Enterprise Risk Management: Value in the Electricity Industry

Enterprise Risk Management

Value in the Electricity Industry

About Electricity Canada

Electricity Canada members generate, transmit, and distribute electrical energy to industrial, commercial, residential, and institutional customers across Canada every day. From vertically integrated electric utilities, independent power producers, transmission, and distribution companies, to power marketers, to the manufacturers and suppliers of materials, technology, and that keep the industry running smoothly— all are represented by this national industry association.

Acknowledgements

Electricity Canada acknowledges the important contributions of others in the preparation of the Enterprise Risk Management Value in the Electricity Industry Overview. Special thanks to the participants of the Enterprise Risk Management Committee who were instrumental in the design of the benchmarking survey cited herein. number of utilities contributed to the Enterprise Risk Management Benchmarking Study and Electricity Canada acknowledges their participation in that endeavour.

Confidentiality individual data is presented within the overview. All data is aggregated or anonymized for confidentiality.

Recommended Citation CANADA, ENTERPRISE RISK MANAGEMENT VALUE IN THE ELECTRICITY INDUSTRY, 2022.

Preamble

Foundation:

The

What

Recommendations

Risk

Risk

Risk

Risk

Industry

Steps Forward

Chief Risk

See the Big-Picture

Framing

Conclusion

Appendix A:

Appendix B:

References

Preamble

The Enterprise Risk Management (ERM) Committee of the Finance, Tax and Accounting program have identified a need to promote the value ERM delivers to an organization. This document of risk principles, trends, and tools aims to help increase awareness of the value ERM delivers when properly supported.

Introduction

Enterprise Risk Management is a growing field that allows decision makers to make informed choices that balance risk and reward. Risks can never be fully mitigated, but they can be understood and planned for. It is the role of an ERM strategy or framework to understand risks and communicate the nature and impacts of those risks to decision makers. In the process of identifying risks, ERM can also help descision makers understand the potential rewards gained by greater risk tolerance and risk mitigation strategies.

Electricity sector companies face many risk exposures with the potential for adverse effects arising from both internal events to the organization, as well as socio-economic, regional, provincial, global, or inter-jurisdictional events.

Identifying and managing these exposures is well recognized by Federal and Provincial governments, which in turn have issued guidelines and directives, such as those identified in the Ontario Energy Board’s Business Plan 2019-2022. Industry companies must be aware of what regulators and governments put in place. Governing Boards, executive leadership, and management teams must integrate risk management practices into their organizations to create and protect utility value and resources. Value will be delivered by re-positioning the long-term direction of the ERM program itself and by establishing leading risk maturity levels to enable dynamic and lasting value creation.

The goals of this paper are to increase awareness of the role of Enterprise Risk Management within the industry and its significant nature to safeguarding what may be considered the most critical infrastructure in today’s economy. Boards, executives, and management teams will need to align their objectives in order to effectively and efficiently apply risk management principles, techniques, and tools within their organizations.

Foundation: Risk and Enterprise Risk Management

Risk

Risk is the uncertainty of outcomes that will have an impact on organizational objectives.

Risk is often specified in terms of an event or circumstance and the consequences that may flow from it.

• Examples of event or hazard risk are a pandemic or an ice storm.

Risk is measured in terms of a combination of the impacts of an event and the likelihood of that event occurring.

• Identifying the impacts and likelihood will help identify which risk scenarios will need to be addressed with mitigation, retention, or absorbing techniques.

• A low likelihood event may be a pandemic, which would result in a significant impact to operations.

Risk may have a positive or negative impact.

• Hedging is an example of a positive risk, if the price of the commodity increases.

Enterprise Risk Management

Enterprise Risk Management (ERM) is the continuous, coordinated process used to identify, quantify, manage, and monitor corporate risks within a unified framework for an organization. ERM is a structured approach which provides the methodology to consistently consider the uncertainty involved with the organization’s ability to meet its strategic and operational objectives. Due to the integrated approach, each department’s staff would be responsible for identifying and mitigating organizational risks. Effectively, making all staff at the company aware of risk management and looking for risks in their day-to-day efforts.

It is recommended for an ERM department to adopt an existing industry framework from a recognized standards body to implement and follow.

Electricity Canada completed a benchmarking survey with Canadian utility

ERM departments in 2021 and found 41% were following COSO, 41% were following ISO 31000 and the remaining 18% applied a different framework .

Risk Management Standard Frameworks

ERM frameworks analyse risks to consider their likelihood and impact as a basis for determining how they should be managed.

Two of the more widely adopted industry frameworks include:

• Committee of Sponsoring Organizations (COSO) Enterprise Risk Management – Integrated Framework

• International Organization for Standardization (ISO) 31000.

Where COSO defines risk as “the possibility that events will occur and affect the achievement of strategy and business objectives”; and enterprise risk management as a “process effected by an entity’s Board of Directors, management and other personnel, applied in strategy and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objective.” 1

ISO defines risk as the “effect of uncertainty on objectives”, and risk management as “the coordinated activities to direct and control an organization with regard to risk”. 2

Both frameworks highlight potential impact to objectives and the way to manage those impacts are considered the founding principles of a good enterprise risk management system.

Side-bar definition:

Black Swan events are considered rare and difficult to predict. They are events that have a negative impact to the organization. Examples of black swan events are the global pandemic or multiple tornadoes landing in a region that is not known for tornado activity.

The Enterprise Risk Management Process

Risks are identified through a risk management process and are typically assessed, prioritized, and depending on the probability, magnitude and materiality of the risk, escalated to the Senior Leadership Team and the Board of Directors as required. Risk management should follow a specific, structured process using established criteria and terminology to allow the consistent identification, evaluation, and comparison of risks. The success of ERM depends in part on a common language for identifying, describing, and managing risk.

Risk tolerance helps decision-makers understand what is expected of them in making trade-offs of corporate objectives against one another, to improve general understanding of strategic objectives, and to help define and maintain risk tolerances.

An organization’s executive leadership team typically sets the “target” risk appetite, an outcome trade-off to each strategic objective, that is most aligned with the Company’s mission, vision, and values. It is an expression of an organization’s willingness to place each strategic objective at risk in the pursuit of value.

The following summary process is applied to the identification and management of the Company’s “conventional” (i.e., nonblack swan) risks.

