Powering Strong Communities

Staying Ahead of Emerging Risks

There are plenty of scenarios that could keep a utility employee up at night – what if one of the utility’s networks is attacked by a cyber criminal? What if someone tries to vandalize a substation? What if the winter storms keep getting more severe?

The alternative to mounting anxiety about these issues is risk management. Beyond simply detailing plans for what to do after an event, risk management is a process that helps an organization understand the full set of potential threats to every part of its business and decide how much consequence it is willing to tolerate if a given threat is left unaddressed.

As utilities need to be prepared for a wider range of potential disasters, more utility employees are getting looped into the process to ensure a more comprehensive, proactive, and actionable approach.

Knowing the Threat Landscape

To maintain a continuous discussion about risk management, the American Public Power Association, through support from the Department of Energy, convened a Risk Management Working Group with public power professionals from across the country. The group began its work by developing a series of case studies that outline the major risks facing utilities and strategies to respond. The resulting documents, which are forthcoming as of this publication, cover the basic threat landscape for public power and walk through what potential strategies could help reduce those risks. The cases tackle three topics: a cybersecurity incident, flood risk, and physical threats to the grid.

Tom Spencer, the New York Power Authority’s senior director of enterprise and operational risk management, who co-leads the working group’s development of the case studies, said that the cases were selected to reflect the broad array of risk areas that are of greatest concern to the public power community.

The idea, said Spencer, is that “individuals could see how these case studies could tie into their day-to-day operations,” so that if disaster happens, there is a ready answer to “What do you need to do?”

In addition to offering scenarios for utilities to work through, Spencer said the idea was to include information to give people a “big picture view” of the scope of the potential risks, rather than just a “slice.” It also allows public power utility leaders to leverage the experience of other public power utilities.  

The biggest challenge in developing a uniform risk management program for public power utilities, said Spencer, is that they have different levels of maturity in their risk management programs and use different technology to manage risk. As an example, at NYPA, his team has an internal enterprise governance, risk and compliance system that helps manage risk across the organization, whereas he recognizes other utilities might use spreadsheets for similar purposes.  

“Given the differences in maturity levels, but similarity in many risks, we attempted to provide a wide spectrum of solutions,” he said.

Rapid Change, Rapid Response

As risks evolve, the need for risk management has only grown. Being able to respond quickly isn’t the sole reason to plan ahead. The complexity of some risks means that more stakeholders, inside and outside the utility, need to be engaged to make risk-informed decisions.

“We’re great at responding to storms or events that happen,” said Toni Hoang, enterprise risk manager at the Sacramento Municipal Utility District in California, but the increasing frequency of events requires a fresh look at how the organization and community can be affected. Hoang co-chairs the risk management working group along with Spencer.  

Hoang said that SMUD had nine atmospheric systems come through its service territory in the last year, and the storms interrupted “normal business” for the community.

“A lot of utilities are seeing more frequent and severe weather events; taking a more strategic, risk-based approach to addressing these vulnerabilities is of substantial value to any organization,” she said.

Hoang said that utilities have also been increasingly looking at how different communities might be more vulnerable to natural disasters, such as wildfires, and how that can impact day-to-day operations.

Utilities shouldn’t only see risk in the form of damage to parts of the electric system or business networks. Other challenges, from volatile energy prices to supply chain constraints, can exacerbate risk and disaster events. Understanding the interdependencies of these risks can help organizations to better prevent or be more prepared for risk events, noted Hoang.

The current pace of change and innovation raises the potential for risks to materialize, said Hoang. She defined risk management as a framework for identifying, assessing, tracking, monitoring, and communicating risks. An enterprise risk management program can help increase awareness of business risks across an entire organization, instill confidence in strategic objectives, improve compliance with regulatory and internal mandates, and enhance operational efficiency through more consistent application of processes and controls. Risk management is also important in providing assurance to governing boards, credit rating agencies, insurers, and others that the organization has a process in place to manage and communicate risks appropriately.

