8 minute read 1 Sep 2018
Ship lies half submerged in coastal waters off Whitsand Bay

How to avoid being sunk by operational P&U risks


Matt Chambers

EY Global and Americas Power & Utilities Risk Leader

Risk management leader in power and utilities. Solving complex problems with pragmatic solutions. Avid snow skier. Sports lover. Father.

8 minute read 1 Sep 2018
Related topics Power and utilities

For power and utilities (P&U) organizations, operational risks are often the most critical, with consequences that can be catastrophic.

Aging assets, complex supply chains, growing cyber threats and uncontrollable natural hazards, such as storms or earthquakes, are just some of the operational risks that P&U organizations need to manage.

The effective deployment of the right people, technologies and processes across the enterprise is essential to manage such a broad spectrum of challenges.

The Global Power & Utilities Risk Pulse Survey asked executives to rank the importance of the most critical operational risks affecting the sector — examining both how important they are today and how they see their importance changing over time.

Read on to find out if you agree with what they saw as the top five operational risks facing utilities and discover the steps you can take to address these challenges.

Lightning bolt hits electricity pylon
(Chapter breaker)

Chapter 1

The top five operational risks facing P&U organizations

From falling demand to catastrophic business interruption, operational risks are at the forefront of P&U industry concerns.

Power and Utilities. Current most critical operational risks for the industry

No. 5: Stagnant energy demand and rising energy efficiency

As regulatory changes see countries around the world implement energy efficiency programs, low carbon agendas and anti-pollution measures, traditional P&U business models of sales over large networks have also come under threat from the rise of distributed generation.

While this may reduce pressure to replace, maintain or upgrade aging plants that can now be retired, it also leaves less revenue for innovations that could allow incumbents to keep pace with transformative change. This complexity and uncertainty is why 44% of respondents ranked this in their top three operational risks.

No. 4: Supply shortages, quality or safety issues

Access to safe, reliable and affordable energy and water is a worldwide challenge. The EY 2016 Megatrends report found that in 2015, the world’s population consumed the equivalent of 1.6 planets’ worth of resources — and this will rise to 2 planets’ worth by 2030. This growing pressure is why 58% of respondents ranked this in their top three operational risks.

The stress on resources is being made worse by growing interdependencies: it takes enormous volumes of water to produce electricity, and tremendous amounts of energy to produce clean water. In fact, energy accounts for as much as 80% of the cost of producing drinking water.

For instance, the 2014 decision by the city of Flint, Michigan, to switch water supply sources without putting in place adequate corrosion controls while the new pipeline was under construction led to its population being seriously affected by drinking water that contained lead and other toxins. The city now has to make costly improvements to water treatment plants that will also require extensive upgrades to energy-intensive systems, such as pumps and transfer stations.

Investment in assets today has cost implications decades into the future. However, remediation and recovery costs, as well as the avoidance of reputational damage associated with catastrophic asset failure and supply interruptions, will likely far outweigh the costs of replacing, maintaining or upgrading these assets.

No. 3: Data privacy and protection

The rise of innovative new technologies, such as smart meters and thermostats, presents enormous opportunities for P&U organizations to collect, manage and analyze detailed data from millions of customers. This could lead to a greater understanding of customer needs and the opportunity to provide more valuable personalized services to encourage customers to stay loyal.

With the ongoing cyber threat and a renewed regulator focus on data privacy, the associated risk in managing and protecting such customer information is substantial, both financially and reputationally.

The new critical infrastructures utilities are implementing generate reams of data that create enormous opportunities. However, if something goes wrong, it impacts not only the utility but also broader society.
Alex Campbell
Associate Partner, Ernst & Young LLP

Given that 37% of P&U companies globally describe their data protection policies as ad hoc or nonexistent, it is not surprising that 54% of respondents ranked this in their top three operational risks.

No. 2: Aging infrastructure

The intergovernmental International Energy Agency has estimated that organizations will need to invest more than US$21 trillion in power infrastructure and natural gas pipelines worldwide between 2016 and 2040. The OECD has estimated a similar amount will be required for water infrastructure. Much of this investment will be needed to replace, maintain and upgrade aging assets that, in many cases, haven’t been updated since the post-World War II infrastructure boom.

