DRIVING ENTERPRISE RISK MANAGEMENT BEST PRACTICES FOR ENERGY FIRMS

Transcription

1 DRIVING ENTERPRISE RISK MANAGEMENT BEST PRACTICES FOR ENERGY FIRMS The views and opinions expressed in this paper are those of the author and do not necessarily reflect the official policy or position of Thomson Reuters.

2 CONTENTS INTRODUCTION... 3 ERM DRIVERS... 3 ENERGY RISK FACTORS... 4 WHAT IS ERM?... 4 THE ERM FRAMEWORK... 4 CAS ERM FRAMEWORK... 5 TOP DOWN... 5 TAILORING TAXONOMIES... 5 EMERGING RISKS... 6 KEY RISK INDICATORS... 6 TECHNOLOGICAL SUPPORT... 6 BENEFITS... 7 FACTORS FOR SUCCESS... 7 CONCLUSION DRIVING ENTERPRISE RISK MANAGEMENT BEST PRACTICES FOR ENERGY FIRMS JUNE 2014

3 INTRODUCTION Modern economies are energy hungry and demand continues to grow inexorably across the globe. This can create enormous opportunities for energy firms, but it also entails significant challenges. Energy organizations face a uniquely broad range of risks across their activities, including project, operational, market, regulatory, environmental, socio-political and reputational risks. Traditionally, many of these risks have been addressed in isolation and with varying degrees of rigor, often leading to underestimated or unexpected exposures that impact profitability, or even threaten the business. The dynamic nature of the energy industry, plus the diversity and complexity of the companies that operate within it, calls for a more enterprise approach to risk that brings consistency across all areas of business. By proactively bringing all exposures into a comprehensive framework, enterprise risk management (ERM) leads to more informed decision making, and protects short- and long-term profitability, while providing risk-adjusted assessment of emerging opportunities. ERM DRIVERS A number of factors are converging in the energy industry that add up to a powerful business case for an enterprise approach to risk management. Recent history has no shortage of lessons as to what can threaten, or even destroy, energy companies even those that are large, wellresourced or, on the face of it, well-managed. The list of disasters just since the turn of the millennium includes the California energy crisis of , the collapse of Enron, the Deepwater Horizon oil spill, the Fukushima nuclear meltdown, and China Aviation Oil and Ceylon Petroleum hedging losses. The causes range from natural catastrophes and operational malfunctions, to reckless market speculation, to the governance and oversight issues at the heart of the Enron fiasco. In many cases, the effects have rippled out way beyond the immediate location of the incidents. The Fukishima disaster in Japan contributed to the decision to phase out nuclear power generation in distant Germany. BP s troubles in the Gulf of Mexico have impacted its reputation far across the globe. Events entirely outside of the industry can also have heavy consequences for energy firms. New market abuse regulations introduced in the wake of the financial crisis of 2008 apply equally to energy trading as to other markets. Energy firms with trading operations now face a raft of regulation covering not only market abuse but also best execution, pricing transparency and over the counter (OTC) derivatives reporting. In Europe, these include the European Market Infrastructure Regulation (EMIR) and the Markets in Financial Instruments Directive (MIFID), as well as specific energy rules such as the Regulation on Wholesale Energy Market Integrity and Transparency (REMIT), which came into force in In the US, energy firms are subject to the Sarbanes-Oxley and Dodd-Frank Acts, as well as Federal Energy Regulatory Commission (FERC) and North American Electric Reliability Corporation (NERC) requirements. Ensuring compliance across this dense and continually evolving regulatory landscape is a significant challenge. New regulation, along with difficult global economic conditions and a highly competitive environment, mean that energy firms are under intensifying pressure to optimize assets and capital something that cannot be achieved without tight control of risks across the board. At the same time, shareholders, ratings agencies and other stakeholders are demanding greater transparency and control of risks. Meanwhile, the industry is becoming ever more 3 DRIVING ENTERPRISE RISK MANAGEMENT BEST PRACTICES FOR ENERGY FIRMS JUNE 2014

