MANAGEMENT FRAMEWORK AND POLICY
THE COMMITTEE OF CHIEF RISK OFFICERS (“CCRO”) GRANTS USERS A REVOCABLE, LIMITED, NON-EXCLUSIVE, NON-SUBLICENSEABLE, NON-TRANSFERABLE LICENSE TO REPRODUCE THIS DOCUMENT SOLELY FOR INTERNAL, NON-COMMERCIAL AND EDUCATIONAL PURPOSES. ALL OTHER RIGHTS ARE RESERVED BY THE CCRO. WITHOUT LIMITING THE FOREGOING, THE CCRO DOES NOT CONSENT TO THE REPRODUCTION OF ANY OF ITS DOCUMENTS FOR PURPOSES OF PUBLIC DISTRIBUTION, SALE OR ANY OTHER COMMERCIAL USAGE. ATTRIBUTION TO THE CCRO, AS THE COPYRIGHT OWNER, IS REQUIRED IN ALL CASES.
TABLE OF CONTENTS
I INTRODUCTION
II FIRMWIDE RISK MANAGEMENT POLICY COMPONENTS
2.1 Scope, Objectives and Purpose
2.2 Discussion of Management Philosophy
2.3 Identifying Risks
2.3.1 Market Risk
2.3.2 Reliance or Credit Risk
2.3.3 Operative Risk
2.3.4 Business Risk
2.4 Governance and Organizational Structure
2.4.1 Governance - Committee Architecture
2.4.2 Governance – Regulated and Non-Regulated Entities Within a Firm
2.4.3 Risk Management - Organizational Structure
2.4.4 Organizational Risk Management Structure and other Company Functions
2.5 Enterprise Risk Management
III BUSINESS UNIT RISK MANAGEMENT POLICY COMPONENTS
3.1 Introduction
3.2 Risk Measurement
3.2.1 Enterprise Risk Metrics
3.3 Risk Limits and Guidelines
3.4 Risk Analysis and Reporting
3.5 Risk Management and Commercial Decision Making
3.6 Remedial Actions
IV CONCLUSION
APPENDIX A – BEST PRACTICE BIBLIOGRAPHY
APPENDIX B – RISK COMMITTEE CHARACTERISTICS
APPENDIX C – RISK COMMITTEE STRUCTURES
APPENDIX D – RISK MANAGEMENT STRUCTURES WITHIN ORGANIZATIONS
I INTRODUCTION
The increased relevance of an energy company’s risk management policy and the importance of deriving such policies directly from risk tolerance as defined by the Board of Directors (“BOD”), or by senior management as delegated by the BOD, requires companies to either revisit their current risk management policies or develop a formal risk management framework and policy. Energy firms should have a formal commitment to and cultural understanding of risk management across the organization. The risk management framework and policy should provide: (1) for the delegation of the appropriate authority to management to manage risk, (2) the corresponding criteria to manage risk within the firm including risk tolerances, (3) a clear segregation of responsibilities around analysis and management of risks, and (4) a delineation of the communication channels needed to report risk management issues and concerns to appropriate levels in the Company. The formal risk management policy should address both effective communication of risk and specific compliance requirements for each energy company.
The Committee of Chief Risk Officers (CCRO) was formed in an effort to compile risk management best practices for companies participating in energy markets. The CCRO is composed of Chief Risk Officers from leading companies that are active in both the physical and financial energy markets. The CCRO is committed to opening channels of communication and establishing best practices for risk management in the industry.
This position paper strives to address the necessary components of an effective energy risk management policy document without providing a “how to manual” level of detail that would be more typical of a CCRO white paper. It identifies best practices in risk management, recognizing that not every practice can be incorporated into a company’s unique risk management framework. This paper strives to provide a “roadmap” for developing an effective risk management policy that identifies the distinctive elements as they relate to the different segments of the industry. This paper allows flexibility in incorporating such components within a company’s formal risk management policy documentation – it is not in the scope to advocate an appropriate number or hierarchy of risk management policy documents within a firm. For example, companies may have both corporate and business unit risk management policies as well as separate risk management policies for different risk categories such as market and credit risk. In addition, companies may decide to address certain risk management issues in other corporate policies. The purpose of this position paper is to identify the types of risk management issues that should be addressed and not dictate the ultimate policy document. CCRO documents are referenced within the body of this paper and also in a bibliography, including abstracts, contained in Appendix A.
