to identify issues that may not be mentioned in the organization’s strategic plan.

Still another gap concerns ERM’s brand. Most participants’ ERM groups are primarily recognized for being operators. However, participants would like their ERM groups to be recognized more as partners (stewards and strategists) that provide actionable insights conducive to risk-informed decision making. About two-thirds of the participants indicated that organization-enhancing coordination with business leaders, communication, decision making, and reporting provide the greatest opportunity to improve the effectiveness of their organizations’ risk management programs. How might ERM professionals rebrand themselves to translate their wealth of business risk knowledge, gathered from facilitating risk discussions across all business units, into their recognition as strategic risk partners?

Industry Perspective One participant’s ERM function conducted a survey involving key information users and found that the ERM group was good at extracting information and passing it on to senior executives but not to the wider organization. In response, the ERM group is now analyzing and aggregating data differently so that it can show distinct departments the cross-functional lessons learned. Another participant described transitioning from a passive to an active risk management function: By becoming heavily involved in all issues transmitted to the decision-making committee at the executive level, the ERM group can serve as a partner offering a different perspective from a risk management standpoint. One technique used to foster deeper relationships in view of creating a partnership is to regularly interview contacts at each business unit to develop trust so that they are comfortable coming to the ERM group at their own initiative rather than because they are told to do so.

More than half of the participants indicated that understanding risk implications and interdependencies across the organization is the most important capability for a leading risk management group. This highlights the enterprise aspect of risk management. Silos are a natural occurrence in large organizations and are sometimes difficult to break down. The ERM function can serve as a conduit by consistently identifying inefficiencies and bridging gaps between the silos, as well as by advocating for underresourced risk areas. One approach to addressing such inefficiencies is risk reboot.

Risk reboot involves taking a fresh, holistic look at an organization’s risk management practices. The goal is to assess current such practices and eliminate low- or no-value, high-cost risk management activities (e.g., processes that are manual, redundant, or no longer relevant), optimize required/high-value risk management activities by applying levers of transformation (e.g., outsourcing, rationalization, automation), and add high-value activities to identify and manage risks related to culture, strategy, and brand and reputation. Levers of transformation can be applied to reboot risk. These include risk management operating model changes (e.g., outsourcing), a better understanding of risk exposure and the current cost of controls and mitigating strategies, process improvements (e.g., reviewing, simplifying, and standardizing processes), and technology and automation (e.g., leveraging advanced risk sensing).

No participants claimed to have total transparency into the total cost of risk management at their organizations. Most have partial transparency, and more than a quarter have no transparency. One of the reasons for this may be the difficulty in assessing the cost of risk management activities across the ERM, information security, finance, compliance, and internal audit departments. Overlapping priorities can cause duplicative efforts both within and across functions, leading to inefficiencies, inconsistencies, lack of common taxonomy, and risk/control fatigue.

Key Takeaways The ERM 2.0 framework takes a broader view of the risks and opportunities facing businesses and gives risk management a role in both protecting and creating value for the organization. ERM professionals spend the bulk of their time on risk assessment but would rather focus on corporate strategy development and risk analytics. Organizations can achieve a better return on their risk management activity investments by examining where there is overlap and ensuring that risk management activities across the organization are not redundant and are housed in the appropriate function.

Scenario Planning and the Role of ERM

The current P&U business environment is volatile, uncertain, complex, and ambiguous (VUCA). By embracing uncertainty, scenario planning enables organizations to engage with the VUCA environment, providing a view of both their risk profile and the opportunities ahead. It helps organizations act despite the uncertainty. Typical responses to uncertainty include denial and paralysis. Scenario planning helps overcome these responses by offering data-driven stories about the future, descriptions of the external environment, hypotheses rather than predictions, plausible narratives that stretch thought, and a tool with which to structure strategic considerations. Whereas trends denote forces that are already visible and wild cards refer to low-probability events that may dramatically change the landscape, uncertainties lie somewhere in between, encompassing forces that cannot accurately be predicted, controlled, or influenced but are likely to affect the future of the industry. By incorporating uncertainties in addition to known factors, scenario planning challenges assumptions and provides organizations with more options so they can make better decisions. Scenario planning has three core principles: use outside-in thinking, embrace diverse perspectives, and take the long view (more than 3 years and often as many as 10).

