
GUIDELINES ON ESTABLISHING A RISK
MANAGEMENT FRAMEWORK AND POLICY

Committee of Chief Risk Officers

February 18, 2005

THE COMMITTEE OF CHIEF RISK OFFICERS (“CCRO”) GRANTS USERS A REVOCABLE,
LIMITED, NON-EXCLUSIVE, NON-SUBLICENSEABLE, NON-TRANSFERABLE LICENSE TO
REPRODUCE THIS DOCUMENT SOLELY FOR INTERNAL, NON-COMMERCIAL AND
EDUCATIONAL PURPOSES. ALL OTHER RIGHTS ARE RESERVED BY THE CCRO. WITHOUT
LIMITING THE FOREGOING, THE CCRO DOES NOT CONSENT TO THE REPRODUCTION OF
ANY OF ITS DOCUMENTS FOR PURPOSES OF PUBLIC DISTRIBUTION, SALE OR ANY OTHER
COMMERCIAL USAGE. ATTRIBUTION TO THE CCRO, AS THE COPYRIGHT OWNER, IS
REQUIRED IN ALL CASES.


TABLE OF CONTENTS

I INTRODUCTION ........................................................ 3
II FIRMWIDE RISK MANAGEMENT POLICY COMPONENTS ......................... 4
2.1 Scope, Objectives and Purpose ..................................... 4
2.2 Discussion of Management Philosophy ............................... 5
2.3 Identifying Risks ................................................. 6
2.3.1 Market Risk ..................................................... 6
2.3.2 Reliance or Credit Risk ......................................... 6
2.3.3 Operative Risk .................................................. 7
2.3.4 Business Risk ................................................... 7
2.4 Governance and Organizational Structure ........................... 7
2.4.1 Governance - Committee Architecture ............................. 8
2.4.2 Governance – Regulated and Non-Regulated Entities Within a Firm . 9
2.4.3 Risk Management - Organizational Structure ...................... 9
2.4.4 Organizational Risk Management Structure and other Company Functions ... 10
2.5 Enterprise Risk Management ........................................ 11
III BUSINESS UNIT RISK MANAGEMENT POLICY COMPONENTS ................... 11
3.1 Introduction ...................................................... 11
3.2 Risk Measurement .................................................. 12
3.2.1 Enterprise Risk Metrics ......................................... 13
3.3 Risk Limits and Guidelines ........................................ 13
3.4 Risk Analysis and Reporting ....................................... 15
3.5 Risk Management and Commercial Decision Making .................... 15
3.6 Remedial Actions .................................................. 16
IV CONCLUSION ......................................................... 17
APPENDIX A – BEST PRACTICE BIBLIOGRAPHY ............................... 18
APPENDIX B – RISK COMMITTEE CHARACTERISTICS ........................... 29
APPENDIX C – RISK COMMITTEE STRUCTURES ................................ 30
APPENDIX D – RISK MANAGEMENT STRUCTURES WITHIN ORGANIZATIONS .......... 32


I INTRODUCTION
The increased relevance of an energy company’s risk management policy and the importance of
deriving such policies directly from risk tolerance as defined by the Board of Directors (“BOD”), or by
senior management as delegated by the BOD, requires companies to either revisit their current risk
management policies or develop a formal risk management framework and policy. Energy firms
should have a formal commitment to and cultural understanding of risk management across the
organization. The risk management framework and policy should provide: (1) for the delegation of
the appropriate authority to management to manage risk, (2) the corresponding criteria to manage
risk within the firm, including risk tolerances, (3) a clear segregation of responsibilities around analysis
and management of risks, and (4) a delineation of the communication channels needed to report risk
management issues and concerns to appropriate levels in the Company. The formal risk
management policy should address both effective communication of risk and specific compliance
requirements for each energy company.
The Committee of Chief Risk Officers (CCRO) was formed in an effort to compile risk management
best practices for companies participating in energy markets. The CCRO is composed of Chief Risk
Officers from leading companies that are active in both the physical and financial energy markets.
The CCRO is committed to opening channels of communication and establishing best practices for
risk management in the industry.
This position paper strives to address the necessary components of an effective energy risk
management policy document without providing a “how to manual” level of detail that would be
more typical of a CCRO white paper. It identifies best practices in risk management, recognizing that
not every practice can be incorporated into a company’s unique risk management framework. This
paper strives to provide a “roadmap” for developing an effective risk management policy that
identifies the distinctive elements as they relate to the different segments of the industry. This paper
allows flexibility incorporating such components within a company’s formal risk management policy
documentation – it is not in the scope to advocate an appropriate number or hierarchy of risk
management policy documents within a firm. For example, companies may have both corporate and
business unit risk management policies as well as separate risk management policies for different risk
categories such as market and credit risk. In addition, companies may decide to address certain risk
management issues in other corporate policies. The purpose of this position paper is to identify the
types of risk management issues that should be addressed and not dictate the ultimate policy
document.
CCRO documents are referenced within the body of this paper and also in a bibliography, including
abstracts, contained in Appendix A.
Again, the objective of this paper is to provide a components checklist or “roadmap” necessary for
the development of an effective energy risk management policy. Specifying the operating steps
necessary at each level of the organization to implement the policy -- procedures and processes -- is
not part of the scope. Notwithstanding this paper’s focus, it is recognized that many firms elect to
include procedural content within their risk management policy – that is a valid method to organize
and communicate both policy and procedures within a company.

