The History of Enterprise Risk Management at Hydro One Inc.

Abstract

Hydro One Inc. is widely regarded as having had one of the most successful implementations of enterprise risk management (ERM). The purpose of this article is to record the history of this successful implementation so that it will benefit other companies and organizations who are at the beginning or in the early part of their ERM journey. In this article, we delve deeper into the dynamics at work and the steps involved in the implementation of ERM. This article is an interview by Betty Simkins with John Fraser and Rob Quail so as to record the challenges, successes, and methods used at Hydro One. This article covers the period from 1999 to when John Fraser left the ERM function in 2014 but many of the processes they implemented have continued to the date of writing (2021). This article should also be of interest to academic researchers who seek to understand why some ERM implementations succeed while other flounder or fail to achieve their objectives.

1. Introduction

Hydro One Inc. is widely regarded as having had one of the most successful implementations of enterprise risk management (ERM) in Canada. Executives had wanted to implement ERM from the time the company was split off in 1999 from the predecessor company, Ontario Hydro. They had tried unsuccessfully to introduce it with the use of external consultants. In 2000, John Fraser was asked to take on the role of chief risk officer (CRO) and implement ERM, later that year Rob Quail joined him. They based their methods on the meagre literature available at the time and had great success over the following years.

In 2005, Tom Aabo, John Fraser, and Betty Simkins researched and published an article on the Hydro One ERM methodology that is published in this journal (see Aabo et al. 2005). Several other research articles and case studies have been written on the successful processes that were put in place at Hydro One (see Fraser and Simkins 2007, 2016; Mikes 2008, 2010; among others). The reason for writing this article is to delve deeper into the dynamics at work and the steps involved in the implementation of ERM. This interview by Betty Simkins with John Fraser and Rob Quail is to allow John and Rob to record the challenges, successes, and methods used at Hydro One, with the hope that these experiences will be of help to others at the beginning or early part of their journey with ERM, as well as academic researchers who seek to understand why some ERM implementations succeed while other flounder or fail to achieve their objectives (see Fraser et al. 2021). This article records the period from 1999 to 2014, which is the period that the interviewees, John Fraser and Rob Quail, were the Chief Risk Officer and Manager respectively of the ERM function, so it is historical but it is understood that many of the processes they implemented have continued to the date of writing (2021).

Hydro One Inc. (Hydro One) was originally part of Ontario Hydro. On 1 April 1999, Ontario Hydro was split apart and Hydro One Inc. (originally incorporated as Ontario Hydro Services Company Inc., Toronto, Ontario) was established as a separate corporation, owned by the Province of Ontario, with responsibility for electricity transmission and distribution. The government appointed a high-profile board of directors under the leadership of Sir Graham Day as Chair, and Eleanor Clitheroe as President and CEO.

As part of establishing a separate company that was to go public, the board and management team wanted to follow best practices in governance and therefore hired consultants to advise them. One area in which they sought to be leaders was in the area of ERM. At that time, in 1999, ERM was not well known. Hydro One hired a series of four consulting firms to help introduce ERM. Each firm came in and did interviews and prepared risk profiles and offered templates etc., but nothing seemed to be successful. At that time, ERM was under the Strategic Planning Group, which seemed a good place for it to reside. Refer to

Table 1. Timeline for ERM at Hydro One.

1998–1999	Management tries to implement ERM using four successive firms of consultants and having ERM as part of the Strategic Planning group
Mid-1999	ERM Group transferred to CFO and Leadership changed to Mr. C, an experienced accountant, with Miss K as staff due to her analytical skills. Literature review done for best practices
Late 1999	First Risk profile prepared by Mr. C and his staff. John Fraser appointed as Chief Risk Officer effective 1 January 2000
2000 to late 2000	ERM rolled out by John Fraser, Mr. C and Miss K. ERM Policy and Framework approved by the Audit Committee. First risk workshop, first risk criteria (impact scale etc.). First workshops with Leadership Team
Late 2000	Mr. C retired in November. Rob Quail picked to lead the ERM function due to his experience and charisma.
2002	Case study on Hydro One’s ERM by John Fraser, Rob Quail and Nina Kiriendo published by the Conference Board of Canada (Hydro One 2002)
Late 2003	John Fraser recommended to the CEO to allow ERM staff (Rob Quail and Miss K) to move on in their careers while he would maintain ERM on a shoestring basis
2004	Case study on Hydro One’s ERM published by Professor Tom Aabo, Professor Betty Simkins, and John Fraser
2008	Case study on Hydro One’s ERM published by Professor Anette Mikes of Harvard
2009	Multi-media case study on Hydro One’s ERM prepared by Anette Mikes of Harvard Business School
2011	Rob Quail rejoined ERM group
2012	Rob Quailrecruited Ms S.
2013	John Fraser ceased as Chief Risk Officer
2014	ERM maintained by Ms S.
2015	Mr. D appointed as Chief Risk Officer