Half of the participants stated that their organizations had not had the opportunity to use scenario planning as a risk management tool. The other half had either used the tool themselves or reported that other functions in their organizations had used it. ERM professionals who had used scenario planning assessed it to be a good use of time and a forum for the ERM group to interact with the rest of business. The main barrier to using scenario planning tools is familiarity with the process.

Industry Perspective One participant shared an experience from recently conducting a long-term asset study scenario planning exercise. The scenarios represented a set of possible futures — second recession, status quo, moderate recovery, high growth — with different commodity price results and a range of inputs designed to encompass an extreme range of outcomes. While the scenario results turned out to be only partially accurate, as would any assumptions-based forecasts, they were internally consistent, and they sparked executive discussions related to the various possible outcomes and risk correlations. The greatest value lay in the outlier scenarios, which generated significant discussion and moved away from the centrist approach to most planning conversations. The utility consequently was able to adjust its investments to manage previously unaddressed risks. Its ERM team also valued scenario planning as a tool with which to engage and secure buy-in from corporate leadership, as well as to integrate the business units, which all had a seat at the table.

Two interactive group exercises followed this discussion. The first consisted of developing a list of key uncertainties affecting the P&U sector. Groups highlighted the following sample uncertainties: distributed energy resources, cybersecurity, social and shareholder activism, customer expectations, carbon pricing, regulatory changes, overpollution, and utility obsolescence. In the second exercise, one group considered a scenario in which technological advancement transforms the world while another considered a future of extreme weather and stagnation. While these scenarios presented risks, groups identified many opportunities for utilities, ranging from creating new business models to repurposing assets and centralizing certain functions.

More than three-quarters of respondents to a poll following the scenario planning group exercises envisioned their teams using scenario planning in the future. Participants were most taken with how scenario planning could widen the aperture of the ERM function to include more strategic, longer-term risk discussions.

Key Takeaways Scenario planning enables action despite uncertainty. Entities can use scenario planning to identify threats and opportunities within the current strategy. The ERM function can become a strategic partner to the business by using scenario planning to highlight risks to and of the strategy and identify correlations between various risk response strategies. Scenario planning provides a means by which to recognize and adapt to change ahead of time.

The CPUC’s Risk-Based Decision Framework

After the 2010 gas pipeline explosion in San Bruno, California, the CPUC increased its focus on how utilities identify and manage safety risk. It initiated the Safety Model Assessment Proceeding (S-MAP) to establish a common framework for utilities to identify and analyze risks and mitigations. The S-MAP determines the risk analysis framework, scope, and approach used in the Risk Assessment Mitigation Phase (RAMP) of general rate cases (GRCs). California utilities must now file RAMP reports one year before their GRC submissions. In the RAMP report, each utility determines safety risks to be addressed and evaluates the costs and benefits of risk mitigation activities on the basis of the S-MAP framework. The RAMP report justifies safety-related mitigation activities and costs in the GRC. After the first year of the GRC, utilities must file an annual report on the actual spending and effectiveness of RAMP mitigation activities. As a result, utilities have less flexibility to modify spending for safety-related GRC funding requests evaluated as part of the RAMP. To meet RAMP requirements, utilities need to identify top safety risks and propose mitigations and alternatives. They must also specify the risk-spend efficiency (the ratio of risk mitigated to cost of mitigation) for each mitigation activity and include a timeline for improvements in the overall risk management process. Finally, utilities must provide an assessment of executive engagement and safety culture. This change secured a seat for the ERM function at almost all decision-making forums and committees across each utility. At California utilities, ERM teams now regularly interact with regulatory bodies with which they previously had very little contact.

Key Takeaways California’s regulatory requirement served as a catalyst for utilities to further establish and enhance the corporate risk culture, adopt a more data-driven and structured approach, and explicitly include ERM in financial planning and resource allocation processes. Internal stakeholder alignment (i.e., ERM, regulatory, finance, business units, legal) and external stakeholder coordination (i.e., peer utilities and regulatory bodies) served the utilities well in establishing and implementing the CPUC’s risk-based decision framework.

