Enterprise Risk Management Program Development Update Finance & Audit Committee Meeting September 25, 2015
Enterprise Risk Management Presentation Topics Enterprise Risk Management ( ERM ) Overview Lead Roles - LIPA/PSEG-LI ERM Process Status of the 2015 ERM Cycle Summary of Results of the 2015 ERM Cycle Key Risks Comparison to Others in Utility Sector Internal Audit/Review ERM Cycle Areas of Improvement - Next Steps Finance & Audit ( F&A ) Committee Next Steps 2
ERM Overview ERM Overview Enterprise Risk Management ( ERM ) increases risk awareness, ensures the appropriate management of risks, and provides transparency. Encourages a comprehensive perspective of risks by assessing existing risk and mitigation efforts at both LIPA and PSEG-LI. Aligns Management s efforts to prevent risk events from occurring or mitigating risk events when they are unavoidable or outside LIPA s control. Formally identifies a Key Risk Owner for each high risk area. Key Risk Owner responsibilities include: Monitoring of mitigation efforts impacting their risks Reporting on risks and mitigation efforts on a regular basis Fulfills key recommendations from the Northstar Operations Audit Report (Chapter 7 Enterprise Risk Management and Strategic Planning ) dated September 13, 2013. 3
Lead Roles - LIPA/PSEG-LI ERM Process ERMC T. Falcone (Chairman), B. Chu, C. Horowitz, K. Kane, J. Little, M. Simione; and J. Bell (legal advisor to ERMC) Adopt ERM Procedures Manual, update as needed Review and approve ERM Program Timeline (Appendix Pg. 19) Determine the ERA working group Interview: F&A Committee members, LIPA & PSEG-LI Officers, Directors and Managers Determine appropriate owners for each Key Risk/Key Risk Category Approve appropriateness of risk mitigation: Completeness of documentation articulating risk mitigating activities/processes Determine tolerance or comfort with existing amount / level of risk mitigation Ensure ERM process is compliant with Board approved Policy Work with Internal Audit Department, conduct assessment of overall effectiveness of ERM program, and identify areas for enhancement 4
Lead Roles - LIPA/PSEG-LI ERM Process Director of Risk Management C. Horowitz Initiate and lead ERA effort Consolidate ERA results, mapping of ERA to Risk Framework * Develop and lead Risk Prioritization process to rank Risks Catalog Key Risk Mitigation Activities assigned by Risk Owners Review Risk Mitigation Activities with Risk Owners and address potential concerns Continuously monitor risk, including regular touch points with Risk Owners Provide ERMC with regular Risk Mitigation status updates Draft and present regular updates for the F&A Committee (no less than annually) *Identifies list of Environment Risks, Process Risks and Information for Decision-Making Risks - approximately 85 Risk components (Appendix Pg. 18) 5
Status of the 2015 ERM Cycle Protiviti retained by LIPA to assist with: Development of LIPA ERM Framework [Completed] Board Policy [Approved August 6 th, 2015] Delegates responsibilities to LIPA s ERMC and Staff Facilitate initial LIPA/PSEG-LI ERM Cycle [Completed] Enterprise-wide Risk Assessment ( ERA ) activities Risk Mitigation Worksheets ( RMW ) Draft LIPA s internal Policies, Procedures and Controls Manual for ERM [Near Completion] Details ERA and ERM Process ERM Process Timeline Monitoring Process [In Development] 6
Summary of Results of the 2015 ERM Cycle Following the 2015 ERA, LIPA identified the following Key Risk Categories to the organization, which will be monitored continuously: Rate Case and Success of Financial Policy Outsource & Partnership Relationship Concerns Cyber Security Personnel & Human Resources Concerns Understanding & Delivering on Customer Expectations and Needs External Influences & Interests NOTE: The above are potential risk events which are deemed to be key to monitor and take mitigating action on, and should not be interpreted as expected events, nor as events which have already occurred. 7
Summary of Results of the 2015 ERM Cycle Following the 2015 ERA, LIPA has identified the following Key Risk Categories to the organization: Outsource & Partnership Relationship Concerns Description: LIPA and its external service providers need to perform at best-in-class levels to deliver on LIPA's mission, goals & objectives, and improve customer perception of the Long Island electric utility. Risk Mitigation Activities: Maintain continuous oversight functions; participate in monthly PSEG-LI Scorecard Reporting meetings and PSEG-LI Monthly Management Board Review meetings; prepare audit universe as part of LIPA s 2016 oversight activities plan. Personnel & Human Resources Concerns Description: Success of LIPA, particularly in its OSA oversight role, requires attracting and retaining qualified staff. Risk Mitigation Activities: Create interim succession plan; implement utility industry training requirements and include as part of all employees 2016 performance evaluation goals; establish employee development program for continuous improvement; institute a competitive compensation program in 2016 to attract and retain qualified workforce. Understanding & Delivering on Customer Expectations and Needs Description: Customers desires for higher reliability and/or expanded distributed energy resources must align with the required infrastructure changes and costs. Improved emergency response an important customer requirement. Risk Mitigation Activities: LIPA and DPS annual review of the Emergency Response Plan (ERP) and contingencies; review of PSEG-LI reliability metrics, storm response and capital budgeting and capital development. 8