Business Context

The risk management strategy should be aligned with the organization’s strategic objectives and operational activities. A risk management strategy should never be considered a standalone activity, considerations in defining the criteria should include the following:

• Nature and type of risks

• Risk likelihood and impact

• Timeframes of cause

• Complex risks, linked to others

• Regulatory, contractual commitments

Risk Assessment

• Strategic Alignment

• Integration in procedures

• Severity and impact

• Risk velocity

• Risk response

Risk assessment is the complete review of risks through identification, analysis, and evaluation. It is critical that the risk team identify as many risks and their impacts as possible. A risk registry is a commonly used tool to facilitate the maintenance or risks.

Process Elements Description

Risk Identification Identifies impacts, causes and consequences of the risk incident. Process of gathering risk information via senior leadership interviews, brainstorming and research on key corporate risks.

Risk Analysis

Risk Evaluation

Provides input into the evaluation process and whether the risk needs to be treated and how it should be treated.

Assists in the decision-making process to select risk treatment and prioritization needs and the related priority of each risk.

Risk Treatment

A continuous process of evaluating and selecting the options to modify an organization’s risks. Risk treatment can take on multiple forms such as avoidance and transfer. Refer to Delivering Value for more information about risk treatment.

Monitoring

Monitoring should be a planned part of the risk management process that incorporates tracking and continuous evaluation of both the risk but also the treatment techniques applied within the organization. This process will assist the risk team in determining if and when risk strategies are no longer aligned with the organization’s overall corporate strategies.

Reporting

The Board (or board-level risk committees) will establish risk policy which must be communicated to all levels of the organization. The risk and management teams will report on risk response plans, incidents, and financial impacts. This provides critical information to the Board or risk committee allowing them to make sound decisions. Reporting can also focus on Key Risk Indicators (KRI) and their trends. KRI’s will provide a sense of the impact to business strategic objectives and the emerging trends that can make the risk a live event, allowing the company to pivot in a timely manner, provided reporting is concise, timely and complete.

What Can Leadership Do

ERM practices within the electricity industry are very prevalent within company departments such as asset management and operations. They analyze risks from the loss of assets, increase in costs from regulatory compliance, staff health, safety, and more.

For ERM to be successful in any organization it requires active engagement and support from management and active reinforcement with all staff through constant communication. At Electricity Canada, the Enterprise Risk Committee has recommended that it is the responsibility of all staff to identify risks and ways to mitigate those risks within the ERM framework. One way an organization may accomplish this is through an objective performance process held in many organizations. Every employee can have a risk objective.

Risk management should be integrated into the organizational culture, and performance objectives throughout the company with the aid of a risk management champion who has the support of both the company executives and the Board of Directors. Such companies have a greater likelihood of achieving their strategic objectives and delivering their products or services more effectively and efficiently.

Board members understand the importance of Enterprise Risk Management, yet in a recent McKinsey and Company Study, only 40% of Board Directors from 1500 surveyed identified that their organization is prepared for the next crisis. Additionally, only 7% identified that their Board was effective at risk management.

This is exceptionally concerning when one of the mandates of a Board is to ensure that management identifies and addresses predictable risk that will impact the entire organization.3 Results for Function is seen by our Senior Management, Executive and CEO, and Board as a function in our company

Leadership Considerations

A best practice for Board members and risk champions is to consider those risks that could happen as if they will happen instead of accommodating probabilities. This will ensure that your company is always prepared.

Risk practitioners must also develop scenarios where they are not only addressing one risk, but multiple. In 2022, we have seen a decrease in COVID-19 numbers, only to see a rise shortly thereafter. At the same time, utilities are facing increased pressures from government to have a net-zero ready grid by 2035. All this is happening while there is a supply chain bottleneck on much needed microchips and rare earth metals, as well as a labour shortage and increasing inflation rates.

Risk comes in all forms and leadership must be aware of what can happen and imagine that it will happen.

Risk champions should be preparing the Board of Directors with scenario testing on risk events. Such scenario testing should be conducted on a regular basis and should be comprehensive in identifying the resolution of a risk event. A post-mortem exercise must be conducted to ensure decision-making was effective in the scenario exercise.

Boards and management must recall that enterprise risk management teams exist to deliver value to company stakeholders even in times of crisis.

The 2021 Electricity Canada survey of ERM departments highlights that Boards and executive teams see risk as a critical function of their organizations. However, Figure 2.0 shows that this does not extend to senior management. This could result from a disconnect in communication about ERM to senior management from the Board and executive teams.

ISO 3100 recommends that management should:

• define and publicly endorse the risk management policy;

• ensure that the organization’s culture and risk management policy are aligned;

• determine risk management performance indicators that align with performance indicators of the organization;

• align risk management objectives with the objectives and strategies of the organization;

• ensure legal and regulatory compliance;

• assign accountabilities and responsibilities at appropriate levels within the organization;

• ensure that the necessary resources are allocated to risk management;

• communicate the benefits of risk management to all stakeholders; and

• ensure that the framework for managing risk continues to remain appropriate.

Enterprise Risk Management: Value in the Electricity

Case Study: Poorly implemented ERM solution

In 2016, Chipotle was known for its good service and food innovation with fresh local food They were also known for salmonella outbreaks in their food supply chain, that where ultimately served to the customer Chipotle did not introduce adequate resources for enterprise risk management into their company They also failed to disclose that their safeguards where inadequate to safeguard customer and employee health Due to Chipotle’s lack of investment in risk management their share price fell 35%, sales decreased by 30% in months following the announcement, they faced a marred reputation and a civil lawsuit

An ERM approach would have established robust quality controls in the supply chain to ensure risks were identified and these controls would have decreased or all-together avoided regulatory penalties

Recommendations to the Board

The following are several recommendations that Boards of Directors can implement to facilitate the integration of enterprise risk management within the organization.

Category Description

Timeliness

Boards do not meet often. Risk is a constant presence to the company and ERM processes must be as up to date as possible for when the Board meets to avoid gaps in knowledge at the Board level. Boards can meet more frequently (i.e., regular schedule) to review risks and their updates, the ERM team may update their material more frequently to close those gaps. Another option that has been identified is creating a risk committee comprised of several of the Board members and senior management. This team would be more flexible in their schedule and be able to meet more often to ensure risks are addressed in a timely manner.

