AEP Sustainability - Risk Management

Risk & Resiliency

AEP faces many different risks to our business that we must manage. Fueled by major events such as the global pandemic; racial, social and political unrest; extreme weather; and security breaches, companies require dynamic and agile risk management efforts now more than ever. As we navigate the unpredictable future, we must identify the appropriate levels of risk management while simultaneously detecting and deflecting new potential risks and weaknesses. This is imperative to keep pace with the ever-changing environment around us while adapting to the next level of normal.

Enterprise Risk Oversight (ERO) defines and oversees the consistent application of AEP’s risk management process, as noted below, in conjunction with our business units and operating companies. Application of the risk management process helps us identify strategic, financial, operational and regulatory risks, assess the threats and controls, evaluate the risk, plan mitigation strategies and monitor risks for changing conditions.

Our risk management process is used to facilitate the identification of a risk and discussion on the possible consequences resulting from the event.

Risks are reported by business units or operating companies to ERO. The Chief Risk Officer reports a summary of risks to the Risk Executive Committee, which consists of senior leaders, to illustrate risk ranking and planned mitigations. This summary of risks is then discussed and reviewed by the Audit Committee of the Board of Directors.

Identifying and managing risk is one part of the equation; it is equally important to be prepared in the event a worst reasonable case occurs – such as the loss of a data center or a global pandemic. Our Enterprise Resilience team functions on a 24 x 7 x 365 basis and is charged with sustaining the enterprise’s emergency management and business continuity capabilities. Our Emergency Management Core Plan aligns with the National Incident Management System and adopts the principles of the incident command system, which government agencies across the U.S. use to respond to local emergencies and large disasters. Our emergency management framework is an integral part of how we efficiently respond to and manage events to keep critical operations functioning.

To prepare, the Enterprise Resilience team works closely with ERO to identify the drivers that could trigger an event; the controls for preventing it or reducing the frequency of it occurring; and mitigation strategies if it does occur. We try to anticipate high-impact, high-probability events to prepare for the ripple effects they could have and to limit the negative consequences. We’ve established business unit-based and hazard-specific plans aligned to our emergency management framework to manage the strategic response. Business unit and operating company-specific resilience plans are in place to protect our critical and non-critical processes to support continuity of operations during business disruptions.

This framework proved critical in responding to the COVID-19 pandemic, when the Enterprise Infectious Disease Response Plan was activated, guiding preparedness activities ahead of the pandemic and ensuring a comprehensive and coordinated response. Learn more in the COVID-19 section.

The global pandemic is an example of a risk that could interrupt business operations. In 2020, we strengthened the existing business continuity plans that support critical and non-critical business processes. These plans were expanded to include more depth around loss of facilities, personnel and supply chain due to coronavirus impacts. This was to ensure all business functions and assets – critical and non-critical – could continue to operate during the pandemic with little to no disruption. Well-planned and executed responses can reduce the impacts to AEP and to our customers, shareholders and communities we serve.

Our business continuity plans evaluate:

  • Our business resilience plans, which include continuity and emergency response plans, serve as important training tools to prepare our workforce to respond and recover when an event occurs. During event response and recovery, real-time adjustments are made based on planning assumptions specific to the event size, complexity, and timing.
  • Prioritization of critical business process recovery with consideration for special circumstances or cyclical events that may worsen the impacts of the disruption.
  • Staffing considerations for critical business processes and identification of niche or highly specialized skillsets.
  • Adequacy of workarounds specific to the event complexity and estimated time to recover critical business processes.

Third-party vendors, contractors/consultants, and outsourced partners are also key to our business continuity in a crisis. Business units and operating companies within AEP that own these relationships must review the external party’s business resilience plans to determine whether or not they meet our criteria and to guide adjustments that may be required to our response and business recovery capabilities.

We believe that strong data security and privacy protections, using technology and internal policies and practices, are vital for effective and trusted interactions. To accomplish this, we are enhancing the protection of high-value data through improved data inventory practices, security protocols, data lifecycle management and leadership accountability. This aligns with our multi-year Personally Identifiable Information (PII) protection program that lays the foundation for this new initiative.

For several years, we have focused on minimizing the volume of PII storage repositories to better protect employee, customer and contractor PII. In 2020, we expanded our PII protection program as we transitioned more than 60% of our workforce to remote work. Working remotely opened up new vulnerabilities that required adopting enhanced data security protocols, such as tightening administrative controls around installing personal printers on company devices and printing sensitive company documents.

We continue to leverage the Enterprise Data Privacy Governance Committee to update our Privacy Policy, address third-party risk of sharing customer data with aligned business partners, and better coordinate data access and privacy-related activities across our multiple jurisdictions. The Committee also monitors and coordinates our response to the changing legislative and regulatory landscape regarding data access and customer privacy at the local, state and federal levels. We have a responsibility to advocate for prudent policies related to data access and customer privacy regarding collection, notice, use, misuse, disclosure, retention, destruction and loss.

AEP’s Privacy Collaboration Efforts:

  • Enterprise Data Privacy Governance Committee
  • Internal stakeholder partnerships
  • Privacy Champions
  • Privacy Legislation and Regulatory Risk Working Group
  • Enterprise Risk Register

Our Privacy Policy incorporates a clear commitment to customer privacy and data protection, includes details about the types of data we collect from our customers and website visitors, explains how customers can access the data and offers information regarding how we use customer data to provide electric power and related services. We remain committed to providing our customers with information about how customer data is collected, stored, protected, used and disclosed.