Risk management

Approach to risk management

Meridian operates an active programme to ensure ongoing risk management across the Group. The Risk Management Policy and Framework have been developed to meet ISO 31000 Risk management – Guidelines. Their purpose is to embed a consistent and integrated approach to risk management that supports delivery of Meridian’s strategic objectives and operational goals, outlining key areas of responsibilities in how we record, identify, assess, manage, monitor and report risks.

Governance Framework

The Board has overall responsibility for approving annually Meridian’s Risk Management Policy and Framework, Risk Appetite Statements and escalation levels, and ensuring risks are managed appropriately and effectively. In exercising this responsibility, it delegates oversight of risk management activities to the Audit & Risk Committee. The Audit & Risk Committee consists only of independent directors.

The Audit & Risk Committee responsibilities include:

  • Ensuring that management has established a risk management framework which includes policies, procedures and systems to effectively identify, treat and monitor principal business risks
  • Evaluating the effectiveness of the company’s risk management policies, practices, procedures and systems
  • Reviewing the company’s enterprise risks and related controls every six months, reviewing Officer and Director risks every six months and reviewing emerging risks every quarter
  • Considering Deep Dive Risk Reviews presented to the Committee
  • Identifying significant risks for escalation to the Board and/or relevant Committees

The governance framework includes dedicated operational risk management functions:

Operational Risk ownership (first line of defence)

The first line of defence includes risk owners, who are responsible for ensuring risks are identified, fully understood and assessed, with appropriate controls, treatment plans and risk monitoring put in place and delivered, and Chief Executives and General Managers (including subsidiary Chief Executives) who have responsibility for ensuring risk management is undertaken across the Group and their business unit on an ongoing basis.

Risk Management and Compliance oversight (second line of defence)

A separate Group Risk function works with Group risk champions who are responsible for ongoing monitoring and reporting of risks in their area, and other second line of defence roles and functions who are responsible for setting control standards and overseeing compliance with them (e.g. Health and Safety, Compliance Managers and Security).

The Group Risk function delivers risk management services independently across the Group, including:

  • Maintaining the Risk Management Policy and Framework
  • Providing support to risk champions, risk and control owners and staff
  • Co-ordinating deep dive risk reviews which are reported to the Board and/or relevant Board Committees
  • Independent reporting of Meridian’s Enterprise Risks to the Audit and Risk Committee, based on enterprise risks or emerging risks in Meridian’s risk management system or areas of globally heightened risk

The Group Risk function reports directly to Meridian’s Chief Financial Officer and maintains independence from the business by having no direct operational responsibility, ensuring that an objective and independent assessment of the risks faced by Meridian is provided. Additionally, the Group Risk function has a dotted reporting line directly to the Audit and Risk Committee, providing a direct channel for engagement with the Audit and Risk Committee outside of management involvement.

There are established roles and processes to monitor compliance with the Code of Conduct (which defines the behaviours expected when working for Meridian) and Meridian policies. Any breaches, including privacy breaches, are reported and escalated through formal channels. To support compliance processes, Meridian has established the following:

  • A Compliance Policy outlining responsibilities for each business unit to ensure processes are established to identify, report and prioritise compliance breaches
  • Business unit roles established to support compliance activity. These are individuals embedded within business units who have and provide specific compliance and technical support in their chosen field(s)
  • Monthly reporting of compliance breaches to Meridian’s Chief Executive and Board where applicable. Any breach of Meridian policy, standards and procedures is viewed as a serious matter that will be addressed by management and may lead to disciplinary action
  • Quarterly business assurance probity and fraud testing to test compliance with Meridian policy and processes (third line of defence)
  • Regular review of Meridian’s compliance processes, including tracking and reporting, undertaken by an external third-party provider (third line of defence)
  • Other third-party engagements which review compliance activity across key business process areas including health and safety, retail processes, resource consenting, building infrastructure, Dam Safety and Sustainability reporting (fourth line of defence)

Independent Assurance (third line of defence)

Meridian’s Business Assurance function, which operates in a co-sourced arrangement with Meridian’s outsourced internal auditors, is responsible for providing independent assurance on Meridian’s risk management and compliance activities and providing assurance that practices are aligned with risk strategy and policies, as implemented by the first and second line of defence.

The Business Assurance programme is approved by the Audit & Risk Committee every six months. Audit findings are reported to the Audit & Risk Committee quarterly, which provides a level of assurance to the Committee and management that key risks are being managed adequately. Status updates on agreed management actions on any medium and high rated audit findings are also reported to the Audit & Risk Committee on a quarterly basis to provide comfort that these are being adequately closed.

External Independent Assurance (fourth line of defence)

Independent third-party assurance, including external audit and business unit driven reviews, provides impartial validation and oversight on how risks are being managed within Meridian.