4 dynamic and complex. New fossil fuel sources and extraction techniques are appearing just as climate change concerns increase and carbon emission caps tighten. Change and uncertainty inevitably entail risk, but they also hold the seeds of opportunity. Those companies with deeper and more comprehensive insight into their internal and external exposures will be more Treadway Commission (COSO), the Casualty Actuarial Society (CAS), and the International Organization for Standardization (ISO) standard Although they differ in emphasis and focus, there is much commonality between them. Firms will need to adapt or draw from the models to create a framework tailored to the size and complexity of their own organization ENERGY RISK FACTORS Operational Need for long term investments Large scale projects Ageing facilities and infrastructure Disruptive technologies Environmental degradation Climate change Regulation Trading and market abuse rules Pricing transparency Derivatives market changes Governance requirements Environmental controls Emissions targets Market and financial Price volatility Currency exchange rates Risks related to derivatives for hedging Political Seizure or destruction of assets Currency exchange rate collapse Forced divestiture Brand and reputation Mishandling of disaster Changing consumer attitudes Perceived abuse of market position License or contract repudiation able to protect themselves from losses, as well as be better positioned to exploit new possibilities as they appear. WHAT IS ERM? ERM is a framework of methods and processes that aims to identify and manage risks, as well as exploit opportunities, in alignment with the organization s business objectives and overall risk appetite. ERM is a proactive end-to-end approach that covers all aspects of the business, protecting the organization and creating short and long term value. THE ERM FRAMEWORK The ERM framework provides context and structure for the methods and processes that deliver on the ERM goals. There is no single standard ERM framework for the energy industry. Several model frameworks exist, such as those of the Committee of Sponsoring Organizations of the and the particular nature of their business, as well as to their external environment in terms of operating conditions, competition and regulation. The purpose of the framework is to provide a multi-dimensional structure that links risk factors and risk management processes with overall company objectives, in an integrated and controlled environment. The CAS ERM framework, for example, maps seven processes across four risk categories. TOP DOWN COSO states that ERM is a process effected by an entity s board of directors, management and other personnel. In other words, it must start from the top. Board and senior management buy-in is a pre-requisite for meaningful implementation and success. Without top-level support, the efforts to identify, measure and control risks will fail to connect with business 4 DRIVING ENTERPRISE RISK MANAGEMENT BEST PRACTICES FOR ENERGY FIRMS JUNE 2014

5 CAS ERM FRAMEWORK Categories, with example risks: Hazard Risk natural catastrophe, theft, business interruption, liability claims Financial Risk price, credit, liquidity, inflation, hedging risks Risk management process steps: Establish Context internal, external and risk management contexts Identify Risks document conditions and events that represent material threats or areas of potential competitive advantage Operational Risk capacity or efficiency issues, product or service failure, IT availability Strategic Risks reputational damage, competition, capital availability, regulation, political risk Analyse/Quantify Risks calibrate and, where possible, quantify risks Integrate Risks aggregate all risks, reflecting correlations and portfolio effects, and express results in terms of impact on key performance metrics Assess/Prioritise Risks determine contribution of each risk to the aggregate risk profile and prioritise accordingly Treat/Exploit Risks avoid, retain, reduce, transfer or exploit risks Monitor and Review continually assess the risk environment and performance of the risk management strategies. decision making and will have little influence on strategic planning and performance. Successful ERM requires a risk culture embedded in the organization, which will only take root and flourish if initiated and supported at the most senior level. The board will have ultimate responsibility for risk management oversight. It should also set the firm s overall risk appetite. (It is against this appetite and associated tolerance levels that the risk profile must be measured.) The board and CEO must also establish the ERM governance structure, with clear roles and responsibilities for each element of the organization. It should appoint a risk committee, membership of which could include risk management, finance, audit, compliance, operations, business units and IT. The risk committee should establish risk policies and set tolerance levels for specific risks within the overall risk appetite. It should also establish the risk infrastructure and controls, and review and report on significant risk issues. In an industry as complex and diverse as energy, business unit managers will be key to identifying new and changing risks, as well as helping embed a risk culture in the organization. Business unit managers will be owners of risks and their associated treatments avoid, accept, transfer, mitigate and/or exploit. They will be responsible for reporting on risk exposures and actions, as well as losses. The risk management function will support the governance and processes of ERM, including developing and documenting policy, establishing assessment techniques and tools, measuring and aggregating risks, and producing reports for the risk committee and board. The audit function will underpin the ERM framework through an assessment of the risk management processes and the effectiveness of controls. TAILORING TAXONOMIES One of the first tasks for those adapting an ERM framework is to tailor the categorization of risk factors and risk drivers to the nature of the firm and its operating environment. In addition to the generic risk factors and drivers, the taxonomies must capture those elements specific to the energy industry and to the firm s particular operations, encompassing the full portfolio of exposures across all activities. This is especially important where firms are multifaceted businesses that might include generation, distribution, supply, trading and services. Correlation of risk factors must not be overlooked or underestimated. Risks must be further classified by treatment differentiating between those that can be quantified and those where a more qualitative approach is necessary, or a combination of quantitative and qualitative measures. Hazards such natural catastrophe and business interruption, and financial risks such as market and credit, are generally more quantifiable 5 DRIVING ENTERPRISE RISK MANAGEMENT BEST PRACTICES FOR ENERGY FIRMS JUNE 2014

