Key Policy Elements

In addition to outlining the overall risk management strategy and objectives, the corporate level risk management policy should also document the various risk-based definitions and the roles, responsibilities, accountabilities and authorities necessary to achieve the objectives of risk management. Risk has been defined as “the combination of the probability of an event and its consequence.”³

Based on this generally accepted definition, risk can therefore be considered a two-dimensional concept requiring an understanding of the probability of an undesirable event occurring and the expected consequence should the event occur. The corporate level risk management policy and the related policy implementation processes, procedures, and concepts must build on this definition and develop risk identification, assessment, evaluation, mitigation, and resource allocation methods and tools that are consistent with this definition. Subsequent sections in this chapter describe methods and tools that are founded on the basis of this important definition, which must be understood by all staff involved in the business planning effort.

Center of Excellence

Championing, developing, implementing, operating, and improving a RFRAF requires a substantial and sustained effort within the company. A critical first step in the development and implementation phase is the identification of staff from the senior management, middle management, and professional ranks of the company who are committed to participating in this initiative. The existence of a core group of staff from these various levels interested in championing and developing the required policies with the board of directors and executives of the company and developing/implementing the required enabling business processes is critical to the successful establishment of the RFRAF. Experience has shown that the COE does not need to be a specific organizational unit dedicated to this initiative. Given the need to spread the principles and knowledge of risk-based concepts throughout the company and the multidisciplined nature of risk assessments, the COE is most effective when it is comprised of staff who hold regular positions within the various line units. The members of the COE-Team must, however, allocate sufficient time to take on the additional responsibilities for overseeing the development, implementation, operation, and continuous improvement of the RFRAF. This dispersed COE-Team should also be formally constituted and meet regularly to develop and monitor the progress of implementation initiatives and to help overcome operational challenges or barriers associated with improvement initiatives. The COE-Team should also be involved in specific strategic and operational process steps, within the framework, such as updating the key decision factors used within the RFRAF, as the business environment changes. These key decision factors will be defined and discussed in more detail in the following sections. Experience has shown that this dispersed team, embedded within the various line units, can effectively act as champions and change agents for new processes and methods. Members of the COE-Team are also in a good position to identify new opportunities for improvement, train senior staff across the company, and promote new processes, methods, and models to senior management and working level professional staff.

Translating Strategic Objectives into Risk-Based Concepts

The effective allocation of resources based on risk requires company staff responsible for business planning to understand the relationship between the business objectives of the company, the operational and strategic risks that may jeopardize the achievement of those objectives, and the risk-based concepts that enable the systematic identification, evaluation, and prioritization of the various risks. A primary design element of a RFRAF is a methodology that establishes the relationship between the strategic objectives, the operational and strategic risks of the business, and the risk-based concepts that enable identifying, quantifying, comparing, and organizing the various risks in order of importance.

The methodology typically used to establish these relationships is to involve the company leadership team in a workshop designed to develop the correlation between the strategic business objectives (SBOs), the detailed measures of success or key performance indicators (KPIs), and the degree of tolerance within the company for deviations from the KPIs, termed risk tolerances (RTs). This workshop is also used to inform the business leaders of the risk based concepts utilized within the RFRAF. Having a common understanding at the leadership level of the risk-based concepts is critical to the successful development of the framework. Experience has shown that utilizing a top-down process for establishing the degree of risk tolerance to shortfalls in attaining each specific KPI is an effective approach for determining the appetite for risk inherent within the company. The final product of the workshop is an information source that identifies and consolidates the relationships between the SBOs, KPIs, RTs, and the risk-based concepts. This product, termed the corporate risk matrix (CRM), provides critical risk-based information and indicators to facilitate identifying risks, conducting detailed risk assessments, and developing evaluation methods and models. The CRM also serves as an effective guideline enabling the consistent evaluation and prioritization of risks and is an excellent communication tool for use with line staff involved in business planning. Utilities in the electric power industry use products of this nature as an integral part of business planning.⁴

As indicated in the previous section, risk is “the combination of the probability of an event and its consequence.” The approach for establishing the relationships between the SBOs, KPIs, RTs, and risk-based concepts must therefore deal with these two domains of event consequences and probabilities.