Again, the objective of this paper is to provide a components checklist or “roadmap” necessary for the development of an effective energy risk management policy. Specifying the operating steps necessary at each level of the organization to implement the policy procedures and processes is not part of the scope. Notwithstanding this paper’s focus, it is recognized that many firms elect to include procedural content within their risk management policy – that is a valid method to organize and communicate both policy and procedures within a company.
This paper is organized into two primary sections: a firmwide section that addresses the global components that should be universal to any risk management policy, and a business unit section that focuses on the risk management policy components where the specific elements are driven by the type of business that is being addressed. As an example, governance issues such as risk management committee architecture, middle office independence, etc. are global in nature and are included within the firmwide section. Conversely, risk measurement, while certainly a necessary component in any risk management policy document, has elements that are very distinctive to the type of business in which risk is being measured; therefore this is contained in the business unit section.
II FIRMWIDE RISK MANAGEMENT POLICY COMPONENTS
This section focuses on those components of a risk management policy that contain elements that are universal to the firm’s business operations. The “roadmap” for developing and identifying the components of a firmwide risk management policy is highlighted in the following sections.
• Senior management’s commitment to an effective risk management function to ensure appropriate management¹ and oversight of the company’s risks
• The development of an effective risk management function that identifies the process for establishing authorities and responsibilities (governance) and rules and guidelines (protocols) that will identify, measure, monitor and manage those risks that impact the company’s performance objectives
• Clearly tying governance and protocols to the risk appetite defined by senior management and/or the BOD and to the appropriate best practices, some of which can be found in Appendix A
• Distinctly setting out independence between the commercial and non-commercial responsibilities within the company
• The need to keep the BOD and executives aware of the risk exposures of the company and ensuring that the disclosure of significant risks is not at the discretion of senior management
• Consistent application of practices to ensure accurate and consistent measuring and monitoring of value and risk
• Creating a living document that is revised as methods and approaches in risk management improve and/or management philosophy towards risk tolerance changes
o A minimum earnings or cash flow level the company is willing to accept
o A minimum acceptable credit rating
o Limits or targets on variability measures around the firm’s financial performance – for example: Value at Risk, Earnings at Risk, Cash Flow at Risk, Power Supply Cost at Risk, Rate Volatility (public power, cooperatives, municipalities), etc.
¹ Managing risk covers the acceptance and management of risk as well as the elimination or mitigation of risk.
2.3 Identifying Risks
This section should define and identify the types of risks and how each contributes to the level of uncertainty around the company’s financial performance. Typical risk categories along with high level definitions are as follows:
2.3.1 Market Risk is generally defined as the impact of price movements in energy, foreign exchange, interest rates, etc. on the financial performance of the company.
2.3.2 Reliance or Credit Risk is the risk of loss caused by a counterparty not fulfilling its obligations.
² A firm’s financial objectives include the ability for the company to create economic value and to possess adequate financial liquidity to meet its ongoing obligations.
2.3.3 Operative Risk includes the following:
o Operational risk - The risk of direct or indirect loss resulting from inadequate or failed internal processes, people, and systems or from external events
o Operations risk - The risks associated with physical assets or delivery of energy commodities
2.3.4 Business Risk is the risk surrounding the uncertainty in the business environment in which a company conducts its operations. Examples include:
o Changes in the regulatory environment
o Competitor landscape and substitution of products/services
o Shifts in the supply/demand for products/services
o Reputation damage (Headline Risk)
o Business continuity risk, i.e., maintaining the integrity of the business in the event of a disruption
o Security Risk
It is difficult to quantify the impact of each and every risk on a firm’s financial performance, particularly certain aspects of operative risk and most areas of business risk. In these cases, there are numerous qualitative techniques to address the impact of these risks, such as using a risk matrix or a scorecard approach. These methods are defined in more detail in the upcoming CCRO white paper on Enterprise Risk Metrics.
