How power and utility companies can proactively manage risks in a new era of uncertainty

One of the core tools utilities use to proactively prepare for new and emerging risks is a trends-and-uncertainties framework that maps out the various challenges, based on the immediacy and scope of the impact:

• Uncertainties: Issues that have an impact on the sector as a whole or a specific utility but for which there is little information on the direction and pace of change. Examples of uncertainties include technology advancements, policy shifts, and potential regulatory change.

• Trends: Issues that have evolved to a point where visible patterns begin to emerge. Organizations may start determining whether the trend is a threat or opportunity and begin developing plans to mitigate, leverage, or just monitor it for further developments. Demographic shifts, customer expectations, or load changes are some of the examples of trends.

• Emerging risks: New, or evolving, risks that may have an impact on the organization but have not yet risen to an enterprise-risk level. Examples include the impacts of social media’s influence on brand perception, workforce shortages, and the effects of rising costs on the ability to meet increased demand.

These emerging risks require evaluation, monitoring, and—in some cases—preparation to enable agility and readiness if they materialize. Developing a watchlist of items may help identify new risks to be added to the enterprise risk profile. An emerging risk deemed consequential may be added to the enterprise risk taxonomy as a new risk or as an elevation of an existing risk that is tracked by the ERM program.

According to the roundtable discussion, many utilities are working to shift to a more proactive approach to identify and evaluate uncertainties and trends that may translate into potential enterprise risks. A “STEEP” framework is an approach that can help organizations outline social, technological, economic, environmental, and political trends and formalize the evaluation process for them (figure 1).

In the sections that follow, we explore a key set of “STEEP” trends that are affecting power and utility companies right now, and offer solutions and best practices based on the benchmarking discussion and survey results.

Social trend: Advancing risk culture to address complexity with speed and agility

A risk-intelligent culture is an ecosystem of interconnected attributes that shape the way employees think, what they say, and how they behave. A risk-intelligent culture can exist when employees’ understanding and attitude toward risk lead them to make appropriate risk-informed decisions and their actions are aligned with and support their organization’s strategy, business model, business practices, and risk tolerance. Some key characteristics of a risk-intelligent culture include:

• Commonality of purpose, values, and ethics;
• Universal adoption and application;
• A learning organization;
• Timely, transparent, and honest communication;
• Expectation of challenge;
• Individual and collective responsibility; and
• Understanding of the value of effective risk management.

Most responding organizations to Deloitte’s September 2024 Power and Utilities ERM survey have established a strategy for risk culture that aligns with their management and business priorities (57%). They promote a positive risk culture through regular training and awareness sessions, and leadership communications. Moreover, 41% conduct annual talent surveys, and 54% use a combination of data and surveys to gauge employee engagement and understand the organization’s risk culture. However, only 13% frequently leverage analytics to identify patterns of behavior within defined parameters.

Among spot poll participants, only 6% actively measure risk culture.

Periodic assessments of risk culture can help an organization understand opportunities for advancement, which may include both specific areas and parts of the organization. They can also help track the progress of cultural change. Risk culture influencers include the collective risk management competence of the organization, the motivation for people to manage risk, relationships between people in the organization, and the organization’s structure and values (figure 2).

A spot poll of participants at Deloitte’s roundtable identified risk competence as the influencer of greatest concern (figure 3).

Participants specifically homed in on awareness gaps between leadership and the rest of the organization and challenges with implementation amid competing priorities. To overcome these challenges, participants identified the need for organizations to create a compelling cultural expectation aligned with the organization’s mission, vision, values, and strategy. Levels of culture can include invisible beliefs reflecting subconscious assumptions; values more explicitly stating philosophies, principles, standards, and mindsets; and fully visible behaviors.

Activating behavior change begins with setting the “tone at the top” and “walking the talk.” It involves facilitating discussions to share the leadership’s concerns and provide inspiration to overcome identified obstacles. Leaders should have a forum to reflect on how to change their own behavior such that it embodies leadership principles. In a unified and aligned organization, employees know how to assess risk to achieve the organization’s cohesive mission, vision, and strategy.

A cultural diagnostic, interviews, and data analysis can help define gaps and desired attributes, as well as identify levers to enhance or minimize cultural attributes. The “future state” culture can then be activated through design thinking, agile executions, and culture enablement coaches, among other tools.

Enablers of continuous cultural improvement include:

1. Leadership commitment: Secure the buy-in and commitment of the leadership team, including executives and the board.
2. Communication: Communicate program goals to all stakeholders and proactively seek feedback.
3. Measurement and reporting: Establish an objective measurement of the organization’s risk culture, with both periodic assessments and ongoing data analytics integrated into monitoring and reporting processes.
4. Program management: Manage as a program of change, including coordination with other relevant change initiatives.