Common Standards

Organizations aren’t developing a common language to articulate risk. It has become difficult within organizations to communicate between departments on common standards of risk measurement. Companies within the same industry are encouraged to develop a common standard language on risk management. Industry related associations are one channel that can facilitate the develop of such standards.

Frameworks

The majority of risk management processes in use today do not have a formal risk identification process that links risks with strategic objectives. Risk teams and Boards need to examine ways to link risks to strategic objectives and identify ways to pivot when those objectives are at risk.

Strengthen Internal Auditing

Internal auditing must work closely with the risk management team to identify risk levels that can surpass or have surpassed internal controls. Ensure they examine company wide risk management processes, and their impacts to organizational strategic objectives.

Litigation

Not identifying risks can put companies at risk of legal repercussions. Ensure litigation measures are identified and described in detail in risk assessments.

Ask the Tough Questions

Boards and executive teams must ask tough questions to executives and risk champions to ensure risks to strategic objectives are identified and managed appropriately.

Risk in the Industry

The utility industry in Canada is facing multiple risks in the short and long-term future. Risks in the industry can be assessed by reviewing the economic, political, societal, environmental, and technological impacts of decisions being made or trends that are occurring. Each utility will face different risks compared to other utilities in the industry. For example, environmental risks will differ based on local geography. Even technological risks will differ based on managerial decisions and utility adoption of new technological solutions.

Table 1 .0 Some short- and long-term risks

Near-Term Long-Term

Infrastructure (e .g ., aging, climate impacts) Changes to financial systems (e.g., Interest Deductibility)

Government Regulation (e .g ., Net-Zero) Continued Exposure to Climate Change

Cyberthreats (e .g ., Ransomware) Changes to operating standards

Rapid changes to technology solutions Development of new generation

Sample of Known Industry Risk Events

• Disruptive Technologies: Smart devices, IoT, Sensors, AI,

• Rapid transformation: Firmware updates, Big Data, 5G, policy change

• Cybersecurity: Ransomware, malicious hackers, data theft

• Grid reliability: Storm hardening, customer expectations,

• Constrained Budgets: Slow growth, rising costs, regulated budgets

• Climate Impact: Hurricanes, wildfires, extreme temperatures

Risk Maturity:

In 2021, Electricity Canada’s Enterprise Risk Management Committee undertook a benchmarking study to gauge the processes in play within the industry in Canada. From participating members, 50% had ‘established’ ERM programs where processes are standardized, coordinated, and promoted consistently and risk information is factored into decision making, resource allocation, and performance management.

Only 2 respondents were leading with capabilities and practices being well integrated into strategic planning and performance, while management activities and risk appetites are clearly articulated. In these organizations, a strong culture of effective ERM exists across the organization with a clear understanding of roles and responsibilities and risk information and outcomes are continuously used to reinforce risk culture, to improve performance, and inform decision-making.

Case Study: What we do!

At our organization, we have regular risk reporting on a quarterly basis to senior leaders/executive management The Board maintains an understanding of the company risk profile and reviews the risk philosophy on an annual basis The executive team also ensures that key risks are brought forward to the attention of the Board for discussion and action, as required The senior leadership team supports the executive team and is a collection of subject matter experts who actively engage in the day-to-day management of risks Members of the senior leadership team have been assigned to be the designated responsible person for managing and reporting upon enterprise risks Working with the executive team, the senior leadership team oversees the risk profile and its performance against the defined risk philosophy This group understands changes in risk status and trends, identifies potential opportunities, and determines responses and action plans that are then implemented by the organization They also work to ensure effective, efficient, complete and transparent risk reporting to the executive team

Risk Tools

This section provides several tools for the Risk Manager’s toolbox.

Risk Matrix

A risk matrix, or risk map, is a measurement tool that provides a visual perspective to company risks and the prioritization of those risks. Organizations should develop a Risk Matrix based on criteria which make up the risk tolerance of the organization. The criteria should outline guidelines for assessing the impact and likelihood of risks.

Figure 3 .0 Enterprise Risk Management Matrix

Likelihood

The 2021 Electricity Canada ERM Benchmarking Study found that the majority of utilities are utilizing a 5x5 risk matrix. Other matrix options exist and ERM professionals should use a matrix that is best suited to their management philosophy and risk appetite.

Almost Certain Medium High High Extreme Extreme

Likely Low Medium High High Extreme

Possible Low Low Medium High High

Unlikely Low Low Low Medium High

Remote Low Low Low Medium Medium

Insignificant Minor Moderate Major Severe

Impact

Depending on the risk tolerance of the organization, the risk categorization can be altered within the risk matrix. Each organization may want to consider different inputs into the categorization of Impact and Likelihood. Inputs will come from various sources such as historical data, political and social environments, and measured and estimated impacts to systems based on estimated recovery costs.

Impact: Each risk impact can have a range of potential outcomes, each associated with a likelihood or probability. However, each business risk is usually assessed on the magnitude of the Worst Credible Impact.

Likelihood/Probability: Assessment of the likelihood of the Worst Credible Impact coming to pass. A standardized Probability/Likelihood scale for this step is recommended.

Likelihood

• Historical event data

• Political Atmosphere

• Frequency of Regulatory change and reviews

• Societal Atmosphere

• Technological Change

• Control and Monitoring Assessments

Impact

• System Changes

• Lost Revenue

• Increased Costs

• Lost Infrastructure

• Added Regulatory Burden

• Safety and Loss of Life

• Staffing Changes

• Recovery Time

• Reputational

Risk Bow-Tie Model

Risk Bow Tie Model or Risk Bow-Tie Analysis is a process for identifying where new and enhanced controls and monitoring techniques can be applied to effect for the organization.

Figure 5 .0 Bow tie model

Risk Registry

Risk registries are typically used by risk teams to identify and prioritize the risks that can impact your organization, department, process, or project. A risk registry is consolidated at an enterprise level and is used for informing the board of directors and management of the impact and likelihood of risks along with their recommended course of resolution. A risk registry may be built off of a risk profile.