Summary of Results of the 2015 ERM Cycle Following the 2015 ERA, LIPA has identified the following Key Risk Categories to the organization: External Influences & Interests Description: Relationships with key stakeholders are important in order for the organization to efficiently conduct business. Risk Mitigation Activities: Oversight of PSEG-LI Public Relations programs; increase LIPA engagement with public stakeholders; implement focused Public Relations program and public hearings. Cyber Security Description: Properly secure key IT systems from outside attack or interference. Risk Mitigation Activities: Cyber security audit; NERC CIP-5 rule compliance of PSEG-LI control systems and data networks; User Access process technologies, and-lipa and PSEG-LI review of cyber security insurance products. Rate Case and Success of Financial Policy Description: Rate case includes LIPA s financial policy goals, which include improved credit ratings and achieving key financial ratios to reduce the cost of electric service for customers over time. Risk Mitigation Activities: Rate plan filing included sound financial plan; communication with financial community; improved access to financial and operating data. 9
Summary of Results of the 2015 ERM Cycle Following the 2015 ERA, PSEG-LI has identified the following Key Risk Categories to focus on, which will be monitored continuously by both organizations: Outcome of the Rate Case Managing the Utility in Compliance with the OSA Cyber Security Personnel & Human Resources Concerns Understanding & Delivering on Customer Expectations and Needs Regulations, External Influences & Interests NOTE: The above are potential risk events which are deemed to be key to monitor and take mitigating action on, and should not be interpreted as expected events, nor as events which have already occurred. 10
Summary of Results of the 2015 ERM Cycle Following the 2015 ERA, PSEG-LI has identified the following Key Risk Categories: Managing the Utility in Compliance with the OSA Description: The OSA must fairly and completely measure PSEG-LI s performance. OSA metrics and goals may not remain relevant throughout contract term. Risk Mitigation Activities: On-going monitoring of performance metrics to ensure compliance with the OSA; periodic review of metrics to assure relevance. Personnel & Human Resources Concerns Description: Success of organization requires ability to attract and retain qualified driven staff. Risk Mitigation Activities: Leadership Risk Management; employee training and development; employment branding. Understanding & Delivering on Customer Expectations and Needs Description: Customer s desires for improved reliability and increased renewable energy technologies must align with the required infrastructure changes and costs. Improved emergency response an important customer requirement. Risk Mitigation Activities: Customer communication; customer satisfaction initiatives; review of the monthly Scorecard Report and key operating metrics. 11
Summary of Results of the 2015 ERM Cycle Following the 2015 ERA, PSEG-LI has identified the following Key Risk Categories: Regulations, External Influences & Interests Description: Relationships with all key stakeholders are important in order for the organization to efficiently conduct business. Risk Mitigation Activities: Strategic staffing; increase engagement with planning committees for project development; focused Public Relations program geared towards community outreach. Cyber Security Description: Key IT systems may be susceptible to outside attack or interference. Systems may include business systems with non-public information or operations systems that would interfere with substations, power generation or T&D infrastructure. Risk Mitigation Activities: Compliance with NERC Cybersecurity Standards; User Access processes and technology. Outcome of the Rate Case Description: The rate case may affect PSEG-LI s ability to achieve its goals required under the OSA and LIPA Reform Act. Risk Mitigation Activities: Daily rate case calls and activities; monthly Management Review Board meetings, monthly Scorecard Report meetings; 2016 O&M budget submittal. 12
Key Risks Comparison to Others in Utility Sector Executive Perspectives on Top Risks for 2015 * Key Issues Being Discussed in the Boardroom and C-Suite Energy and Utilities Regulatory changes and heightened regulatory scrutiny Economic conditions in markets we currently serve Cybersecurity threats Resistance to change Succession challenges and ability to attract and retain top talent LIPA has identified many of these risks for 2015 * Research Conducted by North Carolina State University s ERM Initiative and Protiviti 13
Internal Audit s Role: Internal Audit/Review Assess the appropriateness of the ERM Program Policies, Procedures and Controls Manual established by the ERMC Determine the effectiveness of the processes used by LIPA and PSEG-LI to identify Key Risks and Emerging Risks Perform an appraisal of the ERM processes in place at LIPA and PSEG-LI to measure, monitor, manage and mitigate Key Risks Report observations to the F&A Committee no less than annually 14