Risk culture shapes and is also shaped by risk tolerance and appetite, which should be evaluated on a scenario-specific basis, with a view to enterprisewide impact and dependencies. To take smart risks in a risk-intelligent culture, leaders should consider:

• Risk capacity: The amount of risk an organization can absorb.

• Risk appetite: The amount of risk an organization is prepared to accept in pursuit of its objectives. Risk appetite should be periodically reevaluated to understand changes in the overall risk profile; trends in regulatory or political and social landscapes; changes in management philosophy, industry, and peer performance; and other relevant factors.

• Tolerance thresholds: The quantitative indicators and triggers set to monitor the organization’s current risk exposure.

• Key risk indicators: The indicators that show an organization’s risk trending against its tolerance thresholds and the types of action that an organization can take to manage its risk exposure.

Having a defined and consistent risk appetite can help promote risk discussions, drive accountability, align with business objectives, prioritize the focus, and proactively monitor emerging challenges.

According to Deloitte’s September 2024 Power and Utilities ERM survey, however, most responding organizations (61%) do not have a defined risk appetite. Of those that do, 56% do not have a formal definition.

Among organizations with a defined risk appetite, 80% do so at the enterprise level, with 34% assigning the task of setting and reviewing risk appetite to the board of directors (versus 22% who assign it to the ERM team or senior management). Forty-four percent (44%) review this definition at least annually.

Furthermore, 67% of respondents measure their risk appetites both quantitatively and qualitatively, but an equal share is only somewhat confident about managing risk within their defined appetite. While the primary objective should be to drive directional alignment to develop decision-making guardrails, risk exposure can also be monitored using metrics that help indicate the overall performance of a specific risk, including the effectiveness of risk response plans. Criteria for identifying metrics include whether the data is readily available and whether it is a leading or lagging indicator.

Risk appetite should be viewed as a continuum that considers the organization’s relative willingness to take on risk in pursuit of value (figure 4). Tolerance thresholds are determined for each metric considering risk appetite. Considerations for setting thresholds include determining the acceptable target performance level and “upper boundary” threshold.

The biggest challenge roundtable participants report facing in “developing and/or operationalizing risk appetite or tolerance thresholds” is conflicting internal priorities (figure 5). 

Some practices to address common challenges in operationalizing risk appetite include:

• Documenting the intended value of risk appetite and risk tolerance thresholds and proactively communicating the desired value to executives.

• Starting “slow” by setting tolerance thresholds for areas where the organization is capturing key risk indicators.

• Piloting the creation of risk appetite for one area and involving executives throughout the process.

• Keeping a record of the process and embedding risk appetite and tolerance thresholds in strategy setting and executive reporting.

• Leveraging standardized risk rating criteria and risk taxonomy across risk groups.

Risk appetite and tolerance thresholds can help ERM managers hold business units accountable if they are breaching communicated thresholds. An organization can start small, piloting them in areas where it has existing key risk indicators, and review them periodically to assess their relevancy and effectiveness. It is also important to align risk appetite to risk response strategy based on data-derived insights. Figure 6 illustrates the process of setting risk appetite using the example of cybersecurity risk.

Technology trend: Integrating and leveraging AI tools

AI is already bringing transformative changes into the industry, providing better insights, faster workflows, and enhanced employee experiences. Leveraging it should include a preliminary assessment of available and desired data, followed by the development of effective prompt engineering and model fact-checking processes. Governance, training, and change management practices should also be prioritized throughout to promote the successful adoption of AI.

Use cases for AI capabilities from mature programs span grid and field operations, enterprise insights, and customer experience (figure 7).

As the digital revolution unfolds, ERM functions can leverage data tools that their organization is already using or developing to drive data-driven insights into risk trends. At the moment, most roundtable participants (62%) are leveraging both quantitative and qualitative approaches to evaluate risks, while 33% are leveraging only a qualitative approach. While a qualitative approach may be simple and more practical to adopt in some cases, a quantitative approach can yield a transparent, objective, and empirical framework to evaluate risk (figure 8). 

Auditable data-driven inputs can help ensure high transparency and minimize user bias. A risk quantification process and data management model can include design metrics that align with strategic objectives, data organized into one source of truth, impact quantification, uncertainty management, and opportunity seizing. An analytical solution is likely only as good as strong processes and governance.

