Corporate risk manager of the year: Duke Energy

US electricity firm overhauled its ERM programme after Dan River spill

Duke Energy headquarters in Charlotte, North Carolina

Energy Risk Awards 2016

On February 2, 2014, a rupture occurred in a stormwater pipe beneath an ash basin at one of Duke Energy's retired coal-fired power plants in North Carolina. Tens of thousands of tonnes of toxic coal ash spilled into the Dan River, fouling the riverbanks as far as 70 miles downstream.

Duke would ultimately be ordered to pay more than $100 million in fines and cleanup costs for the incident. The spill also had major internal repercussions, prompting the Charlotte, North Carolina-based firm to shake up its approach to enterprise risk management (ERM).

Dan River "was a real challenge for the company", says Stephen Parrish, Duke's head of ERM. "It was an event that caused us to pause and reevaluate some of our practices."

Beginning in late 2014, Duke Energy took a series of steps aimed at systematising its approach to risk management across dozens of divisions. The initiative entailed the creation of a consistent framework for identifying and managing risks and the development of a new bespoke software tool to track hundreds of potential risks.

"We had good governance functions in place, but they weren't really tied together under a risk envelope," Parrish says. "We realised that we needed to have a common language around risk – a common taxonomy."

Achieving those goals would be no easy feat for a company of Duke's size. The largest electricity utility in the US, Duke serves 7.4 million retail electricity customers in six states across the southwestern and midwestern US. It employs more than 29,000 people and owns about 52,700 megawatts of generation capacity. The firm posted $23.5 billion in operating revenue in 2015.

"A big ship like Duke has a wide turning radius," Parrish says.

Duke's top-down, company-wide ERM revamp began at a meeting in October 2014, attended by Parrish, chief risk officer (CRO) Dwight Jacobs and their colleagues in the company's risk management team. On the whiteboard, Jacobs drafted a new ERM mission statement: "Enhance day-to-day company practices that continuously improve the experience of our customers, regulators and communities, and protect our people."

"We went through it word-by-word, phrase-by-phrase," Parrish recalls. "What do each of these words mean? How do we make this real for the company? We attacked it solely in terms of what it means to Duke Energy."

The result of the meeting was a plan that Duke began to implement in 2015, with the aim of finalising it in 2016. It would require the establishment of new governance structures and the identification of personnel in each business unit to help pinpoint risks that the company faces.

Various divisions of Duke, such as energy transmission and power generation, faced many different types of risk. "Some are exposed more significantly to safety risk, for example," Parrish says. "We had workshops with each business unit, and introduced how to think about risk."

Duke executives needed to be able to take an eagle's eye view and assess the most pressing issues facing each of the company's divisions, so they could decide how to allocate time and money towards mitigating risks. That meant the firm needed new tools, Parrish and his team decided. Microsoft Excel, they felt, wouldn't cut it.

So a custom software solution was developed in-house within three months. The new risk-register tool could handle 200 users with zero downtime. It soon began tracking approximately 700 risks simultaneously.

The new framework incorporated a wide variety of strategic, operational and financial risks, including low-probability, high-impact events. For example, one risk identified in the system involved the maintenance of decommissioned steam smokestacks. Duke needed to make sure they remained physically and structurally sound and that aerial lighting stayed on to prevent aeroplanes from crashing into them. By bringing such details into the system, Duke developed a systematic approach to dealing with such assets and accelerated the decommissioning and deconstruction of some smokestacks, Parrish says.

In all, Duke implemented 550 enhancements to existing processes and procedures aimed at avoiding negative events, as well as managing problems after they arose. Dozens of workshops were held throughout the company. Parrish's team began presenting to the board of directors monthly.

A key part of the process was making sure employees knew when and how to raise risk-related issues to their managers – "to enable employees so that they identify risk and escalate it for assessment and response," says Jacobs, Duke's CRO.

The aim was to instill a culture of risk management in the company's fabric. "It is not a cliché," Jacobs says. "We are all risk managers."
