Modernizing ERM: How Energy and Utilities Companies Can Stay Current in Risk Management


The risks faced by energy and utilities organizations have evolved tremendously over the past decade. From intensifying cyber threats to growing awareness of environmental concerns, changing geopolitical dynamics, supply chain disruptions, fluctuating prices, regulatory changes, and more, the sector today has to navigate an extremely complex and highly interconnected risk landscape. 

In PwC’s 2022 Global Risk Survey, 83% of power and utility leaders identified keeping up with the speed of digital and other transformations as a significant or very significant risk management challenge. While the traditional approach to enterprise risk management (ERM) might have worked well in the past, energy and utilities companies need to rethink their ERM program and the approach to implement and reinforce it across the enterprise.

Needless to say, technology has a critical role to play in effectively managing these fast-changing and interdependent risks, but there’s also a greater need to change the very mindset of organizations. In today’s volatile business environment, organizations cannot view and approach risk as an afterthought – they need to be proactive and farsighted to not just address today’s risks but also prepare for tomorrow.

Modernizing ERM – Key Considerations

The U.S. Office of Management and Budget (OMB) outlined ERM requirements for federal agencies in the circular “Management’s Responsibility for Enterprise Risk Management and Internal Control.” Based on this circular, the Department of Energy explains various aspects and processes of a comprehensive ERM program in its Enterprise Risk Management Fiscal Year 2023 Guidance, including:

  • Developing an organizational risk profile by understanding the internal and external environments of the organization 
  • Evaluating the identified risks to include the probability and impact
  • Analyzing the risks with respect to the achievement of objectives – strategic, operational, compliance, and reporting 
  • Determining a risk response – accept, avoid, reduce, transfer, share – for the identified risks by considering risk tolerance, placement of controls, and other mitigating actions 
  • Monitoring the performance to determine whether the response strategy achieved the intended objectives 
  • Conducting continuous risk identification to stay on top of new and emerging risks

It is important to underscore the need for a continuous approach to ERM. Given today’s rapidly evolving internal and external risks and their cascading impacts, energy and utilities companies can no longer consider ERM as a one-time activity – it is essential to adopt a continuous and agile approach to risk identification, assessment, analysis, and mitigation so that there are no blind spots. 

Using technology as an enabler, organizations can implement the continuous approach to ERM as well as gain operational efficiencies by automating repeatable tasks. Equally important is to adopt an integrated approach to ERM that cuts across operational and functional silos; such silos otherwise lead to poor risk visibility and foresight, duplication of effort, and misallocation of resources.

Against this backdrop, here are a few key considerations for enabling an integrated and continuous ERM approach for energy and utilities organizations:

  • Centralized Risk Repository

Organizations must record all their financial and non-financial risks from internal and external environments in a centralized risk repository and map them to assets, controls, regulatory requirements, policies, business units, etc. This serves as the single source of truth across the organization, which streamlines risk aggregation and analysis and improves risk visibility.

  • Risks from the Extended Enterprise

Energy and utilities organizations have an extensive third-party ecosystem comprising suppliers, technology providers, transportation and logistics providers, consultants, contractors, and others. It is important to continuously identify, manage, and mitigate the risks from this extended enterprise for an effective and comprehensive approach to ERM.

  • Actionable Risk Intelligence with AI

Exploring AI use cases has become a top priority for organizations across industries. For energy and utilities organizations, AI holds the promise to transform ERM by providing timely and actionable intelligence on risk trends, the control environment, action plan recommendations, and more. But it is equally important to understand the risks of AI models themselves and monitor them proactively so that the negative effects of AI on people, organizations, and data are minimized.

  • Resilient Mindset

Because energy and utilities organizations are critical infrastructure, the importance of their business resilience cannot be overstated. Fostering a resilient mindset requires deliberate and active participation from top management and the board. The objective is not only to manage risks but also to foresee, prepare for, and adapt to changing internal and external environments, and to withstand, respond to, and recover from disruptions. Implementing robust business continuity plans and testing them regularly for effectiveness is key to ensuring resilience in energy and utilities organizations.

The World Energy Council explains it in terms of the Dynamic Resilience Framework:

“The Dynamic Resilience Framework is an integrated approach to emerging risk management that contributes to building capacity and capabilities for managing the resilience of energy systems. Resilience to specific events and systemic shifts can be enhanced by situational awareness of the different types of risks and preparedness for future developments.”

What’s Next?

With the growing pressure to scout for cleaner energy sources, intensifying regulatory scrutiny, an increasing number of catastrophic events, rising cyber attacks, volatile tariff and trade policies, and more, energy and utilities companies are looking at a highly uncertain business environment with multi-dimensional risks. Embracing a technology-driven and integrated ERM program is a business necessity today for continued financial and operational success.

For a closer look at the ERM process, risk methodology, and the critical role played by technology in modernizing risk management at energy and utilities organizations, download our latest eBook, which discusses the key elements of a well-defined risk methodology and how to build an ideal risk management governance structure.

Sumith Sagar Associate Director, Product Marketing

Sumith Sagar is a proven product marketing professional, specializing in software product positioning, product-led growth marketing, presales and sales enablement. With over 12 years of risk management solutioning experience ranging from Governance, Risk and Compliance (GRC), Commodity Trading & Risk Management (CTRM) and cybersecurity, she has been instrumental in driving BusinessGRC product marketing at MetricStream.