4/20/2020 Understanding Enterprise Risk Management for Utilities © Copyright 2007, CCRO. All rights reserved. 38 5. Appendix A: Risk Reporting Requirements Illustrative High-Level Risk Reporting Requirements Function Overall Emphasis Illustrative Risk Reporting Needs Operating Units Day to day operating decisions • Notional and MtM analysis versus limits – commodity, location, spread etc. • Credit risk reports – authorized counterparty, exposure versus limits by counterparty, counterparty concentration report • P&L (gross margin) – realized and unrealized versus stop-loss limits • Cost-at-risk flow metric (vs. P&L) for non-profit/public power entities Corporate / Enterprise Risk Management Ensure that risks incurred are within constraints set-out in the risk policies of the firm • Notional positions and risk exposures versus limits – aggregated across portfolios with drill-down capabilities • Control Self-Assessment – summary and detail • Enterprise Risk Metrics – EaR, CFaR, etc. • “Dashboard” of risks – long-term, intermediate and short-term risks risk owners and mitigation plans • P&L (gross margin) – realized and unrealized versus stop-loss limits • Cost-at-risk flow metric (vs. P&L) for non-profit/public power entities Risk Management Committee Evaluate compliance with limits and policies • Business performance report summarized to appropriate level of detail – typically presentation format aggregated from multiple sources • Compliance reports at appropriate level of detail • RMC – more detail showing trend analysis, scenarios and stress tests • BOD – “stoplight” summaries of critical risks • Unique or strategic risk assessment presentations – especially supporting investment decisions Senior Management Evaluate performance of the business and allocate capital • Tone at the Top • Transform Risk Appetite to Policies and Procedures Board of Directors Evaluate performance of the business and meet fiduciary duties • Tone at the Top • Develop Risk Appetite