ERM Cycle Areas of Improvement - Next Steps Next Steps for ERM Process Improvement: Continue documenting existing Risk Mitigation efforts taken by LIPA and PSEG-LI Develop greater participation and communications across entire staff at LIPA and PSEG-LI throughout ERM process Implement continuous Risk Management-Risk Owner feedback mechanism: Has Key Risk occurred? If so, was Mitigation Activity effective to minimize impact within desired risk tolerance Is there any new Emerging Risks that require ERMC or Senior Management s immediate attention? Reach out to other Municipal entities to gain insights into other ERM programs Benchmark LIPA s ERM Program Monitoring and Reporting Move from manual process to automated process by implementing ERM monitoring software Review reporting documentation needs and frequency across various levels of management up to and including the Board 15
Finance & Audit Committee - Next Steps Next Steps for F&A Committee ERM Review: LIPA Staff to reflect 2015 ERM cycle results in 2016 Goals and Operating Budgets LIPA Staff to continually monitor Key Risks and/or Emerging Risks and periodically report back to the F&A Committee Internal Audit will schedule a review of the ERM process and report observations to the F&A Committee ERMC to meet with the F&A Committee during the 1 st Quarter of 2016 prior to the kick-off of the 2016 ERM cycle 16
Appendix Appendix 17
ERM Risk Framework Customer Wants Technological Innovation Stakeholder Expectations Capital Availability Legal Environment Regulatory Environment Financial Markets Catastrophic Loss Asset Location/ Community Concerns External Influence & Interests FINANCIAL Price Interest Rate Commodity Basis Volatility Liquidity Cash Flow Concentration Commodity Volatility Credit Default Concentration Settlement Rating Customer Satisfaction Human Resources Knowledge Capital Efficiency Capacity Partnering EMPOWERMENT Leadership Authority/Limit Outsourcing Performance Incentives Change Readiness Communications INFORMATION TECHNOLOGY Integrity Access Availability Infrastructure Cyber Security OPERATIONS Performance Gap Cycle Time Supply Chain Physical Asset Reliability Rate Case GOVERNANCE Organizational Culture Ethical Behavior Board Effectiveness Succession Planning Compliance REPUTATION Image and Branding Stakeholder Relations INTEGRITY Management Fraud Employee Fraud Third-Party Fraud Illegal Acts Unauthorized Use Compliance Business Interruption Service Failure Environmental Health and Safety Transition STRATEGIC Environmental Scan Business Model Regulator Model Business Portfolio Organizational Structure Measurement (Strategic) Resource Allocation Planning Life Cycle PUBLIC REPORTING Financial Reporting Evaluation Internal Control Evaluation Executive Certification Pension Fund Regulatory Reporting OPERATIONAL Budgets and Planning Service Pricing Contract Commitment Measurement (Operations) Alignment Accounting Information 18
ERM Program Timeline ERM Activity: Review / Revise Risk Framework Responsible Party: ERMC January February March April May June July August September October November December Kick-off annual ERM effort at first F&A Committee Meeting; Summarize Prior Year Results Risk Owners to Complete Questionnaire; Follow-up Meetings (as needed) DRM; F&A Committee Management; DRM Risk Consolidation / Mapping ERMC Develop Risk Prioritization Meeting Presentation(s) DRM Risk Prioritization Voting Session(s) Management; DRM Analyze Prioritization; Identify Key Risks / Categories Identify Risk Owners; Prepare Risk Mitigation Worksheets Risk Owners to Document Existing Risk Mitigation Processes Assess Existing Mitigation Efforts; Identify Gap Remediation Identify Budgetary Requirements for New Risk Mitigation, and include in budget for next year Present ERA Results to F&A Committee Continued Monitoring of Risk Mitigation from Prior Year ERM Implementation of New Risk Mitigation (If no budget required; e.g., process improvement) Implementation of New Risk Mitigation (If incremental budget required) Routine Review of Risk Mitigation; Internal Audit Review of Key Processes Present Update on Risk Mitigation and Monitoring to F&A Committee Routine Communication between Risk Owners, ERMC, others ERMC Management; ERMC Risk Owners ERMC; Risk Owners Risk Owners DRM; F&A Committee DRM; Risk Owners DRM; Risk Owners DRM; Risk Owners ERMC; Risk Owners; IA DRM; F&A Committee DRM, Risk Owners 19
Newly Developed ERM Policy Core Provisions of the Enterprise Risk Management Policy: Mandates an annual effort to identify significant risks to achieving the mission, goals and objectives of the Authority, including those which are: Known to already exist Emerging risks which may be faced in the future Risks which affect LIPA s service provider s performance and fulfilment of contractual obligations Incorporates a process for documenting existing risk mitigation for the most significant risks, and identifying if additional risk mitigation activities should be developed New risk mitigation development will be tied to the Authority s existing budget development process, so that if any additional risk mitigation is required, it can be appropriately budgeted and provided for The most significant risks, and their corresponding mitigation efforts shall be continuously monitored (year-round) for effectiveness of mitigation and to identify any changes to known risks Policy requires regular reports on risk and risk mitigation to the F&A Committee 20
Risk Mitigation Monitoring Dashboard [ In Development ] Category # 1 2 3 4 Risk Category Outsource & Partnership Relationship Concerns Personnel & Human Resources Concerns Understanding & Delivering on Customer Expectations and Needs External Influences & Interests Total # of Risk Mitigation Tasks Tasks Deemed to be Sufficiently Mitigating Risk Mitigation Task with Room for Improvement Task not Yet Assessed 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 5 Cyber Security 0 0 0 0 6 Rate Case and Success of Financial Policy Risk Mitigation Monitoring LIPA 0 0 0 0 TOTALS 0 0 0 0 21