4/20/2020 Understanding Enterprise Risk Management for Utilities © Copyright 2007, CCRO. All rights reserved.

Challenge 3: Culture - A risk management culture is a set of beliefs, values, attitudes, customs, and behaviors about the management of risk that are shared among people in an organization. The organization’s culture sets the tone and the expectations for which behaviors will be rewarded and which discouraged. The corporate risk culture begins at the highest level of management, the Board of Directors and senior management. The Board and senior management should be major advocates of risk management within the organization and should be aware of, understand, and support risk management activities throughout the organization.

In conclusion, it is paramount to understand that ERM is not a product, but rather a process by which utilities can iteratively improve upon their understanding, control and management of risks. An ERM framework for utilities should ultimately strive to first identify and quantify material risks, and identify the levels of risk that are acceptable for all stakeholders. Once these have been determined, the risk governance, policies, procedures, monitoring and controls should be established in a manner that is consistent with the level of risk being controlled and the current capabilities of the firm. Once the framework is in place, a continuous review of the risks, controls and metrics is essential to establishing a lasting and improving risk management function within a utility.

To successfully implement an ERM framework, each utility must first consider where it is on the Risk Management Practices Continuum. Utilities should strive to close performance gaps (as defined in the Risk Management Practices Continuum Figure above) in developing an ERM Framework by focusing on practices that most effectively manage risks for the individual utility.

The general structure of the ERM framework is complex, but the key is to consider all components of ERM, the complexity of the firm’s portfolio, and available risk management resources in determining the level of sophistication to apply to each of these components. In any risk management endeavor, there will be challenges that will be unique to the company’s portfolio, resources, management and regulatory environment. Nevertheless, a key ingredient to any successful framework is constant and clear communication and a culture of risk management throughout the company, led by the tone at the top.