Risk Assessment Mitigation Phase (RAMP-B) Enterprise Risk


Risk Assessment Mitigation Phase (RAMP-B)
Enterprise Risk Management Framework
November 27, 2019

TABLE OF CONTENTS

I. INTRODUCTION
II. ENTERPRISE RISK MANAGEMENT FRAMEWORK
    A. Risk Identification
    B. Risk Analysis
    C. Risk Evaluation and Prioritization
    D. Risk Mitigation Plan Development & Documentation
    E. Risk-Informed Investment Decisions and Risk Mitigation Implementation
    F. Monitoring and Review
III. CONTINUOUS IMPROVEMENT OF RISK MANAGEMENT PRACTICES
IV. EVOLUTION OF RISKS IN THE ERR COMPARED TO 2016 RAMP AND TY 2019 GRC
    A. Records Management
    B. Climate Change Adaptation
APPENDIX

I. INTRODUCTION

This chapter discusses the risk management framework for Southern California Gas Company (SoCalGas or Company). For purposes of RAMP, the Company has integrated the directives established in Decision (D.) 18-12-014 and the Settlement Agreement adopted therein (SA Decision) into the Company’s existing enterprise risk management (ERM) framework. This chapter describes in detail the current ERM framework utilized by the Company.

II. ENTERPRISE RISK MANAGEMENT FRAMEWORK

As described in the direct testimony of Risk Management and Policy witness Diana Day in the Test Year 2019 General Rate Case,1 the Company’s risk framework:
is modeled after ISO [International Organization for Standardization] 31000, an internationally recognized risk management standard. This framework consists of an enterprise risk management governance structure, which addresses the roles of employees at various levels ranging up to the Companies’ Board of Directors, as well as risk processes and tools. One such process is the six-step enterprise risk management process. Figure 1 below describes the Company’s enterprise risk management process, by which the Company identifies, manages, and mitigates enterprise risks, and aims to provide consistent, transparent, and repeatable results.
1 A.17-10-007/-008 (cons.), Exhibit (Ex.) 03 (SCG/SDG&E Day/Flores/York Revised Direct) at DD-8.

Figure 1: Enterprise Risk Management Process

The process illustrated in Figure 1 aligns with Cycla Corporation’s 10-step evaluation method, which was adopted by the Commission in 2016 “as a common yardstick for evaluating maturity, robustness, and thoroughness of utility Risk Assessment and Mitigation Models and risk management frameworks.”2 While the lexicon used by Cycla differs slightly from that of the Company, the content is largely aligned. Table 1 below provides a side-by-side comparison of the steps in the Company’s ERM process to the Cycla method sections.

Table 1: ERM Process Alignment with the Cycla Method

| Steps in Cycla3 | Corresponding Risk Step in Enterprise Risk Management Process |
|---|---|
| Step 1: Identify Threats | 1. Risk Identification |
| Step 2: Characterize Sources of Risk; Step 3: Identify Candidate Risk Control Measures (RCMs) | 2. Risk Analysis |
| Step 4: Evaluate the Anticipated Risk Reduction for Identified RCM | 3. Risk Evaluation & Prioritization |
| Step 5: Determine Resource Requirements for Identified RCMs; Step 6: Select RCMs Considering Resource Requirements and Anticipated Risk Reduction | 4. Risk Mitigation Plan Development & Documentation |
| Step 7: Determine Total Resource Requirement for Selected RCMs; Step 8: Adjust the Set of RCMs to be Presented in Rate Case Considering Resource Constraints; Step 9: Adjust RCMs for Implementation following CPUC Decision on Allowed Resources | 5. Risk Informed Investment Decisions and Risk Mitigation Implementation |
| Step 10: Monitor the Effectiveness of RCMs | 6. Monitoring and Review |

2 D.16-08-018 at Ordering Paragraph (OP) 4.
3 Id. at 17, referencing Evaluation of PG&E’s 2014 Gas Distribution General Rate Case (GRC) Filing, by Cycla Corporation, Attachment 3, page 2, Figure 3-1.

The Company performs its ERM process annually, resulting in an enterprise risk registry (ERR). The ERR contains each of the Company’s identified enterprise-level risks. Each risk is assigned to one or more risk owner(s), a member of the senior management team who is ultimately responsible and accountable for the risk, and one or more risk manager(s) responsible for ongoing risk assessments and overseeing the implementation of risk plans. The ERM organization facilitates sessions amongst the Company’s risk owners to identify, evaluate, and prioritize risks, and to review mitigation plans and consider how investments align with risk priorities.


As Ms. Day explained: “The enterprise risk management process is both a ‘bottom-up’ and ‘top-down’ approach, by taking input from the risk managers and the risk owners to ultimately finalize the risk registry. As with any useful risk assessment, the enterprise risk registry is not intended to be static; it must be refreshed on an annual basis. Risks are dynamic; risks that were consolidated together may be separated out, new risks may appear, and the level of the risk may change over time.”4
Each of the steps in the ERM process is discussed further below.

A. Risk Identification

Risk identification is the process of finding, recognizing, and describing risks. As the first step in the risk management process, the ERM organization works with various business units to update existing risk information and identify enterprise-level risks that have emerged or accelerated since the prior assessment. This part of the process also includes the identification of risk events, their causes, and potential consequences. Figure 2 below provides a depiction of the Risk Bow Tie, which is a commonly used tool for risk analysis. The Risk Bow Tie is a way to systematically and consistently evaluate the Drivers/Triggers, possible outcomes, and Potential Consequences of a Risk Event. The left side of the Risk Bow Tie illustrates potential Drivers and/or Triggers that may lead to a Risk Event (center of the Risk Bow Tie) and the right side shows the Potential Consequences of a Risk Event.5

4 Ex. 03 (SCG/SDG&E Day/Flores/York Revised Direct) at DD-9.
5 This 2019 RAMP Report uses the SA Decision lexicon. Please refer to Appendix A-1 in Chapter RAMP-A for a glossary of terms.

Figure 2: Example of Risk Bow Tie
The Company breaks down risks into two groupings – operational risks and cross-cutting risks. Operational risks are those events that have operational implications and may result in damage to or loss of company or public assets, serious injury and/or fatality, and/or interruption of service to customers. An example of an operational risk is Third Party Dig-in on a Medium or High Pressure Pipeline Incident. Cross-cutting risks, while not specific to one asset or group of assets, may also have similar potential consequences to those of operational risks. An example of a cross-cutting risk is Employee Safety, since it focuses on human systems and cuts across all asset types.
The categorization of the 2019 RAMP Report’s risks is outlined in Table 2 below. As discussed in RAMP-A, there are 18 separate risk chapters presented: eight for Southern California Gas Company (SoCalGas), nine for SDG&E, and one joint SoCalGas/SDG&E chapter.

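Table 2: Categorization of Risks

| Category | SoCalGas | SDG&E |
|---|---|---|
| Gas | Medium Pressure Gas Pipeline Incident (Excluding Dig-in) | Medium Pressure Gas Pipeline Incident (Excluding Dig-in) |
| Gas | High Pressure Gas Pipeline Incident (Excluding Dig-in) | High Pressure Gas Pipeline Incident (Excluding Dig-in) |
| Gas | Third Party Dig-in on a Medium Pressure Pipeline | Third Party Dig-in on a Medium Pressure Pipeline |
| Gas | Third Party Dig-in on a High Pressure Pipeline | Third Party Dig-in on a High Pressure Pipeline |
| Gas | Storage Well Integrity Event | N/A |
| Electric | N/A | Wildfires involving SDG&E Equipment (including Third Party Pole Attachments) |
| Electric | N/A | Electric Infrastructure Integrity |
| Cross-Cutting | Employee Safety | Employee Safety |
| Cross-Cutting | Contractor Safety | Contractor Safety |
| Cross-Cutting | Customer and Public Safety | Customer and Public Safety |
| Cross-Cutting | Cybersecurity | Cybersecurity |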

B. Risk Analysis

Risk analysis is the process of understanding the risk and the degree of risk. Risk analysis provides a basis for risk evaluation and decisions about risk mitigation. Risk analysis is undertaken using varying methodologies, depending on the risk and the availability of data and resources. The Company utilizes a combination of qualitative (e.g., calibrated subject matter expertise) and quantitative analyses (including external data) to analyze its risks.

C. Risk Evaluation and Prioritization

Using the information from the prior steps, an evaluation and prioritization is performed. The result of this step is pre-mitigation risk scores for each risk in the ERR and a relative ranking reflecting consensus around risk priorities. This step involves a discussion of each ERR risk, including changes in the risk frequency or impact, challenges, and elements of the previous assessment’s implementation of mitigants. Arriving at a risk prioritization can be an iterative process; risks that may be very different are compared to one another to determine a relative ranking (for example, evaluating an IT risk in comparison with a customer service risk).
In 2018, the Company completed its ERR before year-end and in advance of the issuance of the SA Decision. The evaluation and prioritization process for the 2018 ERRs used the Company’s 7x7 matrix, a risk tool that aids in developing the pre-mitigation risk score for ERR risks. Subsequently, the SA Decision was adopted in December 2018 and provided, among other things, a new methodology to be used as the basis of this RAMP Report, rather than the 7x7 matrix.
In particular, the SA Decision established a multi-attribute value function (MAVF).6 For purposes of this RAMP Report, the Company developed a new MAVF consistent with the SA Decision. Using this MAVF, the Company conducted a secondary analysis on each risk that was identified in its 2018 ERR, which resulted in new pre-mitigation risk scores. This process, methodology, and calculations for the pre-mitigation risk scores are further discussed in Chapter RAMP-C.
D. Risk Mitigation Plan Development & Documentation
Based on the analysis and evaluation of risks in the prior steps, risk owners and managers develop and document risk mitigation plans to capture the state of the risk given current control activities and any additional mitigations. On an annual basis, the ERM organization facilitates the risk mitigation planning session where risk owners present their key risk mitigation plans and alternatives considered to the senior management team and discuss the feasibility and prudence of those plans. This risk mitigation planning session helps shape the Company’s priorities going into the annual investment planning process and helps identify gaps and/or areas of overlap in risk mitigation plans.
E. Risk-Informed Investment Decisions and Risk Mitigation Implementation
The capital planning process is the Company’s current annual process for prioritizing funding based on risk informed priorities and input from operations. The capital allocation planning sessions begin with input from functional capital committees that comprise subject matter experts who perform high level assessments of the capital requirements based on achieving the highest risk mitigation at the lowest attainable costs. These requirements are presented to a cross-functional team representing each functional area with capital requests. This committee reviews the resource requirement submissions from all functional areas, and projects are evaluated against priority by assessing a variety of metrics including safety, cost effectiveness, reliability, security, environmental, strategic, and customer experience. Recommendations for capital spending are then presented to an executive committee for approval. Once the capital allocations are approved, each individual operating organization is chartered to manage their respective capital needs within the capital allotted by the plan. This includes re-prioritizations as necessary to address imminent safety concerns as they arise. Similar to the Company’s risk evaluation processes, the capital planning process is continuing to evolve as the Company endeavors to achieve the goal of determining more quantitatively the risk reduction per dollar invested.

6 D.18-12-014 at Attachment A, A-8 (Risk Assessment).
F. Monitoring and Review

Monitoring and reviewing the aspects of risk management supports the Company’s efforts to continuously improve its risk management practices. Periodic reviews of the ERR are performed to keep the register current and facilitate discussions on any emerging new risks that the Company could face. In addition to using risk scores to monitor changes in risks, the Company leverages risk metrics similar to those identified in the S-MAP to hold parties accountable and improve risk oversight.

III. CONTINUOUS IMPROVEMENT OF RISK MANAGEMENT PRACTICES

The Company’s risk management practices continue to mature. This is evidenced through the implementation of the processes and methodologies in the SA Decision, as well as other steps the Company is taking for advancement. The TY 2019 GRC presented a vision related to integrating risk, asset, and investment management to be accomplished over future