The Probability Domain

Risk analysis includes identifying events in the internal or external business environment, which could compromise the achievement of one or more business objectives. It is not sufficient however to simply identify undesirable events and the related business consequences. Risk analysis also requires determining the probability (or likelihood) of the event actually occurring within the discrete time frame being assessed. For the purpose of this discussion, the time frame of interest is the business planning period, typically between one and five years.

Exhibit 12.6 provides the categories and related probability levels typically used in business planning and risk prioritization processes. The probability scale for evaluating the likelihood of undesirable events occurring should provide both a sufficient range of probability categories and adequate distinction between the various categories. Experience and evaluation of good practices has determined that developing five categories of probability ranging from “Remote” to “Very Likely” provides a good range for segmenting undesirable events for the purpose of identifying, evaluating, controlling, and optimizing risks over the business planning period. Experience and evaluation of good practices has also established that the probability levels should range from less than 1 percent for the Remote category to about 90 percent for the Very Likely category.

The Integration of Business Objectives/Risk Events/Risk Concepts

Consolidating the consequence and probability concepts described in the above sections results in identifying a two-dimensional “risk space” with event consequence represented on one axis and probability (or likelihood) represented on the other, as shown in Exhibit 12.7.

The policy discussed earlier should identify senior management as responsible for determining the level of unacceptable risk for each specific corporate level KPI. This is represented by the red (unacceptable risk) zone in Exhibit 12.7. Experience with the framework has shown that having senior management establish the unacceptable region of risk, and the actions that must be taken for intermediate risk levels, in advance of the development of the business plan is necessary for effective risk identification and analysis. Once the unacceptable region of risk is identified, any internal operational or external business events determined to be within this unacceptable region must be effectively controlled. The least cost risk mitigation alternative for effectively controlling “unacceptable events” will be scheduled as a nondiscretionary expenditure, within the associated expenditure prioritization process. Examples of unacceptable risks could include severe safety events, violations of mandatory regulatory requirements, and events resulting in catastrophic financial consequences.

It should be noted that the effectiveness of the overall framework is only as good as the accuracy of the methods and models used to quantify the likelihood and consequence of the various undesirable events and relating them to the KPIs. Given that some of the assessments may require the application of expert judgment, it is advisable to develop independent methods to validate the results of the bottom-up risk identification, mitigation, and prioritization process. The development of alternate methods to assist in validating the results of the detailed bottom-up risk identification, mitigation, and prioritization process will be discussed later in this section.

The overall purpose of the framework is to establish a prioritized list of expenditure plans that minimize the overall risk of the enterprise falling short of meeting its key goals and objectives. The development, sustainment, and continuous improvement of the CRM significantly contributes to the success of the RFRAF. The CRM provides:

• A single source of information linking the SBOs, KPIs, PIs, RTs, and risk concepts.
• Top-down direction on the appetite for risk within the company.
• A useful method of communicating what constitutes risk in relation to the SBOs.
• A top-down guide for use by all staff levels within the company to identify bottom-up operational and strategic risks that are candidates for mitigation through the development of investment proposals (IPs). An IP describes/specifies the technical and/or process based solution/work necessary to effectively mitigate unacceptable risk events. This includes identifying the cost of the mitigating solution and the change in risk profile compared to the “do-nothing” option.
• Consistent treatment of risk across the enterprise.
• A consistent information source for assessing the overall effectiveness of the bottom-up solutions/IPs.

Risk-Based Business Processes

The main process steps that must be completed as part of the RFRAF are outlined in the following seven steps:

