Enterprise Risk Management Program … Risk Management...Enterprise Risk Management Program...
Transcript of Enterprise Risk Management Program … Risk Management...Enterprise Risk Management Program...
Enterprise Risk Management Program Development Update
Finance & Audit Committee Meeting September 25, 2015
Enterprise Risk Management Presentation Topics
Enterprise Risk Management (“ERM”) Overview
Lead Roles - LIPA/PSEG-LI ERM Process
Status of the 2015 ERM Cycle
Summary of Results of the 2015 ERM Cycle
Key Risks Comparison to Others in Utility Sector
Internal Audit/Review
ERM Cycle Areas of Improvement - Next Steps
Finance & Audit (“F&A”) Committee – Next Steps
2
ERM Overview
ERM Overview Enterprise Risk Management (“ERM”) increases risk awareness, ensures the
appropriate management of risks, and provides transparency.
Encourages a comprehensive perspective of risks by assessing existing risk and mitigation efforts at both LIPA and PSEG-LI.
Aligns Management’s efforts to prevent risk events from occurring or mitigating risk events when they are unavoidable or outside LIPA’s control.
Formally identifies a “Key Risk Owner” for each high risk area. Key Risk Owner responsibilities include: – Monitoring of mitigation efforts impacting their risks
– Reporting on risks and mitigation efforts on a regular basis
Fulfills key recommendations from the Northstar Operations Audit Report (Chapter 7 – ”Enterprise Risk Management and Strategic Planning”) dated September 13, 2013.
3
Lead Roles - LIPA/PSEG-LI ERM Process ERMC T. Falcone (Chairman), B. Chu, C. Horowitz, K. Kane, J. Little, M. Simione; and J. Bell (legal advisor to ERMC)
Adopt ERM Procedures Manual, update as needed Review and approve ERM Program Timeline (Appendix Pg. 19)
Determine the ERA working group Interview: F&A Committee members, LIPA & PSEG-LI Officers, Directors and Managers
Determine appropriate owners for each Key Risk/Key Risk Category Approve appropriateness of risk mitigation:
Completeness of documentation articulating risk mitigating activities/processes
Determine tolerance or comfort with existing amount / level of risk mitigation
Ensure ERM process is compliant with Board approved Policy Work with Internal Audit Department, conduct assessment of overall
effectiveness of ERM program, and identify areas for enhancement
4
Lead Roles - LIPA/PSEG-LI ERM Process
5
Director of Risk Management C. Horowitz
Initiate and lead ERA effort
Consolidate ERA results, mapping of ERA to Risk Framework*
Develop and lead Risk Prioritization process to rank Risks
Catalog Key Risk Mitigation Activities assigned by Risk Owners
Review Risk Mitigation Activities with Risk Owners and address potential concerns
Continuously monitor risk, including regular touch points with Risk Owners
Provide ERMC with regular Risk Mitigation status updates
Draft and present regular updates for the F&A Committee (no less than annually)
*Identifies list of Environment Risks, Process Risks and Information for Decision-Making Risks - approximately 85 Risk components (Appendix Pg. 18)
Status of the 2015 ERM Cycle
6
Protiviti retained by LIPA to assist with: Development of LIPA ERM Framework [Completed]
Board Policy [Approved August 6th, 2015]
Delegates responsibilities to LIPA’s ERMC and Staff
Facilitate initial LIPA/PSEG-LI ERM Cycle [Completed]
Enterprise-wide Risk Assessment (“ERA”) activities
Risk Mitigation Worksheets (“RMW”)
Draft LIPA’s internal Policies, Procedures and Controls Manual for ERM [Near Completion]
Details ERA and ERM Process
ERM Process Timeline
Monitoring Process [In Development]
Summary of Results of the 2015 ERM Cycle
7
Following the 2015 ERA, LIPA identified the following Key Risk Categories to the organization, which will be monitored continuously:
NOTE: The above are potential risk events which are deemed to be key to monitor and take mitigating action on, and should not be interpreted as expected events, nor as events which have already occurred.
