IT Risk Management and Trading Organizations

Albuquerque, 10 August 2009

"Risk Management" is a broad term used to describe the practice of identifying, measuring, and mitigating any number of unforeseen events that may negatively impact an organization. These events can relate to virtually anything, from natural disasters, malicious acts, market changes, accidents, and equipment failure, to just plain old acts of stupidity by an employee. 

Risk management is practiced in some form by virtually every business enterprise and is, in many cases, specialized in its application to suit a particular business unit, function, or exposure—operational risk management focuses on preventing or mitigating equipment or employee failures; financial risk management looks at those risks that might impact an enterprise's finances, including credit, interest rates, and currency exposures; environmental risk management focuses on preventing or limiting a business's negative impact on the air, ground, water or people; and the list of specializations could go on and on.

One area of risk management that has received increasing attention over the last several years, primarily due to high-profile failures that impacted potentially millions of people, is information technology or IT risk management. We've all seen the numerous news stories of IT security breaches that have exposed millions of consumers to potential theft of valuable financial and personal data. It's these events that have really crystallized the practice of IT risk management and have brought increased attention to the position and its role in the identification of potential risks to the security of electronic data and information related to the enterprise and its clients.

Probably most familiar, or at least most interesting to many readers of UtiliPoint's IssueAlert, is the practice of commodity or energy trading risk management. As the name explicitly denotes, risk management in this context refers to the specialized and structured approach of identifying, evaluating and managing commercial exposures, including and primarily future price movements that might negatively impact the organization's commodity positions. Most companies of any size that transact in energy commodities practice this form of risk management, either explicitly, with some individual serving in the titled role of Risk Manager, or implicitly, in which the traders practice risk management techniques via price hedging in order to limit their possible downside on a physical trade or position.

A New Role for IT Risk Management?

Information technology groups have, of course, always been an important component of all trading organizations, ensuring the right systems are in place and are properly maintained and available. Less common has been the active involvement of IT risk management in developing policies and procedures that impact the commercial activities of the energy commodity trading organizations. In this role, IT is not merely acquiring, maintaining and securing trading systems; they are, in cooperation with the business unit, actively managing the risks associated with the technology infrastructure utilized by energy traders. While the number of companies that have embraced this level of involvement from their IT organizations is still somewhat limited, at CommodityPoint we are seeing a growing influence by IT risk management within some organizations, particularly in those companies that hold generation assets.

NERC CIP standards around cyber security are forcing generation owners to look closely at their IT infrastructure and ensure that they are in compliance with the various standards mandated by NERC/FERC, as their exposures for non-compliance are huge, with penalties up to $1,000,000/day. Given this level of exposure, these organizations are making significant investments in systems and personnel to ensure compliance. Having made such investments, including in the area of IT risk management, these companies view that investment as an opportunity to leverage those assets across the wider organization, including applying a more formal approach to managing the infrastructure risks within their trading organizations.

Some of the areas in which we are seeing a more active role on the part of IT risk managers include development of policies around the various trading channels in use, including telephones, on-line exchanges and instant messenger. The involvement of IT risk management in the development of trading policies relates to the security and auditability of the information exchanged in consummating trades—that is, for each of these various channels, is there a mechanism in place to record that transaction and are those records secure, retrievable and auditable? For example, if it's the corporate policy that all trades must be automatically recorded in some electronic format, the IT risk manager may dictate, in cooperation with trading management, that no deals may be made via cell phone (as a cell conversation cannot be automatically recorded). Or, if a trade is conducted via instant messenger technology, the IT risk manager may dictate which technology or product may be used, as one may be determined to be less secure or less auditable than another.

Another area in which we are seeing a more active role by IT risk management is in the development of policies and procedures as they relate to the use of energy trading and risk management (ETRM) systems. Increased regulatory reporting requirements such as Sarbanes-Oxley and FERC Order 552, combined with potential new intervention by the CFTC, have brought and will continue to bring increased scrutiny to the business practices of trading shops. These new regulations implicitly require that trading systems not only capture deals and manage positions, but also be capable of providing full audit trails for all transactions and provide for the complete accounting and reporting of historical and future positions. Other aspects of ETRM system usage impacted include the necessity to ensure that access to critical or sensitive information is properly limited, and that any interfaces to external systems, such as the trading exchanges or price feeds, are appropriately managed and secured. IT risk management's involvement in this environment is to ensure the ETRM systems and the policies governing their use are adequate to minimize the exposures associated with the various regulatory mandates.

Is This a Lasting Trend?

While IT has always played a significant role in trading shops, this new role in setting policy clearly marks a new level of involvement in the trading function. Such a role by IT could not exist without the mandate of senior management and cooperation within the business unit. And while, as previously noted, the trading shops where the IT risk management function is most involved are primarily those with associated generation assets that fall within the purview of NERC/FERC, given the potential exposures associated with the ever increasing use of technology in energy trading shops, it's certainly plausible that IT risk management's influence will continue to grow across energy trading organizations, particularly as new trading regulations emerge. Undoubtedly though, that level of involvement will be dependent upon a thorough evaluation of the potential cost of the exposures versus the cost of any limitations that might be subsequently placed on the commercial activities of the trading units.

Ends --

By Patrick Reames, Vice President TRM - CommodityPoint 
