
Risk management

Approach to risk management

Meridian operates an active programme to ensure ongoing risk management across the Group. The Risk Management Framework, Policy and Guidelines have been developed to meet ISO 31000 Risk management – Guidelines. Their purpose is to embed a consistent and integrated approach to risk management that supports delivery of Meridian’s strategic objectives and operational goals.

Governance Framework

The Board has overall responsibility for approving Meridian’s Risk Management Policy and Risk Appetite Statements, and ensuring risks are managed appropriately and effectively.  In exercising this responsibility, it delegates oversight of risk management activities to the Audit & Risk Committee. The Audit & Risk Committee consists of a minimum of three independent directors.  

The Audit & Risk Committee responsibilities include:  

  • Ensuring that management has established a risk management framework which includes policies, procedures and systems to effectively identify, treat and monitor principal business risks 
  • Evaluating the effectiveness of the company’s risk management policies, practices, procedures and systems 
  • Reviewing the company’s enterprise risks every six months, new and emerging risks every quarter and ESG risks (including enterprise cyber security and climate-related risks) at least annually, and ensuring mitigation measures are in place to deal with those risks  
  • Identifying risk reviews to be undertaken and included on the Board agenda and/or relevant Committee as appropriate 
  • Reviewing annually the company’s Emergency Management Plan. 

 The governance framework includes dedicated operational risk management functions:  

Operational Risk ownership (first line of defence)  

The first line of defence includes risk owners, who are responsible for identifying, assessing and managing their risks, ensuring mitigations and treatments are being delivered to plan, and subsidiary chief executives and general managers who have responsibility for ensuring risk management is undertaken across the Group and their subsidiary or business unit on an ongoing basis.  

Risk Management and Compliance oversight (second line of defence)  

A separate Group Risk function works with business unit and subsidiary risk champions who are responsible for ongoing monitoring and reporting of risks in their area, and other second line defence roles and functions who are responsible for setting control standards and overseeing compliance with them (e.g. Health and Safety, Compliance Managers and Security).  

The Group Risk function delivers risk management services independently across the Group, including:  

  • Maintaining the Risk Management Framework and Policy 
  • Compiling corporate risk reporting 
  • Ensuring risk management capability is in place across the business 
  • Monitoring and independent assessment of company risks 
  • Administering the Meridian risk management tool.  

The Group Risk function reports directly to Meridian’s Chief Financial Officer and maintains independence from the business by having no direct operational responsibility, to ensure that an objective and independent assessment of the risks faced by Meridian is provided. Additionally, the Group Risk function has a dotted reporting line directly to the Audit and Risk Committee, so has a direct channel for engagement with the Audit and Risk Committee outside of management involvement.

There are established roles and processes to monitor compliance with the Code of Conduct (which defines the behaviours expected when working for Meridian) and Meridian policies. Any breaches, including privacy breaches, are reported and escalated through formal channels. To support compliance processes, Meridian has established the following:

  • A Compliance Policy outlining responsibilities for each business unit to ensure processes are established to identify, report and prioritise compliance breaches  
  • Business unit roles established to support compliance activity. These are individuals embedded within business units who have and provide specific compliance and technical support in their chosen field(s) 
  • Monthly reporting of compliance breaches to Meridian’s Chief Executive and Board where applicable.  Any breach of Meridian policy, standards and procedures is viewed as a serious matter that will be addressed by management and may lead to disciplinary action 
  • Quarterly business assurance probity and fraud testing to test compliance with Meridian policy and processes (third line of defence) 
  • Regular review of Meridian’s compliance processes, including tracking and reporting, undertaken by an external third-party provider (third line of defence) 
  • Other third-party engagements which review compliance activity across key business process areas including health and safety, retail processes, resource consenting, building infrastructure, Dam Safety and Sustainability reporting (fourth line of defence).  

Independent Assurance (third line of defence)  

Meridian’s Business Assurance function, which operates in a co-sourced arrangement with Meridian’s outsourced internal auditors, is responsible for providing independent assurance on Meridian’s risk management and compliance activities and providing assurance that practices are aligned with risk strategy and policies, as implemented by the first and second line of defence.   