This paper is organized into two primary sections: a firmwide section that addresses the global
components that should be universal to any risk management policy, and a business unit section that
focuses on the risk management policy components where the specific elements are driven by the
type of business that is being addressed. As an example, governance issues such as risk management
committee architecture, middle office independence, etc. are global in nature and are included within
the firmwide section. Conversely, risk measurement, while certainly a necessary component in any
risk management policy document, has elements that are very distinctive to the type of business in
which risk is being measured; therefore it is contained in the business unit section.



II FIRMWIDE RISK MANAGEMENT POLICY COMPONENTS
This section focuses on those components of a risk management policy that contain elements that are
universal to the firm’s business operations. The “roadmap” for developing and identifying the
components of a firmwide risk management policy is highlighted in the following sections.
2.1 Scope, Objectives and Purpose
A risk management policy should start with a scope, objectives, and purpose section. While
the scope should define the applicability of the policy document within the organization, the
objectives and purpose of the policy document should center on the need to develop a
framework for risk management that addresses the following:


• Senior management’s commitment to an effective risk management function[1] to
ensure appropriate management and oversight of the company’s risks.
• The development of an effective risk management function that identifies the
process for establishing authorities and responsibilities (governance) and rules
and guidelines (protocols) that will identify, measure, monitor and manage
those risks that impact the company’s performance objectives.

• Clearly tying governance and protocols to the risk appetite defined by senior
management and/or the BOD and to the appropriate best practices, some of
which can be found in Appendix A.
• Distinctly setting out independence between the commercial and non-commercial
responsibilities within the company.
• The need to keep the BOD and executives aware of the risk exposures of the
company and to ensure that the disclosure of significant risks is not at the
discretion of senior management.
• Consistent application of practices to ensure accurate and consistent measuring
and monitoring of value and risk.
• Creating a living document that is revised as methods and approaches in risk
management improve and/or management philosophy towards risk tolerance
changes.

2.2 Discussion of Management Philosophy
This section should provide a high level overview of the company’s commercial activities and
strategies including:


• Statement that correlates the company’s tolerance for risk with its business
strategies and the willingness to undertake certain risks to achieve its financial
objectives.[2] Formal recognition of a company’s tolerance for risk may be
articulated in a number of ways, including:
o A minimum earnings or cash flow level the company is willing to accept.
o A minimum acceptable credit rating.
o Limits or targets on variability measures around the firm’s financial
performance – for example: Value at Risk, Earnings at Risk, Cash Flow at
Risk, Power Supply Cost at Risk, Rate Volatility (public power,
cooperatives, municipalities), etc.
[1] Managing risk covers the acceptance and management of risk as well as the elimination or mitigation of risk.


The company’s strategies and activities must be consistent with its tolerance for risk in order
for the BOD to approve the risk management policy.
It is recognized that a company’s business strategy, in terms of the detail contained within this
section, may be dynamic in nature and change over the course of time. Therefore, it may be
more appropriate for a company to address only the most generic aspects of its business
strategy within this section. Further details may be contained within other parts of its risk
management policy that are more easily amended, such as in the appendices.
2.3 Identifying Risks
This section should define and identify the types of risks and how each contributes to the level
of uncertainty around the company’s financial performance. Typical risk categories along
with high level definitions are as follows:
2.3.1 Market Risk is generally defined as the impact of price movements in energy,
foreign exchange, interest rates, etc. on the financial performance of the company.
2.3.2 Reliance or Credit Risk is the risk of loss caused by a counterparty not
fulfilling its obligations.
[2] A firm’s financial objectives include the ability for the company to create economic value and to possess adequate financial
liquidity to meet its ongoing obligations.


