• Diana Day, Enterprise Risk Management and Compliance Vice President, San Diego Gas & Electric Company and Southern California Gas Company
• Phil DeCicco, Regulatory Vice President and Deputy General Counsel, National Grid
• Janaize Markland, Enterprise Risk Management Director, Pacific Gas and Electric Company

Facilitator: Grant Davies, Management Consulting Principal, Accenture

Reporter: Brian Fletcher, Utility Consultant, Accenture

In the wake of significant, headline-grabbing incidents and outages, regulators are seeking answers about the safety of their utilities’ gas and electric delivery systems. New regulatory policies have been developed to address the way utilities manage risk, as well as to reexamine how risk is defined. As a result, interest has grown among utility leaders to discuss how to best address these new dynamics of risk. While the term previously referred to topics like liquidity and creditworthiness, today “risk” is being discussed in the more practical terms of operations.

At WEI’s January Board of Directors Meeting in Marina del Rey, California, utility executives from three of the continent’s largest utilities spoke about the evolution of risk management at their organizations. Each shared how leadership could go beyond regulatory requirements to operationalize risk management, and all discussed how managing risk can strengthen the utilities’ businesses, while meeting reliability and affordability goals.

The responses have been edited for space and clarity.

Grant: How have operations been affected by decisions made for the sake of risk?

Phil: As we look at factors such as increasingly severe weather events, aging utility infrastructure, the growing need for cybersecurity and the rise of an aging workforce, we are more aware of risk now than at any other time in history.

Our counterparts in the U.K. were much better at looking at operational risk and reporting on it, so we gleaned best practices from them. We had a regulatory audit a few years ago, which revealed that although we’re good at risk management at a managerial level, we weren’t reporting well to the executive level.

We also learned a lot from Superstorm Sandy. Sandy affected 8.5 million customers in the eastern U.S., resulted in 117 deaths, and caused $65 billion in infrastructure damage. In New York, we had 150,000 customers without gas, which necessitated one of the largest restoration efforts in the history of the natural gas industry.

This called for a consistency in risk monitoring and a proactive approach to risk mitigation unlike anything we had seen before. No longer could we wait until the next rate case. We wanted regulators in the field to see what we were doing well and what we weren’t doing well. This was necessary to help us build support for needed investment and mitigate risk to our customers.

Janaize: Before the San Bruno incident (a 30-inch natural gas pipeline explosion in 2010), we had 10-12 enterprise risks in our enterprise risk management system.

Risk management improved in the aftermath of San Bruno. We created risk registries specific to our lines of business where we evaluated what could go wrong, how frequently and how bad things could be if they did. We held risk workshops and integrated the results into business planning. We are now working to quantify our risks to enable data-driven, risk-based decision-making using metrics and models.

Diana: We revamped our enterprise risk function four years ago with a goal of adding formality and structure. Our executives directed us to build a program closer to operations, as they believed this would make it a more effective risk function.

First, we gathered energy risk experts and quantitative analysts and tried to teach them operations; but that didn’t work very well. Then we tried the opposite — we gathered operations people and taught them risk management. That was much more successful. Not only were they able to intuitively grasp the concept of risk, they had credibility and connections within operations.

Our philosophy is to have a rotational program. We have a core staff with risk management knowledge, but we also have an operational risk function where we rotate through folks with experience throughout the organization. After spending time in our organization, employees return to their positions to evangelize and translate risk into their day-to-day decision-making.

Grant: Regulators are driving some risk initiatives while others are driven by boards of directors. Can you share how governance over risk has been structured?

Janaize: Our management, our board and our regulators are driving risk management at PG&E. We have people in the business to identify and manage risks, and in 2011 we established a robust governance structure to oversee the work. In 2013, we integrated risk into PG&E’s planning process.

Line-of-business risk managers meet every month to discuss risk and compliance management activities and prepare materials for the board’s annual deep dive review of each designated enterprise risk.

California’s Risk Assessment Mitigation Phase (RAMP) proceeding was a tremendous development that requires large utilities to use probabilistic risk modeling techniques to better understand their risks and the underlying drivers of those risks. Work on the RAMP proceeding led us to some greater insights about where else we should be focusing our mitigation spending. For example, in looking at our electric public safety risk, we viewed data on contacts with conductors, specifically the incidents that caused fatalities, and we noticed that contact with intact conductors was leading to more serious safety impacts than wires-down events.