6 than operational and strategic risks. Things like new regulation, political unrest or reputational damage from accidents or staff behaviour cannot be captured as statistical distributions and must be subject to expert assessment and review. EMERGING RISKS The nature of the energy industry means that it is essential for firms to take a long view of their business, both from the supply and demand sides. Factors such as global warming and environmental change can affect energy sources like water flow and wind. Emissions controls can impact the viability of conventional power plants. Demand for renewables can open up opportunities for new power generation, as well as business prospects like the provision of infrastructure for electric vehicles. ERM should focus not only on the current known risks, but also on newly developing or changing risks. By their nature, new or changing risks will lack historical data and, therefore, will be outside the realm of statistical analysis. Identifying and managing emerging risks requires a wide range of additional information sources, such as news reports, scientific research and academic studies, as well as specialised skills and expertise from across the organization or from external sources. Once identified, emerging risks can be investigated via scenario simulations and stress tests. Emerging risk analysis should feed into business strategy development and long term planning. KEY RISK INDICATORS Most energy firms are familiar with key performance indicators (KPIs) as a way of monitoring and measuring success or progress towards business goals. Key risk indicators (KRIs) can perform a similar role with regard to exposures. KRIs are leading indicators of potential threats and should be proactively monitored and tracked. For quantifiable exposures, KRIs could be thresholds that measure risk levels and trigger alerts. KRIs for non-quantifiable risks could involve the monitoring of events or conditions and expert assessment of risk levels. One of the challenges of embedding ERM in an organization is to gain agreement to include KRIs alongside KPIs in the balanced scorecard or other management reporting tool that the board and senior executives use for assessing business performance. By monitoring and assessing KRIs together with KPIs, a firm will have a better understanding of the context of its performance, as well as potential threats and opportunities that might impact that performance. TECHNOLOGICAL SUPPORT There are a number of areas where ERM requires technological support. Risk information must be gathered, organised and stored where it can be readily accessed for analysis and manipulation, including quantification, aggregation and reporting. Certain ERM processes can be made more efficient by a technology-based approach, including elements of information gathering and monitoring, the management of activities and the recording of audit trails. Tools will be required for statistical analysis and modeling of quantifiable risks, and for scenario analysis and stress testing for qualitative risk analysis. A centralised ERM solution can bring together all exposures for a holistic view of risk and enable assessment against the firm s overall risk appetite. It will also help identify risk concentrations as well as potential diversifications. An integrated ERM solution will facilitate ad hoc analysis and reporting and the creation of risk dashboards with drill-down functionality to underlying data. It can also provide essential support for compliance in today s demanding regulatory environment. 6 DRIVING ENTERPRISE RISK MANAGEMENT BEST PRACTICES FOR ENERGY FIRMS JUNE 2014

