JOSEPH P. TONEGUZZO
Director—Implementation & Approvals, Power System Planning, Ontario Power Authority
Optimal allocation of resources to maximize the probability of achieving the business objectives of an enterprise is a key deliverable of the business planning process undertaken annually by leading companies. This chapter describes a practical business framework for allocating resources, assumed in this chapter to be company expenditures, based on managing risks that jeopardize the successful achievement of company objectives. Resource allocation based on identifying and managing risks is a common business practice for enterprises that own, operate, maintain, and replace a portfolio of industrial or civil assets, such as energy, transportation, and hospitality sector companies and government entities responsible for managing public infrastructure. Although the discussion is focused on the optimal allocation of resources based on risk, the concepts have also been applied in businesses that focus on opportunities or a combination of opportunities and risks.
The Risk Focused Resource Allocation Framework (RFRAF) described is based on about a decade of best practice learning of this specific subject area by the electric power industry. This business sector has been studying, developing, implementing, operating, and improving risk-focused resource allocation processes to improve business performance, as part of the evolution of the industry toward competition. During the past 10 years, the regulated vertically integrated (generation, transmission, and distribution) businesses historically dominating this industry were unbundled in many global jurisdictions. The primary purpose of moving to this new business model was to stimulate competition between generators and drive efficiencies from the natural monopoly-based transmission and distribution functions, through more focused regulation in the sector. These changes in the business environment resulted in the electric power industry embarking on a series of international studies1 to establish and improve business models for the optimal allocation of resources to deliver the improved business performance demanded by the shareholders, regulators, and other stakeholders involved in this industry. To streamline the regulatory process, the regulated transmission and distribution businesses within this sector developed resource allocation frameworks having a high degree of transparency, consistency of results, and efficiency of execution. These attributes of transparency, consistency, and efficiency should be valued within the business planning model used by any enterprise. The international effort to study, develop, implement, and improve these business models and supporting decision-making frameworks is expected to be of value to any industry that must optimally dispatch finite resources to achieve company objectives.
The business framework discussed has been developed and refined by the electric power industry after considerable analysis of similar frameworks used in other large-scale regulated and competitive businesses. The elements of the framework are generic in nature and have been utilized in many competitive and regulated businesses to develop annual business plans that require the prioritization of expenditures to deal with:
Examples of such businesses include the oil and gas industry, facilities management, the hospitality sector, infrastructure services, fleet management, the airline and aerospace industry, the shipping industry, and a range of other businesses.
The chapter focuses on the key design elements of an effective RFRAF and includes a discussion of some key lessons learned while developing, implementing, operating, and improving the framework.
To facilitate the discussion, this chapter has been structured in accordance with the following six key components of the framework:
Also included are some practical lessons and best practices for managing the interdependencies between these key operational elements. Understanding these interdependencies is critical to the overall effectiveness of the RFRAF.
The RFRAF, which is discussed within this chapter, is a subset of both the higher level Enterprise Risk Management Framework (ERMF) and the corporate level Business Planning Framework (BPF). The ERMF is a corporate-wide, continuous process encompassing all aspects of the business, including the processes necessary for the ongoing management of risk in real time. The ERMF is therefore at a higher level than the RFRAF described in this chapter. The BPF is also a corporate-wide process that is typically conducted on an annual basis and includes setting the basic business assumptions to be used in all business evaluations within the company (such as cost of capital, inflation, external cost escalation factors, relevant exchange rates, growth projections, effects of competition, productivity targets, benchmarking).
Exhibit 12.1 shows the relationship between these major business frameworks and the RFRAF, which underpins these major corporate level business processes.
Risk management is the process whereby an organization systematically identifies, assesses, evaluates, manages, reports, and monitors risks on an ongoing basis to ensure that barriers to achieving the strategic objectives of the business are identified and managed, as necessary. The typical steps within a comprehensive risk management process are well documented within the literature on this subject.2
Two fundamental ingredients for the successful development and implementation of a RFRAF are:
In addition to outlining the overall risk management strategy and objectives, the corporate level risk management policy should also document the various risk-based definitions and the roles, responsibilities, accountabilities and authorities necessary to achieve the objectives of risk management. Risk has been defined as “the combination of the probability of an event and its consequence.”3
Based on this generally accepted definition, risk can therefore be considered a two-dimensional concept requiring an understanding of the probability of an undesirable event occurring and the expected consequence should the event occur. The corporate level risk management policy and the related policy implementation processes, procedures, and concepts must build on this definition and develop risk identification, assessment, evaluation, mitigation, and resource allocation methods and tools that are consistent with this definition. Subsequent sections in this chapter describe methods and tools that are founded on the basis of this important definition, which must be understood by all staff involved in the business planning effort.
