Energy Trading & Risk Management: How to evaluate risk and improve decision-making capabilities.
"Risk-management capabilities" include the policies, processes, competencies, reporting, methodologies, and technology required to execute the organization's response to managing its priority risks. They also consist of what we call "ERM infrastructure." To illustrate:
Item A. Defining the specific capabilities around managing the priority risks begins with prioritizing the critical risks and determining the current state of capabilities around managing those risks. Once the current state of capabilities is determined for each of the key risks, the desired state is assessed, with the objective of identifying gaps and advancing the maturity of risk management capabilities to close those gaps.
Item B. ERM infrastructure consists of the policies, processes, organizational oversight, and reporting to instill the appropriate discipline around continuously improving risk-management capabilities. Elements of ERM infrastructure include, among other things, an overall risk-management policy, an enterprise-wide risk assessment process, presence of risk management on the board and CEO agenda, a chartered risk committee, clarity of risk-management roles and responsibilities, dashboard and other risk reporting, and proprietary tools that portray a portfolio view of risk.
Here is the message: The greater the gap between the current state and the desired state of the organization's risk management capabilities (Item A), the greater the need for ERM infrastructure (Item B) to facilitate the advancement of those risk management capabilities over time. A working group of senior executives should be empowered to articulate the role of risk management in the organization and define relevant goals and objectives for the enterprise as a whole and its business units.
3. Advance the risk management capability of the organization for one or two priority risks.
This step focuses the organization on improving its risk management capability in an area where management knows improvements are needed. Like any other initiative, ERM must begin somewhere.
Possible starting points include:
- Compliance with the Sarbanes-Oxley Act (specifically Sections 404 and 302 of the act);
- Risks other than financial reporting risk (for example, one or two priority financial or operational risks, environmental, health and safety risks, regulatory compliance risks, IT security risks, facility protection risks, or governance reform issues);
- Evaluating enterprise-wide risk-assessment results to identify priority areas (in other words, migration to ERM begins with first selecting the priority risks and assessing the current state of risk-management capabilities addressing those risks, as discussed in Step 1);
- Integration of ERM with the management and operating processes that matter (for example, strategic management, annual business planning, new product launch or channel expansion, quality initiatives, performance measurement and assessment, and capital expenditure planning).
Many public companies in the United States may begin their evolution to ERM with Section 404 compliance because the first-year compliance investment is significant and a company cannot have sound governance without transparency in its financial reporting. A strong focus on reliable financial reporting is a good foundation on which to build ERM capabilities. Regardless of where an organization begins its journey, the focus of ERM is the same: to advance the maturity of risk management capabilities for the organization's priority business risks.
4. Evaluate the existing ERM infrastructure capability and develop