7 BENEFITS By identifying and assessing current exposures and potential threats, as well as new opportunities, ERM can protect value and improve performance. If it is implemented as a proactive and dynamic approach, ERM can be a differentiator and provide a competitive advantage in a challenging environment. Compliance Energy firms face a raft of new regulations, including EMIR, MIFID and REMIT in Europe, and Sarbanes-Oxley and Dodd-Frank Acts and FERC and NERC requirements in the US. An ERM framework can help address not only the detail of these regulations, such as monitoring of trading activities and reporting of OTC derivatives, but also their demands in terms of overall governance and risk management oversight. Portfolio risk management By bringing all risks together into a centralized framework, the organization will be able to ensure aggregate risk is within the stated risk appetite. It will also be able to identify concentrations of exposures across risk factors, products and business units. The organization will be able to take advantage of portfolio effects such as diversification for the offsetting or moderation of risks. And an integrated view of risk will allow the organization to optimize its approach to risk monitoring and control. More efficient use of capital ERM will enable a risk-adjusted assessment of business lines and potential ventures and lead to improved capital investment and allocation decisions. By demonstrating that exposures are properly identified, assessed and managed, firms can reduce the capital that regulators require them to hold against operational and other risks. Risk-adjusted decision making Incorporating risk information into business development planning and strategy will lead to more realistic expectations and more predictable outcomes. Improved risk transparency for stakeholders Not only regulators, but all stakeholders are now demanding more transparency on risk. Analysts and credit rating agencies are more penetrating in their assessments and expect a more rigorous approach to risk management. Investors now give greater weight to risk in their valuations of firms. Identifying opportunities Where there is risk, there is often opportunity. An ERM process that looks broadly and holistically at risk can also identify new business prospects. Some may be entirely fresh ventures, others may leverage existing capabilities for example, providing infrastructure and supply for the growing fleet of electric vehicles. Or the value may lie in the diversification and offsetting of risks elsewhere. FACTORS FOR SUCCESS Establishing effective ERM presents many challenges. Gaining board and senior management buy-in is the first essential component. ERM requires champions within the organization to communicate the rationale and drive the implementation. A culture of risk must be embedded throughout the company, with the identification, monitoring and management of risks incorporated into day-to-day business activities across all departments. Consistent and comprehensible measures of risk are essential to enable all functions to understand and enter a dialogue about risks. This is especially important in multifaceted energy firms where there can be a broad range of operations and a diverse set of risks. Estimating the potential economic impact of risks and expressing them using the same accounting framework used for performance 7 DRIVING ENTERPRISE RISK MANAGEMENT BEST PRACTICES FOR ENERGY FIRMS JUNE 2014

8 assessment can help staff grasp the significance of exposures (or opportunities) and the importance of mitigating (or exploiting) them. Comprehensive and accurate risk analysis requires complete, reliable and timely information. Therefore, ERM must be built on solid data foundations. This includes user friendly mechanisms for capturing information, such as assessments, KRIs and incidents, in consistent formats, and forwarding it to a central platform for integration, analysis and storage. This will provide the source for reporting whether it is on-screen, ad-hoc or in a formal format and enable risk managers to effectively communicate with the business, senior management and the board. Strict data management and quality assurance will give greater confidence in analytical results. CONCLUSION Energy companies are beset by risks on all sides, from immediate financial market exposures and regulatory compliance issues, to social and demographic changes and global warming over a longer horizon. However, energy is an essential ingredient of modern life and new business prospects are emerging constantly as the global economy evolves. The rewards can be substantial for those firms that can navigate their way through the hazards and seize the opportunities as they appear. ERM will provide a framework for a holistic view across the organization, identifying and assessing risks individually, as well as taking their correlations and diversifications into account, and comparing the overall risk profile against the firm s stated risk appetite. In this way, ERM not only provides ongoing protection, but can give competitive advantage and add value in the short- and long-term. 8 DRIVING ENTERPRISE RISK MANAGEMENT BEST PRACTICES FOR ENERGY FIRMS JUNE 2014

9 THOMSON REUTERS ACCELUS The Thomson Reuters Governance, Risk & Compliance (GRC) business delivers a comprehensive set of solutions designed to empower audit, risk and compliance professionals, business leaders, and the Boards they serve to reliably achieve business objectives, address uncertainty, and act with integrity. Thomson Reuters Accelus connects business transactions, strategy and operations to the everchanging regulatory environment, enabling firms to manage business risk. A comprehensive platform supported by a range of applications and trusted regulatory and risk intelligence data, Accelus brings together market-leading solutions for governance, risk and compliance management, global regulatory intelligence, financial crime, anti-bribery and corruption, enhanced due diligence, training and e-learning, and board of director and disclosure services. Thomson Reuters has been named as a category leader in the Chartis RiskTech Quadrant For Operational Risk Management Systems, category leader in the Chartis RiskTech Quadrant for Enterprise Governance, Risk and Compliance Systems and has been positioned by Gartner, Inc. in its Leaders Quadrant of the Enterprise Governance, Risk and Compliance Platforms Magic Quadrant. Thomson Reuters was also named as Operational Risk Software Provider of the Year Award in the Operational Risk and Regulation Awards 2013 and For more information, visit accelus.thomsonreuters.com 2014 Thomson Reuters GRC01119/6-14