4/20/2020 Understanding Enterprise Risk Management for Utilities © Copyright 2007, CCRO. All rights reserved. 34 management practices, an ERM framework implementation could produce great strides in the company’s understanding of their risks and subsequent management and mitigation of these risks. In addition to the level of sophistication present in the company is the degree of sophistication that is appropriate. As discussed above, a utility must not just ask, “Can we implement this structure?” but “Should we implement the framework?” That is, the incremental benefit of achieving greater sophistication in policies, metrics or governance may be far outweighed by the associated costs. Further, all companies implementing an ERM framework must be careful to not become too complacent once the program has been initially implemented. The temptation is to believe that an ERM framework is a ‘silver bullet’ that will fix risks. Instead it is a dynamic process that is constantly updated and refined with new information, changing market or business situations and level of complexity of the utility’s portfolio. 3.3.1. Communication Identified risks and their corresponding mitigation actions need to be communicated up and throughout the utility and to senior executives and the Board in a timely and accurate manner. To ensure consistency, accuracy and transparency, a formal reporting structure with defined frequency and standardized reports should be established and utilized. Figure 3.3 outlines one possible approach to the structure of a communications network. Key features of the communication network depicted include the redundancy and integration points. Corporate Risk Management, the Risk Management Committee and Board Oversight Committee are key synthesis and integration points where disparate information is bought together and analyzed. The Management Committee and Board of Directors can then use this information in making decisions. Another important aspect of this communication network is the redundancy of information flows which provides for some level of independent analysis and validation. Once established, the communication network of a utility acts as its “central nervous system”, delivering critical risk information to all interested parties. Hence, it is important to establish regular communication protocols to ensure that identified risks are regularly evaluated and the exposures communicated. More importantly, the communication network needs to be leveraged to identify emerging risks as well as a shifting of priorities among the utility’s existing risks.