Risk Management: Asking Today's New Questions
McGraw-Hill Homeland Security Summit
C. Jeffery Triplette
Vice President, Risk Management Services
In the aftermath of 9-11, a number of industries found themselves on the risk management radar screen—either with regulators, or the public at large.
Nuclear power plant operators grabbed a lot of attention.
Companies that operated gas pipelines or other energy infrastructure were suddenly on the radar screen.
Also, companies that operated telecommunications infrastructure—such as fiber optic cable.
Then, there were companies that operated overseas. And, of course, companies that had prominent headquarters sites in urban areas.
A number of companies met one or more of those criteria. Very few companies met all of those criteria. Except—maybe the company I work for—Duke Energy.
Duke Energy owns and operates energy infrastructure all over the world—from Australia to South America to Western Canada—and throughout the United States. The good news is that—over the years—Duke Energy has been focused on risk management. Much good work had been done. Many good plans were in place—and these plans had been put to the test a number of times. We were diligent in going back and fine-tuning our plans afterwards. Overall, we had done all of the right things.
But 9-11 gave us something new to think about. It was a little like a quote from the 18th century British statesman Edmund Burke, who said, “You can never plan the future by the past.”
The point is this: Our future risk assessment cannot rely on what has happened in the past. We have to start thinking about future events with no precedents—things we have never seen—things we have never thought about. 9-11 showed us that as much as we plan, as good as our companies are—the future will throw events us that are very difficult to imagine.
The bad news is that we’ve got to plan for those events, and may have not started asking the questions yet.
I know there is a session going on right now about infrastructure and natural resources, so I’ll spare you that speech.
But I’d like to touch on two aspects of our work at Duke Energy since 9-11, and I’m convinced it is work many companies should be doing—no matter how large or small—if you represent an energy company, a financial company or a retail company.
First—Better integrate all of your emergency response and risk management plans throughout your enterprise.
Second—Re-think your risk management efforts with regard to support functions within your corporation.
Point one sounds a little trite. We all need to be better integrated. We hear that every day. But for any fast-growing corporation, integration takes on new importance, new urgency.
For example, five years ago, Duke Energy was barely on the Fortune 500. Today, we are No. 14. Five years ago, we weren’t in Australia, El Salvador, Western Canada. Today, we are.
That means we have facilities in those locations that have emergency response plans—that have risk management efforts underway. But do all areas of our corporation know what they are? Do we handle a gas pipeline rupture the same in Ohio, as we do in Australia? One key variable we face in risk management is this: There is no guarantee that a diversified, far-flung company will handle a similar crisis the same every time.
Wall Street expects us to. Main Street expects us to. But can we look at ourselves today and say that we could do it?
Right after 9-11, Duke Energy established an Enterprise Safety and Security Network project team. This group was charged with reviewing business continuity, employee health and safety and facility issues, with a focus on prevention, crisis management and disaster recovery.
We brought together various Duke Energy business units to start down the path of making sure we have a collective handle on our risk management practices.
To be fair to ourselves, we were already doing a lot of that. But 9-11 taught us a few things—we can never put too much work into preparedness—or too much effort in coordination.
It’s natural to let your individual businesses control their risk management and emergency response. They’ve probably been doing an excellent job at it. But is there some place in your corporation that has review over the individual plans? Are there standards each area should address? Are there conflicts and disconnects within your response system? If there were—would you know?
Are there established thresholds for how your corporation responds? Has a central crisis operations center been established? When was the last time all your crisis management plans were validated? These questions are worth asking—and are worth getting answers for.
Do you know where your key employees are in regards to risk management? At Duke Energy, our leaders are actively involved with the American Gas Association’s safety effort, and also the Energy ISAC—an industry-led high-tech consortium improving computer safeguards. Your company may have similar ties with industry efforts. But do you know what they are?
An interesting discovery we made at Duke Energy was that we have more than 40 government and industry organizations providing and requesting information from us on risk management matters.
Who has the lead for each of those 40 groups? Are the right people plugged into these groups? Just as important, are these groups getting consistent answers from your company.
