AEP Sustainability - Risk Management

Enterprise Risk & Resiliency

AEP’s Enterprise Risk & Resiliency team works with business units and operating companies to proactively identify, assess, mitigate and manage risks. The team, which is comprised of the Enterprise Risk Oversight (ERO), Crisis Response and Enterprise Business Continuity & Resiliency (EBCR) teams, helps AEP better understand the full picture of a risk and the disruptions it can cause.

AEP’s new 10,000-square-foot, state-of-the-art Tier 3 data center serves as the backup data center for disaster recovery.

ERO defines and oversees the consistent application of AEP’s risk management process in conjunction with our business units and operating companies. Application of the risk management process helps us identify strategic, financial, operational and regulatory risks, assess the threats and controls, evaluate the risk, plan mitigation strategies, and monitor risks for changing conditions.

Risks are reported by business units or operating companies to ERO. The Chief Risk Officer reports a summary view of risks to the Risk Executive Committee, which consists of senior leaders, to illustrate risk ranking and remediation dates and, ultimately, gain consensus on an action plan. This summary is then discussed and reviewed by the Audit Committee of the Board of Directors.

AEP’s Crisis Response team is responsible for the ongoing development and maintenance of emergency response plans and the associated strategies and actions to address our response to an event. Well-planned and executed responses can reduce the impacts to AEP and to our customers, shareholders and communities we serve.

The EBCR team defines and oversees AEP’s business continuity process and supports our business units and operating companies in planning and preparation. This support ensures our organization’s critical business functions and core assets – our people, equipment, technology, facilities and vendors – can continue to operate in the event of an emergency or can recover to an operational status within a defined timeframe. Plans are developed and tested to continuously improve our ability to effectively respond and recover in the event of an emergency.

The risk of a cyberattack is an example of a risk that could interrupt business operations and affect several of our core assets. In 2019, AEP strengthened its integrated cyber response plan, which defines various levels of an event and uses an Incident Command System (ICS) structure to outline roles and responsibilities for response personnel. The plan brings various business units from across the enterprise into a single, unified response and organizational reporting structure if a cyber-incident were to occur. We have conducted exercises through enterprise tabletop incident simulations to test the plan. The ICS structure is also used for other crisis events, including the coronavirus pandemic.

In 2020, AEP’s 10,000-square-foot, state-of-the-art Tier 3 data center became fully functional. This data center serves as the backup data center for disaster recovery, ensuring flexibility and reliability for business-critical applications. It serves as a critical component to AEP’s Cyber Security and Technology Reliability programs.

As we have seen through recent events in California, wildfires can represent a serious risk to the electric grid and surrounding areas. AEP has evaluated this risk, and while our exposure is significantly lower given the location of our service territory, we will continue to monitor it as part of our ongoing risk management process. In addition, AEP is participating in the new CEO-led task force launched by the Edison Electric Institute (EEI) to address the growing threat of wildfires to the power sector.

Data Privacy & Protection

AEP believes that strong data security and privacy protections, utilizing technology and internal policies and practices, are vital for effective and trusted interactions. To accomplish our objective, AEP is enhancing the protection of high-value data through improved data inventory practices, security protocols, data lifecycle management and leadership accountability. This aligns with AEP’s multi-year Personally Identifiable Information (PII) protection program that lays the foundation for this new initiative.

AEP continues to drive down the volume of PII storage repositories, achieving a reduction of 9% in 2019. In mid-2019, AEP completed a two-year project to deploy a Personal Data Portal to better protect the PII of incoming contractors. By the end of 2019, the Portal protected over 16,500 individual pieces of PII during electronic transit and significantly reduced the risk of unauthorized access, inappropriate use and accidental data loss.

AEP continues to leverage its Enterprise Data Privacy Governance Committee to revise our customer data privacy policy, address third-party risk of sharing customer data with aligned business partners, and better coordinate data access and privacy-related activities across our multiple jurisdictions. The Committee also monitors and coordinates our response to the changing legislative and regulatory landscape regarding data access and consumer privacy at the local, state and federal levels. The most consequential data access and privacy proceedings in 2019 were at the federal level, as well as in Ohio, Michigan, Virginia and Arkansas. AEP believes it is our corporate responsibility to advocate for prudent policies related to customer data access and consumer privacy regarding access, use, misuse, disclosure and loss.

The customer data privacy policy revision will incorporate a clearer commitment to customer privacy and data protection, details about the types of data AEP collects from its customers and website visitors, and better transparency into how we use customer data to provide electric power and related services. We remain committed to providing our customers with information about how customer data is collected, stored, protected, used and disclosed.

AEP recently engaged with a certified Capability Maturity Model Integration (CMMI) Institute Partner to facilitate a detailed analysis of its current data management practices against the Data Management Maturity (DMM)SM Model. The analysis provides precise measures and information about strengths and achievements, which can be leveraged. It also illustrates gaps, challenges and a number of specific improvements, as well as a roadmap for rapid acceleration of capabilities. The purpose is to improve and consolidate our data management practices so that we treat our data as an asset that supports our business operations appropriately and is “fit for business.” AEP is the first electric power company in the world to conduct a comprehensive evaluation of data management capabilities against the DMM, taking a leadership role in the industry.