The Business Assurance programme is approved by the Audit & Risk Committee every six months. Audit findings are reported to the Audit & Risk Committee quarterly, which provides a level of assurance to the Committee and senior management that key risks are being managed adequately. Status updates on agreed management actions on any medium and high rated audit findings are also reported to the Audit & Risk Committee on a quarterly basis to provide comfort that these are being adequately closed.  

External Independent Assurance (fourth line of defence)  

Independent third-party assurance, including external audit and business unit driven reviews, provides impartial validation and oversight on how risks are being managed within Meridian.

Risk Management Processes

Integration of risk management processes  

Risk management is ingrained in all activities, including business planning, investment analysis, portfolio and project management and day-to-day operations. The Risk Management Policy, supporting framework and guidelines outline accountabilities and expectations to ensure risk management is integrated into processes, systems, culture and decision making. This ensures risk is proactively identified, assessed and mitigated across the Meridian Group. This is supported by regular risk management training as outlined in the risk culture section below.  

When undertaking projects and developing new assets, business units are supported by frameworks and processes which have risk management practices embedded. These processes include initial and ongoing risk identification workshops and monitoring of project risks, issues and trends to governance committees.   

Risk factors, including health and safety, commercial, vendor and delivery risks are considered during the development of new Retail energy products. Commercial, and if required, legal reviews are undertaken, with the Customer Leadership Team providing oversight of risks and decisions. Significant risks are captured and managed within Meridian’s risk management tool.   

In line with Global Reporting Initiative (GRI) standards, Meridian undertakes an objective assessment of the positive and negative impacts of our business activities that affect the environment, society and the economy, including human rights. The materiality assessment findings are integrated into our risk management processes and aligned to Meridian's key enterprise risks by the Risk and Sustainability functions. This ensures enterprise risks reflect material topics and their impacts, and that they have appropriate accountability and management, and align to company strategy. A gap assessment is undertaken to ensure new and emerging material issues are translated into risks that are appropriately managed and monitored in line with the Risk Management Policy.   

A tailored risk assessment approach has been developed for climate-related risks and opportunities. This is informed by methodologies outlined by the  Intergovernmental Panel on Climate Change and Aotearoa New Zealand’s National Climate Change Risk Assessment method report. This approach is supported by internal guidelines which establish clear roles and responsibilities, and provide an overview of the process of identifying, assessing, managing, and reporting on climate-related risks and opportunities, with specific alignment to Meridian’s overall enterprise risk management approach, including the Risk Management Policy. These guidelines were first introduced in 2024 and Meridian is currently working on fully implementing this framework.  

Meridian’s climate-related risks are assessed with the same ‘Low’, ‘Medium’, ‘High’ and ‘Extreme’ categories as the Group Risk Management approach. Climate-related risks assessed as ‘High or Extreme’ and requiring near-term action are included in the enterprise risk register. Applying a consistent approach to risk categories and integrating climate-related risks into the risk register enables Meridian to prioritise all risks (including climate-related risks) according to their impact in a consistent way.  

More information on the risks and opportunities of climate change on our business can be found in Meridian’s Climate Related Disclosure. 

Risk appetite and escalation 

Meridian’s Risk Appetite statements strike a balance between the potential benefits of innovation and growth in delivering our strategy, with the threats and risks that can impact our operations and people across Meridian’s four risk categories:  

  • People – Including impacts to staff, contractors, suppliers, customers and the public (including communities, iwi and mana whenua) 
  • Financial – Increased costs, loss of revenue and reduction in value  
  • Environmental – Impacts on the environment’s current baseline   
  • Reputational – Events that cause the deterioration of Meridian’s reputation.  

Meridian’s Risk Appetite statements are approved by the Board and are operationalised through risk escalation levels. These escalation levels, along with risk appetite statements, were developed as part of workshops with subject matter experts and subsequently validated through reviews by key stakeholders across the business including Executive members.

In accordance with the Risk Management Policy, risk owners review target likelihood and consequence ratings against the escalation levels, to determine whether further action can reasonably be taken to reduce the risk further. Oversight and challenge is provided from Risk champions and the Risk Function. Enterprise risks, where the target risk remains above escalation levels, are reviewed by the accountable General Manager and Chief Executive. High and extreme risks that remain above escalation levels will be reviewed by the Audit & Risk Committee.

The Audit & Risk Committee also reviews the company’s enterprise risks every six months and new and emerging risks every quarter against escalation levels and uses these when considering the appropriateness of target risk levels and mitigation strategies.