Extended Enterprise Risk Management/Third-Party Risk

As P&U organizations transition to become digital utilities, there is a growing dependence on third-party relationships. This dependence potentially increases an organization’s inherent risks from (1) growing uncertainty in the business and macroeconomic environment, (2) concerns related to emerging regulation and regulatory scrutiny, and (3) threats of third-party-related incidents/disruption. Organizations need to not only understand the full universe of external risks posed by changing business models but also need to be more agile in responding to regulatory change, customer demands, and technological disruption.

All but one of the roundtable participants indicated that they have seen a third-party incident affect one of their business units. Third-party risk is no longer viewed as just a supply chain issue but one that also covers a wide range of external players, such as supplemental workforce contractors and nonfinancial transactions like relationships with joint ventures, partnerships, and universities. Even the smallest third-party relationship can cause vast damage, as demonstrated in a major retailer’s breach, wherein a $100,000 contract with an HVAC company ultimately cost the retailer hundreds of millions of dollars in losses. In the event of an incident, an entity’s major challenge typically is to form a plan to resume relationships with partners and rebuild trust. Breaches can reveal a tangle of relationships involving many layers of subcontracting. The value in unraveling this tangle is the minimization of risk and financial impact. Third parties can pose risks through, among other areas, their access to a company’s data and systems and their potential effect on the organization’s customers and overall reputation. Despite the marked increase in the dependence on third parties, a perceived rise in the associated risk, and a renewed focus on and investment in the extended enterprise, many organizations are still not fully equipped to manage this risk in a holistic and coordinated manner. According to Deloitte Touche Tohmatsu Limited’s 2018 Global Survey on EERM,¹ almost 70 percent of energy and resources respondents perceived an increase in inherent risks in the extended enterprise, but only 16 percent have integrated or optimized their EERM mechanisms.

The extended enterprise, illustrated in the graphic above, is the concept that an organization does not operate in isolation. Its success depends on a complex network of third-party relationships. Threats can be viewed across a set of “risk domains,” which include contractual risk, financial stability risk, credit risk, compliance/legal risk, information security risk, business continuity risk, transaction/operational risk, reputational risk, and strategic risk. Today, third parties are closer than ever to an organization’s core, meaning that if something were to go awry, the incident’s impact could be catastrophic and immediate (e.g., spread via social media). In response to regulations, banks have created consortiums to collect information on third-party risk domains once rather than independently pursue duplicative efforts. Utilities are in prime position to do the same but more proactively.

Industry Perspective Two participants shared their thoughts and challenges regarding third-party risk. They used existing strengths in their organization to build an EERM program. One of the first initiatives was to establish risk management as a goal in the supply chain. The supply chain team used two tools to manage risk: a relationship with the risk management team and a supplier management program that included a quarterly performance review. In a recent initiative, a cross-functional team created a contractor information management system to track all third parties working for the utility and to establish channels, rules, and controls for bringing in contractors. Business units were initially resistant to the change, so strong support from the CEO was essential. Some units eventually came around as the discussion about cost evolved into one more focused on cyber and physical risks. Participants suggested creating an IT checklist early in the process to screen out businesses that are unable meet certain requirements or allow for mediation of gaps. Additional recommendations were to (1) create an inventory of sensitive data with exposure to third parties as well as a termination plan, (2) continue monitoring third parties after contracts are signed, and (3) identify critical contracts on a separate watch list to be shared with business units.

More than half of the participants reported that the chief procurement officer owns and has accountability for EERM in their organizations. Although it is the duty of the entire organization to manage risk, the following groups typically have the most responsibility: (1) sourcing and procurement; (2) business; (3) legal, compliance, and risk; (4) IT; and (5) internal audit. ERM’s role is to understand and define the key risk drivers and consequences of extended enterprise relationships that can help protect the company’s brand, reputation, relationships, people, physical assets and security, data, and stakeholder value. EERM programs are designed to help organizations understand and mitigate the risk of their third-party relationships while improving the bottom line and shifting focus from cost to overall value. A structured EERM program can help generate value creation throughout the third-party relationship life cycle. EERM programs have demonstrated the ability to improve the bottom line by at least 2 percent to 3 percent through digital solutions, cost and revenue recovery programs, and managed risk services.

