Search in book...
Toggle Font Controls
Create new playlist

Name your new playlist

Playlist description (optional)
Sign In

Email address

Password

Forgot Password?

or

Continue with Facebook

Continue with Google
Sign Up

Full Name

Email address

Confirm Email Address

Password

or

Continue with Facebook

Continue with Google

CHAPTER 28
The Rise and Evolution of the Chief Risk Officer: Enterprise Risk Management at Hydro One

TOM AABO

Associate Professor, Aarhus School of Business (Denmark)

JOHN R.S. FRASER

Chief Risk Officer, Hydro One, Inc.

BETTY J. SIMKINS

Professor of Finance, Oklahoma State University

The Chinese symbols for risk shown here capture a key aspect of enterprise risk management. The first symbol represents “danger” and the second “opportunity.” Taken together, they suggest that risk is a strategic combination of vulnerability and opportunity. Viewed in this light, enterprise risk management represents a tool for managing risk in a way that enables the corporation to take advantage of value-enhancing opportunities. A missed strategic opportunity can result in a greater loss of (potential) value than an unfortunate incident or adverse change in prices or markets.

As in the past, many organizations continue to address risk in “silos,” with the management of insurance, foreign exchange risk, operational risk, credit risk, and commodity risks each conducted as narrowly focused and fragmented activities. Under the new enterprise risk management (ERM) approach, all would function as parts of an integrated, strategic, and enterprise-wide system.¹ And while risk management is coordinated with senior-level oversight, employees at all levels of the organization are encouraged to view risk management as an integral and ongoing part of their jobs.

Although there are theoretical arguments for corporate risk management,² the main drivers for the implementation of ERM systems have been studies such as the Joint Australian/New Zealand Standard for Risk Management, Committee of Sponsoring Organizations of the Treadway Commission (COSO) in the United States (in response to the control problems in the S&L industry), the Group of Thirty Report in the United States (following derivatives disasters in the early 1990s), CoCo (the Criteria of Control model developed by the Canadian Institute of Chartered Accountants), the Toronto Stock Exchange Dey Report in Canada following major bankruptcies, and the Cadbury report in the United Kingdom.³ In addition, large pension funds have become more vocal about the need for improved corporate governance, including risk management, and have stated their willingness to pay premiums for stocks of firms with strong independent board governance.⁴ These studies point out that boards of directors need to have a thorough understanding of the key risks in the organization and what is being done to manage such risks.

What’s more, security rating agencies such as Moody’s and Standard & Poor’s have recently begun to take account of ERM systems in their ratings methodology. As reported in a recent study by Moody’s:

Increasing numbers of companies are undertaking enterprise-level approaches to risk—a more encompassing and systematic review of potential risks and their mitigation than most companies have undertaken in the past. Business units are tasked with identifying risks and, where possible, quantifying and determining how to mitigate them. These assessments typically are rolled up to a corporate level, sometimes with direct input from the board or audit committee. These assessments have often been relatively broad, focusing on reputation, litigation, product development, and health and safety risks, rather than focusing solely on financial risks. Where we have seen these assessments implemented we have commented favorably, particularly when the board or the audit committee is actively involved.⁵

Given the overwhelming incentives and pressures to employ an enterprise-wide approach to risk management, we are surprised that more firms are not doing so. One deterrent is the scarcity of case studies describing successful implementations of ERM. A recent study by the Association of Financial Professionals noted that although most senior financial professionals see their activities evolving into a more strategic role, most also feel that more education and training are needed to meet these future challenges.⁶ The Joint Australian/New Zealand Standard for Risk Management provides the first practical prescription for implementation of ERM using generic examples. Some articles and reports provide examples and insights into the potential benefits of ERM, but most lack a useful framework and sufficient practical detail to guide other firms.⁷ One case study published in this journal in 2002 by Scott Harrington, Greg Niehaus, and Kenneth Risko describes how United Grain Growers combined protection against financial (such as currency and interest rate) risk and conventional insurance risk using an integrated risk management policy provided by Swiss Re.⁸ However, there is a crucial need for case studies that help firms to better understand the totality of risks faced—that is, a more holistic view of ERM—and not just those that are easier to quantify.⁹

Although there is no “one size fits all” approach to ERM, companies can benefit by following the best practices of successful firms. The purpose of this case study is to fill this gap in the literature by providing the process by which one firm, Hydro One Inc., has successfully implemented ERM. This firm is at the forefront of ERM, especially in the comprehensive management of risks faced. Risk managers from the World Bank, the Auditor General of Canada, Fluor Corporation, Toronto General Hospital/Universal Health Network, and other firms from various economic sectors have visited Hydro One in order to learn from its experiences.

This case study examines the implementation of ERM at Hydro One by describing the process the firm followed, beginning with the creation of the chief risk officer position (the rise of the CRO). We describe the steps of implementation, which started with a pilot study involving workshops conducted with one of the subsidiaries. The purpose of the pilot study was to determine if ERM should be deployed throughout the firm. We next analyze the ERM process and describe various tools and techniques such as the “Delphi” method, risk trends, risk maps, risk tolerances, risk profiles, and risk ranking as it relates to the capital expenditure process. Finally, we note that ERM has become such an integral part of the workplace that the corporate chief risk officer is now becoming a low-maintenance position (the evolution of the CRO) within the company.

HYDRO ONE

Hydro One Inc. is the largest electricity delivery company in Ontario, Canada, and one of the 10 largest such companies in North America. Its predecessor, Ontario Hydro, was founded nearly a century ago, principally to build transmission lines to supply municipal utilities with power generated at Niagara Falls. Hydro One came into being in 1999 after legislation divided Ontario Hydro’s delivery and generation functions into two separate companies. Hydro One today consists of three businesses—(1) transmission, (2) distribution, and (3) telecom. Its main business (contributing 99 percent of revenue) is the transportation of electricity through the high-voltage provincial grid and low-voltage distribution system to municipal utilities, large industrial customers, and 1.2 million end-use customers.

