Energy Risk High-Level Objective – Manage the firm’s risks and understand the drivers of...

Energy Risk Conference

ERM – A Holistic Approach to Assessing And Monitoring Risks

May 16, 2012

Agenda

1. Establish a Risk Management Vision with Top-Down Support
2. Bottoms-Up Design to Reinforce Company Corporate Values
3. Convergence of Functional Groups in Risk Assessments
4. Risk Appetite and Integration into Strategic Planning Process
5. Communication of Top Risks, Emerging Risks and Strategic Risks
6. Resiliency/Sustainability: The Importance of How We React
7. Risk Pricing/ Risk Capital
8. Everyone is a Risk Manager

Goals of Risk Management

• Vision – Develop an industry leading discipline and be a valued partner to the business, driving a culture of accountability for all employees, while striving to protect the company within a defined risk appetite; seek to exhibit a proactive approach to optimizing risk and reward
• High-Level Objective – Manage the firm’s risks and understand the drivers of earnings volatility in order to add shareholder value and, in turn, increase shareholder returns
• Processes and Governance – Provide appropriate controls and ongoing management of major risks in our business activities, creating risk awareness and personal accountability for risk-taking
• Detailed objectives align with the vision
• Traditional risk management focuses primarily on market and credit risks; however, Constellation’s risk management approach assesses risk across a broad risk framework, including contingent liquidity needs, safety risk, cyber-security risks and people risks

Risk Management assesses and links risks to business activities in a proactive and methodical manner to optimize risk, levels of control and business returns

Top Down Support, Organizational Alignment and Risk Culture

[Organization chart labels: Board of Directors; CEO; Chief Strategy Officer; Chief Risk Officer; General Counsel; Corporate Affairs; Chief Human Resources Officer; Chief Financial Officer; Operating Company Heads]

Company management establishes strategy, business plan and risk appetite. The Board of Directors is responsible for risk oversight of the Company’s activities. The Board approves the risk appetite and authorizes management to establish risk policies and limits.

ERM Design to Reinforce Company Corporate Values

• Accountability
• Customer Commitment
• Enterprise Thinking
• Teamwork

ERM drives the integration of risk management into management decision-making and promotes a culture of business ownership while simultaneously ensuring compliance with industry and company standards

Standard Language Risk Framework

Risk Framework categories: Liquidity, Market, Credit, Operational, Environmental, Business & Strategic, Reputational

Framework Definitions

• Liquidity: Ability to generate or obtain sufficient cash, in a timely manner, to meet demands as they arise (expected and unexpected)
• Market: Potential loss arising from adverse movements in external market variables
• Credit: Risk of loss inherent in business segments, resulting from counterparty failure, decreased creditworthiness, and poor performance
• Operational: Risk of loss from inadequate or failed internal processes, people, financial reporting, systems, or external events
• Environmental: Risk of loss and associated harm due to the company’s interaction with the environment
• Business & Strategic: Risk of unsuccessful performance due to potential threats, actions, or events adversely affecting the organization’s ability to achieve its objectives
• Reputational: Potential negative publicity regarding business practices, regardless of validity

Risk types shown in the framework: Settlement Risk, Counterparty Performance, Supply Chain, People, Process, System, External, Unethical Behavior, Crisis Management, Association Risk, Corporate Funding, Collateral Requirements, Contingency Funding, Market Factor Sensitivity, Volume Risk, Market Liquidity, Investment Performance, Non-Compliance, Environmental Impacts, Environmental Positioning, Law Changes, Industry Changes, Demand Changes, Competition, Political Risk, Financial Reporting

A company focused on strategic risk management constantly assesses risk factors across multiple time horizons to ensure they reflect business realities

• Use a standard language to create consistency in language, processes and systems used for capturing risk information and a consistent approach to business unit risk control self-assessments with common taxonomies, evaluation criteria and a central data repository
• The common framework approach enables each business and functional area to manage their own
• Enterprise-wide standard hierarchy and pre-defined libraries in a common system enable data aggregation for clear, concise management reporting

Bottoms-up Risk Assessment of End to End Business Process

[Diagram: Operational Risk Processes. Section labels: Risk / Control Self Assessment, Key Risk Indicators, Loss Data. Stage labels: Business Process, Pre-work, Workshop, Monitor & Report. Step labels: Identify key business processes; Identify risks; Rate risk probability; Rate risk impact; Calculate overall risk level; Categorize risks as critical, radar or watch; Assign risk owners; Identify current controls; Rate control effectiveness; Rate control importance; Develop action plan; Assign control action plan owner; Assess $ impact of new investment; Develop metric(s) to monitor effectiveness of each control; Collect data; Set threshold(s); Define loss data; Collect loss data; Report]

