According to the World Economic Forum, we’re in “an era of compounded economic, environmental, geopolitical and technological risks.”
From the ripple effects of COVID-19 to long-term environmental degradation, executives grapple with rapid change and an uncertain future. In fact, executives report risk volume and complexity are at a 12 year high.
For utilities in 2021, risk management is particularly challenging because the sector is at an inflection point.
As state and federal regulation push green energy, extreme weather tests grid resilience, and cybercriminals target third party software - utilities are scrambling to harden and transform the grid.
Older business models from before digital transformation and climate change - when coal was king - won’t survive the 21st century.
To remain viable, utilities need a fresh approach to risk - one that is integrated, holistic, proactive, and strategic. Conversations about risk shouldn’t be relegated to a single department - they should permeate an organization.
Utilities need robust enterprise risk management.
What is Enterprise Risk Management?
Risk is everywhere, from the “Floor is Wet” sign in the hall to “Caution: Contents are Hot” printed on a coffee cup.
All employees deal with risk in their day-to-day work when triaging a week’s workload. A team evaluates the risk a project may exceed its budget. And an organization purchases insurance to secure its assets and reviews its regulatory compliance to pass an audit.
But enterprise risk management goes beyond these practices.
In its 2019 guidelines, the International Standards Organization (ISO) defined risk management as “coordinated activities to direct and control an organization with regard to risk.”
Notably, ISO insists risk management’s purpose is “the creation and protection of value” and it “improves performance, encourages innovation, and supports the achievement of objectives.”
ISO recommends making risk management central to all decision-making and strategy. Enterprise risk management informs the entire organization.
This focus on an all-encompassing approach is part of what distinguishes enterprise risk management (ERM) from traditional risk management.
Traditional vs. Enterprise Risk Management
Traditionally, risk management is…
- SEGREGATED to a single department or confined within auditing and compliance
- SILOED within individual projects without collaboration between teams, and with limited engagement from the C-Suite
- REACTIVE, responding to known, historic risks; mitigating the impact of risks once they’ve occurred; or restricting itself to insurable risks
- LIMITED IN SCOPE to avoiding threats, rather than leveraging opportunities in strategy
On the other hand, ERM is…
- INTEGRATED within an entire organization’s culture, decision-making, and strategy, ultimately led from the top down and actively involving the C-Suite and board
For Linda Milburn-Pyle, the Chief Risk Officer at Advanced Auto Parts, every employee is a risk manager. She prioritizes “bringing cultural awareness as well as enterprise risk topics to the forefront of everybody’s discussion.”
Education is key, so everyone is on the same page about ERM’s vital role in an organization.
- HOLISTIC in mitigating risks that span multiple teams, fostering multidisciplinary collaboration
Kate Kraycirik, the Director of RM at The University of Texas MD Anderson Cancer Center, created enterprise resiliency teams within her organization to identify and mitigate risks.
The teams were multidisciplinary and united people from different areas and levels. While individual teams met weekly to discuss the effects of remote work, team leaders dissolved silos by joining forces, reporting to an overarching committee, and bringing new perspectives to their groups.
- PROACTIVE in its analysis of key risk indicators - looking to the future to understand risk
Bob Kolasky, Assistant Director of the Cybersecurity and Infrastructure Security Agency (CISA), stresses “defending today and securing tomorrow” through robust threat intelligence, partnerships, and information sharing. With cybersecurity, risks are always evolving, and experts must keep one step ahead of cybercriminals.
In risk management, foresight is superior to hindsight.
- STRATEGIC, guiding an organization through complex risks that threaten to upend traditional business models and transform value propositions
Steve Zawoyski, an ERM advisor, insists ERM’s not all about the “bad things that could happen” - instead, it asks what’s needed to execute strategy.
Organizations may appoint a Chief Risk Officer to execute ERM, educate the C-Suite and board, and promote risk topics within conversations about strategy.
In the end, ERM ensures clear communication, leadership, and visibility, while traditional risk management may not account for all risks or take meaningful action to mitigate them.
Traditional risk management’s siloed approach may neglect external risks and those that fall between departments - where there’s no clear ownership. A traditional framework may also misjudge the ripple effects of a risk that touches more than one silo.
Over the last twenty years, more and more organizations are administering ERM - but it remains undervalued, misunderstood, and immature.
Traditional risk management persists.
Current Risk Management Is…Well...Risky
The Risk Management Society’s 2019 survey results are bleak: only 32% of organizations “believe their risk management teams are prepared to meet future challenges.”
