Enterprise Risk Management Program Development Update

Finance & Audit Committee Meeting September 25, 2015

Presentation Notes
Wants to maintain the same process list. Wants to streamline process definitions as well (CTB and G/L). Wants to see Treasury and Cash Management broken out. Map the risks to the SMSC PCS. Doesn’t want to stick with the E&Y risk list, but use it as a starting point so that we can get a good final SMSC list.

Enterprise Risk Management Presentation Topics

Enterprise Risk Management (“ERM”) Overview

Lead Roles - LIPA/PSEG-LI ERM Process

Status of the 2015 ERM Cycle

Summary of Results of the 2015 ERM Cycle

Key Risks Comparison to Others in Utility Sector

Internal Audit/Review

ERM Cycle Areas of Improvement - Next Steps

Finance & Audit (“F&A”) Committee – Next Steps


ERM Overview

Enterprise Risk Management (“ERM”) increases risk awareness, ensures the appropriate management of risks, and provides transparency.

Encourages a comprehensive perspective of risks by assessing existing risk and mitigation efforts at both LIPA and PSEG-LI.

Aligns Management’s efforts to prevent risk events from occurring or mitigating risk events when they are unavoidable or outside LIPA’s control.

Formally identifies a “Key Risk Owner” for each high risk area. Key Risk Owner responsibilities include:
– Monitoring of mitigation efforts impacting their risks
– Reporting on risks and mitigation efforts on a regular basis

Fulfills key recommendations from the Northstar Operations Audit Report (Chapter 7 – “Enterprise Risk Management and Strategic Planning”) dated September 13, 2013.

Lead Roles - LIPA/PSEG-LI ERM Process

ERMC: T. Falcone (Chairman), B. Chu, C. Horowitz, K. Kane, J. Little, M. Simione; and J. Bell (legal advisor to ERMC)

Adopt ERM Procedures Manual, update as needed

Review and approve ERM Program Timeline (Appendix Pg. 19)

Determine the ERA working group

Interview: F&A Committee members, LIPA & PSEG-LI Officers, Directors and Managers

Determine appropriate owners for each Key Risk/Key Risk Category

Approve appropriateness of risk mitigation:
– Completeness of documentation articulating risk mitigating activities/processes
– Determine tolerance or comfort with existing amount / level of risk mitigation

Ensure ERM process is compliant with Board approved Policy

Work with Internal Audit Department, conduct assessment of overall effectiveness of ERM program, and identify areas for enhancement

Lead Roles - LIPA/PSEG-LI ERM Process

Director of Risk Management: C. Horowitz

Initiate and lead ERA effort

Consolidate ERA results, mapping of ERA to Risk Framework*

Develop and lead Risk Prioritization process to rank Risks

Catalog Key Risk Mitigation Activities assigned by Risk Owners

Review Risk Mitigation Activities with Risk Owners and address potential concerns

Continuously monitor risk, including regular touch points with Risk Owners

Provide ERMC with regular Risk Mitigation status updates

Draft and present regular updates for the F&A Committee (no less than annually)

*Identifies list of Environment Risks, Process Risks and Information for Decision-Making Risks - approximately 85 Risk components (Appendix Pg. 18)

Status of the 2015 ERM Cycle

Protiviti retained by LIPA to assist with:

Development of LIPA ERM Framework [Completed]
– Board Policy [Approved August 6th, 2015]
– Delegates responsibilities to LIPA’s ERMC and Staff

Facilitate initial LIPA/PSEG-LI ERM Cycle [Completed]
– Enterprise-wide Risk Assessment (“ERA”) activities
– Risk Mitigation Worksheets (“RMW”)

Draft LIPA’s internal Policies, Procedures and Controls Manual for ERM [Near Completion]
– Details ERA and ERM Process
– ERM Process Timeline

Monitoring Process [In Development]

Summary of Results of the 2015 ERM Cycle

Following the 2015 ERA, LIPA identified the following Key Risk Categories to the organization, which will be monitored continuously:

Outsource & Partnership Relationship Concerns

Personnel & Human Resources Concerns

Understanding & Delivering on Customer Expectations and Needs

Rate Case and Success of Financial Policy

Cyber Security

External Influences & Interests

NOTE: The above are potential risk events which are deemed to be key to monitor and take mitigating action on, and should not be interpreted as expected events, nor as events which have already occurred.

