What has made creating an integrated risk management system such a difficult process?
JV: Robust strategies for risk and compliance are necessary for controls against deficiencies in corporate governance and operational and financial inefficiencies, as well as for safeguarding the company’s assets, reputation, and ultimately, the interest of shareholders. However, most of these risk and compliance strategies are managed through isolated, manual processes and systems. This raises project costs, duplicates efforts across the enterprise, and deflects resources away from key business initiatives.
An integrated Governance, Risk and Compliance (GRC) approach helps to achieve sustainable integrated risk programs by facilitating the efficient use of risk information in strategic decision-making. Ensuring the usage of consistent terminologies and methodologies across departments encourages a risk-focused corporate culture. Furthermore, the integrated approach provides a comprehensive view of the organization’
Over the past 2 years, Constellation has transformed the way it thinks about and evaluates strategic risk. During the implementation phases of the system we sought to overcome a number of challenges, to list a few:
Each business unit had its own risk and control terminology and assessment criteria
Prior to the implementation of the GRC, each business unit used its own terminology and process to define and assess risks and controls. The lack of a common risk framework, definitions and rating methodology did not provide a unified perspective of risk. As a result, risk evaluation across the enterprise was disjointed and, in turn, hindered data aggregation and reporting to senior management. Furthermore, we gained consensus with the businesses to standardize likelihood and impact assessment values consistent with the enterprise-wide perspective.
Control functions duplicated efforts by reviewing similar, if not the same, risks and controls
Constellation Energy, similar to any company operating in a highly regulated environment, is subject to multiple compliance requirements, including NERC, FERC, SOX and other legal and regulatory mandates. Compliance with each of these regulations was managed independently by each department. There was no common platform unifying the processes or associated controls. Consequently, controls and other related efforts were unnecessarily duplicated across the enterprise. As a result of the integrated approach, we have gained agreement on common categories, definitions and framework of processes, risk, and controls, allowing identification and assessment of all areas of risk in a cohesive manner.
What have you learned from previous attempts of integrating risk buckets?
JV: Two important lessons learned were uncovered. First, it is essential that any company take a holistic approach to risk management. Second, management buy-in and agreement is of paramount importance.
A company focused on strategic risk management constantly assesses risk factors to ensure they reflect business realities. Risk management integration begins by defining the risk appetite of the company proportionate to strategic goals. The management committee defines the company’s appetite for risk exposures subject to board of director approval. It also defines what risk, how much risk, risk ownership and the timing of risk taking in support of the strategic plan. Risk assessments should be owned by the business with input from the functional support groups to assist in the identification and quantification of risks.
Creating this top-down and bottom-up approach to shifting the culture of risk identification and management throughout the enterprise is the key to success. Also, it is very important to educate individuals across the company to take responsibility for risk management, to understand how their risks aggregate, and to take the appropriate steps needed to bring risk levels to acceptable levels. It is incumbent on risk managers to demonstrate the value of integrated risk to each part of the business. Lastly, improving enterprise risk through enhanced communication and making information more readily and efficiently available is a must.
How does market risk factor into creating an integrated risk management system?
JV: To build and maintain an effective risk management framework, a company must continuously evaluate the risk landscape. Risks such as change in market liquidity, lack of price volatility, legislation changes, natural hazards and weather risk, and trader fraud are just a sampling of risks that any market risk manager must continuously evaluate. The risk manager with input from the experts across the enterprise must determine how to classify and quantify the impacts of these risks. For example, how are these risks categorized?
The market risk manager therefore becomes a key player during the Risk Control Self-Assessment (RCSA) process. The results of these types of assessments are aggregated and contribute to the priorities of the company.
How can an integrated system help measure risk effectively?
JV: By understanding the enterprise risk factors, a company can develop strategies to optimize controls, improve performance and reduce the negative impacts to the business. A simple, repeatable RCSA process creates a mechanism where each business unit and functional group identifies key processes and the risks that impact those processes, and assigns probability and impact estimates. Each risk is linked to mitigating controls and each control is regularly evaluated for effectiveness. The overall assessment process will lead to process effectiveness and efficiency by aggregating data and providing standard tools to evaluate across the enterprise. A common language of risks, controls and business processes ensures a cohesive integrated risk process, facilitates risk aggregation across business units, functions and the enterprise, and highlights interdependencies between risks and controls spanning numerous processes and functions. The technology solution empowers Constellation to institutionalize its RCSA methodology, which supports individuals across the company in ultimately taking responsibility for risk management.
In the end, it boils down to some general themes discussed earlier. The goal of any integrated risk management system is to increase transparency, standardize terminology and process all under a commonly accepted framework.
Marcus evans conferences annually produce over 2,000 high quality events designed to provide key strategic business information, best practice and networking opportunities for senior industry decision-makers.