The energy company emerged from bankruptcy with the help of its established risk management practices and went forward to evolve those practices into a comprehensive ERM initiative, creating a culture of risk awareness and positive change.
Mirant is an independent power company that generates and sells electricity for customers in the United States, the Philippines and the Caribbean. As a power company, Mirant manages risk as part of its business model.
Paul Sobel has been the vice president of internal audit for Mirant for the past three years. His colleague, Anne Cleary, is Mirant’s vice president and chief risk officer, a position she has held for about one year. According to Sobel, while it was broadly believed that Mirant had leading-edge risk management capabilities, it also was acknowledged that these capabilities were in pockets or silos throughout the organization. “Once we emerged from bankruptcy, the time was right to leverage our existing risk management capabilities and practices, which had been put in place over time, and expand them across the enterprise,” he says. “It is important to note that without those existing risk management practices, we may never have emerged from bankruptcy – so they were a good place to start.”
Led by Cleary and supported by the internal audit (IA) team, the first step was to brief Mirant’s newly formed Audit Committee on how the company approaches risk. This was accomplished during Audit Committee orientation, conducted just before Mirant came out of bankruptcy. The next step was to update Mirant’s Business Risk Profile, a key enabler for enterprise risk management.
“Our Business Risk Profile represents a compilation of the risks facing the company, all of which have been assessed based on a five-point scale for residual impact and likelihood,” says Sobel. “From there, risks are classified into four buckets: major, key, moderate and minor. The intention is to provide formal updates to the Audit Committee or the Board of Directors on the status of all ‘major’ risks.”
Inherent and residual risk
“Coming into a new year out of bankruptcy was a two-step process,” Sobel says. “We needed to develop a full-year audit plan and justify that plan to the Audit Committee by creating a risk universe. Due to the timing of my Audit Committee presentation, I took the first step of developing a risk model based on inherent risk to support my audit plan. This was an important first step. Anne took the second step of facilitating meetings with management to transition my risk model to become Mirant’s Business Risk Profile, which was focused on residual risk. Anne presented our updated Business Risk Profile to the Audit Committee in May 2006, and it was well received. Traditionally, our Business Risk Profile had outlined key risks and tactical actions, but it lacked a robust point of view and focused mostly on strategic and industry risks. We took a big step this year to include inherent risk and residual risk, creating a comprehensive risk universe that has been assessed based on impact and likelihood criteria.”
According to Cleary, it’s important to examine inherent risks when looking at the audit landscape. “You can’t assume the controls work so you need to first look at the inherent risk and then analyze the residual risks, determining where you have the greatest potential breakdown of controls and organize your work in that way,” she says. Cleary approached the Business Risk Profiles based on the concepts put forth by the COSO ERM model. She wanted to achieve value, not just documentation. “I wondered how to get that value add out of having looked at the risks of the company,” she says. “I started with the more residual risks because I was trying to identify where we could make improvements, create economies of scale and scope, and break down silos.”
As an example, Cleary cites Mirant’s risk control function. “Compliance and risk control have common skill sets and intersections for accomplishing their tasks. We recently made inroads to link the two so that legal compliance and risk control do not operate in silos but are instead brought together – which, in an international operation, is proving to be very useful.”
According to Cleary, Mirant has three components in its ERM approach that contribute significantly to its success:
- A robust risk management policy.
- A risk oversight committee (ROC) that meets on a regular basis and covers appropriate risk topics.
- Risk management monitoring and reporting capabilities that go beyond global risk assessment.
The risk management policy
Mirant’s policy focuses on four key aspects of risk management: how market risk is to be monitored; how various models are to be used; how elements of operational risk are to be managed; and how credit risk is to be dealt with.
- Market risk. “We focus our market risk efforts in places where we have merchant revenue gross margin exposures,” says Cleary. “We are focused primarily on the U.S.-based business, because our overseas businesses don’t have the same characteristics – they are more price regulated.”
- Model oversight. “This deals with the necessary controls for the models that calculate the exposures of Mirant’s market risks,” she says. “The inputs to the model as well as their core logic have tight controls around them. For example, if someone wants to change a specific characteristic on how one of our generating plants is modeled, these controls govern how input is signed-off on and change is allowed.”