Summary of Results of the 2015 ERM Cycle

Following the 2015 ERA, LIPA has identified the following Key Risk Categories to the organization:

Outsource & Partnership Relationship Concerns

Description: LIPA and its external service providers need to perform at best-in-class levels to deliver on LIPA's mission, goals & objectives, and improve customer perception of the Long Island electric utility.

Risk Mitigation Activities: Maintain continuous oversight functions; participate in monthly PSEG-LI Scorecard Reporting meetings and PSEG-LI Monthly Management Board Review meetings; prepare audit universe as part of LIPA’s 2016 oversight activities plan.

Personnel & Human Resources Concerns

Description: Success of LIPA, particularly in its OSA oversight role, requires attracting and retaining qualified staff.

Risk Mitigation Activities: Create interim succession plan; implement utility industry training requirements and include as part of all employees’ 2016 performance evaluation goals; establish employee development program for continuous improvement; institute a competitive compensation program in 2016 to attract and retain qualified workforce.

Understanding & Delivering on Customer Expectations and Needs

Description: Customers’ desires for higher reliability and/or expanded distributed energy resources must align with the required infrastructure changes and costs. Improved emergency response is an important customer requirement.

Risk Mitigation Activities: LIPA and DPS annual review of the Emergency Response Plan (ERP) and contingencies; review of PSEG-LI reliability metrics, storm response and capital budgeting and capital development.

Summary of Results of the 2015 ERM Cycle

Following the 2015 ERA, LIPA has identified the following Key Risk Categories to the organization:

External Influences & Interests

Description: Relationships with key stakeholders are important in order for the organization to efficiently conduct business.

Risk Mitigation Activities: Oversight of PSEG-LI Public Relations programs; increase LIPA engagement with public stakeholders; implement focused Public Relations program and public hearings.

Cyber Security

Description: Properly secure key IT systems from outside attack or interference.

Risk Mitigation Activities: Cyber security audit; NERC CIP-5 rule compliance of PSEG-LI control systems and data networks; User Access process technologies; and LIPA and PSEG-LI review of cyber security insurance products.

Rate Case and Success of Financial Policy

Description: Rate case includes LIPA’s financial policy goals, which include improved credit ratings and achieving key financial ratios to reduce the cost of electric service for customers over time.

Risk Mitigation Activities: Rate plan filing included sound financial plan; communication with financial community; improved access to financial and operating data.

Summary of Results of the 2015 ERM Cycle

Following the 2015 ERA, PSEG-LI has identified the following Key Risk Categories to focus on, which will be monitored continuously by both organizations:

Managing the Utility in Compliance with the OSA

Personnel & Human Resources Concerns

Understanding & Delivering on Customer Expectations and Needs

Outcome of the Rate Case

Cyber Security

Regulations, External Influences & Interests

NOTE: The above are potential risk events which are deemed to be key to monitor and take mitigating action on, and should not be interpreted as expected events, nor as events which have already occurred.

Summary of Results of the 2015 ERM Cycle

Following the 2015 ERA, PSEG-LI has identified the following Key Risk Categories:

Managing the Utility in Compliance with the OSA

Description: The OSA must fairly and completely measure PSEG-LI’s performance. OSA metrics and goals may not remain relevant throughout the contract term.

Risk Mitigation Activities: On-going monitoring of performance metrics to ensure compliance with the OSA; periodic review of metrics to assure relevance.

Personnel & Human Resources Concerns

Description: Success of the organization requires the ability to attract and retain qualified, driven staff.

Risk Mitigation Activities: Leadership Risk Management; employee training and development; employment branding.

Understanding & Delivering on Customer Expectations and Needs

Description: Customers’ desires for improved reliability and increased renewable energy technologies must align with the required infrastructure changes and costs. Improved emergency response is an important customer requirement.

Risk Mitigation Activities: Customer communication; customer satisfaction initiatives; review of the monthly Scorecard Report and key operating metrics.