Championing, developing, implementing, operating, and improving a RFRAF requires a substantial and sustained effort within the company. A critical first step in the development and implementation phase is the identification of staff from the senior management, middle management, and professional ranks of the company who are committed to participating in this initiative. The existence of a core group of staff from these various levels interested in championing and developing the required policies with the board of directors and executives of the company and developing/implementing the required enabling business processes is critical to the successful establishment of the RFRAF. Experience has shown that the COE does not need to be a specific organizational unit dedicated to this initiative. Given the need to spread the principles and knowledge of risk-based concepts throughout the company and the multidisciplined nature of risk assessments, the COE is most effective when it is comprised of staff who hold regular positions within the various line units. The members of the COE-Team must, however, allocate sufficient time to take on the additional responsibilities for overseeing the development, implementation, operation, and continuous improvement of the RFRAF. This dispersed COE-Team should also be formally constituted and meet regularly to develop and monitor the progress of implementation initiatives and to help overcome operational challenges or barriers associated with improvement initiatives. The COE-Team should also be involved in specific strategic and operational process steps, within the framework, such as updating the key decision factors used within the RFRAF, as the business environment changes. These key decision factors will be defined and discussed in more detail in the following sections. Experience has shown that this dispersed team, embedded within the various line units, can effectively act as champions and change agents for new processes and methods. Members of the COE-Team are also in a good position to identify new opportunities for improvement, train senior staff across the company, and promote new processes, methods, and models to senior management and working level professional staff.
The effective allocation of resources based on risk requires company staff responsible for business planning to understand the relationship between the business objectives of the company, the operational and strategic risks that may jeopardize the achievement of those objectives, and the risk-based concepts that enable the systematic identification, evaluation, and prioritization of the various risks. A primary design element of a RFRAF is a methodology that establishes the relationship between the strategic objectives, the operational and strategic risks of the business, and the risk-based concepts that enable identifying, quantifying, comparing, and organizing the various risks in order of importance.
The methodology typically used to establish these relationships is to involve the company leadership team in a workshop designed to develop the correlation between the strategic business objectives (SBOs), the detailed measures of success or key performance indicators (KPIs), and the degree of tolerance within the company for deviations from the KPIs, termed risk tolerances (RTs). This workshop is also used to inform the business leaders of the risk based concepts utilized within the RFRAF. Having a common understanding at the leadership level of the risk-based concepts is critical to the successful development of the framework. Experience has shown that utilizing a top-down process for establishing the degree of risk tolerance to shortfalls in attaining each specific KPI is an effective approach for determining the appetite for risk inherent within the company. The final product of the workshop is an information source that identifies and consolidates the relationships between the SBOs, KPIs, RTs, and the risk-based concepts. This product, termed the corporate risk matrix (CRM), provides critical risk-based information and indicators to facilitate identifying risks, conducting detailed risk assessments, and developing evaluation methods and models. The CRM also serves as an effective guideline enabling the consistent evaluation and prioritization of risks and is an excellent communication tool for use with line staff involved in business planning. Utilities in the electric power industry use products of this nature as an integral part of business planning.4
As indicated in the previous section, risk is “the combination of the probability of an event and its consequence.” The approach for establishing the relationships between the SBOs, KPIs, RTs, and risk-based concepts must therefore deal with these two domains of event consequences and probabilities.
Establishing KPIs linked to the SBOs has been a common business practice for effectively managing companies for many years. However, in order to effectively allocate resources based on risk, having the KPIs is not sufficient. It is also necessary to determine the degree of tolerance that the leadership team of the company has for deviations from each specific KPI. The higher the tolerance for deviations from KPIs the more the company may profit by avoiding expenditures and keeping costs low. However, inadequate expenditures in critical business areas increase the likelihood of missing KPI targets and the related SBOs critical to the mid-term to long-term success of the company. Therefore establishing the degree of tolerance to deviations from the KPIs, through the development of formal RTs, is a fundamental design element of the framework. See Exhibit 12.2.
As an example, the power industry described in the introduction may have the following five SBOs within the five-year business planning period:
These strategic objectives would need to be translated into specific reliability, efficiency, and profitability targets. These specific targets must be meaningful to the line staff responsible for assessing business risks in the operational time frame and identifying the work and expenditures required to mitigate unacceptable risks during business planning.
Exhibit 12.3 provides a sample breakdown of the linkages between the SBOs and the KPIs.
The RTs associated with each KPI are categorized into a number of consequence levels from minor to catastrophic. A good practice in developing the planning consequence levels is to use a five-point scale. Practical application of the framework has shown that using the five-point scale provides sufficient granularity of analysis and allows for adequate degree of freedom when describing the implications of each tolerance level and the related response required by the company under each situation, as follows:
Exhibit 12.4 outlines some representative RTs for three KPIs associated with Exhibit 12.3.