Hoang noted the increasing resource constraints in the utility sector on multiple fronts, including workforce, financing, and equipment. While utilities have always been under pressure to do more with less, she said that recent events have ratcheted that pressure even higher: utilities are being asked to make more changes and updates while having fewer resources at hand than in previous years. Enterprise risk management can help inform the decision-making process. Integrating it with business planning and strategy allows an organization to take a risk-based approach, focusing on the highest areas of risk and allocating resources to the parts of the organization most in need of them in light of the organization’s strategic goals and objectives.

“SMUD takes a risk-based approach in prioritizing capital spending,” said Hoang.

“If you look at [the North American Electric Reliability Corporation], their models are changing to a more risk-based approach to compliance,” said Hoang. “They are understanding that they themselves and utilities have very limited resources, and that when there are limited resources, we look to leveraging a framework that helps to manage risks holistically and allows us to prioritize and address the highest impact, highest probability risks to the organization first.”

Another risk-based framework comes from the National Institute of Standards and Technology, or NIST, which publishes cybersecurity standards and guidance, including the NIST Cybersecurity Framework.

Although a variety of entities have adopted a risk-based approach and mindset, Hoang noted that no specific policy pushed utilities to take this approach; it comes down to whether a utility or organization wants to be more proactive in understanding and recognizing risks.

As a parallel, she gave an example of how SMUD had developed a telework policy prior to the pandemic. While employees hadn’t really put the policy to use in advance of the pandemic, having already had the policy, procedures, and technology in place made it fairly smooth for workers to transition into teleworking.

Evolving with Risk

“Risk evolves and our mitigation efforts have to evolve with that risk,” noted Spencer.

Spencer said utilities should emphasize the process, rather than specifics, since risks change from region to region. He said that the five-step risk management lifecycle — identify, assess, respond, monitor, report — involves fairly uniform activities that could apply to different situations.

“Whether a wildfire or cyberattack, we all have some type of risks that we face,” he said.

“Who needs to be involved has not changed, but who’s wanting to be involved is changing,” said Hoang. She theorized that’s because of the rapid rate of change affecting many areas at once and because technology connects more people and pieces of the utility than before.

That involvement needs to start with utility executive leadership.

“When your management and leadership teams emphasize risk management as part of the decision-making process, you will have more successful outcomes,” said Spencer. He noted appreciation for NYPA’s leadership’s attention to risk. “We have a risk management slot at every board meeting, which sends a message that risk is important.”

“A lot of organizations don’t understand how important risk management is until a risk happens. And then, they ask, ‘What should we have done?’” said Hoang. One common answer is that risk management should be integrated as a function throughout the entire organization. Her role is focused on working out how risk management can be integrated into everything from business planning processes to strategy development and compliance work.

A part of getting everyone involved in contributing to risk management is to run preparedness exercises.

“We run tabletop exercises all the time on a number of different scenarios, and different scenarios happening collectively. So, not just a wildfire, but a wildfire event with a cybersecurity event and physical security breach,” said Hoang. “We do that with both internal and external players so that we all as a community have a good understanding of how we will respond and how we can prevent and plan for potential future event(s).”

Exercises not only help utilities to think through various risks and plan for a variety of contingencies, but also help people to become comfortable with risk management concepts.

Continuing the Conversation

The case studies are a first step in helping public power providers to better understand the risks associated with running a utility in this era. The next step for the working group will be to develop practical tools that will help public power providers identify, prioritize, and address the risks facing their utility.

For Spencer, the key is that there is now a year-round community of public power professionals focused on risk management.

“It’s a credit to APPA for recognizing that there was a gap in risk management support. We talked about risk management at conferences, but the conversation didn’t really continue in a formal manner,” he said. “We took the initiative to start the Risk Management Working Group and are now formalizing a structure around it. I’m looking forward to continued involvement and keeping the momentum rolling.”

He encouraged those who are not yet involved in the working group to either join in the conversations or ask working group participants for information and advice. He also said he hopes members will follow up after reading the case studies to note any areas for improvement and provide feedback on other information and tools they can use in their day-to-day work. One potential venue for sharing this information is on APPA’s risk management online community group, which will roll out in 2024.

“We all have very similar risks. How we react to it or mitigate it may be very different, but there’s always lessons to be learned from other organizations,” said Hoang.

Ultimately, proactive risk management is about helping utilities make the communities they serve as resilient as possible.

After all, “without the community, the utility serves nobody,” added Hoang.