ENTERPRISE RISK MANAGEMENT in Indian Power Companies Part 2

The Indian power sector, even as it grows exponentially, continues to face challenges from technical, social, and geo-political factors affecting the viability of the companies and even the sector as a whole. This article provides an analysis of the current risk management practices in the Indian power sector based on the data shared by some notable utilities and also that available in the public domain. The article highlights the need for all the stakeholders to have an effective Enterprise Risk Management (ERM) to deal with the risks and at the same time take advantage of the tremendous growth potential presented by the government’s initiatives to reform the sector. It is our expectation that this article will raise the awareness of all those involved on the benefits of ERM...

Regulatory requirements in risk management

In India, there is no legal mandate yet to incorporate enterprise risk management in non-financial companies. However, provisions under different laws, when considered in totality, make a push for a robust risk management programme. Here is a brief overview of various legal provisions.

The Companies Act 2013 in India mandates that companies implement a risk management framework. Here is a summary of the key requirements:

  • Board Responsibility: The Board of Directors is responsible for developing and implementing a risk management policy for the company.
  • Disclosures: The Board’s report must include a statement outlining the developed and implemented risk management policy.
  • Independent Review: The role of the company’s audit committee includes evaluating the effectiveness of the risk management systems.

The SEBI LODR (Listing Obligations and Disclosure Requirements) regulations complement the Companies Act by mandating specific disclosures and emphasizing the Board’s role in overseeing risk management for listed companies.

The Central Electricity Authority (CEA) of India issued the “Guidelines on Cyber Security in the Power Sector” in 2021. These guidelines are mandatory for all “Responsible Entities” in the power sector.

Despite the obvious need for growth and indications of supportive public policies, the power companies have not been able to seize the opportunities in the market. A lot of it is due to policy issues such as lack of regulatory clarity and lax enforcement.

In this article, however, the focus is on the risk management practices of individual power companies. As per our analysis, there are several risks that need to be better managed at the individual company level. The first step is for each company to understand its own risk profile and manage it well before it can exploit the opportunities. Some notable risks in the Indian power sector are:

  • Project delays and cost escalation
  • Inadequate fuel supply / Inefficient fuel linkages
  • Land acquisition and permit risks
  • Regulatory Changes
  • Geo-political risks
  • Non-Performing Assets (NPAs)
  • High AT&C losses
  • Financial risks due to delays in payments/ non-payments by consumers to DISCOMs, who in turn default to the generating companies
  • Contractual risks
  • People (HR) risks
  • Climate risks

These risks can be categorised as strategic, financial, operational and regulatory risks. Implementing a comprehensive enterprise risk management framework will help identify such risks and work out mitigation measures, while exploiting the opportunities through innovation and strategic decisions.

The role of Enterprise Risk Management (ERM)

ERM is a ‘holistic’ framework that organizations use to identify, assess, and manage risks that could potentially hinder their ability to achieve their objectives. The core notion of ERM is to adopt a portfolio approach to managing risks. ERM promises to lower the firm’s total risk by building resilience against systematic failures and monitoring growth opportunities, to optimize performance, and consequently to increase a firm’s value and longevity. The key aspects of ERM include:

Focus:

  • Takes a comprehensive view of all potential risks faced by an organization, rather than focusing on isolated risk silos within departments.
  • Considers both internal and external risks, encompassing financial, operational, strategic, reputational, and other potential threats.

Process:

  • Involves a structured process with several key steps, namely Risk Identification, Risk Assessment, Risk Prioritisation, Risk Mitigation, Risk Monitoring and Risk Reporting.
  • These are all ongoing processes, and the ERM program needs to adapt to them. Reports will keep stakeholders updated on the current and emerging risk profiles.

Global Standards:

Two of the important global standards that have influenced the framework of ERM are defined below:

COSO (Committee of Sponsoring Organizations of the Treadway Commission):

ERM, according to COSO, is “a process, effected by an entity’s board of directors, management, and other personnel, applied in a strategy setting and across the enterprise, designed to identify potential events that may affect its value and implement risk management strategies to manage risk to be within its risk appetite.”

ISO 31000:

Unlike COSO, which outlines a specific process, ISO 31000 offers a framework for organizations to design their own ERM system. It emphasizes principles and guidance for effective risk management.

Both COSO ERM and ISO 31000 offer valuable approaches to ERM. Both are non-mandatory and typically provide the same basic components of implementation. Having implemented ERM programs in multiple companies both in the power sector and in the retail sector, it is our recommendation to take an eclectic approach to implementing a fit-for-purpose ERM program. The key is to define the goal of the program and take a phase-wise approach for the best experience.