Risk Management Processes

Integration of risk management processes

Risk management is ingrained in all activities, including business planning, investment analysis, portfolio and project management and day-to-day operations. The Risk Management Policy and Framework outline accountabilities and expectations to ensure risk management is integrated into processes, systems, culture and decision making. This ensures risk is proactively identified, assessed and mitigated across the Meridian Group. This is supported by regular risk management training as outlined in the risk culture section below.

In addition to the Risk Management Policy and Framework, Meridian’s Project Risk Management Guidelines outline the processes that deliver risk management for projects, ensuring risks are adequately identified, assessed, managed and monitored. Certain areas of the business also have specific project delivery frameworks to further embed risk management practices. For our Retail business unit this includes Retail Guardrails which provide further guidance when developing new Retail energy products. These Guardrails are in place to enable consultation on decisions that are high risk or have material consequences, requiring stakeholder approval based on risk/value level in the areas of Brand and Reputation, Financial, Legal and Compliance, and Pricing. The Guardrails empower people closer to customers to make decisions, improving quality of outcomes and reducing risk, while ensuring that escalation points and thresholds for accepting risk are clear and directly link to group policies.

In line with Global Reporting Initiative (GRI) standards, Meridian undertakes an objective assessment of the positive and negative impacts of our business activities that affect the environment, society and the economy, including human rights. The materiality assessment findings are integrated into our risk management processes and aligned to Meridian's key enterprise risks. This ensures enterprise risks reflect material topics and their impacts, and that they have appropriate accountability and management. A gap assessment is undertaken to ensure new and emerging material issues are translated into risks that are appropriately managed and monitored in line with the Risk Management Policy and Framework.

A tailored risk assessment approach has been developed for climate-related risks and opportunities. This is informed by methodologies outlined by the Intergovernmental Panel on Climate Change and Aotearoa New Zealand’s National Climate Change Risk Assessment method report. This approach is supported by internal guidelines which establish clear roles and responsibilities, and provide an overview of the process of identifying, assessing, managing, and reporting on climate-related risks and opportunities, with specific alignment to Meridian’s overall enterprise risk management approach, including the Risk Management Policy and Framework.

Meridian’s climate-related risks are assessed with the same ‘Low’, ‘Medium’, ‘High’ and ‘Extreme’ categories as the Group Risk Management approach. Climate-related risks assessed as ‘High or Extreme’ and requiring near-term action are included in the enterprise risk register. Applying a consistent approach to risk categories and integrating climate-related risks into the risk register enables Meridian to prioritise all risks (including climate-related risks) according to their impact in a consistent way.

More information on the risks and opportunities of climate change on our business can be found in Meridian’s Climate Related Disclosure.

Risk appetite and escalation

Meridian’s Risk Appetite statements and escalation levels outline the level and type of risk that Meridian is prepared to accept in pursuit of its objectives across Meridian’s four risk categories:

  • People – Including impacts to staff, contractors, suppliers, customers and the public (including public property, communities, iwi and mana whenua) in all areas where we operate, including our supply chain.
  • Financial – Impacts to the underlying value of Meridian including increased costs or loss of revenue.
  • Environmental – Impacts to the environment through or to emissions, river flows and water quality, biodiversity, cultural wellbeing and values (associated with the environment) or waste and disposal practices.
  • Reputational – Events that may deteriorate Meridian’s reputation.

Meridian’s Risk Appetite statements have been operationalised through risk escalation levels for each risk category. Escalation levels support decision making and escalation to ensure appropriate scrutiny and challenge across all risks and ensure that Meridian undertakes appropriate actions to manage individual risks. It provides a mechanism for both Management and/or the Board or relevant Board Committees (if required) to challenge risk owners where applicable. Escalation Levels along with the Risk Appetite statements, which are both reviewed and approved annually by the Board, were initially developed as part of workshops with subject matter experts and subsequently validated through reviews by key stakeholders across the business including Executive members.

In accordance with the Risk Management Framework, risk owners review target risk scores against the Escalation Levels to determine whether further action could be taken to reduce (or, if applicable, eliminate) the risk. Oversight and challenge are provided from Risk Champions and the Risk Function. Enterprise risks, where the target risk remains above escalation levels, require review by the appropriate General Manager and Chief Executive. High and extreme target risks above escalation levels are reviewed by the Audit & Risk Committee and/or may be required to be reviewed by the Board or relevant Board Committees.

Risk reviews are undertaken at the frequency set out in the Risk Management Framework. Risk reviews undertaken by risk owners consider the likelihood and impact to people, the environment and impacts to Meridian’s reputation and financials, pre and post mitigations. Evaluation of potential impacts may be based on, but not limited to, qualitative evaluation, historical data (i.e. analysing prior risk events within Meridian and the industry), external expert advice, hydrology modelling and sensitivity analysis of financial risks. Meridian is in the process of formalising a list of key risk indicators currently used in the business to ensure regular monitoring of these metrics is formally included in risk reviews and included within our assessment of likelihoods. Risk reviews consider the controls which are in place to manage the risk and whether treatment plans are progressing to plan.

