4/20/2020 Understanding Enterprise Risk Management for Utilities © Copyright 2007, CCRO. All rights reserved. vii

management objectives, and risk tolerance of the organization, but nonetheless specific strategies should not be finalized until the risk management objectives and risk tolerance of the firm are clear. In addition, the corporation must then develop a process to allocate the appropriate resources to address the risks identified as being a priority.

Step 4: Implement Controls and Procedures. Develop and implement controls and procedures to provide the assurance of proper oversight, processing, and execution of business activities. A strong control and procedural process is necessary since many risks affect numerous business units even though risks are generally assigned to a single business unit to manage.

Step 5: Execute Strategies. With an ERM process in place, strategies are executed based on a clear understanding of the risks being taken, clear oversight of activities, clear controls and procedures, and clear metrics that guide the activity and measure the level of success.

Step 6: Monitor Risk and Reporting. Each business unit is responsible for monitoring certain risks and reporting up through the risk management department in some fashion. As new risks emerge, there should be a systematic process for reporting them and determining if policies or strategies should change in response to the risk.

All utilities will face challenges regarding the gap between existing and aspirational levels of risk management sophistication, formal and informal communication networks, and risk and business culture. The challenges are listed below.

Challenge 1: Implementation Sophistication - Any successful implementation of an ERM framework must consider the utility’s current level of sophistication.
If the utility has some risk management infrastructure in place, then the ERM framework will serve as an enhancement, with results showing improved risk management practices and procedures. Conversely, for a utility that has adopted few risk management practices, an ERM framework implementation could produce great strides in the company’s understanding of its risks and subsequent management and mitigation of these risks.

Challenge 2: Communication - Identified risks and their corresponding mitigation actions need to be communicated up and throughout the utility and to senior executives and the Board in a timely and accurate manner. To ensure consistency, accuracy and transparency, a formal reporting structure with defined frequency and standardized reports should be established and utilized.

Key features of the communication network depicted include the redundancy and integration points. Corporate Risk Management, the Risk Management Committee and Board Oversight Committee are key synthesis and integration points where disparate information is brought together and analyzed. The Management Committee and Board of Directors can then use this information in making decisions. Another important aspect of this communication network is the redundancy of information flows, which provides for some level of independent analysis and validation.

In addition, feedback from the executives to the report providers on risk issues being addressed is also an effective tool in building an ERM process. This feedback can best be provided through the Risk Management organization. Communications and risk reporting tools should not be static but should evolve as risk exposures change and as the business adapts to meet new challenges.