Decades old and at risk of failing, aging P&U infrastructure was listed as a top three risk by 62% of respondents, even though many organizations already have programs in place to extend the lives of their assets.

This core mission will be increasingly challenged as pressure mounts on traditional revenue streams and margins continue to erode. The fact that such investment could also be impaired by the rise of alternative technologies only adds to the complexity of managing the risks associated with aging infrastructure.

No. 1: Business interruption from cyber attack, storms and catastrophic events

The most significant operational failures are likely to lead to business interruption, and the list of potential catastrophic events is large — and growing in intensity.

Think of the 2017 Atlantic hurricane season’s impact across the Caribbean and several US states, the September 2016 storms that left the state of South Australia without power or the unprecedented cyber attack in Ukraine that crippled three energy distribution companies. And the distributed denial-of-service attacks of late 2016 and early 2017, which affected major websites and internet infrastructure in places as varied as New Hampshire and Liberia, could be a vision of a future in which compromised connected devices could unleash havoc on the utility grid.

The loss of income and reputational damage from such catastrophic events can prove disastrous for any organization. This is why 82% of respondents ranked this in their top three operational risks, and also why this ranked as the number one overall risk.

Paraglider flies through blue sky towards numerous wind turbines in the distance
(Chapter breaker)

Chapter 2

How to manage operational risks that could see your organization capsize

Focusing on data-driven approaches to asset management and upgrading your cyber defenses are smart strategies to improve resilience.

Looking to the future, today’s number one operational risk becomes increasingly more critical, with 78% of our survey respondents indicating that business interruption will become more or much more important. And 56% see our number three operational risk — data privacy and protection — becoming more or much more important.

P&U organizations need to be asking themselves whether their operating model is agile enough to react to unexpected events as they unfold, and whether they have the right resiliency to recover.

To increase their agility and resilience to and be better prepared to manage operational risks, P&U organizations should:

  • Prepare for the rising importance of cyber risk by:
    • Taking greater ownership of their information practices and being accountable for data privacy and protection risks across the enterprise
    • Seeing new regulations, such as the European Union’s General Data Protection Regulation (GDPR), as a guide for changing expectations around customer privacy, not just as a box-ticking exercise
  • Strengthen enterprise asset management strategies, including:
    • Taking advantage of new digital tools to fully understand and manage the whole life risk, cost and value of their assets in operation
    • Using this new insight to find ways to balance the reliable and safe supply of electricity, gas and water with sustainability goals and evolving regulatory requirements
    • Developing more targeted and diversified capital investment strategies to enable them to seize new opportunities with ascendant technologies, building on the upward trend in M&A activity we’ve seen across the sector in recent years in our Capital Confidence Barometer

As P&U organizations continue to grapple with the increasing uncertainty that these operational risks present, they will have to find the right balance between achieving results today and making decisions that will play out over the long term.

This challenge is the innovator’s dilemma and is affecting all industries. But, for P&U organizations, failure to pick the right path to manage their operational risks could prove catastrophic — for both them and their customers.

Key questions to ask to help your operations transition to a future energy and utility world:

  • How can data analytics be used to improve asset management, service reliability and business performance?
  • Are critical infrastructure standards sufficient to address physical security and cybersecurity challenges?
  • How should in-house operational capabilities be balanced against lower-cost managed services?
  • Do the benefits of improved resilience through asset hardening and upgrades outweigh their high investment costs?

Take the risk pulse of your own organization

Read our other survey results and deep-dive articles to learn what your peers are saying about key risks in the financialstrategic and compliance  categories, or find out more about how our risk and cybersecurity professionals can help.


Operational risks are among many power and utilities organizations’ biggest concerns, with the worst being genuinely existential crises. Making the most of new technologies to manage assets more effectively – while mitigating new cyber exposures – can help reduce the potential impact.

About this article


Matt Chambers

EY Global and Americas Power & Utilities Risk Leader

Risk management leader in power and utilities. Solving complex problems with pragmatic solutions. Avid snow skier. Sports lover. Father.

Related topics Power and utilities