Risk exposure  

Priority enterprise risks 

Two priority enterprise risks included in reporting to the Audit & Risk Committee are outlined below as well as their mitigating actions:

Critical asset failure

Risk: Component part(s) of our generating assets may fail unexpectedly leading to substantial loss of generation and the potential for environmental damage, injury and loss of life.
Risk category: People, Environmental, Financial, Reputational
Current likelihood: Highly unlikely
Current consequences: Major
Mitigating actions: Mitigations include a range of engineering protections, ongoing internal and external expert assessments leading to planned engineering works, process safety practices and preventative maintenance activities. Meridian is currently investing in a multi-million-dollar automation upgrade of the Manapōuri site that will improve the monitoring and assessment of asset health in order to assist in managing this risk.

 

Adverse hydrological conditions

Risk: Dry periods or drought conditions in the Waitaki or the Waiau catchments may reduce water levels and significantly affect our generation capability.
Risk category: Financial, Reputational
Current likelihood: Unlikely
Current consequences: Serious
Mitigating actions: Meridian has a number of mitigations in place to manage water during a dry period, including wholesale hedge products and a demand response agreement with NZAS to enable demand response flexibility.


Emerging Risks 

Two long term emerging risks (3-5 years+) which are considered to have the most significant impact on the business in the future are outlined below as well as any mitigating actions that have been taken.  

Emerging risk 1: Thermal fuel risk
Category: Economic
Description: There is an industry wide risk to thermal fuel availability which is escalating due to dwindling gas investment and hence production. Reduced gas production, combined with the gas industry struggling to attract investors, may mean the electricity system places a greater reliance on coal whilst biomass options are proven.
Impact: This could result in increasing wholesale prices and greater carbon emissions which may in turn prompt regulatory intervention potentially increasing operating costs and impacting Meridian’s earnings.

Emerging risk 2: Peak Capacity
Category: Societal
Description: There is a risk of insufficient national generation and reserve offers to meet electricity demand and provide N-1 security while the margin of generation offered over peak periods will be tight compared to forecasted demand generally.
Impact: This could impact consumers and investor confidence and could result in market structural changes via regulatory intervention, which has the potential to impact Meridian’s future earnings.

Mitigating actions

Continuing to build our renewable generation portfolio (new wind and solar).

Exploring demand response and alternative products to manage electricity security.

Meridian has reviewed and adapted its asset management processes to reduce the likelihood of a peak capacity shortage event. Additionally, Meridian is also investing in the Ruakākā Battery Energy Storage System, which will make a significant contribution to the reliability of the overall electricity grid allowing more intermittent wind and solar renewable electricity generation to be efficiently accommodated within the system.


Privacy risk 

Privacy protection is a fundamental requirement of the overall operational risk and compliance management structures of Meridian, and the Privacy Policy requirements are embedded into the group-wide risk and compliance management programme and framework.  

This includes:   

  • The Business Assurance function conducts annual internal audits of Meridian’s privacy systems and procedures to ensure compliance with Meridian’s Group Compliance Policy. The findings of these audits are reported to the Audit & Risk Committee.   
  • Our Independent co-sourced partners conduct independent audits of our privacy systems and procedures, as part of Meridian’s 18-month Assurance Plan which is approved by the Audit & Risk Committee.  
  • Privacy Champions are embedded within the Business Units, who report to the Privacy Officer. These staff members undertake specialised privacy training and work with each Business Unit along with the Legal Team to develop knowledge within the business and ensure compliance with the Privacy Act.   
  • Meridian reviews and reports any privacy breaches on a monthly basis to the Board. Any potential breaches noted are investigated to remediate any weakness in the system(s), with amendments made as required to mitigate the identified risk.
  • ICT security has multiple data security and control processes in place that manage data privacy of related systems and processes across the business. For any new system or process introduced where customer data is collected, a risk assessment is undertaken to ensure appropriate controls are in place to protect customer data. 

Cyber security risk 

Meridian Energy is focused on proactively managing cyber risks. We aim to maintain safe, secure, and reliable information systems and operational technology infrastructure that supports Meridian’s business goals and upholds the trust of our customers, staff, and stakeholders.

