Energy and critical infrastructure companies are among the most highly regulated entities in the United States. In addition to multilevel regulatory oversight, these companies face ever-increasing scrutiny from investors, customers and the public at large. Stakeholders expect these companies to implement robust processes to effectively manage risk. With mounting pressure for increased transparency, it is crucial that companies adopt integrated risk management throughout their enterprise, where the general counsel plays a key role.

GENERAL COUNSEL IS UNIQUELY QUALIFIED TO UNDERSTAND THE IMPORTANCE OF NOTICE OF RISK

A company’s failure to adequately address known risks or to avoid foreseeable consequences can have devastating results. The industry’s collective experience is littered with examples of escalated enforcement and litigation arising from allegations that a company’s leadership did not properly address known risks. Consider the following examples.

PG&E Camp Fire

In November 2018, the deadliest wildfire in California’s history was started by a failure of a 99-year-old electrical tower (Tower 27/222), killing 85 people and destroying 19,000 buildings. In 2020, Pacific Gas and Electric Co. (PG&E) plead guilty to 84 separate counts of involuntary manslaughter and one felony count of unlawfully starting a fire. PG&E received the maximum allowable fine of $3.5 million and agreed to a $25.5 billion settlement fund.[1]

A year-long investigation conducted by the Butte County district attorney concluded that outdated power lines had sparked the fire known as the “Camp Fire.” The focus of the investigation and subsequent public outcry centered on allegations that the company had ignored known risks. The media reported: “Long before the failure suspected in the Paradise fire, a company email had noted that some of PG&E’s structures in the area, known for fierce winds, were at risk of collapse. It reported corrosion of one tower so severe that it endangered crews trying to repair the tower. The company’s own guidelines put Tower 27/222 a quarter-century beyond its useful life – but the tower remained.”[2]

Colonial Pipeline Cyberattack

Throughout 2020, the Pipeline and Hazardous Materials Safety Administration (PHMSA) conducted an inspection of Colonial Pipeline’s customer relationship management (CRM) procedures and records for locations in New Jersey, Louisiana, North Carolina and Georgia. Shortly after the inspections concluded, PHMSA gave notice to Colonial that it was in probable violation of several pipeline safety regulations. Among the findings noted in PHMSA’s Notice of Probable Violation (NOPV) were Colonial failed to conduct proper point-to-point verification and failed to prepare an adequate communication plan for manual operation of the pipeline.[3] Less than a year later, the lack of a plan for manual operation is alleged to have contributed to the national impacts when the pipeline remained out of service after a cyberattack. PHMSA proposed a civil penalty close to $1 million.[4] “The 2021 Colonial Pipeline incident reminds us all that meeting regulatory standards designed to mitigate risk to the public is an imperative,” said PHMSA Deputy Administrator Tristan Brown.[5]

Hawaiian Electric Co. (Maui Wildfires)

In August 2023, a wildfire broke out on Maui that killed over 100 people, and rescue efforts were still underway in Hawaii as of September 2023. Maui County filed a lawsuit against Hawaii Electric Co. (HECO). The lawsuit alleges that HECO was warned of the circumstances that caused the fire a year earlier, referring to a 2022 shareholder report stating that climate change and the resulting effects would be a substantial factor to consider as wildfires increased across the state. Maui County has argued that HECO should have de-electrified many of its electrical wires as Hurricane Dora neared Hawaii with Category 4 winds forecast to hit Maui the day of the fire. The expected cost of the Maui wildfires is estimated at around $5.52 billion to rebuild and does not include any lawsuits that may arise in the coming months and years. HECO has denied responsibility, but the full impact of this incident may not be known for years.

Navitas Pipeline Incident

In 2018, a gas line owned by Navitas Midstream LLC in Midland, Texas, exploded and caused a fire that burned for over an hour, impacting another gas line directly above the Navitas line, which then caused another explosion that killed one Navitas employee and grievously injured first responders. Navitas had 300 leaks reported in the three years they had owned the line prior to the incident, giving rise to allegations of ample notice without mitigating the risk.

These and similar incidents highlight the need for companies to properly identify inherent risks, implement controls and actively monitor and manage residual risk. Enterprise risk management is ineffective if the process happens once a year and sits on a shelf. General counsel has a unique role in this process. As a member of senior management and an advisor to the board, the general counsel’s role entails more than merely managing legal risks. General counsel also validates their enterprise's risk framework, governs risk processes, understands their company’s material risks and controls and verifies that external facing statements are accurate, reasonable and consistent with their company’s actions.

GENERAL COUNSEL ADDS PERSPECTIVE THAT TECHNICAL SUBJECT MATTER EXPERTS (SMES) MAY LACK

Functional groups tend to view risk from tactical and siloed perspectives. While general counsel cannot, and would not desire to, replace SMEs, the nature of the general counsel’s role provides an enterprise-wide field of vision. Some legal departments treat risk management as a compliance issue, but not all risks can be managed through a rules-based paradigm. Additionally, not all risks an enterprise faces will fit neatly into a predefined compliance program.