Scenario Description Owner Likelihood Consequences

Level of Risk Action

Wind Damage Wind damage to lines Operations High $3 to 100 M High

Develop restoration plan; emergency response plan; Establish insurance coverage

Data Breach Theft of Customer info

Risk Profiles

IT , Legal, Customer Moderate $10k to $100M Moderate

Review IT security; Review insurance coverage

One of the first activities typically associated with the practice of integrated risk management is the development of a Corporate Risk Profile4. A Corporate Risk Profile enables an organization to obtain an overview of its key risks including an understanding of the organization’s operational context and objectives with respect to managing risk.

A Corporate Risk Profile describes an organization’s key risks, which include both threats and opportunities, and provides staff, external partners, and advisors with a clear ‘snapshot’ of the organization’s key risks and, when implemented, can help identify areas of efficiency and potential opportunity. This, in turn, supports strategic priority setting and resource allocation, informed decisions with respect to risk tolerance, and improved results.

How an organization presents its corporate risks differs from organization to organization, however, all Corporate Risk Profiles include fundamental qualities that make them a valuable management tool. A traditional risk profile is a set of characteristics common to any given risk. For an example of a risk profile refer to Appendix B.

Value of Introducing Enterprise Risk Management into your Organization

To realize the benefits of Enterprise Risk Management, leaders of the organization must think of ERM as a living enterprise-wide process that is active and vibrant with continuous updates and improvements in all aspects of the business. Every opportunity and threat to a utility holds risk. ERM will help determine the potential reward vs. potential harm.

Value of ERM Function

• Informs core business Strategy of risks on the horizon.

• Prioritizes which risks to mitigate, reduce, transfer, and retain.

• Identifies the type and number of resources that will be required to manage the risk.

“

To understand the value of risk management, is to understand the value at risk .

- Daniel Gent, Electricity Canada

Table 2 .0 Known Benefits

Benefit Description Enterprise Risk Management

Take intelligent risks

Many companies take risks to grow their business. For example, utilities can take intelligent risks by investing in other utilities or by introducing new behind-themeter services (i.e., capturing opportunities).

Will identify if the possible rewards are greater than the potential harm.

Reduce costs of hazard risks

Reduce deterrence effects of hazard risks

Costs related to a particular asset or activity.

Examines the risks of future losses by making them more foreseeable in the planning stages of upcoming projects.

Will reduce overall costs of risk, one can expect an increase in profits or a reduction in budget expenses.

Will increase feasibility of future ventures.

Reduce and manage downside risk

Inherently there is always risk, and downside risks may be considered the cost of doing business. The goal is to mitigate the risk and establish protocols to monitor and track these risks.

The ERM strategy would implement a threshold limit and when the threshold is reached, becomes an actional item under management review. Establishing SAIDI and SAIFI measures are a good example of thresholds within the industry.

Global Survey

In the ERM Oversight survey from 2020, 83% of respondents identified that an operational surprise impacted the way they do business. The high value was attributed to COVID-19; previous trends remained in the high 60’s.

Case Study: Equifax Risk Failure

Equifax has been exposed to numerous lawsuits and financial penalties due to a 2017 data breach that the company did not immediately identify In addition, it was revealed that some information was provided to 3rd party companies without the permission of customers

This incident highlights the need for management to be aware of the practices within their company and the inherent risks when protocols are not adhered to

Since 2017, Equifax has agreed to pay over 380 million USD to resolve claims associated with the data breach

With an ERM practice in place, the data breach likelihood and impact would have been identified and mitigation could have prevented such an event

Global Survey

Enterprise Risk Management is most successful when it is fully integrated into the organization. In a 2020 discussion paper released by Dr. John Walter of St. John’s University, only 24% of ERM leaders identified that employees were risk aware. Risk leaders must close the gap. They can do so with appropriate resourcing, staff training, and the tools needed to deliver value to the organization.

Embedding ERM into Strategy

A major source of risk for any enterprise are risks associated with its strategic plan. Strategy involves making assumptions about the future and making choices about the direction and focus of the enterprise based on those assumptions. As a result, risk is inherently part of strategy. Integration, or the “embedding” of Enterprise Risk Management (ERM) into strategy development, supports successful execution of strategy.

The embedding of ERM into strategy is particularly valuable to the Board of Directors. The primary roles of the Board include the strategic direction of the enterprise and the risks facing the enterprise. The Board has oversight on the selection and execution of the strategy and over the development and execution of risk management. Embedding ERM into strategy supports better decision making by the Board in relation to these roles.

ERM can therefore enhance the development and execution of strategy by better supporting the Board in their decision making around strategy choice and execution. Embedding ERM into strategy can enhance focus on strategic risks that could impact the enterprise’s strategic plan. It allows for the testing/challenging of key planning assumptions upon which the strategy is based and allows for the monitoring and mitigation of those risks while executing the strategy. It also allows for the ability to “course correct” on the strategic journey based on risks that arise, how those risks impact the enterprise, and how those risks are managed.

How to embed ERM into strategy:

• Integrate the ERM framework within the strategy and business planning process.

• Operationalize the organization’s risk appetite statements and develop associated risk tolerances.

• Integrate the ERM framework with other key corporate tools or frameworks that support resource planning, asset management, etc.

Risk Response Strategies

Risk Treatment techniques include avoidance, mitigation, transfer, retention, and exploiting. These techniques are not mutually exclusive, and some risks will require multiple techniques to address them. For example, as a result of the 1998 ice storm, transmission tower standards changed to hold more weight and line monitoring techniques were introduced. Updating standards is a way to mitigate future occurrences. Utilities, however, will continue to purchase insurance to transfer some of the financial risk.

Risk Mitigation

Ideally, actions to mitigate risk should be clearly defined, measurable, and tracked on an ongoing basis. The progress of these mitigation actions should be communicated to the Board on a regular basis. When not being achieved as planned, any significant impact to residual risk should be identified.

The Board must understand the role of ERM in the allocation of the finite resources of the company. If risks are being mitigated to an extent such that the residual risk falls well below the accepted risk tolerance, resources could likely be allocated more effectively.

Risk Transfer

As a result of risk treatment, risk transfer occurs when the company moves the impact of the risk to a third party. The purchase of insurance is an example of a risk transfer action. Companies must stay aware of changes to their insurance rates and policies to ensure that they are the necessary value. In times of a hard market when insurance rates are being adjusted to external forces such as climate change, pandemics, labour shortages, and supply chain disruption, it is prudent for the risk team to work with the finance team to find the best possible rates.