Hydro One has total revenues of CAD 4.1 billion,¹⁰ total assets of CAD 11.3 billion, and approximately 4,000 employees. Total equity is CAD 4.3 billion, or 38 percent of total assets, and all the shares are owned by the Ontario government. In 2001, the Ontario government announced its intention to proceed with an initial public offering (IPO). However, special interest groups successfully challenged the IPO in the Supreme Court of Ontario, and the prospectus was withdrawn. Long-term financing for Hydro One is provided by access to the debt markets, including a medium-term note program. Short-term liquidity is provided through a commercial paper program. The company’s long-term debt is rated A2 by Moody’s and A by Standard & Poor’s, and its commercial paper is rated Prime-1 and A-2.

GETTING STARTED WITH ERM

Enterprise risk management was established at Hydro One in 1999. As part of the firm’s spinoff from the previous Ontario Hydro, the management and board of Hydro One set high goals for being a best-practices organization with superior corporate governance and business conduct. Hydro One wanted to look at risks and opportunities in an integrated way that would lead to a better overall allocation of corporate resources. At the same time, the scheduled deregulation of the electricity markets posed a new external challenge that had to be addressed. Finally, the increased scrutiny on corporate governance called for a comprehensive risk management program.

Corporate Risk Management Group

At first, the attempts to implement ERM were led by external consultants, but no lasting benefits or transfer of knowledge appeared to result from those initiatives. Then, in late 1999, the head of internal audit, John Fraser (one of the authors of this article), was asked to take on the additional role of chief risk officer (CRO). The Corporate Risk Management Group was established consisting of the CRO (part-time) and two full-time professionals, one with a degree in industrial engineering and one with an MBA in process reengineering and organizational effectiveness. The group was given six months to prove its worth. If it failed to demonstrate its value during this period, the idea of implementing ERM would be abandoned and the Corporate Risk Management Group dissolved.

In early 2000, the Corporate Risk Management Group prepared two documents with the help of experienced consultants: (1) an ERM policy (Box 28.1) and (2) an ERM framework (Exhibit 28.1). The ERM policy set forth the governing principles and who was responsible for specific aspects of risk management activities, and the ERM framework set out the procedures for ERM in greater detail. The Corporate Risk Management Group took the ERM policy and ERM framework to the Executive Risk Committee for discussion and approval. The committee, which consisted of the CEO and the most senior executives, suggested that a pilot study be undertaken with one of the small subsidiaries before formal approval of the policy and framework was sought from the audit and finance committee of the board.

Pilot Study

With some consulting assistance, the Corporate Risk Management Group planned the first ERM workshop in the subsidiary. Using its own staff, the group executed the first ERM workshop in spring 2000.

The workshop followed a conventional format. Prior to the workshop, a list of some 80 potential risks or threats to the business was developed and e-mailed to the management team of the subsidiary. Each member of the team was asked to choose the 10 most critical risks facing the company—and based on these choices, a list of the top eight was prepared. Then, at the workshop, these eight risks were discussed one at a time and their relative importance voted upon by the management team. Voting was accomplished using the Delphi method,¹¹ which involves a combination of facilitated discussions and iterative anonymous voting technology designed to quickly identify and prioritize risks based on magnitude and probability and to evaluate the quality of controls.

The first vote on the perceived magnitude of a particular risk—with risk defined on a five-point scale: Minor, Moderate, Major, Severe, and Worst Case—often showed wide dispersion. In each case, the initial vote was followed by discussion of the definition of the particular risk, and of its causes and consequences. Depending on the dispersion of votes in the first voting session, the discussion could be long or short. A second vote was then taken; and until a clear alignment or a clearly defined cause of disagreement was established, this sequence of discussion and voting might be repeated (usually no more than three votes were needed in practice). Then, with the voting and prioritization of risks completed, preliminary action plans were discussed and managers identified as “Champions” with the responsibility of developing more concrete action plans.

132 — **Exhibit 28.1** Risk Management Process

The discussions proved to be valuable. Issues that managers had thought about but never openly discussed were addressed. Concerns about some risks were allayed and new risks were identified; but in any case there was the beginning of a common understanding of risks and of a corporate plan for prioritizing action and resources to manage such risks. Since this was a pilot study for the Corporate Risk Management Group, the participants were asked to evaluate the quality and benefits of each workshop. The programs received high ratings and the managers of the subsidiary requested a follow-up session to discuss and rank the next eight risks that had been identified.

Final Approval

Following the pilot study in the subsidiary, the Corporate Risk Management Group returned to the Executive Risk Committee for debriefing. The pilot study was considered a success, and the chief risk officer presented the ERM policy and the ERM framework to the audit and finance committee of the board for approval. In the summer of 2000, the audit and finance committee approved the documents, and a roadmap for implementing ERM at Hydro One was established.

PROCESSES AND TOOLS

The overall aim of Hydro One’s ERM framework (Exhibit 28.1) is not risk elimination or risk reduction per se, but rather attainment of an optimal balance between business risks and business returns.

The Business Context

The ERM Policy of Hydro One in Box 28.1 defines risk as follows:

The potential that an event, action, or inaction will threaten Hydro One’s ability to achieve its business objectives. Risk is described in terms of its likelihood of occurrence and potential impact or magnitude. Broad categories of risk in Hydro One include strategic, regulatory, financial, and operational risks.

Since risk is defined by its potential to threaten the achievement of business objectives, it is imperative to clearly state these objectives and how they contribute to Hydro One’s overall strategy. The Corporate Risk Management Group found that objectives were not always clearly articulated, and that the workshop process from the pilot study helped in achieving clarity of business objectives needed to achieve the corporate mission.