Asking the right questions can help in avoiding unintended consequences. For example, prioritizing work or replacement of assets involves technical expertise, but justifying which assets are prioritized and documenting how those decisions were made can save a company from allegations of ignoring risk or failing to evaluate consequences. Companies can survive mistakes but will have a more difficult time defending action or inaction absent a robust process supporting the approach taken. The reasonableness of that process can be the difference between a regrettable incident and a devastating, company-ending failure. Beyond asset management and integrity management, the general counsel has a view into operational, budgetary and regulatory workforce management. This enterprise-wide perspective uniquely avails the general counsel of the opportunity to anticipate risks and threats, allowing the company to respond more efficiently and economically than when it must rely on after-the-fact issue management.

GENERAL COUNSEL IS THE BEST POSITION TO UNDERSTAND THAT WORDS MATTER

The stakes have never been higher for ensuring clear and effective communication.

Environmental, social and governance (ESG) disclosures, corporate responsibility messaging and environmental reporting continue to be under a bright spotlight. In some cases, the desire of companies to jump on the ESG bandwagon put messaging before actual programs and created risk for companies whose commitments were principally aspirational. ESG ratings, with varying models and unvalidated scoring, gave rise to a proliferation of sustainability messaging and broad commitments to green and clean practices without a solid connection to process, practices and measurable progress.

In response to wide-ranging variations in disclosures and the perceived difficulty for investors to assess climate-related financial risks, the U.S. Securities and Exchange Commission (SEC) published a final rule to standardize climate-related disclosures for investors on March 6, 2024. The rule was built upon the Taskforce on Climate-Related Financial Disclosures (TCFD) framework and requires disclosure of material information related to the management of climate-related risks, with metrics including greenhouse gas emissions.[6]

Greenwashing is now a dictionary-defined term[7] and part of our vernacular. From unsupported claims to overexaggerated environmental benefits, corporations have been called out for allegations of deceptive and misleading messaging in advertising and mainstream corporate reporting. Until 2017, the total number of climate litigation cases was 884 across a total of 24 countries, with 654 of these cases being in the United States.[8] As of July 1, 2020, the number of cases has nearly doubled, with 1,200 cases filed in the United States and 350 filed in 37 other countries combined.[9] The litigation includes both claims around failure to adequately disclose material climate change risks to investors and claims of false or misleading statements about efforts to address environmental and climate-related impacts.

Even well-intentioned environmental commitments can backfire if they are not tied to demonstrable investment and measurable progress. In the context of hyperpoliticized attention being paid to fossil fuel companies, messaging must be examined with a critical eye. The general counsel is often in the best position to ask the right questions to map messaging to programs, practices and metrics. Simply put, the general counsel should evaluate whether the messaging passes the red-face test.

GENERAL COUNSEL UNDERSTANDS HOW TO MANAGE ETHICAL OBLIGATIONS

Effective communication and transparency with regulators are essential. However, multiple channels for communication may create risk, particularly where personal and professional lines become blurred. Emails and texts can trend toward more informal communication than traditional correspondence. Without guardrails in place to define and enforce rules of engagement, agency staff and company personnel may inadvertently step over ethical lines.

There have been several instances covered in the media purporting to demonstrate inappropriate familiarity between regulated companies and regulators. For example, in the aftermath of the PG&E San Bruno pipeline incident, thousands of emails were uncovered between high-ranking California Public Utilities Commission (CPUC) staff and PG&E regulatory affairs officers. Some of the emails included PG&E asking for off-the-record favors, such as a change of focus for commission audits. Other emails included PG&E’s former vice president of regulatory affairs making dinner invitations and discussing sharing bottles of wine with the CPUC president. The communications led to significant penalties for PG&E and forced resignations for PG&E and CPUC.[10]

In 2018, texts were disclosed between an Arizona corporation commissioner and Arizona Public Service lobbyists, where the commissioner appeared to commiserate and strategize with the utility. The texts were characterized by the media as “playing digital footsie with those they regulate.”[11] The long-term consequences for the energy industry are that these cases shake the public’s trust and create avoidable obstacles to achieving corporate goals.

No one is positioned better than the general counsel to provide governance for regulatory interactions and, in doing so, advise on how to avoid these potential ethical conflicts. Controls to address this risk should include training, written policy and internal oversight.

GENERAL COUNSEL CAN DETECT SHINY OBJECT SYNDROME

The development of novel ideas, programs and practices are good, but they can have unintended consequences. Where company action is driven by a perceived need to match or outpace efforts taken at peer companies, the risk of producing unintended consequences rises dramatically. Assessing risk in advance of pursuing a change allows for the evaluation of the true cost against anticipated benefits for the specific enterprise contemplating the change. What works well for one company may not work well for another, and identifying the risks related to a new project or commitment from an organizational, operational and stakeholder perspective is critical.