Summary of Results of the 2015 ERM Cycle

Following the 2015 ERA, PSEG-LI has identified the following Key Risk Categories:

Regulations, External Influences & Interests

Description: Relationships with all key stakeholders are important in order for the organization to efficiently conduct business.

Risk Mitigation Activities: Strategic staffing; increase engagement with planning committees for project development; focused Public Relations program geared towards community outreach.

Cyber Security

Description: Key IT systems may be susceptible to outside attack or interference. Systems may include business systems with non-public information or operations systems that would interfere with substations, power generation or T&D infrastructure.

Risk Mitigation Activities: Compliance with NERC Cybersecurity Standards; User Access processes and technology.

Outcome of the Rate Case

Description: The rate case may affect PSEG-LI’s ability to achieve its goals required under the OSA and LIPA Reform Act.

Risk Mitigation Activities: Daily rate case calls and activities; monthly Management Review Board meetings, monthly Scorecard Report meetings; 2016 O&M budget submittal.

Key Risks Comparison to Others in Utility Sector


Executive Perspectives on Top Risks for 2015*

Key Issues Being Discussed in the Boardroom and C-Suite

Energy and Utilities

Regulatory changes and heightened regulatory scrutiny

Economic conditions in markets we currently serve

Cybersecurity threats

Resistance to change

Succession challenges and ability to attract and retain top talent

LIPA has identified many of these risks for 2015

* Research Conducted by North Carolina State University’s ERM Initiative and Protiviti

Internal Audit/Review

Internal Audit’s Role:

Assess the appropriateness of the ERM Program Policies, Procedures and Controls Manual established by the ERMC

Determine the effectiveness of the processes used by LIPA and PSEG-LI to identify Key Risks and Emerging Risks

Perform an appraisal of the ERM processes in place at LIPA and PSEG-LI to measure, monitor, manage and mitigate Key Risks

Report observations to the F&A Committee no less than annually


ERM Cycle Areas of Improvement - Next Steps

Next Steps for ERM Process Improvement:

Continue documenting existing Risk Mitigation efforts taken by LIPA and PSEG-LI

Develop greater participation and communications across the entire staff at LIPA and PSEG-LI throughout the ERM process

Implement a continuous Risk Management-Risk Owner feedback mechanism:
– Has a Key Risk occurred? If so, was the Mitigation Activity effective in minimizing impact within the desired risk tolerance?
– Are there any new Emerging Risks that require the ERMC’s or Senior Management’s immediate attention?

Reach out to other Municipal entities to gain insights into other ERM programs; benchmark LIPA’s ERM Program

Monitoring and Reporting:
– Move from a manual process to an automated process by implementing ERM monitoring software
– Review reporting documentation needs and frequency across various levels of management up to and including the Board

Finance & Audit Committee - Next Steps

Next Steps for F&A Committee ERM Review:

LIPA Staff to reflect 2015 ERM cycle results in 2016 Goals and Operating Budgets

LIPA Staff to continually monitor Key Risks and/or Emerging Risks and periodically report back to the F&A Committee

Internal Audit will schedule a review of the ERM process and report observations to the F&A Committee

ERMC to meet with the F&A Committee during the 1st Quarter of 2016 prior to the kick-off of the 2016 ERM cycle

Appendix

ERM Risk Framework (Appendix Pg. 18)

Environment Risks: Customer Wants; Technological Innovation; Stakeholder Expectations; Capital Availability; Legal Environment; Regulatory Environment; Financial Markets; Catastrophic Loss; Asset Location/Community Concerns; External Influence & Interests

Process Risks:

FINANCIAL: Price; Interest Rate; Commodity; Basis Volatility; Liquidity; Cash Flow; Concentration; Commodity Volatility; Credit; Default; Concentration; Settlement; Rating

EMPOWERMENT: Leadership; Authority/Limit; Outsourcing; Performance Incentives; Change Readiness; Communications

INFORMATION TECHNOLOGY: Integrity; Access; Availability; Infrastructure; Cyber Security

GOVERNANCE: Organizational Culture; Ethical Behavior; Board Effectiveness; Succession Planning; Compliance

REPUTATION: Image and Branding; Stakeholder Relations

INTEGRITY: Management Fraud; Employee Fraud; Third-Party Fraud; Illegal Acts; Unauthorized Use

