4/20/2020 Understanding Enterprise Risk Management for Utilities
© Copyright 2007, CCRO. All rights reserved.

6. Appendix B: Risk Governance Roles

ILLUSTRATIVE RISK GOVERNANCE ROLES AND RESPONSIBILITIES

Business Unit
• Develop sub-policies in conjunction with CRO/Corporate Risk that comport with ERM Policy
• Identify, assess and report risks – propose strategies to mitigate key risks
• Implement risk control structure that evidences compliance with ERM Policy and sub-policies
• Integrate risk management into operations, planning and strategy
• Ensure that accurate risk related information is provided to Corporate Risk Oversight in a timely manner for consolidation

CRO/Corporate Risk
• Process lead in establishing and implementing ERM including the coordination of risk assessment, mitigation and monitoring activities
• Develop ERM Policy and submit to RMC for approval
• Work with Business Units to develop sub-policies as appropriate and submit to the RMC for approval
• Facilitate the flow of risk related information across the company
• Evaluate risks from a company portfolio perspective
• Along with Internal Audit and Ethics and Compliance, evaluate the compliance of risk policies and procedures in the business units
• Coordinate RMC meetings
• Develop and implement an education program on risk management
• Assess risks to the company in aggregate, by business unit, and by material business activities
• Measure and report on the company’s risk profile
• Develop, recommend, and administer corporate risk management and/or middle-office processes and procedures
• Research, develop, test, and implement risk measurement methodologies and models
• Recommend to the RMC specific risk limits consistent with the company’s risk management objectives, risk tolerance, and risk management policy
• Report to the Board of Directors and the RMC on the company’s compliance with its risk policy and risk management in accordance with the risk policy

RMC
• Approve risk management policies (ERM policy and sub-policies)
• Approve key risk mitigation decisions
• Approve key risk related assumptions (load growth, market prices, etc.) used in strategic and business planning processes across the organization
• Monitor the management of key risks
• Communicate and discuss key risk issues with senior management and the CEO

Board of Directors
• Review and approve ERM policy and other key decisions as escalated from the RMC
• Via audit committee or other board oversight body, provide independent evaluation of the risk management governance and infrastructure of the company
• Monitor the management of key risks via periodic reporting provided by the RMC, CRO, and/or Business units

Internal Audit
• Annual process audits and reviews