Likewise, according to NC State University’s annual risk report, fewer than half of those surveyed assess their risk management as “mature” or “robust,” and an alarming two-thirds don’t have “complete ERM in place.”
NC State also observes a “disconnect” between organizations that report they’re risk averse, yet oversee immature risk management.
Most organizations - while adopting ERM in name - have yet to discard traditional risk management completely.
Overall, risk management remains...
SEGREGATED
- In a 2017 Deloitte poll of a power and utilities roundtable, no participants felt their ERM was well-integrated, and 22% didn’t believe it was integrated at all.
- NC State reports only 50% of organizations are assigning an executive to spearhead risk management, with many delegating this task to a board committee instead. And often, risk is still confined to a compliance context.
SILOED
- Deloitte’s roundtable also found a mere 7% believed their stakeholders understood ERM’s role and value proposition - and 86% saw some understanding among stakeholders but observed further education was still key.
- As a risk consultant, Carol Williams identifies “inconsistent leadership” or “tone-at-the-top” as the primary challenge for risk professionals in implementing ERM. Executives restrict risk management to compliance and don’t invest in a comprehensive, holistic framework.
- A 2018 Deloitte survey found approximately 50% of respondents lack the ability to detect, monitor, and analyze reputational risks. There are significant gaps in risk management processes.
REACTIVE
- In that same report, Deloitte observed most leaders “take reactive rather than proactive measures” while addressing “current, isolated, tactical risks.”
- NC State concludes most organizations aren’t adopting a proactive approach because they “do not provide training and guidance on risk management.” It’s worth noting - poor training and education also hamper integration and developing a holistic program.
LIMITED IN SCOPE
- Deloitte’s 2016 roundtable and 2018 survey both identify issues with organizations’ use of risk in strategy. Not only do leaders focus on opportunities, not risks, but “they’re not seeing these critical threats as interconnected, complex risks that, when managed correctly, could create opportunities for accelerating growth.”
- NC State observes while organizations focus on risks to “technology, legal/compliance, and financial issues,” their ERM is less focused on “emerging strategic/market/industry risks.”
Norman Marks, an RM consultant and writer, identifies the heart of the issue: executive understanding and buy-in.
According to Marks, NC State’s reports confirm - year after year - executives don’t believe risk management practices add value, and then persevere with traditional risk management.
But Marks argues a traditional “period review of risks” is problematic: “Focusing only on failure will result in failure.” Instead of avoiding risks, ERM’s real objective is generating value.
Trisha Sqrow, the Assistant Vice President of Risk Management at DFW International Airport, illustrates this point. She used ERM to engage with risk in strategy and identify opportunities, and she “transform[ed] the travel experience,” as a result.
Organizations must fully implement ERM to see this value, and leadership needs to understand ERM’s potential to preserve their business in an age of disruption.
5 Steps for Effective Enterprise Risk Management
1. Understand ERM’s value and get leadership on board
For ERM to succeed, you need C-Suite support. If it isn’t a top-down effort, your program won’t be well-integrated, holistic, or strategic, and you’ll be stuck with traditional risk management.
A Director of ERM, Beverley Harrington Leacock advises, “ERM is not a sprint” - take time to get management buy-in.
And to convince leadership ERM is worth it, clearly understand its value for your organization.
Carol Fox, formerly in leadership at RIMS, observes making a business case for ERM can be challenging because it’s difficult to express or measure your goals. Take a step back and reflect on the value your organization wants to create or safeguard.
Steve Zawoyski suggests one value proposition for ERM may be building resiliency during unprecedented change - underscore ERM’s role in building the right capabilities within an organization.
Before researching standards or developing a framework, stop and ask a fundamental question, Why ERM?
2. Choose a standard: ISO, COSO, or both!
Once you have executive buy-in, review ERM standards and decide which best fits your organization.
Use these standards as the foundation for your ERM framework and processes. Standards provide an aerial view and guidelines for effective practice.
There are two major standards you should review: ISO 31000 and COSO.
But you don’t need to choose.
Though some organizations stick to a single standard, a 2011 RIMS study found 44% of North American risk practitioners drew on multiple standards in their planning.
COSO ERM Framework
- Origin: Committee of Sponsoring Organizations of the Treadway Commission (COSO), a group of private accounting organizations in the U.S.
- History: First published in 2004; Updated in 2017
- Summary: COSO hinges on five categories - Governance & Culture; Strategy & Objective-Setting; Performance; Review & Revision; and Information, Communication, & Reporting - that describe an effective ERM program. There are also 20 principles divided between the categories which further explain the framework.