The same was true of risk tolerances. Risk tolerances are guidelines that establish levels of acceptable and unacceptable exposures to any given risk (Exhibit 28.2 shows risk tolerances for 3 categories of risk out of 16). Tolerances define the range of possible impacts (on a five-point scale from Minor to Worst Case) of specific risks on business objectives. Through the workshops, a common understanding was developed as to how to categorize impacts from a particular risk on the firm’s ability to accomplish key business objectives.¹²

As an example, Hydro One has a financial objective related to earnings stability—namely, to limit the risk of a major shortfall in net income and the associated possibility of financial distress costs. One source of the risk to net income is loss of competitiveness; another is the volatility of financial markets.

A second important corporate objective of Hydro One is maintaining its reputation and public profile. One potential source of reputational risk is pollution damage; another is inappropriate employment contracts. In this case, the magnitude of the risk is not measured in dollar terms, but in terms of the extent of public criticism both on a local as well as an international basis.

Although the ERM policy of Hydro One states that “risk management is everyone’s responsibility, from the Board of Directors to individual employees,” the risk facing a specific project or line of business will typically fall under the accountability of a primary risk “owner,” typically the project manager or the business’s CEO.

Identification and Assessment of Risks and Controls

The approach to risk identification depends on the depth and breadth of the activities under review and the extent to which these activities are “new” to Hydro One. As described above, however, the process typically involves the identification of 50 to 70 business risks, which are then narrowed down to the 10 most significant risks through interviews and focus groups. In assessing risks, the aim is to understand both the size of the potential losses as well as the associated probability of occurrence. In theory, the correct way to portray the estimated effect of a risk is to use a probability curve that reflects the potential outcomes and associated probabilities. But given the practical difficulties of “building” such a curve, Hydro One has instead chosen to focus on the “worst credible” outcome within a given time frame and its associated probability of occurrence. This has proven to be a practical and efficient way to focus on major risks while avoiding excessive detail and complex calculations.

For all risks deemed to be “major,” Hydro One defines the “worst credible” outcome as the greatest loss that can result in the event that certain key controls fail. (As so defined, worst credible outcomes differ both from “inherent magnitudes,” which assume that all controls fail or are absent, and “residual magnitudes,” which assume that all key controls are in place and functioning.) The probability of such outcomes is evaluated for a specific time frame, generally two to five years, though for special projects the period is as short as six or nine months. As shown in Exhibit 28.3, Hydro One uses a probability rating scale from “Remote” (a 5 percent probability that the event will occur in the stipulated time frame) to “Virtually Certain” (95 percent probability).

After the Corporate Risk Management Group has helped management estimate the “worst credible” outcome, the impact on various objectives, and the associated probabilities for each risk (by workshops and the Delphi method), the next step is to produce a “risk map” like the one presented in Exhibit 28.4. The bubbles in the figure represent the expected effect of the risk on a certain objective in terms of its estimated impact (reflected on the horizontal axis) and the estimated probability that the impact materializes (on the vertical axis). In the case of each risk, the estimated probabilities represent the relevant experts’ best guess that the “worst credible” outcome will materialize. Management also uses the risk map to track the historical development of particular risks and to project expected future developments.¹³

134 — **Exhibit 28.3** Probability Rating Scale

The size of the bubbles in the figure indicates the extent of management’s confidence in the effectiveness of the company’s controls and efforts to limit individual exposures. Control assessment involves the strength of existing organizations, processes, systems, and feedback loops that are in place to manage the risk. The company has developed a “control strength” model that is designed to complement its risk tolerances. For any given magnitude of risk (from Minor to Worst Case), there is a corresponding strength of control, with “1” representing few controls and “5” representing full prescriptive controls with executive oversight.

Tolerability of Risk—and Risk Mitigation

Once risks and controls are assessed, a rank-ordered list of “residual risks” is assembled. The risk owner (for example, the subsidiary CEO or the project manager) then determines the firm’s tolerance for each risk. Within the limits of the risk owner’s accountability, the risk owner decides either to accept the risk as is or to take (further) steps to mitigate it. If the risk owner accepts the risk as is, the risk is monitored and reviewed in the normal future course of risk management processes. If the risk owner decides to mitigate the risk, the process of risk mitigation is defined.

Risk owners thus have seven possible ways of dealing with significant risks:

Retain: Risk exposure is accepted as is without further mitigation, since the potential return is viewed as desirable and the downside exposure is not significant.
Retain, but change mitigation: A partially mitigated exposure is maintained, but a change in mitigation reduces the cost of control.
Increase: Risk exposure is increased, either because the potential return is viewed as desirable or the controls in place are not cost-effective.
Avoid: Risk exposure will be eliminated entirely (perhaps by withdrawal from a business area or ceasing the activity), since the potential return does not offset the downside exposure.
Reduce the likelihood: Risk exposure will be reduced cost-effectively through new or enhanced preventive controls.
Reduce the consequences: The impact of any risk that materializes will be reduced through emergency preparedness or crisis response.
Transfer: Risk exposure will be transferred to others (perhaps through an insurance policy or an outsourcing arrangement).

As can be seen from the list, risk mitigation is not necessarily the same as risk elimination or risk reduction. As previously mentioned, the purpose of strategic risk management at Hydro One is to balance business risks and business returns by taking into account the potential upside as well as the downside associated with a particular risk. Thus, a balancing act may involve an increase in risk. In practical terms, however, an increase in risk at Hydro One is most likely to be decided at the strategic level. Once the strategic plan is set, the primary focus is on limiting the downside risk of failure to achieve stated business objectives.

Monitor and Review

Risks do not remain static. The magnitude and probability of a certain risk is affected by internal controls (mitigation) as well as external changes in the environment. Monitoring and reporting are fundamental to effective management of business risks. Furthermore, risks may not always be categorized correctly in the first place. Risks are notoriously hard to predict, and assessing risks is to a large extent a matter of qualitative guesswork. As physicist Niels Bohr observed, “Prediction is very difficult, especially about the future.”

