June 2007 Capital Adequacy Extension © Copyright 2007, CCRO. All rights reserved. Page 34 of 92

Figure 4.2 – An Operative Risk Management Framework

DEVELOP FRAMEWORK
PRINCIPLE 1: Board Establishes Operational Risk Strategy
PRINCIPLE 2: Senior Management Implements Operational Risk Strategy
PRINCIPLE 3: Communicate Strategy and Embed as Part of the Culture of the Organization

IDENTIFY, MEASURE, MONITOR, CONTROL
PRINCIPLE 4: Identify all Material Operational Risks
• Internal: People, Processes and Systems
• External: Legal, Regulatory, Political, Environmental
• Physical: Production, Delivery, Storage
PRINCIPLE 5: Measure all Identified Operational Risks
• Qualitative
• Quantitative
PRINCIPLE 6: Monitor and Report
• What the Risks Are
• How they are Mitigated
• The Residual Risk
• Cost of Mitigation vs. Cost of Risk
PRINCIPLE 6: Mitigate
• Insurance
• Self-Insurance
• Improve Operational Reliability
• Improve Technology
• Internal Controls
• Physical Security
• Capital Reserves
Re-Assess the Risk Exposure

ROLE OF SUPERVISORS
PRINCIPLE 8: Supervisors should require an Operational Risk Management Framework as part of an Enterprise Wide Risk Structure
PRINCIPLE 9: Supervisors should conduct Independent assessments of the Operational Risk Framework

DISCLOSURE
PRINCIPLE 10: Disclose Operational Risk
• Strategies and Processes
• Structure of Ops Risk Framework
• Scope of Reporting and Measurement
• Policies and Strategies of Mitigation

The following addresses each of the principles and how they can be approached from an energy risk management perspective.

4.4. Developing an Appropriate Risk Management Framework

While the first three principles are dealt with in the CCRO’s ‘Enterprise Risk Management and Supporting Metrics’ White Paper published in February of 2006, it is important to mention them here as they lay the foundation for an operational risk assessment.

PRINCIPLE 1: The board of directors should be aware of the major aspects of the…operational risks as a distinct and controllable risk category and should approve and periodically review the…operational risk strategy. The strategy should reflect the…tolerance for risk and the understanding of