In a nutshell: Unprecedented transformation and rising threats are a top focus for power and utilities. Meanwhile, the cleaner energy transition poses unique opportunities to move the industry forward. Leaders know that taking a panoramic view of risk is no longer a nice-to-have. It’s a must.
Power and utilities companies are no strangers to managing risk, with safety and reliability the mantra across the industry. While the mission is crystal clear, the risks are less so. Historical extreme weather events, emerging cyber threats, supply chain uncertainty and the cleaner energy transition have all changed the face of risk. The unlikely feels more likely, and the day-to-day challenges feel more complex — because they are. For most, if not all, especially those in regulated jurisdictions, the bar continues to be raised ever higher, with regulators increasingly asking companies to connect the dots between risk mitigation and capital investment. It’s nearly impossible to effectively tackle risk in silos. Operations, maintenance, safety, cybersecurity, finance and other issues need to be considered. Leaders know this, and they’re taking an enterprise-wide approach to risk, enabled by the right governance and technology.
The industry is changing at a pace unprecedented in its 100-plus-year history. It’s on the front lines of a major clean energy transformation that entails connecting new technologies to the grid and exploring new strategies for striking a balance between sustainable energy sources and reliable ones. Keeping up with this pace, specifically the speed of digital and other transformations, was cited as the top challenge for power and utility leaders responding to PwC’s 2022 Global Risk Survey. In fact, 83% called it a significant or very significant risk management challenge, followed by resource constraints and access to digital tools and enablers.
But while bringing challenges, the increasing number of transformation initiatives is a cause for optimism. Power and utilities expect growth over the next 12 months, with 79% expecting revenue increases — at the second highest level among all sectors. Nearly half (40%) predict that revenues will increase between 6% and 10%.
What’s driving these increases? Expansion into a new customer segment (14%), digitisation of products and services (13%), launch of a new product or service (12%) and entrance into a new geographic market (12%). The top factors driving growth are somewhat consistent across industries, but for power and utilities it’s a likely indicator of the industry striving to find new ways to help create value in a changing energy landscape.
With many new connections to the grid and new customer programmes — including Electric Vehicle (EV) charging and battery storage — there are new potential vulnerabilities to consider. The pressure to reduce or eliminate these risks is very real. In fact, cybersecurity and information management ranks as the top individual risk for power and utilities, cited by 25% of respondents. Close behind are risks related to systems implementation and integration (19%) and, tied at third place (17%), geopolitics, external change, market and product risk.
Cyber is the most top-of-mind risk for good reason due to evolving geopolitical threats to the industry’s role in protecting critical infrastructure. Groups of hostile or potentially hostile actors actively target the industry, and some are equipped with the capabilities to cause major disruptions. Because of this, governmental and regulatory agencies continue to evolve and expand cybersecurity monitoring and reporting requirements for electric and gas utilities. There’s a shift in compliance standards underway from voluntary to mandatory, and in monitoring, both reactive to proactive.
Most power and utilities respondents told us they plan to moderately or significantly increase their spending on detection and monitoring of risks (76%), data analytics (75%) or process automation (71%). Two-thirds or more are very concerned or extremely concerned about national or state cybersecurity regulation (69%), privacy rights and/or protection (69%) or data protection laws (66%). More than three-quarters (83%) of power and utilities say that R&D tax incentives are important or very important when it comes to making decisions around investing in technologies to support cyber risk management.
With climate change contributing to more frequent one-in-100-year storms, floods, deep freezes and other catastrophes, power and utility companies are focusing on crisis response. Those who have suffered extensive damage to infrastructure are rethinking strategies and investing in preventing future risks. As an example, in the wake of recent wildfires, one utility is burying overhead lines in high-threat areas as part of a massive undergrounding project. Leading companies also think beyond the immediate response to the impacts on commodity prices, modernization investments and financial implications. Connecting these dots is increasingly important. In the US, proposed SEC climate disclosure rules could lead to an even greater need to understand and report climate risks and the associated costs.
It should come as no surprise that environmental-related regulations are a top concern for the industry. Nearly-three quarters (71%) of power and utilities respondents say they’re extremely concerned or very concerned that environmental regulations will have a negative impact on their business in 2022.