1. Identify business risks and assess/evaluate their impact on the SBOs, KPIs, and PIs under a “do-nothing” scenario. The assessment must investigate both strategic risks and routine operational risks. Strategic risks are typically assessed by senior and middle management staff within workshops comprised of several related disciplines across the organization. The operational risks are typically assessed by the various departmental and regional experts involved in the business planning effort. The results of both assessments are documented on a consistent risk evaluation template. At a minimum, the risk evaluation template requires a description of the risk event, the KPIs or PIs impacted by the event, and the expected probability and consequence for each impacted KPI. The probability and consequence associated with the “do-nothing” scenario on each KPI should be quantified to the extent possible, using appropriate methods and models. Experience over a number of years of application has shown that it is preferable to assess these risks over at least two specific time periods used within business planning. For each risk event the level of risk should initially be assessed over the first two-year period of the business plan. This is to be followed by an assessment of the risk event over the entire business planning period (typically five years) or beyond. This information is of importance for prioritizing work. Urgent and important risk events having significant impacts in the first two-year period are given priority over those that materialize over a longer period of time. It is useful in executing the process to provide an estimate of the time requirements for establishing the risk mitigation options for each risk event. Including this information on the risk evaluation template at this point in the process facilitates the identification of potential resource constraints in performing the next phase of the process, outlined in Step 2 below.
2. Establish the key risks requiring treatment (or mitigation) based on the probability and consequence information developed in Step 1. If the analysis shows that there are constraints on the resources available to develop the risk mitigation options, only the events that represent the largest risks to the business will be evaluated and mitigated.
3. For each of the risk events requiring treatment, a series of risk-mitigation alternatives is developed. For the strategic risks identified in the management level multidisciplined workshop mentioned in Step 1, a dedicated group of management staff develops the mitigation alternatives. For the operational risks the various departmental and regional experts develop the mitigation alternatives. Each alternative is assessed in relation to a prioritization index calculated as follows:
   

   The preferred alternative is selected for mitigating each risk event based on the highest Prioritization Index. These preferred alternatives become the Investment Proposals (IPs), which must be prioritized as part of the overall RFRAF, based on the highest risk-reduction impact to the SBOs per expenditure level.

4. All high-priority risk events identified within Steps 1 to 3 are prioritized through the use of a prioritization model. The prioritization model is designed to incorporate the input from all submitted IPs and uses the Prioritization Index to sequence the proposals in an optimum manner to achieve the greatest risk reduction for the least cost. The resulting portfolio of preferred IPs represents the optimal scenario for achieving the SBOs in a least cost manner.
5. Given the importance of the decision to proceed with this portfolio of preferred IPs, the next step in the process involves conducting a validation review through the application of a series of validation tests on the optimal scenario developed by the prioritization model. These validation tests are conducted prior to approving the implementation of the portfolio of preferred IPs for the purpose of providing the approval authorities with supplemental information related to:
   1. Sensitivity of the optimal scenario to the prioritization criteria.
   2. Compatibility to historical business performance.
   3. Ability to implement the portfolio of preferred IPs given possible resource constraints. This includes availability of equipment, material, staff skills and competencies, outages, and/or other related business constraints.
   4. Comparability to other independent strategic assessments, which can be used to validate the overall level of expenditures and/or the expected level of business performance in the various business areas.

      Further details on the validation review and related tests are provided below:

      • Sensitivity of the optimal scenario to the prioritization criteria—Conducting sensitivity analysis on the weighting factors used for prioritization provides approval authorities with valuable information related to the stability of the portfolio of preferred IPs. A good practice in this area involves predetermining alternative weighting factors within a senior management workshop and reviewing program changes produced by the prioritization model. IPs consistently ranking high under various reasonable alternative weighting factors can proceed with a high degree of confidence. Experience has shown that conducting a sensitivity analysis for only the factors that can be quantified also provides a good alternate source of information in deciding on final programs, as this eliminates the impact of qualitative or subjective assessments. In a utility environment this sensitivity test could mean only using the cost and reliability based KPIs, assuming critical safety events are nondiscretionary.
      • Compatibility to historical business performance—Comparing the portfolio of preferred IPs and forecasted KPI performance to the historical portfolio of expenditure programs and the historical performance of comparable KPIs provides valuable information based on actual results. This type of comparison is effective in long-standing companies such as electric utilities that have information sources going back many decades. Changes from history should be explained based on either a change in the SBOs or a change in risk profile associated with a specific area of the business. Companies without a long history or that have experienced significant changes in the products and services delivered will need to find other means of performing such comparisons. This may include using benchmarking methods to establish cost and service/product performance in relation to comparable organizations or competitors.
      • Ability to implement—Conducting comparisons between the portfolio of preferred IPs and the resources (capital, human, materials, equipment, etc.) available to finance and perform the work, provides information related to the ability to complete the program in the allotted time. This is a critical check in an era of constrained capital, professional and trades expertise, and uncertain availability of necessary equipment and materials. Another concern in the industrial business environment is the availability to obtain the required equipment outages (i.e., downtime) to perform the work while still delivering on commitments to customers and/or contributions to the bottom line.⁵
      • Comparability to independent strategic assessments—Many businesses perform macro-level strategic assessments to forecast the overall mid-term or long-term capital or O&M requirements of the business based on factors such as growth projections, infrastructure replacement rates, and/or asset aging rates. If the results of these independent forecasts can be reconciled with the portfolio of preferred IPs developed by the risk-based process described previously, the confidence level of the approval authorities can be significantly increased. Experience with the process has shown that conducting such comparisons typically requires grouping the expenditures associated with the portfolio of preferred IPs into higher level categories of assets, regions, services, deliverables, and/or accounting designations (capital and O&M), depending on the nature of the business and the strategic assessments. Given the importance of the decision (approving the details of a work program that is expected to achieve the SBOs of the company) the effort required to perform this comparison is worth the increase in confidence gained when two independent methods identify similar requirements.