Risk Retention

Identifies the strategy of retaining the impact of the risk. The unexpected failure of a transformer may be considered an acceptable risk. Retention occurs when there is no desire or benefit to shift the financial burden of the risk, in this case the risk is retained for the company to shoulder the impact.

Reporting Timeliness

As identified in Part I, the Board of any company must be informed of any changes to the company’s risk profile. Reporting must provide assurance that company risks are being actively and properly managed on an ongoing basis. Information related to risk management should be communicated to the Board on a regular basis so that they are adequately informed of the current risk exposure to the company. Following an annual risk refresh/update, the Board should be informed of any changes to the ranking of the top risks, any new risks that have been identified, and any changes to the risk mitigation strategies.

Deriving Value from Risk Profiles

In a dynamic and complex environment, organizations require the capacity to recognize, understand, accommodate, and capitalize on new challenges and opportunities. The effective management of risk contributes to improved decision-making and better allocation of resources in an organization.

A Corporate Risk Profile identifies risks that affect the achievement of objectives. Risks, including threats and opportunities, must be forward looking and relate to future uncertainty. A risk is not a business condition, a current issue or problem. Sometimes, reoccurring issues may be interpreted as risks. In this instance, organizations should identify the risks associated with managing those reoccurring issues, rather than describing the issues themselves.

Profiles should reflect the organization’s particular circumstances and objectives. It should reflect the current business conditions of the organization, as well as the size of the organization and the complexity of its mandate. Likewise, a risk profile should be presented in a balanced way, with enough detail to provide context and a clear description of risks, including how these risks are being managed within the organization. There should not be so much detail that it overwhelms the reader or is not easily used to support effective decision-making.

Industry Risk Categories

Operational

Operational risks can be defined as risks that might affect key operations of the organization impacting its ability to execute its strategy. The Risk Management Association also defines operational risk as “the risk of loss resulting from ineffective or failed internal processes, people, systems, or external events”. Operational risks can be very broad and will be unique to each organization, as well as unique to various types of utility services, and typically occur at every level in an organization. Operational risk is inherent in all our activities, processes and systems and losses can be directly or indirectly financial.

The electricity industry is currently undergoing a rapid operational change driven by changes to traditional electricity services and there are several common and rising risks that can be identified.

Common Operational Risks Rising Operational Risks

Employee conduct and employee error

Breach of private data resulting from cybersecurity attacks

Technology risks tied to automation, robotics, and artificial intelligence

Business processes and controls

Physical events that can disrupt a business, such as natural catastrophes

Internal and external fraud

Business Interruption

Product Failure

Health & Safety

Human Resources

Accelerating Changes in Industry Structure

Globalization and Shortages of the Supply Chain

Integration of New Technologies

Meeting Net Zero

With new developments in climate change, there is a transition that is being sought from carbon intensive sources to move to a net zero carbon footprint. This may result in operational risks for stranded assets.

The emergence of new technologies such as electric vehicles (EVs), grid technologies including smart meters and distributed connection generation increases the operational risk in these areas. Grid modernization and increased capital may be required. New technologies may also mean new vendors and suppliers, which may create additional operational risk including quality control, availability and suitability.

The COVID-19 pandemic and globalization of supply chains is negatively impacting the supply chain with increasing costs and possibly impacting the ability to deliver on capital programs. Organizations should ensure that they have sufficient planning to compensate for delays in the deliveries of key materials.

These key operational risks in isolation or in combination for most organizations currently require attention.

Environmental

The primary external environmental risk pertaining to the utility industry in Canada is extreme weather events. Such events, increasingly exacerbated because of climate change, can have significant financial impacts, in part through increased capital and maintenance costs to repair or replace damaged equipment and infrastructure, and through reduced revenue. Moreover, due to the industrial nature of electrical distributions sites, there is a high likelihood that some degree of contaminants (arsenic, polychlorinated biphenyls and petroleum hydrocarbons) exists in all utilities across the country. To mitigate such risks, utilities consider site specific climate and weather factors, such as flood plain mapping and extreme weather history; performing regulatory due diligence to manage environmental liability; all while ensuring system adequacy through system planning and coordination.

Environmental risks are increasingly associated with government policies relating to the production and procurement of renewable and clean energy. Carbon emissions and conservation are certainly present in utilities’ evolving landscape. Canada’s climate has warmed and will warm further in the future, driven primarily by human influence. As a result, the Canadian government has taken significant steps forward by releasing plans last year to reach Net Zero by 2050, and recently increased its 2030 target to reduce greenhouse gas (GHG) emissions to up to 45%. The risks pertaining to utilities in meeting these targets are very real. Particularly, for the most carbonexposed players that face escalating financial challenges—like carbon pricing, product substitution and demand pressures—as well as brand headwinds including social licence, workforce retention, and shareholder activism.

As they diversify the scope of their activities and operations, utilities will need to compete for scarce talent in a number of spheres, including environmental science. Even in the back office, utilities may feel the need to expand the range of skills necessary for success in the emerging business environment. Whether it is sourcing capital from more environmentally conscious lenders or meeting new compliance needs for ESG reporting, utilities may discover that their need for managerial and professional talent runs consistently ahead of their ability to attract or retain it.

Technology

Technology is evolving rapidly and redefining the industry with transforming business models and changing customer roles and expectations. Much of Canada’s electricity infrastructure is nearing its end of life and the expectation is that like-forlike replacement and incremental technological improvements will no longer be adequate. The risk for utilities is increasing due to the rapid pace of change and the significant level of investment required in the coming decades.

Technological advancements in areas such as renewable energy, distributed energy resources, battery storage and energy efficiency products and services will ensure a sustainable power supply for the future and better meet evolving customer expectations. However, they may also result in stranded assets and could significantly impact retail sales.

As a result, utilities are having to develop strategies that include innovation and experimentation, balance investments between traditional infrastructure and more technologically advanced assets, and drive cost efficiency to mitigate rate impacts. Utilities are also having to develop new business models that will lead to long-term value creation by developing new revenue streams from customers seeking solutions for their energy challenges.