RAMP also required an in-depth alternatives analysis and the calculation of risk spend efficiency to determine the risk reduction value per dollar spent.

Diana: We have an annual process for evaluating risk within a business unit where we present risks for consensus. These get rolled up to Sempra Energy’s board of directors. In this sense, it’s a bottoms-up approach to risk. However, it is also top-down, because we then take the top enterprise risks and make them the focus for management.

Phil: Corporate boards certainly want risk information presented to them. Some issues don’t get brought to the forefront until there’s an incident. However, the trend today is that corporate boards are trying to get ahead of potential incidents.

Audience Member: How do you deal with the human element as risk programs mature? How do you help people deal with doing something that they’ve done for years but didn’t know was wrong?

Diana: For us, it was a cultural journey. When we first started, senior leadership said they were on top of risks, mostly because risk was perceived as a sign of mismanagement. We had to make risk ok to be talked about. This broke down silos because we all recognized risk as an inherent part of our business.

Janaize: It’s a matter of improving the data and potentially making a different decision. And it’s ok to say that we know more now than we did then.

Phil: For us, it was about empowering people to make decisions. For example, we had an employee shut down a facility because they thought a piece of equipment was at risk. It turns out that everything was fine and the facility didn’t need to be shut down. Nevertheless, we acknowledged that individual…not because they were right, but because they were aware and proactive about risk.

Grant: Who owns the risk in your organization?

Phil: The business owns the risk — not the chief risk officer. Compliance and risk groups challenge the business and develop a risk profile, but the business units are ultimately accountable for managing risk in their respective areas.

Audience Member: How much have capital budgets been impacted by risk planning?

Phil: We’re good at identifying and addressing operational risks, but not yet as good at using regulatory and other risk factors to inform our operational budgets.

Grant: When it comes to risk tolerance, there are three entities at play — the utilities, the intervenors and the regulators. Who sets the risk tolerance?

Diana: The California proceeding called S-MAP attempts to address what California utility risk tolerance is. We don’t set the risk tolerance alone; it’s set by all three parties (utility, regulator and intervenors).

Janaize: We’re at the point where we’re now beginning to model our operational risks. This begins to facilitate a conversation on risk tolerance as you can use the models to roughly estimate the impacts of various mitigation options for various levels of spend.

Phil: Right now, we are collaborating with our regulators and other stakeholders to address operational risk through targeted investments. Yet we don’t have a blank check, so we own the risk tolerance in that sense.

Grant: How do you deal with litigation?

Diana: We work closely with our internal lawyers. Much of our risk work is done at the direction of counsel. We have templates for consistent documentation, and endeavor to ensure that we aren’t overstating or understating risk. We drive for transparency and we try to educate regulators on that.

Janaize: We’ve taken the approach that it’s better to identify our risks and do our best to mitigate them. To do that, you need to be able to have a concrete discussion about what they are and how they are currently being managed.

Phil: We have a cultural shift to transparency that lawyers need to get comfortable with. We state risks, and we put them on paper. Lawyers traditionally get scared that writing about risk might be misconstrued by the public — but more transparency is necessary for building consensus around the need for investment and risk mitigation.

Audience Member: Are commissions getting more restrictive on capital and O&M budgets?

Phil: Utilities used to agree to a rate plan and then direct the spend afterward based on business need. Reporting requirements are now very restrictive. They can challenge your ability to manage the ebbs and flows of business.

Diana: At one point in our regulatory pursuit, there seemed to be a concept that regulators thought they could make an algorithm in S-MAP to guide budgeting. However, they’re realizing it’s not as feasible as they originally thought. By the time you get the money, the risks are five years old. Risks are dynamic and we need to run the business with that in mind.

Janaize: Quantification helps. It provides a level of transparency into decision-making that we’ve never had before. Additionally, the risk accountability reporting provides insight into the utility’s activities to mitigate risk, including work that may be different from what was originally proposed.

As evidenced by the robust discussion held by leaders from three of our continent’s largest utilities, risk is a pressing topic that has gripped the attention of regulators, intervenors and utility executives alike. These entities depend on one another to adequately address the factors at play, including safety, budget, governance and risk tolerance. Collaborative discussions such as these will guide our utilities as we navigate the dynamics of risk in our industry today.