The Audit & Risk Committee also reviews the company’s enterprise risks and Officer and Director risks every six months and emerging risks every quarter against escalation levels and uses these when considering the appropriateness of target risk levels and mitigation strategies.

Risk exposure  

Priority enterprise risks 

Two priority enterprise risks included in reporting to the Audit & Risk Committee are outlined below as well as their mitigating actions:

Critical asset failure

Risk: Component part(s) of our generating assets may fail unexpectedly leading to substantial loss of generation and the potential for environmental damage, injury and loss of life.
Risk Category: People, Environmental, Financial, Reputational
Current Likelihood: Highly unlikely
Current Consequences: Major
Mitigating actions: Mitigations include a range of engineering protections, ongoing internal and external expert assessments leading to planned engineering works, process safety practices and preventative maintenance activities.

Adverse hydrological conditions

Risk: Dry periods or drought conditions in the Waitaki or the Waiau catchments may reduce water levels and significantly affect our generation capability.
Risk Category: Financial, Reputational
Current Likelihood: Unlikely
Current Consequences: Major
Mitigating actions: Meridian has a number of mitigations in place to manage water during a dry period, including wholesale hedge products and a demand response agreement with industrial customers to enable demand response flexibility.


Emerging Risks 

Two long term emerging risks (3-5 years+) which are considered to have the most significant impact on the business in the future are outlined below as well as any mitigating actions that have been taken.  

Emerging risk 1: Thermal fuel risk
Category: Economic
Description: There is an industry-wide risk to thermal fuel availability which continues to escalate due to dwindling gas investment and depletion of reserves. Meridian therefore faces a risk that fuels necessary to ensure a reliable electricity supply and integral to the energy transition, are constrained in supply.
Impact: This could result in costly hedge arrangements and increasing wholesale prices which may in turn prompt regulatory intervention potentially increasing operating costs and impacting Meridian’s earnings.

Emerging risk 2: Peak Capacity
Category: Societal
Description: There is a risk of insufficient national generation and reserve offers to meet electricity demand and provide N-1 security while the margin of generation offered over peak periods will be tight compared to forecasted demand generally.
Impact: This could impact consumers and investor confidence and could result in market structural changes via regulatory intervention, which has the potential to impact Meridian’s future earnings.

Mitigating actions

Continuing to build our renewable generation portfolio (new wind and solar). 

Meridian maintains a swaption portfolio and demand-response options for flexibility.

Active investments in large-scale batteries and Virtual Power Plant initiatives to access flexible demand-side resources. 

Regular monitoring and reporting of Transpower forecasts and Meridian’s associated outages. Meridian is also investing in new generation, such as the Ruakākā Battery which has the capacity to respond to periods of energy shortfall and projects related to retail demand response options and lifting peaking capacity of our existing hydro plant.

Privacy risk 

Privacy protection is a fundamental requirement of the overall operational risk and compliance management structures of Meridian, and the Privacy Policy requirements are embedded into the group-wide risk and compliance management programme and framework.  

This includes:   

  • The Business Assurance function conducts internal audits that, where relevant, include the review of privacy systems, processes and compliance of Meridian’s privacy systems and procedures to ensure compliance with Meridian’s Group Compliance Policy. The findings of these audits are reported to the Audit & Risk Committee.
  • Our Independent co-sourced partners conduct independent audits of our privacy systems and procedures, as part of Meridian’s 18-month Assurance Plan which is approved by the Audit & Risk Committee.  
  • Privacy Champions are embedded within the Business Units, who report to the Privacy Officer. These staff members undertake specialised privacy training and work with each Business Unit along with the Legal Team to develop knowledge within the business and ensure compliance with the Privacy Act.   
  • Meridian reviews and reports any privacy breaches on a monthly basis to the Board. Any potential breaches noted are investigated to remediate any weakness in the system(s), with amendments made as required to mitigate the identified risk.
  • ICT security has multiple data security and control processes in place that manage data privacy of related systems and processes across the business. For any new system or process introduced where customer data is collected, a risk assessment is undertaken to ensure appropriate controls are in place to protect customer data. 

Cyber security risk 

Meridian Energy is focused on proactively managing cyber risks. We aim to maintain safe, secure, and reliable information systems and operational technology infrastructure that supports Meridian’s business goals and upholds the trust of our customers, staff, and stakeholders.

