NARIMS
12th Annual Professional Day
Royal Glenora Club, Edmonton, AB
Tom Haber
Senior Manager, Enterprise Risk Management
EPCOR
March 14, 2012
EPCOR Utilities Inc. (EPCOR) builds, owns and operates electrical transmission and distribution networks, water and wastewater treatment facilities and infrastructure in Canada and the United States.
EPCOR is headquartered in Edmonton, Alberta.
Wholly-owned by the City of Edmonton for over 100 years
Minority ownership in Capital Power Corporation (TSX:CPX), a power generation business
2010 revenue of approximately C$ 1.5 billion
About 2,500 employees
• What is Risk?
– Risk, is there a common understanding?
– Managing Risk within an Organization
• Enterprise Risk Management (ERM) and a Risk Matrix
– Role of ERM
– ERM Risk Matrix Challenge
• How to Build a Risk Matrix
– Important Considerations
• How to Use a Risk Matrix
– Risk Assessment Process
– Steps of a Risk Assessment
• Benefits and Limitations
Risk is not tangible
– Outcomes are tangible (consequences)
– Uncertainty of occurrence (likelihood)
– Risk must be tied to an achievement of an objective
Definition (ISO 31000):
• Risk is the effect of uncertainty on objectives
– Expressed by the consequence and likelihood of an “event” occurring
– Measured as a product of the consequence of its outcome and the likelihood of occurrence
(Risk = C X L)
– May lead to opportunities or threats
• Graphical tool that combines Consequence and Likelihood to help analyze the risk of a scenario
• Quick and easy tool to help you understand the level of risk
• Consequence and Likelihood Levels
• Ranking marked by color bands
• Slope of bands mark equal degrees of risk
Managing Risk
• Culture
• Processes
• Structures
Risk Management: the structured process of identifying, assessing, mitigating and monitoring risks that prevent or impede the achievement of goals and objectives. Includes:
Operational Risk Management:
• Internal event focused
• Risks associated with the people, process and systems, includes services reliability, safety, billing, projects, IT and financial stewardship
Strategic Risk Management:
• External event focused
• Risks associated with managing reputation, competition and the business environment including markets, labor pool, regulatory uncertainty and economic conditions.
Typical Risk Management within a Large Enterprise
– Diverse risk management practices within each business unit or shared services group
– Business Units and Shared Services may identify, assess, monitor and manage risk with different methods, models and language
Why is this a problem?
– Difficult to reliably understand and compare risks within an enterprise risk profile
– Potentially misinterpreted threat levels and impact to the company
– Makes decision making on risk tolerances and adherence to risk appetite more difficult
• Risk
• Hazard
• Hazardous Event
• Risk Factor Statement
• Risk Appetite
• Risk Tolerance
• Risk Treatment
• Risk Response
• Risk Register
• Black Swan Event
• etc…
An extensive risk vocabulary
A common and consistent language is central to a shared understanding of risk:
– Having a common understanding between operations, senior management and the board’s view of risk
– Further entrenching operations in consistent and integrated risk-based thinking
– Providing increased validity of risk understanding for better informed decision making
– Enabling ground level input to all risks company-wide with increased effectiveness of Risk Management and Strategic Planning activity
This requires integrated, enterprise-wide Risk Management tools that share a common language and approach
Enterprise Risk Management: the INTEGRATED identification, analysis and monitoring of Risk across the entire business, addressing all levels, including strategic and operational.
An ERM program represents the process to oversee risks within a company’s risk appetite / tolerance and to provide reasonable assurance for the effective execution of strategy
– continuous and systematic
– company wide perspective
– applied in a strategic setting
– not an audit, but should contribute to the development of an audit plan
Key ERM objectives:
– identify, assess, measure, manage, mitigate and report on the company’s top enterprise risks for effective oversight
– promote a common language, framework and process for managing risk across the organization
• Overall management and standards setting of the ERM program which includes:
– Development and management of an enterprise-wide risk register
– Design and implement enterprise risk management framework and risk management process standard and guidelines (ISO 31000)
• Facilitate, monitor and report on risk management practices
– Facilitate the implementation of company-wide risk assessments
– Ensure that risk assessments are performed periodically and completely for all business units and shared service areas
– In collaboration with risk owners, determine which risks are most significant and facilitate discussion with management for risk monitoring, management and improvement activities
Provide/ensure standardized procedures and tools for assessing, analyzing and evaluating risk that are valid, reliable and meet the needs of decision making at various levels
– Standardize consequence and likelihood criteria that allow for valid and reliable calculations of risk rating
– Standardize a risk model rigorous enough to measure and assess risk that supports decision making at different levels
• How to define risk scores, levels and ranks?
• Risk bands and tolerances
• What scale to use? Semi-quantitative or purely qualitative
• How to handle aggregations of lower risks that may become higher risk?
• Beware the tails – black swans, and false-risks
Pick your rating criteria judiciously and carefully:
• unique to the organization and its business environment
• relative equivalencies of consequence levels
Illustrative example only
Likelihood = probability and/or frequency
• Scale should be consistent and logical.
• With a balanced matrix, the likelihood scale should mirror the consequence scale
Illustrative example only
Illustrative example only: grid with risk bands Low, Medium-Low, Medium-High and High
Assign rankings on grid: semi-quantitative tool, should we use quantitative measures or not?
If you go semi-quantitative, you need to determine what scale to use (linear, logarithmic)
Illustrative example only
• Determine an appropriate scale and criteria for likelihood and consequences that align across all business areas
– e.g.: Health & Safety, Environmental, Financial, Asset, Community and Reputation
• Determine the best fit grouping of tolerance bands to support risk ranking and escalation (generally 3, 4 or 5 bands)
– e.g.: low/green, medium-low/yellow, medium-high/orange, high/red
Ideal End State: build a semi-quantifiable matrix that derives risk scores which support assessments throughout the company. Ensure that the risk score is reliable, valid across the enterprise, and useful for decision making at any level.
Risk Velocity is an estimate of how quickly risk events will impact the organization.
• Our evaluation of risk may be affected by how much time there may be to prepare a response or make some other risk treatment decision about an exposure
• It is an additional level of insight to the risk
Illustrative example only: risk matrix (consequence & likelihood) with velocity
Risk levels I, II, III and IV, with an ALARP region
The velocity of a risk event may be displayed as colored (C X L) points on the chart: Very Slow, Slow, Fast, Very Fast
Communication and consultation with internal and external stakeholders should take place during all stages of the risk management process.
Involving stakeholders in the risk management process is helpful to:
– Develop a communication plan;
– Help define the context appropriately;
– Ensure that the interests of stakeholders are understood and considered;
– Ensure that different views are appropriately considered in evaluating risks;
– Help ensure that risks are adequately identified; and
– Secure endorsement and support for a treatment plan.
• Define objectives and understand purpose of risk assessment
– What decisions will be made, what questions will be answered
– Helps set the scope of the risk management
• Determine Internal and External Conditions
– Define the business environment that exists
• Understand the criteria for evaluation
– Consequence and Likelihood, Velocity
– Follows a single, consistent risk matrix
Risk assessment (3 steps: identification, analysis and evaluation)
1. Risk Identification
– Finding, recognizing and describing risks/hazards (risk source, event and outcomes) and associated controls (prevent or mitigate)
– Brainstorming, interviews, surveys, facilitated discussion
– Process mapping, site visits, historical data
– Scenario descriptions, what-if’s
Illustrative example only, does not represent an actual risk
What event could occur that would impact achieving the business objectives?
– Causes: underlying factors and conditions contributing to the risk-event
– Prevention capabilities: risk treatment controls (layers of protection)
– Event
– Mitigation capabilities: risk treatment controls (layers of protection)
– Consequences: outcomes / impacts on objectives due to the risk-event occurring
2. Risk Analysis
– Rate the level of the risk (consequence, likelihood and velocity)
Choose the greatest potential consequence that could reasonably happen, then choose the likelihood that it would occur
– Analyze before controls (inherent risk) then again with existing controls (residual risk)
– May also be done to analyze new controls, costs including the identification of contingencies
Who should participate in a risk rating session?
Pick the top consequence: the greatest potential consequence that could reasonably occur
Illustrative example only
Determine the likelihood that the event will occur
Illustrative example only: risk matrix (consequence & likelihood) with velocity, as on the earlier slide (risk levels I to IV, ALARP region); the velocity of a risk event may be displayed as colored (I X P) points on the chart, from Very Slow to Very Fast
3. Risk Evaluation
Assists in the decision about priorities, risk treatment and response:
– Examine the risk analysis
– Discuss variances, confirm understanding of risk and gain agreement on the risk rating
– Evaluate risk level with tolerances
– May need to do a deeper risk assessment
The Value is in the Discussion!
Acceptance: taking the risk in order to pursue an opportunity. This means making an informed decision to retain the risk.
Further action may be required if the risk level is not acceptable:
1. Elimination: avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk.
2. Reduction: implement new controls to change the likelihood or the consequence.
3. Transfer/Sharing: sharing the risk with another party or parties (including contracts and risk financing or insurance). In many cases you can share the financial or legal risk, but the reputation risk is not easily transferred.
Repeat risk assessment to determine new residual risk level
Apply Treatment and Rate Residual Risk Rank
Determine controls to prevent the risk event from occurring and reduce the consequences, should the event occur.
Illustrative example only
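As an added illustration (not EPCOR's matrix or any model from this presentation), the following Python sketches the build and analysis steps described above: a five-level C X L score on a linear or logarithmic scale, four tolerance bands, a velocity tag, and an inherent-then-residual rating. The scale values and band thresholds are constructed assumptions.

```python
"""Semi-quantitative risk matrix (Risk = C x L) with tolerance bands,
velocity and inherent-vs-residual rating. Added illustration, not EPCOR's
matrix; the scale values and band thresholds below are constructed."""

# Five-level scales. Linear: 1..5. Logarithmic-style: each level is about
# three times the previous, which changes which cells count as "equal risk".
LINEAR = {1: 1, 2: 2, 3: 3, 4: 4, 5: 5}
LOGARITHMIC = {1: 1, 2: 3, 3: 10, 4: 30, 5: 100}

# Four tolerance bands (low/green ... high/red). Upper bounds are percentages
# of the maximum achievable score so the same bands apply to either scale.
BANDS = [(12, "Low/green"), (30, "Medium-Low/yellow"),
         (60, "Medium-High/orange"), (100, "High/red")]

VELOCITY = ("Very Slow", "Slow", "Fast", "Very Fast")


def risk_score(consequence, likelihood, scale=LINEAR):
    """Risk = C x L; consequence and likelihood are levels 1..5."""
    if consequence not in scale or likelihood not in scale:
        raise ValueError("consequence and likelihood must be levels 1..5")
    return scale[consequence] * scale[likelihood]


def risk_band(score, scale=LINEAR):
    """Map a score onto its tolerance band (integer arithmetic, no rounding)."""
    max_score = max(scale.values()) ** 2
    for upper_pct, name in BANDS:
        if score * 100 <= upper_pct * max_score:
            return name
    raise ValueError("score exceeds the matrix maximum")


def rate(consequence, likelihood, velocity, scale=LINEAR):
    """One rating: greatest reasonable consequence, its likelihood, velocity."""
    if velocity not in VELOCITY:
        raise ValueError("unknown velocity")
    score = risk_score(consequence, likelihood, scale)
    return {"score": score, "band": risk_band(score, scale), "velocity": velocity}


def assess(inherent, residual, scale=LINEAR):
    """Rate before controls (inherent), then with controls (residual), and
    report whether the treatment moved the risk into a lower band."""
    before, after = rate(*inherent, scale=scale), rate(*residual, scale=scale)
    band_index = [name for _, name in BANDS].index
    return {"inherent": before, "residual": after,
            "band_reduced": band_index(after["band"]) < band_index(before["band"])}


if __name__ == "__main__":
    # Constructed scenario: major consequence, almost certain, fast moving;
    # new controls bring it down to moderate consequence, unlikely.
    print(assess((4, 5, "Fast"), (3, 2, "Fast")))
```

Note that on the logarithmic scale a moderate/moderate cell (3, 3) scores the same as a catastrophic/rare cell (5, 1), which a linear scale would rank differently; this is the kind of choice the scale decision fixes before any bands are drawn.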
Risk Register: a record of the identified risks.
The evaluation and risk decisions must be retained and reviewed on an ongoing basis.
The frequency to repeat the risk assessment depends upon the circumstances surrounding the business and confidence in achieving the objectives.
Illustrative example only, does not represent an actual risk
• Simple to use
• Common approach
• Compare and Analyze risk across all operations
• Prioritize risk for tolerance or further action
• Ambiguous risk scenarios may lead to poor assessments
• Human factors and bias may influence results
• Doesn’t make decisions for you!
• May be too simple a tool
• Be aware of the boundaries and tail events (black swans and trivial risks)
Tom Haber
Senior Manager, Enterprise Risk Management
EPCOR Risk, Assurance and Advisory Services
thaber@epcor.ca
780.412.3524