• The initial phase of the Integrated Risk Assessment (IRA) is the Risk and Control Self-Assessment (RCSA)
• A Risk Control Self-Assessment (RCSA) process creates a mechanism where each business unit and functional group identifies key processes, and the risks that impact those processes
• Each risk is assigned a probability and impact rating. Each risk is linked to mitigating controls and each control is regularly evaluated for effectiveness

IRA process clarifies key business processes, risks and controls ownership

Risk Governance

• Create a top down and bottoms up approach to shifting the culture of risk identification and management throughout the enterprise:
o set the tone at the top via an Integrated Risk Executive Steering Committee
o incentivize employees to do the right thing and make risk-informed decisions
• Educate individuals across the company to take responsibility for risk management, understanding how their risks aggregate, and how to take the appropriate steps needed to bring risk levels to acceptable levels
• Improve enterprise risk through enhanced communication and making information more readily and efficiently available
• Integrate risk assessment into management decision-making while simultaneously ensuring compliance with industry and company standards

Role / Process / Output

Board of Directors
• Review & assess changes and outputs
• Improved understanding of the Company’s risk profile
• Provide risk appetite

Management Committee
• Perform priority risk assessment
• Own priority risks of the company
• Common vocabulary and assessment of risk
• Risk based Corporate Audit plan
• Insurance evaluations

Risk Committee
• Prioritize risks in business units
• Business and functional support Priority Risks

Risk Management Group
• Measure, aggregate and report operational risks
• Risk capital
• Standard reporting

Business Units and Functional Support
• Risk and control self-assessment
• Metrics
• Loss event data
• Risk register
• Business-owned risk & control self-assessment
• Action plans

[Diagram labels: Top-Down Approach, Bottom-Up Approach]

Convergence of Functions in Support of “Risk Assessment” in Business Process

Challenges

• Each business unit had its own risk and control terminology
• Control functions duplicated efforts by reviewing similar, if not the same, risks and controls
• Risks were highlighted based on business unit versus corporate impact
• Large data sets needed to be merged at various levels of granularity
• Different systems housed control information
• Silos had the potential to continue to exist

Constellation rapidly transitioned from a siloed and fragmented functional structure to an integrated business model requiring a new standardized risk framework to enterprise risk management

Risk Appetite and Integration into Strategic Planning Process

[Diagram step labels (numbered 1 to 6 on the slide): Management Committee Agrees on Risk Appetite; Management Committee Agreement on Strategic Direction; Business Dreaming Session; Business Unit Articulation of Viable Initiatives; Risk Management Highlights Potential Risks of Offerings; Business and Functional Groups Assess Controls. Phase labels: Assessment, Articulation, Action. Other labels: Risk Identification, Risk Assessment, Risk Balancing, Risk Limits, Risk Control; Strategic Plan, Capital Allocation, Results]

RISK APPETITE

• What risks can I take?
• How much risk can I take?
• Who is willing to take the risks?
• When do we take the risk?

Functional support areas play a critical role in evaluating a company’s strategic risks

Communication of Top Risks, Emerging Risk and Strategic Risks

To build and maintain an effective risk management framework, a company must continuously evaluate the risk landscape

• Top risks are highlighted to ensure that executive management is focusing on the priority risks to the company
• Emerging risks are identified based upon new systemic, political and market factors, as well as other current events
• Strategic risks assess underlying emerging and systematic risks incorporated in the strategic plan that could derail the strategy and business plan

By understanding the enterprise risk factors, a company can develop strategies to optimize controls, improve performance and reduce the negative impacts to the business

Resiliency/Sustainability: The Importance of How We React

[Diagram: Risk Framework. Categories: Liquidity, Market, Credit, Operational, Environmental, Business & Strategic, Reputational. Risk types: Settlement Risk, Counterparty Performance, Supply Chain, People, Process, System, External, Unethical Behavior, Crisis Management, Association Risk, Corporate Funding, Collateral Requirements, Contingency Funding, Market Factor Sensitivity, Volume Risk, Market Liquidity, Investment Performance, Non-Compliance, Environmental Impacts, Environmental Positioning, Law Changes, Industry Changes, Demand Changes, Competition, Political Risk, Financial Reporting. Additional label: Information Security]

Disaster Risk Framework

| Incident (Cause) - Examples | Impact (Effect) |
| --- | --- |
| Fire, Hurricane, Utility Outage, Workplace Violence | Loss of Building |
| Datacenter / Network Failure, Cyber Attack | Loss of Technology |
| Pandemic / Health Crisis, Management Committee Compromised | Loss of Personnel |
| Plant Explosion, Nuclear Accident, Coordinated Attack on Electric Grid | Loss of Critical Infrastructure |
| Fire at Supplier’s Only Production Facility | Loss of Critical Materials / Services |
| Major Hazmat Leak into Chesapeake Bay | Environmental Disaster |