Exhibit 12.3 Strategic Business Objectives and Key Performance Indicator Relationship
Strategic Business Objective | Key Success Factor | Key Performance Indicator |
First Quartile Reliability | Improve overall system reliability by a% over the business planning period. | Reduce frequency of system outages by b% in Northern Service Areas and c% in Southern Service Areas. |
No Increase in Customer Rates | Improve productivity by d%, exceeding inflationary expectations with sufficient margin to meet net income targets. | Unit cost reduction e%/yr for all work programs. Work program accomplishment 100%. |
Increase Net Income by x% | Obtain regulatory approval for increased Return on Equity (ROE), based on benchmark studies of ROE in other jurisdictions and providing regulator with assurance of no rate increases. Reduce O&M expenditures by f% within 3 years. |
Successful regulatory filing for increased return on equity within next 2 years. 70% of O&M savings from consolidation of operations centers, work centers, and warehouses and 30% of savings from a maintenance optimization program to be implemented for all key asset groups over next 2 years. |
Maintain Public and Employee Safety | Stay within good historic safety levels experienced by the company. | Historical levels of frequency and severity of public and employee safety incidents do not degrade. |
Maintain Good Corporate Reputation | Public Profile—Positive industry, national, state, and local media attention on high level of service reliability, low rates, and good environmental performance. Employee satisfaction high; skills and competencies align with company requirements. |
At least one article per year in major industry publication, national, state, and local newspapers outlining high quality of industry performance in the areas of service reliability, low cost, and safety and environmental performance. Maintain satisfaction scores at high levels and all required employee training completed. |
The CRM is used by all staff involved in the business planning effort to assist in identifying risk events that may adversely impact the KPIs under a scenario where no incremental risk treatment is applied to the identified event. This is termed the “do-nothing” scenario. The CRM is also useful in assessing the adequacy and cost-effectiveness of risk mitigation alternatives/initiatives.
Experience with the application of the CRM indicates that some of the corporate level KPIs and related RTs do not always correlate well with the risks experienced by line staff responsible for the daily operation or annual planning of the business. In these cases, it has been found useful to develop another level of detail below the KPIs. These more detailed indicators termed planning indicators (PIs) provide working level staff with detailed measures that can be directly related to local or departmental level risks and understood by the operations or planning staff. In the utility example, the SBO for achieving first quartile reliability and the related KPI for improving overall service area reliability may not be meaningful to working level operations and planning staff. These staff members are only capable of identifying, assessing, and mitigating risks at the local area (subservice area) level. In these cases the KPI, developed by the top-down process, should be cascaded to a more detailed level to provide guidance for staff directly involved in the risk identification and mitigation effort. The following Exhibit 12.5 provides an example of how a KPI can be cascaded to a more detailed level.
Exhibit 12.4 Key Performance Indicators and Risk Tolerance Relationships
Key Performance Indicator | Risk Tolerance (Planning Consequences) |
Reduce frequency of system outages by b% in Northern Service Areas and c% in Southern Service Areas | Minor—Improvement only 75% of expectation Moderate—Improvement only 50% of expectation Major—No improvement from recent history Severe—Degrades below recent historical levels Catastrophic—Degrades below regulatory compliance level |
Unit Cost Reduction d%/yr for all work programs | Minor—Achieve 75% of expectation Moderate—Achieve 50% of expectation Major—No reduction from recent history Severe—Increases 5% above recent history Catastrophic—Increases 10% above recent history |
Work Program Accomplishment 100% | Minor—Achieve 90% of target Moderate—Achieve 80% of target Major—Achieve 70% of target Severe—Achieve 60% of target Catastrophic—Achieve 50% of target |
It should be noted that this more detailed level requires the availability of a reliability methodology, capable of establishing the required reliability contribution from local areas to the overall service area.
The SBOs, KPIs, PIs, and RTs should be reviewed annually as part of the routine initiation of the business planning process or whenever the business objectives are modified. Given that the RTs can be sensitive to changes in the business environment, it is also a good practice to review the RTs whenever a change to the operational or strategic business environment is identified by one of the lines of business. In the following electric utility example, if specific equipment failure rates began to increase (thereby effecting system reliability) and/or the regulator were to increase penalties for noncompliance of reliability performance, the RTs and PIs would need to be reviewed by the COE-Team.