As pressures from regulators, customers and boards mount, the ongoing shift to cleaner energy sources continues. This poses additional risk considerations due to the intermittency of renewables like wind, solar, thermal and hydro. Utility-scale energy storage remains costly. Battery storage at scale, a needed piece to the clean energy puzzle, remains largely in the developmental stage in the US, and has experienced technical hiccups. Other providers face challenges as well.
The tech and renewables sectors are both integral to storage and cleaner energy generation. With many IPOs and acquisitions afoot, rapid innovation is driving speed to market — creating more risk considerations for the industry.
The transition to cleaner energy is prompting power and utilities to invest in new infrastructure, technologies, joint ventures and customer markets. With this level of growth and change, achieving a more holistic view of risks — and how they relate to each other — is essential. To move in this direction, more than one-fifth of power and utilities are investing in creating an integrated governance, risk and controls system. Governance, risk management, and compliance (GRC) programmes serve as the connective tissue helping companies move from navigating risk by segments — business unit by business unit — to gaining a valuable view into how various risk programmes and initiatives sync up with each other. They also provide leaders with higher-quality insights into whether their risk management processes are adequately robust.
Some companies also report benefits from other advances, such as achieving compliance by design with security and controls directly embedded in business and digital applications (27%), quantifying new risks and adjusting risk appetites (23%), and creating ethical frameworks for new areas that the business is pursuing (23%).
But more could be done.
Responsibility for risk management at utility organisations is often fragmented based on the type of risk. The CFO is tasked with financial risks, according to 66% of respondents, while strategic risks are the responsibility of the CRO (24%) or the CEO (21%). Nearly half (47%) say operational risks are under the purview of the COO.
Companies should create some sort of roadmap — formal or informal — for those responsible for specific risk areas to develop a panoramic or integrated view of risk. Success hinges on understanding the full impact of risk events and how to prevent them — or at least react quickly. Power and utilities companies on successful paths also pursue innovation in a manner that’s appropriate for the accepted level of tolerance among customers, employees and other stakeholders.
The industry is increasing spending on technology supporting risk management: 72% of respondents plan to increase their tech spend in 2022, with 24% expecting to boost their tech spend by more than 10%.
When it comes to the type of tech investments being made, about three quarters (76%) are increasing spending on detection and monitoring of risks (76%), data analytics (75%) or reporting and visualization (72%). They’re also focused on process automation (71%), an integrated risk platform (69%) and workflow management (69%).
Many utilities are bolstering their investments in risk management technology. But they will need to institute better practices to help make those investments pay off.
Consider, for example, that 39% don’t invest in risk technology solutions as part of an integrated technology stack, and 55% don’t have a multi-year roadmap. More than half don’t complement their risk technology investments with people and process changes. Some fail to use leading practices around tech investment. Specifically, 45% say they don’t yet consider the user experience, another 45% that they don’t yet spend on tech that complements their capabilities as organisations, and only 49% adopt tech that helps them keep up with the speed and scale of their transformation initiatives.
As with other sectors, the power and utilities industry is fighting for talent, and it’s not a new challenge. Long-time employees continue to retire, and companies are competing for individuals who have the technical and strategic capabilities needed to respond to existing challenges and help enable the transformation to a cleaner energy future. In fact, 82% of power and utilities companies cite resource constraints as a significant or very significant risk management challenge.
Consequently, utilities are tackling workforce issues head on by proactively rethinking some practices in order to enhance risk management. Nearly three-quarters (72%) aim to add headcount to the risk function. Seventy percent are adding technology and digital capabilities, and 69% are contracting with managed services or co-sourcing providers. More than two-thirds (67%) are reorganizing the structure of the risk function and slightly fewer (66%) are implementing diversity, equity, and inclusion programmes. An equal number (66%) are building a three-lines model.
With 69% of power and utilities companies tapping external support for the risk function, the largest number (51%) plan to spend more on cybersecurity services in 2022.
Power & Utilities IA, Compliance & Risk Leader, PwC US
Principal, Energy, Utilities and Resources Cyber, Risk and Regulatory Leader, PwC US