An example of changing risk tolerances is Hydro One’s decision to issue shares on the New York Stock Exchange. During the period leading up to the scheduled offering, one of management’s greatest fears was the possibility of an unfavorable news story in the international press. As things turned out, however, the IPO was shelved. Then, in October 2003, the company had an oil spill that overflowed into a small stream and received a lot of press in Ontario.¹⁴ When this got the attention of both the Ontario Government (Hydro One’s shareholder) and the company’s board of directors, the Corporate Risk Management Group quickly realized that their greatest reputational exposure was not to the international press, but to the local press and its power to inflame the sensitivities of Hydro One’s primary stakeholders. As a consequence, negative provincial press stories are now identified as a worst-case scenario—considerably worse than their international counterparts—and strong measures are taken to avoid them.

CORPORATE RISK PROFILE

The risk management process described in the previous section serves as the basic framework for managing risks at Hydro One. The framework can be used in the normal conduct of business or for new projects.

To aggregate the information from these processes in a form suitable for the senior management and board of directors, the Risk Management Group prepares a Corporate Risk Profile twice a year. Exhibit 28.5 provides an illustration of the risk profile using the same risk sources contained in the risk map in Exhibit 28.4.

The purpose of the Corporate Risk Profile is to ensure that the senior management team shares a common understanding of the principal risks facing the organization and to provide a basis for allocating resources to address risks based on their priority. The Corporate Risk Profile is based on structured interviews with the top 40 to 50 executives together with databases from other sources (such as annual business plans and workshops). The profile reflects the executives’ assessments of both previously identified risks and risks that may have been identified since the last profile in workshops, media scans, or other sources.

Description of Risk Sources

The June 2000 Corporate Risk Profile in Exhibit 28.5 shows the list of the top risks ranked as “Very High,” “High,” and “Medium.” As of June 2000, 11 key risks had been identified. The figure also shows how these risks were rated in the previous profile and the estimated trend. And as the changes and trends suggest, the Corporate Risk Profile is by no means a static document. New risks arise with legislation or new initiatives. The severity of some risks can be reduced by mitigation efforts or changes in external factors. And the estimated severity of some risks can also change because the risks (and the consequences of mitigation) are better understood.

136 — **Exhibit 28.5** Corporate Risk Profile

In addition to the major sources of risk and their trends, the Corporate Risk Profile also describes the corporate objectives that are likely to be most affected by such risks and the corporate controls being used to mitigate such risks. Below we describe each of the 11 major risks as evaluated in June 2000 and the corporate measures to manage such risks.

Growth: Hydro One has plans for significant growth through acquisitions of both existing and related businesses within and beyond Ontario. This is a major risk source because there are many substantial barriers to the achievement of the planned growth. Business development and financial results are the objectives most likely to be affected. The actions of the government (as owner) create the largest part of this risk because the degree of owner support for the acquisition strategy is not always clear and firm. Hydro One has limited experience in identifying, negotiating, and integrating significant acquisitions. The exposure to government actions is mitigated by senior management participation in government review processes and a proactive government relations function. Acquisition risks are mitigated by various means, including careful planning and analysis, staff skill development, and external advisors.
Regulatory uncertainty: The objectives of Hydro One are greatly influenced by the actions of regulators. The rules under which regulators operate will likely change as experience in the restructured industry is gained. Also, other stakeholder groups will influence regulatory decisions. The objectives most likely affected are financial results, legal/regulatory status, and reputation. Methods for mitigating this risk include increased and more effective interactions with the government and the Ontario Energy Board, increased priority and profile for regulatory matters within the company, and restoration of the company’s regulatory staff capability through the addition of senior regulatory staff.
Organizational readiness: Organizational readiness reflects the ability of the company to provide effective services to customers and to improve operating efficiency in the new business environment. Many systems and processes are recognized to be less than optimally efficient and some inefficiencies are amenable to IT solutions. Readiness has been both helped and made more complex by the departure of 1,400 of the most seasoned employees through the recent voluntary retirement program (see Box 28.2). This risk source impacts competitiveness and customer service. Methods being used to mitigate this risk source include performance contracting, compensation programs, labor relations strategies, and improved technology prioritization processes.
Network services launch: The risks associated with the creation of a separate subsidiary to provide wire network services in the open market are many and varied, including uncertainty about the form of the future competitive market, the ability of the business to achieve a competitive cost structure, and the regulatory treatment of the business’s reorganization costs. Possible consequences of such risks are reductions in competitiveness, reliability of customer service, and financial results. Mitigating this risk source involves a carefully crafted strategy and transition plan.
Asset conditions: The aging of asset wires and the possibility of underfunded maintenance and incomplete information about the condition of assets represent risks to customer service and reputation. Ways to mitigate this risk include redundancy on the transmission system, emergency response capability, and increased attention to this issue through higher planning priority.
Catastrophic events: Hydro One has assets covering a large geographical area, and the firm thus faces some exposure to destructive natural events such as tornadoes, which damage facilities every year, and ice storms, which are less frequent but can cause widespread damage and disruption of service. These events affect customer service, reputation, and financial results. Methods used to mitigate this risk include those listed under asset conditions (see above), as well as emergency preparedness plans and rehearsals, weather forecasting, and insurance.
Environmental contamination: This risk is largely driven by lands owned by the company that are contaminated with arsenic trioxide. Other contaminants are penta poles, transformer oils, and PCBs. To mitigate such risks to the firm’s reputation and financial results, as well as to the environment itself, the firm uses a combination of limited insurance coverage with initiatives designed to prevent such contamination.
Hazardous operating environment: Essentially all Hydro One facilities are electrically energized and so represent a threat to employees, contractors, and the public. In order to protect the firm’s reputation as well as ensure employee and public safety, risk mitigation is accomplished through facilities design, asset maintenance, safe work practices, and employee training and supervision.
Market Ready Project: The Market Ready Project is a major complex undertaking with uncertain requirements and has the potential to cause Hydro One to delay the province’s market opening, to cause significant customer or regulator dissatisfaction, or to well exceed its projected budget. Mitigation is provided by giving the project a high priority and profile. The recently announced delay in market opening reduces this risk, although it does not eliminate it, as even the delayed schedule is seen as tight.
New electricity market: The evolving electricity market exposes Hydro One to a wide range of unpredictable actions by competitors, customers, generators, and regulators. Any one of these parties may be able to erode the company’s market position or increase its costs, thereby harming financial results. To limit this risk, the company’s management is active on the IMO Board (the Independent electricity Market Operator) and is negotiating a comprehensive operating agreement with the IMO.
Economy/financial markets: Changes in commodity prices, exchange rates, or interest rates can have adverse effects on net income and cash flows. Hydro One has no commodity risk and does not trade in energy derivatives. The direct effect of fluctuations in exchange rates is considered insignificant, although this may change in the future if the company issues foreign currency debt. (All debt is currently denominated in local currency.) The company is, however, exposed to fluctuations in interest rates through its floating-rate debt (though corporate policy specifies that at most 15 percent of total debt can have floating rates) and through the refinancing of its maturing longer-term debt. Besides limiting its use of floating-rate debt, the company also periodically uses interest rate swap agreements to manage interest rate risk. Management estimates that a 100-basis-point increase in interest rates would reduce net income by roughly CAD 25 million—a risk deemed to be “Minor” or “Moderate” on the risk tolerance scale. All prudent expenses, including interest, are part of the rate base and recoverable through billing rates, so that any interest rate increase would eventually be recovered, but it would not be regarded as good management by the board and would show up as a reduction of profits in the current year.