- Operational risk. “This portion of our policy examines how we ensure that we have complete and accurate representations of deals, as well as how we check the mark-to-market activities for our portfolios, validating the commodity curves we use,” she says. “This is the section where we outline how reports are to be submitted, who must report and how and when we can change the reporting structure. If a control is changed or violated in any way, reports go to the Risk Oversight Committee and beyond.”
- Credit risk. “Finally, we examine how we will grant credit and calculate exposures, both potential and actual, to counterparties,” she says. “We determine how we will track activity in the event of a change of counterparty status, codifying that so that it is under the purview of the Risk Oversight Committee. We also include management of our collateral requirements in this area.”
All controls and activities surrounding those controls are reported on a periodic basis to management, the Risk Oversight Committee and the Audit Committee. “Across all four areas, we have reporting requirements,” says Sobel. “In the event a control is broken, specific remediation and reporting requirements are outlined.”
The ROC
Senior Mirant management forms a Risk Oversight Committee (ROC) that meets monthly to review reports from various risk areas across the company, including market and commodity pricing trends, legal compliance, insurance, environmental health and safety (EH&S), and regulatory. For example, under the direction of the ROC, the risk control function produces a number of daily, weekly and monthly reports on the status of the trading operation for senior management. Additionally, business units report in from the field regarding operational performance and EH&S.
“Our Audit Committee chartered the management-level ROC, a group responsible for not only the risks related to the areas the members manage but also for coming together and assessing the risk activities across Mirant,” Sobel says. “From a governance perspective, this has a high profile – it’s where everything starts.”
“As I examine risk management methods at other companies, I have come to understand that the greatest risk is not that the company is unaware of its exposures, but that only portions of the company are aware,” he says. “When this happens, factions within the company may work at cross purposes. The ROC is our vetting arena. All risks come through this group, which ensures enterprise-wide awareness and engenders open discussion in this innovative forum.”
Monitoring and reporting
Mirant’s risk management policy defines the controls and reporting that are required at a minimum. “We report more than the policy requires,” says Cleary. “We have a series of daily reports to management that come out of our operational trading controls area. We segregate errors from violations. For example, somebody may perform a task improperly, but that does not mean the policy has been violated. This is an important distinction: If you track errors along with violations you gather more complete data – even when someone did not violate a policy, the error is still a problem for the organization. Inadvertently inaccurate information, while it does not create a violation, does get caught in our downstream process. The risk control function tracks whether or not the error showed up, where it emerged and how long it took before we caught it. In this way we examine trends in errors and look for ways to improve.”
ERM has been embedded into Mirant’s resource allocation but is somewhat informal relative to the other practices. Cleary and Sobel are now looking at further integrating risk controls, compliance and internal controls resources and toolsets to create better economies of scale and scope across the risk control and compliance universe. This will continue to reinforce the emphasis of risk on a global basis across all functions. “We believe ERM will be more formally integrated into strategic planning as our new management team moves forward with the updated Business Risk Profile,” says Sobel.
Risk assessment continues to play a critical role in Mirant’s ERM initiatives. “With regard to our enterprise risk assessment, Anne has facilitated meetings with business people who have opinions and insights regarding critical risks,” Sobel says. “This was a collaborative effort that helped us reach agreement with regard to the level of residual risk in the company. Risk assessment is not limited to the CRO and the IA team discussing risks – it is a truly inclusive process.”
Continuing the journey
Sobel says that his vision for ERM at Mirant is that it will be so thoroughly embedded in the culture and the way people think that it will be viewed less as a program or initiative and more as simply an operating and management style. “While we plan for incremental improvements to the program, we feel we are past the initiative stage and moving toward this vision,” he says.
Cleary says she hopes to further leverage the work accomplished to date. “In the past three to four years our emphasis has been on risk controls for our merchant generation group and, like all U.S. businesses, we also had to focus on Sarbanes-Oxley compliance. Now we are integrating administration of legal compliance into our risk control framework. We are hoping to build on what our Sarbanes team has achieved – namely the development of effective tools for the acceleration of issues. We want to institutionalize those achievements so that they become more a part of the fabric for the company.”
Sobel adds: “The risk mindset has pretty much been embedded in our culture. The key is that we have taken a first and important step of recognizing the whole array of risks that Mirant faces and making sure the key risks are truly being managed. When we get to the next layers of risk, we will gradually roll out responsibilities for management and reporting. Importantly, the structure of the ERM program is in place, and outside of ongoing continuous improvement I don’t see any significant changes that would be needed.”