for a timeline of implementation of ERM at Hydro One.

2. ERM Processes and Challenges at Hydro One

This section of the article covers ERM processes used by Hydro One along with challenges experienced along the way. It is structured as an interview of John Fraser and Rob Quail by Betty Simkins to provide deeper insight into the history of ERM implementation at Hydro One and the processes and challenges involved.

The section is divided into the following different topical areas: Section 2.1 Creating the Role of Chief Risk Officer and Introducing Risk Workshops, Section 2.2. Developing Risk Criteria and Risk Tolerances, Section 2.3. Involving the Executive Team, Section 2.4. Further Development of ERM Tools and Techniques, Section 2.5. Getting Involved with Academia, and Section 2.6 Reenergizing ERM.

2.1. Creating the Role of Chief Risk Officer and Introducing Risk Workshops

Betty Simkins: John, when did you join Hydro One and how did you become the chief risk officer?

John Fraser: In May 1999, I was hired as head of Internal Audit and started work at Hydro One. Prior to that, I had worked on Bay Street in leadership roles in internal audit. As part of my orientation at Hydro One, I met with the ERM group and quickly assessed that the leader’s personality type was unsuited to what ERM required. I decided that this group’s activities, as conducted, would not be of benefit to my audit function and so I revised the internal audit function to my standards, both as to people and processes.

Later in the year, the CFO told me that the CEO wanted the ERM function to be moved under her, and she asked what I thought of the idea. I explained that the staff was not right for the role and needed to be changed. As a result, Mr. C, who was in the Finance Department, became leader of the group. Mr. C was ideal for the role. He knew the company and the culture, and he had a wonderful charismatic personality and a great attitude. He quickly moved into the role and with the help of Miss K, did a literature search on ERM and initiated the first corporate risk profile in late 1999. At that time, the key sources that were available were the Australian/New Zealand (2004) Risk Management Standard, papers by the Conference Board of Canada, and articles by Tillinghast Towers Perrin.

At the end of 1999, the CFO asked me if I would take on the role as CRO with Mr. C and Miss K reporting to me, as well as continuing on as head of internal audit. I thought there might be a conflict of interest with my audit role, but finally agreed to take it on with the following conditions: that I would keep my audit staff and ERM staff quite separate and manage each function with zero overlap, and if after six months I could not show value, then I would close the function and turn my ERM staff into auditors.

Betty Simkins: Once you accepted the role of CRO, what were the first steps you took to implement ERM?

John Fraser: I assumed the role of CRO on 1 January 2000. The first thing I did was meet with Mr. C to discuss our respective visions of what ERM would consist of. After much discussion and debate, we agreed that our initial approach to ERM should focus on risk interviews, risk workshops, and risk profiles.

The next step was to get the support of the management team and the board. Since in my audit role I was accustomed to having a mandate that spelled out my accountabilities and key roles, I decided that we needed something similar and so we drafted an ERM policy (see Aabo et al. 2005). I took this policy to the CEO and her direct reports. They said that I would have to demonstrate that I could add value by using ERM techniques before they would support my taking the policy to the board committee. We decided that I should do a pilot risk assessment with Hydro One Remotes Inc. (Remotes), a small subsidiary that provided electricity to remote northern communities. We met with the president of this subsidiary and decided to do our first risk workshop.

We conducted two risk workshops with the Remotes subsidiary, and they were a major success. Afterwards, the president of that subsidiary reported on the success to the Executive Team, who then gave approval to proceed with the ERM Policy to the Audit Committee. Needless to say, if this first workshop had not gone well, that might have been the end of ERM at Hydro One!