Hydro One has some exposure to credit risk, both from its customers and from the possibility of counterparty default on its interest rate swaps. The credit risk associated with customers is effectively managed through a broadly diversified customer base. The counterparty default risk is limited by the company’s policy of transacting only with highly rated counterparties, limiting total exposure levels with individual counterparties, and entering into master agreements that allow “net settlement.”

Box 28.2 Strategic Risk Management Analysis of Voluntary Retirement Package

In the early summer of 2000, the Risk Management Group was asked to perform an enterprise risk management analysis of the risks related to a Voluntary Retirement Package (VRP) that was offered to employees at Hydro One. The purpose of the Voluntary Retirement Package was to reduce staff and related costs in preparation for an IPO. However, the Voluntary Retirement Package turned out to be almost too much of a success. Hydro One lost 1,300 employees out of a total of more than 6,000 employees—far more than the 800 that were expected to take the package. And the 1,300 employees were in most cases senior and experienced personnel. The senior management of Hydro One feared that without a rigorous analysis, some unjustified requests for personnel to replace those who had left would eradicate the economic benefits of the program. In risk map terms, the purpose of the enterprise risk analysis was to address the bubbles in the far right-hand corner and move these bubbles toward the lower left-hand corner as cost effectively as possible. (See Exhibit 28.4 for an illustration of this concept.)

The Corporate Risk Management Group discussed business objectives and related risk tolerances with about 40 managers whose groups had experienced material VRP losses. The group asked the managers what actions they had taken or planned to compensate for VRP losses (such as efficiency improvements or dropping activities) and where they felt they still had a resource gap that could impact corporate objectives. The interviews allowed the Corporate Risk Management Group to identify units where the VRP losses resulted in material risk and what the impacts of those risks might be. The group vetted this feedback through a series of interviews with senior management responsible for each major functional area (finance, regulatory, and so on) to validate middle management’s assessment of both the gap and the impacts. For areas of material risk (“Major” or higher), the group asked managers what could be done in order to reduce risk to a “Moderate” level or lower.

The managers indicated that they had taken actions or had plans underway to compensate for the loss of some of the employees. The most important mitigating technique was from planned efficiency gains, but the possibility of hiring contract/temporary workers was also planned. Overall, managers estimated that they could compensate for 1,100 employees out of the 1,300 employees lost, thus leaving a gap of some 200 employees to mitigate excessive levels of risks.

The Corporate Risk Management Group developed a draft list of VRP risk sources, which the senior management team assessed and ranked at a two-hour facilitated workshop, using electronic voting technology and the Delphi method. The result was a list of 11 risk sources ranked according to their significance. “Customer Relations” and “Network Services” topped the list with a risk score of 3.9 and 3.8 on a five-point scale integrating both magnitude and probability. For example, “Customer Relations” was voted as having a magnitude of 3.8 and a probability of 4.1, which gave an ultimate risk score of 3.9.

Some of the risk sources pertained to specific organization units while other risk sources were generic (organization-wide). For the unit-specific risks, the Corporate Risk Management Group calculated on the basis of input from managers that a mitigation process that reduced all risks to a “Moderate” level or lower (1 or 2 on a five-point scale—see Exhibit 28.2) would require 126 full-time employees and CAD 4.4 million. For the generic risks, a combination of monitoring, planning, and risk assessment programs was proposed. The mitigation as to unit-specific risks as well as generic risks was not intended to eliminate the VRP as a source of risk but to reduce the risks to acceptable levels in a cost-effective way.

QUANTIFYING THE UNQUANTIFIABLE

The final step of the ERM process at Hydro One is to prioritize the use of resources for investment planning based on the risks identified. Hydro One is inherently an asset management company in the sense that most of its assets have a life expectancy of 30 to 70 years. The Investment Planning Department of Hydro One collaborated with the Corporate Risk Management Group to develop a risk-based approach for allocating resources. Using this approach, the company has managed to find an innovative way of “quantifying the unquantifiable.”