      In the electric utility industry, for example, models⁶ have been developed to establish long-term capital requirements based on assets reaching end-of-life and requiring replacement with equivalent facilities. The models use probability density functions to represent expected end-of-life ages for various asset groups. When these probability density functions are applied to the demographic profile of the asset base the expected level of asset replacement can be generated. Assuming like-for-like replacement and typical unit replacement costs enables the generation of mid-term to long-term forecasted capital requirements for specific asset groups. Conducting macro-level, long-term studies of this nature can also assist in identifying the risk to certain KPIs such as degradation in levels of system reliability as the system ages and equipment begins to fail. These types of assessments provide long-term forecasts of both the expected level of capital expenditures and the risk of delivery performance, using a completely separate long-term/top-down type of analysis. Comparing the results of strategic assessments of this nature to the results of the bottom-up annual risk analysis described earlier provides a valuable cross-check on the results. If the results of the two independent assessments can be reconciled, confidence in both approaches is increased. If the results do not reconcile, further investigation is warranted, including comparisons to the other validation tests mentioned earlier.

6. The next step in the process involves reviewing all the available information in a workshop with the approval authorities and approving the preferred portfolio of IPs. This preferred portfolio of IPs represents the optimal work program for achieving the SBOs. The business planning process will use this optimal work program to allocate costs and resources to various business units depending on the approach used within the company.
7. The final step in the process involves establishing the necessary work program performance measures and monitoring processes to ensure effective, efficient, and timely delivery of the portfolio of preferred IPs.

Exhibits 12.8 and 12.9 summarize the main elements in the process.

Experience with operating the process indicates that major efficiency gains can be obtained by identifying typical risk events and standardizing the consequence and likelihood assessments through the development of pick lists based on specific criteria, which can be selected by operations staff. In the electric power utility example for evaluating KPI risks associated with the frequency of system outages, it was found that a major reduction in evaluation effort could be achieved by correlating the frequency of system outages to standard equipment failure rates and certain generic system configurations. These correlations were observed from the initial risk assessments and resulted in the development of simple pick lists for the consequence and likelihood assessments, associated with the KPI for frequency of system outages. A major reduction in evaluation effort was achieved by providing Operations staff with simple pick lists for the consequence and likelihood assessments based on these correlations. This obviated the need for unique assessments for each occurrence of this risk event across the company. As experience is gained with the RFRAF, efficiencies of this nature begin to emerge, reducing the overall effort while improving the accuracy of the assessments.

Organizational Considerations

A dedicated organizational unit should be established within the company to manage the routine operation of the business processes within the RFRAF. It should be noted that this formal organizational unit is distinct from the COE-Team mentioned earlier. The primary functions of the COE-Team are to develop the RFRAF, promote and launch the related implementation initiatives, oversee successful implementation, develop and monitor performance measures, and help develop and promote improvements. The purpose of the dedicated organizational unit is to operate the detailed processes, including establishing an information system and developing the required guidelines and procedures necessary for effective functioning of the annual process. The leader of this dedicated organizational unit should be a member of the COE-Team. Experience has shown that this dedicated organizational unit should be located within a business unit that does not have a stake in the outcome of the prioritization process. Examples of best locations include the finance function or a dedicated Investment Planning or risk function within the company. The dedicated organizational unit should be responsible for:

