Risk Management at PG&E

A Spectrum of Risks

PG&E manages risk throughout the enterprise:

1. Enterprise Risk Management includes activities that manage risks that could have a potentially catastrophic impact on public safety or the company’s financial or reputational condition.
2. Physical Risk Management includes security and access control, theft prevention, fire prevention and management of risks associated with our physical plant.
3. Compliance Risk Management includes all programs designed to comply with the myriad regulatory requirements to which PG&E is subject.
4. Market and Credit Risk Management includes activities that monitor and manage PG&E’s exposure to risks associated with PG&E’s energy portfolio, including trading in energy commodities, financial hedging and counterparty risk.

Board Oversight

As part of their oversight functions, the PG&E Corporation and Utility Boards of Directors generally oversee the company’s risk management policies and programs, and allocate certain specific oversight responsibilities to Board committees, consistent with the substantive scope of each committee’s charter.

The allocation of Board-level risk oversight responsibility is based on legal requirements and internal governance standards. The Audit Committee in particular advises and assists the Boards with the guidelines and policies for managing and assessing major risks and with the review of processes used by other committees of the Boards to monitor and control major financial risk exposures. The Finance Committee approves our annual energy risk management program and reviews it every quarter, and also reviews the company’s enterprise risks. For a full description of Board committee oversight responsibilities, please see PG&E Corporation’s and Pacific Gas and Electric Company’s 2010 Joint Proxy statement.

Executive Oversight

PG&E’s Chief Risk and Audit Officer (CRAO) is responsible for leading the company’s enterprise risk management, internal audit, compliance and ethics, market and credit risk management, insurance, business continuity and corporate security functions. The CRAO functionally reports to the Audit Committee of the PG&E Corporation and Utility Boards, which advise the full Boards on the guidelines and policies for managing and assessing major risks.

The CRAO also chairs PG&E’s Risk Policy Committee, which includes the Chairman, CEO and President of PG&E Corporation; the President of Pacific Gas and Electric Company; the Senior Vice President (SVP) of Energy Supply and Chief Nuclear Officer; the SVP and Chief Financial Officer; the SVP and General Counsel and the SVP of Corporate Affairs. This executive committee is responsible for adopting and approving energy price and credit risk management policies and adopting and approving overall risk exposure limits.

The SVP of Energy Procurement is responsible for managing the company’s risk exposure related to energy procurement, including energy commodities and derivatives. The Finance Committees of PG&E’s Boards regularly review the strategies developed to manage this set of risks, and the Audit Committees review the processes used by the Finance Committees to monitor and control major financial risk exposures.

PG&E manages operational risk at the EVP or SVP level for each line of business. In addition, PG&E manages operational risk through the CRAO’s internal audit program, which regularly monitors and strengthens the controls environment of the company and informs the CRAO and senior management of the effectiveness of their operational risk management programs.

Enterprise Risk Management

PG&E’s enterprise-level risks span the spectrum of business risks and include those associated with energy commodities, operations, natural hazards, political and regulatory issues, public safety, the economy and the environment.

PG&E’s Enterprise Risk Management (ERM) program, which is administered by the CRAO, takes a holistic approach to managing these risks. For potentially catastrophic risks, cross-functional teams, guided by subject matter experts and experienced managers, follow a systematic method to identify the risks, evaluate the likelihood and severity of consequences as well as develop mitigation activities and controls.

Oversight by senior officers helps ensure risk management activities are consistent with the company’s overall corporate strategy. Regular communication to the PG&E Corporation and Utility Boards of Directors enhances accountability and reinforces the importance of risk management at all levels of the company.

The ERM program at PG&E is cyclic; we identify and evaluate the top risks facing the company every two to three years. In this way, senior management has a periodic opportunity to evaluate the most significant concerns facing PG&E and can calibrate the program with challenges in the current business environment and external stressors that potentially affect operations.

The program also has a mechanism to introduce new risks mid-cycle, if a new risk emerges in the business environment that requires immediate attention. We follow a “bottom-up, top-down” approach to identifying risks, with technical staff and managers at the business-unit level participating in a risk identification and characterization process. We subsequently review the identified risks, add additional risks if necessary to address senior management concerns, prioritize them for analysis and assign them to specific officer-owners. Each iteration of the ERM process improves the understanding of the risks facing PG&E and allows management to make better informed risk-based decisions.

Internal Audit: An Important Tool in Managing Risk

Our Internal Auditing program provides independent, objective assurance over the adequacy of processes and controls to manage business risk and provide control advisory services. The program follows a standardized, disciplined approach to help management evaluate and improve the effectiveness of risk management, control and governance processes.

To carry out its work, our Internal Auditing program annually designs a plan—in conjunction with business leaders—that focuses audit attention on high-risk areas. Through its work, Internal Audit assesses, monitors and reports on the adequacy of internal controls in areas such as energy procurement, information technology, energy delivery, customer care and capital projects. The Audit Committees of the PG&E Corporation and Utility Boards receive periodic reports on audits conducted and progress in implementing the annual audit plan and on changes made to the audit plan.