The approach rests on three pillars:

The five-point risk tolerance scale (from Minor to Worst Case) for assessing the estimated impact of a given risk on a given corporate objective (illustrated earlier in Exhibits 28.2 and 28.4).
The five-point probability rating scale (from Remote to Virtually Certain) for evaluating the probability that a given impact will materialize (shown in Exhibit 28.3 and 28.4).
The quality of controls (or other risk management mechanisms) designed to reduce the residual risks.

Exhibit 28.6 illustrates this risk-based approach for determining capital expenditures. Each class of asset or type of expenditure is categorized into different levels as follows:¹⁵

Highest Risk Exposure: an unacceptable level of risk that must be funded as a priority (and shown in color in Exhibit 28.6).
Minimum Funding Level: the level of service at which the risk to the company’s business objectives is considered barely tolerable.
Level 1: at this level of funding, the risk to business objectives is materially lower than at the Minimum Funding Level.
Levels 2 and 3 (not illustrated in the figure): At these levels of funding, the risk to business objectives is materially lower than at Level 1. A description of the expenditures and associated risks is provided for each level. The investment levels are associated with specific accomplishments—for example, numbers of kilometers of line cleared, or numbers of calls answered within 30 seconds.

137 — **Exhibit 28.6** A Risk-Based Structural Approach to Investment Planning at Hydro One

As also shown in Exhibit 28.6, all investment levels for each asset class are risk-rated based on magnitude and probability for the major corporate objectives using a grid. This grid defines intolerable combined levels of magnitude and probability (shown as Highest Risk in Exhibit 28.6), and assigns a risk rating based on a scale for the combined rating. Each class of asset is stratified into different levels of risk (Highest Risk, Minimum Funding Level, Level 1, and so on). As an example, “Tree Trim” is broken down into several categories, each with its own risk rating. Highest Risk might be minimum clearance near urban centers, while Level 2 might correspond to a deeper clearance on small lines with lower risk.

Hydro One has applied a method named “Bang for the Buck” to be used in prioritizing expenditures for non–Highest Risk risks. The Bang for the Buck index prioritizes by calculating the risk reduction per dollar spent. For example, at the top of the Bang for the Buck index in Exhibit 28.6 is “Tree Trim” (Minimum Level), which shows 2.8 risk units (“Risk if not done”) eliminated by spending one dollar (“Cost”). This gives a Bang for the Buck value of 2.8. At the other end of the scale, the elimination of 2.3 risk units in relation to Poles (Minimum Level) by spending $12 gives a more modest Bang for the Buck value of 0.18.

At the point where the cumulative expenditures reach the level of the available resources, the planned work for the year is determined. The documented prioritization of planned investments in assets is then the subject of a formal two-day meeting between the senior asset managers and the executives that is designed to probe and validate assumptions before the investment plan is presented to the board of directors as part of the annual business planning process.

Using this approach to enterprise risk management, the company then attempts to combine the qualitative, imaginative strengths of scenario planning with the quantitative rigor associated with real options analysis.¹⁶ Scenario planning is a well-established approach (the origins of which are generally traced to practices at Royal Dutch/Shell)¹⁷ for thinking about major sources of corporate uncertainty. Real options, on the other hand, is a more scientific, finance-oriented approach that, at least in well-defined cases, can be used to quantify possible outcomes and the value of different strategies for dealing with such outcomes. In the case of an oil exploration company, for example, scenario planning might be used to help management anticipate the set of political and economic events that could lead to $100 per barrel oil prices. Real options could be used to estimate how much the firm would be worth while also providing management with a value-maximizing schedule for developing its reserves.

BENEFITS OF ERM AND OUTCOMES AT HYDRO ONE

Hydro One’s 2003 Annual Report summarizes the benefits of ERM as follows: “An enterprise-wide approach enables regulatory, strategic, operational, and financial risks to be managed and aligned with our strategic business objectives.” Exhibit 28.7 reflects our attempt to list and elaborate on some of the key benefits. Although most are qualitative and difficult to quantify, all are perceived as valuable.

From a finance perspective, the most direct evidence of a benefit from ERM is the positive reaction of the credit rating agencies and the resulting reduction in the company’s cost of debt.¹⁸ In 2000, Hydro One issued $1 billion of debt, its first issue as a new company after the split-up of Ontario Hydro. According to recent conversations with senior ratings analysts at Moody’s, ERM was then (and continues to be) a significant factor in the ratings process for the company.¹⁹ The firm reportedly received a higher rating on this initial issue (AA– from S&P and A+ from Moody’s) than initially anticipated, and the issue was oversubscribed by approximately 50 percent. To quantify the potential yield savings, consider that since 2000, the long-term mean yield spread between AA and A has averaged approximately 20 basis points. And if we conservatively credit ERM with reducing the company’s debt costs by, say, 10 basis points, this translates into annual savings in interest costs of $1 million on the $1 billion in new debt.

Another clearly important benefit is the improvement of Hydro One’s capital expenditure process using the risk mitigation prioritization index. As described in the previous section, this process takes into account the benefit of risk reduction in all major risk categories (that is, regulatory, financial, reliability, safety, reputation, and so on) by allocating capital expenditures according to the greatest overall risk reduction per dollar spent. While the system is complex and involves extensive computer modeling, the result is a capital allocation process that is much more likely to lead the firm toward the optimal (viewed on a risk-adjusted basis) portfolio of capital projects.

In addition to a lower cost of capital and improved capital allocation, our discussions with Hydro One’s management also suggest a number of less tangible benefits, some of which are described in Exhibit 28.7. Perhaps most important, top management seems convinced that employees at all levels of the organization now have a much better understanding of the firm’s risks and what they can do to manage them. And, as described in the next section, this process appears to have led to an impressive change in the company’s corporate culture.