2.3.3 Operative Risk includes the following:
o Operational risk - The risk of direct or indirect loss resulting from
inadequate or failed internal processes, people, and systems or from
external events.
o Operations risk - The risks associated with physical assets or delivery of
energy commodities.

2.3.4 Business Risk is the risk surrounding the uncertainty in the business
environment in which a company conducts its operations. Examples include:
o Changes in the regulatory environment.
o Competitor landscape and substitution of products/services.
o Shifts in the supply/demand for products/services.
o Reputation damage (Headline Risk).
o Business continuity risk, i.e. maintaining the integrity of the business in the
event of a disruption.
o Security risk.

These are broad risk areas. Depending upon the business operations, there may be more
detailed classifications of risk within each category. For example, other risks such as
volumetric risk, liquidity risk, performance risk, instrument suitability risk and other risks
may play a large role in certain energy businesses.
It is difficult to quantify the impact of each and every risk on a firm’s financial performance,
particularly certain aspects of operative risk and most areas of business risk. In these cases,
there are numerous qualitative techniques to address the impact of these risks such as using a
risk matrix or a scorecard approach. These methods are defined in more detail in the
upcoming CCRO white paper on Enterprise Risk Metrics.
2.4 Governance and Organizational Structure


A risk management policy emanates from the highest level of an organization, at the BOD. A
clear path for managing risk starts at the BOD and senior management. The BOD and senior
management’s roles should include:

• Being a major advocate of risk management within the organization.
• Being aware of, understanding, and supporting risk management activities across
the organization.
• Approval of major strategies and associated risks the organization will take
within the approved risk tolerance of the firm.
• Delegating the authority for managing these risks through a formal committee
structure or delegation policy.

2.4.1 Governance - Committee Architecture
There should be a structure in place which ensures the risk management function is
ultimately accountable to the BOD through the company’s Audit Committee or other
appropriate means. Audit Committees are now charged with more responsibilities in
the areas of risk assessment and risk management. Recent mandates from the SEC,
NYSE, NASDAQ, and other key stakeholders, address these responsibilities (see
Appendix A).
A risk management committee structure provides a level of transparency and shared
accountability within an organization that allows more effective oversight of risk
issues. There may be a single risk committee within an organization or many
committees specific to each business unit, depending on the size of the firm and the
complexity of the risk management issues facing it.
Elements of a risk management committee structure should include the following:
o Authority - including a level of risk management and control
commensurate with best practices prior to engaging in certain
commercial activities.
o Membership – specific members and titles across the organization, with an
independent risk management officer leading each committee.
o General Duties – a variety of duties including independent monitoring and
reporting of risk.



These elements may be included within the risk management policy or by referencing
the charter document of each risk management committee. It is helpful to include
diagrams within this section of the risk management policy that help the reader
visualize the committee structure within the firm.
Appendix B provides more detail in the areas of membership, authorities and duties for
risk management committees as well as specific attributes of successful risk
management committees.
2.4.2 Governance – Regulated and Non-Regulated Entities Within a Firm
As energy companies attempt to implement enhanced disclosures of risk management
positions, there is a growing need for organizations to ensure compliance with
applicable rules and regulations that govern the activities of the regulated and
non-regulated operations. As risk management organizations become increasingly
embedded in regulated and non-regulated business units, as well as remaining within
corporate staff, procedures must be in place to ensure that intra-company activities
comply with regulatory requirements. Nonetheless, it is clear that risk oversight needs
to encompass all of the organization.
Appendix C provides some examples of current risk management committee structures
within organizations including those that have both regulated and non-regulated
entities.
2.4.3 Risk Management - Organizational Structure
This section should include the organizational structure of the risk management groups
within the company. Additionally, roles and responsibilities for these groups also
should be addressed in this section. Attention should be given to the following:


o Hierarchy and responsibilities between corporate and business unit risk
management groups.
o Framework of risk management groups within the business unit
infrastructure.


2.4.4 Organizational Risk Management Structure and other Company Functions
Many of the responsibilities associated with other functional areas within the company
have an impact on the risks faced by the company. Therefore, the risk management
function, both through the governance (committee) and organizational structure, must
relate to traditional company functions such as:
o Treasury
o Legal/Regulatory
o Accounting – Controller
o Information Technology
o Internal Audit/Compliance
o Credit
o Operations
o Strategic Planning
o Security
o Business Continuity Planning

This section should address the roles and responsibilities of these groups within the risk
management function. In most cases, the risks relating to these functions are identified,
monitored, reported and controlled by a risk management group(s); however, some
companies may employ a structure whereby the respective functions are responsible for their
own risk management. Nonetheless, best practices in risk management should apply across
the entire organization and not be contingent upon where these risks ultimately are managed.


