Applying Enterprise Risk Management Techniques

ERM Is Not Just for Large Utilities

Enterprise risk management has a reputation for being the province of large investor-owned utilities with dedicated risk management departments. In reality, the core techniques of ERM are accessible to utilities and cooperatives of any size. The risks that ERM addresses — storm damage, cybersecurity threats, power supply disruption, regulatory changes, workforce shortages — are common across the industry. A right-sized ERM program does not require a separate department; it requires structured thinking applied consistently to the organization's most significant exposures.

The Risk Identification Workshop

Effective ERM begins with identifying the risks the organization faces. A structured risk identification workshop — typically a half-day session with cross-functional representation from operations, engineering, finance, IT, and senior management — surfaces risks that no single department sees in isolation. The facilitator guides the group through major risk categories: strategic (competitive, regulatory, technological), operational (system reliability, storm exposure, supply chain), financial (power cost volatility, interest rate exposure, liquidity), and compliance (FERC requirements, environmental regulations, cybersecurity mandates).

The output is a risk register: a structured list of identified risks, with initial estimates of likelihood and impact for each.

The Risk Heat Map

Once risks are identified, they are plotted on a heat map — a two-dimensional grid with likelihood on one axis and impact on the other. Risks in the upper right corner (high likelihood, high impact) demand immediate attention and robust mitigation strategies. The heat map makes risk prioritization visual and intuitive, enabling management and boards to focus resources on the exposures that matter most.

Mitigation Strategies for Key Utility Risks

For electric utilities and cooperatives, several risks consistently appear in the upper-right quadrant. Cybersecurity threats require layered technical controls, staff training, and incident response planning. Major storm exposure requires mutual aid agreements, pre-positioned materials, and regulatory accounting policies that enable cost deferral and rate recovery. Power supply cost volatility is mitigated through diversified supply contracts, fuel cost adjustment clauses, and rate stabilization reserves.

Integrating ERM into the Budget Process

ERM produces its greatest value when integrated into annual budgeting and capital planning rather than operating as a separate exercise. Risk mitigation strategies have costs — cybersecurity investments, mutual aid agreements, reserve fund contributions — that belong in the budget. When the board approves the budget, they should understand both the strategic priorities it reflects and the risks it is designed to manage.