Business Continuity An Integral Part of Risk Management At Constellation Energy

Transcription

1 Business Continuity An Integral Part of Risk Management At Constellation Energy World Disaster Management Conference Toronto, Canada June 19, 2006 Robert W. Cornelius Director Business Continuity

2 Operating in all areas of the Energy Value Chain Baltimore Gas and Electric Transportation and distribution utility for 1.2 million electricity customers and 620,000 gas customers in Central Maryland Constellation Generation Owns 11,856 Megawatts of primarily base load coal and nuclear generation capacity Constellation Commodities Group Wholesale competitive supply business acting as an intermediary between producers and consumers of electricity, coal and natural gas Manages the sale of our fleet s output and the fleet s fuel inputs Constellation NewEnergy Nation s largest supplier of electricity to commercial and industrial customers Constellation Energy I The way energy works.tm 2

3 Industry Recognition Constellation Energy named 2004 Energy Company of the Year EEI Emergency Response Award Hurricane Isabel EEI Emergency Assistance Award Response to Florida 3

4 Industry Recognition Continued Named to the Dow Jones Sustainability North America Index - tracks the financial performance of companies that demonstrate excellence in economic, environmental and social leadership Named to FORTUNE magazine's list of the 100 fastest-growing companies in America. Named the most admired energy company for its prestigious 2005 list of "America's Most Admired Companies." Advances to No. 167 on Fortune 500 list Received the electric power industry's highest honor, the prestigious 2005 Edison Award in recognition of its leadership in the competitive energy marketplace 4

5 CE s Business Continuity Program Enterprise program across all lines of business Business Continuity Program (BCP) Office comprised of: 7 full-time employees 225 part-time Business Continuity coordinators in the business areas 450 Building Wardens 30 Enterprise Risk Management System (ERMS) Coordinators Strong Program Support from all management levels Corporate policy and standard methodology all business units will have recovery plans that will be drilled and maintained Emergency events (response & recovery) are coordinated from a central organization Management of risk under the guidance of the Chief Risk Officer Business Continuity Tools Strohl Systems Products 5

6 What are the Industry Trends for Risk? Move toward an Integrated Risk Management Process coordinate at all operating levels with executive-level oversight Continuous Process become a culture, constantly looking at processes with risk identification in mind Broader Focus encompasses all aspects of business, operations and finance Embedding Risk Discipline into Existing Processes risk identification and assessment into forecasting, planning and capital budgeting Prioritization of Risks focus on most important and greatest impact exposures first Improving Risk Communications both internally and externally More Focus on Internal Controls and Identifying Potential Vulnerabilities Sarbanes-Oxley compliance 6

7 CE s Risk Division Structure Pre-2003, the Risk Division focused: Credit Risk Market Risk Financial Risk Post 2003, the division grew to include: Operational Risk Security Business Continuity Credit Risk Market Risk Financial Risk Management Operational Risk Security Business Continuity I/T Disaster Recovery 7

8 CE s Approach to Risk Management Inventory the major risks that could impact the company s financial and operational performance Establish the risk tolerance in coordination with business plan objectives Develop plans to manage and mitigate material risks Chief Risk Officer oversees all corporate risks. Throughout the company risk is taken seriously. Weekly Risk Management Committee Meetings Board of Directors - Audit Committee Internal/ External Auditors Monthly Operating Risk Committees 8

9 Risk Management Committees Oversight and Controls Audit Committee of the Board of Directors CE Chief Risk Officer LOB President and Executive Leadership Team LOB Risk Management Committee Strong risk management culture and network enables CE to identify and proactively manage key risks to meet business objectives 9

10 Business Continuity Risk Considerations Threat >> Probability/ robability/impact >> Risk Strategy Cost vs Risk Compliance vs Customer Service The above are considered when vulnerabilities and the associated risk mitigation activities are identified. 10

11 Business Continuity Objective Facilitate enterprise-wide vulnerability documentation and risk strategy development to provide for an acceptable level of risk and to facilitate completion of mitigation projects 11

12 CE s Risk Management Tool In 2003, Business Continuity selected Mitirisk, a Strohl Systems tool to manage the vulnerabilities and risk. To meet our company s needs, Business Continuity: customized to fit CE s risk terminology and philosophies renamed Mitirisk to Enterprise Risk Management System (ERMS) created risk categories for - BCP (e.g. vital records), Environmental, Physical Security, I/T Disaster Recovery, I/T Security, Safety / Fire Protection, Facilities expanded ERMs to Operational Risks Committees such as Electric, Gas, and Generation expanded to Staff Risk Committees: I/T, Facilities, and Supply Chain 12

13 Enterprise Risk Management System (ERMS) Document vulnerabilities Assign executive owner Assign risk severity rating (1-5) Document risk strategies (mitigate/accept/avoid/transfer) Document mitigation projects Assign manager owner Assign effectiveness rating (1-5) Track progress 13

14 Sources for Vulnerabilities Vulnerabilities are discovered during assessments for Facilities BCP plan development/maintenance BCP drills/exercises Operational risk committees Security I/T disaster recovery Specific scenarios (e.g. pandemic, workplace violence, bio-terrorism, data center loss, loss of executives) Audits 14

15 Risk Migration Strategy 15

16 Sample of Mitigation Projects Alternate and Hot Site Construction Energy Supplies 2 MW Portable Generation and Building Connections PC and Mobile Office Retainers Geographically dispersed primary and backup I/T Servers Life Cycle replacement of Critical Systems Data Backups 16

17 ERMS Metrics Metric produced for each category of risk or owner of risks Simple pie chart showing profile of risks by severity Reports showing vulnerabilities ordered by risk severity Show monthly trending for various categories of risk Average starting risk Average targeted risk Current risk level Quarterly reports for CRO and Senior Executives 17

18 Sample Metric Report 18

19 Benefits Inventory of vulnerabilities Documentation of vulnerabilities, risk strategies, and discussions Legal review of risks and the documentation wording Proper management of risk (material / significant) Accountability is high all risks are assigned an owner Risk profiles reviewed by senior management Improved risk disclosures Focused capital budget planning on corporate risk profile 19