Appendix D includes examples of different organizational structures that relate risk
management and other functions within companies. The area of compliance and its
congruence with risk management is a developing issue within the energy industry. The
upcoming Governance and Compliance CCRO white paper will provide more direction in this
area.
2.5 Enterprise Risk Management

The building blocks of risk management within a firm most often start with identifying,
measuring, monitoring, and managing risks within risk categories or “silos”. The next level of
risk management moves beyond this silo approach to managing risks on an enterprise-wide
basis. Enterprise Risk Management (ERM) integrates multiple risks (market, credit, operative,
business) across multiple regions or business units, commodities and timeframes. Assessing
risks on an enterprise basis is no longer an option for most companies; Sarbanes-Oxley, the
NYSE, NASDAQ, the SEC and the Commission of Sponsoring Organizations of the Treadway
Commission (COSO) all have made it clear that an enterprise view of risk is a necessity for
most firms and ultimately should be the responsibility of the BOD’s Audit Committee
(Appendix A). Although it is appropriate to continue to manage risks within a silo approach
at some operational levels of an organization, most multi-business concerns will need to
address rolling risks up to the enterprise level. Integrated enterprise risk management should
be included within the risk management policy’s scope, objectives and purpose and be
addressed in the governance and risk management organizational structure and other sections
of the risk management policy.
The Committee of Chief Risk Officers Enterprise Risk Metrics white paper provides more
detail in the area of ERM (Appendix A).

III BUSINESS UNIT RISK MANAGEMENT POLICY COMPONENTS
3.1 Introduction
This section focuses on those components of a risk management policy that contain elements
specific to the firm’s business operations. For example, pure trading entities will measure and
report risk differently than a fully regulated entity. Furthermore, while some firms will
manage risk primarily around shorter term market risk measures, others are more focused on
asset investments and the impact of longer term movements of energy prices as well as
operative and business risk issues. For regulated utilities and consumer-owned cooperatives,
the extent of the regulatory cost recovery process or the risk tolerance toward rate variability
dictates where the emphasis should reside in their management of risk. Previous CCRO work
has addressed managing risk across varying lines of business (referenced later in this Section
and in Appendix A). Therefore, for each company’s risk management policy, the distinctive

detail relative to the components within this section should be consistent with this prior CCRO
work.


3.2 Risk Measurement
The potential for adverse conditions introduces uncertainty around a company’s financial
performance by impacting its ability to create economic value over time and to possess
adequate liquidity to meet its obligations. This section should focus on measuring this
uncertainty or risk by identifying, modeling and valuing the various components that have the
potential to affect a company’s financial performance. Although financial performance is
traditionally associated with a company’s reported GAAP results, several accounting rules,
most notably the discrepancy between mark-to-market and accrual transactions and the
various hedge accounting guidelines that are in place, may serve to distort accounting results
from economic performance. This section should also address the potential for accounting
and economic inconsistencies within the organization and reiterate that risk measures will be
aligned with the ability of the firm to add economic value and possess financial liquidity.[3]
Methodologies to measure risk and the specific metrics that relate to each risk category have
been evolving within the energy industry, particularly in the area of applying relevant
methodologies and metrics to the different business operations. As mentioned before, the
CCRO has been at the forefront of this effort and specifically addresses these methodologies
and measures in its Valuation and Risk Metrics, Credit Risk Management, and Emerging
Practices in Assessing Capital Adequacy white papers (Appendix A). The risk measurement
section of the risk management policy should be organized around the risk categories (market,
credit, operative, business) and include detail on the specific methodologies and appropriate
measures for each risk category, while being consistent with previous CCRO work.
[3] As an example, companies should measure the risks associated with both their accrual and mark-to-market books.



For many companies in the energy industry, business and operative risk have the largest
potential impact on financial performance. The lack of quantitative measures and controls in
these areas makes it difficult to employ traditional risk management protocols. Nonetheless,
these “qualitative” risks should still be identified, monitored, reported and, whenever strategy
dictates and it is cost-effective, mitigated. Furthermore, the Department of Homeland Security
looks at the Energy and Utility sector as part of the critical national infrastructure; this new
emphasis on business continuity reinforces the importance of identifying, monitoring and
reporting all risks (Appendix A).
3.2.1 Enterprise Risk Metrics
Whereas risk control objectives dictate the management of risk at the risk category or
silo level, the next stage in the risk continuum is measuring risk across the enterprise.
Enterprise risk measures involve more robust methodologies and are centered on
achieving optimal capital allocation through maximizing the risk adjusted return of the
enterprise portfolio. This section should address the specific methodologies and
metrics in the area of enterprise risk and should be consistent with the Committee of
Chief Risk Officers Emerging Practices in Assessing Capital Adequacy and Enterprise
Risk Metrics white papers (Appendix A).
3.3 Risk Limits and Guidelines
This section should highlight the limits enforced within the organization. Limits should be
consistent with the measures detailed in the risk measurement section above and may also
include other parameters including confining activities to certain instrument types,
commodities, volumetric limits, geographic markets, and tenors. Ultimately, the limit
structure should be derived from the company’s risk tolerance level and business strategies.
Attributes of a limit structure should include the following:
• Volumetric limits, dollar-transaction limits, stop-loss limits, VaR limits, and
authority limits, among others, provide a useful set of limits that capture the
measurable and subjective dimensions that define risk tolerance in the context
of a company’s risks.

