
Risk Assessment Software: Enterprise Risk Management (ERM) in Energy and Utility Industry
A front end process for compliance management activities

Over the last decade, the process of ‘Risk Management’ has evolved rapidly, growing
from a perfunctorily performed activity to a critical enterprise-wide requirement.
Functions like recognizing and mitigating risks, complying with regulations, gaining
increased market valuation and optimizing the use of assets with higher returns on risk
capital are now generating new risk management requirements, and companies are therefore
seeking risk assessment and analysis software.

While risk managers in all industries are grappling with the problems of performing
real-time risk measurement and mitigation, risk managers in the energy and utilities
sector have to tackle additional complexities due to the inherent nature of the business. Optimizing risks and
returns in generation plant usage, delivery schedules, natural gas and electricity selling prices, deliveries, oil
pipeline usage and cash flows is a formidable task. Moreover, stringent compliance and regulatory
requirements, like Sarbanes Oxley Act (SOX), FERC and NERC regulations (Federal Energy Regulation
Commission and North American Electric Reliability Commission) and state and regional public service
commissions add an additional layer of challenges for energy risk managers. All business functions are
impacted operationally as well as strategically. As a result, companies in this sector are looking to
systematically identify, measure, prioritize and respond to all types of risk in the business.

MetricStream offers an integrated solution for successfully meeting these enterprise wide risk management
requirements while lowering the associated costs that can otherwise be substantial. It provides best-in-class
integrated modules and services to companies in the energy sector, so that they can seamlessly automate
and streamline compliance business processes and gain real-time visibility into their risk profile.

Enterprise Compliance Platform: Business Value

Standards Based: Using standards to deliver re-usable technology components that enable
complex business processes in a consistent, structured and repeatable fashion.

Federated Process Driven Approach: Shift to a holistic perspective to meeting business
process requirements. Instead of focusing only on the tactical need of individual silos,
ECP™ looks to enable compliance requirements functionality in a way that can be used by
others in the future. It also allows individual pieces of the business process to be
realized by best-in-class solutions.

Change Oriented: Focus on the creation of IT components expecting and anticipating changes
in the compliance ecosystem. ECP™ looks to recognize that change is inevitable: regulatory
mandates, managing go-to-market risks and other change drivers are the reality. ECP™ is
designed for relevant, agile solutions so that critical, dynamic business controls and
processes can be quickly adjusted.

Real Time Reporting and Visibility: Addressing business information and process across
organizational and technological silos. ECP™ delivers rolled-up visibility of key
information across the enterprise.

Knowledge Based: Shift to a holistic perspective to meeting compliance requirements. ECP™
engages ComplianceOnline.com's knowledge network and its community of experts to provide
know-how in a way that can be used across the company for varied requirements.

Challenges
The operational environment in energy companies has never been more challenging. Companies
are wrestling with regulatory compliance requirements, market volatility and industry
consolidation as they face pressure to drive revenues and increase efficiency. Rapidly
changing and highly complicated energy policies are pressurizing companies to constantly
look for better ways to manage and monitor compliance and controls processes across the
enterprise, eliminating deviations, errors and redundant activities.

The global power industry is rife with price, supply and consumption issues. Energy
companies also face an array of political, legal and regulatory risks on a daily basis.
Those with international operations are particularly susceptible to commercial and security
threats arising from currency inconvertibility or transfer restrictions, breach of
contracts, nationalization and confiscation or ‘creeping’ expropriation of energy assets,
besides war and civil unrest. Issues bedeviling the risk managers are best summarized by
the following questions posed by a power risk manager: “Between constantly changing
conditions and the immense amount of realtime data, how do I recognize threats to the
company when they occur? How do I discriminate between different threats and their relative
importance to the company? How can I then take the appropriate action in real time if more
than one of these threats occurs?”

Despite the growth of various technologies, energy risk managers continue to face the
two-fold challenge of compliance and risk management.

