June 1 , 2002
Energy Risk Management: Rise of the Chief Risk Officer
is critical to ensuring that risk management is part of everybody's business," says Richard Osborne, CRO of Duke Energy. "It won't have much impact if only the CEO is focused on it."
This translates into two things: communicating senior executives' rationales and expectations clearly and thoroughly, and holding people accountable for following the risk-management policies that apply to them.
"Enterprise risk-management is a frame of mind for an organization," says James Rich, a vice president with ERisk in New York. "We have to get managers thinking in terms of risk management and strategic issues. There is a large training component." Overlooking such training-or failing to enforce risk policies-can scuttle the transition to a risk-management culture.
Third, a key challenge lies in the technological systems that make a comprehensive risk-management process work. Software solutions are available for some pieces of the puzzle, and vendors are working frantically to assemble the pieces into something resembling a complete picture. But an automated, global risk-management solution does not exist, and this fact might delay progress for some companies.
"There is no product right now that can cover both transactional and higher level exposures," says Rana Basu, a vice president with Trade Capture. "An integrated approach is desirable, and lack of that system breaks down the vision."
The complexity of the problem makes developing a comprehensive enterprise risk management system difficult, if not impossible. How does a large energy company identify and measure all its risk exposures? What about non-quantifiable things like regulatory, legal, operational, and strategic risks? How do they get included in the analysis?
In reality, however, practical risk-management competency doesn't necessarily require automation. "You don't need a sophisticated data-capture system. Ultimately you want to move toward that, but first you need your executives to understand risks and to evaluate that information in their decisions," says Fred Cohen, an auditor with PricewaterhouseCoopers. "You can implement an enterprise-wide program just by going through the fundamentals."
Smith agrees. "If you develop a huge risk-management black box, you're going to lose a lot in the number turning. Some organizations may be distracted by doing that."
AEP implemented what Smith calls the "USA Today" approach, in which the company's key risks are summarized for executives in a minimalist fashion. (See Sidebar, "AEP: Red Light, Green Light") "On a monthly basis the entire risk status for the enterprise is reported in 10 to 20 pages," he says. Of course more detail is available to executives if they need it, but key issues are summarized, on paper, in a way that can be comprehended instantly.
This is not to say, however, that sophisticated computer models don't have a role to play. AEP, Duke, and TXU are implementing SAS Risk Dimensions, a market risk-analysis platform that incorporates credit-risk exposure. Some companies, like Sempra Energy, developed their own proprietary systems, and solutions providers continue evolving their systems.
The next generation of off-the-shelf platforms will incorporate treasury items-such as currency exchange and interest-rate risks-as well as some broader market and counterparty credit risks. Solutions integrating these features are expected in 2003.
"The holy grail