2.4 Governance and Organizational Structure
A risk management policy emanates from the highest level of an organization, at the BOD. A clear path for managing risk starts at the BOD and senior management. The BOD and senior management’s roles should include:
• Being a major advocate of risk management within the organization
• Being aware of, understanding, and supporting risk management activities across the organization
• Approval of major strategies and associated risks the organization will take within the approved risk tolerance of the firm
• Delegating the authority for managing these risks through a formal committee structure, or delegation policy
of the firm and the complexity of the risk management issues facing it
Elements of a risk management committee structure should include the following:
o Authority - including a level of risk management and control commensurate with best practices prior to engaging in certain commercial activities
o Membership – specific members and titles across the organization with an independent risk management officer leading each committee
o General Duties – variety of duties including independent monitoring and reporting of risk
These elements may be included within the risk management policy or by referencing the charter document of each risk management committee. It is helpful to include diagrams within this section of the risk management policy that help the reader visualize the committee structure within the firm.
Appendix B provides more detail in the areas of membership, authorities and duties for risk management committees as well as specific attributes of successful risk management committees.
to encompass all of the organization
Appendix C provides some examples of current risk management committee structures within organizations, including those that have both regulated and non-regulated entities.
2.4.3 Risk Management - Organizational Structure
This section should include the organizational structure of the risk management groups within the company. Additionally, roles and responsibilities for these groups also should be addressed in this section. Attention should be given to the following:
o Hierarchy and responsibilities between corporate and business unit risk management groups
o Framework of risk management groups within the business unit infrastructure
2.4.4 Organizational Risk Management Structure and other Company Functions
Many of the responsibilities associated with other functional areas within the company have an impact on the risks faced by the company. Therefore, the risk management function, both through the governance (committee) and organizational structure, must relate to traditional company functions such as:
Appendix D includes examples of different organizational structures that relate risk management and other functions within companies. The area of compliance and its congruence with risk management is a developing issue within the energy industry. The upcoming Governance and Compliance CCRO white paper will provide more direction in this area.
at some operational levels of an organization, most multi-business concerns will need to address rolling risks up to the enterprise level. Integrated enterprise risk management should be included within the risk management policy’s scope, objectives and purpose and be addressed in the governance and risk management organizational structure and other sections of the risk management policy.
The Committee of Chief Risk Officers Enterprise Risk Metrics white paper provides more detail in the area of ERM (Appendix A).
dictates where the emphasis should reside in their management of risk. Previous CCRO work has addressed managing risk across varying lines of business (referenced later in this Section and in Appendix A). Therefore, for each company’s risk management policy, the distinctive detail relative to the components within this section should be consistent with this prior CCRO work.
Methodologies to measure risk and the specific metrics that relate to each risk category have been evolving within the energy industry, particularly in the area of applying relevant methodologies and metrics to the different business operations. As mentioned before, the CCRO has been at the forefront of this effort and specifically addresses these methodologies and measures in its Valuation and Risk Metrics, Credit Risk Management, and Emerging Practices in Assessing Capital Adequacy white papers (Appendix A). The risk measurement section of the risk management policy should be organized around the risk categories (market, credit, operative, business) and include detail on the specific methodologies and appropriate measures for each risk category, while being consistent with previous CCRO work.
³ As an example, companies should measure the risks associated with both their accrual and mark-to-market books.
For many companies in the energy industry, business and operative risk have the largest potential impact on financial performance. The lack of quantitative measures and controls in these areas makes it difficult to employ traditional risk management protocols. Nonetheless, these “qualitative” risks should still be identified, monitored, reported and, whenever strategy dictates and is cost-effective, mitigated. Furthermore, the Department of Homeland Security looks at the Energy and Utility sector as part of the critical national infrastructure; this new emphasis on business continuity reinforces the importance of identifying, monitoring and reporting all risks (Appendix A).
3.2.1 Enterprise Risk Metrics
Whereas risk control objectives dictate the management of risk at the risk category or silo level, the next stage in the risk continuum is measuring risk across the enterprise. Enterprise risk measures involve more robust methodologies and are centered on achieving optimal capital allocation through maximizing the risk adjusted return of the enterprise portfolio. This section should address the specific methodologies and metrics in the area of enterprise risk and should be consistent with the Committee of Chief Risk Officers Emerging Practices in Assessing Capital Adequacy and Enterprise Risk Metrics white papers (Appendix A).
