4/20/2020 Understanding Enterprise Risk Management for Utilities © Copyright 2007, CCRO. All rights reserved.

necessary since many risks affect numerous business units even though risks are generally assigned to a single business unit to manage. For example, the trading unit trades commodities, but it must have trading contracts reviewed by legal and credit departments before transactions are executed. Controls and procedures also provide necessary safeguards against operative risks within the firm.

3.1.5. Execute Strategies

Finally, execution of strategies takes place. Many firms make the mistake of executing business unit strategies as the first step. This leads to an inconsistent approach to managing enterprise risks, and business units often determine a risk tolerance of their own that will differ from what the overall firm desires. With an ERM process in place, strategies are executed based on a clear understanding of the risks being taken, clear oversight of activities, clear controls and procedures, and clear metrics that guide the activity and measure the level of success.

3.1.6. Monitor Risk and Reporting

The last step in the framework is continual monitoring and reporting of the risks of the business. Each business unit is responsible for monitoring certain risks and reporting them up through the risk management department in some fashion. As new risks emerge, there should be a systematic process for reporting them and determining if policies or strategies should change in response to the risk. Additionally, metrics and risk reports should be systematically and consistently developed to communicate risk and results. Reports are disseminated throughout the firm based on a process agreed upon at various governance levels of the firm. A firm’s reporting structure design should specify report ownership, contents, distribution, and frequency.
Reports for the Board of Directors are the most general, yet they clearly articulate the risk of the organization and the performance around managing the key risks and strategies of the firm. Further down in the organization, reports become more detailed. The risk management department either generates reports independently or is responsible for overseeing the validity of the reports that are developed.

3.2. Key Challenges

Although many of the challenges a utility will face will be unique to the company’s risk profile, there are several common challenges that all utilities will face to some degree. Specifically, all utilities will face challenges regarding the gap between existing and aspirational levels of risk management sophistication, formal and informal communication networks, and risk and business culture.

3.3. Implementation Sophistication

Throughout this paper, the concept of customizing the ERM framework to the utility’s business has been emphasized. Any successful implementation of an ERM framework must consider the utility’s current level of sophistication. If the utility has some risk management infrastructure in place, then the ERM framework will serve as an enhancement, with results showing improved risk management practices and procedures. Conversely, for a utility that has adopted few risk