• Establishing the processes necessary to identify and manage risks.
• Obtaining models capable of prioritizing the investment proposals.
• Developing information systems and templates to ensure the transparency, consistency, and continuity necessary for process effectiveness and efficiency is in place.
• Conducting detailed training sessions to ensure staff involved in the processes have the necessary knowledge.
• Conducting macro-level studies, scenario analysis, and validation tests to ensure the outputs of the prioritization process are reasonable and robust.
• Implementing effective internal controls to provide oversight on all IPs to ensure evaluation accuracy and consistency within and between organizational units.
• Arranging, facilitating, and documenting the results of the senior management workshops necessary to obtain the required approvals.
• Updating the process elements and assumptions on an annual basis.
• Developing process measures to provide the monitoring necessary to ensure the process is effective and efficient and continuously improve the processes, models, tools, and information systems.
• Manage the implementation of the approved portfolio of IPs and make in-year adjustments as new risk information becomes available.

Experience in operating these processes indicates that the organizational hierarchy should be leveraged to ensure consistency in the identification of risk events and in the evaluation of their impacts on the SBOs, KPIs, and PIs. This is also the case for the development of the IPs designed to manage unacceptable risks. Having the managers and directors of the business units review and approve the risk evaluation templates and IPs developed by their expert staff serves to maintain some consistency in the identification and evaluation of risks between organizational units and/or geographic locations. This is a good practice, prior to submitting the risk-evaluation templates and IPs to the centralized business unit responsible for final prioritization. The centralized business unit responsible for prioritization should also develop a high-level expert responsible for reviewing risk scores submitted on all risk evaluation templates and IPs, in relation to historic evaluations and actual results from previous or similar evaluations. This practice ensures consistency across all business units within the company.

Exhibit 12.10 shows the typical business functions involved in the business planning processes, the span of the RFRAF, and the roles typically undertaken by the various organizational functions. Experience has shown that the process management role for the RFRAF should either be in the finance or investment planning functions.

The Concept of Evaluation Time Frames

As mentioned earlier, both operational and strategic risks must be evaluated by knowledgeable staff within the organization when identifying events with potential for unacceptable impacts (consequences and the related probabilities of occurrence) on the SBOs of the business. Operational risks are typically evaluated by expert front-line staff responsible for operating and managing the business. This includes maintenance, operations, and customer account staff who deal with daily/weekly/monthly issues in the management of the business. These resources are responsible for executing the near-term elements of the business plan (defined as the first two years of the business plan) and have knowledge of factors such as immediate maintenance requirements, demand exceeding the capability of systems to deliver, and/or customer satisfaction issues. Experience has shown that most long-standing companies have the required knowledgeable resources, detailed business processes, and supporting information systems necessary to conduct the near-term risk assessments that are an integral part of the RFRAF.

Strategic risks typically span a longer time period and are also likely to span the responsibilities of several organizations or disciplines within the company. Uncovering risks of this nature is important because it may be necessary to invest in controlling these risks within the period of the business plan to ensure the SBOs can be realized over the planning period. Experience with the framework has shown that middle- and senior-management staff members typically possess the multidisciplined knowledge and work in time frames consistent with these strategic risks. Therefore, this group of staff members are in the best position to identify these risks and the related mitigation alternatives. Many companies have also established an organizational unit responsible for proactively identifying, evaluating, and managing strategic risks. In the electric utility industry several regulatory jurisdictions have recognized the importance of managing strategic risks and the regulatory authorities require utilities to establish and formally submit long-term plans to ensure the prudent management of this critical public infrastructure.⁷ These long-term plans typically span about 10 years in recognition of the long lead times required to obtain approvals for new infrastructure and/or order and install major equipment. These plans also typically deal with risks associated with the aging of various fleets of similar assets, rather than the maintenance and replacement of specific assets, as is the case in the near-term evaluation mentioned earlier. Strategic risk evaluations of this nature can identify events that must be managed in the near-term (one to two years) or mid-term (three to five years) to prevent jeopardizing the achievement of SBOs over a much longer time frame (such as 10 years). The IPs developed to manage strategic risks must utilize the same template (and provide the same consequence and probability information for affected KPIs) as the operational risks and are subjected to the same prioritization process.

