Strong CROs: More Important Than Ever


How important is the risk function at your company?

Fortnightly Magazine - April 2007

How, in the post-Enron environment, can some utilities continue to ignore the benefits of, or downgrade the importance of, the chief risk officer (CRO)? As many utilities retrenched and divested themselves of risk-creating businesses such as energy trading and merchant-power development, they were lulled into the belief that they simultaneously had divested themselves of all risk.

To an outside observer, it would appear that the risk-management function within utilities is now less critical or even wholly unnecessary. Despite this false sense of “security,” volatility is extreme, assets are being run more aggressively with less room for forgiveness, and the regulatory environment is unpredictable at best. With these and other factors taken into account, it is safe to say that the CRO function, along with its associated infrastructure, risk culture, and staffing requirements, has become more important than ever, and investment analysts are taking note and keeping score.

The majority of senior management at utilities were, of course, keenly aware of the need for serious and focused risk management when they became involved in large-scale energy trading and marketing activities during the heady days of the 1990s and early 2000s. However, as post-Enron capital and credit constraints became insurmountable hurdles, many utilities were forced to evaluate their stomach for risk and volatility. Several chose to shut down or sell off trading/marketing subsidiaries. As utilities implemented a “back-to-basics” strategy, some boards of directors and top executives chose to relax their vigilance in the area of risk management under the false assumption that the risk-creating businesses had been discontinued. As a result, some organizations eliminated the CRO function entirely, and some allowed the discipline to be “spun off” along with the trading function.

Utilities may have retained some staff in middle-office positions who once reported to a CRO, but they now are under the umbrella of the responsibilities of a CFO or a controller. No longer is there an independent, risk-savvy, strategic thinker at the top of the risk-management pyramid who has the mission and authority to identify, quantify, and mitigate enterprise-wide risk. In other cases, the CRO remains, but the risk function is perceived as less important than it once was. The CRO may be working with a smaller staff than before, or may have been pushed downward in the management hierarchy.

Risk Remains

Despite all these changes, the risks remain, and they are as big as ever. Utilities still are “trading around their assets,” still buying and selling wholesale commodities in a complex and volatile market, and still exposed to a substantial amount of regulatory risk. They must deal with many more uncertainties, from the huge volatility in the price of energy in the last few years to the ripple effects of these wild commodity swings on the creditworthiness of counterparties.

As many companies have exited trading, the remaining ones have assumed larger and larger roles. If one of the remaining players performs badly, or even blows up, the impact could cause far-reaching and sizable disruptions in the market. Although the CRO function might have been important once because of wholesale markets and trading, the function is even more important now because the risk-creating factors affecting even traditional utilities (particularly price volatility and regulatory risks) are extreme and deeply embedded within a utility’s core business.

Arlene Spangler at Standard and Poor’s recently prepared a detailed report, Taking the “PIM” Approach When Assessing U.S. Energy Companies’ Risk Management, which describes in exquisite detail how S&P analysts intend to examine an energy company’s risk-management program on the basis of close attention to policies, infrastructure and methodologies. The very first item discussed under “Infrastructure” is “the quality of the risk-management organization.” The risk-management staff’s “seniority, career path, and compensation” will be examined, along with their educational backgrounds and the quality of their training. The analysts also will examine the budget for the risk-management function.

Four Crucial Areas

Clearly, utility executives need to look at risk management again—particularly the all-important position of CRO. A CRO must look after at least four highly diverse yet interconnected risks: market risk, credit risk, operational risk, and regulatory risk. The most obvious of these is the market risk—the cost of fuel and the price of electricity.

Credit risk involves the creditworthiness of people buying and selling large amounts of fuel or electricity. Simply put, when the utility sells energy to another market participant, the company needs to get paid. Likewise, fuel and power sellers want to do business with utilities that have a strong credit rating and a good balance sheet.

Operational risk involves the risk in the company’s day-to-day asset operations, be it power generation or natural gas/coal procurement and transportation. The regulatory risk, of course, entails anticipation of, and preparation for, unforeseen new regulations or modifications to regulations. One example of this latter concern would be the often discussed and debated “carbon tax” on emissions.

The risk-management staff, under the CRO’s supervision, constantly models and stress-tests the market and credit risks, creating scenarios that illuminate potential problems in operational risk. For example, what happens if one of our plants unexpectedly goes off line and we have to buy power on the open market? How will this affect our credit and exposure?

A major issue pertaining to the regulatory environment is the utility’s rate structure—whether unexpected costs can be passed through to the consumer, and if so, how quickly. One of our clients recently approached $1 billion in unexpected, unrecovered fuel costs, but because of the regulatory environment in his state, his ability to pass these unexpected expenses through to consumers in a timely manner was impeded. The company therefore had to implement aggressive strategies to deal with liquidity issues associated with the unrecovered fuel costs.

The CRO must anticipate these types of market-driven regulatory risk issues, track them through the legislative or regulatory process, and prepare strategies to deal with the direct and indirect issues associated with them. The risk-management staff has to be well qualified to perform these functions effectively, and the CRO has to have the knowledge and wisdom to oversee them all. Background and training are major issues here. Some CROs possess outstanding commercial and analytical acumen and easily can discuss highly theoretical aspects of risk. However, unless these skills are married with real-world experience and lessons learned through a “baptism by fire,” such as liquidity crises and trading-book blowups, their effectiveness can be limited. Additionally, many lack the requisite interpersonal, diplomatic, and political skills to make them effective in the role. Without question, a candidate’s personal style and interpersonal skills are the most critical and unique aspects of a utility CRO search. The cultural complexity and institutional history associated with most utilities require the CRO to be skilled at assessing personalities, determining motivations, and educating skeptical internal “clients.”

The importance of the independence of the CRO hardly can be overestimated. In a well-run company, the CRO needs to be able to “deep dive” anywhere and perform in-depth analysis of transactions and operations. He should have easy, unencumbered access to all commercial and operational areas and to almost any other corporate records, without having to negotiate burdensome and time-consuming bureaucratic obstacles.

Where Do You Stand?

Where the CRO stands in the actual and perceived command structure is as important as the independence of the CRO and the quality of experience and leadership. Does the CRO report directly to the board of directors, CEO, or CFO, or to a lower-level manager? The position of the CRO in the hierarchy often directly reflects the degree of importance the company places on risk management, and this can send an informal, yet powerful message to the individuals and groups being scrutinized by the CRO.

Analysts like Arlene Spangler are making it clear that a rudimentary risk function simply will not do. The qualitative assessment of utilities’ risk function is sure to create angst for some and opportunities for others. Some organizations will have a slight reprieve, given that most of the focus appears to be on utilities that still have meaningful trading and marketing activities. However, rating agencies such as Standard & Poor’s ultimately will be turning their finely tuned microscopes on all utilities and judging them against essentially the same guidelines.

Shelley Hurley, a partner with Accenture’s Risk Management Practice and long-time proponent of risk management in the energy industry, says the decision to embrace a comprehensive risk-management culture and infrastructure usually has been the result of one or several of the following: a risk-savvy board of directors demanding that the company implement a world-class risk management infrastructure, a “blow up” in the company’s energy trading and marketing business, or pressure from rating agencies.

It is safe to assume that the last of those options is likely to become the predominant factor causing traditional utilities to examine the benefit of implementing a robust risk-control program.