4/20/2020 Understanding Enterprise Risk Management for Utilities © Copyright 2007, CCRO. All rights reserved. 23

2.4.2. Risk Tolerance

The determination of appropriate risk tolerances is a hallmark of an effective ERM program. Risk tolerance is frequently synonymous with risk metrics, in that limits, alerts and mitigation programs are put in place to prevent or detect a breach of a risk tolerance. That is, risk tolerance can be viewed as the expectation of acceptable losses that executives have defined based on stakeholders' risk appetite. Risk tolerances guide executive management and board decisions toward strategic options that are consistent with the company's consent to operate, which is implicitly and explicitly provided by stakeholders and regulators. In effect, the establishment of risk tolerances should answer two questions: does the board understand how much the company could lose from all sources of risk in a given period of time, and would external stakeholders be surprised by such losses?

Risk tolerance should be considered separately and applied at multiple levels of the company, in different settings, against specific metrics. Business strategy decisions will impact the firm's outlook on overall returns, growth targets and risk, and should therefore be tied into any risk tolerance discussion.

2.4.3. Corporate Governance

An appropriate governance structure ensures that policies, processes, limits, and enforcement systems are in place to monitor risks across the enterprise, to communicate appropriate risk information through the governance structure, to allow prevention policies to be enacted, and to detect breaches of risk tolerance. The key to the governance structure is a supportive organizational design that includes clear delegation of authority, well-defined roles and responsibilities, and enforced accountability.
Figure 2.3 shows an illustrative governance structure that utilizes several governing committees and outlines key roles that must be addressed in an effective governance structure. While the concepts should be applied, the governance structure itself should be customized to the given organizational structure and needs. Roles and responsibilities must adhere to strict separation of duties, such that the parts of the business responsible for taking or mitigating risks are not the same as those charged with measuring and reporting the risks. Additionally, the designated committees should have clear terms of reference, or charters, regarding the level and scope of authority entrusted to them by the Board of Directors or its delegates.

The number, scope, composition, and authority of these committees should be highly customized to the individual utility. For example, a large, integrated utility would become overly bureaucratic with a governance structure that mandates that any transaction over $5 million be reviewed by the executive team. On the other hand, a small distribution company may need that level of review for any expenditure over $1 million. The composition of each committee must be driven by the size and complexity of the utility's portfolio as well as the roles and responsibilities determined by the governance structure. That is, all review committees should be balanced with respect to the number of members from the business units and from the financial and risk management functions, and should include all members who have a role in managing, taking, mitigating, measuring or reporting the risks. Great care