Key Takeaways EERM programs are designed to help organizations understand and mitigate the risk of their third-party relationships while improving the bottom line and shifting the focus from cost to overall value. One way in which the ERM function can play a role in managing the third-party risk is to understand and define the key risk drivers and consequences of extended enterprise relationships. If the reputational risk from engaging with external entities is not effectively managed, the company increases the chances of harming its core values, which would have both internal and external ramifications. To minimize redundancies and enhance the overall value of risk management, compliance, and assurance, organizations should establish and align clear roles, responsibilities, and expectations for these activities.

The Future of the Digital Utility and Risks Stemming From Digitization

Most participants reported that their ERM function is somewhat involved in discussions related to their organizations’ digital efforts and the associated risks. What does “becoming digital” mean? Being digital means that an entity is achieving new performance levels by integrating technology to unlock efficiencies that lead to new ways of working and provide benefits to customers, employees, and shareholders. In accordance with Moore’s Law, some digital technologies are close to crossing the curve of expectations and unlocking huge amounts of capability. The race is on for utilities to become bigger, faster, and cheaper before their competitors do.

Many organizations become mired in an endless loop of doing digital things rather than making necessary changes to business, operating, and customer models. The key is for an organization to transition from being an enterprise with digital projects to becoming a digital enterprise, as shown in the illustration above. Forty-five percent of the roundtable participants stated that their organizations are exploring digital. In this first phase of the transition to becoming a digital enterprise, organizations leverage traditional technologies to automate existing capabilities and dabble with digital without really changing. Close to 33 percent of the participants indicated that their organizations are doing digital. In this phase, companies extend capabilities but still largely focus on the same business, operating, and customer models. Fewer than 25 percent of the participants labeled their organizations as becoming digital, meaning that they are leveraging digital technologies with more advanced changes to define the future of work, of assets, and of the customer. No participants claimed their organizations were being digital, which would require business, operating, and customer models to be (1) optimized for digital and (2) profoundly different from prior business, operating, and customer models. The digital utility is likely to be a digitally enabled shared services organization, a fully automated and integrated corporate services organization, a predictive analytics and forecasting organization, and a user of robotic process automation. Although digital capabilities can help mitigate risks, they also reveal and create new ones. For example, organizations might suddenly be overwhelmed with false positive warnings that previously went undetected, or some previously secure operations might become vulnerable to a cyberattack. As expectations grow for the ERM function to address such risks, it has an opportunity to become more engaged in the topic of digital utilities. The graphic below illustrates an example of the value chain for digital utilities.

Industry Perspective An ERM professional shared his thoughts and challenges related to his company’s digital transformation. The company’s strategic objective was to leverage technology to create growth, operational efficiency, and a differentiated customer and co-worker experience with a digital culture that fosters innovation and a bias for action. A chief digital officer (CDO) was hired. The CDO’s integration was challenging: Organizational changes resulting from the new position gave rise to many clashes with the CIO as the CDO ushered in a major overhaul of the IT department, which had made catastrophic and costly mistakes in the recent past. Other key challenges encountered were the complexity related to scaling legacy systems to support the digital transformation, building the requisite talent while making needed management changes, realizing the value in digitally driven operational efficiencies, and integrating cybersecurity throughout the digital design.

The case presented in the Industry Perspective above illustrates three common challenges of digital transformations in the P&U industry. These challenges are the shift from executive-led to executive-informed governance, the transition from risk-averse to risk-tolerant leadership, and the jettisoning of a “tried and true” approach in favor of a “no sacred cows” culture.

Key Takeaways ERM professionals can and must help define the risk profile for the digital utility, and ERM programs must be part of the emerging agile and innovative culture. As utilities become more digital and experience a shift in their risk profiles, it is even more critical that they understand the intended and unintended consequences of digital initiatives. Digital capabilities should be used as a catalyst for the next generation of ERM as the ERM function looks to tackle more risk related to data governance, regulations, third parties, and cybersecurity.

