Building and maintaining a solid reputation is important for all types of organizations and it is especially important for utilities. With cyber and physical security being major topics for political conversation and subject to considerable media magnification after an event, it could be argued that protecting an energy company's reputation is the most significant risk management challenge that boards of director face today.Reputational risk is regarded as the greatest threat to a company's market value and standing in the community.
The reputation of a utility is built over time and determined, in large part, by how well several core commitments are met, including delivering reliable, safe, and least cost power to customers while meeting and exceeding the financial (cost and revenue) expectations of a variety of stakeholders.
Today, stakeholder perceptions around emerging strategic factors, such as physical and cybersecurity, are increasingly impacting a utilities' reputation. Recent data breaches affecting major retailers, financial institutions, and other high-profile companies, vividly illustrate the realities that organizations of all types face risks that can suddenly propel them into global headlines, creating complex enterprise-wide risk events that threaten reputation and brand.
Traditionally, a utility's reputation is judged based off of a few public interactions. Operationally speaking, reputation is impacted by:
- Unplanned and/or extended outages. Questions surrounding storm restoration and other asset outages and the subsequent public examination.
- Aging infrastructure. Risks of asset operational failure and the associated cost of asset replacement and ongoing asset safety. The public may see a utility's justification for a "rate hike" and be annoyed at the request.
- Regulatory and political forces. Focused and engaged groups that provide key approvals (compliance) or boisterous disapproval for utility operations.
- Life safety. Life safety risks involves personal injury or death.
Today, with security being a major reliability focal point at the North American Electric Reliability Corporation (NERC) and the Federal Energy Regulatory Commission (FERC), utilities cannot afford to highlight themselves and be the subject of a NERC Critical Infrastructure Protection (CIP) investigation or see their case played out in the court of public (or industry) opinion. Recent grid security events highlight the need to include security as a data point in a company's risk evaluation.
As we have seen from the Pacific Gas and Electric (PG&E) Metcalf substation shooting on April 16, 2013, we must add infrastructure and personnel security to the list above. PG&E, to their deserved credit, was openly transparent from the start and cooperated with law enforcement and federal officials, however, this event thrusted them into both local and national media stories.
Years have now passed and we can see that this event was the genesis for a new NERC physical security standard and renewed interest in protecting critical substations. It's difficult to predict the next major attack, or the enemy's future methods, but we must start to realize that these events will likely adversely impact reputational risk on a utility and the sector at-large.
Sign up for CIO Asia eNewsletters.