Benefits of ERM 

ERM is more than just managing risks, as it also provides strategic inputs to the decision-making process. It helps navigate uncertainties with confidence, and empowers business leaders to take appropriate risks within the boundaries of the company’s risk appetite as they pursue growth and long-term success.

Several other studies link ERM with increasing firm value. Aon’s 2020 Global Risk Management Survey found that companies with mature ERM programs reported higher profitability and shareholder returns compared to those with less mature programs. PwC’s 2019 State of Risk Management Survey indicated that organizations with strong risk cultures outperform their peers on various financial metrics.

An ERM program can be a valuable tool for energy companies. By proactively managing risks, energy companies can improve their decision-making, operational efficiency, and overall resilience, leading to long-term success in a dynamic and uncertain environment. The value of ERM has been recognized globally and several energy companies have implemented it in western countries. There are also other benefits of establishing an ERM programme, as explained below:

Improved Board Governance

Increasingly, boards are asked to understand the risk profile of the companies both in the short-term as well as in the long-term. Increasingly, board members are being held personally liable for failure of risk management. In our experience, boards need clarity around the following questions:

a) Value of the enterprise

  • Value protection: What is the organisation doing to protect its value? Value leakage can be due to operational inefficiencies, loss of pricing power, loss of demand, supply chain vulnerability etc. The management would be best served if they have a clear idea about the value leakage risks and the strategy to mitigate them.
  • Value enhancement: What is the organisation doing to enhance its value over a certain timeframe? Typically, an organisation would have a strategic vision to ensure growth; what strategy has been selected and why; what risks are being added to the risk profile of the organization due to the strategic initiative.

b) Reputation of the enterprise

  • What is the organisation doing to build and protect its reputation? Increasingly, reputation is becoming a risk by itself, meaning that it is not enough just to do things right. This is more so in the digital age where news travels almost instantaneously.
  • Companies will need to be a lot more proactive and deliberate in managing their reputation on an on-going basis. That means they will need to understand the expectation of all their stakeholders including the public at large, be mindful about navigating through them and finding the optimal trade-offs. To quote Warren Buffett ‘it takes twenty years to build a reputation and five minutes to ruin it’.

c) Resilience of the enterprise

  • Calls for management to keep in view long term implications of current decisions to ensure its long-term survival. This calls for identification of resilience risks and their mitigation.

Informed Risk Taking

Every organisation faces several risks as it conducts its business. Not all risks can be eliminated, nor should the strategy be to mitigate every risk that there is since the cost of mitigation can potentially outweigh the benefits. Traditionally, there are four different ways to mitigate risks: avoid, mitigate, transfer and accept. However, companies must also get better at savvy risk taking.

Being too risk averse has caused many companies to fail. Taking too little risk can be more damaging than taking too much risk. Power companies are dealing with multiple uncertainties as they aim to exploit tremendous opportunities for growth. As we have indicated earlier in this article, companies will need to innovate constantly to stay ahead of the curve and innovation involves risk. So, it is imperative that they become adept at calculated risk taking.

In a highly dynamic and complex business environment, decisions will need to be made with insufficient information and will need to be made quickly. A properly designed and implemented ERM program can help organizations make robust optimal risk-return trade off decisions. A key element of the ERM program is the implementation of a risk appetite framework. As the word ‘appetite’ implies, companies will need to create a culture where risk taking is encouraged within a stated set of guidelines.

That said, the risk appetite framework is not easy to implement. It needs to be supported by other risk management components, such as a comprehensive risk taxonomy, robust risk identification and assessment processes, data and analytics capabilities, and a risk aggregation and prioritization logic based on risk materiality. Risk appetite needs to be integrated into risk governance, risk reporting, risk decision-making and risk mitigation activities.

Based on the experience of one of the authors, a former CRO of large utilities, the risk appetite framework, when implemented and executed successfully, moves the risk management program towards playing offense instead of defence. This requires a significant paradigm shift both in case of the executive leadership as well as the risk professionals.

a) Identification of Emerging Risks

  • Many experts agree that we live in a VUCA world; that is, a world characterised by Volatility, Uncertainty, Complexity and Ambiguity. An ERM program serves as an ongoing process of identification and assessment of the risks rising on the horizon, otherwise known as emerging risks. This includes understanding risks inherent in the company’s strategic plans, risks arising from the competitive landscape and the potential for technology and other developments to impact the company’s profitability and prospects for sustainable, long-term value creation.

b) Sustainable Long-Term Planning

  • A robust ERM program encourages a long-term perspective in decision-making. This could involve investments in renewable energy sources, grid modernization projects, or cybersecurity upgrades.

ERM value realization – a Hydro One case study

Hydro One, a Canadian electricity transmission and distribution company, is a prime example of how ERM can significantly benefit an energy company. The following case study of Enterprise Risk Management (ERM) from Hydro One illustrates how the values of ERM detailed above were realized.

