The new CROs are bringing back much-needed discipline to restore investor confidence.
Scott Smith's title is senior vice president and chief risk officer. But when he's out of earshot, some people at AEP call him the chief SOB.
"I'm not a popular guy," Smith says half-jokingly. "I continually get comments about what a pain I am. My people are aggressive and they don't take any crap."
But Smith isn't a bully or sadist. He's just doing his job-namely, helping AEP "make informed risk-taking decisions." Sometimes that means unearthing risk factors that effectively send the company's business managers back to the drawing board.
While the CRO might never be elected the Most Likeable Person, utility senior management is becoming positively enamored with the office of the CRO. Fully 40 percent of America's CROs work for utilities and energy companies, according to a survey by the Conference Board of Canada, Tillinghast Towers Perrin, and the University of Georgia.
And the industry's CRO community is taking a higher profile in the face of recent crises. Earlier this year, a group of six energy companies-AEP, Constellation Energy, Duke Energy, Mirant, Tractebel North America, and TXU-came together to form the Committee of CROs. (See sidebar: "The Committee of CROs: United We Stand") The committee's purpose is to identify best practices for energy industry risk management.
"It's a trend for the industry. The investor community is saying we need this," says Mark Williams, an executive-in-residence at Boston University. "Each company needs to look at its risk tolerances and find the right person to bring in." This trend is motivated, obviously, by the major changes that are sweeping through the marketplace-and being reported on the front pages of daily newspapers across the country.
Investors fatigued by scandals and earnings volatility are driving companies to bring consistency back to their financial performance. From a risk-management perspective, this means the organization needs a steady hand on the tiller-hence the creation of the CRO.
"The industry has a credibility issue, partly created by the lack of independence," Williams says. "Companies are sending the strong message to the market that they have an independent, senior manager focusing on the risks associated with the returns."
How'd We Get Here?
The industry has come a long way in its view of risks. Today, the industry's leading companies are seeking to create a risk-management culture, in which an awareness of risks is integral to the entire company's decision-making processes. This represents a tremendous advancement from its position just a few years ago.
"When regulators controlled prices and return-on-investment for utilities, they also controlled the utilities' risks," says David Shimko, president of Risk Capital Management in New York. "With deregulation, everyone got excited about lower prices and fancy contracting services, but they didn't realize that they also needed to manage risks in a completely new way. The industry became awash with people needing help managing risks without implicit governmental support."
Further, modeling the energy trading business turned out to be more complex than modeling other commodities and financial instruments. Software systems have had trouble capturing the effects of weather, seasonality, and the interrelation of different commodities. This has made it difficult for companies to identify and track their risk exposures.
Nevertheless, the industry has made progress toward more sophisticated approaches to managing risks. One of the first steps was to include gas and coal prices in their electricity trading analyses. While such efforts obviously improved companies' trading operations, they left out major factors affecting overall performance. "For example, a trading-centered viewpoint does not recognize that a power-plant development group represents an enormous commodity position," says Dunham Cobb, a senior manager with Cap Gemini Ernst & Young (CGEY). "The decision to build a power plant is a decision to buy a long-term coal option."
An even more troublesome problem involves credit risks. Trading systems have become robust at clearing counterparties and measuring credit exposure on the trading floor. However, credit risks don't stop there-a fact underscored by the Enron meltdown.
"When Enron filed for bankruptcy, all the analysts asked, 'what was your exposure to Enron?'" says Phil Kassin, a consultant with PwC Consulting. For many companies, the CFO was unable to answer that question because the company's risk-management infrastructure did not cover large parts of its operations.
"Even the banks couldn't get a handle on their exposure," Kassin says. "Now boards [of directors] are asking, 'do you have the necessary systems in place to manage all this data?' Suddenly risk management is back in vogue."
Combined with the recent California market disaster, the Enron meltdown opened utilities' eyes-and those of regulators, investors and analysts-to a multitude of risk exposures that were not being captured in companies' risk analyses. "Even major utilities have been managed on a reactive basis," Kassin says. "With competition and volatility in prices, they have no choice but to learn to manage these risks or perish."
