This profile is the latest in a series of weekly conversations with executives at U.S. public companies who are currently involved in establishing and developing compliance programs.

Hydro One’s risk management effort has an interesting history. Tell us about it.

Well, I was hired to be head of internal audit, and that’s where I spend most of my time. I was asked to take on the risk management responsibility at the beginning of 2000. From then through 2003, I had a staff of two; we were doing 40 or 50 workshops per year, and we had a full-blown program going … At one time we were to do an IPO, and life was pretty hectic. Ontario opened our market like California did, we bought 88 municipal utilities. We were going through some very volatile times.

At the start of 2004, we went back to basics without an IPO. When that happened, we decided that we couldn’t keep two staffers full-time employed. We’re at a stage where we’re trying to keep enterprise management going without any staff … Now we’re almost trying to work our way out of a job.

What are your CRO duties now?

The bulk of my time is actually spent on audit; risk management occupies maybe 20 percent of my time and involves a few things. For example, in February I go to the audit committee of the board, and on an annual basis I get them to approve the risk management policy and the risk management framework. I discuss with them, although we don’t get them to approve formally, our risk tolerances.

Twice a year, in January and July, I also take to the audit committee the corporate risk profile; think of that as the top 10 risks in the company … In fact, last August I presented to our full board the company’s risk profile. That’s only been done a few times; usually it’s just the audit committee.

What is different about your risk tolerances?

What we call tolerances are just a magnitude scale of what we consider a bad risk versus a lesser risk, on a five-point scale. We do that each year … So we update them, and our asset management group uses them to determine how to spend money either in capital or maintenance for all our assets. We do it that way because we have to convince regulators we’re spending money wisely, in a structured fashion.

How did you launch your risk management program at the start?

The president and the CFO wanted me to go to the audit committee and get our policies and frameworks blessed, but they didn’t want me to go until we had actually proven ourselves. We took a small facility and ran a pilot there—and every step of the way, if we had not been successful, the whole thing would have been shut down.

We literally sat down and brainstormed to come up with about 70 or 80 risks that the subsidiary might see: fraud, foreign exchange, all the usual types of stuff. We then sent it to the 15 participants who were the management team of this subsidiary, ahead of the facilitated workshops. We asked them to choose the top 10 that they thought might be applicable; when they sent that back, 16 were voted frequently. We ranked them by the number of responses, and then did a workshop with the top eight.

When we finished the first workshop, they were so impressed … they wanted us to come back and deal with the rest of the 16 risks. The president of that subsidiary went to the management team of the whole company and said it was a success that should be done through the whole company.

Was it eye-opening for managers, talking with each other about the risks they perceived?

The magic comes from people getting the opportunity to express what’s been bothering them for years. They also are shocked sometimes to find that something they thought was a risk really isn’t, because someone else does something about it …

Another thing that helped to entrench risk management in the company was that the president asked us to run workshops to educate the senior management team. Every month or so we’d run a workshop with the president and her direct reports on some specific topic.

Example?

Let’s take environmental. We’d have a 40-minute meeting using anonymous voting software, with the management team and the environmental expert in the room with us. The first time we’d vote on a particular risk (usually on a five-point scale), lots of people considered it a five or a four and some thought it was a one or a two. You had a bifurcated result—a lack of common understanding.

The purpose of the workshop was to talk about this. Why did some people think it was a big risk? Why did some think it small? Then we re-voted. After you’ve discussed and voted two or three times, you find that everyone has a clear agreement on what the ranking is, or a clear articulation of why they have different views.

What’s the tangible payoff for that common knowledge?

It was a real benefit when we started to do the IPO. We did a $1 billion bond offering, and the investment bankers and ratings agencies would ask us, “Do you have this type of risk or that type of risk?” Well, our management team was very well-prepared to speak to that. When somebody might ask about risk from the condition of our assets, we could say that was ranked seventh out of our top 10, and here’s what causes it and here’s what we’re doing about it. The real benefit was the common understanding of the team.

You said Hydro One evaluates its risk tolerances annually. Give us an example of one that has changed over time.

The classic example was when we were planning the IPO, we decided the worst-case scenario for publicity would be a bad-news story in the Wall Street Journal … For a few years we kept going with that, but we had a recent incident (an oil spill) that made us reconsider. We realized we should have adjusted that tolerance because Wall Street is not an audience of great concern to us; we’re very much within our own province, and so we’ve changed that tolerance so our worst-case scenario is getting into the provincial press with a bad story.

When that spill happened, we realized the views of Wall Street or British Columbia were not as important to us as our own provincial audience.

Now that Hydro One is scaling back its risk management office, how do you get the lessons learned to stick in executives’ heads?

Oh, a whole bunch of ways. When we were going full-speed and ran 40 or 50 workshops a year, we had so many people attending it just became a part of their life. They talk the talk. When you read the literature about how to get management to speak in a common language, you can talk to most of our managers and they’ll rattle off about magnitude and probability and all this stuff that in most companies only the risk managers say. Our VPs are well-versed in it because they’ve been through it so many times.

With what departments do you work most closely? It seems like you rove quite a bit.

I should say that when they first offered me the risk management role I refused, because I saw a conflict with my internal audit role. But I thought about it and decided to take the job, first because I thought it would be a challenge, and second because nobody seemed to want to take it on.

When I had a risk management staff, they were not invited to any internal audit meetings; it was run as a completely separate function … For example, when we run a risk-management workshop, the information coming from that meeting is not available to internal audit staff without written authorization from a vice president. When people speak in those workshops they are extremely frank. I know the waters have been muddied, particularly in the United States … but I think they should be kept very separate.

And a professor actually wrote a case study about Hydro One’s risk management. How did that come to pass?

Well, the dean of business at Dalhousie University heard what we were doing and invited me to speak in 2002 at a conference in Denmark. At that session was Professor Betty Simkins [of Oklahoma State University], who videotaped my presentation. Last year she approached me and said she was intrigued by my methodology, and asked whether I would do an academic paper. Because we were winding down and my staff was moving on, I thought it would be a benefit to others to capture it in writing.

Well, is risk management something we need to further hone, into a more precise process?

It is still experimental. It’s something we need to get into the business schools so the MBAs learn to do it. It’s something every board member should be asking for.

Thanks, John.