Although we had some ideas and prior experience with risk workshops, we decided to hire consultants to help us. However, when we started the planning for the voting process using anonymous voting technology, they were unable to answer our concerns regarding the use of criteria and definitions for the impact scale, so we decided to develop our own methods. Specifically, the consultants advised us to have attendees vote on ‘impact’ using a 1 to 5 scale, but without definitions of what a 1 or a 5 was, beyond descriptions such as ‘minor’ and ‘catastrophic’ respectively. Therefore, we developed our own risk criteria, customized to suit the company. The most important part of this was an impact scale for each of the major strategic objectives (e.g., safety, customers, environmental, financial, etc.) with simple examples of what an impact might look like in dollars, variances from plan, or other events that might happen.

2.2. Developing Risk Criteria and Risk Tolerances

Betty Simkins: Tell me more about the use of risk criteria. Were they related to key performance indicators?

John Fraser: The impact criteria came to be known internally as “risk tolerances”. We specifically scaled each line item in the criteria so the same point on the scale (3, or “medium”, on the 5-point scale) for all measures was the level at which the risk might start to become intolerable, or at least indicate a need to formally assess the risk in more detail and determine tolerability.

Rob Quail: One thing that worked very much in our favor through this process of developing risk criteria was that the company had implemented a balanced scorecard, with explicitly stated business objectives and associated key performance indicators (KPIs). We were able to use those measures to define the line-items in the impact criteria. For the first few years of our ERM program, we collaborated extensively with the person who was in charge of the scorecard. This relationship helped make both the ERM and the scorecard processes more effective.

Betty Simkins: How did you define risk and how did you make this a meaningful concept for the executives and managers?

Rob Quail: We decided quite early to abandon any discussion of “inherent risk,” because the question invariably yielded blank stares among workshop participants. This was an important departure of our approach to ERM from what was then widely regarded to be then “best practice,”. However, we decided that if a concept was of no use to decision-makers, we would not use it at all in our program. So “inherent risk” was thrown to the trash heap.

An important innovation that we developed instead was the concept of “worst credible impact”. The problem was trying to define a risk in terms of a single magnitude and impact combination. As we know, all risks are more correctly described as a probability distribution curve rather than a single “point” on a heat-map. But, like the “inherent risk” problem above, expecting decision makers in a risk workshop to go through any process of defining multiple points so we could draw a curve was just unrealistic. Therefore, in workshops we asked participants, when evaluating impact, to consider not the most extreme nor the most likely outcome, but something in between: where some credible combination of a risk event and control failure happened together and resulted in an outcome that a reasonably informed person would agree is “worst credible.” Throughout the life of the ERM program at Hydro One we worked on refining the approach to develop “worst credible”, including postulating mini-scenarios and bringing to light future events or changes that could have a reasonable impact on the risk (through the Risk Calendar tool). Figure 1 provides an illustration of a typical risk map format.

John Fraser: This type of risk criteria is now common, but to our knowledge had not yet been invented or published at that time. Having conversations around these tolerances was a major step forward as it required management to think ahead about various scenarios.

Let me share an interesting story when we were trying to develop impact criteria, “Tolerances”, for the government relationship. We knew that maintaining a positive relationship between the company leadership and the government, which at the time was the sole shareholder, was critical. We needed to be able to assess risks where an outcome might damage that relationship. Therefore, we created an impact scale with a letter of complaint to the Minister of Energy as a “minor” event, and the CEO and board all being fired by the government as the “catastrophic” end of the scale. When I showed this to the executives and Audit Committee, they laughed at how outlandish it seemed. Interestingly enough it came true three times afterwards! This shows that these scales for risk criteria should envision all possibilities, no matter how extreme they may seem under normal circumstances.

We took the ERM Policy, as well as a Risk Framework that we developed (based on the AS/NZ 4360-2004 Standard), to the Audit Committee for approval. When I took it there, the Audit Committee asked why we were bringing this policy to them, since at the time the board believed that they were not responsible for risk and that this was management’s job. Somewhat reluctantly, they approved these critical documents and continued to approve them at my request on an annual basis. The policy was then disseminated to all staff.