In practical terms, this means companies need a systematic way to ensure that all their significant exposures are included in their decision-making processes. This is frequently termed "enterprise risk management" or "global risk management," and is defined as a holistic way of viewing and analyzing risks.
Whatever the terminology, companies are striving to develop high-level risk-management competencies and weave them into the fabric of their cultures. This trend is coming none too soon, because better risk management is needed to help the industry restore its credibility and earnings performance.
"The more we can do to support risk management in the industry, the better off we will all be," says Patrich Simpkins, CRO of TXU. "It's important to make executive managers understand that risk-management is not some line function that drains resources. It's an integral part of making money consistently."
Simpkins explains that companies with the highest price/earnings (P/E) multiples have the most consistent revenue performance, and accomplishing consistent revenue in today's energy and utility industry requires world-class risk-management competency. "Many companies fail to understand that, and it creates a huge credit burden on the trading and retail side. Seventy-five percent of the credit capacity is held by fewer than 15 counterparties," he says. "We need more people who can hold up their ratings and grow this business."
Accordingly, the industry's leading companies have worked hard in the past 12 to 18 months to advance their risk-management capabilities, and positive results are already emerging from this effort. At AEP, for example, the company's enterprise risk-management system revealed credit risks involving a $150 million plant-construction deal that was being negotiated. AEP withdrew from negotiations and consequently avoided a significant bad-debt exposure when the counterparty became insolvent.
Similarly, TXU's risk analyses recently led the company to re-think a major pipeline project. Rather than canceling the project, the company restructured its plans to bring in a partner, which reduced TXU's capital requirements and actually shortened the development time frame.
Going a step further, Sempra Energy attributes its very solvency to the enterprise risk management approach that it has taken since the company was formed.
When California's utility market was deregulated, Sempra's risk analysts identified a high degree of price-risk exposure associated with the state's stranded-cost recovery plan. "We made the decision early that we did not want that risk," says Mark Randle, vice president of energy risk management. "It wasn't responsible to our customers and our shareholders. So we adopted a strategy to recover our stranded costs and get out from under the market cap early. That's why we're solvent today with a strong credit rating."
The payoffs may be great, but creating a risk-management culture has its price.
First, the present business climate has companies retreating from what might be strategic and justifiable risks. This might be unavoidable to the degree that capital resources are limited, but there is a danger that companies will become risk-hypersensitive.
"In the next 12 to 18 months, we'll see extra conservatism because of what has happened," says Steve Lis, a consultant with PwC Consulting. "People are becoming risk-averse, and the opportunity for value creation has been taken off the table."
In the long term, a more rigorous approach to unearthing risks should allow companies to take risks with greater confidence in their understanding of the implications. In the short term, however, it might exacerbate the trend toward risk-aversion.
Second, for some companies, the factors that make the CRO seem like an SOB could be disruptive. Any process change can be stressful, and the transition toward an enterprise view of risk often encounters resistance from the existing culture. "People need to see their role as being a partner to the business and helping to ensure the company's assets are protected," Lis says. "But this can be interpreted as control rather than partnering."
The key to overcoming such challenges starts at the top of the organization. Senior management, from the chairman down through all the business-line managers, must be completely vested in the idea of adopting a risk-management culture. "I have the full support of the executive committee," AEP's Smith says. "If you don't have that, you might as well forget it."
At the same time, however, companies must ensure that their risk-management goals are well understood by everyone at the company. "Communication with the front office and commercial operations is critical to ensuring that risk management is part of everybody's business," says Richard Osborne, CRO of Duke Energy. "It won't have much impact if only the CEO is focused on it."
This translates into two things: communicating senior executives' rationales and expectations clearly and thoroughly, and holding people accountable for following the risk-management policies that apply to them.
"Enterprise risk-management is a frame of mind for an organization," says James Rich, a vice president with ERisk in New York. "We have to get managers thinking in terms of risk management and strategic issues. There is a large training component." Overlooking such training-or failing to enforce risk policies-can scuttle the transition to a risk-management culture.
Third, a key challenge lies in the technological systems that make a comprehensive risk-management process work. Software solutions are available for some pieces of the puzzle, and vendors are working frantically to assemble the pieces into something resembling a complete picture. But an automated, global risk-management solution does not exist, and this fact might delay progress for some companies.
