Due in Q1: GRC for Energy Solutions, 2023; Market and Vendor Landscape


This report, part of Chartis’ GRC+ research, explores the key trends in the market and provides a view of the landscape of GRC for energy vendor solutions.

Report in brief

Due to the size and increasing complexity of the GRC universe, Chartis now analyzes certain sectors individually to provide more focused and granular insight. This report focuses on the forces driving the rising importance of GRC in the energy sector.

Key takeaways: market landscape

The energy industry is characterized by a variety of subsectors with different and specific GRC requirements, including power networks, oil and gas producers, and energy-intensive end users. GRC systems for energy organizations include all major GRC subsections – internal audit, operational risk, conduct risk and controls, IT and cyber risk, supply chain and third-party risk, model risk and GRC analytics – but applied to the specifics of the energy industry. While underdeveloped, GRC in energy is increasing in importance and sophistication.

IT risk is increasingly important to energy companies as they digitalize their infrastructure. Energy firms now face as much risk from their IT infrastructure as their physical infrastructure, yet many are still not fully equipped to manage this risk. The integration and networking of physical assets has become a complex challenge for energy companies, requiring an understanding of their IT risk profile and network architecture.

Cyber risk has become a major issue for energy companies, but the fact that software often runs on variable operating systems and is locally sensor-driven can make mitigating a cyberattack more difficult. Energy software is often embedded by physical asset suppliers with fewer security capabilities than traditional software companies. Energy companies’ IT risk strategy must therefore consider the ‘islanded’ nature of software and risk exposures in traditional energy systems.

The increasingly complex regulatory environment, with its growing emphasis on carbon accounting, carbon disclosures and environmental footprint, is creating new risks and requirements. All energy verticals have some carbon disclosure and carbon accounting requirements, whether regulatory or related to financing and markets. Specialist accounting tool providers enable granular and mathematical analysis, with proxies for calculation in different parts of the energy business, while traditional GRC tools simply provide general aggregation frameworks.

Model risk for energy organizations now exists not just in the trading or risk reporting functions, but also in operations. Energy companies are using a broader set of models to manage trading activities and business operations. Chartis believes that comprehensive model risk validation is an opportunity for growth within the energy industry. Model validation and efficient model organization should be important aspects of the modeling and analytics function for energy firms.

Supply chain risk in the energy sector is generally focused on physical assets. It can vary significantly among industry verticals, with differing requirements for oil and gas upstream, downstream and midstream companies and retail power network providers. The interconnectedness of energy and geopolitical risks heightens supply chain risk in the energy sector, as regime change, political instability and political violence arguably affect the energy industry more than any other sector.

Key takeaways: vendor landscape

Vendors addressing the energy GRC market include traditional and specialist GRC vendors. Traditional GRC providers offer solutions with standard EGRC and auditing systems that work across the finance and auditing functions in energy companies. Specialists focus on supply chain and third-party risk, physical facility maintenance, physical systems, IT risk and cyber risk management. Given the shifting trends in the energy sector, Chartis believes that vendors with supply chain, cyber risk or IT risk expertise, and those with strong controls and analytical capabilities, will prevail in the market.

For more information about this and other Chartis reports, in GRC and other core research areas, contact us.
