So what exactly is risk management? Conventional wisdom in the utility industry has focused upon energy trading and insurance policy. However, with an increasingly more complex operating environment and accelerated industry change, utility companies are quickly realizing the interconnectedness of their risks and are therefore shifting towards a more holistic approach: adopting an enterprise risk management (ERM) model.
ERM seeks to achieve an organization’s larger goals and gain a strategic advantage by assessing all of its potential risks and managing them as a risk portfolio rather than as individual silos. The process examines the direct and indirect impacts of risks cross-functionally. Accordingly, it serves to reveal both threats and opportunities. This approach can present hurdles since it requires a systemic change in thinking, management, and structure, but when properly implemented it can produce great benefits.
Integrating Public Safety
We’ve long advocated an enterprise-wide approach to public safety program management. By integrating public safety programs across the organization, a company reaps more reward and achieves greater value (See The Strategic Advantage and The Culver Model).
Public safety programs are key components of the risk management portfolio. It’s clear that risk management—at both the program level and the portfolio level—require enterprise-wide involvement and visibility. This integration is only possible by design, a process preceded by assessment and planning.
Ensuring Performance at Every Level
To help assess risk, many utilities have adopted the widely-accepted principles contained in the Enterprise Risk Management Integrated Framework published by the Committee of Sponsoring Organizations (COSO) in 2004. Alternatively, the International Organization for Standardization’s ISO 31000 Risk Management Principles and Guidelines offer a similar framework.
Both COSO and ISO 31000 provide a structure for risk assessment, with the goal of minimizing risks and optimizing opportunity in efforts to create more value. The obvious core principle of each ERM framework is that risk management must be performed at every work level. It must permeate the organization.
From a public safety program stance, we generally refer to this as creating a culture of prevention in the organization—and we consider it central to success. Our research shows that public safety programs developed and implemented in concert with stakeholders from across the organization achieve optimal results and provide greater benefits to the organization.
Meeting Organizational Goals
Additionally, public safety programs, and overall risk management, must include enterprise-wide systems that provide these stakeholders with the information they require at their level in order for them to meet key performance indicators, achieve organizational goals, and to add more value to the business. Therefore, like COSO, we use a methodical development process to ensure integration into the larger risk management portfolio and to align with corporate goals.
According to COSO, ERM must be:
- A process, ongoing and flowing through an entity
- Effected by people at every level of an organization
- Applied in a strategy setting
- Applied across the enterprise at every level and unit
- Designed to identify potential events
- Able to provide reasonable assurance
- Geared to the achievement of objectives
These tenets represent the ideal, and they take the vital step of setting the tone for a company. But, while a commitment to ERM must be communicated throughout the organization, it also must be implemented in practical terms and embedded at the program level by design. Top down support and communications are vital to the cause, but just saying it doesn’t make it so.
Making More than Just a Mandate
In a Harvard Business Review piece entitled “Managing Risks: A New Framework,” Robert Kaplan and Anette Mikes point out that there have been many public declarations and well-intended attempts by corporate leaders to make safety the number one focus of their organizations. Many of these cases have resulted in failure and even catastrophe.
Accordingly, Kaplan and Mikes cite the Deep Water Horizon oil rig disaster as a painful example. Despite British Petroleum CEO Tony Hayward’s safety proclamation and all of his efforts, the company experienced a failure to manage risk, resulting in the largest oil spill in U.S. waters.
Following the disaster, an investigative commission concluded that “management failures crippled the ability of individuals involved to identify the risks they faced and to properly evaluate, communicate, and address them.” In their Harvard Review piece, Kaplan and Mike stated, “Despite all the rhetoric and money invested in it, risk management is too often treated as a compliance issue that can be solved by drawing up lots of rules and making sure that all employees follow them.”
Thinking Beyond Compliance
Similar thinking still exists in the utility industry. All too often public safety, and the larger issue of risk management, is addressed mainly through compliance. It’s easy to understand why. In an industry steeped in regulation, it’s very easy to fall back on historic practices and misplace your confidence in compliance.
In and of itself, compliance is a good thing, but it’s not designed to connect the dots nor drive a holistic approach towards safety or risk management. Furthermore, risk management has typically focused on loss and an effort to simply mitigate it. Certainly alleviating losses or recovering costs are important, but what about preventing the loss altogether? (See How to Win at Public Safety – A culture of prevention versus a culture of loss). This requires a systemic change and a realization of the benefits and opportunities presented by accident prevention.
Making a Paradigm Shift
Old ways of approaching safety and risk are inadequate and will not help utilities compete in the changing business environment. As one industry risk management firm points out, “the [top] challenges to ERM for utilities include a broader spectrum of risk such as new regulations and company reputation, organizational silos and outdated information systems, cost reduction and the alignment of ERM with overall business strategy, and avoiding the pitfalls of over emphasis on avoiding losses.”
Clearly, a proactive approach towards risk management that includes accident prevention is required. And, considering the internal obstacles that utility professionals must contend with, agents of change may come from outside the organization.
Researchers note that “there are individual and organizational challenges inherent in generating open productive discussions about managing risk and that these discussions must be anchored in strategy formation and implementation processes.” This is only possible by breaking down silos and moving towards an enterprise-wide effort. Many organizations have experienced success facilitated by outside experts and by programs that offer a new perspective. Isolated, inside thinking can prevent these conversations from progressing.
Behavioral research notes that individual and organizational biases can inhibit the ability to discuss risk and failure. Furthermore, “groupthink”—the desire for harmony or conformity—is prevalent in organizations and it often results in irrational or dysfunctional decision-making. Experts conclude that rather than mitigating risk, “firms actually incubate risk.” Further exacerbating this challenge is the fact that risk management focuses upon the negative—threats and failures—instead of the positive attitudes required to implement successful strategies. The challenge for management is to take a different view.
Evolving the Industry
Still, there is an active and evolving dialogue occurring in the industry that is identifying risks beyond traditional utility hazards and is seeking ways to address them on an enterprise level. For example, several years ago at the APPA National Conference, attendees ranging from utility company CEOs and CFOs to Risk Managers and Operational Staff participated in a session that identified risks within key business areas.
While not a scientific study, the session revealed a complex understanding of risks that might not have appeared on the radar a decade ago. What’s more, these risks could easily be viewed as both threats and opportunities—a real paradigm shift. Attendees identified such risk concerns as reputation, relations, trust, culture, customers, communications, rate-making, litigation, safety and safety management, and performance.
The APPA seminar is just one example of a shift in thinking that’s occurring as utilities attempt to identify risks more broadly, connect the dots, discover new ways to address them, and integrate their programs. Additionally, utilities are realizing the benefits of addressing risks and approaching public safety in a proactive, rather than reactive, manner. Benefits that include heightened customer satisfaction, enhanced regulatory outcomes, and an improved bottom line (as identified in J.D. Power studies and other research).
The challenge for utilities is to overcome their reliance upon the past by breaking down barriers within the organization, introducing the right outside experts that can help facilitate change and challenge internal “groupthink,” and incorporating programs and systems designed to span the organization and meet its objectives. It’s a tall order, but success of the enterprise depends on it.