The Enterprise Risk Management Process
Side-bar definition:
Black Swan events are considered rare and difficult to predict. They are events that have a negative impact to the organization. Examples of black swan events are the global pandemic or multiple tornadoes landing in a region that is not known for tornado activity.
The Enterprise Risk Management Process
Risks are identified through a risk management process and are typically assessed, prioritized, and depending on the probability, magnitude and materiality of the risk, escalated to the Senior Leadership Team and the Board of Directors as required. Risk management should follow a specific, structured process using established criteria and terminology to allow the consistent identification, evaluation, and comparison of risks. The success of ERM depends in part on a common language for identifying, describing, and managing risk.
Risk tolerance helps decision-makers understand what is expected of them in making trade-offs of corporate objectives against one another, to improve general understanding of strategic objectives, and to help define and maintain risk tolerances.
An organization’s executive leadership team typically sets the “target” risk appetite, an outcome trade-off to each strategic objective, that is most aligned with the Company’s mission, vision, and values. It is an expression of an organization’s willingness to place each strategic objective at risk in the pursuit of value.
The following summary process is applied to the identification and management of the Company’s “conventional” (i.e., non-black-swan) risks.
Figure 1.0 Enterprise Risk Management Process
Business Context | Risk Identification | Risk Analysis | Risk Evaluation (Tolerability Assessment)
Business Context
The risk management strategy should be aligned with the organization’s strategic objectives and operational activities. A risk management strategy should never be considered a standalone activity; considerations in defining the criteria should include the following:
• Nature and type of risks
• Risk likelihood and impact
• Timeframes of cause
• Complex risks, linked to others
• Regulatory, contractual commitments
• Strategic Alignment
• Integration in procedures
• Severity and impact
• Risk velocity
• Risk response
Risk Assessment
Risk assessment is the complete review of risks through identification, analysis, and evaluation. It is critical that the risk team identify as many risks and their impacts as possible. A risk registry is a commonly used tool to facilitate the maintenance of risks.
Process Element | Description
Risk Identification | Identifies impacts, causes and consequences of the risk incident. Process of gathering risk information via senior leadership interviews, brainstorming and research on key corporate risks.
Risk Analysis | Provides input into the evaluation process and whether the risk needs to be treated and how it should be treated.
Risk Evaluation | Assists in the decision-making process to select risk treatment and prioritization needs and the related priority of each risk.
Risk Treatment
A continuous process of evaluating and selecting the options to modify an organization’s risks. Risk treatment can take on multiple forms such as avoidance and transfer. Refer to Delivering Value for more information about risk treatment.
Monitoring
Monitoring should be a planned part of the risk management process that incorporates tracking and continuous evaluation of both the risk but also the treatment techniques applied within the organization. This process will assist the risk team in determining if and when risk strategies are no longer aligned with the organization’s overall corporate strategies.
Reporting
The Board (or board-level risk committees) will establish risk policy, which must be communicated to all levels of the organization. The risk and management teams will report on risk response plans, incidents, and financial impacts. This provides critical information to the Board or risk committee, allowing them to make sound decisions. Reporting can also focus on Key Risk Indicators (KRIs) and their trends. KRIs provide a sense of the impact to business strategic objectives and the emerging trends that can make the risk a live event, allowing the company to pivot in a timely manner, provided reporting is concise, timely and complete.
What Can Leadership Do
ERM practices within the electricity industry are very prevalent within company departments such as asset management and operations. They analyze risks from the loss of assets, increase in costs from regulatory compliance, staff health, safety, and more.
For ERM to be successful in any organization, it requires active engagement and support from management and active reinforcement with all staff through constant communication. At Electricity Canada, the Enterprise Risk Committee has recommended that it is the responsibility of all staff to identify risks and ways to mitigate those risks within the ERM framework. One way an organization may accomplish this is through the performance-objective process already held in many organizations: every employee can have a risk objective.
Risk management should be integrated into the organizational culture, and performance objectives throughout the company with the aid of a risk management champion who has the support of both the company executives and the Board of Directors. Such companies have a greater likelihood of achieving their strategic objectives and delivering their products or services more effectively and efficiently.
Board members understand the importance of Enterprise Risk Management, yet in a recent McKinsey and Company Study, only 40% of Board Directors from 1500 surveyed identified that their organization is prepared for the next crisis. Additionally, only 7% identified that their Board was effective at risk management.
This is exceptionally concerning when one of the mandates of a Board is to ensure that management identifies and addresses predictable risks that will impact the entire organization.
Figure 2.0 ERM Survey Results for Critical Function (bar chart: “ERM is seen by our Senior Management, Executive and CEO, and Board as a critical function in our company”; x-axis: Critical Function Importance, 1 to 5; y-axis: number of responses, 0 to 12; series: Senior Management, Executive and CEO, Board)
Leadership Considerations
A best practice for Board members and risk champions is to consider those risks that could happen as if they will happen instead of accommodating probabilities. This will ensure that your company is always prepared.
Risk practitioners must also develop scenarios where they are not only addressing one risk, but multiple. In 2022, we have seen a decrease in COVID-19 numbers, only to see a rise shortly thereafter. At the same time, utilities are facing increased pressures from government to have a net-zero ready grid by 2035. All this is happening while there is a supply chain bottleneck on much needed microchips and rare earth metals, as well as a labour shortage and increasing inflation rates.
Risk comes in all forms and leadership must be aware of what can happen and imagine that it will happen.
Risk champions should be preparing the Board of Directors with scenario testing on risk events. Such scenario testing should be conducted on a regular basis and should be comprehensive in identifying the resolution of a risk event. A post-mortem exercise must be conducted to ensure decision-making was effective in the scenario exercise.
Boards and management must recall that enterprise risk management teams exist to deliver value to company stakeholders even in times of crisis.
The 2021 Electricity Canada survey of ERM departments highlights that Boards and executive teams see risk as a critical function of their organizations. However, Figure 2.0 shows that this does not extend to senior management. This could result from a disconnect in communication about ERM to senior management from the Board and executive teams.
ISO 31000 recommends that management should:
• define and publicly endorse the risk management policy;
• ensure that the organization’s culture and risk management policy are aligned;
• determine risk management performance indicators that align with performance indicators of the organization;
• align risk management objectives with the objectives and strategies of the organization;
• ensure legal and regulatory compliance;
• assign accountabilities and responsibilities at appropriate levels within the organization;
• ensure that the necessary resources are allocated to risk management;
• communicate the benefits of risk management to all stakeholders; and
• ensure that the framework for managing risk continues to remain appropriate.
Case Study: Poorly implemented ERM solution
In 2016, Chipotle was known for its good service and food innovation with fresh local food. They were also known for salmonella outbreaks in their food supply chain, which were ultimately served to the customer. Chipotle did not introduce adequate resources for enterprise risk management into their company. They also failed to disclose that their safeguards were inadequate to protect customer and employee health. Due to Chipotle’s lack of investment in risk management, their share price fell 35%, sales decreased by 30% in the months following the announcement, and they faced a marred reputation and a civil lawsuit. An ERM approach would have established robust quality controls in the supply chain to ensure risks were identified, and these controls would have decreased or altogether avoided regulatory penalties.
Recommendations to the Board
The following are several recommendations that Boards of Directors can implement to facilitate the integration of enterprise risk management within the organization.
Category | Description
Timeliness | Boards do not meet often. Risk is a constant presence to the company, and ERM processes must be as up to date as possible for when the Board meets, to avoid gaps in knowledge at the Board level. Boards can meet more frequently (i.e., on a regular schedule) to review risks and their updates, or the ERM team may update their material more frequently to close those gaps. Another option that has been identified is creating a risk committee comprised of several of the Board members and senior management. This team would be more flexible in their schedule and be able to meet more often to ensure risks are addressed in a timely manner.
Common Standards | Organizations aren’t developing a common language to articulate risk. It has become difficult within organizations to communicate between departments on common standards of risk measurement. Companies within the same industry are encouraged to develop a common standard language on risk management. Industry-related associations are one channel that can facilitate the development of such standards.
Frameworks | The majority of risk management processes in use today do not have a formal risk identification process that links risks with strategic objectives. Risk teams and Boards need to examine ways to link risks to strategic objectives and identify ways to pivot when those objectives are at risk.
Strengthen Internal Auditing | Internal auditing must work closely with the risk management team to identify risk levels that can surpass or have surpassed internal controls. Ensure they examine company-wide risk management processes and their impacts on organizational strategic objectives.
Litigation | Not identifying risks can put companies at risk of legal repercussions. Ensure litigation measures are identified and described in detail in risk assessments.
Ask the Tough Questions | Boards and executive teams must ask tough questions of executives and risk champions to ensure risks to strategic objectives are identified and managed appropriately.
Risk in the Industry
The utility industry in Canada is facing multiple risks in the short and long-term future. Risks in the industry can be assessed by reviewing the economic, political, societal, environmental, and technological impacts of decisions being made or trends that are occurring. Each utility will face different risks compared to other utilities in the industry. For example, environmental risks will differ based on local geography. Even technological risks will differ based on managerial decisions and utility adoption of new technological solutions.
Table 1.0 Some short- and long-term risks
Near-Term:
• Infrastructure (e.g., aging, climate impacts)
• Government Regulation (e.g., Net-Zero)
• Cyberthreats (e.g., Ransomware)
• Changes to operating standards
• Rapid changes to technology solutions
Long-Term:
• Changes to financial systems (e.g., Interest Deductibility)
• Continued Exposure to Climate Change
• Development of new generation
Sample of Known Industry Risk Events
• Disruptive Technologies: Smart devices, IoT, Sensors, AI,
• Rapid transformation: Firmware updates, Big Data, 5G, policy change
• Cybersecurity: Ransomware, malicious hackers, data theft
• Grid reliability: Storm hardening, customer expectations,
• Constrained Budgets: Slow growth, rising costs, regulated budgets
• Climate Impact: Hurricanes, wildfires, extreme temperatures
Risk Maturity:
In 2021, Electricity Canada’s Enterprise Risk Management Committee undertook a benchmarking study to gauge the processes in play within the industry in Canada. From participating members, 50% had ‘established’ ERM programs where processes are standardized, coordinated, and promoted consistently and risk information is factored into decision making, resource allocation, and performance management.
Only 2 respondents were at the ‘leading’ level, where capabilities and practices are well integrated into strategic planning and performance, and management activities and risk appetites are clearly articulated. In these organizations, a strong culture of effective ERM exists across the organization with a clear understanding of roles and responsibilities, and risk information and outcomes are continuously used to reinforce risk culture, to improve performance, and to inform decision-making.
Case Study: What we do!
At our organization, we have regular risk reporting on a quarterly basis to senior leaders/executive management. The Board maintains an understanding of the company risk profile and reviews the risk philosophy on an annual basis. The executive team also ensures that key risks are brought forward to the attention of the Board for discussion and action, as required. The senior leadership team supports the executive team and is a collection of subject matter experts who actively engage in the day-to-day management of risks. Members of the senior leadership team have been assigned to be the designated responsible person for managing and reporting upon enterprise risks. Working with the executive team, the senior leadership team oversees the risk profile and its performance against the defined risk philosophy. This group understands changes in risk status and trends, identifies potential opportunities, and determines responses and action plans that are then implemented by the organization. They also work to ensure effective, efficient, complete and transparent risk reporting to the executive team.
Risk Tools
This section provides several tools for the Risk Manager’s toolbox.
Risk Matrix
A risk matrix, or risk map, is a measurement tool that provides a visual perspective to company risks and the prioritization of those risks. Organizations should develop a Risk Matrix based on criteria which make up the risk tolerance of the organization. The criteria should outline guidelines for assessing the impact and likelihood of risks.
Figure 3 .0 Enterprise Risk Management Matrix
The 2021 Electricity Canada ERM Benchmarking Study found that the majority of utilities are utilizing a 5x5 risk matrix. Other matrix options exist and ERM professionals should use a matrix that is best suited to their management philosophy and risk appetite.
Depending on the risk tolerance of the organization, the risk categorization can be altered within the risk matrix. Each organization may want to consider different inputs into the categorization of Impact and Likelihood. Inputs will come from various sources such as historical data, political and social environments, and measured and estimated impacts to systems based on estimated recovery costs.
Impact: Each risk impact can have a range of potential outcomes, each associated with a likelihood or probability. However, each business risk is usually assessed on the magnitude of the Worst Credible Impact.
Likelihood/Probability: Assessment of the likelihood of the Worst Credible Impact coming to pass. A standardized Probability/Likelihood scale for this step is recommended.
Figure 3.0 matrix (rows: Likelihood; columns: Impact)
Likelihood | Insignificant | Minor | Moderate | Major | Severe
Almost Certain | Medium | High | High | Extreme | Extreme
Likely | Low | Medium | High | High | Extreme
Possible | Low | Low | Medium | High | High
Unlikely | Low | Low | Low | Medium | High
Remote | Low | Low | Low | Medium | Medium
Figure 4.0 Enterprise Risk Inputs
Likelihood
• Historical event data
• Political Atmosphere
• Frequency of Regulatory change and reviews
• Societal Atmosphere
• Technological Change
• Control and Monitoring Assessments
Impact
• System Changes
• Lost Revenue
• Increased Costs
• Lost Infrastructure
• Added Regulatory Burden
• Safety and Loss of Life
• Staffing Changes
• Recovery Time
• Reputational
Risk Bow-Tie Model
The Risk Bow-Tie Model, or Risk Bow-Tie Analysis, is a process for identifying where new and enhanced controls and monitoring techniques can be applied to good effect for the organization: the causes of a risk event are laid out on one side of the event, its consequences on the other, and current controls and gaps are identified on each side.
Figure 5.0 Bow tie model (Causes → Event → Consequences; on each side: Current Controls, Identify Gaps, New Controls)
Risk Registry
Risk registries are typically used by risk teams to identify and prioritize the risks that can impact your organization, department, process, or project. A risk registry is consolidated at an enterprise level and is used for informing the board of directors and management of the impact and likelihood of risks along with their recommended course of resolution. A risk registry may be built off of a risk profile.
Figure 6.0 Risk Registry Example
Scenario | Description | Owner | Likelihood | Consequences | Level of Risk | Action | Review Date
Wind Damage | Wind damage to lines | Operations | High | $3 to 100 M | High | Develop restoration plan; emergency response plan; Establish insurance coverage | 2/1/2022
Data Breach | Theft of Customer info | IT, Legal, Customer | Moderate | $10k to $100M | Moderate | Review IT security; Review insurance coverage | 8/1/2023
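The matrix of Figure 3.0 and the registry of Figure 6.0 together define a scoring procedure. The following is an added example, not Electricity Canada's own tool: it encodes the page's 5x5 matrix, checks that a customised matrix stays monotonic (the level never drops as likelihood or impact rises), rejects ratings outside the standardized scale that the page recommends, and scores a constructed sample registry against an assumed tolerance threshold to decide which entries are escalated to the Board and which are past their review date.

```python
# Added example (not Electricity Canada's own tool): scores a risk registry
# against the 5x5 matrix of Figure 3.0 and applies a tolerance threshold.
# The matrix cells come from the page; the registry entries, the date used
# as "today" and the escalation threshold are constructed assumptions.
from dataclasses import dataclass
from datetime import date

LIKELIHOOD = ["Remote", "Unlikely", "Possible", "Likely", "Almost Certain"]
IMPACT = ["Insignificant", "Minor", "Moderate", "Major", "Severe"]
LEVELS = ["Low", "Medium", "High", "Extreme"]  # ascending severity

# Rows follow LIKELIHOOD (lowest first); columns follow IMPACT (lowest first).
MATRIX = [
    ["Low", "Low", "Low", "Medium", "Medium"],          # Remote
    ["Low", "Low", "Low", "Medium", "High"],            # Unlikely
    ["Low", "Low", "Medium", "High", "High"],           # Possible
    ["Low", "Medium", "High", "High", "Extreme"],       # Likely
    ["Medium", "High", "High", "Extreme", "Extreme"],   # Almost Certain
]


def risk_level(likelihood, impact, matrix=MATRIX):
    """Level for a rating pair; terms outside the standard scale are rejected."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError(f"non-standard rating: {likelihood!r}/{impact!r}")
    return matrix[LIKELIHOOD.index(likelihood)][IMPACT.index(impact)]


def matrix_is_monotonic(matrix):
    """Sanity check for a customised matrix: the level must never drop when
    likelihood or impact increases by one step."""
    rank = {lvl: i for i, lvl in enumerate(LEVELS)}
    for i in range(len(LIKELIHOOD)):
        for j in range(len(IMPACT)):
            here = rank[matrix[i][j]]
            if i and here < rank[matrix[i - 1][j]]:
                return False
            if j and here < rank[matrix[i][j - 1]]:
                return False
    return True


@dataclass
class RiskEntry:
    scenario: str
    owner: str
    likelihood: str   # likelihood of the Worst Credible Impact, standard scale
    impact: str       # Worst Credible Impact, standard scale
    review_date: date


# Constructed sample registry, loosely modelled on the Figure 6.0 scenarios.
SAMPLE_REGISTRY = [
    RiskEntry("Wind damage to lines", "Operations", "Likely", "Major", date(2022, 2, 1)),
    RiskEntry("Theft of customer info", "IT, Legal, Customer", "Possible", "Moderate", date(2024, 8, 1)),
    RiskEntry("Loss of control centre", "Operations", "Remote", "Severe", date(2024, 3, 1)),
]


def assess_registry(entries, tolerance="High", today=date(2024, 1, 1)):
    """Score each entry, flag those at or above the tolerance threshold for
    Board escalation and those whose review date has lapsed; highest first."""
    results = []
    for e in entries:
        level = risk_level(e.likelihood, e.impact)
        results.append({
            "scenario": e.scenario,
            "owner": e.owner,
            "level": level,
            "escalate": LEVELS.index(level) >= LEVELS.index(tolerance),
            "review_overdue": e.review_date < today,
        })
    results.sort(key=lambda r: (-LEVELS.index(r["level"]), r["scenario"]))
    return results


if __name__ == "__main__":
    for row in assess_registry(SAMPLE_REGISTRY):
        print(row)
```

An entry whose likelihood is recorded as “High” or “Moderate”, as in Figure 6.0, fails `risk_level` with a `ValueError`, which is the point: the registry must use the same scale as the matrix before scores can be compared.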
Risk Profiles
One of the first activities typically associated with the practice of integrated risk management is the development of a Corporate Risk Profile. A Corporate Risk Profile enables an organization to obtain an overview of its key risks, including an understanding of the organization’s operational context and objectives with respect to managing risk.
A Corporate Risk Profile describes an organization’s key risks, which include both threats and opportunities, and provides staff, external partners, and advisors with a clear ‘snapshot’ of the organization’s key risks and, when implemented, can help identify areas of efficiency and potential opportunity. This, in turn, supports strategic priority setting and resource allocation, informed decisions with respect to risk tolerance, and improved results.
How an organization presents its corporate risks differs from organization to organization, however, all Corporate Risk Profiles include fundamental qualities that make them a valuable management tool. A traditional risk profile is a set of characteristics common to any given risk. For an example of a risk profile refer to Appendix B.
Value of Introducing Enterprise Risk Management into your Organization
To realize the benefits of Enterprise Risk Management, leaders of the organization must think of ERM as a living enterprise-wide process that is active and vibrant with continuous updates and improvements in all aspects of the business. Every opportunity and threat to a utility holds risk. ERM will help determine the potential reward vs. potential harm.
Value of ERM Function
• Informs core business Strategy of risks on the horizon.
• Prioritizes which risks to mitigate, reduce, transfer, and retain.
• Identifies the type and number of resources that will be required to manage the risk.
“… is to understand the value at risk.”
- Daniel Gent, Electricity Canada
Table 2.0 Known Benefits
Benefit | Description
Take intelligent risks | Many companies take risks to grow their business. For example, utilities can take intelligent risks by investing in other utilities or by introducing new behind-the-meter services (i.e., capturing opportunities). ERM will identify whether the possible rewards are greater than the potential harm.
Reduce costs of hazard risks | Costs related to a particular asset or activity. By reducing the overall cost of risk, one can expect an increase in profits or a reduction in budget expenses.
Reduce deterrence effects of hazard risks | Examines the risks of future losses by making them more foreseeable in the planning stages of upcoming projects. Will increase the feasibility of future ventures.
Reduce and manage downside risk | Inherently there is always risk, and downside risks may be considered the cost of doing business. The goal is to mitigate the risk and establish protocols to monitor and track these risks. The ERM strategy would implement a threshold limit; when the threshold is reached, the risk becomes an actionable item under management review. Establishing SAIDI and SAIFI measures is a good example of thresholds within the industry.
Enterprise Risk Management
Global Survey
In the ERM Oversight survey from 2020, 83% of respondents identified that an operational surprise impacted the way they do business. The high value was attributed to COVID-19; in previous years the figure remained in the high 60s.
Case Study: Equifax Risk Failure
Equifax has been exposed to numerous lawsuits and financial penalties due to a 2017 data breach that the company did not immediately identify. In addition, it was revealed that some information was provided to 3rd party companies without the permission of customers. This incident highlights the need for management to be aware of the practices within their company and the inherent risks when protocols are not adhered to.
Since 2017, Equifax has agreed to pay over 380 million USD to resolve claims associated with the data breach.
With an ERM practice in place, the data breach likelihood and impact would have been identified, and mitigation could have prevented such an event.