Article | Risk Management – Energy

3rd November 2021 Atheneum Team

Expert Profile

Role:

CIO Quality & Transformation Director

Organization:

EDF

Bio:

Ludovic is an engineering and IT specialist within the energy industry, with over 26 years of experience. His work is focused on translating business strategy into digital investment proposals, this includes creating the infrastructure supporting risk management systems. He has been involved and contributes to the creation of new processes and controls to secure operational decisions, management of EDF assets & transfer of information to inform short term risk management. In addition to his trading & operations risk management activities he is also a key figure in protecting EDF’s systems from cyber security threats.

Section 1: Current Approach to Risk Management

1.1. How does your industry frame risk management?

We have a risk management framework with some well-known policies, guidelines and instruction at the group level, for both risk management and internal control. The two are closely coupled. You cannot have a sound risk management if you don’t embed some internal control practices.

At group level, in terms of the organization, we have a risk management and internal control direction, as well as an audits department. At operational level and affiliates level the organization varies from dedicated points of contacts to small teams. For example, in some affiliates, we’ve got some small teams dedicated to audit risk and total control, that report to group level.

1.1.1. How have you approached uncertainty in the last 3 years?

It is interesting, because it touches upon regulatory risk, where the only traction you’ve got is through lobbying. And obviously there’s COVID, that came out of the blue, and I think very few companies were prepared and I’m not sure they even had this on their risk map.

I think the answer is twofolded. Utilities, they have a strong risk aversion, when you look at their business model it is low margin, high volume, and they want consistency. We also have some trading affiliates such as EDF trading, and there the risk appetite is different where they are after high volatility opportunities, and they want to seize opportunities.

The organization we have at EDF is as a utility, we’ve got a strong risk immersion. So, we want to control risk, minimize the impact, and put a lot of internal controls in place, whereas at a trading level, we are seeking volatility, because that’s where most income will come.

1.2. How do you detect the internal and external risks to your company?

We have a yearly process, a yearly review process, which is a mix of top-down and bottom-up. We incorporate some risk into our risk map, and there’s a yearly top-down process to review main risks.

We also have internal controls set for the assessment framework exercise that is conducted on a yearly basis, which is a bottom-up exercise where every single professional entities are asked to identify the existing or potential risks that either have materialized or not. And score them against the impact likelihood, and internal control levels in place. So, impact being ranked from one to five, the likelihood same, one to five, and the level of intolerant control from one to five.

If you’ve got no internal controls in place, that’s a one, and a strong, that’s a five. And then you come up with some risk, and at one stage, the bottom of the top-down exercise join each other. And there can be some updates and changes where some risks tend to decrease and others tend to increase.

Cybersecurity is considered as an internal and external risk. During COVID there was a surge in the cybersecurity risk. The amount of phishing attacks increased by 700%; ransomware 250%. And obviously, because we were all confined and working from home, this has also opened some vulnerabilities for hackers. I’d say it’s really high on our IT operational risk maybe the highest one. So far we’re coping quite well at EDF, there’s a good risk management in place. We haven’t faced any materialization of this cybersecurity risks that impacted our teams or operations.

1.3. What are the best practices for determining risk appetite?

Usually you look at KPIs such as the VaR, value at risk and past volatility, and usually there’s a framework in place where the value at risk is the indicator that is being looked at by the middle office team. What the traders wants is to keep their position open the longest they can. But then at one stage the VaR is being looked at, and the middle office can ask them to close their position.

There are some margin credit risks, cash risk related to the margin calls, but that’s more dealt with by the treasury and credit risk department. I’d say the value at risk is that the main KPI, and then the treasurer and credit department will look at the credit risk and the cash risk with the margin calls.

1.3.1. How is risk adverseness integrated into your company culture?

It stems from our core business, to produce electricity from power plants. You don’t want to the materialization of any nuclear hazards or nuclear events. And that’s the same for the hydro power plants. So our core business is around production and distribution and transmission of electricity. And there are some industrial risk or hazards. By essence, what you want is this hazards not to materialize. That’s strongly embedded in our culture.

1.4. What does your decision-making process for responding to risks look like?

1.4.1. Operational Risk

When it comes to an operational risk that we know we’ve analyzed and identified, we’ve usually got some response and action plans already in place. Let’s say, we have an issue on one part for nuclear power plant. The script is already written. It’s already in the playbook.

We know what actions need to take place. The organization is in place, the response is very quick in practice. I’d say that covers all the industrial risk that are part of our core business industry.

1.4.2. Unknown Risk

The second leg is the unknown, like the COVID and the Russian surge in energy prices. There, I think we are a bit more naked. And I think that we’ve seen, what I’ve seen is an EDF much more agile than in the past.

We had to be agile, which is, I think, a new way to respond. And it’s not in the playbook, so we need to be inventive and creative. We need to find ways to save circumvent the risks that have materialized. And that was interesting to see the way people responded, especially at management level. It was quite obvious also from a remote working perspective, our management team was quite reluctant before the COVID, to see remote workers.

I think that there’s a need to put more agility in the way we manage risk, especially when they materialize. We need to build more resilient organizations because I think that’s the future for risk management, especially with climate change as well, when it comes to some weather hazards that we will face. We need to have some resilience risk management organization in place.

Section 2: Building Blocks for Dynamic Risk Management

2.1. What are your ambitions for the future of risk management?

I think there will be some emphasis on the weather related risks, because we could easily see further flooding. So that means we need to be really cautious to plan correctly for all our hydro power and dams. We may need to review some scenarios or options, when will go beyond the normal.