Betty Simkins: Please tell me about some of your initial activities in implementing ERM that demonstrate its importance.

John Fraser: We originally planned to do about six risk workshops a year. For more information on running risk workshops, refer to Quail (2021a). That was our planned measure of success. However, the word spread and in the first year we greatly exceeded that and in subsequent years, until 2003, we were doing between 40 and 60 a year.

Several other seminal initiatives also helped ERM take hold. The first of these was the Voluntary Retirement Program (VRP). In 2000, the company offered a retirement package, to reduce headcounts and costs. Once the retiring staff had made their selections, the CEO of Hydro One Networks Inc. (the major operating subsidiary of Hydro One Inc., Toronto, Ontario), asked if we could help. He was concerned that since many departments were losing a high percentage of their staff, they would be asking for replacements, and without some mechanism to prioritize or control re-hires, he could soon have replaced the same number of staff who had left, and be no further ahead. As a result, we designed an exercise based on using our risk criteria to determine the risk to each major business objective (e.g., safety, financial, reliability, etc.). We then obtained estimates of the numbers of staff or consultants that would be required to bring the risk in each area down to a tolerable 1 or 2 of 5 on our impact scale. Next, we held a workshop with the CEO as sponsor, where we shared the results showing that everyone agreed, that with just 125 staff re-hired in total and $4 million for consultants/contractors, the risks could be brought into the tolerable range (i.e., a 1 or 2 on our impact scale). This initial practical application of our ERM concepts to a major business decision helped solidify our credibility with management.

Rob Quail: By this time, I was getting involved in the new ERM program. While my role at the time the ERM program first started was manager of Environment, Health and Safety Audit, I had some experience running Control Self-Assessment workshops in prior roles in support of Environmental Management Systems implementation. What the ERM team was doing really interested me.

During this period, we started to prove the value of our process by applying it to a range of other different business problems and decisions, including the construction of a new Grid Control Centre (a project which was in deep trouble at the time), launching of unregulated businesses through newly-created subsidiaries, the acquisition and integration of over 70 local distribution utilities, and several key enterprise technology projects. Later, risk workshops were an important management tool regarding the outsourcing agreement Hydro One entered into with Capgemini, which was at the time the largest outsourcing agreement in the history of the electricity industry in Canada and in North America.

Our ERM team also conducted an extensive series of risk workshops with engineers within the asset management group, assessing the risk of failure of various asset classes (such as poles, transformers, and conductors) given their condition, usage history, and age profile, and projecting the impact on things like system reliability and customer experience. This was important as it exposed ERM to a large population of system planners and engineers, who later became major proponents of the approach.

2.3. Involving the Executive Team

Betty Simkins: How did you first get the executive team involved with ERM?

John Fraser: In the middle of 2000, we prepared an updated Corporate Risk Profile and shared it with the Chair, before delivering it to the Audit Committee. The report was very well received by the Chair. He said that this was just how he liked things done, simple and straight-forward. He wished more board documents were written like that.

The CEO asked me to do something that would help engage the management team with risk. I proposed that we allocate 40 min once a month to discuss a specific risk on the Risk Profile at the Executive Committee, with subject matter experts (such as environmental) invited to answer any technical questions from the executives. It was a big success. I remember that when we asked for the very first vote using voting technology, every head turned to see what the CEO was doing, as that was how previous decisions were made. It soon became obvious to executives that they could vote anonymously without risking the censure of the CEO.

Rob Quail: This series of executive workshops had many benefits. First, it allowed us to continue to develop and refine the risk criteria with the most-senior risk owners present, before applying them to a range of business risks. It also helped us develop as facilitators and workshop planners/orchestrators, and to refine our process. Finally, and perhaps most importantly, it was great for promoting the value and benefits of our approach. Many of the executive team at the time became advocates of ERM and asked for our help in tackling problems in their own businesses. This series of executive workshops was invaluable in building support and excitement for ERM in Hydro One, and in developing a sense of shared ownership for our ERM tools and processes among the executive team. The ERM program was everyone’s, not just ours.

Betty Simkins: How did you decide what risks to focus on?