• Market risk limits should be consistent with the company’s measures of market
risk; however, not all business activities will have market risk limits. For
example, although a physical energy asset’s performance may be dependent
upon market price movements, there may be no distinct market risk limit
structure that, when breached, would force a sale of the asset.
• There may be different levels of market risk limits for cross-sections of the
business operations. For example, the total trading portfolio VaR may be
$25MM while the fixed price desk might be $10MM.
• CFaR limits and tolerances, or other measures of liquidity required to support the
business, should be established for all commodity based businesses regardless
of whether or not they trade.
• Guidelines may take the form of implementing hedging strategies across business
operations when certain parameters (prices) are met.
• For regulated entities, limits may be developed around the uncertainty associated
with rate structures being approved by regulatory bodies.
• For self regulated non-profit load serving entities, limits may be developed
around the uncertainty associated with power supply cost (or rate) variability or
overall margin variability. Additional limits might relate to the potential to


violate financial covenants, the non-profits’ tax-exempt status, or other financial
measures.
• Credit limits should be specific to each counterparty and be determined by the
counterparty’s creditworthiness. Additionally, counterparty limits should be
aggregated in order to apply a portfolio type credit exposure limit.
• The limit structure should include a reference to an “Authorization to Transact”
appendix that specifically defines the authorized instruments, commodities,
geographic regions, types of markets, and tenors.




• Limit breaches and policy violations should be addressed, along with specific
remedial actions. More information is provided below in Section 3.6 Remedial
Actions.

3.4 Risk Analysis and Reporting
Consistent with best practices, the independent risk management function is responsible
for identifying, analyzing, monitoring, reporting and in some companies managing risk.
This role includes:
o Stress testing, scenario and sensitivity analysis.
o Backtesting models and valuation methodologies.
o Assessment and Reporting.
o Capturing risk and maintaining risk inventories.

Details on these areas, including the parameters for analyzing risk and
the content and structure of reports should be included within this
section. Reports should be consistent with a company’s disclosure
requirements (both externally and from an internal perspective). More
detail in this area is contained in the CCRO’s Disclosure white paper
(Appendix A).
3.5 Risk Management and Commercial Decision Making
As mentioned above, a company’s risk management policy entails managing risk through the
identification, measuring, monitoring, and controlling of risks that impact the firm’s financial
performance. Risk management may initially concentrate on controlling these risks through the
silo management of risks. However, as silo risk management broadens into an enterprise wide
approach, risk management expands its role by impacting the firm’s commercial decisions as
follows:
• The identification and measurement of risks inherent in commercial opportunities and
the obligation to bring this information forward for evaluation in capital allocation
decisions.
• The ongoing evaluation and measurement of risk-adjusted performance.
• The impact of risk limits and potential limit breaches on commercial decisions.


The risk management policy document should be clear in linking effective risk management with
successful commercial decision making. Within the context of the above, the risk management policy
should address the following:
• The threshold level whereby formal risk management analysis is required prior to a
commercial decision being made. The upcoming CCRO white paper on Governance
and Compliance will address oversight in the context of the investment and large
transaction decisions within a firm.
• Specific methodologies and metrics for evaluation of commercial opportunities and
ongoing performance evaluation. The CCRO’s Valuation and Emerging Practices in
Assessing Capital Adequacy (Appendix A) white papers and soon to be released work
covering Enterprise Risk Metrics specifically address these areas.