Highlighted “impacts” fall within the scope of the Business Continuity program

Operational Risk Framework

• People
o Employee fraud
o Inadequate people resources
o Employee disputes
o Aging workforce
• Process
o Contract
o Documentation
o Model
o Change management
o Client & service interaction
o Transaction process failure
o Physical security
o Safety
o Reliability
o Compliance
o Privacy and confidentiality
o Business continuity
o Financial Reporting
• Systems
o Plant Assets
o Information security
o Systems
o Hardware
o Software
o Communications
o Interfaces
• External
o Disaster
o Outsourcing/third party
o Customer/counterparty fraud
o Stakeholder actions (e.g., labor union, rating agency)

The Disaster Risk Framework recognizes various types of incidents (cause) while emphasizing that emergency response focuses on the impact (effect)

Pricing Risk in Customer Transactions

[Chart: Retail and Wholesale Gross Power Margins]

Risk Capital Framework

Capital Adequacy
• Show balance sheet is consistent with target credit rating and Company’s risk appetite
• Potential use in discussions with rating agencies

Pricing & Profitability
• Price all risks taken
• Compare profitability of investments using a coherent metric
• Determine “true” value added
• Identify portfolio synergies

Performance Measurement
• Measure performance relative to risk taken by / allocated to businesses and individuals
• Identify risk-adjusted value added

Appropriate Risk Pricing Drives Financial Performance

Risk-based metrics complement the financial metrics and help protect the company against adverse events by measuring potential losses, capital and liquidity adequacy. Risk adjusted returns help to incorporate risk charges into transaction pricing

[Diagram: Company Performance, surrounded by four groups of metrics]

• Corporate Risk Metrics: Capital Adequacy, Liquidity Adequacy, Economic Value Added/RAROC, Credit Exposure, RnF@Risk
• Business Financial Metrics: Gross Margin/Earnings, Cash Flows, NPV, IRR, Business Growth Metrics
• Business Risk Metrics: Transaction RAROC, Risk Adjusted IRR, Business Portfolio RAROC, VaR/GMaR, Credit/Liquidity Risk Metrics, Return on VaR
• Corporate Financial Metrics: EBIT/Earnings per Share, Return-on-Equity, FFO as a % of Net Income, OpEx as a % of Gross Margin, Credit Rating

Risk Integration Benefit

Consolidation of financial reporting risks for SOX 404. Ability to perform control testing and evaluation, and to issue/action plan management

Risk aggregation of risk and controls for regulatory reporting

Risk assessment for applications and infrastructure/disaster recovery/cyber security

Identification and documentation of environmental risks and exposures. Consolidated metrics reporting

Leverage risk assessment results for business plan assessments of risk identification completeness and adequacy of plans to enhance controls or the risk acceptance

Integrated risk identification, issue/action plan management, and loss event data management

Automates manual processes and disparate systems/websites. Also reduces inefficient communication traffic

Everyone is a Risk Manager

• Businesses and functions are responsible for identifying risk and controls in business activities
• A common system for risk data capture ensures that consistent processes and data sets are captured using a common vocabulary of risks and controls

[Diagram labels: Business & Functions; Business Process; Risk Controls; Enterprise Top Risks; Audit Plan Priorities; Board and Management Communication]

Business is the First Line of Defense in Risk Management

Enterprise-Perspective & Business-Aligned Risk Management

[Diagram: Lines of Defense 1, 2 and 3. Row labels: Business Segments, Business Cycles, Key Controls, Control Groups. Business labels: Generation, Wholesale, Retail, BGE, Corporate; Asset Management & Development Intensive Business; Market Optimization Intensive Business; Customer Relationship Intensive Business; Risk Liaisons. Cycle labels: Business Strategy and Planning; Business Process and Execution; Continuous Evaluation; Validate/refine strategy; Re-allocate capital/limits. Control labels: Capital, Limits, Policy, Procedures, Reporting, Analysis. Group labels: Risk Management; Market Risk, Credit Risk, Operational Risk, Risk Capital, Liquidity Risk, Strategic, Reputation; Legal, Regulatory Compliance, Environmental Audit, SOX, NERC, Middle Office; Corporate Audit: Control testing, 9-month rolling audit plan, Process & control consulting; Risk and Control Self-Assessments; Control Environment]

Bulleted items in the diagram:

• Risk Factor Identification
• Oversight of Risk
• Integrated Risk Assessment
• Risk Systems and Standards
• Fraud Risk
• Policies and Procedures
• Financial Performance Risk
• Risk Metrics
• Liquidity Evaluation
• Portfolio Analysis
• Transaction Analysis
• Portfolio Management and Trading Limits
• New Product Review
• Credit Review
• Credit Workout
• Risk Measurement
• Risk Monitoring and Reporting
• Risk Mitigation