Do you have an emergency response plan for your commercial office or complex? I’m sure you have one on your computer data center or your manufacturing plant. But what about the place where people in your company work? Who’s in charge at a multi-business unit facility like an office building?
Finally—a very simple question. Do you know where your employees are? If a large airliner went down today, would you know if you had any employees on that plane? We recently implemented the requirement at Duke Energy that our Corporate Travel office be involved in all travel plans. Cost is one issue—but keeping up with our employees was the other issue. It’s easy for employees to book their own travel. We all know how to get on the Internet to do that. But that can cause problems during an emergency.
What if a disaster struck a facility where you had several hundred employees and contractors who had worked for your company for a number of years? How quickly could you account for BOTH the employees and contractors?
Now, I’d love to tell you that Duke Energy has answered each and every one these questions, and we have a “How to” booklet for you to buy for $19.95. We don’t. But we have made a lot of progress in fleshing out these answers. Better yet, we’re asking the questions.
When it comes to risk management and emergency response, integration isn’t just some corporate buzzword—it’s asking the questions today that someone could be asking tomorrow.
My second point is how we think about our corporation’s support functions. In the energy industry, it’s easy to be concerned about the power plant or pipeline—the tangible asset that is highly visible to the public and is crucial as a money-maker for the company.
But what about the support functions behind the scenes. Of course, a lot of time and effort have gone into our computer operations—even before 9-11. Duke Energy and a number of other companies have excellent backups and risk management plans concerning computer operations.
But I doubt we have given our other support functions quite as much effort. We can probably learn a little from the military in this regard. I served in Desert Storm as a logistics officer, and part of my command was to make sure we could support frontline troops for Gen. Schwarzkopf’s famous left hook during the ground assault. Let’s face it—you could never make it around southern Iraq to northern Kuwait without plenty of support along the way. In fact, it took about five support soldiers for every frontline combat soldier.
Our businesses are a little like that, too. Our plants and manufacturing facilities can run out of gas—literally and figuratively—without the business support behind them.
We gave that some hard thought at Duke Energy. We had great backup plans for our computer operations and our transmission controls, but what would happen if Uptown Charlotte were the next terrorist site, and our 4,500 headquarters employees couldn’t go to work Monday morning?
Where is our backup? If it’s two blocks away… that’s not good enough. Remember, all of Uptown Charlotte has been affected… and a wide area has been taken out of commission. Ask the obvious questions—How do you communicate with your employees? Employees want to do the right thing. You’ve just got to figure out how to tell them. How do you quickly recover your operations?
The good news is that your plants or key operations are still operating. But without your support functions—how long can that go on? Have your key suppliers also been affected? Can you move money and supplies when and where you need them?
Another key area I believe businesses should address is loss of life. In a small business, it may be just one employee. In a large business, it could be different.
You must remember that about 15 people die every day from on-the-job injuries. Death happens in business every day. What if 50 people in your company were wiped out by some incident? Could you continue to operate? Maybe.
How would you administer the assistance needed to the families of the employees you lost? How about the employees who survived and are needed to keep the business going? Is your company ready for that task? Whose responsibility is it? It might be yours and you don’t even know it.
I know that Duke Energy doesn’t have all the answers to these questions. I do know that we’ve been busy for eight months asking ourselves those questions. We’ve re-shaped our organization to deal more effectively with what may happen.
Are we posing the right questions to our organizations? Not just the obvious ones, but the questions that no one has previously thought of. We’re trying because the best time to do that is today while we have time to contemplate the questions.
Risk management is not somebody else’s job. It’s everybody’s responsibility. That means everybody has to ask questions, and the great thing about a conference like this is that you leave with hundreds of new questions—plenty of items to chase when you get back to work. Let me add my two questions to your stack:
How well is your risk management integrated across your enterprise?
How much thought have you given your support functions within your organization?
9-11 changed our mindset about risk management. It’s not about what has happened in the past, or what has happened to someone else—It’s what could happen in the future. We need to drill down to ask the next level of questions. Many companies have done an excellent job at asking the obvious questions. The key going forward—is to ask the not-so-obvious questions. Ask those questions today before someone asks them of us—tomorrow.