John Fraser: In order to decide what risks to focus on, we reviewed the business plans to see where resources were being expended. We also brainstormed what might be the most likely risks to an energy company such as ours. We then developed a “risk universe” which is a list of these most typical risks to draw on when planning workshops or performing interviews. This customized set of risks increased our credibility with all levels and types of business operations’ managers and executives because it showed that we understood the business. We also were able to customize each workshop very quickly to meet the specific needs of each workshop sponsor. We became so skilled that our ERM team could be called the day before and still deliver a customized workshop the next day. The subsequent report of the conversations and a risk map were then delivered to the sponsor the day after the meeting (even for the board workshops). This is very impressive service. This risk universe continued to be developed and refined over the years, to allow us to show cause-effect relationships among risks and avoid duplication and overlap.

Risk workshops were the major thrust of our approach. We used these to entrench the business objectives, the risk criteria/tolerances, create conversations and assist decision making. In fact, the CEO was so enthusiastic about this format that she asked our group to use voting technology at a staff meeting of over 400 staff. This created major challenges as we had to rent the additional voting pads. This session was a success and then we were asked to do an even larger one with over 700 staff!

Betty Simkins: How did you manage this with 700 staff?

Rob Quail: I investigated on how to facilitate a meeting with 700 participants. I spoke to one workshop facilitator who told me he thought we were insane to try to run a session with that many people and get any value out of it. We came up with the idea of having all participants at each table discuss the risks and then vote on the table’s consensus using a single keypad at their table. Next, there were breakout discussions at each table where their ideas were recorded and collected later for analysis. The session was a big boost for our credibility with a wider audience of managers and employees across the company.

2.4. Further Development of ERM Tools and Techniques

Betty Simkins: After these initial successes, what else did you do to help entrench ERM in the organization’s key processes?

John Fraser: The next major milestone was around 2001 when one of our asset managers, who had been a participant in the earlier workshops on asset failure risks, approached us for help with devising a methodology for allocating resources based on the risks to assets. This methodology became the method used for annual business planning purposes for the capital and maintenance expenditures and was very successful. The method involved each asset manager proposing several alternative levels of investment in their work programs, e.g., maintaining transformers, constructing new lines, etc. These investment levels were then risk rated for each business objective (e.g., safety, customer, financial, environment, reliability, etc.). After that, we conducted sessions where the executive team reviewed and probed the asset managers’ risk ratings and cost assumptions over the course of two days. In this way, we were able to arrive at an agreed enterprise-wide budget that allocated money across work programs based on their potential to mitigate risk (see Toneguzzo 2021). This method was praised by the regulators and others.

Rob Quail: What was particularly satisfying about this risk-based prioritization process was that we did not develop it. A couple of managers in the Asset Planning part of the company who had been exposed to our ERM process came up with the idea of using it to prioritize individual asset investment levels. This effort was a collaboration, but the seed of the idea originated with them, based on the concepts and tools we had brought to the company.

Betty Simkins: Did you use computer software in your ERM processes, and if so which software programs?

John Fraser: We kept looking for suitable software, apart from the Resolver Ballot voting software, to store and manage the data we were collecting at risk assessments. Until then, we were using Excel and Microsoft Word to keep track of everything, and it was becoming unmanageable. Early in 2002, we purchased Methodware’s ERM package. No other packages met our needs and expectations at the time. Many packages advertised were only workable for risks involving market risks and return on capital, etc. After 2003, we stopped using Methodware, and in 2011 when Rob returned, the cost had become prohibitive so we returned to using Excel and Word software, along with Resolver Ballot application.

Rob Quail: The initial task of configuring Methodware was a challenge, because it was to a large extent an empty shell without many prior implementations. The company that sold it provided only high-level advice on its use. The process of learning how to use it and how to organize information in it yielded many benefits in terms of our own thinking about the relationship between risks, objectives, initiatives, and metrics. Aside from the learning experience, Methodware was a life-saver in those years when the number of workshops became so high (sometimes 3 or 4 in a single week!). We used it to automate the production of reports. During workshops we entered data and discussion points directly into the system, and when we were done, the system would package it up into a report we could email to participants within a half-hour of concluding the workshop. Methodware was a big help in pulling together annual risk profile reports for the Board, because we could roll-up lower level risks into higher level Corporate risk categories, complete with impact, likelihood, and control strength scores.

Betty Simkins: How involved were you in the business planning process and how did ERM mesh with the culture at Hydro One?