AI automation can also help facilitate risk management processes. From intelligent automation, where a bot executes processes that require little human judgment, to generative AI, where algorithms can create new content (audio, code, images, text, simulations, and videos), analytics can be integrated into each step of the risk management life cycle (figure 9).

Most respondents to Deloitte’s September 2024 Power and Utilities ERM survey currently rely on manual processes (73%), while only 5% have fully automated most of their processes. For a majority of responding organizations (54%), automation is implemented in risk identification assessment and prioritization.

The spot poll of roundtable participants shows that AI is on their radar, particularly for monitoring, identifying, and reporting risks (figure 10). 

While AI can be a helpful in the ERM process, it can also introduce new risks related to use of the tool itself and could also have implications for the company’s environmental impact.

Environmental trend: Mitigating and preparing for extreme weather events

Environmental trends encompass changes to the physical world, and related targets that can influence an organization’s operations and business strategy. Common environmental risk owners include vice presidents for asset planning and delivery, operations, and safety, health, and environment.

According to the Deloitte roundtable participants, the climate is the environmental area of predominant concern for organizations, as the frequency and intensity of extreme weather events has grown. It has primarily impacted organizations through the increased cost of mitigation. Hazards that have caused material impacts on responding organizations’ businesses include: more frequent and powerful storms, extreme heat, severe flooding, wildfires, water shortages, severe drought, and rising sea levels.

Responding organizations are making their assets more resilient to these hazards by fortifying (27%), winterizing (18%), and elevating (13%) their assets, incorporating new materials (20%), and undergrounding power lines (18%). Only 2% are doing so through smart grid adaptation and updating and adapting standards, each.

Most organizations quantify climate risk (61%), and scenario analysis is the leading tool (30%), according to Deloitte’s September 2024 Power and Utilities ERM survey. A risk quantification approach for climate includes identifying risk themes, exploring risk tolerance, aligning on calculation, identifying data inputs, and determining top climate-related risks (figure 11). 

While 53% of roundtable participants reported their organization is leveraging metrics to assess climate impacts, 47% are not. One example of a climate metric is hydro generation. A below-average water level or the presence of drought, for example, could imply a potential risk to cash flow. Risk managers would also need to be mindful of double counting since some climate change impacts might also be captured in asset health.

Organizations may consider financial position, reliability, technology, internal stakeholders, and external stakeholders to determine enterprise-wide risk tolerance. Each of these categories includes several common risk factors. Climate is a common risk factor in the reliability category.

If left unaddressed, trends in this area can affect business continuity, supply chain management, and major project execution.

This includes poor quality control, noncompliance with standards, market and regulatory changes, and supply chain disruptions. The second most common pitfall was budget management, which included cost underestimation, uncontrolled spending, insufficient or disrupted funding, and lack of agility. The third was inadequate project governance, which encompasses inconsistent and delayed decision-making, siloed or inadequate information, and inability to measure success or progress.

Participants commonly evaluate their risk exposure to these aspects based on:

• Challenges encountered and mitigation efforts,
• Safety issues,
• Relationship conflicts with key stakeholders,
• Prior experience with project delivery,
• New technologies,
• Heavy reliance on third parties,
• Regulatory compliance, and
• Material cost.

Additionally, changes to trade policy can have major industry supply chain implications. The 10% tariff on Chinese imports and additional announced tariffs on various countries and products are expected to impact the costs of supplies for the sector by raising the price for solar cells, batteries, EVs, steel, and aluminum.⁴ Other economic trends that affect supply chains include strikes, climate impacts (such as the drought-limiting Panama Canal capacity), geopolitical instability (such as vessel attacks in the Red Sea), and global conflicts⁵(figure 13).

While few of the roundtable participants (5% of spot poll respondents) are currently integrating project risk management with enterprise risk management, doing so could offer a range of benefits. Applying a risk management lens to project management can help leaders drive value by proactively identifying, managing, and escalating project execution risks in a timely manner.

Project risk monitoring in ERM could also cover the schedule, financial performance, and changes. Data analytics can help shed light on project execution trends and their impact on the organization’s risk profile. ERM teams can also encourage a culture of speaking up to help proactively identify potential execution risks that may lead to significant impacts on the organization or key stakeholders. Indeed, ERM would be integral to formalized processes for escalation.

Risk, conformance, and performance monitoring should occur across these lines of action:

• Project risks: Assisting with identifying and monitoring project risks, sharing leading practices and communicating lessons learned in proactive project risk management.
  