Outsource & Partnership Relationship
Concerns
Personnel & Human
Resources Concerns
Understanding & Delivering on
Customer Expectations
and Needs Rate Case and Success of Financial
Policy
Cyber Security
External Influences &
Interests
Summary of Results of the 2015 ERM Cycle
8
Description: LIPA and its external service providers need to perform at best-in-class levels to deliver on LIPA's mission, goals & objectives, and improve customer perception of the Long Island electric utility.
Risk Mitigation Activities: Maintain continuous oversight functions; participate in monthly PSEG-LI Scorecard Reporting meetings and PSEG-LI Monthly Management Board Review meetings; prepare audit universe as part of LIPA’s 2016 oversight activities plan.
Outsource & Partnership Relationship
Concerns
Personnel & Human
Resources Concerns
Understanding & Delivering on
Customer Expectations
and Needs
Following the 2015 ERA, LIPA has identified the following Key Risk Categories to the organization:
Description: Success of LIPA, particularly in its OSA oversight role, requires attracting and retaining qualified staff.
Risk Mitigation Activities: Create interim succession plan; implement utility industry training requirements and include as part of all employees’ 2016 performance evaluation goals; establish employee development program for continuous improvement; institute a competitive compensation program in 2016 to attract and retain qualified workforce.
Description: Customers’ desires for higher reliability and/or expanded distributed energy resources must align with the required infrastructure changes and costs. Improved emergency response an important customer requirement.
Risk Mitigation Activities: LIPA and DPS annual review of the Emergency Response Plan (ERP) and contingencies; review of PSEG-LI reliability metrics, storm response and capital budgeting and capital development.
Summary of Results of the 2015 ERM Cycle
9
Following the 2015 ERA, LIPA has identified the following Key Risk Categories to the organization:
External Influences &
Interests
Cyber Security
Rate Case and Success of Financial
Policy
Description: Relationships with key stakeholders are important in order for the organization to efficiently conduct business.
Risk Mitigation Activities: Oversight of PSEG-LI Public Relations programs; increase LIPA engagement with public stakeholders; implement focused Public Relations program and public hearings.
Description: Properly secure key IT systems from outside attack or interference.
Risk Mitigation Activities: Cyber security audit; NERC CIP-5 rule compliance of PSEG-LI control systems and data networks; User Access process technologies, and-LIPA and PSEG-LI review of cyber security insurance products.
Description: Rate case includes LIPA’s financial policy goals, which include improved credit ratings and achieving key financial ratios to reduce the cost of electric service for customers over time.
Risk Mitigation Activities: Rate plan filing included sound financial plan; communication with financial community; improved access to financial and operating data.
Summary of Results of the 2015 ERM Cycle
10
Following the 2015 ERA, PSEG-LI has identified the following Key Risk Categories to focus on, which will be monitored continuously by both organizations:
NOTE: The above are potential risk events which are deemed to be key to monitor and take mitigating action on, and should not be interpreted as expected events, nor as events which have already occurred.
Managing the Utility in Compliance
with the OSA
Personnel & Human
Resources Concerns
Understanding & Delivering on
Customer Expectations
and Needs Outcome of
the Rate Case
Cyber Security
Regulations, External
Influences & Interests
Summary of Results of the 2015 ERM Cycle
11
Following the 2015 ERA, PSEG-LI has identified the following Key Risk Categories:
Managing the Utility in Compliance
with the OSA
Personnel & Human
Resources Concerns
Understanding & Delivering on
Customer Expectations
and Needs
Description: The OSA must fairly and completely measure PSEG-LI’s performance. OSA metrics and goals may not remain relevant throughout contract term.
Risk Mitigation Activities: On-going monitoring of performance metrics to ensure compliance with the OSA; periodic review of metrics to assure relevance.
Description: Success of organization requires ability to attract and retain qualified driven staff.
Risk Mitigation Activities: Leadership Risk Management; employee training and development; employment branding.
Description: Customer’s desires for improved reliability and increased renewable energy technologies must align with the required infrastructure changes and costs. Improved emergency response an important customer requirement.