To effectively conduct a comprehensive risk evaluation, experience with the RFRAF indicates that it is useful to evaluate undesirable events in up to three distinct time frames: The near-term (defined as the first two years of the business plan); the mid-term (defined as years three to five of the business plan) and the long-term (defined as the period beyond five years). This should be accomplished utilizing company staff with specific knowledge of potential risks in these various time periods. As mentioned above, many companies also develop long-term strategic plans that contain information useful to the risk identification and evaluation process. Exhibit 12.11 illustrates the time frames of interest, the type of information provided for risk analysis and business planning, the basis for the risk information, and the level of analysis typically conducted in each time frame. It should also be noted that risk information in one time frame can be used to validate the risk assessments in an adjacent time frame or as a minimum inform the risk assessors of changing business circumstances and the effects on risk profiles over time. See Exhibit 12.11.

Methods and Models to Quantify the Impact of Risk Events

The overall risk-based process outlined earlier identified the importance of quantifying the probability and consequence imposed by critical risk events on each impacted KPI. Quantification of risk-event impacts on KPIs, through the use of appropriate methods and models is far more desirable than the use of qualitative or subjective approaches, which may be a combination of judgment and speculation. The accuracy of the methods and models used to quantify the probability and consequence impacts on the KPIs is a determinative factor in the overall effectiveness of the risk evaluation and mitigation process and possibly the success of the business. For this reason, significant effort should be focused on developing a portfolio of methods and models that enable the quantification of risk events in terms of each specific KPI or PI, to the extent practical.

These methods and models should be designed to enable quantification of KPI impacts associated with the “do-nothing” scenario for each risk event. They should also be capable of evaluating the KPI impacts for the risk-mitigation alternatives for the purpose of generating IPs. The electric power industry example discussed earlier identified the reduced frequency of unplanned system outages as a KPI for achieving the SBO of first-quartile reliability. To effectively quantify and manage risk a methodology and model should be put in place to quantify the impact on the frequency of system outages under a “do-nothing” scenario in the service territories. This method and model would also be used to identify the effectiveness of mitigation alternatives on the frequency of system outages in the service territories. The mitigation options that provide the required reduction in the frequency of system outages at the lowest cost will be submitted to the prioritization process described in the following section.

Experience with the RFRAF in the electric power sector indicates that a large portfolio of such methods and models must be developed to quantify the risk impacts on all critical KPIs. This includes methods and models for conducting operational risk assessments affecting the near-term (such as asset condition methods and models to evaluate the near-term risk of equipment failure) and strategic risk assessments impacting KPIs in the mid-term or long-term. The portfolio of methods and models must be capable of assessing a wide variety of risk factors (reliability, safety, environmental impacts, regulatory compliance, etc.) and deal with both technical and financial concepts.

Prioritization of Investment Proposals

As mentioned earlier, the prioritization model is designed to incorporate the input from all submitted IPs for the purpose of sequencing the proposals in an optimum manner to achieve the greatest risk reduction for the least relative cost. The resulting portfolio of preferred IPs represents the optimal scenario for achieving the SBOs in a least cost manner. A graphical representation of the output for a typical prioritization model appears in Exhibit 12.12. The model treats all IPs on a consistent basis and sequences the IPs from highest benefit to cost ratio to lowest. This approach enables the identification of what is known in the literature as the efficient frontier.

The IPs capable of producing the highest overall reduction in risk to the SBOs for the least overall cost would appear on the steep upward slope on the left portion of the graph. IPs of lower value would appear on the right portion of the graph where at the extreme end it may be observed that significant increases in expenditures produce little change in benefit. Output results of this nature are effective for establishing the cut-off points for projects (IPs) when expenditure constraints have been determined. The IP labeled “B” in Exhibit 12.12 would just make the cut-off point if a cost of 150 represented the upper limit of expenditures. The graphical representation also enables comparisons between alternative IPs designed to manage the same risk event. For example the IPs labeled “P,” “C,” and “B” in Exhibit 12.12 could all represent IPs designed to manage the same risk event. From the graphical output it can easily be observed that IP-P is the least effective alternative for managing this risk event, since IP-B can deliver higher benefits for the same cost and IP-C can deliver similar benefits at lower cost. In this example a judgment would be needed by the approval authorities to determine if the risk event should be mitigated under IP-B or IP-C. It should also be noted from this example that if expenditure constraints determined that IP-B was just beyond the level of affordability, this specific risk event would continue to be within the portfolio of preferred IPs (as IP-C) and receive funding for mitigation under a lower level of cost.