• Groupwide risks: Overseeing and reporting on groupwide risks, defining business procedures and requirements, and providing objective assessments on a project’s progress and its risk management practices. This could also involve elevating specific projects, programs, and portfolios based on their impact on the organization.
  
• Governance: Provide independent and objective assessments on the adequacy and effectiveness of the company’s governance.

Using a “P3M” approach is one way to effectively manage transformational initiatives (figure 14).

1. Portfolio management is the centralized management of one or more portfolios to achieve strategic objectives for the enterprise. It involves using processes and techniques to analyze and collectively manage a group of current or proposed projects and programs.
   
2. Program management is the coordinated management of multiple related projects, which are often part of an overarching program. It focuses on achieving the program’s strategic objectives and benefits.
   
3. Project management is the application of knowledge, skills, tools, and techniques to project activities to meet project requirements. It involves initiating, planning, executing, monitoring or controlling, and closing projects (across scope, schedule, budget, quality, reporting, financials, risks-assumptions-issues-dependencies, and value management).

A P3M approach can help ERM teams more quickly identify sources of economic risk as utilities recast their role and supply chain amid industry convergence and geopolitical divergence.

Political trend: Regulatory and policy uncertainty

In a rapidly shifting landscape in both the United States and abroad, roundtable participants rightly identified policy as the greatest source of potential risk for organizations to track.

In the run-up to the presidential election, roundtable participants saw energy, climate, and sustainability policy (40%) as the public policy issue that would have the biggest impact on their companies over the next two to four years. The roundtable participants unanimously agreed there is an inherent tension between decarbonization, customer affordability, and resilience goals. With regard to decarbonization, a natural gas phasedown was a potential policy change that a majority of roundtable participants were closely following before the presidential election (figure 15).

The other key policy shifts that roundtable participants were concerned with were tax policy and regulations (15%)—and trade and tariffs and artificial intelligence (10%). 

With a change in administration, the alignment across federal, state, and local levels has shifted. While policy uncertainty remains, there are some areas of bipartisan agreement on industrial policy goals like strengthening economic competitiveness, national security, and resilience.⁶

On the other hand, policy shifts could also affect previous or anticipated investments. For example, 67% of the organizations that participated in Deloitte’s spot poll roundtable discussions have taken advantage of federal incentives from the Infrastructure Investment and Jobs Act and Inflation Reduction Act, the fates of which are now uncertain.

The locus of action in some areas may shift to the state level, which, according to 78% of the Deloitte roundtable participants, most significantly shapes policies that drive the energy transition. This includes climate disclosure activity at the state level, such as California’s laws requiring climate-related financial risk and scope 1, 2, and 3 emissions reporting for large companies operating in the state.⁷ Activities outside the United States can also have an impact. For example, the European Union Corporate Sustainability Reporting Directive reporting requirements apply to many non-EU companies that do business in the European Union, including US companies with EU subsidiaries that meet certain criteria.⁸

For ERM leaders, it’s less the shifts in policy and more the ongoing uncertainty that present the biggest political risks at this time.

Ushering in a new era with risk intelligence

Organizations are being forced to think differently, innovate, and make faster, data-driven decisions. With the growing complexity, costs, and social expectations, it behooves organizations to identify the potential drivers that may lead to rapid changes in the risk profile, including uncertainties and emerging trends. Risk officers who translate information into financial outcomes may be more likely to be perceived as invaluable business partners within an organization.

Advanced ERM capabilities can help organizations develop strategies and confirm successful execution. These capabilities also bolster internal and external confidence. And in this new era of uncertainty, power and utility companies need to have enough information and the foundational systems to project confidence to all stakeholders. In this sense, ERM is no longer about looking around only the next corner, but about the next two corners to help organizations protect and create value.

Methodology

Deloitte has hosted an ERM roundtable series for the power and utilities sector for the past 17 years. The primary goals of this series are to discuss lessons learned, identify trends, promote innovation, perform benchmarking, facilitate networking within the industry, advance risk management practices, and enhance the value of the ERM function.

On October 28–30, 2024, Deloitte assembled a roundtable of 30 ERM leaders from the power and utilities sector at FirstEnergy in Akron, Ohio, for peer-to-peer discussions and spot polls about the top challenges facing the industry and their approaches for managing enterprise risks.

In advance of the roundtable, Deloitte fielded a survey among the 30 participating organizations to benchmark key aspects their ERM program structure, scope, and budgets. During open sessions, participants discussed the results from the September 2024 benchmark and participated in spot polls to add more dimension to the survey results. They also shared details they plan to focus on to help elevate their ERM program. All results captured in the survey and the spot polling during the roundtable are anonymous.