Another good practice within this portion of the framework is to utilize the KPIs as part of the regular business reporting process. This ensures staff members involved in the process recognize that the risks they identify and manage within the framework directly influence the performance of the company. In addition, when company performance results in underachievement for specific KPIs, the corrective actions should be consistent with the threshold levels identified by the CRM. Maintaining this consistency and communicating it to staff validates the importance of the KPIs, PIs, RTs, and the framework to company staff. The consistent application of the risk framework also ensures resources are regularly adjusted to achieve the required performance results.
Exhibit 12.5 Key Performance Indicator/Planning Indicator/Risk Tolerance Relationship
Key Performance Indicator | Planning Indicator | Risk Tolerance (Planning Consequences) |
Improve frequency of system outages by b% in Northern Service Area and c% in Southern Service Area | Improve frequency of system outages by b% in Northern Service Area by improving the five local areas as follows: | Minor—Improvement only 75% of expectation Moderate—Improvement only 50% of expectation Major—No improvement from recent history |
Local Area 1—20% Local Area 2—10% Local Area 3—20% Local Area 4—30% Local Area 5—20% |
Severe—Degrades below recent historical levels Catastrophic—Degrades below regulatory compliance level | |
Improve frequency of system outages by c% in Southern Service Area by improving the four local areas as follows: | Minor—Improvement only 75% of expectation Moderate—Improvement only 50% of expectation Major—No improvement from recent history Severe—Degrades below recent historical levels | |
Local Area 1—25% Local Area 2—10% Local Area 3—25% Local Area 4—40% |
Catastrophic—Degrades below regulatory compliance level |
Risk analysis includes identifying events in the internal or external business environment, which could compromise the achievement of one or more business objectives. It is not sufficient however to simply identify undesirable events and the related business consequences. Risk analysis also requires determining the probability (or likelihood) of the event actually occurring within the discrete time frame being assessed. For the purpose of this discussion, the time frame of interest is the business planning period, typically between one and five years.
Exhibit 12.6 provides the categories and related probability levels typically used in business planning and risk prioritization processes. The probability scale for evaluating the likelihood of undesirable events occurring should provide both a sufficient range of probability categories and adequate distinction between the various categories. Experience and evaluation of good practices has determined that developing five categories of probability ranging from “Remote” to “Very Likely” provides a good range for segmenting undesirable events for the purpose of identifying, evaluating, controlling, and optimizing risks over the business planning period. Experience and evaluation of good practices has also established that the probability levels should range from less than 1 percent for the Remote category to about 90 percent for the Very Likely category.
Exhibit 12.6 Representative Categories and Probability Levels for Assigning Probabilities to Risk Events
Probability Categories | Expectation of Event Frequency in years | Probability in Any Given Year | Probability in Planning Period (5 years) |
Very Likely | > 1 in 2 | > 0.45 | > 95% |
Likely | 1 in 2 to 1 in 5 | 0.45 to 0.19 | 95% to 65% |
Medium | 1 in 5 to 1 in 20 | 0.19 to 0.05 | 65% to 25% |
Unlikely | 1 in 20 to 1 in 100 | 0.05 to 0.011 | 25% to 5% |
Remote | < 1 in 100 | < 0.011 | < 5% |
Consolidating the consequence and probability concepts described in the above sections results in identifying a two-dimensional “risk space” with event consequence represented on one axis and probability (or likelihood) represented on the other, as shown in Exhibit 12.7.
The policy discussed earlier should identify senior management as responsible for determining the level of unacceptable risk for each specific corporate level KPI. This is represented by the red (unacceptable risk) zone in Exhibit 12.7. Experience with the framework has shown that having senior management establish the unacceptable region of risk, and the actions that must be taken for intermediate risk levels, in advance of the development of the business plan is necessary for effective risk identification and analysis. Once the unacceptable region of risk is identified, any internal operational or external business events determined to be within this unacceptable region must be effectively controlled. The least cost risk mitigation alternative for effectively controlling “unacceptable events” will be scheduled as a nondiscretionary expenditure, within the associated expenditure prioritization process. Examples of unacceptable risks could include severe safety events, violations of mandatory regulatory requirements, and events resulting in catastrophic financial consequences.
It should be noted that the effectiveness of the overall framework is only as good as the accuracy of the methods and models used to quantify the likelihood and consequence of the various undesirable events and relating them to the KPIs. Given that some of the assessments may require the application of expert judgment, it is advisable to develop independent methods to validate the results of the bottom-up risk identification, mitigation, and prioritization process. The development of alternate methods to assist in validating the results of the detailed bottom-up risk identification, mitigation, and prioritization process will be discussed later in this section.
