AEP Sustainability - Risk Management

Enterprise Risk & Resiliency

AEP’s Enterprise Risk & Resiliency team works with business units and operating companies to proactively identify and mitigate risks, and to respond to and recover from disruptive events. With the collaboration between the Enterprise and Operational Risk teams, the Enterprise Business Continuity Resilience (EBCR) team and the Crisis Response team, AEP is able to see the full picture of a hazardous or threat event.

The team is continuously looking for strategic, financial, operational and regulatory risks across the enterprise, and working with the business units and operating companies to apply our risk management framework. This is the process we use to identify risks, assess the risks and controls, plan mitigation strategies and monitor risks. This process informs and prioritizes asset replacement strategies and enables us to make risk-based investment management decisions.

AEP’s EBCR team provides support to the business units and operating companies for planning, preparation and related activities. This support ensures our organization’s critical business functions and core assets – our people, equipment, technology, facilities and vendors – will either continue to operate in the event of an emergency, or be recovered to operational status within a defined timeframe.

Business continuity planning prepares the enterprise when an event happens that disrupts our operations. The threat of a cyber or physical attack or workplace-related incident is a risk for AEP, as are many other events that could interrupt business operations in one or all of our facilities.

In 2018, our Cyber Attack Resiliency Program focused on protecting AEP’s data from a data destruction event, created operational strategies to sustain the business through an extended business disruption and tested the response and recovery through an enterprise tabletop exercise.

In addition, in 2018, construction began on AEP’s backup data center. This data center will replace our current disaster recovery center. The 10,000-square-foot space is expected to be fully operational by 2020 and will serve as the backup data center for disaster recovery while providing flexibility for business-critical applications and greater resiliency. AEP’s Crisis Response team drives emergency management planning and preparedness that provides a coordinated and standardized approach to responding to emergencies. This team is responsible for maintaining and exercising AEP’s enterprise-wide emergency oversight structure, which includes roles and responsibilities for all levels of leadership and each specific response plan.

Significant environmental, social, and governance (ESG) issues, including climate change impacts, are identified and assessed, and mitigation plans are developed through AEP’s enterprise risk management process. In 2019, we identified ESG and wildfires as additional risks we are monitoring.

As we have seen through recent events in California, wildfires can represent a serious risk to the electric grid and surrounding areas. AEP has evaluated and will continue to evaluate as part of its ongoing enterprise risk management function the risk of wildfires to its system. To the extent that significant risks are identified, the company will appropriately assess and mitigate these risks as it does other enterprise level risks. In addition, the Edison Electric Institute (EEI) has launched a new CEO-led task force to address the growing threat of wildfires to the power sector, and AEP is participating in this ongoing effort.

We have an obligation to maintain reliable service while keeping our customers and our employees safe. We test our plans to continuously improve our ability to effectively respond and recover in the event of an emergency.

Data Privacy and Protection

AEP collects a significant amount of personal data from customers, employees and business partners. When they share information with us, we have a responsibility to protect it. AEP’s Personally Identifiable Information (PII) Data Protection Program seeks to protect and secure the personal data we maintain.

For example, outbound emails containing PII are encrypted or blocked if they are not. We also ask PII owners to confirm they need the data and that it is properly protected. We also use a Personal Data Portal that allows PII to be securely transferred into AEP when new contractors come onboard, including information that was historically transmitted via email or telephone.

Another way we are protecting the data we collect is to classify it based on its sensitivity. In early 2019, we deployed a data classification tool to make it easier for employees to properly classify data before sharing it. This helps us to strengthen our data protection program and is a part of our ongoing efforts to build an industry-leading cyber security program.

AEP continues to advance our data loss prevention program, bolstered significantly by the new data classification tool. We are expanding our focus to prevent the unsecured transmission of other sensitive information, the loss of which can have significant regulatory compliance ramifications. Alerts generated from the data loss prevention tools result in comprehensive response and correction measures, and generate prompts to employees informing them of the appropriate methods of securely transferring sensitive information to external parties.

We are organizing a formal, enterprise-wide data privacy program to weave together our privacy risks, customer data monitoring and protection, and controls to prevent the unauthorized loss or misuse of customer data. While we have had customer data privacy disciplines within the company for years, they have been isolated within each operating company and business unit without a methodology to ensure that privacy practices are not only effective but also consistent across our business and evaluated regularly for improvement opportunities.

To support this, we formed a data governance program focused on defining and sustaining the trustworthiness and “fitness-for-purpose” of data. In the first year of operation, we created governing bodies in three lines of business that are accountable for decision making, priority setting and resource allocation. In addition, data governance and data stewardship roles and activities were formalized through policies, standards, and the addition of tools and technologies for data quality assessment and management. Through this program, we will better understand where data is located and develop methodologies to improve how we manage data across the enterprise.