Enterprise wide overview.
Developing a framework for risk management across energy companies can be a difficult task. Here some of the key components are summarized.
By Donald Mumma.
The quest for effective enterprise-wide risk management in the energy industry, to many market professionals, seems to be as elusive as finding Bigfoot.
There are a number of reasons for this. The rules of the game are changing fast, there is no common risk framework that can bring debate forward and company structures are rapidly changing. But through all of this, there are some common-sense truths that can help a company through the process.
Enterprise-wide risk management is about helping people make decisions and influencing how they behave. It has been said that you cannot manage what you have not measured. And risk is no exception. Most corporate disasters have come from not seeing the risk rather than having measured it wrongly.
To take just two well-known examples, both Proctor and Gamble and Orange County did not see the risk of the interest rate options they were writing, resulting in millions of dollars in losses. The profound effects risk management has had on the banking industry can be seen from the significant decline in the big accidents that used to occur in the past, such as the Chemical Bank options losses of the late 1980s, or the oil patch bet in the early 1980s that cost Continental Illinois and Penn Square Bank their corporate existence. So the question of what it costs to have good enterprise-wide risk management should be framed on the basis of what it costs not to have it.
Who should do it? It should start at the top. A company board of directors has to give guidance. And some outside board members should have the professional expertise and experience necessary to ensure management has established a risk management framework consistent with the strategic goals of the company. Senior management must not only organize and execute the business strategy, but it should have a scorecard for business unit performance tracking that includes risk.
The management reports of business units’ performance have not only profit and loss summaries and other key performance indicators such as return on investment, revenue and cost per head count, but they should also have risk measures such as risk-adjusted return on capital (Raroc), value-at-risk and credit risk capital. The independent reporting of risk measures, along with other financial reporting and the principles of separation of duties are important elements to consider in the organization of risk management. No matter how honest, capable and trustworthy your people are, you put them in a potentially compromising position, if they have the capacity to administer the scorecard that influences how they get paid and promoted.
What should be measured? Risk can be defined as the chance that an undesirable outcome occurs. Therefore, the business strategy, performance goals, risk appetite – sometimes called comfort – and organizational structure will influence the particulars of what is to be measured, but there are common elements to this.
What risks?
First, the types of risk need to be identified. This is a whole topic in itself, but the major categories of risk are market risk, credit risk, liquidity, legal and regulatory risks, operational risk, weather risk and fraud. Each of these areas can be broken down further into subcategories. For example, market risk could include commodity prices, currency exchange rates, interest rates, and equity values.
Second, you need to identify the business activity that gives rise to the risk classes and quantify the exposures and positions. The use of traditional accounting measures is a good starting point for this, but they do not capture all of the exposures. For example, credit risk is a multi-step process that starts with the current and potential credit exposure through time on a deal level, and then progresses to default and recovery on a portfolio basis.
Third, there is the need to quantify upside and downside sensitivities. This is the most difficult part of the process to master. It requires a great deal of data, the ability to organize it and a set of models that attempt to calculate different future outcomes under different sets of market and operating conditions. The key ingredients to achieving success in this area are technology and experienced personnel. They may come from inside the organization, but increasingly, they are coming from outside. The ‘big five’ accountancy firms – PricewaterhouseCoopers, Arthur Andersen, KPMG, Cap Gemini, Ernst
& Young and Deloitte & Touche, have significant risk management consulting practices that help in many of these areas. Others, such as Axiom, Measurisk and Cygnifi, have risk management outsourcing services that can satisfy many companies’ requirements.
Some examples of measures that can be used include value-at-risk, earnings-at-risk, cashflow-at-risk, and Raroc. Credit risk measures include the current exposure, maximum settlement exposure, potential future exposure – including netting and collateral – and expected, unexpected and worst-case losses due to default.
The next question to ask is: when should risk be measured? The short answer to this is as often as management needs to be able to make decisions on how to manage the risk. If significant risk exposures change daily because of business activity, risk should be measured daily. If they change more passively, then weekly or monthly measurement may be more appropriate. The question of frequency is itself a dynamic one. Changes in market conditions or rules of the game will influence frequency, but the main point is for risk measures to help people make decisions that will prevent undesirable outcomes from occurring.
The threat of continued accidents in the electricity markets, such as the losses from the June 1998 Cinergy spike, extraordinary market volatility and rapid changes in regulation make the imperative of enterprise-wide risk management a matter of survival in most circumstances. For a few, it is already a matter of competitive advantage.
Donald Mumma
Managing director of Axiom Software Laboratories, based in New York. e-mail:don@axiomsl.com
Reprinted with the permission from Energy Power Risk Management • October 2000
| 
