Understanding Enterprise Risk Management for Utilities © Copyright 2007, CCRO. All rights reserved.

management in any organization. A risk-aware culture can infuse risk management concepts and thinking into all of the decision-making, planning, and capital allocation processes of the organization. Leadership acceptance of the responsibility for risk management is evident when organizations have developed an effective risk management function that identifies the process for establishing authorities and responsibilities (governance) and rules and guidelines (protocols) that will identify, measure, monitor and manage those risks that impact the company’s performance objectives.

The risk management culture should embrace open dialogue in which “silo thinking” is discouraged. The type of culture that fosters the notion of risk interdependence is one in which the risk owners are empowered to manage risks within the organization’s risk appetite and risk tolerances. Open communication of risks is encouraged, as is the linking of objectives throughout the organization at all levels. The risk culture may be codified through policies such as a Risk Management Policy, Corporate Compliance Policy, and Contracting Policy. These policies should clearly tie governance and protocols to the risk appetite (the acceptable level of variation relative to achievement of the organization’s objectives) defined by the Board and senior management, with consideration given to appropriate practices.

Once a risk-aware culture is present, risk management becomes intertwined with the normal course of business and increases the effectiveness of the organization’s ability to balance the inevitable risk-reward trade-offs that arise in everyday business activities. This drive for prudent risk management should be pushed down through management to the employee level. A risk-aware and compliant culture involves every member of the company.
Business unit management should be expected to: develop operating protocols/plans/policies that comport with ERM policy; identify, assess and report risks; propose strategies to mitigate key risks; implement a risk control structure that evidences compliance with ERM Policy; integrate risk management into operations, planning and strategy; and ensure that accurate risk-related information is provided to senior management in a timely manner. Employees should be required by policy to report any material risks they have identified and should be expected to play a role in managing the various risks to which a corporation is exposed through its day-to-day activities.

Although this is a useful exercise in raising senior management awareness of risk issues, simply having a group-level statement of the desired aggregate risk profile will not in itself help the organization take the “right” risks in a well-managed manner. To achieve that, risk management must become embedded throughout the organization. The “top-down” desired risk profile must be compared with the “bottom-up” reality. Aggregate reporting of the actual versus desired risk profile must be improved. The organizational model must be reviewed to ensure clear responsibilities and escalation criteria for “hard” and “soft” tolerance breaches. Finally, trigger levels, limit structures and delegated authorities must be realigned, and potential risk appetite implications must be considered in all major resource allocation decisions. This may seem a daunting and far-reaching array of tasks – but consider the ramifications if it is not undertaken: the firm’s risk taking might be too extensive or “off strategy” or both, storing up potentially severe problems for the future.