Exhibit 28.7 Benefits of ERM and Outcomes at Hydro One

Examples of ERM Benefits	Hydro One Experiences
Achieve lower cost of debt	Realized higher debt rating and lower interest costs than expected on $1 billion debt issue, which was the first issue as a new company. Issue was heavily oversubscribed. Ratings analysts stated ERM was a significant factor in the ratings process for Hydro One.
Focus capital expenditures process on managing/allocating capital based on greatest mitigation of risk per $ spent	Capital expenditures are allocated and prioritized based on a risk-based structural approach. An “optimal portfolio” of capital investments is achieved providing the greatest risk reduction per $ spent. Also, ERM has been used in the management of major projects such as the 88 corporate utility acquisitions during 2000 and the potential building of an underground cable to the USA.
Avoid “land mines” and other surprises	Since starting ERM, there have been many unusual occurrences at the company. Two significant ones were spelled out in the Corporate Risk Tolerances ahead of time: the dismissal of the Board of Directors and the reaction to a large oil spill.
Reassure stakeholders that the business is well managed with—stakeholders defined to include investors, analysts, rating agencies, regulators, and the press	During the IPO road shows, the Corporate Risk Management Group was told that the ERM workshops had greatly assisted the executive team in articulating the risks they faced and what was being done about them. There are many other examples.
Improve corporate governance via best practices guidelines	Hydro One has moved from the Board Committees asking why these risk summaries were being brought to them to a point at which they now routinely expect this information. Directors recognize that Hydro One is ahead of other companies on whose boards they sit.
Implement a formalized system of risk management that includes an ERM system (a required component of the 1995/1999/2004 Australian Standard for Risk Management)	Hydro One has a formalized system that drives periodic assessment, documentation, and reporting of all risks.
Identify which risks the company can pursue better than its peers	Although not necessarily attributable solely to ERM: A subsidiary involved in marketing electricity was sold due to high commodity risks. Several processing and administrative functions were outsourced to transfer labor union and labor cost risks.

Current Status

Instead of the title “Current Status,” we could have substituted “The Evolution of the CRO.” At the outset of the ERM initiative, the Corporate Risk Management Group consisted of the CRO (part-time) and two full-time professionals. To date, the group has conducted more than 180 workshops and authored numerous internal reports on strategic risk management. Some of these reports were prepared in the normal conduct of business and were issued regularly. Other reports were requested ad hoc, such as the strategic risk management analysis of a voluntary retirement program at Hydro One that is summarized in the box insert.

From the end of 2003 until the present, there have been no full-time members of the Corporate Risk Management Group. The CRO devotes 20 percent of his time to this role, and his previous staff have been reassigned to other jobs, although they are occasionally “borrowed back” for certain specific high-risk ERM projects. This reduction in personnel is not a sign of failure, but rather of two notable accomplishments:

The transfer and generation of knowledge on strategic risk management throughout the organization has been so effective that strategic risk management is considered to be embedded in the various subsidiaries and divisions to such an extent that the need for extensive central planning, implementation, and monitoring is significantly reduced. As evidence of Hydro One’s success in making “risk management everyone’s responsibility,” in 2002 the Corporate Risk Management Group received the firm’s “Sir Graham Day Award for Excellence in Culture Change.”²⁰ In the words of the then CEO and President of the company,
1. Thanks to this team, Hydro One is becoming a leader in enterprise risk management—a key best-practice in the energy industry, and a critical element of good corporate governance … This group’s progress to date has also garnered attention from other organizations. In fact, the risk managers from the World Bank and Toronto General Hospital have visited Hydro One to learn about our methods.
Hydro One has become a well-established company both internally and externally. In 1999 it was a “new” company operating in a market that was to be deregulated and it was scheduled for privatization through an IPO. Today Hydro One has more than five years of experience as an independent company. It has demonstrated its ability to compete in a market that had been deregulated (but is now moving toward more regulation), and its ownership structure is now considered stable. Thus, the extent to which Hydro One faces internal and external changes has been markedly reduced.

The CRO continues to provide support for senior managers and develop risk management policies, frameworks, processes, and other analyses as needed. But thanks to the success of the program, the demand for hosting numerous workshops and establishing a risk management culture is greatly diminished. In short, risk management and awareness has become a mature operation at Hydro One.²¹

CONCLUSION

This chapter describes the implementation over a five-year period of enterprise risk management at Hydro One, a Canadian electric utility company that has experienced significant changes in its industry and business. Starting with the creation of the position of chief risk officer and the deployment of a pilot study involving one of the firm’s subsidiaries, the ERM implementation process has made use of a variety of tools and techniques, including the “Delphi Method,” risk trends, risk maps, risk tolerances, risk profiles, and risk rankings.

Among the most tangible benefits of ERM at Hydro One are a more rational and better-coordinated process for allocating capital and the favorable reaction of Moody’s and Standard & Poor’s, which has arguably led to an increase in its credit rating and a reduction of its cost of capital. But perhaps just as important is the company’s progress in realizing the first principle of its ERM policy—namely, that “risk management is everyone’s responsibility, from the board of directors to individual employees. Each is expected to understand the risks that fall within the limits of his or her accountabilities and is expected to manage these risks within approved risk tolerances.” The implementation process itself has helped make risk awareness an important part of the corporate culture.

As a result, the management of Hydro One feels that the company is much better positioned today than five years ago to respond to new developments in the business environment, favorable as well as unfavorable. Indeed, ERM can be viewed as an integral part of the company’s current business model. As Charles Darwin noted more than 150 years ago, in a world where mutability is the only permanent feature of the landscape, “It’s not the strongest of the species that survive, nor the most intelligent, but those that are the most responsive to change.”