Challenges and Shifting Risk Profile

In the early 2010s, Hydro One faced a changing landscape. Deregulation of electricity markets, the rise of renewable energy technologies, and growing climate change concerns presented new threats and opportunities. The CEO, Laura Formusa, recognized the need to reassess Hydro One’s risk profile and adapt its strategy accordingly.

Implementing ERM

  • Hydro One became an early adopter of ERM. They established a comprehensive risk management framework that identified, assessed, and prioritized potential risks across the organization.
  • This framework considered various aspects, including:

a. Operational risks (e.g., power outages, equipment failures)

b. Regulatory risks (e.g., changes in environmental regulations)

c. Financial risks (e.g., fluctuations in energy prices)

d. Market risks (e.g., competition from renewable energy sources)

Outcomes delivered

  • Improved Strategic Decision-Making: By having a clear understanding of potential risks, Hydro One could make more informed decisions about investments, market opportunities, and long-term strategies.
  • Enhanced Operational Efficiency: ERM helped identify areas for improvement in risk mitigation and operational processes, leading to a more efficient and reliable power grid. This led to stronger overall business resilience in the face of a changing energy landscape.
  • Increased Resilience: The company became better prepared to handle unforeseen events and adapt to a changing market environment.
  • Positive Reputation and Investor Confidence: A robust ERM framework showcased Hydro One’s commitment to responsible management and risk mitigation, potentially leading to a more positive reputation and increased investor confidence.
  • Improved financial performance: Hydro One’s proactive approach to risk management has been credited with contributing to higher revenue returns, enhanced credit rating and increased investor confidence.

Conclusion

Companies in the Indian Power Sector now have unprecedented opportunities thanks to the sustained economic growth but have to deal with various risks such as threats from political actions on tariffs and social challenges including thefts. The regulatory mechanisms are also evolving to force companies’ management to be more accountable to their stakeholders. These call for companies to improve practices in all areas, forcing them to address risks in every area of the enterprise; an ERM is a proven tool to mitigate fallouts from risks. ERM is not yet mandatory, but not implementing it could lead to adverse consequences.

Risk management can be costly when over-applied, both in terms of direct and indirect costs. For instance, an excessive cyber risk management program can take on a life of its own, requiring significant investments in various tools to prevent cyber risks without considering the firm’s business realities and the true impact of a potential cyber event. At the same time, it can hamper productivity by slowing down computers and logins. Hence the need to take a pragmatic approach so that a balance between costs of mitigating actions and potential losses is achieved by analyzing the risk profile appropriately.

A strong ERM program prepares for severe and plausible scenarios, while tolerating limited mishaps, by using the risk appetite framework. ERM can help companies define their risk appetite, exploit new opportunities, manage challenges and make optimal risk-reward trade-off decisions. They can then make informed choices that align with the overall risk management strategy. To cite an analogy: One can drive without a GPS but the question is – should one? ERM is essentially like a GPS for the management. Hence, we cannot overemphasise the need for every entity to have a comprehensive ERM in place – even to make it legally mandatory – if the full benefit of this major opportunity is to flow to all stakeholders.

            Concluded


K Ramakrishnan is an alumnus of IIT, Madras, IIM, Ahmedabad and NUS, Singapore. He served as the Executive Director of NTPC, before taking up the role of Chief Executive of STI Power. He also had an illustrious career at Rolls Royce and Siemens in Singapore. He has deep expertise in various aspects of the power sector in India. Ramakrishnan currently lives in Melbourne, Australia.

Soubhagya Parija, MA (Econ), JNU, MBA (Fin), Indiana University, Harvard Business Analytics Program (HBAP), Harvard University, has served as the Chief Risk Officer at FirstEnergy Corporation, a US-based utility. Prior to that he was the Chief Risk Officer at New York Power Authority. Before relocating to the USA, Soubhagya has worked in various capacities in NTPC. He is a seasoned risk professional and academic. He recently taught enterprise risk management at Columbia University, New York. He has served on the Board of Risk and Insurance Management Society (RIMS). He currently lives near San Francisco, USA.

Jayant Sinha is an Engineer, PGDBM, Accredited Management Teacher and Level 5 Certified Energy Professional. He has served both the public and private sector in business transformation programs, offering engineering, consultancy, project management and capacity building services in the areas of smart metering, smart grids, power automation, renewable energy and sustainability. He has worked on international projects across India, UK, Spain, NA and ME involving SCADA/ DMS/ EMS, GIS, SAP-ISU, IoT, AI/ ML, and Cybersecurity. He also manages a blog: https://jayantsinha.wordpress.com.