John Fraser: Until the end of 2003, we continued with entrenching the ERM concepts and practices throughout the company. It was always a ‘pull’ approach, where we responded to managers’ requests for assistance. We never asked for a ‘push’ of making it a strict requirement. There was, however, a requirement in the ERM policy that risk assessments should be done at least annually but it did not mandate our involvement. We also added a section in the Business Planning documentation for each area to identify and highlight the risks they faced. This was because in 2000, I had asked my staff to scan the Business Planning submissions to see how often the word ‘risk’ was used. The result was that the word ‘risk’ was never used, because risk was considered a bad word. However, this changed when I started doing risk interviews and explained to managers that without identifying risks to meeting business objectives, they would not be able to justify having staff and resources. This completely changed how risk was viewed and managers started identifying risks in order to justify budget requests. As a result of this change in culture, in 2002 I recommended Rob and Miss K for the President’s Culture Change Award, which they won.

Rob Quail: What really struck me about that award was that, at that time, most of our work had been with the top three layers of the company. That is where we had started to effect change. Usually when executive teams give awards for “culture change,” they are talking about the culture at the workface, i.e., “other people’s culture”, and not their own. It was a very rewarding acknowledgement that we had changed the thinking of the executive office, and not just the people “out there.”

Betty Simkins: What was the next stage in the ERM journey?

John Fraser: We had a new board and new Chair in mid-2002. The Chair was supportive of ERM but wanted us to show ‘inherent risk’ on the risk profile. This we did reluctantly, because as we mentioned earlier, we did not believe in the concept and had to create almost fictitious ratings for ‘inherent risk’, as it is virtually impossible to estimate consequences in the absence of ANY controls.

In May 2003, another new Chair was appointed who was also very supportive of ERM, but the new CEO, while supportive, changed the business strategy to a return to basics. Therefore, many of the risky business strategies/objectives, such as growth and acquisitions etc., were shelved and the need for ERM was reduced in such a stable environment.

At this time, the asset resources prioritization process and the plethora of risk workshops was really having an impact on many areas of the company. Many lines of business were doing their own risk assessments for business planning and other purposes without needing our help (which we thought was a great thing!). We agreed that the growth phase was over and that the company did not seem to need a full time ERM function anymore. In 2004, Miss K moved to work on the company’s information privacy management framework. Rob moved into customer care, and then later, major IT projects and outsourcing.

I proposed to the CEO that I would keep ERM in maintenance mode, i.e., preparing profiles and doing only key risk workshops, but not as comprehensive as before. I did realize that ERM might diminish and even fade but was thrilled when it kept going, albeit on a reduced basis. Note: ERM resurged in May 2011, when I was able to re-hire Rob and he re-energized the function.

Betty Simkins: With Rob and Miss K moving on in their careers, how did you manage to keep ERM alive with just yourself part-time?

John Fraser: For seven and a half years, I kept ERM alive on a minimal basis, but with many successes. I was fortunate that, despite their moving on, both Rob and Miss K were prepared to come back and help me with risk profiles (interviews, editing or writing as time permitted) and risk workshops (e.g., with the executive team and later with the full Board of Directors) when needed and when they could spare the time. Occasionally, neither was available and I was on my own.

Betty Simkins: What was your involvement with the board of directors apart from with the Audit & Finance Committee?

John Fraser: In December 2006, a new CEO was appointed who was very supportive of ERM and as a result the resurgence started. One highlight was her persuading the Chair to have the full board participate in risk workshops. The purpose was both to get the views and conversations of the board regarding key risks, and also to educate the board on ERM. We included “Black Swan” risks in the board risk workshops. Black Swan risks are those considered of high impact but low likelihood: e.g., in 2009 we assessed a forced sale of Hydro One, and then in 2010 we assessed a cyber security meltdown. Impact and likelihood criteria were of course no longer useful for Black Swans, as by definition they are all high-impact, low probability. Rob came up with new criteria, Velocity and Resilience, to evaluate Black Swan risks. We regarded these criteria as a major innovation. These workshops went well and we were applauded at the end of the sessions by the board members. For more information about Black Swans, see (Taleb 2007).

2.5. Getting Involved with Academia

Betty Simkins: How did you get involved with academia?

