Integration of risk management processes
Risk management is ingrained in all activities, including business planning, investment analysis, portfolio and project management and day-to-day operations. The Risk Management Policy and Framework outline accountabilities and expectations to ensure risk management is integrated into processes, systems, culture and decision making. This ensures risk is proactively identified, assessed and mitigated across the Meridian Group. This is supported by regular risk management training as outlined in the risk culture section below.
In addition to the Risk Management Policy and Framework, Meridian’s Project Risk Management Guidelines outline the processes that deliver risk management for projects, ensuring risks are adequately identified, assessed, managed and monitored. Certain areas of the business also have specific project delivery frameworks to further embed risk management practices. For our Retail business unit this includes Retail Guardrails which provide further guidance when developing new Retail energy products. These Guardrails are in place to enable consultation on decisions that are high risk or have material consequences, requiring stakeholder approval based on risk/value level in the areas of Brand and Reputation, Financial, Legal and Compliance, and Pricing. The Guardrails empower people closer to customers to make decisions, improving quality of outcomes and reducing risk, while ensuring that escalation points and thresholds for accepting risk are clear and directly link to group policies.
In line with Global Reporting Initiative (GRI) standards, Meridian undertakes an objective assessment of the positive and negative impacts of our business activities that affect the environment, society and the economy, including human rights. The materiality assessment findings are integrated into our risk management processes and aligned to Meridian's key enterprise risks. This ensures enterprise risks reflect material topics and their impacts, and that they have appropriate accountability and management. A gap assessment is undertaken to ensure new and emerging material issues are translated into risks that are appropriately managed and monitored in line with the Risk Management Policy and Framework.
A tailored risk assessment approach has been developed for climate-related risks and opportunities. This is informed by methodologies outlined by the Intergovernmental Panel on Climate Change and Aotearoa New Zealand’s National Climate Change Risk Assessment method report. This approach is supported by internal guidelines which establish clear roles and responsibilities, and provide an overview of the process of identifying, assessing, managing, and reporting on climate-related risks and opportunities, with specific alignment to Meridian’s overall enterprise risk management approach, including the Risk Management Policy and Framework.
Meridian’s climate-related risks are assessed with the same ‘Low’, ‘Medium’, ‘High’ and ‘Extreme’ categories as the Group Risk Management approach. Climate-related risks assessed as ‘High’ or ‘Extreme’ and requiring near-term action are included in the enterprise risk register. Applying a consistent approach to risk categories and integrating climate-related risks into the risk register enables Meridian to prioritise all risks (including climate-related risks) according to their impact in a consistent way.
More information on the risks and opportunities of climate change on our business can be found in Meridian’s Climate Related Disclosure.
Risk appetite and escalation
Meridian’s Risk Appetite statements and escalation levels outline the level and type of risk that Meridian is prepared to accept in pursuit of its objectives across Meridian’s four risk categories:
- People – Including impacts to staff, contractors, suppliers, customers and the public (including public property, communities, iwi and mana whenua) in all areas where we operate, including our supply chain.
- Financial – Impacts to the underlying value of Meridian including increased costs or loss of revenue.
- Environmental – Impacts to the environment through or to emissions, river flows and water quality, biodiversity, cultural wellbeing and values (associated with the environment) or waste and disposal practices.
- Reputational – Events that may deteriorate Meridian’s reputation.
Meridian’s Risk Appetite statements have been operationalised through risk escalation levels for each risk category. Escalation levels support decision making and escalation to ensure appropriate scrutiny and challenge across all risks and ensure that Meridian undertakes appropriate actions to manage individual risks. They provide a mechanism for Management and/or the Board or relevant Board Committees (if required) to challenge risk owners where applicable. The Escalation Levels and the Risk Appetite statements, both of which are reviewed and approved annually by the Board, were initially developed as part of workshops with subject matter experts and subsequently validated through reviews by key stakeholders across the business, including Executive members.
In accordance with the Risk Management Framework, risk owners review target risk scores against the Escalation Levels to determine whether further action could be taken to reduce (or, if applicable, eliminate) the risk. Oversight and challenge are provided from Risk Champions and the Risk Function. Enterprise risks, where the target risk remains above escalation levels, require review by the appropriate General Manager and Chief Executive. High and extreme target risks above escalation levels are reviewed by the Audit & Risk Committee and/or may be required to be reviewed by the Board or relevant Board Committees.
Risk reviews are undertaken at a frequency in accordance with requirements set out within the Risk Management Framework. Risk reviews undertaken by risk owners consider the likelihood and impact to people, the environment and impacts to Meridian’s reputation and financials, pre- and post-mitigation. Evaluation of potential impacts may be based on, but not limited to, qualitative evaluation, historical data (i.e. analysing prior risk events within Meridian and the industry), external expert advice, hydrology modelling and sensitivity analysis of financial risks. Meridian is in the process of formalising a list of key risk indicators currently used in the business to ensure regular monitoring of these metrics is formally included in risk reviews and included within our assessment of likelihoods. Risk reviews consider the controls which are in place to manage the risk and whether treatment plans are progressing to plan.