It is important to delineate risk management in the context of commercial decisions. Although risk
management entails the identification, measurement, monitoring, and controlling of risks throughout the
organization, this does not imply that the risk manager necessarily makes or carries out commercial
decisions. The risk management policy should be clear in separating the role of the risk management
function and the commercial function in this respect.
3.6 Remedial Actions
A company’s risk management policy document should specifically define potential
mitigating actions and repercussions that will occur when risk management limits and policies
are violated. This includes defining the roles and responsibilities of the risk management
function and the commercial operation around reviewing the breach, and determining
remedial actions and sanctions. Individual employees also have a role to play. It is their
responsibility to ensure they understand the company’s risk management policy and limit
structure, and their role in compliance. Clear understanding of their responsibility should be
demonstrated by an annual written attestation. Limit and policy violations due to compliance
failures may result in more severe sanctions than those due to adverse market movements.


The issue of whether or not limits can be overridden should also be addressed. The ability for
members of the company to override limits should be defined, including the corresponding
roles and responsibilities that both the independent risk function (middle office) and
commercial operations (front office) have when limits are overridden.

IV CONCLUSION
A company’s risk management policy document takes on much more importance in the
current environment. The Board of Directors and the Audit Committee have a regulatory
responsibility to understand “...guidelines and policies to govern the process by which this
(risk) is handled,”[4] and “...should adopt a written mandate in which it explicitly assumes
responsibility for the stewardship of the issuer, including responsibility for... identifying the
principal risks of the issuer's business, and ensuring the implementation of appropriate
systems to manage these risks.”[5]

With the increased scrutiny of the energy industry, particularly the merchant energy sector, it
is vital that the risk management policy document be both an effective communication tool
and a compliance instrument. This has led many energy companies to revise their existing
risk policies or to start anew in developing a risk management policy document. This position
paper highlights traditional best practice themes in energy risk management policy while also
addressing emerging issues and other areas which warrant increased attention in today’s
energy environment. While this paper is not a “how to” manual, it provides a checklist,
addressing the necessary components of an effective risk management policy document for
the energy industry.

[4] New York Stock Exchange (NYSE). “Listed Company Manual.” Last updated November 2003.
[5] Ontario Securities Commission (OSC). Proposed Multilateral Policy 58-201: Effective Corporate Governance. October 2004.


