by Dave Thompson and Len Rubin
For energy companies, the world of enterprise risk management (ERM) is about to change dramatically. In the past few years, most energy companies implemented some elements of ERM, focusing primarily on selected key risks of the business. Now, however, with Standard & Poor’s announcement of its intention to adapt its policies, infrastructure and methodologies (PIM) framework to its review of energy and utility companies, ERM will shift from a narrowly focused concept to an enterprise-wide process that can have an immediate impact on a company’s credit rating.
Standard & Poor’s uses PIM in the financial services industry to determine if a company under review has the right mechanisms in place to continually identify and address risks. Given the volatility of the energy industry over the past several years, it is little wonder S&P has decided to apply PIM to energy companies.
Policies, Infrastructure and Methodology
PIM focuses on three key aspects of risk management: policies (company strategy, risk tolerance and reporting); infrastructure (people, skills, processes, data and technology); and methodology (measures of risk like value-at-risk (VaR) and analytic approaches).
Does a company have the policies in place to clearly understand and manage risk? S&P will favorably view companies that clearly define their risk tolerance, demonstrate alignment on risk tolerance throughout the organization from the board of directors on down, map their business strategies with their risk profile and have specific strategies in place to address risks. Overall, S&P will want to see a consistency between a company’s risk policies and objectives and its external risk statements to the investment community.
Can a company execute its risk policies? Key areas for review will be processes, policies, data, tools and the company culture in place for managing risk. Companies will need to demonstrate effectiveness across a broad range of areas, including the organizational structure, with proper separation between organizations to create checks and balances, existence of controls, use of data validation processes and effective communications of risk assessments and analysis.
Has a company selected the right risk metrics? Are these metrics calculated correctly? Are they used properly to make decisions and support control processes? It is clear S&P will be driving further into the details of a company’s risk analyses and challenging the metrics, based on evolving industry best practices. Considering its liquidity analysis, it’s not hard to imagine S&P asking for analyses of metrics tied to the PIM framework, such as calculations of capital adequacy.
S&P has been working with various energy industry groups to tailor PIM to the energy industry. Full rollout of PIM is expected in early 2007. According to S&P, “In the past, assessing the risk management practices was done at a more general or aggregate level. Now, we’re getting more specific and going deeper into certain aspects so as to get a firmer understanding of the robustness of an institution’s risk management practices.”
S&P does not plan to issue a stand-alone rating for PIM, but rather factor the assessment into the overall credit rating. “If we find that an institution is significantly weak in certain attributes, then it definitely would have an impact on the overall credit score … that could lead to a downgrade or [make] an upgrade less likely.”
Preparing for PIM
There are some steps companies can take to prepare for the wide-ranging focus of PIM.
Determine your risk tolerance. Most organizations, particularly those with low-risk hedging and trading profiles, have a challenging job ahead to define and quantify their risk tolerance. For investor-owned companies, risk tolerance can be understood from the perspective of the debt and equity holders who are ultimately concerned about cash flow. Risk tolerance, therefore, is best described as the degree of willingness by these stakeholders to accept fluctuations in near-term and long-term cash flow.
While this concept is easy to theorize, it is quite difficult to develop in practice. Companies often start with a qualitative approach. Typically, the management team identifies key risks of the business as part of the annual planning process, and these risks can then be discussed in terms of a relative risk spectrum, capturing the characteristics of both high and low tolerances for each risk. (See Figure 1.)
This qualitative discussion can then be used to help inform strategic decisions as well as identify areas of concern from a risk perspective. It’s straightforward and an excellent vehicle for communicating risks throughout the company (including the board), thereby addressing a number of the PIM requirements. While effective as a first step, this qualitative approach needs to be supplemented with a systematic quantification of risks in order to fully address the PIM methodology requirements for defining risk tolerance.
Systematically quantify risk. While most companies have developed a list of risks, typically captured in a “risk dictionary,” quantification has been a challenge. Risk quantification has generally been limited to the area of power supply/trading, where measures such as value-at-risk (VaR) are the norm. While VaR-type analyses are important in capturing variability in the trading business, two critical elements of quantification are missing: one, translating these VaR analyses into corporate financials, and two, capturing the rest of the company’s risks in a comprehensive risk measure, such as earnings-at-risk (EaR) or cash-flow-at-risk (CFaR).
For example, risks surrounding growth, major capital project expenditure timing, interest rates, weather, etc., are all important and need to be quantified in order to understand the company’s full risk profile. Quantifying these risks in a meaningful way means translating them directly into financial model inputs, developing probability distributions around each risk and using the proper simulation techniques (e.g., Monte Carlo) to create meaningful and actionable risk analyses.
Once captured in a financial model, key risk measures can be calculated across a wide range of potential future scenarios and strategies to provide a quantitative understanding of the company’s risk tolerance.
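The quantification steps described above, as an added example that is not part of the original article: each risk gets a probability distribution, feeds a toy financial model, and a Monte Carlo run yields cash-flow-at-risk (CFaR) to compare with a stated tolerance. Every distribution, sensitivity and dollar figure is a constructed assumption.

```python
import random

# Constructed inputs: all figures are hypothetical, in $ millions per year.
BASE_CASH_FLOW = 500.0       # planned annual cash flow
WEATHER_SENSITIVITY = 30.0   # margin change per 1-sigma weather deviation
LOAD_MARGIN = 800.0          # margin change per unit of load-growth deviation
FLOATING_DEBT = 2000.0       # debt exposed to interest-rate moves
CAPEX_SLIP_COST = 60.0       # cash pulled into the year if a project slips
CAPEX_SLIP_PROB = 0.25       # chance that the slip happens

def simulate_cash_flow(rng):
    """One scenario: draw each risk driver, then translate it into cash flow."""
    weather = rng.gauss(0.0, 1.0)               # standardized weather deviation
    growth = rng.triangular(-0.01, 0.03, 0.01)  # load growth (low, high, mode)
    rate_shift = rng.gauss(0.0, 0.0075)         # change in borrowing rate
    capex_slip = rng.random() < CAPEX_SLIP_PROB # capital project timing risk
    cash = BASE_CASH_FLOW
    cash += WEATHER_SENSITIVITY * weather
    cash += LOAD_MARGIN * growth
    cash -= FLOATING_DEBT * rate_shift
    if capex_slip:
        cash -= CAPEX_SLIP_COST
    return cash

def cash_flow_at_risk(n_trials=20000, confidence=0.95, seed=7):
    """Return (expected cash flow, tail cash flow, CFaR) at the confidence level.

    CFaR here is the gap between the expected outcome and the outcome that
    is undershot in only (1 - confidence) of the simulated scenarios.
    """
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    outcomes = sorted(simulate_cash_flow(rng) for _ in range(n_trials))
    expected = sum(outcomes) / n_trials
    tail = outcomes[int((1.0 - confidence) * n_trials)]
    return expected, tail, expected - tail

def within_tolerance(cfar, tolerance):
    """Compare the simulated CFaR with the stakeholders' stated tolerance."""
    return cfar <= tolerance

if __name__ == "__main__":
    expected, tail, cfar = cash_flow_at_risk()
    print(f"expected={expected:.1f} tail(5%)={tail:.1f} CFaR={cfar:.1f}")
    print("within a 100M tolerance:", within_tolerance(cfar, 100.0))
```

The capital-project slip makes the outcome distribution left-skewed, which a single-risk VaR figure for the trading book would not show.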
Create an effective ERM process. Designing and implementing an effective ERM process has been a challenge for most companies. In fact, it appears the effort to fully embed ERM within a company requires tackling the problem from two challenging perspectives.
First, the basics of ERM need to be established. Specifically, this means having the right people, procedures, tools and data in place for risk identification, risk screening and analysis, risk management strategy development, risk management strategy execution, risk monitoring and risk reporting. For example, organizational clarity is needed.
Who should be responsible for monitoring the marketplace to identify new risks and spot changes in existing risks (e.g., economic news, coal rail issues and legislative initiatives)? Should this accountability be centralized or shared with the business units? Who is responsible for developing risk management strategies? Which risks require an enterprise-wide, integrated approach and which risks require an individual department approach?
Data integration is needed to capture information spread out across multiple business units, multiple departments and multiple systems. Effective reporting is needed to monitor the effectiveness of risk management strategies in a timely manner, supporting changes in strategy as appropriate.
Second, effective risk management requires embedding risk concepts into key management processes, including strategic planning, resource allocation and capital project evaluation. One way is to incorporate risk into the annual budget process to understand the likelihood of making or exceeding the budget. Another way is incorporating risk concepts into capital budgeting to understand the likelihood of achieving returns on invested capital. Embedding risk into these basic management processes is proving to be an effective way to create the ERM environment.
S&P’s adoption of a systematic approach to evaluate risk management should come as no surprise to an industry that has seen its risk profile change dramatically several times over the past decade. It is likely other rating agencies will follow suit, ushering in a new era of rating agency evaluations and enterprise risk management.
Len Rubin is a founding partner of MCR Performance Solutions. Dave Thompson leads the planning and enterprise risk management practice at MCR as vice president, with more than 12 years of experience in the performance management, strategic planning and portfolio risk management areas, working with generation, trading and energy services business units. Contact Dave Thompson at email@example.com.