4/20/2020 Understanding Enterprise Risk Management for Utilities © Copyright 2007, CCRO. All rights reserved. 1 Table of Contents Executive Summary .......................................................................................................................................ii Acknowledgements........................................................................................................................................ix 1. Introduction ......................................................................................................................................... 2 1.1. Objective ................................................................................................................................................. 3 1.2. What is ERM? .......................................................................................................................................... 4 1.3. What is a Utility?....................................................................................................................................... 5 1.4. Who Should Implement ERM? ................................................................................................................... 6 2. ERM Framework for Utilities ............................................................................................................ 7 2.1. Benefits of ERM ....................................................................................................................................... 7 2.2. Appreciating the Value of Best Practice Risk Categorizations ....................................................................... 9 2.3. The Utility Risk Environment .................................................................................................................... 15 2.3.1. Market Risk ....................................................................................................................16 2.3.2. Credit Risk .....................................................................................................................17 2.3.3. Operative Risk................................................................................................................18 2.3.4. Business Risk..................................................................................................................20 2.4. The Scope of the Framework ................................................................................................................... 21 2.4.1. Risk Appetite ..................................................................................................................22 2.4.2. Risk Tolerance ...............................................................................................................23 2.4.3. Corporate Governance ..................................................................................................23 2.4.4. Risk Metrics ...................................................................................................................24 2.4.5. Risk Policies...................................................................................................................25 2.4.6. Measurement and Reporting..........................................................................................26 3. Implementation of Framework ........................................................................................................ 29 3.1. Six Steps to Implementation .................................................................................................................... 29 3.1.1. Identify and Quantify Risks ............................................................................................29 3.1.2. Establish Risk Tolerance and Policies...........................................................................30 3.1.3. Develop Business Unit Strategies and Metrics ..............................................................32 3.1.4. Implement Controls and Procedures .............................................................................32 3.1.5. Execute Strategies ..........................................................................................................33 3.1.6. Monitor Risk and Reporting ..........................................................................................33 3.2. Key Challenges ...................................................................................................................................... 33 3.3. Implementation Sophistication ................................................................................................................. 33 3.3.1. Communication ..............................................................................................................34 3.3.2. Culture ...........................................................................................................................35 4. Conclusions & Recommendations ................................................................................................... 37 5. Appendix A: Risk Reporting Requirements ................................................................................... 38 6. Appendix B: Risk Governance Roles............................................................................................... 39