Committing to a sea change is easy to say but hard to properly implement. Multiyear commitments of resources can compete with other corporate goals and objectives. General counsel should be asking critical questions on the management of change in advance of any bold statements committing to a path forward. Understanding who will be impacted, what work will change and what the potential risks are will be the key to success. Establishing and maintaining realistic expectations around how long a program will take to implement and planning stage gates to determine next steps safeguards against prematurely abandoning an initiative for the next shiny object. A fulsome analysis of the project components and budget variables is needed to manage messaging so the company does not have to walk back commitments or projections in response to foreseeable complications. 

HOW TO ENGAGE WITH INTERNAL CLIENTS ABOUT RISK MANAGEMENT

It is important for the general counsel to consistently think beyond defensibility to strategic, holistic, integrated risk management. The first step in that process is to gather information to determine the current state of your company’s risk management. Start with the basics. Determine how many risk registers the company currently maintains. The answer may surprise you. Many companies have multiple risk registers that have been created in functional departments or corporate divisions. Multiple risk registers may include conflicting data and competing priorities. These siloed risk registers are evidence of the company’s notice of risks that may never have been escalated to senior leadership in a meaningful way. They may demonstrate a lack of understanding about relative risk, use over or underrated risk scoring and may have been created to make a case for funding. Importantly, they are generally discoverable, and the siloed nature in which they are maintained does nothing to absolve the company of having been on notice about the entire contents of each risk register.

Dive into the process to determine the effectiveness of the company’s risk management process. Here are some questions to get you started:

• What is the current risk process for identifying, assessing, scoring, prioritizing and managing risk?
• How are changes to risk management – including controls – evaluated, communicated and implemented?
• How integrated are risk decisions?
• Who is involved and at what level?
• How is the risk-management process governed? Are the doers also accountable for governance?
• Are there multiple processes to determine materiality, and who manages that process?
• What does assurance look like enterprise-wide? Are there independent processes in place to determine whether existing controls have been implemented as designed and are effectively addressing risk?
• Effective risk management does not happen once a year. Ask questions to verify how risk is managed and monitored on a daily, weekly, monthly and quarterly How is it documented? What tools facilitate monitoring of risk by senior leadership?

CONCLUSION

Regardless of whether your company is taking the first step or the 100th step at maturing an integrated risk management process across the enterprise, the work is valuable. At every stage, it is worth the time and resources to affect outcomes proactively and safeguard strategic goals. By implementing and monitoring controls, the company can reduce the likelihood of a risk event as well as mitigate potential consequences. For a general counsel who has not historically had a seat at the table to discuss the company’s risk processes, consider this your call to action. Your duties to the company as a member of senior management and as an advisor to the board require you to have visibility of potential vulnerabilities across the enterprise. It is no longer enough to validate compliance and manage litigation. Stakeholders are more sophisticated than ever before. They know the questions to ask. Be prepared to answer the question, “How do you know the company is effectively managing risk?”

---

ABOUT THE AUTHOR

Charlene Wright is managing partner of Wright & Associates, a law firm focused on environmental, regulatory, transactional, risk management, corporate governance, compliance and ethics, and litigation on behalf of energy and infrastructure companies. She is licensed to practice in Texas, Oklahoma, Missouri, Kansas and Illinois and has handled litigation in 14 states in both federal and state courts.

---

ENDNOTES

[1] National Public Radio, “PG&E Pleads Guilty On 2018 California Camp Fire: ‘Our Equipment Started That Fire,’” https://n.pr/49OBwkp.

[2] New York Times, “California Wildfires: How PG&E Ignored Risks in Favor of Profits,” https://bit.ly/3xynshg.

[3] U.S. Department of Transportation, https://bit.ly/4d7mCZp.

[4] U.S. Department of Transportation, https://bit.ly/3TXHDgl.

[5] Id.

[6] Federal Register, https://bit.ly/3UcfMKC.

[7] “Greenwashing,” Merriam-Webster, https://bit.ly/3VUDkok (last visited Nov. 2, 2022).

[8] Subodh Mishra, “The Rise of Climate Litigation,” Harvard Law School Forum on Corporate Governance (March 3, 2022).

[9] U.N. Environment Programme; “Global Climate Litigation Report: 2020 Status Review” (Jan. 26, 2021), https://bit.ly/3UepzQe.

[10] KQED, “10 Emails That Detail PG&E’s Cozy Relationship With Regulators,” https://bit.ly/3VOMumu.

[11] AZCentral, “Texts show utility regulator Andy Tobin is way too cozy with APS,” https://bit.ly/3VXv6w0.