The overall purpose of the framework is to establish a prioritized list of expenditure plans that minimize the overall risk of the enterprise falling short of meeting its key goals and objectives. The development, sustainment, and continuous improvement of the CRM significantly contributes to the success of the RFRAF. The CRM provides:
As mentioned in the introduction, the RFRAF is a subset of the broader business planning framework and therefore must provide information required by this higher level business process.
The main process steps that must be completed as part of the RFRAF are outlined in the following seven steps:
The preferred alternative is selected for mitigating each risk event based on the highest Prioritization Index. These preferred alternatives become the Investment Proposals (IPs), which must be prioritized as part of the overall RFRAF, based on the highest risk-reduction impact to the SBOs per expenditure level.
Further details on the validation review and related tests are provided below:
In the electric utility industry, for example, models6 have been developed to establish long-term capital requirements based on assets reaching end-of-life and requiring replacement with equivalent facilities. The models use probability density functions to represent expected end-of-life ages for various asset groups. When these probability density functions are applied to the demographic profile of the asset base the expected level of asset replacement can be generated. Assuming like-for-like replacement and typical unit replacement costs enables the generation of mid-term to long-term forecasted capital requirements for specific asset groups. Conducting macro-level, long-term studies of this nature can also assist in identifying the risk to certain KPIs such as degradation in levels of system reliability as the system ages and equipment begins to fail. These types of assessments provide long-term forecasts of both the expected level of capital expenditures and the risk of delivery performance, using a completely separate long-term/top-down type of analysis. Comparing the results of strategic assessments of this nature to the results of the bottom-up annual risk analysis described earlier provides a valuable cross-check on the results. If the results of the two independent assessments can be reconciled, confidence in both approaches is increased. If the results do not reconcile, further investigation is warranted, including comparisons to the other validation tests mentioned earlier.
Exhibits 12.8 and 12.9 summarize the main elements in the process.
Experience with operating the process indicates that major efficiency gains can be obtained by identifying typical risk events and standardizing the consequence and likelihood assessments through the development of pick lists based on specific criteria, which can be selected by operations staff. In the electric power utility example for evaluating KPI risks associated with the frequency of system outages, it was found that a major reduction in evaluation effort could be achieved by correlating the frequency of system outages to standard equipment failure rates and certain generic system configurations. These correlations were observed from the initial risk assessments and resulted in the development of simple pick lists for the consequence and likelihood assessments, associated with the KPI for frequency of system outages. A major reduction in evaluation effort was achieved by providing Operations staff with simple pick lists for the consequence and likelihood assessments based on these correlations. This obviated the need for unique assessments for each occurrence of this risk event across the company. As experience is gained with the RFRAF, efficiencies of this nature begin to emerge, reducing the overall effort while improving the accuracy of the assessments.
A dedicated organizational unit should be established within the company to manage the routine operation of the business processes within the RFRAF. It should be noted that this formal organizational unit is distinct from the COE-Team mentioned earlier. The primary functions of the COE-Team are to develop the RFRAF, promote and launch the related implementation initiatives, oversee successful implementation, develop and monitor performance measures, and help develop and promote improvements. The purpose of the dedicated organizational unit is to operate the detailed processes, including establishing an information system and developing the required guidelines and procedures necessary for effective functioning of the annual process. The leader of this dedicated organizational unit should be a member of the COE-Team. Experience has shown that this dedicated organizational unit should be located within a business unit that does not have a stake in the outcome of the prioritization process. Examples of best locations include the finance function or a dedicated Investment Planning or risk function within the company. The dedicated organizational unit should be responsible for:
Experience in operating these processes indicates that the organizational hierarchy should be leveraged to ensure consistency in the identification of risk events and in the evaluation of their impacts on the SBOs, KPIs, and PIs. This is also the case for the development of the IPs designed to manage unacceptable risks. Having the managers and directors of the business units review and approve the risk evaluation templates and IPs developed by their expert staff serves to maintain some consistency in the identification and evaluation of risks between organizational units and/or geographic locations. This is a good practice, prior to submitting the risk-evaluation templates and IPs to the centralized business unit responsible for final prioritization. The centralized business unit responsible for prioritization should also develop a high-level expert responsible for reviewing risk scores submitted on all risk evaluation templates and IPs, in relation to historic evaluations and actual results from previous or similar evaluations. This practice ensures consistency across all business units within the company.
Exhibit 12.10 shows the typical business functions involved in the business planning processes, the span of the RFRAF, and the roles typically undertaken by the various organizational functions. Experience has shown that the process management role for the RFRAF should either be in the finance or investment planning functions.
This section describes the generic concepts, methods, and models that are used within the RFRAF to identify, evaluate, mitigate, prioritize, and manage risks.
