Hydro One Inc.Aabo, Frase & Simkins [2005] Jurnal of Applied Corporate Finance 17:3, 62-75

Ontario electrical distributor

Formed in 1999 (privatized)

IPO 2001 (withdrawn)

Finland May 2010

ERM at Hydro One

• Late 1999 head of Internal Audit appointed CRO

• Corporate Risk Management Group established– CRO, 2 full-time professionals– Given 6 months to prove themselves– Early 2000 prepared

• ERM Policy• ERM Framework

Finland May 2010

ERM Policy• Audit & Finance Committee of the Board

– Annually reviews the Corporation’s risk profile, the risk retention philosophy/risk tolerances of the Corporation, and the risk management policies, processes and accountabilities

• President – ultimate accountability for managing the Corporation’s risks

• Chief Financial Officer– specific accountability for ensuring that enterprise risk management processes are established, properly documented and

maintained

• Senior Management Team– provides management oversight of the Hydro One risk portfolio and the Corporation’s risk management processes– provides direction on the evaluation of these processes– identifies priority areas of focus for risk assessment and mitigation planning

• Each of the President’s Direct Reports– specific accountabilities for managing risks in their subsidiary or function– each will establish specific risk tolerances for their lines of business that do not exceed the limits of corporate risk tolerances– expected to annually formally attest that the unit’s risk management process is in place, operating effectively and is consistent with

this policy.

• Line and Functional Managers– responsible for managing risks within the scope of their authority and accountability– risk acceptance or mitigation decisions made explicitly and within the risk tolerances specified by the head of the subsidiary or

function

• Chief Risk Officer – provides support to the President, CFO, Senior Management Team and key managers within the corporation– includes developing risk management policies, frameworks and processes, introducing and promoting new techniques, preparing

annual corporate risk profiles, maintaining a registry of key business risks, and facilitating risk assessments across the Corporation

Finland May 2010

Risk Definitionsfrom Risk Policy

• Risk: – potential that an event, action or inaction will threaten Hydro One’s ability to

achieve its business objectives. Risk is described in terms of its likelihood of occurrence and potential impact or magnitude. Broad categories of risk in Hydro One include strategic, financial, and operational risks.

• Risk Assessment: – systematic identification and measurement of business risks on a project, line of

business or corporate basis. It also includes the review or establishment of risk tolerances, the evaluation of existing mitigation controls and conscious acceptance or treatment of residual risk.

• Risk Mitigation/Treatment: – Actions or decisions by management that will change the status of a risk.

Options include • retaining the risk (either completely or partially), • increasing the risk (where mitigation is not cost-effective), • avoiding the risk (by withdrawing from or ceasing the activity), • reducing the likelihood (by increasing preventive controls), • reducing the consequences (by emergency or crisis response), • and/or transferring the risk (by outsourcing, insurance, etc.).

Finland May 2010

Risk DefinitionsFrom Risk Policy

• Risk Profile: – results of any risk assessment, assembled into a consolidated

view of the significant strategic, regulatory, financial and operational risks at play in a project, line of business or across the Corporation.

• Risk Tolerances: – Guidelines first establish levels of acceptable and unacceptable

exposure from any risk. – Tolerances define the range of possible impacts (from minor to

catastrophic) that risks might have on business objectives. – Risk tolerances are established for the Corporation and

reviewed annually. – Each project, function or line of business assessing its risks is

expected to use or develop a set of risk tolerances that does not exceed established corporate limits.

Finland May 2010

Risk Management Process

• Establish Business Context• Identify Risks

– What can happen?/How?

• Assess Risks & Controls– Determine consequence

• Assess Current Controls– Confirm existence/Determine effectiveness– Estimate strength of controls– Determine likelihood– Estimate level of risk

• Check if Risk is Tolerable– If not, Mitigate/Treat Risks

Finland May 2010

Dimensions of Likelihood

5 – Virtually certain0.95 probability will occur within 5 years

4 – Very likely0.75 probability will occur within 5 years

3 – Even odds0.50 probability will occur within 5 years

2 – Unlikely0.25 probability will occur within 5 years

1 – Remote0.05 probability will occur within 5 years

Finland May 2010

Risk Magnitude

1. Minor• few controls needed

2. Moderate

3. Major

4. Severe

5. Worst case• full prescriptive controls with executive

oversight

Finland May 2010

Means of Dealing with Risk• Retain

– risk exposure accepted without mitigation, since potential return is viewed as desirable and downside exposure is not significant;

• Retain but change mitigation– a partially mitigated exposure is maintained, but change in mitigation reduces

the cost of control;• Increase

– risk exposure is increased, either because the potential return is viewed as desirable or the controls in place are not cost effective;

• Avoid– risk exposure to be entirely eliminated, possibly by withdrawal from a business

area, since the potential return does not offset downside exposure;• Reduce the likelihood

– risk exposure reduced cost-effectively through new or enhanced preventive controls;

• Reduce the consequences – impact of any risk that materializes will be reduced through emergency

preparedness or crisis response;

Finland May 2010

Hydro One Risk Tolerances3 of 16 total

Financial Reputation Reliability

1 Minor <$5M loss Letter to Govt, mgmt

<1000

<10MW

2 Moderate $5-25M Local 1-10k

10-100MW

3 Major $25-75M Provincial 10-40k

100-400MW

4 Severe $75-150M National 40-100k

400-1k MW

5 Worst >$150M International >100k

>1MWFinland May 2010

Pilot Study

• Spring 2000 workshop• One subsidiary• Pre-meeting – e-mailed participants

– Asked for list of 10 most critical risks– Compiled, top eight selected

• Delphi• Vote on 1-5 scale• Discuss

– Iterate• Deemed successful

– ERM continued

Finland May 2010

Corporate Risk Profile

Risk source Trend Mitigation

Growth Very high, up Senior mgmt participation in govt

Regulatory Very high, up More board participation; Add regulatory staff

Org. Readiness High, up Contracting, labor rel., technology

Network subs. High, new Strategy & transition plan

Finland May 2010

Corporate Risk Profile

Risk source Trend Mitigation

Asset condition High, even Redundancy, emergency response

Catastrophic events

High, down Planning, forecasting, insurance

Environmental

Contamination

High, even Insurance

Hazardous operations

Medium, up Design, maintenance, training, supervision

Finland May 2010

Corporate Risk Profile

Risk source Trend Mitigation

Market ready project

Medium, even

Delay market entry

New electricity marketplace

Medium, even

Participate on market board, negotiate

Economy/

financial markets

Medium, down

Limit floating rate debt, interest rate swaps, diversified customer base

Finland May 2010

Benefits of ERM• Lower debt cost:

– Initial debt issue was oversubscribed about 50 percent, and ERM was credited by ratings analysts as being a significant factor in high ratings received

• Capital expenditures focused on greatest risk mitigation per investment: – the risk-based structural approach yielded an optimal portfolio of capital investments

• Catastrophe avoidance: – dismissal of the Board of Directors and reaction to the oil spill.

• Reassurance to stakeholders that the business is well managed: – ERM workshops aided the executive team to articulate risks faced– Many other examples of stakeholder reassurance existed.

• Improve corporate governance: – Board of Directors was initially skeptical– now routinely expects risk analysis

• Implement formalized risk management system: – Formalized system drives periodic assessment, documentation, and risk reporting

• Identify risks where Hydro One is most competitive: – A subsidiary involved in marketing electricity was sold due to high commodity risks– several processing and administrative functions were outsourced to transfer labor union and

cost risks

Finland May 2010