Regulatory

The ability for regulatory bodies to change or enact regulations that reduce revenue, increase costs, or limit a utility’s ability to recover prudently incurred costs and earn an appropriate return on assets has long been a risk for utilities. Increasing regulatory risk in some jurisdictions is linked to disruptive factors in the industry, including rapid advances in technology, a shift towards clean energy, and changing customer expectations.

The traditional cost-of-service model utilized by many economic regulators can be an impediment since it requires utilities to go through demanding reviews of investment plans that link the proposals to customer value. Similarly, as utilities develop

new business models to align with shifts in the industry and take advantage of opportunities related to new energy, products, and services, they run the risk of regulators disallowing the proposed changes. Moreover, regulators are increasingly expecting utilities to demonstrate efficiency when applying for rate increases driven by investments in clean energy and new technologies.

Utilities are managing regulatory risk through regulatory filings meant to educate and inform, as well as through ongoing consultation with stakeholders and governments.

Health & Safety

Ensuring the health and safety of workers and members of the public is a core value for utilities. Significant effort is put into building a strong organizational safety culture and ensuring occupational health and safety standards are followed. Information campaigns focus on educating the public about safety hazards and steps are taken to keep members of the public at a distance from energized equipment. Nonetheless safety incidents continue to occur.

One aspect of health and safety that has recently risen in prominence is mental wellness. The COVID-19 pandemic has shown that utilities must be prepared for public health threats and be ready to implement heightened safety protocols, but it has also underscored the importance of maintaining good mental health. Employee wellbeing is critical to a business’s success since employees that are feeling depressed and anxious are more likely to be disengaged, less productive, have higher levels of absenteeism, and are at a higher risk of having a safety incident.

Never has there been more urgency for organizations to champion mental health initiatives in their workplace. Over the past eighteen months, many organizations have implemented or enhanced mental health resources to support employees and have broadened awareness of the issue to reduce the stigma attached to mental health.

Financial

The winds are changing when it comes to the financial risks faced by Canadian Utilities. In the pre-pandemic era, financial risks were mostly dominated by the underlying regulatory environment (i.e., regulatory or rate changes impacting cost recovery of assets); credit ratings and financing; volatility in prices of certain commodities and industrial inputs, counterparty credit risk, volatility in interest or foreign exchange rates, and the accuracy of financial reporting. While these risks will always be in play, the rapidly changing political, economic, social, and technological landscape in which utilities operate, as exacerbated by the COVID-19 pandemic, is rapidly changing the futuristic views on financial risk for CFOs across the country.

During the height of the COVID-19 pandemic, writer Derek Thompson said: “because the pandemic pauses the present, it forces us to live in the future”. In that sense, over the past two years, the sentiment that the Canadian government and its people need to do more about climate change has grown exponentially. Why does this matter? Because climate related risks are substantive financial risks as they have a direct and measurable impact on the expected production and distribution of electricity from various facilities. A prime example is the electrification of personal transport, which could be as significant for the electricity sector in this century as the internal combustion engine was to the petroleum industry in the twentieth century.

The financial community, not just in Canada but worldwide, also appears to have embraced the need for climate change action, with a particular emphasis on Environment, Social, and Corporate Governance (ESG) imperatives. ESG is becoming the decisive factor in obtaining access to sufficient capital/liquidity in financial markets. A lack of ability to tap-in thereto may restrict growth opportunities, and is therefore becoming a mounting financial risk in the eyes of Canadian utilities.

The increasing effect of climate change causes financial risk to power and electrical utilities considering recent market developments in the insurance industry. The power and utilities sector is likely to see a substantial increase in its insurance premiums, even as there is a reduction in the insurance industry’s willingness to offer coverage. As an example from a global perspective, Lloyd’s of London is scaling back its exposure to coal and oil sands, in a reversal of its traditional hands-off approach to climate change strategy.

With the significant uncertainty, volatility, and change in the financial markets brought on by ESG, will the regulatory model of today be sustainable? Or are future consumers to pay for today’s investments? Financial markets work best when assets are properly valued; however, in today’s market economy, climate factors are often mispriced, and climate risks are generally underappreciated. Prices and incentives that reflect climate risk will be critical to succeed in tomorrow’s financial environment.

Legal

Legal risk is the potential loss that a company or individual could face as the result of a legal issue. Legal risk can include claims made against the organization, a change in law or failure to take the proper legal measures. As with Operational Risk, legal risk can be very broad across an organization.

Common Legal Risks

Rising Legal Risks

Regulatory Breaches Contract Management

Breach of Privacy

Health and Safety

Improper Trade/ Market Practices Environmental

Property Cost/ Land Usage Changes in Regulations

Digital Transformation and Innovation

Legal risk is currently a key risk for many electricity organizations. Organizations face a potentially challenging environment with exposure to financial and reputational losses if legal risks develop. Regulatory and legislative requirements for organizations are becoming more stringent and contracting requirements are also becoming more complex.

Legal departments are now doing more and focusing on the identification, management and mitigation of legal risks facing their organizations. There is a heightened interest in regulatory requirements, health and safety, and environmental considerations examining how legal risks align with the enterprise risks. This heightened interest leads organizations to identify and manage the legal risk and the interaction with the business more effectively.

Regulatory risk sits firmly between legal and political risk as provincial governments will have an impact on regulations and regulatory activity that can quickly become policy, framework, or laws that electricity companies must adhere to. The industry is subject to the risk that its business activities may be impeded through the actions of regulatory authorities or by changes in regulation.

Political

Political risk is the risk faced by investors, corporations, and governments from political decisions. The political climate can change with competing political parties pushing their own agendas to capture votes. Changes in the political landscape can lead to shifting attitudes in areas of emerging risk. Political risk may arise at any level, including the international, federal, provincial, and municipal levels.

Common Political Risks

Trade Barriers

Rising Political Risks

Changes in Regulations/ Legislation

Change in Taxation

Change in Government Leaders

Socio-Economic Imbalances

Environment Regulations

Sustainability

Political risk is constantly changing and significantly impacted by socio-economic and environmental movements across the globe. We have recently seen the landscape changing at an accelerated pace that is unprecedented in our industry. Environmental, Social, and Governance issues are also rising, driven by politics at multiple levels across organizations and industries.

