Beyond Sarbanes-Oxley


Energy Trading & Risk Management: How to evaluate risk and improve decision-making capabilities.


Fortnightly Magazine - October 2005

In an effort to comply with Sarbanes-Oxley, many companies spent thousands of hours assessing controls around financial reporting. When all was said and done, their main complaint was that the efforts failed to focus on the key processes, reports, and systems the companies used to make daily operational decisions.

This is where enterprise risk management (ERM) enters the picture. ERM was a methodology that was discussed by many organizations several years ago. Some utilities even implemented certain aspects of ERM, but broader application of the concept was shelved as problems developed within the energy trading sector. The reality is, most utilities applied components of ERM to specific risks, namely commodity market risks and interest-rate risks. This was a great place to start but, unfortunately, it missed many other important risks within these companies, such as operational risks, integrity risk, compliance risk, strategic and reputation risk.

Boards of directors also have a heightened sense of need regarding governance and control infrastructure, given the current environment. The Committee of Sponsoring Organizations (COSO), the same organization that set forth the standards that most companies are using for compliance with Sarbanes-Oxley, recently introduced an integrated framework for ERM. Boards are under increasing pressure to understand how management is assessing and managing risks across the organization. This expectation has, in turn, increased the pressure on management. Yet, research consistently indicates that six of 10 senior executives "lack high confidence" that their company's risk-management practices identify and manage all potentially significant business risks.

With a heightened focus on risk management, it has become increasingly clear that traditional risk-management approaches do not adequately identify, evaluate and manage risk. Traditional approaches tend to be fragmented, treating risks as disparate and compartmentalized. These risk management approaches often limit the scope to managing uncertainties around physical and financial assets. Because they focus largely on loss prevention, rather than adding value, traditional approaches do not provide the framework most organizations need to redefine the risk management value proposition in ways that better reflect this rapidly changing world.

An ERM approach integrates risk management with existing management processes, identifies future events that can have both positive and negative effects, and evaluates the effectiveness of strategies for managing the organization's exposure to those possible future events. ERM transforms risk management to a proactive, continuous, value-based, broadly focused, and process-driven activity.

A New Approach

ERM differs from traditional risk-management approaches in terms of focus, objective, scope, emphasis and application. It aligns strategy, people, process, technology, and knowledge. The emphasis is on strategy, and the application is enterprise-wide.


Under an ERM approach, management's attention is directed to the uncertainties around the enterprise's entire asset portfolio, including intangibles such as customer assets, employee and supplier assets, and such organizational assets as its differentiating