Compliance Management

Compliance Environment with Increasing Regulation and Legislation: Regulatory compliance is
a key challenge for companies in the energy and utilities industry with numerous standards
and regulations governing nearly all aspects of their businesses. Benchmarking against best
industry practices like GARP, CCRO framework, FSA requirements and financial accounting
standards has become the norm. Regulatory acts like SOX, OSHA, EH&S, FERC and NERC govern
the way companies in energy and utilities sector operate. These include complex and
interconnected regulation guidelines regarding financial assurance, operations, ethics,
record keeping as well as physical and cyberspace security, reliability and environmental
protection policies in the country.

Data Security: Responsible entities must define methods, processes and procedures for securing critical
information like company IP, customer and employee data, confidential strategic or financial data. FERC and
NERC compliance regulations provide clear definitions of a well documented and a widely disseminated
enterprise compliance program.

Document Management and Control: To ensure compliance with stringent regulations and legislations,
energy and utilities companies must retrieve, compile and integrate data from multiple sources to be able to
provide federal and state regulators with accurate, up-to-date information on the state of their business and
day-to-day operations.

Compliance Reporting and Real-time Alerts: Most energy companies are managing compliance
reporting and management in discrete categories - by geography, business unit or business function -
resulting in lack of visibility into their operations. This silo-based approach is insufficient to keep pace with
stringent compliance requirements. Companies must find a way to pull consistent, reliable and auditable
reports from many disparate sources. This includes appropriate triggers to alert staff on potential
compliance issues and updates, so they can react on a timely basis.

Operational Efficiency: With limited IT budgets, unpredictable market pricing and a massive
infrastructure, companies in the energy and utilities industry are constantly focused on improving
operational efficiency. Data managers seek a holistic view of operations across the entire organization so that
they are armed with the information they need to make key business decisions that directly influence the
bottom line while ensuring compliance with internal policies and industry regulations.

Adverse Event Management: Due to the inherent hazardous nature of their jobs, energy industry risk
managers require an efficient adverse management system that provides prompt reporting and tracking,
analysis and resolution of adverse events.

Risk Management

Non-Prioritized Risk Management: Determining which risks are relevant through a manual procedure is
tedious and time-consuming. Understanding risk management methodologies (like VaR, EaR, PaR and CfaR)
and their pertinence to the energy or utility organization is highly resource intensive. Most ERM
systems/frameworks are not customized for a particular company and they do not address company specific
risk priorities.

Disparate Risk Systems: In a distributed organization, establishing a common risk management program
is a challenging and labor-intensive task. Business units manage their risks independently and without
coordination. Integration and standardization of process and procedures across the organization demands a
central risk management information system.

Inefficient Risk Control Measures: Controls for mitigation of regulatory, operational and reputation risks
are as significant as the company’s market, liquidity and credit risk management efforts. Response
approaches are not optimized across risk types and commodities, exposing the company to unpredictable
changes.

Reactive Threat Identification and Mitigation: Power firms follow a defensive approach and suffer
losses by not identifying risks in a timely manner. Undiscovered exposures can result in massive losses. By
guarding against situations where aggregate risk exposure exceeds its risk appetite, the company can
prevent such situations. Preventive and detective controls that will help mitigate risks in real time using
alerts are necessary in this highly competitive market.

Poor Visibility and Error-prone Reports: Current energy risk management systems offer an ad-hoc view
of the multitude of internal and external risks faced by a company. Manual data-reporting procedures are
unreliable, inflexible and do not provide site-level and enterprise-level views of performance and risks.

Operational Hazards: Accidents and injuries, fatalities, losses to plant and equipment, spillages and other
loss of product and materials are a few of the issues that plague the energy industry. Proactive risk
management can help avoid losses and drive faster crisis recovery times.

Risk versus Investment: Energy companies face an increasingly significant dilemma: making a
bankable investment in the face of risk. Measuring the risk of long-term investments and
assessing opportunities on a daily basis proves to be taxing for companies. To facilitate
implementation of desirable projects, the company must be able to assess the profit–risk
ratio.

The MetricStream Solution


Understanding and managing risk is imperative to succeed in
a competitive environment. Enterprise Risk Management
(ERM) software platforms and tools empower the energy and
utilities organization through careful structuring of risk
assessment and automation of compliance efforts.
MetricStream’s solutions for both risk and compliance
management help energy and utilities firms with:

Regulatory Compliance Management: The MetricStream solution provides a common framework and an
integrated approach to manage energy risks as well as cross-industry mandates and regulations such as
SOX, OSHA, EH&S and FCPA and industry focused regulatory guidelines from FERC, NERC and Data
Management laws.

