4/20/2020
Understanding Enterprise Risk Management for Utilities
© Copyright 2007, CCRO. All rights reserved.

Figure E.4: Six Step Process for Enterprise Risk Management

The Six Step Process for Enterprise Risk Management

1. Identify and Quantify Risks
• Market Risk
• Credit Risk
• Operations Risk
• Operational Risk
• Business Risk

2. Establish Risk Tolerance and Policies
• Corporate Strategy and Risk Management Objectives
• ERM and Governance Policy
• Authority and Sanctions Policies
• Credit Policy
• Financial Policy
• Hedge Policy
• Safety Policy

3. Establish Business Unit Strategies and Metrics
• Market/Speculative/Hedging Strategies and Metrics
• Credit Strategy and Metrics
• Financial Strategy and Metrics
• Safety Strategy and Metrics
• Internal Risk Management Approval of Strategy

4. Implement Controls and Procedures
• Trading Controls
• Business Unit Procedures
• Internal Risk Mgt. Committee
• Independent Risk Oversight

5. Execute Strategies
Examples Include:
• Commodity Trading
• Credit Risk Mitigation
• Preventative Maintenance
• Safety Program
• Organizational Coordination

6. Monitor Risk and Reporting
• Are There New Risks?
• Any Necessary Changes to Policies or Strategies?
• Is Corporate Strategy Yielding Expected Results?
• Policy Compliance
• Value at Risk
• Rates at Risk
• Financial Results
• Results Vs. Performance Metrics

Begin/Continue

Step 1: Identify and Quantify Risks. This step is generally a bottom-up process with information provided by each business unit. However, firms usually employ a risk management department or committee to inventory, collect, and measure, or validate the quantification of risks. Once a firm identifies the dozens of risks they face, then the risks are typically categorized and prioritized based on various quantification techniques. When statistical tools and/or data are not available to quantify risks then subjective techniques are employed.

Step 2: Establish Risk Tolerance and Policies. Top priority risks that emerge from Step 1 should be addressed by the strategic plans of the firm. Furthermore, the strategic plan should identify the risk management objectives and risk tolerance of the firm. Risk Policies are then developed to formalize and articulate the risk tolerance of the organization and to clearly identify the decision-making process and authority for individuals or committees within the firm to carry out transactions or business activities.

Step 3: Develop Business Unit Strategies and Metrics. Each business unit develops specific strategies for managing the risks for which they are responsible. In some cases, the strategy for managing certain risks may be to simply monitor since mitigation may not be possible or feasible. Scenario plans may also be developed to prepare for risks that may occur but are not conducive to address through mitigation actions. Of course, Steps 1, 2, and 3 are iterative since the business units will be responsible for identifying risk and assisting in formulating the strategic plans, risk