Case Study: Interest Deductibility Limit (IDL)

In 2021, the Government of Canada introduced IDL in their budget for 2023 In 2022, they released draft legislation This legislation effectively limits the amount of debt interest a business can deduct from their taxable income Not all in the electricity industry are impacted by this proposed legislation, but those who are impacted will suffer increased costs This can cut into funds that can otherwise be used to invest in other government mandated activities to hit Net Zero For Canada to reach its Net Zero by 2050 goals, or for utilities to establish a clean gird by 2035, companies will be required to make increased investments in large amounts of renewable capital and initiatives IDL will impact the feasibility of these large investments and resulting costs could be passed on to the ratepayers

Societal

Transformation within the utility industry is largely driven by society’s changing expectations for utilities with regard to environmental, social, and economic sustainability as well as the role customers will play in energy transactions and long-term decision-making related to a lower-carbon economy.

The public and shareholders are intensifying the pressure for utilities and large emitters to decarbonize, which is driving governmental policies regarding emissions. The increasing pressure to respond to climate change, both within Canada and globally, will likely cause the federal government to accelerate the achievement of emission reduction targets which will put utilities at risk of having stranded assets.

Another key societal shift impacting the utility industry is the electrification of the economy. The adoption of electric vehicles (EVs) will reshape the transportation sector and dramatically reduce emissions. Utilities are faced with both challenges (such as ensuring grid capacity to handle the increased electricity requirements) and opportunities to develop new revenue streams by building out charging infrastructure. Utilities risk losing out on such opportunities if they cannot adapt quickly.

The switch to cleaner energy sources and implementation of technological advances will add cost, but customers expect utilities to find efficiencies to mitigate the rate impact of rising costs. Utilities, supported by lawmakers and regulators, will need to communicate to customers that such investments will increase the value of services being provided.

Reputational

Electricity companies also face reputational risk. For publicly traded companies this may impact shareholder value. Likewise, an organization that may be viewed negatively by its customers may face more regulatory scrutiny in order to appease the customer base. Companies that have suffered reputational damage may also see higher rates of voluntary staff attrition.

Reputation may be impacted by both external and internal causes. Decisions made one day, that may be viewed as necessary and operational feasible, may result in long-term reputational damage in years to come.

In the end, one can argue that poor risk management practices will impact the company’s reputation on many fronts and can be long-lasting. When there is a negative event or impact in any of the above categories, reputation can be damaged if there is proof your organization is at fault. If your company is not at fault, your organization will still face public scrutiny that may cause reputational obstacles.

Steps Forward

The concept of resilience has gained in popularity over the past several years, as organizations (and individuals) have faced an unprecedented level of disruption and volatility resulting from the COVID-19 pandemic. This global crisis has illustrated the holistic and interconnected nature of the world we live in, reminding us of the importance of taking a holistic view of risk and resilience. This also holds true within organizations. Building resilience is a ‘whole-organization’ endeavour, not something that can be relegated to a department or functional area. Now is the time for Enterprise Risk Management to demonstrate its value as both a practice and a mindset that adds value by strengthening resilience. To do so ERM must evolve to a more holistic practice, supporting risk awareness and a unified effort at all levels the organization.

Any evolution of ERM practice that leads to better integration of risk thinking throughout the organization is a positive step forward and will lead to an increased ‘big-picture’ view of risks and how they are interconnected.

The following are stepping-stones for risk and management teams and their respective Boards to advance integration and increase the relevance of Enterprise Risk Management for the benefit of the organization.

Chief Risk Officer

Executives are often tied to their specific functions within their departments of the organization. Designating a Chief Risk Officer (CRO) in the organization to handle risk, oversee a risk department, or ensure implementation of enterprise risk management strategies is a growing trend in many industries. A number of electricity companies have established CRO’s within their organization to spearhead risk change and awareness within the company. The CRO will oversee and guide all risk management strategies and operations within the organization.

See the Big Picture

Boards of Directors and Executive teams generally want to spend a good portion of their time on ‘big picture’ thinking and ‘connecting the dots’. Enterprise Risk Management practitioners can act as a catalyst to provide this perspective, but only by going beyond the traditional risk register or list of top risks. When enterprise risks are represented as a landscape rather than as a list, they will prompt holistic thinking and valuable discussions.

Scenario Mapping

Mapping the connections between enterprise risks supports more integrated thinking and can provide a useful basis for working through scenarios where multiple risks emerge at the same time or in sequence. Discussions like these are a great platform for developing strategy or gaining insight to make more complex decisions. Much of the value is in the discussion. It is important to remember that there is more to be gained through iterating risk and interconnected views with the Board and Executive teams.

Many Boards hold annual retreats. Risk workshops or risk scenario exercises can be a very effective anchor for these events as long as they are approached in a holistic manner and don’t feel overly mechanical to participants. These events require pre-planning, and advanced one-on-one interviews with Board members.

Integration

An integrated planning and ERM process is more time efficient for managers in the business, and also provides the ERM practitioner a chance to build credibility, relationships, and sources of valuable risk information (i.e., risk intelligence) across the business. Business planning and risk may be co-located within the organizational structure. This may make the task of integrating risk and planning easier, but it is not required to pursue this objective.

Similarly, using risk discussions as a component of strategic planning exercises can be highly effective, and while these usually happen less frequently than business planning processes, monitoring risks as part of ongoing strategy execution oversight can keep ERM front of mind.

For risk to be fully integrated, staff training is required. ERM must become part of the company culture. The best way to accomplish that is to integrate the risk strategy into the company strategy and integrate risk indicators and objectives into performance management objectives for all staff.

Framing the Problem

The same approach used to connect with different areas of the business and understand specific risks can be applied to help organizations resolve complex challenges or make difficult decisions. In this situation, the ERM practitioner is the facilitator and synthesizer, pulling perspectives and pieces of information together into a framework that will help build a comprehensive view of complex issues and evaluate potential solutions. For example, this could include one-on-one interviews on a topic, pulling together information into a background brief and a ‘risk framework’, and convening participants to discuss options to resolve. In doing this, participants who previously had only one view of an issue get to see the bigger picture, benefit from structured framework to represent the issue and options, and benefit from the ERM practitioner facilitating a dialogue. Providing such services, that are somewhat outside the traditional view of ERM, can significantly increase the profile, credibility, and relevance of the ERM group.

