4/20/2020 Understanding Enterprise Risk Management for Utilities © Copyright 2007, CCRO. All rights reserved. 32

the enterprise risk policy and sub-policies provides a basis to assess compliance on an ongoing basis. Integration of compliance with ERM can lower the redundancy of the monitoring functions of the firm through an integrated assessment process whereby companies work to rationalize the information requests and audits of the operating and support functions of the firm in order to ensure compliance with the lowest amount of intrusion and disruption. As ERM becomes an increasingly aspirational goal of energy companies, this approach is likely to become a common side effect of these efforts.

There should be a structure in place which ensures the risk management function is ultimately accountable to the Board. Any risk management committee charter or terms of reference should include:

Authority: Mandates a level of risk management and control commensurate with best practices prior to engaging in certain commercial activities.

Membership: Designates specific members and titles across the organization, with an independent risk management officer leading each committee.

General Duties: Includes a variety of duties, including independent monitoring and reporting of risk.

These elements may be included within the risk management policy or by referencing the charter document of each risk management committee. It is helpful to include diagrams within this section of the risk management policy that help the reader visualize the committee structure within the firm.

3.1.3. Develop Business Unit Strategies and Metrics

Once the firm has a good grasp on its strategic plans, risk management objectives, and risk tolerance, each business unit can develop specific strategies for managing the risks for which it is responsible. Of course, Steps 1, 2, and 3 are iterative, since the business units will be responsible for identifying risk and assisting in formulating the strategic plans, risk management objectives, and risk tolerance of the organization. Nonetheless, specific strategies should not be finalized until the risk management objectives and risk tolerance of the firm are clear.

In establishing risk tolerance through the use of metrics, management needs to determine which metrics best align with the overall risk appetite. It is quite possible that different members of the management team will be interested in different metrics, and reconciliation of these viewpoints is an important exercise that should not be avoided.

Business unit strategies should be measured against specific risk tolerance or performance metrics. Several metrics are typically developed at the firm level and at the business unit level. Metrics are a critical component of risk management and serve the functions of articulating acceptable risk levels and providing valuable reporting tools to monitor the performance of the business unit relative to the risk management objectives and risk tolerance of the firm.

3.1.4. Implement Controls and Procedures

Controls and procedures for implementing strategies provide the assurance of proper oversight, processing, and execution of business activities. A strong control and procedural process is