Risk management isn’t just about being compliant. It affects broader business strategy, including operations, finance, customers, and overall brand and reputation. The stakes are high for power and utility companies right now: regulatory uncertainty, technological innovation and disruption, extreme weather events, stakeholder activism, and a surge in energy demand have created a complex risk environment that leaves energy providers little room for missteps.
A proactive enterprise risk management (ERM) strategy can help power and utility companies meet these emerging expectations, while delivering on regulatory requirements and pursuing growth opportunities. ERM can help support organizational success by measuring a strategy’s effectiveness, demonstrating its relevancy, contributing to its performance, and reinforcing confidence in its purpose. ERM teams can also offer an unbiased view, challenge status quo thinking, and promote forward-looking insights.
Proactive ERM starts with a grasp of emerging risks. Yet few organizations have strong, formal emerging-risk processes. According to Deloitte’s Power and Utilities ERM survey,1 58% of respondents do not have a standard process for identifying and tracking emerging risks, and 21% have no structure around this process at all.
In October 2024, Deloitte assembled a roundtable of 30 ERM leaders from the power and utilities sector,2 for peer-to-peer discussions and spot polls about the challenges they face and their approaches for managing enterprise risks. The discussion also incorporated results from Deloitte’s September 2024 Power and Utilities ERM survey, which reflected input from these companies before the roundtable (see methodology).
One of the core tools utilities use to proactively prepare for new and emerging risks is a trends-and-uncertainties framework that maps out the various challenges, based on the immediacy and scope of the impact:
These emerging risks require evaluation, monitoring, and—in some cases—preparation to enable agility and readiness if they materialize. Developing a watchlist of items may help identify new risks to be added to the enterprise risk profile. An emerging risk deemed consequential may be added to the enterprise risk taxonomy as a new risk or as an elevation of an existing risk that is tracked by the ERM program.
According to respondents to Deloitte’s September 2024 Power and Utilities ERM survey,3 responsibility for managing emerging risks falls squarely within the remit of the ERM function (80%). In half of the responding organizations this responsibility is shared between the ERM team and business units, while 30% assign it exclusively to the ERM team.
According to the roundtable discussion, many utilities are working to shift to a more proactive approach to identify and evaluate uncertainties and trends that may translate into potential enterprise risks. A “STEEP” framework is an approach that can help organizations outline social, technological, economic, environmental, and political trends and formalize the evaluation process for them (figure 1).
In the sections that follow, we explore a key set of “STEEP” trends that are affecting power and utility companies right now, and offer solutions and best practices based on the benchmarking discussion and survey results.
A spot poll of participants at Deloitte’s roundtable identified risk competence as the influencer of greatest concern (figure 3).
Participants specifically homed in on awareness gaps between leadership and the rest of the organization and challenges with implementation amid competing priorities. To overcome these challenges, participants identified the need for organizations to create a compelling cultural expectation aligned with the organization’s mission, vision, values, and strategy. Levels of culture can include invisible beliefs reflecting subconscious assumptions; values more explicitly stating philosophies, principles, standards, and mindsets; and fully visible behaviors.
Activating behavior change begins with setting the “tone at the top” and “walking the talk.” It involves facilitating discussions to share the leadership’s concerns and provide inspiration to overcome identified obstacles. Leaders should have a forum to reflect on how to change their own behavior such that it embodies leadership principles. In a unified and aligned organization, employees know how to assess risk to achieve the organization’s cohesive mission, vision, and strategy.
A cultural diagnostic, interviews, and data analysis can help define gaps and desired attributes, as well as identify levers to enhance or minimize cultural attributes. The “future state” culture can then be activated through design thinking, agile executions, and culture enablement coaches, among other tools.
Enablers of continuous cultural improvement include:
Risk culture shapes and is also shaped by risk tolerance and appetite, which should be evaluated on a scenario-specific basis, with a view to enterprisewide impact and dependencies. To take smart risks in a risk-intelligent culture, leaders should consider:
Having a defined and consistent risk appetite can help promote risk discussions, drive accountability, align with business objectives, prioritize the focus, and proactively monitor emerging challenges.
According to Deloitte’s September 2024 Power and Utilities ERM survey, however, most responding organizations (61%) do not have a defined risk appetite. Of those that do, 56% have not formalized that definition.
Among organizations with a defined risk appetite, 80% define it at the enterprise level, and 34% assign the task of setting and reviewing risk appetite to the board of directors (versus 22% who assign it to the ERM team or senior management). 44% review the definition at least annually.
Furthermore, 67% of respondents measure their risk appetite both quantitatively and qualitatively, but an equal share is only somewhat confident about managing risk within their defined appetite. While the primary objective should be directional alignment that provides decision-making guardrails, risk exposure can also be monitored using metrics that indicate the overall performance of a specific risk, including the effectiveness of risk response plans. Criteria for selecting such metrics include whether the data is readily available and whether the metric is a leading or lagging indicator.
Risk appetite should be viewed as a continuum reflecting the organization’s relative willingness to take on risk in pursuit of value (figure 4). Tolerance thresholds are then set for each metric in light of that appetite. Setting a threshold means deciding both the acceptable target performance level and the “upper boundary” beyond which the exposure is no longer acceptable.
The biggest challenge roundtable participants report facing in “developing and/or operationalizing risk appetite or tolerance thresholds” is conflicting internal priorities (figure 5).
Some practices to address common challenges in operationalizing risk appetite include:
Risk appetite and tolerance thresholds give ERM managers a basis for holding business units accountable when they breach communicated thresholds. An organization can start small by piloting thresholds in areas where it already has key risk indicators, then review them periodically to assess their relevance and effectiveness. It is also important to align risk appetite with the risk response strategy, based on data-derived insights. Figure 6 illustrates the process of setting risk appetite using the example of cybersecurity risk.
AI is already bringing transformative changes into the industry, providing better insights, faster workflows, and enhanced employee experiences. Adopting it should begin with a preliminary assessment of available and desired data, followed by the development of effective prompt engineering and model fact-checking processes. Governance, training, and change management practices should also be prioritized throughout to promote the successful adoption of AI.
Use cases for AI capabilities from mature programs span grid and field operations, enterprise insights, and customer experience (figure 7).
As the digital revolution unfolds, ERM functions can leverage data tools their organization is already using or developing to derive insights into risk trends. At the moment, most roundtable participants (62%) use both quantitative and qualitative approaches to evaluate risks, while 33% use only a qualitative approach. A qualitative approach may be simpler and more practical to adopt in some cases, but a quantitative approach can yield a transparent, objective, and empirical framework for evaluating risk (figure 8).
Auditable, data-driven inputs help ensure transparency and minimize user bias. A risk quantification process and data management model can include metrics designed to align with strategic objectives, data organized into a single source of truth, impact quantification, uncertainty management, and the pursuit of opportunities. An analytical solution is only as good as the processes and governance behind it.
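The two ideas above, a quantitative evaluation of a risk and a risk-appetite continuum with a target level, a tolerance threshold, and an upper boundary (figures 4 and 6), can be joined in a few dozen lines. The following is an added example, not code from the original article or from any Deloitte tool: it quantifies one constructed cyber risk scenario by Monte Carlo simulation (event frequency modeled as Poisson, per-event loss as lognormal, both modeling choices assumed here) and then places the simulated 95th-percentile annual loss on a constructed appetite continuum. The scenario figures, threshold values, and all function and constant names are assumptions made for illustration; only the Python standard library is used.

```python
"""Quantify one cyber risk scenario by Monte Carlo simulation and compare the
result with a risk-appetite continuum (target / tolerance / upper boundary).

Hypothetical, constructed example: the scenario, the loss figures and the
appetite thresholds are illustrative, not survey data.  Standard library only.
"""
import math
import random
import statistics
from dataclasses import dataclass

Z90 = 1.2815515655446004  # 90th percentile of the standard normal distribution

# Status codes returned by appetite_status(), from best to worst
WITHIN, MONITOR, ACT, ESCALATE = "within", "monitor", "act", "escalate"


@dataclass(frozen=True)
class Scenario:
    """A loss-event scenario expressed in terms an analyst can calibrate."""
    name: str
    events_per_year: float   # expected event frequency (Poisson mean)
    loss_median: float       # per-event loss, median (USD)
    loss_p90: float          # per-event loss, 90th percentile (USD)


@dataclass(frozen=True)
class Appetite:
    """Tolerance thresholds for one metric, read left to right on the continuum."""
    metric: str
    target: float          # acceptable target performance level
    tolerance: float       # tolerance threshold: business unit must respond
    upper_boundary: float  # hard limit: escalate to ERM / the board

    def __post_init__(self):
        if not (0 <= self.target <= self.tolerance <= self.upper_boundary):
            raise ValueError("need 0 <= target <= tolerance <= upper_boundary")


def lognormal_params(median, p90):
    """Convert a calibrated median and 90th percentile into lognormal (mu, sigma)."""
    if not 0 < median < p90:
        raise ValueError("need 0 < median < p90")
    mu = math.log(median)
    sigma = (math.log(p90) - mu) / Z90
    return mu, sigma


def poisson(rng, lam):
    """Knuth's algorithm; adequate for the small event rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(scenario, years=20000, seed=7):
    """Return one simulated annual loss per simulated year (frequency x magnitude)."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(scenario.loss_median, scenario.loss_p90)
    annual = []
    for _ in range(years):
        n_events = poisson(rng, scenario.events_per_year)
        annual.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n_events)))
    return annual


def analytic_expected_loss(scenario):
    """Closed-form expected annual loss, used to sanity-check the simulation."""
    mu, sigma = lognormal_params(scenario.loss_median, scenario.loss_p90)
    return scenario.events_per_year * math.exp(mu + sigma ** 2 / 2)


def percentile(values, q):
    """Nearest-rank percentile (0 < q <= 1) without numpy."""
    ordered = sorted(values)
    rank = max(1, math.ceil(q * len(ordered)))
    return ordered[rank - 1]


def summarize(annual_losses):
    return {
        "expected": statistics.fmean(annual_losses),
        "p50": percentile(annual_losses, 0.50),
        "p95": percentile(annual_losses, 0.95),
        "worst": max(annual_losses),
    }


def appetite_status(value, appetite):
    """Place a metric value on the continuum."""
    if value <= appetite.target:
        return WITHIN
    if value <= appetite.tolerance:
        return MONITOR
    if value <= appetite.upper_boundary:
        return ACT
    return ESCALATE


def evaluate(scenario, appetite, statistic="p95", years=20000, seed=7):
    """Quantify the scenario and report its status against the appetite."""
    summary = summarize(simulate_annual_losses(scenario, years, seed))
    # Sanity check: the simulated mean should sit close to the closed-form value.
    expected = analytic_expected_loss(scenario)
    drift = abs(summary["expected"] - expected) / expected
    return {"scenario": scenario.name, "statistic": statistic,
            "value": summary[statistic], "status": appetite_status(summary[statistic], appetite),
            "summary": summary, "mean_drift": drift}


# Constructed inputs (illustrative only, not survey data)
BILLING_OUTAGE = Scenario("Ransomware disrupting customer billing systems",
                          events_per_year=0.5, loss_median=2_000_000, loss_p90=8_000_000)
CYBER_APPETITE = Appetite("annual loss at the 95th percentile (USD)",
                          target=3_000_000, tolerance=6_000_000, upper_boundary=20_000_000)

if __name__ == "__main__":
    report = evaluate(BILLING_OUTAGE, CYBER_APPETITE)
    for key, val in report["summary"].items():
        print(f"{key:>9}: {val:>14,.0f}")
    print(f"status on {report['statistic']}: {report['status']} "
          f"(mean drift vs closed form {report['mean_drift']:.1%})")
```

Two design points are worth noting. The appetite is stated on a tail statistic (p95) rather than the expected loss, because a median year for a 0.5-per-year scenario contains no event at all and would read as "within appetite" while the tail sits well above tolerance; which statistic the board signs off on is itself part of defining the appetite. The closed-form expected loss is computed alongside the simulation so that a coding error in the frequency or magnitude model shows up as drift between the two; that kind of check is what makes a quantitative approach auditable rather than merely numerical.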
AI automation can also help facilitate risk management processes. From intelligent automation, where a bot executes processes that require little human judgment, to generative AI, where algorithms can create new content (audio, code, images, text, simulations, and videos), analytics can be integrated into each step of the risk management life cycle (figure 9).
Most respondents to Deloitte’s September 2024 Power and Utilities ERM survey currently rely on manual processes (73%), while only 5% have fully automated most of their processes. For a majority of responding organizations (54%), automation is implemented in risk identification, assessment, and prioritization.
The spot poll of roundtable participants shows that AI is on their radar, particularly for monitoring, identifying, and reporting risks (figure 10).
While AI can be helpful in the ERM process, it can also introduce new risks related to the use of the tool itself (for example, acting on model output that has not been fact-checked) and could have implications for the company’s environmental impact.
Environmental trends encompass changes to the physical world, and related targets that can influence an organization’s operations and business strategy. Common environmental risk owners include vice presidents for asset planning and delivery, operations, and safety, health, and environment.
According to the Deloitte roundtable participants, the climate is the environmental area of predominant concern for organizations, as the frequency and intensity of extreme weather events has grown. It has primarily impacted organizations through the increased cost of mitigation. Hazards that have caused material impacts on responding organizations’ businesses include: more frequent and powerful storms, extreme heat, severe flooding, wildfires, water shortages, severe drought, and rising sea levels.
Responding organizations are making their assets more resilient to these hazards by fortifying (27%), winterizing (18%), and elevating (13%) them, incorporating new materials (20%), and undergrounding power lines (18%). Smart grid adaptation and updating and adapting standards account for only 2% each.
Most organizations quantify climate risk (61%), and scenario analysis is the leading tool (30%), according to Deloitte’s September 2024 Power and Utilities ERM survey. A risk quantification approach for climate includes identifying risk themes, exploring risk tolerance, aligning on calculation, identifying data inputs, and determining top climate-related risks (figure 11).
While 53% of roundtable participants reported their organization is leveraging metrics to assess climate impacts, 47% are not. One example of a climate metric is hydro generation: a below-average water level or the presence of drought, for example, could signal a risk to cash flow. Risk managers also need to be mindful of double counting, since some climate change impacts might already be captured in asset health metrics.
Organizations may consider financial position, reliability, technology, internal stakeholders, and external stakeholders to determine enterprise-wide risk tolerance. Each of these categories includes several common risk factors. Climate is a common risk factor in the reliability category.
If left unaddressed, trends in this area can affect business continuity, supply chain management, and major project execution.
Major project execution risk has come to the fore as the utility and construction sectors converge amid load growth. According to Deloitte’s September 2024 Power and Utilities ERM survey, regulatory and compliance challenges (28%) and schedule delays (28%) were the top project execution risks that respondents identified, followed by budget overruns (19%) and technical complexity (10%).
When asked to rank the most common project management pitfalls, respondents to a spot poll at Deloitte’s roundtable discussion cited “quality issues and external factors” as the area of greatest concern (figure 12).
This includes poor quality control, noncompliance with standards, market and regulatory changes, and supply chain disruptions. The second most common pitfall was budget management, which included cost underestimation, uncontrolled spending, insufficient or disrupted funding, and lack of agility. The third was inadequate project governance, which encompasses inconsistent and delayed decision-making, siloed or inadequate information, and inability to measure success or progress.
Participants commonly evaluate their risk exposure to these aspects based on:
Additionally, changes to trade policy can have major industry supply chain implications. The 10% tariff on Chinese imports and additional announced tariffs on various countries and products are expected to raise the sector’s supply costs by increasing the price of solar cells, batteries, EVs, steel, and aluminum.4 Other economic trends that affect supply chains include strikes, climate impacts (such as drought limiting Panama Canal capacity), geopolitical instability (such as vessel attacks in the Red Sea), and global conflicts5 (figure 13).
While few of the roundtable participants (5% of spot poll respondents) are currently integrating project risk management with enterprise risk management, doing so could offer a range of benefits. Applying a risk management lens to project management can help leaders drive value by proactively identifying, managing, and escalating project execution risks in a timely manner.
Project risk monitoring in ERM could also cover the schedule, financial performance, and changes. Data analytics can help shed light on project execution trends and their impact on the organization’s risk profile. ERM teams can also encourage a culture of speaking up to help proactively identify potential execution risks that may lead to significant impacts on the organization or key stakeholders. Indeed, ERM would be integral to formalized processes for escalation.
Risk, conformance, and performance monitoring should occur across these lines of action:
Using a “P3M” (portfolio, program, and project management) approach is one way to effectively manage transformational initiatives (figure 14).
A P3M approach can help ERM teams more quickly identify sources of economic risk as utilities recast their role and supply chain amid industry convergence and geopolitical divergence.
In a rapidly shifting landscape in both the United States and abroad, roundtable participants rightly identified policy as the greatest source of potential risk for organizations to track.
In the run-up to the presidential election, roundtable participants saw energy, climate, and sustainability policy (40%) as the public policy issue that would have the biggest impact on their companies over the next two to four years. The roundtable participants unanimously agreed there is an inherent tension between decarbonization, customer affordability, and resilience goals. With regard to decarbonization, a natural gas phasedown was a potential policy change that a majority of roundtable participants were closely following before the presidential election (figure 15).
The other key policy shifts that roundtable participants were concerned with were tax policy and regulations (15%), and trade and tariffs and artificial intelligence (10%).
With a change in administration, the alignment across federal, state, and local levels has shifted. While policy uncertainty remains, there are some areas of bipartisan agreement on industrial policy goals like strengthening economic competitiveness, national security, and resilience.6
On the other hand, policy shifts could also affect previous or anticipated investments. For example, 67% of the organizations that took part in the spot polls at Deloitte’s roundtable have taken advantage of federal incentives from the Infrastructure Investment and Jobs Act and the Inflation Reduction Act, the fates of which are now uncertain.
The locus of action in some areas may shift to the state level, which, according to 78% of the Deloitte roundtable participants, most significantly shapes policies that drive the energy transition. This includes climate disclosure activity at the state level, such as California’s laws requiring climate-related financial risk and scope 1, 2, and 3 emissions reporting for large companies operating in the state.7 Activities outside the United States can also have an impact. For example, the European Union Corporate Sustainability Reporting Directive reporting requirements apply to many non-EU companies that do business in the European Union, including US companies with EU subsidiaries that meet certain criteria.8
For ERM leaders, it is less the shifts in policy and more the ongoing uncertainty that presents the biggest political risk at this time.
Organizations are being forced to think differently, innovate, and make faster, data-driven decisions. With the growing complexity, costs, and social expectations, it behooves organizations to identify the potential drivers that may lead to rapid changes in the risk profile, including uncertainties and emerging trends. Risk officers who translate information into financial outcomes may be more likely to be perceived as invaluable business partners within an organization.
Advanced ERM capabilities can help organizations develop strategies and confirm successful execution. These capabilities also bolster internal and external confidence. And in this new era of uncertainty, power and utility companies need to have enough information and the foundational systems to project confidence to all stakeholders. In this sense, ERM is no longer about looking around only the next corner, but about the next two corners to help organizations protect and create value.
Deloitte has hosted an ERM roundtable series for the power and utilities sector for the past 17 years. The primary goals of this series are to discuss lessons learned, identify trends, promote innovation, perform benchmarking, facilitate networking within the industry, advance risk management practices, and enhance the value of the ERM function.
On October 28–30, 2024, Deloitte assembled a roundtable of 30 ERM leaders from the power and utilities sector at FirstEnergy in Akron, Ohio, for peer-to-peer discussions and spot polls about the top challenges facing the industry and their approaches for managing enterprise risks.
In advance of the roundtable, Deloitte fielded a survey among the 30 participating organizations to benchmark key aspects of their ERM program structure, scope, and budgets. During open sessions, participants discussed the results from the September 2024 benchmark and participated in spot polls to add more dimension to the survey results. They also shared the areas they plan to focus on to help elevate their ERM programs. All results captured in the survey and the spot polling during the roundtable are anonymous.
Social trend: Advancing risk culture to address complexity with speed and agility
A risk-intelligent culture is an ecosystem of interconnected attributes that shape the way employees think, what they say, and how they behave. A risk-intelligent culture can exist when employees’ understanding and attitude toward risk lead them to make appropriate risk-informed decisions and their actions are aligned with and support their organization’s strategy, business model, business practices, and risk tolerance. Some key characteristics of a risk-intelligent culture include:
Most organizations responding to Deloitte’s September 2024 Power and Utilities ERM survey (57%) have established a strategy for risk culture that aligns with their management and business priorities. They promote a positive risk culture through regular training and awareness sessions and through leadership communications. Moreover, 41% conduct annual talent surveys, and 54% use a combination of data and surveys to gauge employee engagement and understand the organization’s risk culture. However, only 13% frequently leverage analytics to identify patterns of behavior within defined parameters.
Among spot poll participants, only 6% actively measure risk culture.
Periodic assessments of risk culture can help an organization understand opportunities for advancement, which may include both specific areas and parts of the organization. They can also help track the progress of cultural change. Risk culture influencers include the collective risk management competence of the organization, the motivation for people to manage risk, relationships between people in the organization, and the organization’s structure and values (figure 2).