ISO 31000
- Origin: International Organization for Standardization (ISO)
- History: First published in 2009; Updated in 2018
- Summary: At 16 pages, ISO is a quick read and includes eight “principles” that define effective ERM, five steps in a “framework” for implementation, and six areas to consider in its “process.”
While COSO is often used in an accounting or audit context, neither standard is generally seen as superior, so you’ll need to determine which best fits your organization.
3. Develop an ERM framework & determine risk appetite
After researching ERM and choosing a standard for your program, apply those principles to your own organization by developing an ERM framework and defining risk appetite.
According to ISO 31000, a risk framework is a “set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing, and continually improving risk management through the organization.”
Carol Williams describes the framework as “a high-level overview of your ERM program” provided to leadership that includes four parts:
- A definition of ERM & program objectives
- An overview of the ERM standard[s] and process
- A description of how ERM fits within the organization
- Roles & responsibilities for ERM
This document will provide the roadmap when you’re creating specific processes and procedures.
Williams also recommends creating a risk appetite statement - or Corporate Risk Profile - after developing your ERM framework, where you describe the risk level leadership is willing to accept as they pursue their objectives.
If an organization is hesitant to accept much risk, then this will inform decision-making and strategy.
4. Elevate your CRO
Appointing a Chief Risk Officer (CRO) - or an analogous position - is an excellent way to ensure risk management discussion in the C-Suite and board.
Without a CRO, an organization may relegate risk management to a committee, confine risk to compliance and auditing, or present on risk to leadership only periodically, divorced from strategy.
A CRO can be a champion for ERM.
However, they’re only effective if they’re empowered in their role.
Jim DeLoach, the managing director of Protiviti, notes fostering a culture of risk management and integrating risk within an organization provides a solid foundation for the CRO. After all, if leadership isn’t educated on ERM, they won’t appreciate the CRO’s role.
DeLoach also observes the CRO position must be clearly defined; the CRO needs direct access to the board and CEO or executive committee; and the CRO requires an ample staff.
If ERM is going to succeed, the CRO must be a vital member of the team.
5. Refine, Refine, Refine
Risks are variable and organizations must adapt to survive. You’re never finished implementing ERM - it’s iterative, like all risk management.
It’s important you’re continually evaluating and refining your program. In fact, ISO’s five-part “framework” is a cycle: integration, design, implementation, evaluation, and improvement.
To advance your program, watch trends in ERM and leverage new tools.
Steve Zawoyski anticipates a more robust relationship between risk and performance in ERM moving forward. Risk and performance can be two sides of the same coin.
Increasingly, risk practitioners are leveraging key risk indicators (KRI) to improve risk detection and mitigation, providing a parallel to key performance indicators (KPI). With data tied to performance, management can understand risk’s role in creating and securing value.
Conclusion: Enterprise Risk Management vs. Wildfires
Implementing robust ERM is essential considering the staggering challenges ahead.
The world is transforming, risks are growing more complex, and the rate of change is unlikely to slow. Organizations hazard being left behind if they don’t likewise adapt.
Nowhere is this clearer than in utilities’ struggle with climate change.
Mike Schneider, Vice President of Risk Management and Compliance, and Chief Compliance Officer at San Diego Gas & Electric (SDG&E) grappled with the dual-threat of wildfires and the pandemic in 2020.
2020 was the fifth-warmest year and worst wildfire season on record in the U.S., a double-whammy for the grid. Not only do fires threaten physical assets and may disrupt transmission, but the high temperatures drive usage among customers. And due to COVID, utilities had to address these challenges while transitioning to remote work.
Schneider suggests “getting in front of things'' is an enormous advantage when dealing with emerging risks. Because of prior planning, his team was well-prepared to deal with these unprecedented threats.
Notably, Schneider’s approach to risk involved revising the utility’s value proposition. The company spent hundreds of years providing power and ensuring reliability, but new risks brought that mission in conflict with providing a safe service - their power lines could spark wildfires.
In the end, they shut down the power to protect their community. Schneider describes prioritizing safety over reliability as a 180-degree change in mindset. Moving forward, SDG&E aims to be “solution-minded” as it redefines its value proposition and invests in innovative ways to deliver power.
SDG&E’s experience in 2020 underscores ERM’s value.
Organizations must be agile while navigating a turbulent future, and ERM’s comprehensive approach to risk management fuels forward-thinking strategy.
To learn more about risks to critical infrastructure, check out our blogs on wildfires, severe storms, cyber attacks, and the uncertain future of utility regulation.