Using Risk Appetite in Business Decisions

Risk appetite is the amount of risk an entity is willing to take given its capacity to bear risk and its philosophy on risk taking. There is often a mismatch between risk appetite and risk capacity, which is the limit of risk that can be taken by the company. The concept of risk appetite may help companies further enhance and defend their decision-making processes, prioritize top risks, and develop appropriate risk response plans and overall strategies. Risk appetite should be aligned with traditional business performance metrics and strategic objectives. Risk appetite frameworks can assist companies with capital and resource allocation, and they can provide a basis for more strategic decision making regarding risk. Such frameworks can also foster a more risk-intelligent culture, promote accountability, encourage more transparent communication with stakeholders, optimize use of resources, enhance cost management practices, and lead to more responsive decision making.

However, most P&U companies have not developed a formal risk appetite statement or a documented framework as part of their ERM programs. Common challenges have included overcoming the initial hurdle of taking the first step, terminology confusion, appetite and tolerance calculations and modeling, and barriers in the corporate culture. Even for organizations without a formalized risk appetite statement/process, risk appetite is typically inherent in an organization’s processes, policies, and procedures.

Industry Perspective One participant shared his company’s process for implementing a risk appetite framework. The utility’s risk appetite statement focuses on its core electric and gas utility business and is driven by concerns about safety, customer value, and constructive regulatory relationships. The risk appetite statement’s perspective is strategic, oriented toward risk versus reward, and guided by the company’s risk appetite, while the utility’s risk tolerance statement has an operational perspective, focused on consequences, and draws on budgetary and planning input. The objective of creating a risk appetite framework was to start a discussion about trade-offs given the limited funding pipeline, by using a stoplight chart to flag risk indicators that are below, at, or above certain tolerance levels. Under the continual sponsorship of three CEOs, the utility’s risk tolerance journey started with the establishment of an ERM program in 2008, matured with the proposed development of a risk appetite/tolerance statement in 2014, and culminated with the ERM function’s involvement in capital planning in 2018. The risk appetite framework helped enhance the ERM team’s role as a “strategic partner” throughout the organization.

In developing a formal risk appetite framework, an organization may conduct internal and external research to review strategies, financial statements, existing delegations of authority, and risk tolerance statements that may already be part of internal policies. An organization can then develop a risk appetite statement, tolerance thresholds, and risk assessment criteria. The risk appetite statement should be aligned with the organization’s overall business strategy and should be checked against the organization’s estimated exposure to define effective risk mitigation strategies.

Although the practical implementation of risk appetite frameworks in the P&U sector is largely in its infancy, the benefits of such frameworks are often viewed as outweighing the challenges. A consistent definition of risk appetite can help an organization take a more strategic approach to risk taking, risk mitigation, and overall decision making.

Key Takeaways A risk appetite framework serves as a basis for risk-informed decisions and helps companies enhance capital and resource allocation efforts. Risk appetite can also be leveraged to defend a company’s strategy or strategic objectives. Companies should compare their risk appetites with their estimated risk exposure when developing risk mitigation strategies. Risk appetite should be viewed as a continuum, and decision makers should consider multiple viewpoints when applying risk appetite to decision making. Although the practical implementation of risk appetite frameworks in the P&U sector is largely in its infancy, risk appetite is generally believed to play an important role in a company’s business strategy and strategic objectives.

Conclusion

The P&U sector is on the cusp of major transformation. Digitization is reshaping utilities as they navigate a landscape of increasing uncertainty and a growing network of relationships with third parties. Each of these elements presents great risks and opportunities that ERM professionals are best positioned to identify and address. The ERM 2.0, EERM, and risk appetite frameworks provide them with a sample of tools to do both. The ERM function can own this role if empowered as a key partner in strategic decision-making processes.

Thinking Ahead

The Deloitte P&U sector team will continue to monitor current and future risk-related activities as well as host roundtable events that give P&U risk professionals an opportunity to share prevailing practices with others in the industry. The next risk management roundtable will be held in October 2019.

Contacts

For more information about Deloitte’s risk management roundtable series for the P&U sector, or if you have questions about this publication, please contact the following Deloitte industry professionals:

Download