Appendix A – Best Practice Bibliography
File Name: det-guide-1203.pdf
Bibliographic Entry: Deloitte & Touche LLP. “A Guide to Enhanced Corporate Governance and
Financial Reporting in the Energy and Utility Industry.” Prepared for Edison Electric. December 2003.
73 pages. (www.deloitte.com)
Abstract: A guide designed to clarify new and emerging financial accounting and corporate
governance requirements and their applicability to the energy and utilities industry. It is intended to
be a resource document for corporate executives and board of directors to improve corporate
governance and investor confidence in the industry. Topics covered include sections 302 and 404 of
Sarbanes-Oxley, Internal Control-Integrated Framework adopted by COSO and current practices,
including lessons learned, in corporate governance for the industry. The audit committee charter,
auditor independence, whistleblower procedures, code of ethics, control certifications, auditor fees,
and determination of audit committee financial expert are covered. Mention is also made of the
pending Public Accounting Oversight Board (PAOB) auditing standard for section 404 of
Sarbanes-Oxley. Appendix A of the guide is an audit committee checklist for new Nasdaq, NYSE, and
Sarbanes-Oxley requirements.
File Name: det-ferc-0704.pdf
Bibliographic Entry: Deloitte & Touche LLP. “FERC adopts new financial reporting requirements.”
US Energy Insights. Newsletter. July 2004. 2 pages. (www.deloitte.com)
Abstract: A monthly newsletter for Deloitte’s Energy & Resources group, this edition addresses new
financial reporting requirements adopted in February of 2004 by the Federal Energy Regulatory
Committee (FERC). The new reporting requirements and required forms raise questions of cost and
benefit, particularly in light of accelerated filing requirements of Sarbanes-Oxley. Unresolved is an
issue regarding subsidiary firms using the consolidated footnotes from the parent company’s 10-K on
FERC forms no. 1 and 2 and the new forms no. 3-Q and 6-Q. Deloitte notes that complying with the
new requirements, “will likely require changes for companies in areas such as
organization/management structure, reporting lines, roles and responsibilities, and information
security.” Compliance overlap with Sarbanes-Oxley section 404 is expected.
File Name: det-intaudit-1102.pdf
Bibliographic Entry: Deloitte & Touche LLP. “The Transforming Role of Internal Audit in the Energy
Industry.” Internal Audit Directors Forum. Chicago. November 22, 2002. 22 pages.
(www.deloitte.com)
Abstract: A report of findings and discussions from the November 22, 2002 forum for directors of
internal audit in the energy industry, which addresses changes for the industry resulting from
Sarbanes-Oxley. Deloitte & Touche sponsored the forum that challenged internal audit leaders to
understand their relationship with audit committees, the external auditors, and stakeholders.
File Name: pwc-erminsur.pdf
Bibliographic Entry: Price Waterhouse Coopers. “Enterprise-wide Risk Management for the
Insurance Industry: Global Study.” 2004. (www.pwcglobal.com)
Abstract: A study that includes the results of surveys with 44 leading insurers from around the world
providing insights into the development and deployment of an effective ERM framework. The report
is intended to be practical rather than theoretical and states that an effective ERM framework aligns
the fundamentals of corporate governance and organization, standards and policies, risk
measurement methodologies, and systems and tools. ERM is recognized as an imperative for the
board and CEO. Based on the survey, the report defines the critical success factors for ERM and
breaks down the ERM program into a design phase and an implementation phase. Credit risk,
investment risk, operation risk, risk aggregation, capital allocation, and systems and data are detailed
within the framework of ERM, much of it insurance industry specific, but also revealed are general
principles and tools.
File Name: pwc-utility-1103.pdf
Bibliographic Entry: Price Waterhouse Coopers. “Utilities Industry Whitepaper. 2003 Year-End
Update.” November 2003. (www.pwcglobal.com)
Abstract: A year-end report with information on market issues, Sarbanes-Oxley Section 404 control
compliance, taxes and “hot topics” in new/amended accounting rules, auditing standards and from
the SEC. Issues among the hot topics include long-lived assets, derivatives, hedging, and audit fraud.
Market issue topics are operational, regulatory, pricing, ERM, and politics of the potential repeal of the
Public Utility Holding Company Act of 1935.
File Name: cos-intcontd.doc
Bibliographic Entry: Committee of Sponsoring Organizations of the Treadway Commission.
“Internal Control Issues in Derivatives Usage.” Executive Summary. 2004. 4 pages. (www.coso.org)
Abstract: The COSO report, Internal Control--Integrated Framework, issued by the Committee of
Sponsoring Organizations of the Treadway Commission in 1992, is becoming a widely accepted basis
for developing business control systems and assessing their effectiveness. This information tool was
developed to help end-users of derivative products establish, assess, and improve internal control
systems using the COSO Framework. Many of the control considerations discussed are also
applicable to financial instruments other than derivatives. This Executive Summary provides senior
management and boards of directors with an overview of how the COSO Framework might be
applied to risk management activities involving the use of derivatives. It can be used to help
management design control processes, especially by providing direction for formulation of risk
management policies. It also provides insights that enable those charged with oversight
responsibilities to constructively examine existing policies and procedures.
File Name: cos-intcontf.doc
Bibliographic Entry: Committee of Sponsoring Organizations of the Treadway Commission.
“Internal Control — Integrated Framework.” Executive Summary. 2004. 6 pages. (www.coso.org)
Abstract: Because internal control serves many important purposes, there are increasing calls for
better internal control systems and report cards on them. Internal control is looked upon more and
more as a solution to a variety of potential problems. Internal control means different things to
different people. This causes confusion among businesspeople, legislators, regulators and others.
Resulting miscommunication and different expectations cause problems within an enterprise.
Problems are compounded when the term, if not clearly defined, is written into law, regulation or
rule. This report deals with the needs and expectations of management and others. It defines and
describes internal control to establish a common definition serving the needs of different parties and