As mentioned earlier, both operational and strategic risks must be evaluated by knowledgeable staff within the organization when identifying events with potential for unacceptable impacts (consequences and the related probabilities of occurrence) on the SBOs of the business. Operational risks are typically evaluated by expert front-line staff responsible for operating and managing the business. This includes maintenance, operations, and customer account staff who deal with daily/weekly/monthly issues in the management of the business. These resources are responsible for executing the near-term elements of the business plan (defined as the first two years of the business plan) and have knowledge of factors such as immediate maintenance requirements, demand exceeding the capability of systems to deliver, and/or customer satisfaction issues. Experience has shown that most long-standing companies have the required knowledgeable resources, detailed business processes, and supporting information systems necessary to conduct the near-term risk assessments that are an integral part of the RFRAF.
Strategic risks typically span a longer time period and are also likely to span the responsibilities of several organizations or disciplines within the company. Uncovering risks of this nature is important because it may be necessary to invest in controlling these risks within the period of the business plan to ensure the SBOs can be realized over the planning period. Experience with the framework has shown that middle- and senior-management staff members typically possess the multidisciplined knowledge and work in time frames consistent with these strategic risks. Therefore, this group of staff members are in the best position to identify these risks and the related mitigation alternatives. Many companies have also established an organizational unit responsible for proactively identifying, evaluating, and managing strategic risks. In the electric utility industry several regulatory jurisdictions have recognized the importance of managing strategic risks and the regulatory authorities require utilities to establish and formally submit long-term plans to ensure the prudent management of this critical public infrastructure.7 These long-term plans typically span about 10 years in recognition of the long lead times required to obtain approvals for new infrastructure and/or order and install major equipment. These plans also typically deal with risks associated with the aging of various fleets of similar assets, rather than the maintenance and replacement of specific assets, as is the case in the near-term evaluation mentioned earlier. Strategic risk evaluations of this nature can identify events that must be managed in the near-term (one to two years) or mid-term (three to five years) to prevent jeopardizing the achievement of SBOs over a much longer time frame (such as 10 years). The IPs developed to manage strategic risks must utilize the same template (and provide the same consequence and probability information for affected KPIs) as the operational risks and are subjected to the same prioritization process.
To effectively conduct a comprehensive risk evaluation, experience with the RFRAF indicates that it is useful to evaluate undesirable events in up to three distinct time frames: The near-term (defined as the first two years of the business plan); the mid-term (defined as years three to five of the business plan) and the long-term (defined as the period beyond five years). This should be accomplished utilizing company staff with specific knowledge of potential risks in these various time periods. As mentioned above, many companies also develop long-term strategic plans that contain information useful to the risk identification and evaluation process. Exhibit 12.11 illustrates the time frames of interest, the type of information provided for risk analysis and business planning, the basis for the risk information, and the level of analysis typically conducted in each time frame. It should also be noted that risk information in one time frame can be used to validate the risk assessments in an adjacent time frame or as a minimum inform the risk assessors of changing business circumstances and the effects on risk profiles over time. See Exhibit 12.11.
The overall risk-based process outlined earlier identified the importance of quantifying the probability and consequence imposed by critical risk events on each impacted KPI. Quantification of risk-event impacts on KPIs, through the use of appropriate methods and models is far more desirable than the use of qualitative or subjective approaches, which may be a combination of judgment and speculation. The accuracy of the methods and models used to quantify the probability and consequence impacts on the KPIs is a determinative factor in the overall effectiveness of the risk evaluation and mitigation process and possibly the success of the business. For this reason, significant effort should be focused on developing a portfolio of methods and models that enable the quantification of risk events in terms of each specific KPI or PI, to the extent practical.
These methods and models should be designed to enable quantification of KPI impacts associated with the “do-nothing” scenario for each risk event. They should also be capable of evaluating the KPI impacts for the risk-mitigation alternatives for the purpose of generating IPs. The electric power industry example discussed earlier identified the reduced frequency of unplanned system outages as a KPI for achieving the SBO of first-quartile reliability. To effectively quantify and manage risk a methodology and model should be put in place to quantify the impact on the frequency of system outages under a “do-nothing” scenario in the service territories. This method and model would also be used to identify the effectiveness of mitigation alternatives on the frequency of system outages in the service territories. The mitigation options that provide the required reduction in the frequency of system outages at the lowest cost will be submitted to the prioritization process described in the following section.
Experience with the RFRAF in the electric power sector indicates that a large portfolio of such methods and models must be developed to quantify the risk impacts on all critical KPIs. This includes methods and models for conducting operational risk assessments affecting the near-term (such as asset condition methods and models to evaluate the near-term risk of equipment failure) and strategic risk assessments impacting KPIs in the mid-term or long-term. The portfolio of methods and models must be capable of assessing a wide variety of risk factors (reliability, safety, environmental impacts, regulatory compliance, etc.) and deal with both technical and financial concepts.