All prioritization models use some form of multicriteria decision analysis methodology (i.e., Multi-Attribute Utility Theory, Multi-Attribute Value Theory, Analytical Hierarchy Process) as the basis for the evaluation of inputs and there are many models available on the market.⁸ Care must be taken to select a model that is consistent with the information and competencies available within the company. Once a model is selected the related input process must be established.

The detailed theory associated with such models is beyond the scope of this framework-based discussion. However, there are several good in-depth papers on project prioritization and project portfolio management.⁹ In addition, regulatory authorities responsible for approving cost of service applications recognize the importance of prioritization methods and models in establishing the expenditure requirements of the utilities they regulate. They also value the transparency and consistency provided by these methods and models. As a result, regulatory authorities often require the submission of detailed information related to the prioritization approaches used by utilities. These submissions provide an excellent source of information related to the application of these business processes in a complex business environment.¹⁰

Overall, the prioritization model and supporting process must possess the following core capabilities:

• Be capable of accurately solving an optimization problem (maximizing the value of the portfolio of IPs) for multiple decision criteria.
• Create a level playing field for all IPs.
• Deal with IPs having different impacts on multiple decision criteria.
• Manage large numbers of IPs.
• Be capable of dealing with both capital and O&M expenditures.
• Provide a transparent and auditable analysis.
• Produce outputs that clearly identify the efficient frontier, the impact of expenditure constraints, and trade-offs between IPs designed to mitigate the same risk event or similar risk events.

Selection and implementation of a prioritization model and supporting methodology, which is compatible with the optimization problem and the information and competencies available within the company, is critical to the success of the initiative. Obtaining professional guidance from knowledgeable experts may be a prudent course of action given the complex nature of decision theory.

Management of the Portfolio of Preferred Investment Proposals

Once the portfolio of preferred IPs has been approved for implementation the dedicated organizational unit responsible for the RFRAF must oversee the successful implementation. This includes making adjustments to the approved portfolio should unforeseen higher priority risks materialize or expenditure constraints change throughout the year. This requires:

• Establishing performance measures associated with the approved portfolio of IPs.
• Developing a redirection process for managing in-year changes to the approved portfolio of IPs.
• Reporting on portfolio progress to senior management and regulatory authorities.

Operational Risk Assessment Information

Experience with implementing the RFRAF indicates that the consequence information associated with operational risk assessments is typically the easiest to obtain within the company. These assessments typically involve identifying and mitigating risk events associated with the failure of a business process, asset, or supplier to deliver the required business result. These types of failure events, and the related causes, are usually well understood by operations staff within the company. They are therefore capable of describing the failure outcome in terms of the consequence impact on the KPIs or PIs. Operations-based staff are also good at identifying typical mitigation measures for managing the risk and how this will change the consequences from the “do-nothing” alternative. The challenge for operational risk assessments is to identify the probability or likelihood of occurrence. This usually requires reviewing failure rate and cause information from historical records and forecasting the expected probability of occurrence in the future. This imposes a more complex level of analysis on the historical information and the generation of new information related to quantifying the probability domain.

Strategic Risk Assessments

If strategic risk assessments are normally conducted within the business the incremental information requirements are typically similar to those for operational risk assessments, where again establishing the probability domain is the biggest challenge.

If strategic risk assessments are not normally conducted within the business or new strategic risk assessments are required, the incremental information requirements are likely to be materially increased. The new strategic risk assessments may require detailed new financial and business performance information.

The RFRAF requires planning for a new family of input and output information within the company. The input information is needed to conduct risk assessments performed by a portfolio of new methods, models, and processes that enable the identification, quantification, and mitigation of operational and strategic risks to the SBOs of the company. The output information of these new methods, models, and processes includes a variety of new information that must all be stored to maintain an effective audit trail for these critical business decisions. Output information includes probability and consequence information for each risk in relation to the KPIs, financial evaluations for establishing least cost IPs, validation that appropriate internal controls have been followed within and between organizational units, the portfolio of preferred IPs generated by the prioritization model, results of the validation review, documentation from any related workshops, and the approved portfolio of IPs, with supporting rationale.

Overall the implementation of a RFRAF can significantly increase the information requirements of a company and the COE-Team should therefore include a senior-level expert from the information technology field to ensure that these requirements are appropriately understood and accounted for while developing information technology plans.