provide a standard against which business and other entities--large or small, in the public or private
sector, for profit or not--can assess their control systems and determine how to improve them.
File Name: NAS-MktRules.pdf
Bibliographic Entry: National Association of Security Dealers (NASDAQ). “Marketplace Rules.
Section 4350.” (www.nasdaq.com)
Abstract: Section 4350 of the NASD Marketplace Rules sets forth corporate governance standards
requirements for listing a public firm’s stocks on the NASDAQ National Market and NASDAQ Small
Cap Market. NASDAQ may deny a listing or impose additional restrictions based on their review of a
firm’s corporate governance standards. Several sections of 4350 are new with enforcement being
phased in from November 2003 to July 2005. Subsections of rule 4350 address the subjects of
independent directors, audit committees, conflicts of interest, peer review of auditing firm and code
of conduct.
File Name: NYS-corpgovr-1103.pdf
Bibliographic Entry: New York Stock Exchange (NYSE). “Listed Company Manual.” Last updated
November 2003. 56 pages. (www.nyse.com)
Abstract: The listed company manual of rules for NYSE compliance includes sections on Corporate
Governance Standards (section 303), audit committees (section 303.01 and 303A.07), compensation
committee, code of business conduct and ethics (section 303A.10), and board of directors (section
304).
File Name: SEC-NASDNYSE-1103.pdf
Bibliographic Entry: U.S. Securities & Exchange Commission (SEC). “NASD and NYSE Rulemaking
Relating to Corporate Governance.” November 2003. Release number 34-48745. 73 pages.
(www.sec.gov)
Abstract: Pursuant to the Sarbanes-Oxley Act of 2002, the SEC approved Rule 10A-3 under the
Exchange Act, which directs each national securities exchange and national securities association to
prohibit the listing of any security of an issuer that is not in compliance with the audit committee
requirements specified in Rule 10A-3. Because the provisions concerning audit committees in the
NYSE and Nasdaq corporate governance reform proposals, as filed with the Commission, did not
conform in all respects with the audit committee requirements set forth in Rule 10A-3 as proposed by
the Commission, both the NYSE and Nasdaq revised their listing company policy. Corporate
governance issues addressed include audit committee charter, independence of directors, business
ethics and code of conduct, internal audit function, and CEO certification.
File Name: SEC-finalrul-0804.pdf
Bibliographic Entry: U.S. Securities & Exchange Commission (SEC). Investment Company
Governance. Final Rule. Release number IC-26520; File number S7-03-04. Federal Register Vol. 69, No.
147. August 2, 2004. 17 pages. (www.sec.gov)
Abstract: The SEC adopted amendments to rules under the Investment Company Act of 1940 to
require investment companies (‘‘funds’’) that rely on certain exemptive rules to adopt certain
governance practices. The amendments are designed to enhance the independence and effectiveness
of fund boards and to improve their ability to protect the interests of the funds and fund shareholders
they serve. Effective date: September 7, 2004. Compliance date: January 16, 2006.
File Name: DHS-phystrag-0203.pdf
Bibliographic Entry: White House. “The National Strategy For The Physical Protection of Critical
Infrastructure and Key Assets.” February 2003. 96 pages. (www.whitehouse.gov)
Abstract: Many businesses have increased their threshold investments and undertaken enhancements
in security in an effort to meet the demands of the new terrorist threat environment. The lion’s share
of our critical infrastructures and key assets are owned and operated by the private sector.
Customarily, private sector firms prudently engage in risk management planning and invest in
security as a necessary function of business operations and customer confidence. For most
enterprises, the level of investment in security reflects implicit risk-versus-consequence tradeoffs,
which are based on: (1) what is known about the risk environment; and (2) what is economically
justifiable and sustainable in a competitive marketplace or in an environment of limited government
resources. Given the dynamic nature of the terrorist threat and the severity of the consequences
associated with many potential attack scenarios, the private sector naturally looks to the government
for better information to help make its crucial security investment decisions. This National Strategy for
the Physical Protection of Critical Infrastructures and Key Assets is consistent with the National Strategy for
Homeland Security. It establishes a foundation for building and fostering a cooperative environment in
which government, industry, and private citizens can work together to protect our critical
infrastructures and key assets.
File Name: DHS-crtinfra-0204.pdf
Bibliographic Entry: Department of Homeland Security. “Procedures for Handling Critical
Infrastructure Information; interim rule”. Federal Register Vol. 69, No. 34. February 20, 2004. 17
pages.
Abstract: This interim rule establishes procedures to implement section 214 of the Homeland Security
Act of 2002 regarding the receipt, care, and storage of critical infrastructure information voluntarily
submitted to the Department of Homeland Security. The protection of critical infrastructure reduces
the vulnerability of the United States to acts of terrorism. The purpose of this regulation is to
encourage private sector entities to share information pertaining to their particular and unique
vulnerabilities, as well as those that may be systemic and sector-wide. As part of its responsibilities
under the Homeland Security Act of 2002, this information will be analyzed by the Department of
Homeland Security to develop a more thorough understanding of the critical infrastructure
vulnerabilities of the nation.
File Name: cpa-adtcmte-1203.pdf
Bibliographic Entry: American Institute of Certified Public Accountants. Audit Committee
Effectiveness Center. “The AICPA Audit Committee Toolkit.” December 2003. 145 pages.
(www.aicpa.org)
Abstract: The AICPA Audit Committee Toolkit provides checklists, matrices, questionnaires, and other
materials that are designed to help the audit committee do the job they need to do.
For example, preparing an Audit Committee charter is often referred to as a best practice, and is
actually required for many public companies. This tool is designed to help audit committees make
the charter a living document, and use it as a guide for defining the steps to accomplish each
objective, the associated performance measure, and the scheduling. The sample Audit Committee
charter presented here is based on one from a real company, and in some places goes beyond the
requirements of the Sarbanes-Oxley Act of 2002 (the Act) and stock exchange requirements.