Enterprise Risk Management: Getting your organization started, and improving corporate results

John R.S. Fraser

Senior Vice President, Internal Audit & Chief Risk Officer

Hydro One Networks Inc.

For Directors Global & Grant Thornton LLP – Toronto

December 2, 2010


Summary of Presentation

1. Background on Hydro One

2. ERM Concepts and Clarifications

3. Policy and Framework

4. Risk Criteria (Tolerances)

5. Corporate Risk Profile

6. Risk Workshops

7. Business Planning

8. Conclusion


Background on Hydro One

• Ontario’s primary electricity transmission & distribution company

• One of the largest Tx companies in N.A.

• $15.8 B of assets

• $4.7 B of annual revenue

• $1.5 B annual capital and maintenance spend

• 5,400 employees


The Changing Electricity Marketplace in 2000

• Unprecedented change within the industry (Re-regulation, Commercialization, Reorganizations)

• Ontario Hydro broken up in April 1999

• Commercial Board of Directors appointed

• Asset Management Model introduced

• Retirement of 20% of workforce in 2000

• Purchased 88 municipal electric utilities in 2000

• For 2002, an IPO and Market Opening (unbundled bills)


History of ERM at Hydro One

• Previous attempts that did not engage

• Organizational realignment with CFO led to rethink

• Can the Head of Audit be the CRO?

• January 2000 - New Beginnings

• 2000 – 2003: Full Steam Ahead

• 2004 – Present: Sustainment

• 2011 - Regeneration


Is there a need in your organization?

• Amount of change in the organization and/or industry

• Amount of change in senior management

• Appetite for:

– governance (actual and optics)

– clarity of decision making


ERM – Scope of Mathematical Intensity

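[Figure: a spectrum running from "Detailed math is the answer" to "Broad ranges are the way to go", with these standards and organizations placed along it: AU/NZS 4360, COSO, ISO 31000, SOA, CAS, PRMIA, S&P, Moody’s, RIMS]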


Notice - What our ERM is not about

• Sarbanes Oxley

• Compliance

• Audits

• Regulations

• Performance Measurement

• Credit, market or operational risk in isolation

Note - The world does not need more bureaucracy


Notice - What our ERM is about

• Good Governance

• Good Management

– Agreed objectives and risk strategies

– Future outlook

– Prioritization of objectives and risks and mitigants

– Resource allocation based on risks to objectives


ERM Processes

“Conversations” & “Prioritizations” via:

• Policy and Framework

• Risk Criteria (appetite/tolerances)

• Corporate Risk Profile

• Risk workshops

• Business Planning


ERM Policy and Framework


• ERM Policy:

– “ERM provides uniform processes to identify, measure, treat and report on key risks.”

– This is the umbrella policy under which all other risk policies fall.

– Key principles include: portfolios of ALL types of risks, integrated with strategic and business planning, annual risk assessments, everyone’s responsibility.

– Key accountabilities: Audit & Finance Committee, the President, CFO, Management and CRO.

• ERM Framework:

– Establishes the basic process for all risk assessments


ERM - Corporate View

[Diagram: three levels (BOARD COMMITTEE, EXECUTIVE MANAGEMENT, LINE MANAGEMENT) with the labels CORPORATE RISK PROFILE; POLICY & FRAMEWORK; RISK PROFILES; RISK TOLERANCES; MANAGE RISKS, $$]


Risk Criteria (Tolerances)


Use of Risk Criteria (Tolerances)

• In order to run effective risk workshops

• In order to create a common understanding of risks by both the leadership team and the board

• Criteria for Business Planning/Resource Allocation prioritization


A more complex view

[Figure: nested risk levels labelled Risk Capacity, Risk Appetite, Risk Tolerance, Risk Target/Range and Risk Limits, with the callout "This is the box we play in"]

Source: Web presentation by J. Chris Karow, E&Y, ERM Symposium, New York, March 28, 2007


Turning Strategy into Risk Tolerances

• Strategic Planning: How are we going to achieve our overall Corporate aims?

• Business Objectives: What 6-10 objectives do we want to factor in to decision-making?

• Key Performance Indicators: How will we measure success for each Business Objective?

• Risk Tolerances: What is our attitude toward failure for each KPI?


Example of HOI “risk tolerances”

Risk Tolerances

| Business Objectives | Event Impact Description | 5 Worst Case | 4 Severe | 3 Major | 2 Moderate | 1 Minor |
|---|---|---|---|---|---|---|
| Financial | Net Income shortfall (after tax, in one year) | >$150M shortfall | $75-150M shortfall | $25-75M shortfall | $5-25M shortfall | <$5M shortfall |
| Reputation | Negative Media Attention; Opinion leader and Public Criticism | National media attention; opinion leaders/customers nearly unanimous in public criticism | Provincial media attention; most opinion leaders/customers publicly critical | Significant local attention; several opinion leaders/customers publicly critical | Credible letter(s) to Ministry of Energy, to Premier, to Chair of OEB, or to Minister of Environment, that require action | Letter(s) to Senior Management |
| Customer/Reliability | Outages on the Hydro One system | One of: >100,000 Customers Distribution or >1000MW Tx for more than 7 days | One of: 40k-100k Customers Dx or 400-1000MW Tx for 4-7 days | One of: 10k-40k Customers Dx or 100-400MW Tx for 2-4 days | One of: 1k-10k Customers Dx or 10-100MW Tx for 4-24 Hrs | One of: <1000 Customers Dx or <10MW Tx for <4 Hrs |

Worst Case: threatens the survival of Hydro One Inc. in its current form

Major: significant deterioration in results

Minor: noticeable deterioration in results


Corporate Risk Profile


• Purpose and Benefits

• Semi-annual based on:

– Interviews & Databases

– Trends & Emerging risks

• Reviewed by:

– Executive (Risk) Committee

– Audit Committee

• Input to Business Planning

• The Corporate Risk Profile


Risk Interviews

• Strategic Objectives

• List of major events since last Risk Profile

• Prior list of top risks: to capture trend and rating

• Listings of all possible existing and evolving risks


Structured Risk Interviews/Workshops

• Human Resources (R=2.6 / C=2.9)

• Retaining Expertise (R=2.6 / R=2.1)

• Training (R=2.5 / C=2.8)

• Labour Agreements (R=2.4 / C=2.0)

• Commercial Culture (R=3.4 / C=2.1)

• Volatile Work Schedule (R=2.4 / C=2.1)

• Budget (R=2.8 / C=2.6)

• Skills (R=2.5 / C=2.6)

• Demographics (R=3.5 / C=2.3)

• Competition (R=2.7 / C=2.5)

R = Residual Risk; C = Control


Corporate Risk Profile

[Diagram of the Corporate Risk Profile document, with the labels: SCOPE, METHODS & CHANGES; CHART OF RISKS; SPECIFIC RISKS (RISK #1, #2, #3, #4, #5); SOURCES OF RISK; IMPACTED OBJECTIVES; MITIGANTS]


Corporate Risk Profile

| Risk Source | March 2001 | Dec. 2001 | Risk Trend |
|---|---|---|---|
| Cost Reduction | Very High | Very High | |
| Regulatory Uncertainty | High | Very High | |
| Initial Public Offering | High | High | |
| Customer Relationships | High | Medium | |
| Human Resources | Medium | Medium | |
| Safety | High | Medium | |

Note: Each risk category is explained with a half page analysis outlining the sources of the risk and the mitigants in place or planned.


Risk Workshops


Risk Workshops are Facilitated for:

•Major Projects, e.g. construction, I.T., M&A

•Major Types of Risks, e.g. environmental

•Lines of Business, e.g. for business planning

•Leadership Team and Full Board of Directors

Note: A Full Report is Provided within 24 hours

“Risk Management is a contact sport.”

Diana Del Bel Belluz


ERM Workshops

– Objectives articulated

– Risk Criteria (tolerances) developed

– Magnitude (“largest credible risk”)

– Probability (always to specific time-frames)

– Risk Trends for the future

– Risk Maps show quality of controls

• Unique Workshop Design


Risk Workshops - Process

•Champion: identified & used

•Attendees: number, qualities

•Pre-voting: methods & benefits/disadvantages

•Timing: length & agenda

•Software: voting and data capture

•Facilitation techniques: how to

•A Full Report is Provided within 24 hours


Environmental Hazards

[Bar chart: number of participants who voted for each category (5 Worst Case, 4 Severe, 3 Major, 2 Moderate, 1 Minor), on an axis from 0 to 100%. Vote counts shown on the bars: 8, 2, 1, 7]


Environmental Hazards

[Bar chart: votes for each category (5 Worst Case, 4 Severe, 3 Major, 2 Moderate, 1 Minor), on an axis from 0 to 100%. Vote counts shown on the bars: 3, 10, 5]


[Risk map (bubble chart): axes Probability and Magnitude, each marked 2, 3, 4]

NOTE: Size of bubbles depicts confidence in controls

Briefing Sessions: voted results & meaning

“Molecules”

• themes, patterns in discussion

• common causes


Business Planning


Spending Prioritization: Making choices based on value

Vehicles??

House??

Medical??

Travel??

Intolerable Risks + Highest “Risk Mitigation” Value for money


“True” tolerances: “Red Zone”

[Matrix: impact categories (5 Worst Case, 4 Severe, 3 Major, 2 Moderate, 1 Minor) against probability categories (5 Very Likely, 4 Likely, 3 Middle Odds, 2 Unlikely, 1 Remote)]


Ranking across Work Programs

| Program | Level | Cost | Cuml. Cost | Risk if not done | Bang for Buck (1) |
|---|---|---|---|---|---|
| Vehicles | Highest Risk | $2 | $2 | 100.0 | |
| House | Highest Risk | $6 | $8 | 100.0 | |
| Medical | Highest Risk | $1 | $9 | 100.0 | |
| Vehicles | Level 1 | $1 | $10 | 2.8 | 2.80 |
| House | Level 1 | $3 | $13 | 3.0 | 1.00 |
| Vehicles | Level 2 | $2 | $15 | 1.9 | 0.95 |
| House | Level 2 | $5 | $20 | 3.2 | 0.64 |
| Medical | Level 1 | $12 | $32 | 2.3 | 0.19 |

(1) value for $’s

Chart callouts: Intolerable Risk; “BANG for BUCK”; Resources = $14


Framework Initiated Formulated Implemented Robust

ERM Policy

ERM Framework

Executive Risk Committee

Common Language

Dedicated Corporate Risk Group

Champions

Integration with loss control

Integration with Strategic Planning

Integration with Business Planning

Hydro One ERM Status - April 2002


Tools & Techniques Initiated Formulated Implemented Robust

Approved Risk Tolerances

Workshops - Line

Workshops - Leadership

Voting Software

Measurement – broad ranges

Measurement – detailed metrics

Risk Register One sub only One sub only

Business Plan Templates

Scenario analysis

Sign-off by Line Management One sub only One sub only One sub only

Key Risk Indicators

ERM in VP’s Personal Contracts

Hydro One ERM Status - April 2002


Deliverables Initiated Formulated Implemented Robust

Corporate Risk Profile

Reporting to Leadership/IRC

Reporting to Audit & Finance Committee

Reporting to Board

Hydro One ERM Status - April 2002


Staying in Business

“We have been in business since 1906, and we have been pleasing and displeasing the public ever since. We have been cussed and discussed, boycotted and investigated, talked about, lied about, hung up, held up and robbed. The only reason we are staying in business is to see what happens next.”

Sir Adam Beck, 1922

As quoted in “Adam Beck and The Ontario Hydro” by W. R. Plewman, published March 1947


Questions?