As mentioned earlier, the prioritization model is designed to incorporate the input from all submitted IPs for the purpose of sequencing the proposals in an optimum manner to achieve the greatest risk reduction for the least relative cost. The resulting portfolio of preferred IPs represents the optimal scenario for achieving the SBOs in a least cost manner. A graphical representation of the output for a typical prioritization model appears in Exhibit 12.12. The model treats all IPs on a consistent basis and sequences the IPs from highest benefit to cost ratio to lowest. This approach enables the identification of what is known in the literature as the efficient frontier.
The IPs capable of producing the highest overall reduction in risk to the SBOs for the least overall cost would appear on the steep upward slope on the left portion of the graph. IPs of lower value would appear on the right portion of the graph where at the extreme end it may be observed that significant increases in expenditures produce little change in benefit. Output results of this nature are effective for establishing the cut-off points for projects (IPs) when expenditure constraints have been determined. The IP labeled “B” in Exhibit 12.12 would just make the cut-off point if a cost of 150 represented the upper limit of expenditures. The graphical representation also enables comparisons between alternative IPs designed to manage the same risk event. For example the IPs labeled “P,” “C,” and “B” in Exhibit 12.12 could all represent IPs designed to manage the same risk event. From the graphical output it can easily be observed that IP-P is the least effective alternative for managing this risk event, since IP-B can deliver higher benefits for the same cost and IP-C can deliver similar benefits at lower cost. In this example a judgment would be needed by the approval authorities to determine if the risk event should be mitigated under IP-B or IP-C. It should also be noted from this example that if expenditure constraints determined that IP-B was just beyond the level of affordability, this specific risk event would continue to be within the portfolio of preferred IPs (as IP-C) and receive funding for mitigation under a lower level of cost.
All prioritization models use some form of multicriteria decision analysis methodology (i.e., Multi-Attribute Utility Theory, Multi-Attribute Value Theory, Analytical Hierarchy Process) as the basis for the evaluation of inputs and there are many models available on the market.8 Care must be taken to select a model that is consistent with the information and competencies available within the company. Once a model is selected the related input process must be established.
The detailed theory associated with such models is beyond the scope of this framework-based discussion. However, there are several good in-depth papers on project prioritization and project portfolio management.9 In addition, regulatory authorities responsible for approving cost of service applications recognize the importance of prioritization methods and models in establishing the expenditure requirements of the utilities they regulate. They also value the transparency and consistency provided by these methods and models. As a result, regulatory authorities often require the submission of detailed information related to the prioritization approaches used by utilities. These submissions provide an excellent source of information related to the application of these business processes in a complex business environment.10
Overall, the prioritization model and supporting process must possess the following core capabilities:
Selection and implementation of a prioritization model and supporting methodology, which is compatible with the optimization problem and the information and competencies available within the company, is critical to the success of the initiative. Obtaining professional guidance from knowledgeable experts may be a prudent course of action given the complex nature of decision theory.
Once the portfolio of preferred IPs has been approved for implementation the dedicated organizational unit responsible for the RFRAF must oversee the successful implementation. This includes making adjustments to the approved portfolio should unforeseen higher priority risks materialize or expenditure constraints change throughout the year. This requires:
Experience with implementing and operating a RFRAF indicates that overall the framework requires the development, processing, and storage of a considerable degree of new information. This includes information associated with the following products and related assessments:
As mentioned above, detailed information for the RFRAF requires the provision of consequence and likelihood information for various risk events and mitigation plans, in relation to the KPIs. The incremental information required for the RFRAF varies significantly depending on the type of risk assessments under consideration.
Operational risk assessments and strategic risk assessments impose different incremental information requirements on the business.
Experience with implementing the RFRAF indicates that the consequence information associated with operational risk assessments is typically the easiest to obtain within the company. These assessments typically involve identifying and mitigating risk events associated with the failure of a business process, asset, or supplier to deliver the required business result. These types of failure events, and the related causes, are usually well understood by operations staff within the company. They are therefore capable of describing the failure outcome in terms of the consequence impact on the KPIs or PIs. Operations-based staff are also good at identifying typical mitigation measures for managing the risk and how this will change the consequences from the “do-nothing” alternative. The challenge for operational risk assessments is to identify the probability or likelihood of occurrence. This usually requires reviewing failure rate and cause information from historical records and forecasting the expected probability of occurrence in the future. This imposes a more complex level of analysis on the historical information and the generation of new information related to quantifying the probability domain.
If strategic risk assessments are normally conducted within the business the incremental information requirements are typically similar to those for operational risk assessments, where again establishing the probability domain is the biggest challenge.