Risk Mitigation Activities: Customer communication; customer satisfaction initiatives; review of the monthly Scorecard Report and key operating metrics.
Summary of Results of the 2015 ERM Cycle
12
Following the 2015 ERA, PSEG-LI has identified the following Key Risk Categories:
Regulations, External
Influences & Interests
Cyber Security
Outcome of the Rate
Case
Description: Relationships with all key stakeholders are important in order for the organization to efficiently conduct business.
Risk Mitigation Activities: Strategic staffing; increase engagement with planning committees for project development; focused Public Relations program geared towards community outreach.
Description: Key IT systems may be susceptible to outside attack or interference. Systems may include business systems with non-public information or operations systems that would interfere with substations, power generation or T&D infrastructure.
Risk Mitigation Activities: Compliance with NERC Cybersecurity Standards; User Access processes and technology.
Description: The rate case may affect PSEG-LI’s ability to achieve its goals required under the OSA and LIPA Reform Act.
Risk Mitigation Activities: Daily rate case calls and activities; monthly Management Review Board meetings, monthly Scorecard Report meetings; 2016 O&M budget submittal.
Key Risks Comparison to Others in Utility Sector
13
Executive Perspectives on Top Risks for 2015*
Key Issues Being Discussed in the Boardroom and C-Suite
Energy and Utilities
Regulatory changes and heightened regulatory scrutiny
Economic conditions in markets we currently serve
Cybersecurity threats
Resistance to change
Succession challenges and ability to attract and retain top talent
LIPA has identified many of these risks for 2015 * Research Conducted by North Carolina State University’s ERM Initiative and Protiviti
Internal Audit/Review
Internal Audit’s Role:
Assess the appropriateness of the ERM Program Policies, Procedures and Controls Manual established by the ERMC
Determine the effectiveness of the processes used by LIPA and PSEG-LI to identify Key Risks and Emerging Risks
Perform an appraisal of the ERM processes in place at LIPA and PSEG-LI to measure, monitor, manage and mitigate Key Risks
Report observations to the F&A Committee no less than annually
14
ERM Cycle Areas of Improvement - Next Steps Next Steps for ERM Process Improvement: Continue documenting existing Risk Mitigation efforts taken by LIPA and PSEG-LI
Develop greater participation and communications across entire staff at LIPA and PSEG-LI throughout ERM process
Implement continuous Risk Management-Risk Owner feedback mechanism:
Has Key Risk occurred? If so, was Mitigation Activity effective to minimize impact within desired risk tolerance
Is there any new Emerging Risks that require ERMC or Senior Management’s immediate attention?
Reach out to other Municipal entities to gain insights into other ERM programs Benchmark LIPA’s ERM Program
Monitoring and Reporting Move from manual process to automated process by implementing ERM monitoring
software
Review reporting documentation needs and frequency across various levels of management up to and including the Board
15
Finance & Audit Committee - Next Steps
Next Steps for F&A Committee ERM Review: LIPA Staff to reflect 2015 ERM cycle results in 2016 Goals and
Operating Budgets
LIPA Staff to continually monitor Key Risks and/or Emerging Risks and periodically report back to the F&A Committee
Internal Audit will schedule a review of the ERM process and report observations to the F&A Committee
ERMC to meet with the F&A Committee during the 1st Quarter of 2016 prior to the kick-off of the 2016 ERM cycle
16
ERM Risk Framework
18
Customer Wants
Technological Innovation
Stakeholder Expectations
Capital Availability
Legal Environment
Regulatory
Environment
Financial Markets
Catastrophic Loss
Asset Location/ Community Concerns
External Influence &
Interests
FINANCIAL
Price Interest Rate Commodity
Basis Volatility
Liquidity Cash Flow
Concentration Commodity
Volatility
Credit Default
Concentration Settlement
Rating
EMPOWERMENT Leadership
Authority/Limit Outsourcing Performance
