Integration of risk management processes
Risk management is ingrained in strategic and operational activities, including business planning, investment analysis, portfolio/project management and day-to-day operations. The risk management policy, supporting framework and guidelines outline accountabilities and expectations to ensure risk management is integrated into processes, systems, culture and decision making, ensuring risk is proactively identified, assessed and mitigated across the Meridian Group. This is supported by regular risk management training as outlined in the risk culture section below.
When undertaking projects and developing new assets, business units are supported by frameworks and processes which have risk management practices embedded. These processes include initial and ongoing risk identification workshops and monitoring of project risks, issues and trends to governance committees. Risk factors, including health and safety, commercial, vendor and delivery risks are considered during the development of new Retail energy products. Commercial, and if required, legal reviews are undertaken, with the Customer Leadership team providing oversight of risks and decisions. Significant risks are captured and managed within Meridian’s risk management tool.
In line with Global Reporting Initiative (GRI) standards, Meridian undertakes an objective assessment of the positive and negative impacts of our business activities that affect the environment, society and the economy, including human rights. To integrate the results from this materiality assessment into our risk management processes, impacts are reviewed against and aligned to Meridian’s key enterprise risks by the Risk and Sustainability functions. This ensures enterprise risks reflect material topics and their impacts, and that they have appropriate accountability and management, and align to company strategy. A gap assessment is undertaken to ensure new and emerging material issues are translated into risks that are appropriately managed and monitored in line with the Risk Management Policy.
Risk appetite and tolerance
Meridian adopts a managed approach to risk that sets tolerances for appropriate risk-taking depending upon the consequences and likelihood of the risks’ occurrence, and the potential associated benefits or opportunities. These tolerance levels along with risk appetite statements were developed as part of workshops with subject matter experts and subsequently validated through reviews by key stakeholders across the business including Executive members. They have been approved by the Board and strike a balance between the potential benefits of innovation and growth in delivering our strategy, with the threats and risks that can impact our operations and people across Meridian’s four risk categories:
- People – Including impacts to staff, contractors, suppliers, customers and the public (including communities, iwi and mana whenua)
- Financial – Increased costs, loss of revenue and reduction in value
- Environmental – Impacts on the environment’s current baseline
- Reputational – Events that cause the deterioration of Meridian’s reputation.
Risk appetite is operationalised through the risk tolerance levels and these are aligned with risk appetite statements and outline the maximum risk level the business is prepared to take on specific risks for each of the four risk categories. In accordance with the Risk Management Policy, risk owners review target likelihood and consequence ratings against the tolerance levels, with oversight and challenge from Risk champions and the Risk Function. Enterprise risks where the target risk sits outside tolerance levels are reported to the accountable General Manager and Chief Executive for approval, with high and extreme risks that sit outside tolerance levels being reported to the Audit & Risk Committee.
The Audit & Risk Committee also review the company’s enterprise risks every six months and new and emerging risks every quarter against tolerance levels and uses these when considering the appropriateness of target risk levels and mitigation strategies.
Risk exposure
Priority enterprise risks
Two priority enterprise risks included in reporting to the Audit & Risk Committee are outlined below as well as their mitigating actions:
Critical asset failure
Risk |
Risk Category |
Current Likelihood |
Current Consequences |
Mitigating actions |
Component part(s) of our generating assets may fail unexpectedly leading to substantial loss of generation and the potential for environmental damage, injury and loss of life. |
People, Environmental |
Highly unlikely |
Major |
Mitigations include a range of engineering protections, ongoing internal and external expert assessments leading to planned engineering works, process safety practices and preventative maintenance activities. Meridian is currently investing in a multi-million-dollar automation upgrade of the Manapōuri site that will improve the monitoring and assessment of asset health in order to assist in managing this risk. |
Adverse hydrological conditions
Risk |
Risk Category |
Current Likelihood |
Current Consequences |
Mitigating actions |
Dry periods or drought conditions in the Waitaki or the Waiau catchments may reduce water levels and significantly affect our generation capability. |
Financial |
Unlikely |
Serious |
Meridian has a number of mitigations in place to manage water during a dry period, including wholesale hedge products and a demand response agreement with NZAS to enable demand response flexibility through to the end of 2024. |
Emerging Risks
Two long term emerging risks (3-5 years+) which are considered to have the most significant impact on the business in the future are outlined below as well as any mitigating actions that have been taken.
|
Emerging risk 1 |
Emerging risk 2 |
Emerging risk |
Thermal fuel risk |
Peak Capacity |
Category |
Economic |
Societal |
Description |
There is an industry wide risk to thermal fuel availability which is escalating due to dwindling gas investment and hence production. Reduced gas production, combined with the gas industry struggling to attract investors, may mean the electricity system places a greater reliance on coal whilst biomass options are proven. |
There is a risk of insufficient national generation and reserve offers to meet electricity demand and provide N-1 security while the margin of generation offered over peak periods will be tight compared to forecasted demand generally. |
Impact |
This could result in increasing wholesale prices and greater carbon emissions which may in turn prompt regulatory intervention potentially increasing operating costs and impacting Meridian’s earnings. |
This could impact consumers and investor confidence and could result in market structural changes via regulatory intervention, which has the potential to impact Meridian’s future earnings. |
Mitigating actions |
Continuing to build our renewal generation portfolio (new wind and solar).
Exploring demand response and alternative products to manage electricity security.
|
Meridian has reviewed and adapted its asset management processes to reduce the likelihood of a peak capacity shortage event. Additionally, Meridian is also investing in the Ruakākā Battery Energy Storage System, which will make a significant contribution to the reliability of the overall electricity grid allowing more intermittent wind and solar renewable electricity generation to be efficiently accommodated within the system. |
Privacy risk
Privacy protection is a fundamental requirement of the overall operational risk and compliance management structures of Meridian, with the requirements of the Privacy Policy embedded into the group-wide risk and compliance management programme and framework.
This includes:
- The Business Assurance function conducts annual internal audits of Meridian’s privacy systems and procedures to ensure compliance with Meridian’s Group Compliance Policy. The findings of these audits are reported to the Audit & Risk Committee.
- Our Independent co-sourced partners conduct independent audits of our privacy systems and procedures, as part of Meridian’s 18-month Assurance Plan which is approved by the Audit & Risk Committee.
- Privacy Champions are embedded within the Business Units, who report to the Privacy Officer. These staff members undertake specialised privacy training and work with each Business Unit along with the Legal Team to develop knowledge within the business and ensure compliance with the Privacy Act.
- Meridian reviews and reports any Privacy breaches on a monthly basis to the Board. Any potential breaches noted, are investigated to remediate any weakness in the system(s), with amendments made as required to mitigate the identified risk.
- ICT security has multiple data security and control processes in place that manage data privacy of related systems and processes across the business. For any new system or process introduced where customer data is collected, a risk assessment is undertaken to ensure appropriate controls are in place to protect customer data.
Cyber security risk
Meridian Energy is focused on proactively managing cyber risks. We aim to maintain safe, secure, and reliable Information systems and operational technology infrastructure that supports Meridian’s business goals and upholds the trust of our customers, staff, and stakeholders.