If strategic risk assessments are not normally conducted within the business or new strategic risk assessments are required, the incremental information requirements are likely to be materially increased. The new strategic risk assessments may require detailed new financial and business performance information.
The RFRAF requires planning for a new family of input and output information within the company. The input information is needed to conduct risk assessments performed by a portfolio of new methods, models, and processes that enable the identification, quantification, and mitigation of operational and strategic risks to the SBOs of the company. The output information of these new methods, models, and processes includes a variety of new information that must all be stored to maintain an effective audit trail for these critical business decisions. Output information includes probability and consequence information for each risk in relation to the KPIs, financial evaluations for establishing least cost IPs, validation that appropriate internal controls have been followed within and between organizational units, the portfolio of preferred IPs generated by the prioritization model, results of the validation review, documentation from any related workshops, and the approved portfolio of IPs, with supporting rationale.
Overall the implementation of a RFRAF can significantly increase the information requirements of a company and the COE-Team should therefore include a senior-level expert from the information technology field to ensure that these requirements are appropriately understood and accounted for while developing information technology plans.
Given the importance of the RFRAF products, and the significant resource requirements necessary for the successful completion of the process steps, performance measures should be established to ensure the effectives of the framework and to identify areas requiring improvement. Some critical measures, which assist in managing the overall performance of the framework and identify areas needing improvement include:
Monitoring and managing to these performance measures facilitates the effective operation of the processes and the identification of process inefficiencies. Identifying the root causes for poor performance under these measures followed by the development of the corrective actions necessary to improve performance will continuously improve the effectiveness and efficiency of the RFRAF.
The allocation of resources based on risk requires the development, implementation, operation, and continuous improvement of a comprehensive business framework. This framework integrates critical knowledge, expertise, experience, and information available across the organization within a corporate-wide process, spanning all the major functions of the business. The development and implementation of the framework should be overseen by a COE-Team comprised of senior management staff from across all the major business functions involved in business planning and having an interest in the discipline of risk management.
The development and implementation phases require the establishment of SBOs, KPIs, RTs, and risk concepts. The framework also requires the development of methods and models for quantifying risk events to the best extent practicable. Where possible, industry-accepted methods and models should be utilized to enhance the credibility of the analysis. This is especially the case for regulated enterprises.
The effective functioning of the processes require the involvement of everyone from experienced senior management, having knowledge of the strategic business risks, to experts in the various line disciplines, who can identify and quantify the likelihood and consequences of credible operational risk events and determine the reasonable mitigation options. The successful operation of the process also requires the utilization of middle management, who possesses the knowledge and experience needed to provide a third-party opinion on the accuracy of the IPs submitted by their staff. This process step provides a critical control ensuring the projects are properly scored on a relative basis, prior to being subjected to the prioritization step.
The routine operation of the related business processes should fall under a dedicated organizational unit and the leader of this business unit should be a member of the COE-Team. The dedicated organizational unit and the COE-Team are collectively accountable for the success of the RFRAF and its continuous improvement.
The framework enables the integration of risk management and business planning bringing transparency, consistency, and traceability to the overall process. This combination of factors enhances the overall credibility of decision making within the company and regulated enterprises have seen success in defending revenue requirements when such a framework is in place.
The allocation of resources based on risk requires the implementation of a comprehensive integrated framework linking the SBOs to the strategic and operational risk events jeopardizing those objectives. The RFRAF facilitates the systematic identification and management of those risks by allocating limited resources where they provide the highest value. The framework represents a significant investment in resources, models, and information systems. However, if managed properly, the payback is nothing less than the long term success of the business.
Joseph Toneguzzo is the Director of the Implementation and Approvals Division, within the Power System Planning Group of the Ontario Power Authority, the government agency responsible for establishing and evolving the long term integrated plan for the electric power system within the Province of Ontario. He has been a Professional Engineer within the Province of Ontario since 1980 and has over 30 years of experience within the electricity industry. His career included working for Ontario Hydro and Hydro One holding professional and/or management positions within the operations, planning, asset management, and regulatory affairs functions. He worked on several provincial, national, and international industry task groups involved in system planning, asset management, sector development, and regulatory affairs, including representing Canada in these areas within the International Council on Large Electric Systems (CIGRE—Conseil International des Grands Réseaux Électriques) from 2004 to 2008. He has co-authored many industry publications in the areas of System Planning, Integrated Resource Planning and Asset Management/Risk Management, which have been published in various electricity industry publications including CIGRE, the Institute of Electrical and Electronics Engineers—IEEE Transactions on Power Systems, the Electric Power Research Institute, and the Canadian Electricity Association.
3.144.91.24