Risk Culture

Training 

The following training and material is provided to Meridian staff to support a positive risk culture and raise awareness of risk management accountabilities and our risk management policy and framework and processes:  

  • E-Learning modules outlining our Group risk management processes and how Meridian’s risk management system can help staff to administer, track and manage risk effectively.   
  • Risk management system ‘explainer videos’. 
  • Tailored in-person risk management training for leadership teams and staff. 
  • Risk Forums for Risk Champions to provide additional training on risk principles, risk topics and emerging global and industry risks. 

Meridian requires all Directors to participate in an induction process coordinated by the Company Secretary, which provides a smooth transition for new Board members.  The induction process for Directors includes fulsome briefings from Executives on Meridian’s structure, strategy, business operations, the sectors and environments in which we operate, our material risks and our people.  

We also have a continuing education programme in place for all Directors and other professional development opportunities to further develop their skills and knowledge and enable Directors to stay up to date on best practices in corporate governance and risk management. This education programme is decided annually between the Chair, Directors and Management with consideration of the topic areas including Legal and Regulatory developments, Leadership and Governance and Risk Management. Delivery of the programme by internal subject matter experts and/or external providers occurs periodically throughout the year either online or in person. The FY25 education programme included specific risk management training which aimed to promote an understanding of the type of risks in the following areas: Hydrology Risk Management, Climate Change, Cyber Security, Psychosocial risks and the role of directors and Operating Site risks. We also periodically undertake site visits with Directors. In 2025 this included a site visit to Manapōuri, Meridian’s largest generation station. For FY26 and beyond, we are expanding on our risk management training for Directors to include a specific session annually on Global Risks, as identified by the World Economic Risk Forum and/or other credible sources, and their potential impact on Meridian.

In addition, a wide variety of training modules relating to different aspects of Meridian’s business are also available to Directors.  

Risk management incentive metrics  

Meridian’s annual report provides a detailed description of its approach to remuneration. In FY25, remuneration for the Chief Executive included a short term incentive (STI) opportunity of 60% of salary, and for the other Executives the STI opportunity was 30%. Up to 40% of the STI was based on performance against a Board-approved scorecard. When annually setting and assessing performance against the Executive Scorecard, the Board considers key initiatives that are designed to address material risks, opportunities and to execute Meridian's strategy. In FY25 this included the following performance areas:   

Performance Area: Grow renewable generation to speed our path to a resilient, net zero future
FY25 Initiatives:
  • Deliver Scale energy projects at pace
  • Accelerate electrification of transport and process heat
  • Grow peaking Generation capacity and bring dispatchable customer capacity to market
Enterprise Risk:
  • Development pipeline
  • Peak Capacity
  • Market supply

Performance Area: Deliver cleaner, cheaper energy through innovation that unlocks value for customers
FY25 Initiatives:
  • Develop digital capability and innovation to achieve scale and grow customer relationships
  • Continued investment in energy hardship and community programs to promote equitable access to the energy transition
  • Advocate policy that promotes climate action and supports kiwis through energy transition.
Enterprise Risk:
  • Demand risk
  • Health and safety

Performance Area: Deliver operational excellence so everything we do aligns to deliver on our goals
FY25 Initiatives:
  • Build operational flexibility and agility while sustaining excellent asset productivity
  • Build modern data and digital systems to promote collaboration, operational efficiency, innovation and data driven decisions
Enterprise Risk:
  • Critical equipment or Technology Failure

Performance Area: Grow capability and culture because how we do the mahi is what will make the real difference
FY25 Initiatives:
  • Grow a diverse and inclusive, skilled workforce that reflects the country we live in
  • Safety leadership that grows in maturity as we build into the energy transition
  • Develop our understanding of the Māori world view to help build long term relationship with Tangata whenua
  • Build a sustainability culture that benefits people and planet, inspires climate action and attracts investors
Enterprise Risk:
  • Health and safety

Permanent employees may participate in variable pay via a STI scheme at the discretion and invitation of the Board. The STI is an at-risk incentive, which is offered for a specific year. Potential STI payments reflect achievement of certain company profit levels and individual performance objectives aligned to business strategy and goals. For example, this may include individual objectives relative to operational risk.  

Risk Management Audit  

In line with best practice, the Business Assurance 18-month programme includes regular internal audits of Meridian’s Risk Management Framework, including methods, tools and processes measured against best practice and risk management standards. These are conducted by a qualified independent external provider who sits outside Meridian’s co-sourced Business Assurance function on a two-year cycle. The last audit conducted in May 2024 assessed the effectiveness of the Risk Management Framework and maturity of Meridian’s risk management processes. The overall review rating was assessed as good, which is the highest rating, indicating that the control environment is strong. Some low-level improvement opportunities were identified to support further maturity.

Meridian’s Risk Management Policy outlines specific responsibilities for risk management at Meridian.