• Volumetric limits, dollar-transaction limits, stop-loss limits, VaR limits, and authority limits, among others, provide a useful set of limits that capture the measurable and subjective dimensions that define risk tolerance in the context of a company’s risks
• Market risk limits should be consistent with the company’s measures of market risk; however, not all business activities will have market risk limits. For example, although a physical energy asset’s performance may be dependent upon market price movements, there may be no distinct market risk limit structure that, when breached, would force a sale of the asset
• There may be different levels of market risk limits for cross-sections of the business operations. For example, the total trading portfolio VaR may be $25MM while the fixed price desk might be $10MM
• CFaR limits and tolerances, or other measures of liquidity required to support the business, should be established for all commodity based businesses regardless of whether or not they trade
• Guidelines may take the form of implementing hedging strategies across business operations when certain parameters (prices) are met
• For regulated entities, limits may be developed around the uncertainty associated with rate structures being approved by regulatory bodies
• For self regulated non-profit load serving entities, limits may be developed around the uncertainty associated with power supply cost (or rate) variability or overall margin variability. Additional limits might relate to the potential to violate financial covenants, the non-profits’ tax-exempt status, or other financial measures
• Credit limits should be specific to each counterparty and be determined by the counterparty’s creditworthiness. Additionally, counterparty limits should be aggregated in order to apply a portfolio type credit exposure limit
• The limit structure should include a reference to an “Authorization to Transact” appendix that specifically defines the authorized instruments, commodities, geographic regions, types of markets, and tenors
o Stress testing, scenario and sensitivity analysis
o Backtesting models and valuation methodologies
o Assessment and Reporting
o Capturing risk and maintaining risk inventories
• The identification and measurement of risks inherent in commercial opportunities and the obligation to bring this information forward for evaluation in capital allocation decisions
• The ongoing evaluation and measurement of risk-adjusted performance
• The impact of risk limits and potential limit breaches on commercial decisions
The risk management policy document should be clear in linking effective risk management with successful commercial decision making. Within the context of the above, the risk management policy should address the following:
• The threshold level whereby formal risk management analysis is required prior to a commercial decision being made. The upcoming CCRO white paper on Governance and Compliance will address oversight in the context of the investment and large transaction decisions within a firm
• Specific methodologies and metrics for evaluation of commercial opportunities and ongoing performance evaluation. The CCRO’s Valuation and Emerging Practices in Assessing Capital Adequacy (Appendix A) white papers and soon to be released work covering Enterprise Risk Metrics specifically address these areas
It is important to delineate risk management in the context of commercial decisions. Although risk management entails the identification, measurement, monitoring, and controlling of risks throughout the organization, this does not imply that the risk manager necessarily makes or carries out commercial decisions. The risk management policy should be clear in separating the role of the risk management function and the commercial function in this respect.
The issue of whether or not limits can be overridden should also be addressed. The ability for members of the company to override limits should be defined, including the corresponding roles and responsibilities that both the independent risk function (middle office) and commercial operations (front office) have when limits are overridden.
(risk) is handled,”⁴ and “ should adopt a written mandate in which it explicitly assumes responsibility for the stewardship of the issuer, including responsibility for identifying the principal risks of the issuer's business, and ensuring the implementation of appropriate systems to manage these risks.”⁵
With the increased scrutiny of the energy industry, particularly the merchant energy sector, it is vital that the risk management policy document be both an effective communication tool and a compliance instrument. This has led many energy companies to revise their existing risk policies or to start anew in developing a risk management policy document. This position paper highlights traditional best practice themes in energy risk management policy while also addressing emerging issues and other areas which warrant increased attention in today’s energy environment. While this paper is not a “how to” manual, it provides a checklist, addressing the necessary components of an effective risk management policy document for the energy industry.
⁴ New York Stock Exchange (NYSE) “Listed Company Manual.” Last updated November 2003.
⁵ Ontario Securities Commission (OSC) Proposed Multilateral Policy 58-201: Effective Corporate Governance. October 2004.