Enterprise Risk Management

bringing it to life

Enterprise Risk Management – bringing it to life

Enterprise Risk Management is a term that has been around now for decades. But how many energy companies really understand it? What are the benefits? And why is now the time to take a fresh look at what it can do for the energy industry? Let’s start from the top...1 What is ERM?Enterprise Risk Management (ERM) has been defined as:

“The culture, capabilities, and practices, integrated with strategy-setting and its execution, that organisations rely on to manage risk in creating, preserving, and realising value²”.

In plain English... risk may be a cause of uncertainty, a driver of strategic decisions or it may simply be embedded in the day to day business of organisations. ERM should be a systematic process to identify, assess, prioritise and manage the potential impact of all types of current and emerging risks (both on an individual and an aggregate level) on all processes, activities, stakeholders, products and services, taking into account organisations’ implicit or explicit risk appetites.Sounds simple and straightforward? Not really...2 Why should organisations bother with ERM?Based on the continuous interactions we have with key stakeholders in the industry, and the extensive research that we are conducting, we know that the amount of time and money that organisations spend (and are planning to spend next year) on ERM is significant. But why?There are numerous drivers for this; some of them are external in nature and some of them internal. But which ones do really matter, which are at the forefront of the risk professionals and top CEOs’ agendas? You raised them with us, we listened and below we provide the industry’s aggregated view.

Key external drivers

Increasing corporate regulation requires Boards to demonstrate they have carried out a robust assessment of the principal risks their companies are facing.

In the UK, Boards are now required to:

monitor the company’s ERM framework – including its risk appetites

at least annually, carry out an effectiveness review of the ERM framework

report the outcomes of that review in their Annual Report (This is now regarded as good market practice across the globe.)

Rating agencies assess companies’ ERM frameworks thoroughly, which significantly impact the overall rating process and the development of capital requirements.

Increased activism from the shareholders demands greater transparency into Board’s decision making process, including the assessment and financing of business risks.

Increasing corporate regulation requires Boards to demonstrate they have carried out a robust assessment of the principal risks their companies are facing

Key internal drivers

Reduced financial volatility, by managing risk at an enterprise level and by strengthening the internal control framework.

Higher business resilience, by putting together rigorous and well tested contingency plans that cover all the plausible risk classes that organisations are facing.

Lower operational losses, by implementing a robust and proactive monitoring process throughout the organisation.

A risk adjusted decision making process, which enables organisations to make more informative and risk balanced decisions.

Increased visibility of the ERM function to the Boards of Directors, by demonstrating the value that the Function adds to the organisation as a whole.

Better allocation of risk management resources, by targeting them on areas of risk over or under exposure.

3 All right, but what does good ERM look like?Over the past year we have seen several energy companies, of different sizes and in different geographies, trying to establish and embed robust risk management frameworks with clearly articulated organisational structures and well defined and documented responsibilities across the enterprise. This is necessary, but challenging too, because it enables organisations to:

satisfy their external and internal key drivers

achieve segregation of duties

comply with general accepted risk management standards such as the updated COSO II and the new ISO 31000 which are well regarded by their stakeholders

In Figure 1 overleaf we provide an example of a well- articulated ERM framework, and its elements, that energy companies frequently use.As mentioned earlier, establishing a resilient enterprise ERM framework can be a challenging process and it requires a clear action plan with specific improvement points and defined timelines. To do that, an assessment of the current status of each ERM element against the desired – “fit for purpose” one and the global risk management standards is required. A widely used framework from energy companies that achieves the above objectives is demonstrated in Figure 2 overleaf.

4 Got it, but how do ERM and strategy link together?This is one of the key questions that we almost always get asked when we are interacting with C-suites from different industries. Although the industries are different, the answer is always the same - risk appetite and tolerances.Risk appetiteAn organisation’s risk appetite describes the amount of risk that it is willing to seek or accept in the pursuit of its long term objectives. It influences strategic parameters, such as the types of activities a business engages in and the time horizon for investment activities, and is a contributing factor to the overall business strategy.

Tolerances and limitsEnergy companies around the globe are trying to set appropriate risk appetites and tolerances that reflect their strategy, their business model and the environment in which they operate. In doing so, they are establishing financial and non- financial limits against which their exposure to the major categories of risk can be controlled, measured, communicated and reported. The major categories of risk typically include Strategic, Financial, Operational and Regulatory, but these categories should be tailored to fit the needs of different organisations.Cascading Group Risk Appetite to a Business Unit and a Risk Type levelCascading a high level risk appetite to more granular level and allocating it to the different business units and risk types is a challenging process - the effort and time commitment that is required to complete this should not be underestimated. The outcome of this process, as shown, enables organisations to link risk directly with their strategy and assess which business decisions could breach their appetite and/or tolerance. If a business decision breaches an organisation’s appetite, then either the business decision should be amended or the risk appetite should be reassessed and revised.

ConclusionChanges in regulations, business environment, political agenda and technology create new emerging risks and opportunities and drive organisations to adapt.The energy sector will of course continue to grow and flourish, with companies winning and losing along the way. The role of ERM is to enable companies in the sector to become knowledgeable risk takers, maximise the value that they create for their various stakeholders and to empower key decision makers to build bolder business visions and more resilient organisations.

The role of ERM is to enable companies in the sector to become knowledgeable risk takers, maximise the value that they create for their various stakeholders and to empower key decision makers to build bolder business visions and resilient organisations.

Ioannis Michos is a Chartered Accountant, CFA charterholder and Partner in the Strategic Risk Consulting team at Willis Towers Watson.

²Source: COSO ERM Aligning Risk with Strategy and Performance, June 2016 edition.