Incentives Change Readiness Communications
INFORMATION TECHNOLOGY
Integrity Access
Availability Infrastructure
Cyber Security
GOVERNANCE Organizational Culture
Ethical Behavior Board Effectiveness Succession Planning
Compliance
REPUTATION Image and Branding
Stakeholder Relations
INTEGRITY Management Fraud
Employee Fraud Third-Party Fraud
Illegal Acts Unauthorized Use
OPERATIONS Compliance
Business Interruption Service Failure Environmental
Health and Safety Transition
Performance Gap Cycle Time
Supply Chain Physical Asset
Reliability Rate Case
Customer Satisfaction Human Resources Knowledge Capital
Efficiency Capacity
Partnering
STRATEGIC Environmental Scan
Business Model Regulator Model
Business Portfolio Organizational Structure Measurement (Strategic)
Resource Allocation Planning Life Cycle
PUBLIC REPORTING Financial Reporting Evaluation
Internal Control Evaluation Executive Certification
Pension Fund Regulatory Reporting
OPERATIONAL Budgets and Planning
Service Pricing Contract Commitment
Measurement (Operations) Alignment
Accounting Information
ERM Program Timeline
19
ERM Activity: Responsible Party:
Review / Revise Risk Framework ERMC
Kick-off annual ERM effort at first F&A Committee
Meeting; Summarize Prior Year Results
DRM; F&A
Committee
Risk Owners to Complete Questionnaire;
Follow-up Meetings (as needed) Management; DRM
Risk Consolidation / Mapping ERMC
Develop Risk Prioritization Meeting
Presentation(s) DRM
Risk Prioritization Voting Session(s) Management; DRM
Analyze Prioritization;
Identify Key Risks / Categories ERMC
Identify Risk Owners;
Prepare Risk Mitigation Worksheets Management; ERMC
Risk Owners to Document Existing Risk
Mitigation Processes Risk Owners
Assess Existing Mitigation Efforts;
Identify Gap Remediation ERMC; Risk Owners
Identify Budgetary Requirements for New Risk
Mitigation, and include in budget for next year Risk Owners
Present ERA Results to F&A Committee DRM; F&A
Committee
Continued Monitoring of Risk Mitigation from Prior
Year ERM DRM; Risk Owners
Implementation of New Risk Mitigation (If no
budget required; e.g., process improvement) DRM; Risk Owners
Implementation of New Risk Mitigation
(If incremental budget required) DRM; Risk Owners
Routine Review of Risk Mitigation;
Internal Audit Review of Key Processes
ERMC; Risk Owners;
IA
Present Update on Risk Mitigation and Monitoring to
F&A Committee
DRM; F&A
Committee
Routine Communication between Risk Owners, ERMC, others DRM, Risk Owners
January February March April May November December June July August September October
Newly Developed ERM Policy
20
Core Provisions of the Enterprise Risk Management Policy: Mandates an annual effort to identify significant risks to achieving the mission, goals and
objectives of the Authority, including those which are: – Known to already exist – Emerging risks which may be faced in the future – Risks which affect LIPA’s service provider’s performance and fulfilment of contractual obligations
Incorporates a process for documenting existing risk mitigation for the most significant risks, and identifying if additional risk mitigation activities should be developed
New risk mitigation development will be tied to the Authority’s existing budget development process, so that if any additional risk mitigation is required, it can be appropriately budgeted and provided for
The most significant risks, and their corresponding mitigation efforts shall be continuously monitored (year-round) for effectiveness of mitigation and to identify any changes to known risks
Policy requires regular reports on risk and risk mitigation to the F&A Committee
Risk Mitigation Monitoring Dashboard [ In Development ]
21
Category # Risk CategoryTotal # of Risk
Mitigation Tasks
Tasks Deemed to be Sufficiently Mitigating
Risk
Mitigation Task with Room for Improvement
Task not Yet Assessed
1Outsource & Partnership
Relationship Concerns0 0 0 0
2Personnel & Human Resources Concerns
0 0 0 0
3Understanding &
Delivering on Customer Expectations and Needs
0 0 0 0
4External Influences &
Interests0 0 0 0
5 Cyber Security 0 0 0 0
6Rate Case and Success of
Financial Policy0 0 0 0
TOTALS 0 0 0 0
Risk Mitigation MonitoringLIPA