Risk Culture

Training 

The following training and material is provided to Meridian staff to support a positive risk culture and raise awareness of risk management accountabilities and our risk management framework and processes:  

  • E-Learning modules outlining our Group risk management processes and how Meridian’s risk management tool can help staff to administer, track and manage risk effectively.   
  • Risk Management tool ‘explainer videos’.  
  • Tailored in-person risk management training for leadership teams and staff.  

Meridian requires all Directors to participate in an induction process coordinated by the Company Secretary, which provides a smooth transition for new Board members.  The induction process for Directors includes fulsome briefings from Executives on Meridian’s structure, strategy, business operations, the sectors and environments in which we operate, our material risks and our people. All Directors undertake a yearly visit of one of our generation sites on a rotating basis, with the opportunity to attend an additional site with the Safety and Sustainability Committee who visit two sites annually.  

We also have a continuing education programme in place for Directors and other professional development opportunities to further develop their skills and knowledge. In addition, a wide variety of training modules relating to different aspects of Meridian’s business are also available to Directors.  

The FY24 education programme included: 

  • Board site visits to the Harapaki Wind Farm in Hawke’s Bay, Benmore and Waitaki Power Stations to understand the relevant teams, people and assets at an operational level, focusing in particular on health and safety attitudes, culture and practices.  
  • Board Tech Study Tour to Australia and the USA to understand new customer trends, innovative business models and the impact of disruptive technologies on the current and future electricity system.  
  • Ongoing education sessions, updates and training on various risk topics including NZX and ASX continuous disclosure requirements, Meridian’s internal transfer price methodology, solar storms and their potential impact on the electricity system, the legal structure of joint venture operations, including for the Te Rere Hau wind farm repowering project, and the range of issues currently impacting the New Zealand gas sector.

The education programme provided to the Directors varies each year depending on specific focus areas and rotation of visits to the generation sites. This is decided between the Chair, Directors and Management with consideration of the following topic areas: Legal and Regulatory, Leadership and Governance, Risk Management and any other topics of interest.

Risk management incentive metrics  

Meridian’s annual report provides a detailed description of its approach to remuneration. Pay for Executives includes a 30% Short term incentive (STI) component and 50% for the Chief Executive. Up to 40% of the STI is based on performance against a Board-approved scorecard. When annually setting and assessing performance against the Executive Scorecard, the Board considers key initiatives that are designed to address material risks, opportunities and to execute Meridian's strategy. In FY24 this included the following performance areas:  

Performance area: Decarbonisation Led Growth
Description: Complete Harapaki project and deliver the FY24 stage of the Ruakākā battery project within the revised cost, time and quality envelope (while completing the project safely). Lodge two more consents and have a clear line of consent paths for other development sites
Enterprise risk: Development pipeline

Performance area: NZAS closure mitigation
Description: Have confidence in 1,000GWh of new consumption while finding ways to conclude NZAS and support meaningful progress of a scale hydrogen facility in Southland.
Enterprise risk: Demand Risk

Performance area: Investment Stability
Description: Regulatory influence shapes continued decarbonisation of the economy at speed through electricity market.
Enterprise risk: Change in regulation

Performance area: Optimise business performance
Description: Meet targeted lift in peaking capacity across wind and hydro fleet in FY24, deliver a prioritised list of generation asset capacity and operational flexibility options, initiate a trial predictive management system and demonstrate clear business improvements driven by a change in data utilisation.
Enterprise risk: Peak Capacity

Permanent employees may participate in variable pay via a short-term incentive (STI) scheme at the discretion and invitation of the Board. The STI is an at-risk incentive, which is offered for a specific year. Potential STI payments reflect achievement of certain company profit levels and individual performance objectives aligned to business strategy and goals. For example, this may include individual objectives relative to operational risk.  

Risk Management Audit  

In line with best practice, the Business Assurance 18-month programme includes regular internal audits of Meridian’s risk management framework, including methods, tools and processes measured against best practice and standards. These are conducted by an independent external provider who sits outside Meridian’s co-sourced Business Assurance function on a two-year cycle. The last audit conducted in May 2024 assessed the effectiveness of the risk management framework and maturity of Meridian’s risk management processes. The overall review rating was assessed as good, which is the highest rating, indicating that the control environment is strong. Some low-level improvement opportunities were identified to support further maturity. 

Meridian’s Risk Management Policy outlines specific responsibilities for risk management at Meridian.