OPERATIONS: Compliance; Business Interruption; Service Failure; Environmental; Health and Safety; Transition; Performance Gap; Cycle Time; Supply Chain; Physical Asset; Reliability; Rate Case; Customer Satisfaction; Human Resources; Knowledge Capital; Efficiency; Capacity; Partnering

Information for Decision-Making Risks:

STRATEGIC: Environmental Scan; Business Model; Regulator Model; Business Portfolio; Organizational Structure; Measurement (Strategic); Resource Allocation; Planning; Life Cycle

PUBLIC REPORTING: Financial Reporting Evaluation; Internal Control Evaluation; Executive Certification; Pension Fund; Regulatory Reporting

OPERATIONAL: Budgets and Planning; Service Pricing; Contract Commitment; Measurement (Operations); Alignment; Accounting Information

ERM Program Timeline (Appendix Pg. 19)

ERM Activity | Responsible Party
Review / Revise Risk Framework | ERMC
Kick-off annual ERM effort at first F&A Committee Meeting; Summarize Prior Year Results | DRM; F&A Committee
Risk Owners to Complete Questionnaire; Follow-up Meetings (as needed) | Management; DRM
Risk Consolidation / Mapping | ERMC
Develop Risk Prioritization Meeting Presentation(s) | DRM
Risk Prioritization Voting Session(s) | Management; DRM
Analyze Prioritization; Identify Key Risks / Categories | ERMC
Identify Risk Owners; Prepare Risk Mitigation Worksheets | Management; ERMC
Risk Owners to Document Existing Risk Mitigation Processes | Risk Owners
Assess Existing Mitigation Efforts; Identify Gap Remediation | ERMC; Risk Owners
Identify Budgetary Requirements for New Risk Mitigation, and include in budget for next year | Risk Owners
Present ERA Results to F&A Committee | DRM; F&A Committee
Continued Monitoring of Risk Mitigation from Prior Year ERM | DRM; Risk Owners
Implementation of New Risk Mitigation (If no budget required; e.g., process improvement) | DRM; Risk Owners
Implementation of New Risk Mitigation (If incremental budget required) | DRM; Risk Owners
Routine Review of Risk Mitigation; Internal Audit Review of Key Processes | ERMC; Risk Owners; IA
Present Update on Risk Mitigation and Monitoring to F&A Committee | DRM; F&A Committee
Routine Communication between Risk Owners, ERMC, others | DRM, Risk Owners

(The original slide charts each activity against the months January through December; the month-by-month schedule is not recoverable from the extracted text.)

Newly Developed ERM Policy

Core Provisions of the Enterprise Risk Management Policy:

Mandates an annual effort to identify significant risks to achieving the mission, goals and objectives of the Authority, including those which are:
– Known to already exist
– Emerging risks which may be faced in the future
– Risks which affect LIPA’s service provider’s performance and fulfillment of contractual obligations

Incorporates a process for documenting existing risk mitigation for the most significant risks, and identifying if additional risk mitigation activities should be developed

New risk mitigation development will be tied to the Authority’s existing budget development process, so that if any additional risk mitigation is required, it can be appropriately budgeted and provided for

The most significant risks, and their corresponding mitigation efforts, shall be continuously monitored (year-round) for effectiveness of mitigation and to identify any changes to known risks

Policy requires regular reports on risk and risk mitigation to the F&A Committee

Risk Mitigation Monitoring Dashboard [In Development]

Risk Mitigation Monitoring (LIPA)

Category # | Risk Category | Total # of Risk Mitigation Tasks | Tasks Deemed to be Sufficiently Mitigating Risk | Mitigation Tasks with Room for Improvement | Tasks not Yet Assessed
1 | Outsource & Partnership Relationship Concerns | 0 | 0 | 0 | 0
2 | Personnel & Human Resources Concerns | 0 | 0 | 0 | 0
3 | Understanding & Delivering on Customer Expectations and Needs | 0 | 0 | 0 | 0
4 | External Influences & Interests | 0 | 0 | 0 | 0
5 | Cyber Security | 0 | 0 | 0 | 0
6 | Rate Case and Success of Financial Policy | 0 | 0 | 0 | 0
TOTALS | | 0 | 0 | 0 | 0