Going Digital

The industry is capitalizing on the four Ds: Decarbonization, Democratization, Decentralization, and Digitalization. Going digital requires a great deal of technological solutions that the industry may not be fully prepared to take on. Digitalization will support the other broad changes to the industry and play a significant role for those companies seeking to increase their performance and operational efficiencies. Digital solutions will be embedded into all aspects of a utility or generator. Companies will require talented staff that can handle big data and analytical solutions that will provide the company the toolset to move forward and grow. ERM will capitalize on all these changes and use big data analytics to their advantage. Data driven decision making and data science solutions will provide risk professionals with the ability to predict future events and impacts more accurately, and therefore apply better risk management techniques to the benefit of the company.

Key Risk Indicators

Use of Key Risk Indicators (KRI) is a growing trend in risk management. They are developed to be early predictors of risk events to the organization. They will vary by organization based on risk categories the company is sensitive to. They play a pivotal role by providing a means to develop thresholds for monitoring, predicting and establish an alert system that will enable an escalation process that the organization must address to mitigate the pending risk event.

Emerging Risk Intelligence

The new normal for ERM programs envisions a more robust and resilient risk organization that exhibits “risk intelligence”. This trend looks to a dynamic ERM state where the dial moves from today’s common speak of ‘integrated’ programs towards an ERM program that is ‘strategically’ consumed by organizations.

Where risk intelligence is “the organizational ability to think holistically about risk and uncertainty, speak a common risk language, and effectively use forward-looking risk concepts and tools in making better decisions, alleviating threats, capitalizing on opportunities, and creating lasting value.” 5

Conclusion

Risk is ever present in the industry and will impact the electricity industry in a variety of forms. One risk event can easily set off another risk event for the company. The contents and recommendations throughout this document are aimed at increasing the awareness of the critical role enterprise risk management has in the industry when everyone in the organization is aware of it, understands its relationship with strategic and operational objectives, is knowledgeable enough to identify risks, and has the authority to make decisions to mitigate those risks.

Appendix A: Glossary of Terms

Term Description

Black Swan Risks

Are risks that come as a surprise and have a major impact on the organization.

Control Action taken to manage risk.

Enterprise Risk Management

The coordinated activities to direct and control a company’s efforts in regard to risk.

Likelihood Chance of something happening.

Residual Risk The risk remaining after controls and treatment are taken into account.

Risk Acceptance An informed decision by the risk owner to accept the consequences of the risk.

Risk Appetite

The amount of risk the company is willing to be exposed to.

Risk Avoidance An informed decision to withdraw from a risk event.

Risk Identification Identifies impacts, causes and consequences of the risk incident

Risk Impact

The risk impact are the consequences when and if the risk event occurs, often measured in cost to the company.

Risk Management Framework Policies, procedures and processes concerning risk management.

Risk Profile Characteristics and assessment of a range of specified risks that the organization may face.

Risk Register

A registry of risk information that identifies risk events, the potential impact, costs, mitigation techniques, stakeholders, owners of the risk, etc.

Risk Tolerance

The level of variation from the pre-determined risk appetite that the organization is willing to accept before changing the risk response.

Risk Transfer Moving or shifting the risk burden of loss to another party with the use of insurance, contracts or other legal means.

Appendix B: Example Risk Profile

An example of risk details is provided below:

Issue Human Resources Risk ID 001

Risk Owner ADM, Research and Policy Branch | Accountable | ADM, HR Branch

Statement There is a risk that the organization may not be able to maintain the current number of staff in scientific job categories.

Category This risk belongs to the Human Resource Capacity category. The risk refers to insufficient HR capacity for scientific research.

Sources The organization is exposed to this risk due to following:

• Increased private sector demand in the science and technology field.

• Increased demand for staff in scientific field within the federal government.

• Insufficient retention and recruitment activities specific to the science and technology field.

Inherent Risk Exposure

Existing Controls

If the risk were to materialize, consequences would be severe and could not be endured by the organization without sustaining extensive delays to research targets.

The organization currently employs the following strategies to mitigate the risk:

• Communication with local colleges and universities to promote the organization as an employer of choice.

Residual Risk Exposure

If the risk were to materialize consequences would be significant, however, they could be endured by the organization by adjusting the research agenda and setting new targets. This may result in some activities being subject to review to address shortfalls.

Consequences and Strategic Outcome

• If not mitigated, the research targets would not be met.

• If not mitigated, the reputation of research excellence would be compromised.

• If not mitigated, the organization may lose the ability to provide the scientific community with timely, relevant information.

• If not mitigated, the organizational objectives may not be met.

Issue Human Resources

Risk Evaluation

The organization's tolerance for human resource risks is within the moderatehigh risk level. The organization evaluated the risk and the residual exposure remains outside our tolerance. Additional risk responses are proposed to increase the retention and recruitment rate over the next 2 years.

Risk Responses

Additional risk responses include renewal of staffing and retention policies and accessing broader pools of qualified candidates to fulfil the scientific requirements of the organization.

• The organization will develop a retention program that will encourage long-term commitment.

• The organization will create a formal graduate recruitment program with universities across the country.

• The organization will create an internship program with colleges and universities to promote the organization.

Action and Timelines

• Identify and establish partnerships with colleges and universities – Fall 2010

• Develop communication and stakeholder engagement strategy – Fall, Winter 2010

• Establish and implement policy changes with the HR Branch – Spring, Summer 2011

Indicators

• Organizational turnover rate in the science and technology category.

• Organizational retention and recruitment rates over the next two years

• Analysis of research targets over the next 3 to 5 years.

1. Committee of Sponsoring Organizations of the Treadway Commission. (2004) Enterprise Risk Management – Integrated Framework, Executive Summary.

2. International Standards Organization (ISO). (2018) ISO 31000 Risk Management Guidelines.

3. The role of the board in preparing for extraordinary risk. McKinsey and Company, (2022).

4. Guide to Corporate Risk Profiles – Government of Canada (https://www.canada.ca/en/ treasury-board-secretariat/corporate/risk-management/corporate-risk-profiles.html)

5. Tilman, Leo. Risk Intelligence: A Bedrock of Dynamism and Lasting Value Creation. Retrieved from: https://www.europeanfinancialreview.com/risk-intelligence-a-bedrock-of-dynamismand-lasting-value-creation/