Streamlined Risk Management Methodology: The MetricStream solution ensures that a formal
procedure for analyzing and managing energy enterprise risk is implemented and followed. It identifies and
documents potential threats and vulnerabilities, quantifies total cost of risk and compliance management,
and drives the creation of business processes and controls. Its flexible scheduling tool allows the enterprise
to assess, test and document internal controls. Prioritizing response strategies for optimal risk/reward
outcomes is also easier to perform. The solution quantifies trade and market risks for energy portfolios and
ensures that the right risk management methodology is followed.

Increased Protection: Energy organizations must adopt a strategic approach to enterprise wide risk
management in order to ensure maximum protection from attacks. Process vulnerability and risk exposures
are fully mapped by MetricStream and threats to the most critical assets are prioritized to set the right
protection strategy for the organization. The underlying workflow and collaboration engine of MetricStream’s
solution determines the potential impact of threat occurrence and the existing level of risk to develop and
implement a suitable corporate risk management and mitigation plan.

Efficient Controls: The MetricStream solution enables process owners to take direct responsibility for
managing controls while auditors can focus on key compliance risks and project oversight. To eliminate risks
from deviations in procedures, errors and redundant activities, compliance and controls can be made
consistent across the enterprise using the centralized framework. It also helps avoid the danger of stringent
and varied sanctions by encouraging employees across the enterprise to contribute information that pertains
to reducing exposure to risk and improving safety, productivity and quality.

Cost Reduction: Automated information flows, assessments and testing, remediation assignments and time
stamped audit trails reduce overall compliance and risk management costs. The solution helps avoid
increased write-offs, losses and rising cost overlays while creating investment opportunities and improving
performance.

Web-based Reporting and Role-based Dashboards: Risk heat maps, graphical charts and compliance
dashboards provide increased enterprise-wide transparency into the compliance process and highlight issues
that need to be addressed. Continuous reporting and benchmarking of implemented procedures using
control diagrams and scorecards ensures that risks are identified and resolved in real-time. Detailed and
relevant risk data is automatically compiled by the MetricStream solution and drives internal audit,
regulatory and financial compliance processes (e.g., FERC, NERC, SOX). Quarterly and monthly trending
analysis, detailed reports and elaborative dashboards provide a bird’s eye view of the risk scenario.
Automated alerts help the risk managers foresee future challenges and manage risks better.

Integrated Document Management System: MetricStream’s integrated document management system
with change control capabilities synchronizes compliance documentation and business processes, ensuring
availability of data across the enterprise. When fully integrated with a company's daily compliance
management activities, accurate tracking of risks and compliance efforts helps the company easily and
effectively grow its business and strengthen its operations.

Structured Process for Sharing Confidential Information: MetricStream’s centralized document control
system coupled with its rigorous data mapping process enables real time sharing of sensitive data among
key stakeholders and supports NERC CIP data loss prevention.

Closed-loop Issues Management: The MetricStream solution provides a robust issue and remediation
management platform that enables companies to establish and follow mandates for managing
nonconformance, adverse events, exceptions, failures, and process deviations. It is a comprehensive
solution that enables companies to streamline the development and implementation of remediation and
corrective action plans processes across the enterprise. It provides end-to-end exception and change
management capabilities to help companies capture problem data from anywhere in their operation, conduct
investigation to determine the root cause, manage the entire preventive and corrective process, implement
changes, and ensure that the issue is resolved effectively. Powerful analytics and reporting capability with
graphical dashboards to track each case from initiation to closure, gives managers complete real-time
visibility into the remediation process.

Analyst Research

Access a complimentary copy of Gartner Magic Quadrant for Enterprise Governance, Risk &
Compliance Platforms, 2010 to get an up-to-date view of the GRC platform landscape
(October 2010).

Download a complimentary copy of ISO 31000 - The New, Streamlined Risk Management Standard
and learn more about modeling risk around the ISO 31000 framework (January 2010).