The Audit & Risk Committee also reviews the company’s enterprise risks and Officer and Director risks every six months and emerging risks every quarter against escalation levels, and uses these when considering the appropriateness of target risk levels and mitigation strategies.
Risk exposure
Priority enterprise risks
Two priority enterprise risks included in reporting to the Audit & Risk Committee are outlined below as well as their mitigating actions:
Critical asset failure
| Risk | Risk Category | Current Likelihood | Current Consequences | Mitigating actions |
|---|---|---|---|---|
| Component part(s) of our generating assets may fail unexpectedly leading to substantial loss of generation and the potential for environmental damage, injury and loss of life. | People, Environmental, Financial, Reputational | Highly unlikely | Major | Mitigations include a range of engineering protections, ongoing internal and external expert assessments leading to planned engineering works, process safety practices and preventative maintenance activities. |
Adverse hydrological conditions
| Risk | Risk Category | Current Likelihood | Current Consequences | Mitigating actions |
|---|---|---|---|---|
| Dry periods or drought conditions in the Waitaki or the Waiau catchments may reduce water levels and significantly affect our generation capability. | Financial, Reputational | Unlikely | Major | Meridian has a number of mitigations in place to manage water during a dry period, including wholesale hedge products and a demand response agreement with industrial customers to enable demand response flexibility. |
Emerging Risks
Two long term emerging risks (3-5 years+) which are considered to have the most significant impact on the business in the future are outlined below as well as any mitigating actions that have been taken.
| | Emerging risk 1 | Emerging risk 2 |
|---|---|---|
| Emerging risk | Thermal fuel risk | Peak Capacity |
| Category | Economic | Societal |
| Description | There is an industry-wide risk to thermal fuel availability which continues to escalate due to dwindling gas investment and depletion of reserves. Meridian therefore faces a risk that fuels necessary to ensure a reliable electricity supply and integral to the energy transition are constrained in supply. | There is a risk of insufficient national generation and reserve offers to meet electricity demand and provide N-1 security while the margin of generation offered over peak periods will be tight compared to forecasted demand generally. |
| Impact | This could result in costly hedge arrangements and increasing wholesale prices which may in turn prompt regulatory intervention potentially increasing operating costs and impacting Meridian’s earnings. | This could impact consumers and investor confidence and could result in market structural changes via regulatory intervention, which has the potential to impact Meridian’s future earnings. |
| Mitigating actions | Continuing to build our renewable generation portfolio (new wind and solar). Meridian maintains a swaption portfolio and demand-response options for flexibility. Active investments in large-scale batteries and Virtual Power Plant initiatives to access flexible demand-side resources. | Regular monitoring and reporting of Transpower forecasts and Meridian’s associated outages. Meridian is also investing in new generation, such as the Ruakākā Battery which has the capacity to respond to periods of energy shortfall and projects related to retail demand response options and lifting peaking capacity of our existing hydro plant. |
Privacy risk
Privacy protection is a fundamental requirement of the overall operational risk and compliance management structures of Meridian, and the Privacy Policy requirements are embedded into the group-wide risk and compliance management programme and framework.
This includes:
- The Business Assurance function conducts internal audits that, where relevant, include a review of Meridian’s privacy systems, processes and procedures to ensure compliance with Meridian’s Group Compliance Policy. The findings of these audits are reported to the Audit & Risk Committee.
- Our independent co-sourced partners conduct independent audits of our privacy systems and procedures, as part of Meridian’s 18-month Assurance Plan which is approved by the Audit & Risk Committee.
- Privacy Champions, who report to the Privacy Officer, are embedded within the Business Units. These staff members undertake specialised privacy training and work with each Business Unit along with the Legal Team to develop knowledge within the business and ensure compliance with the Privacy Act.
- Meridian reviews and reports any privacy breaches on a monthly basis to the Board. Any potential breaches noted are investigated to remediate any weakness in the system(s), with amendments made as required to mitigate the identified risk.
- ICT security has multiple data security and control processes in place that manage data privacy of related systems and processes across the business. For any new system or process introduced where customer data is collected, a risk assessment is undertaken to ensure appropriate controls are in place to protect customer data.
Cyber security risk
Meridian Energy is focused on proactively managing cyber risks. We aim to maintain safe, secure, and reliable information systems and operational technology infrastructure that supports Meridian’s business goals and upholds the trust of our customers, staff, and stakeholders.