NOTES

2. In the hypothetical Modigliani and Miller world of corporate finance, risk management does not add value. However, in the nonfrictionless environment of the real world, risk management by the firm can create value in one or more of the following ways that investors cannot duplicate for themselves: (1) facilitate the risk management efforts of the firm’s equity holders; (2) decrease financial distress costs; (3) lower the risk faced by important nondiversified investors (such as managers and employees); (4) reduce taxes; (5) reduce the firm’s capital costs through better performance evaluation and reduced monitoring costs; and (6) provide internal funding for investment projects and facilitate capital planning. Refer to “A Senior Manager’s Guide to Integrated Risk Management” by Lisa Meulbroek, Journal of Applied Corporate Finance, vol. 14, no. 4 (Winter 2002) for more information on these benefits. Another view of how risk management can maximize firm value is that risk management should eliminate costly “lower-tail outcomes,” while preserving as much of the upside as possible; see R. Stulz, “Rethinking Risk Management,” Journal of Applied Corporate Finance, vol. 9, no. 3 (Fall 1996). Corporate risk management should include choosing the optimal mixture of securities and risk management products and solutions to give the company access to capital at the lowest possible cost; see Christopher Culp, “The Revolution in Corporate Risk Management: A Decade of Innovations in Process and Products,” Journal of Applied Corporate Finance, vol. 14, no. 4 (Winter 2002).

3. The Joint Australian/New Zealand Standard for Risk Management (AS/NSZ 4360: 1999), first edition published in 1995, provides the first articulation of practical enterprise risk management. This guide covers the establishment and implementation of the risk management process involving the identification, analysis, evaluation, treatment, and ongoing monitoring of risks. Committee of Sponsoring Organizations of the Treadway Commission (COSO) (September 1992); Group of Thirty, Derivatives: Practices and Principles (Washington, DC, 1993); “Where Were the Directors”—Guidelines for Improved Corporate Governance in Canada, Report of the Toronto Stock Exchange Committee on Corporate Governance in Canada (December 1994); CoCo (Criteria of Control Board of the Canadian Institute of Chartered Accountants); and Committee on the Financial Aspects of Corporate Governance (Cadbury Committee, final report and Code of Best Practices issued December 1, 2002).

11. The Delphi method, originally developed by the RAND Corporation in 1964 for technological forecasting, is a way of estimating future measures by asking a group of experts to make estimates, recirculating the estimates back to the group, and repeating the process until the numbers converge. It is a formal method used to generate expert collective decisions. The Delphi method recognizes human judgment as legitimate and useful inputs in generating forecasts. Single experts sometimes suffer biases and group meetings may suffer from “follow the leader” syndromes and/or reluctance to abandon previously stated opinions. The Delphi method is characterized by anonymity, controlled feedback, and statistical response. The Rand report is still interesting to read and contains many innovations that are used in the analysis and describes Delphi results. For instance, the report presents arguments for using median values rather than the mean values of the group’s responses and also illustrates how ranges of opinions can be presented graphically (see T.J. Gordon and Olaf Helmer, “Report on a Long Range Forecasting Study,” R-2982, Rand Corporation, 1964). For a broad review of the literature on Delphi and references to the method and past studies, refer to Fred Woudenberg, “An Evaluation of Delphi,” Technological Forecasting and Social Change (September 1991). For further information on practical applications, see Michael Adler and Erio Ziglio (eds.), Gazing into the Oracle: The Delphi Method and its Application to Social Policy and Public Health (Jessica Kingsley Publishers, 1996).

ABOUT THE AUTHORS

Tom Aabo is an Associate Professor at the Aarhus School of Business in Denmark. He has taught courses in corporate finance, international business finance, foreign direct investment, and internationalization of the firm at the Aarhus School of Business. His areas of research are strategic risk management, exchange rate exposure management, real options analysis, and international corporate finance. He is published in the Journal of Applied Corporate Finance, International Journal of Managerial Finance, European Financial Management, and Review of Financial Economics (among others). Tom also serves on the editorial board of the Asian Journal of Finance and Accounting. Prior to getting his PhD, Tom worked in industry for Amersk and Gudme Raaschou. Tom received a BA in Business Administration from Aarhus School of Business (Denmark), a MS in Business Administration, and PhD from Aarhus School of Business.

John Fraser is the Vice President, Internal Audit & Chief Risk Officer of Hydro One Networks Inc., one of North America’s largest electricity transmission and distribution companies. He is an Ontario and Canadian Chartered Accountant, a Fellow of the Association of Chartered Certified Accountants (U.K.), a Certified Internal Auditor, and a Certified Information Systems Auditor. He has more than 30 years experience in the risk and control field mostly in the financial services sector, including areas such as finance, fraud, derivatives, safety, environmental, computers and operations. He is currently the Chair of the Advisory Committee of the Conference Board of Canada’s Strategic Risk Council, a Practitioner Associate Editor of the Journal of Applied Finance, and a past member of the Risk Management and Governance Board of the Canadian Institute of Chartered Accountants. He is a recognized authority on Enterprise Risk Management and has co-authored three academic papers on ERM—published in the Journal of Applied Corporate Finance and the Journal of Applied Finance.

Betty J. Simkins is Williams Companies Professor of Business and Professor of Finance at Oklahoma State University (OSU). She received her BS in Chemical Engineering from the University of Arkansas, her MBA from OSU, and her PhD from Case Western Reserve University. Betty is also very active in the finance profession and currently serves as Vice-Chairman of the Trustees (previously President) of the Eastern Finance Association, on the Board of Directors for the Financial Management Association (FMA), as co-editor of the Journal of Applied Finance, and as Executive Editor of FMA Online (the online journal for the FMA). She has coauthored more than 30 journal articles in publications including the Journal of Finance, Financial Management, Financial Review, Journal of International Business Studies, Journal of Futures Markets, Journal of Applied Corporate Finance, and the Journal of Financial Research and has won a number of best paper awards at academic conferences.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.