Additionally, with weather, because we manage hydro power and nuclear power plants, we need a sustainable source of water. When we’ve got really dry and hot summer periods, the amount of water that flows in the rivers tends to decrease and the temperature can go higher. That can put a lot of stress on the nuclear energy segments for the nuclear plants that are close to rivers. We’ll need to stress test using some new scenarios.

When it comes to energy prices, obviously we’ve seen a surge in gas prices. We’ve seen a surge in coal prices. I think here, we have a long position at EDF. So, it’s obviously, and we’re less impacted, much less than some other countries that use a lot of gas, for example. I think that here we’re on the safe side for the time being.

I think there’s a need to set up or put in place a task force or an organization that can easily step in and access the right skills and the right people organization, to be able to respond to any kind of event. I think this kind of agility and resilience with the ability to call the right people in the organization, and enable them to easily organize themselves and managing the risk which is orientated in a way to come up with solutions and response. To me, that’s paving the future.

2.2. How will technology play a role in contributing to your risk strategy?

We need to make sure we make the data available to the business lines so that they can build the right risk scenarios. When I look back at COVID, we were looking at curves or charts. To me the data will play a really important role, and so, making sure that we retrieve the correct data to make the informed decisions is key.

This also puts us in a position to set up instruments to retrieve the correct data, even in open fields. With Covid, at first, we didn’t know what was coming, and then we started to put tests in place, and then vaccines. And we were looking at charts for the amount of people being infected, and then the amount of people that received the jabs. I think the data would be key.

We have a business model, which is risk averse. And the risk aversion comes with the reluctance to use bleeding edge technology. I think that the future will be electric. The future will be digital. And we will see a huge change coming with the 5G, IOT, blockchain, and quantum computing. It is unknown how prepared we are for these changes.

2.3. Why is it important to transform your culture in creating dynamic risk management?

The risk map of tomorrow will not look like the risk map that we’ve worked with for the past 50 years. When the team responded to Covid, the response was not in the playbook. We had to face some hazards or events that we were not prepared for. So the solution had to come from intelligence and not from book chapters. People are at ease, and employees now have greater confidence in management.

To improve agility, I would recommend to look at two things.

(1) recognize the importance of data. Because you will need data when something new comes up, you don’t know what the size and shape is that. So, I think we need to quickly put in place some task force that can retrieve the rights and correct data from which we will derive the right decision.

(2) how do we ensure that we know where the skills are? I’ve been working for EDF for more than 25 years. I’ve occupied several positions. I’d say that I’m quite knowledgeable on optimization and trading when it comes to electricity to IT. And I’ve got a good understanding of risk management, internal control. Tomorrow we will need to quickly be able to find the right people in the organization to help solve the problems caused by risk. To identify the right skills and competence within your organization. Because at EDF, we’re talking about 160,000 people.

2.4. What are the barriers to rapid decision making in your industry?

It’s just people need to taste it. They need to like it, and like it more. And it’s just a matter of finding the right opportunity to let people savor the taste of agility. It’s something new, I think in IT, we were prepared when COVID came. We were prepared because we’ve been in a culture with development teams working in different locations. We were prepared because we knew our network was resilient. We were prepared because agility is something we deal with on a daily basis when it comes to building a project.

But let’s say you pick up someone in HR, or someone in finance that hasn’t had the opportunity to work on an agile project. So, once he joins in agile team and understand what a MVP is, a product owner, a sprint, then you will understand the philosophy behind it, and people will start liking it. And he will quickly move into a much more agile position.

Cookie	Duration	Description
__hssrc	session	This cookie is set by Hubspot whenever it changes the session cookie. The __hssrc cookie set to 1 indicates that the user has restarted the browser, and if the cookie does not exist, it is assumed to be a new session.
_GRECAPTCHA	5 months 27 days	This cookie is set by the Google recaptcha service to identify bots to protect the website against malicious spam attacks.
cookielawinfo-checkbox-analytics	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Analytics" category .
cookielawinfo-checkbox-functional	1 year	The cookie is set by the GDPR Cookie Consent plugin to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Necessary" category .
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
JSESSIONID	session	The JSESSIONID cookie is used by New Relic to store a session identifier so that New Relic can monitor session counts for an application.
viewed_cookie_policy	1 year	The cookie is set by the GDPR Cookie Consent plugin to store whether or not the user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__hstc	5 months 27 days	This is the main cookie set by Hubspot, for tracking visitors. It contains the domain, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_27C9YQ1ZGC	2 years	This cookie is installed by Google Analytics.
_gat_gtag_UA_66666848_1	1 minute	Set by Google to distinguish users.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
AnalyticsSyncHistory	1 month	Linkedin set this cookie to store information about the time a sync took place with the lms_analytics cookie.
hubspotutk	5 months 27 days	HubSpot sets this cookie to keep track of the visitors to the website. This cookie is passed to HubSpot on form submission and used when deduplicating contacts.
ln_or	1 day	Linkedin sets this cookie to registers statistical data on users' behaviour on the website for internal analytics.
vuid	2 years	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos to the website.

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
__hssc	30 minutes	HubSpot sets this cookie to keep track of sessions and to determine if HubSpot should increment the session number and timestamps in the __hstc cookie.
bcookie	1 year	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
bscookie	1 year	LinkedIn sets this cookie to store performed actions on the website.
li_gc	5 months 27 days	Linkedin set this cookie for storing visitor's consent regarding using cookies for non-essential purposes.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.

Risk Management – Energy

Interview Transcript