John Fraser: In 2002, Rob and I met with our Chair to discuss our ERM methodology and the Chair said that we had clearly shown that ERM works in practice, but “would we ever be able to show that it works in theory?” This question intrigued me ever since, and when the Chair, in discussion with the Dean of Business at Dalhousie University, recommended me as the keynote speaker for an upcoming conference in Denmark, I jumped at the chance.

After we met at this conference, Betty, you approached me in 2003 about co-authoring an academic article about ERM at Hydro One. This was my first venture into true academic writing. It has led to several other publications, including articles and books. Several of the articles and books have been mentioned in this interview.

In 2007, Professor Anette Mikes of Harvard University asked if she could do a case study on Hydro One’s ERM methodology. The management team agreed, and a series of interviews was completed and a very comprehensive case study published (see Mikes 2008). I was invited to Harvard to witness the first executive MBA class to discuss the case study in the summer of 2008.

In 2009, Professor Mikes approached us again to do a multi-media case study of Hydro One (see Mikes 2010). This visit included videotaping an actual executive risk workshop, as well as interviews with key executives, e.g., the CEO and the CFO. The video was very well done and has been used around the world to teach ERM. To my knowledge this was one of the very rare occasions where a university academic was able to witness a real-live risk workshop.

Betty Simkins: There has been significant increase in academic research on the topic of ERM in the past 10 years. There are two good literature review articles on ERM I wish to highlight: (Anton and Nucu 2020) and (Pagach and Pascanik 2021).

2.6. Reenergizing ERM

Betty Simkins: How and when did Rob later get involved in the ERM function again and what were the outcomes?

John Fraser: In 2011, I received approval to re-hire staff for the ERM function and Rob agreed to re-join me. There was a sense of new beginnings. Rob brought his usual enthusiasm and creativity to bear as we brainstormed on how we could take ERM to the next level. We knew that for many years we had been at the forefront but had done little that was new for several years. Rob came up with the concept of articulating risk appetite/risk attitude on a scale which was presented on a spider diagram for easy conversations. Rob then published this methodology in Corporate Risk Canada magazine (see Quail 2012) and expanded it as Chapter 23 in the 2nd edition of our book (see Quail 2021c).

Rob Quail: Until 2012, Hydro One had not developed the concept of risk appetite. We had detailed risk tolerances, which were really calibrated impact criteria based on the scorecard measure KPIs, but we had nothing that really connected the strategy at a high level to our willingness to take or avoid risk. Therefore, we developed criteria for describing our appetite for risk against each of the strategic objectives of the company. This was very much like the initial executive-team’s risk workshops of 12 years before, because again we had a new concept that had not been tried in quite this way. We developed and refined the process live with the CEO and executive team.

John Fraser: We also started using a ‘risk calendar’ which recorded events that were expected over the next several years. This was purely for reference to ensure these events were included in our risk discussions, e.g., government elections, union agreements. For more information on our use of risk calendars, see (Fraser and Simkins 2016).

Rob Quail: The idea of a risk calendar was really intended to solve a specific problem. In our risk assessments and interviews, it was a challenge to get participants to truly look out into the entire time horizon of the assessment; they were usually fixated on the coming year, or two years at most. What the risk calendar did was remind them of what was coming up over the entire 5-year horizon, and help overcome the “availability bias” associated with near-term, easily recalled events. For guidance on dealing with various biases in risk management, refer to (Quail 2021b).

John Fraser: Rob also started work on key risk indicators (KRI) and we held KRI sessions with the Executive Committee on a few risk areas. We made major refinements to Board reporting. For guidance on identifying and using KRIs, see Borovik et al. (2021). Around the beginning of 2011, I was thinking of retiring in a year or two and I had an excellent successor (Rob) in place. I went to the CEO and suggested the time was right to separate the audit and risk functions, which we did.

Rob then brought on board a staff member in 2012. Together, the ERM function was expanded and regained a high profile. The board asked for frequent updates at each board meeting, so I provided highlights of changes to key risks at each meeting where the full risk profile was not being presented. For more information on risk profiles, See (Fraser and Quail 2021).

Betty Simkins: Was the ERM function ever audited? If so, by whom and when, and what were the results?