"There is no product right now that can cover both transactional and higher level exposures," says Rana Basu, a vice president with Trade Capture. "An integrated approach is desirable, and lack of that system breaks down the vision."
The complexity of the problem makes developing a comprehensive enterprise risk management system difficult, if not impossible. How does a large energy company identify and measure all its risk exposures? What about non-quantifiable things like regulatory, legal, operational, and strategic risks? How do they get included in the analysis?
In reality, however, practical risk-management competency doesn't necessarily require automation. "You don't need a sophisticated data-capture system. Ultimately you want to move toward that, but first you need your executives to understand risks and to evaluate that information in their decisions," says Fred Cohen, an auditor with PricewaterhouseCoopers. "You can implement an enterprise-wide program just by going through the fundamentals."
Smith agrees. "If you develop a huge risk-management black box, you're going to lose a lot in the number turning. Some organizations may be distracted by doing that."
AEP implemented what Smith calls the "USA Today" approach, in which the company's key risks are summarized for executives in a minimalist fashion. (See Sidebar, "AEP: Red Light, Green Light") "On a monthly basis the entire risk status for the enterprise is reported in 10 to 20 pages," he says. Of course more detail is available to executives if they need it, but key issues are summarized, on paper, in a way that can be comprehended instantly.
This is not to say, however, that sophisticated computer models don't have a role to play. AEP, Duke, and TXU are implementing SAS Risk Dimensions, a market risk-analysis platform that incorporates credit-risk exposure. Some companies, like Sempra Energy, developed their own proprietary systems, and solutions providers continue evolving their systems.
The next generation of off-the-shelf platforms will incorporate treasury items-such as currency exchange and interest-rate risks-as well as some broader market and counterparty credit risks. Solutions integrating these features are expected in 2003.
"The holy grail is RAROC-risk adjusted return on capital," says Gordon Allott, a vice president with KWI North America. "It's still undefined for the energy business, but the fundamentals of RAROC would bring in asset risk, market risk, and counterparty credit risk. Also, foreign exchange and interest-rate exposures are important. We are bringing those together in the not-too-distant future."
Already, some systems incorporate exchange-rate risks, and integrators are knitting various platforms together to obtain an integrated perspective on companies' risks. However, non-quantitative risks, such as regulatory and operational risks, will probably remain outside the scope of computer modeling for the foreseeable future.
Companies need not stand by and wait while programmers design better boxes. The key to successful risk management is not in having the biggest, best modeling system, but in executing the fundamentals. These can be summarized in several key steps:
- Obtain senior executive buy-in. The vision for creating a risk-management culture must start at the top. The CEO, CFO, and board of directors all need to understand how risk can influence the performance of the company.
- Establish a risk committee. A core group of senior executives should assemble to develop and implement the risk-management strategy.
- Study risk exposure. Examine each part of the organization to determine what risks it faces. Evaluate the likelihood, magnitude, and effects of these risks on the business.
- Prioritize the risks. Focus on managing the most important exposures first.
- Create a reporting process. Develop a workable reporting structure. Establish consistent methods for assessing and reporting the status of risks, and implement a simple rating format-such as a "stop light" system-that informs executives quickly and concisely.
- Set risk policies. Establish guidelines, limits, and triggers for important and routine risk exposures.
- Communicate goals, policies, and limits throughout the organization. Train business managers in the rationale, imperatives, and objectives that are driving this change. Use the system in the decision-making process. Hold business-line leaders accountable for enforcing risk policies and reporting the status of their exposures.
- Continue developing the system.
This approach might seem simplistic, but it incorporates the major stages in the process of creating an effective, global risk management system. Such a system need not be obsessively quantitative, nor should it be expected to quickly reach some arbitrary state of finalization. "Organizations don't stay the same. Requirements change," Sempra's Randle says. "We have a stable and completed platform that is undergoing continual adjustment. We are always looking for the optimum solution to meeting those requirements."
