Throughout most of their history, the concept of risk for electric cooperatives has centered around the hazardous nature of the power industry. But over the past decade, broad transformations in the energy sector have brought waves of new potential risks to plan for and mitigate, from sophisticated cyberattacks and a global pandemic to climate change, personnel challenges and unprecedented regulatory obstacles.

“Everybody knows the risks are there, circling us like sharks,” says Ken Sivertsen, director of member services at JCE Co-op based in Elizabeth, Illinois. “Risks are changing constantly. Ten years ago, who heard of ransomware, that you could click on an innocent-looking link in an attachment, and before you know it, your phone is bricked, and they’re stealing all your information?”

But as in any industry, a certain amount of risk can help spur evolution and the need to meet new expectations, drive innovation and inspire new services.

The key is to know where those risks are (or may arise) across the organization.

“The failure to identify and manage risks can result in fragmented views of impacts, inconsistent treatment and missed opportunities,” says Dave Viar, vice president of risk management at SMECO in Hughesville, Maryland. “This can lead to potential financial losses, reputational damage and missed chances for value enhancement.”

To get a better handle on the full range of challenges, co-ops are increasingly adopting the principles of enterprise risk management (ERM), a holistic approach that considers the impact of risk across the business.

NRECA Chief Risk and Compliance Officer Danielle Sieverling says co-op leaders are already engaging in broad risk discussions as they face new challenges or evaluate new business opportunities, “but they might not be calling it enterprise risk management.”

“ERM elevates the risk conversation by showing there is recognition across leadership that this is important, and collectively risks can be managed more effectively when a holistic view is applied,” she says.

“In its simplest form, it’s having conversations about the things than can go wrong and asking, ‘How are we managing these risks, and do we have a plan?’”

The Evolution of Risk

More comprehensive risk management strategies are becoming a priority for many industries.

“Co-op leaders are nimble and do a nice job evolving and creating mitigation solutions,” says Corey Parr, vice president of safety and loss prevention at Federated Rural Electric Insurance Exchange, underwriter for most of the nation’s electric co-ops. “But when the risk environment is changing at the pace we are experiencing, our mitigation strategies become crucial and more visible.”

A recent survey of corporate leaders and board members by North Carolina State University and global consultant Protiviti found a top 5 list of risks for 2023 that will sound familiar to electric co-op leaders: economic pressures; succession planning and attracting/retaining talent; cybersecurity threats; third-party products and services; and new regulatory changes and scrutiny.

“Co-ops are facing the same potential threats as any other business in America,” says Sieverling. “These studies are a great starting point to help co-ops think about what is an ‘enterprise risk.’”

Federated has seen these evolving risks and now provides coverage for emerging challenges like heightened wildfire activity, large-scale battery storage and cyber incidents.

“Five years ago, I was spending little time with wildfire mitigation strategies,” Parr says. “Today, it encompasses probably 20% of my time.”

“Ultimately, there are only four responses to risk: mitigate, transfer, accept or avoid,” he says. “We accept and control risk by putting up guardrails. That risk is also transferred to insurers or reinsurers.”

After the co-op’s directors adopted formalized risk review as part of its larger business continuity management program, it paid for Sivertsen to earn his certification as a business continuity professional from the Disaster Recovery Institute International.

As risk manager, Sivertsen keeps the co-op’s “risk register” and oversees its ERM framework and ensures it’s integrated across the organization. The process adds another layer to staff workloads, he says, but a designated risk manager is important “because if no one identifies and, more importantly, assigns ownership of that risk, then everybody else thinks someone else is taking care of it.”

Minnesota generation and transmission cooperative Great River Energy has also adopted ERM.

Co-ops wanting a deeper dive into ERM can start with simple steps that can help take a hard look at financial, operational and reputational risk, McFarland says.

“From a pragmatic and practical perspective, it’s what are the things that we most value, and what are we going to do to make sure those things are protected,” he says.

“And if they’re not protected, what plans do we have in place to respond to threats?”

Mangan says it pays to start with the building blocks of risk management: identification of actual or potential risks, assessment of each risk, mitigation strategies, consistent communication and transparency around a solid strategic plan.

“Communication is key to ensuring that everyone is aware of the risks, understands the mitigation strategies and knows how to respond in case of risk events,” Mangan says.

Sivertsen says to remember that while it’s impossible to mitigate risk to zero, co-ops can succeed by managing their response.

Up until recently, “JCE Co-op adhered to the, ‘If you don’t mention it, it won’t bite you’ approach to risk,” he says. “But we’re a small co-op, and we need to protect ourselves. We now talk about risk.”