Enterprise Risk Management

PG&E’s enterprise-level risks span the spectrum of business risks and include those associated with energy commodities, operations, natural hazards, political and regulatory issues, the economy and the environment.

PG&E’s Enterprise Risk Management (ERM) program takes a holistic approach to managing risks that face our business, with the hub of the program overseen by the company’s Chief Risk and Audit Officer (CRO).

For potentially catastrophic risks, cross-functional teams, guided by subject matter experts and experienced managers, follow a systematic method to identify the risks, evaluate the likelihood and severity of consequences as well as the adequacy of controls, and monitor ongoing risk management activity. Oversight by senior officers helps ensure risk management activities are consistent with the company’s overall corporate strategy. Regular communication to the PG&E Corporation and Utility Boards of Directors enhances accountability and reinforces the importance of risk management at all levels of the company.



Risk Management at PG&E

PG&E manages risk throughout the enterprise, with all the various risk management elements coming together with the CRO. We use internal auditing as a tool to monitor and strengthen the controls environment of the enterprise, and to inform the CRO and senior management of the effectiveness of these programs.

  1. Enterprise Risk Management includes activities that manage risks that could have a potentially catastrophic financial or reputational impact on the enterprise.
  2. Physical Risk Management includes security and access control, theft prevention, fire prevention and management of risks associated with our physical plant.
  3. Operations Risk Management includes management of those risks with day-to-day impact on operations, including health and safety protection for our employees and the public, supply chain management, fleet management and procedures and policies associated with how work is done.
  4. Compliance Risk Management includes all programs designed to comply with the myriad regulatory requirements to which PG&E is subject.
  5. Market and Credit Risk Management includes activities that monitor and manage PG&E's exposure to risks associated with PG&E's energy portfolio, including trading in energy commodities, financial hedging and counterparty risk.

ERM: A Sustainable Process

The ERM program at PG&E is cyclic; we identify and evaluate the top risks facing the company every two to three years. In this way, senior management has a periodic opportunity to evaluate the most significant concerns facing PG&E and can calibrate the program with challenges in the current business environment and external stressors that potentially affect operations.

The program also has a mechanism to introduce new risks mid-cycle, if a new risk emerges in the business environment that requires immediate attention. We follow a "bottom-up, top-down" approach to identifying risks, with technical staff and managers at the business-unit level participating in a risk identification and characterization process. We subsequently review the identified risks, add further risks if necessary to address senior management concerns, prioritize them for analysis and assign them to specific officer-owners. Beginning in 2009, we evaluated the risks identified in the process cycle that started at the end of 2008, and we are presenting and acting upon these risks during 2010. Each iteration of the ERM process improves the understanding of the risks facing PG&E and allows management to make better-informed, risk-based decisions.

A Spectrum of Risks

PG&E's enterprise-level risks span the spectrum of business risks and include those associated with energy commodities, operations, natural hazards, political and regulatory issues, the economy and the environment. We have developed risk assessments and mitigation plans to enhance how PG&E addresses risks. We continue to refine and improve these assessments and plans by taking into account changing market, regulatory and other forces. Additionally, many of the risk management plans include engaging with external stakeholders who influence the company's ability to manage these risks successfully.

Evolution of a Risk Analysis

A recent example is how we are managing the risk of a pandemic impacting PG&E's ability to operate its facilities and provide service. At the inception of the ERM program, senior management raised concern over the company's preparedness for a pandemic. When this scenario was first considered in 2006, a cross-functional team envisioned sustained, high absenteeism due to employees being ill, fear of becoming infected and the need to care for family members. The scenario also considered supply chain disruptions, public health directives that could impact operations (such as school and office closures) and other factors that could prevent PG&E from serving its customers.

Using the ERM process, the team developed a comprehensive pandemic risk management plan with the twin goals of sustaining electric and gas service and protecting the health of our employees. We ultimately integrated the plan with PG&E's business continuity plan, and undertook a number of activities to improve PG&E's readiness.

In 2009, with public health agencies expressing concern over the threat of the H1N1 virus, PG&E implemented components of its pandemic preparedness plan. While the H1N1 pandemic that ensued has not had the devastating societal impact anticipated, compared to other historic pandemics, PG&E is using the experience to enhance the pandemic plan and to identify areas where further testing and preparedness would be beneficial. We are also applying lessons learned from the response to the 2009 pandemic to enhance other aspects of PG&E's business continuity plan.