Perhaps no risk-management system can ever be considered perfect or 100 percent complete, but even a minimalist process can inform executives' risk-taking decisions. And reports from the field suggest that progress in this direction is paying dividends.
"Rating agencies have been very pleased with what they've seen in our risk-management capabilities," says Randle. "It's been a factor in maintaining our solid credit rating. And because we're emerging as one of the stronger credits of the energy trading business, our business in unregulated markets has seen deals that it hasn't in the past."
Companies that develop solid risk-management competencies-and use them to refine their strategies and avoid costly pitfalls-will gain ground over their competitors in the long term. Ultimately, as margins grow thinner, capital constraints grow tighter, and competition becomes more fierce, a clearer understanding of enterprise risks might separate the quick from the dead.
AEP: Red Light, Green Light
When Scott Smith joined AEP in early 2001, he was given an enormous task: implement an enterprise risk management (ERM) approach that would inform AEP's decision-making processes.
The result was what Smith calls the "USA Today" approach, and already it has helped AEP save millions, if not hundreds of millions, of dollars.
In mid-2001, a group of 125 AEP executives convened to define and categorize the company's risks. On that basis, the company established 10 risk categories:
- strategic franchise,
- legal & regulatory compliance,
- staffing & organization,
- operational systems & technology,
- financial documentation & reporting, and
Next, AEP created an organizational structure that would report risk data to the company's executive risk committee. Most of the hot-button areas report directly to Smith's 65-person organization. Others report through other company officers, and Smith himself reports to the CFO and the audit committee of the board of directors.
AEP then set policies, procedures, and triggers for risks in each area. In each group, the status of a risk factor is signaled with a "stoplight" icon, with red, yellow, or green indicators signifying risk priority.
This process is used throughout the organization. For example, the general counsel's staff members report to him in this stoplight format. "They don't bother to report the greens," Smith explains. "But he looks at the yellows and really focuses on the reds." The general counsel then takes 100 pages or more of documents and distills it into a single page with stoplight icons at the top. This is reported to the executive risk committee, along with reports from the company's other risk areas.
To date, most of AEP's 10 risk categories have been integrated into the reporting process, but Smith says his task is far from complete. "It hasn't been easy. Just when you think you're done, a new risk pops up. I don't know if the process will ever be done." -M.T.B.
The Committee of CROs: United We Stand
When human beings face a crisis, their typical response is either to fight or flee. Because neither action is particularly constructive, people strive to develop more rational responses-such as analysis, diplomacy, and cooperation.
A group of chief risk officers (CROs) did just that recently by forming the Committee of CROs (CCRO) in May 2002. The group now includes risk officers from about 30 companies, who are working to identify best practices in risk management for the energy and utility industry.
"The trigger for this activity was the continued dissatisfaction among securities analysts with the disclosures companies were making," says Richard Osborne, CRO of Duke Energy.
In a May 2002 Special Comment publication, for example, Moody's Investors Service said, "Differences in accounting methodologies and the degree of latitude available to the energy merchants make financial statement comparisons difficult."
To address this and other problems, the CCRO organized itself into four working groups, focused on the following areas:
- Valuation & Metrics: What should be measured, and how should it be valued?
- Credit Risk Management: How can credit and liquidity be ensured through bilateral agreements? What are the characteristics of an effective multilateral clearing platform?
- Governance & Controls: How should companies be organized to ensure senior executives are aware of risk positions? How should policies be developed and enforced?
- Disclosure: How can companies ensure that their reporting processes are accurate, useful, and comparable to other companies in their sector?
Given the pressure the industry is facing, a sweeping change in risk-management practices is inevitable, according to Osborne. "The question is whether it will be built on a best-practices template that is developed by those who understand it, or by regulators who reluctantly conclude that the industry can't answer these questions for itself."
So far, the CCRO seems to be overcoming the fight-or-flight instinct. "Never before have I seen as much devotion to getting something right as I've seen on this committee," says TXU CRO Patrich Simpkins. "The work that's being done is tremendous."
At press time, the committee's first best-practices document was expected in September 2002. -M.T.B.
Articles found on this page are available to Internet subscribers only. For more information about obtaining a username and password, please call our Customer Service Department at 1-800-368-5001.