4/20/2020 Understanding Enterprise Risk Management for Utilities © Copyright 2007, CCRO. All rights reserved. ii Executive Summary Changes in the utility industry, such as deregulation, have been key drivers in changing the way companies, and the outside world, view utilities. These changes are precipitating an expanding interest in Enterprise Risk Management (ERM) by utilities as they express interest and conviction about the need for robust risk management frameworks and capabilities. A previously published CCRO paper entitled “Enterprise Risk Management and Supporting Metrics” outlined many of the concepts of ERM in considerable depth. However, upon completion of that effort, it became evident that further focus on this topic was needed specifically for utilities. While the fundamental ERM concepts are generally applicable across all types of entities, CCRO members recognized that the magnitude of and emphasis on specific components of the ERM framework are quite different for a regulated versus un-regulated entity. Therefore the CCRO commissioned a working group to develop this paper addressing the specifics of ERM for regulated utilities (including self-regulated public power utilities). The objective of this paper is to provide an understanding of ERM and assist executives in developing and applying an ERM framework unique to the business of a regulated utility. For the purpose of this paper, a utility is defined as an entity that has rates that must be approved by a regulatory authority, be it local, state, regional or federal (including public power entities’ self- regulating governance), and tends to have extensive exposure to operative risks. Further, this paper focuses only on energy-related utilities that offer products or services to the power and gas sector. The CCRO has defined ERM as the program or process enacted to identify, assess, quantify and respond to the complete set of risks facing a firm in an integrated fashion. Risk is defined as the likelihood and severity of an event or action that will adversely affect the company’s ability to achieve its business objectives and execute its strategies successfully. The utility considering the implementation of an ERM framework can view it as the aspirational destination on a Risk Management Continuum (see Figure E.1). On all parts of the continuum, the traditional activities associated with identifying, assessing, quantifying, controlling and mitigating specific market, credit, operative or business risks will exist. 1 The main differentiator across the spectrum lies in the level of integration achieved in the firm. 1 Earlier white papers provide a comprehensive discussion of what the CCRO members consider “best practice” in several of these areas such as Analytics and Valuation, Credit Risk Management, Governance and others. Readers interested in reviewing these documents can find them at www.ccro.org.