John Fraser: In June 2011, the Corporate Governance Committee requested an external review be done of our ERM process. KPMG did a detailed review, with benchmarking against leading organizations, and their report dated 29 March 2012 concluded that Hydro One’s ERM was Excellent, as shown in Figure 2. The star shows that Hydro One is at the “Excellence” level.

“Excellence”–Risk management is seen as an organization-wide tool to address uncertainty, aid decision making at all levels, improve organizational performance, and enhance governance and accountability. Risk management is a demonstrated core value of the organization.

3. Final Words on ERM at Hydro One

Betty Simkins: So you moved on, John. What happened to the ERM function?

John Fraser: At the beginning of 2013, the new President reorganized his management team and transferred the risk function to the CFO who then delegated it to the Treasurer. Rob reported administratively to the Treasurer but functionally to the CFO.

In February 2014, there was a major problem with the newly implemented customer billing system and Rob was seconded to lead the team to fix the problems. He subsequently was appointed as the Vice President, Customer Service. In his absence, Maja Shkolnik, his staff member, took over and successfully ran the function until a new CRO, Frank D’Andrea, was appointed in 2015.

Betty Simkins: Rob, how did your experiences in the ERM function help in your career? I ask this in the interest of readers who may wonder what benefits may be gained for career advancement.

Rob Quail: My experience in ERM was a huge benefit to me when I was moved into my role as Vice President of Customer Service. As John mentioned, we were experiencing major problems with the new billing system which had cascading effects on all areas of customer service and hence the reputation of the company; we were on the front page of the Globe and Mail (Canada’s national newspaper), above the fold (i.e., the upper half of the front page), twice, and it was not a flattering story! Tens of thousands of customers had stopped receiving their electricity bills, some erroneous bills had gone out the door, and our call center and collections processes were overwhelmed. There was a myriad of problems to solve and many decisions to be made (most with incomplete information) to get the associated technology and business processes back on track as quickly as possible. My years as a risk manager really helped me manage through all this turmoil; I found myself falling back on the basic methodology we had taught decision makers to apply for the preceding 14 years. And it worked!

Betty Simkins: Thank you both for sharing this most interesting story about how ERM was implemented at Hydro One. Any last words?

John Fraser: I retired from Hydro One in May 2015, but my involvement with ERM was one of the most rewarding aspects of my career. I reported to the Presidents and was the longest serving member of the Executive Committee; I was heavily involved in the strategic decision-making processes at the highest level; I knew all about the myriad parts of the organization; and I dealt with the board and board committees, including running risk workshops with the full board. Not many CROs get this much opportunity to contribute to an organization’s success.

Rob Quail: Our success in getting ERM off the ground, and then getting it engrained into the culture of the company, was really the consequence of several things. First of all, we had the support of the executive team in the beginning, and throughout the years, despite several changes in leadership of the company, we were able to sustain ERM because we always had a “critical mass” of influential decision-makers who saw its value. That in turn really came from our “pull” strategy: from the very beginning, John and I wanted to position ERM as a service that decision-makers would seek, rather than something imposed on them as a mandatory corporate process from “on high.”

Second, we were able to demonstrate its value in helping solve some of the dominant challenges that the company faced though the years, and inject it into some of the key business and decision making processes in the company.

And third, I think the combination of John’s experience and steady hand, and my impatience and need to be forever reinventing things, made for a very effective team. This combination of styles allowed us to come up with effective tools and deal constructively with the inevitable resistance we encountered over the years.

Betty Simkins: John and Rob, thank you for your explanations and history on what you achieved at Hydro One. I hope this will be an inspiration to others on their journey with ERM and a useful resource for all of those interested in this developing methodology.

4. Conclusions

Enterprise risk management has become an accepted management methodology through much of the business world over the last two decades; however, while the objectives are generally agreed on, the low number of successful implementations has been disappointing with only 35% of organizations surveyed in the U.S. saying they had complete ERM in place (see Beasley et al. 2021). This recorded interview of two experienced practitioners, who achieved a successful and sustained implementation of ERM, serves as both a guide to other organizations seeking to implement ERM and as a basis for further research by academics in this field. This paper records the challenges, the tactics, the techniques and the processes followed that led to their success and provides references to other sources of guidance.