Risk management

Approach to risk management

Meridian operates an active programme to ensure ongoing risk management across the Group. The Risk Management Framework, Policy and Guidelines have been developed to meet ISO 31000 Risk management – Guidelines. Their purpose is to embed a consistent and integrated approach to risk management that supports delivery of Meridian’s strategic objectives and operational goals. 

Governance Framework

The Board has overall responsibility for approving Meridian’s risk management policy and appetite/tolerance levels and ensuring risks are managed appropriately and effectively.  In exercising this responsibility, it delegates oversight of risk management activities to the Audit & Risk Committee. The Audit & Risk Committee consists of a minimum of three independent directors. 

The Audit & Risk Committee responsibilities include: 

  • Ensuring that Management has established a risk management framework which includes policies, procedures and systems to effectively identify, treat and monitor principal business risks.
  • Evaluating the effectiveness of the company’s risk management policies, practices, procedures and systems. 
  • Reviewing the Company’s enterprise risks every six months, new and emerging risks every quarter and ESG risks (including enterprise cyber security and climate-related risks) at least annually, and ensuring mitigation measures are in place to deal with those risks. 
  • Identifying risk reviews to be undertaken and included on the Board agenda and/or relevant Committee as appropriate. 

 

The governance framework includes dedicated operational risk management functions: 

Operational Risk ownership (first line of defence) 

The first line of defence includes risk owners, who are responsible for identifying, assessing and managing their risks and ensuring mitigations and treatments are being delivered to plan, and Subsidiary Chief Executives and General Managers, who have responsibility for ensuring risk management is undertaken across the Group and their Subsidiary or business unit on an ongoing basis. 

Risk Management and Compliance oversight (second line of defence) 

A separate Group Risk Function works with Business Unit and Subsidiary risk champions, who are responsible for ongoing monitoring and reporting of risks in their area, and with other second line of defence roles and functions, which are responsible for setting control standards and overseeing compliance with them (e.g. Health and Safety, Compliance Managers and Security). 

The Group Risk Function delivers risk management services independently across the Group, including: 

  • maintaining the Risk Management Framework and Policy; 
  • compiling corporate risk reporting; 
  • providing support and training to Risk Champions, Risk and Treatment Owners and project managers/sponsors; 
  • monitoring and independent assessment of company risks; and 
  • administering the Meridian risk management tool. 

The Group Risk Function reports directly to Meridian’s Chief Financial Officer. It maintains independence from the business by having no direct operational responsibility, which ensures that objective and independent assessments of the risks faced by Meridian are provided. Additionally, the Group Risk Function has a dotted reporting line directly to the Audit and Risk Committee, giving it a direct channel for engagement with the Committee outside of Management involvement. 

Meridian’s Code of Conduct defines the behaviours expected when working for Meridian. There are established roles and processes to monitor compliance, with any breaches of the Code of Conduct and Meridian policies, including privacy breaches, reported and escalated through formal channels. To support compliance processes, Meridian has established the following: 

  • A Compliance policy outlining responsibilities for each business unit to ensure processes are established to identify, report and prioritise compliance breaches. 
  • Business unit roles established to support compliance activity. These are individuals embedded within Business Units who have and provide specific compliance and technical support in their chosen field(s). 
  • Monthly reporting of compliance breaches to Meridian’s Chief Executive and Board where applicable. Any breach of Meridian policy, standards and procedures is viewed as a serious matter that will be addressed by management and may lead to disciplinary action. 
  • Quarterly Business Assurance probity and fraud testing to test compliance with Meridian policy and processes (third line of defence). 
  • Regular review of Meridian’s compliance processes, including tracking and reporting, undertaken by an external third-party provider (third line of defence). 
  • Other third-party engagements which review compliance activity across key business process areas including health and safety, retail processes, resource consenting, building infrastructure, Dam Safety and Sustainability reporting (fourth line of defence). 

Independent Assurance (third line of defence) 

Meridian’s Business Assurance function, which operates in a co-sourced arrangement with Meridian’s outsourced internal auditors, is responsible for providing independent assurance on Meridian’s risk management and compliance activities and providing assurance that practices are aligned with risk strategy and policies, as implemented by the first and second line of defence.  

The Business Assurance programme is approved by the Audit & Risk Committee every six months. Audit findings are reported to the Audit & Risk Committee quarterly which provides a level of assurance to the Committee and senior management that key risks are being managed adequately. Status updates on agreed management actions on any medium and high rated audit findings are also reported to the Audit & Risk Committee on a quarterly basis to provide comfort that these are being adequately closed. 

External Independent Assurance (fourth line of defence) 

Independent third-party assurance, including external audit and business unit driven reviews, provides impartial validation and oversight of how risks are being managed within Meridian.

Risk Management Processes

Integration of risk management processes 

Risk management is ingrained in strategic and operational activities, including business planning, investment analysis, portfolio/project management and day-to-day operations. The risk management policy, supporting framework and guidelines outline accountabilities and expectations to ensure risk management is integrated into processes, systems, culture and decision making, ensuring risk is proactively identified, assessed and mitigated across the Meridian Group. This is supported by regular risk management training as outlined in the risk culture section below. 

When undertaking projects and developing new assets, business units are supported by frameworks and processes which have risk management practices embedded. These processes include initial and ongoing risk identification workshops and monitoring of project risks, issues and trends to governance committees.  Risk factors, including health and safety, commercial, vendor and delivery risks are considered during the development of new Retail energy products. Commercial, and if required, legal reviews are undertaken, with the Customer Leadership team providing oversight of risks and decisions. Significant risks are captured and managed within Meridian’s risk management tool.  

In line with Global Reporting Initiative (GRI) standards, Meridian undertakes an objective assessment of the positive and negative impacts of our business activities that affect the environment, society and the economy, including human rights. To integrate the results from this materiality assessment into our risk management processes, impacts are reviewed against and aligned to Meridian’s key enterprise risks by the Risk and Sustainability functions. This ensures enterprise risks reflect material topics and their impacts, and that they have appropriate accountability and management, and align to company strategy. A gap assessment is undertaken to ensure new and emerging material issues are translated into risks that are appropriately managed and monitored in line with the Risk Management Policy.  

Risk appetite and tolerance 

Meridian adopts a managed approach to risk that sets tolerances for appropriate risk-taking depending upon the consequences and likelihood of the risks’ occurrence, and the potential associated benefits or opportunities. These tolerance levels, along with risk appetite statements, were developed in workshops with subject matter experts and subsequently validated through reviews by key stakeholders across the business, including Executive members. They have been approved by the Board and strike a balance between the potential benefits of innovation and growth in delivering our strategy and the threats and risks that can impact our operations and people across Meridian’s four risk categories: 

  • People – Including impacts to staff, contractors, suppliers, customers and the public (including communities, iwi and mana whenua)  
  • Financial – Increased costs, loss of revenue and reduction in value 
  • Environmental – Impacts on the environment’s current baseline  
  • Reputational – Events that cause the deterioration of Meridian’s reputation. 

Risk appetite is operationalised through the risk tolerance levels, which are aligned with the risk appetite statements and outline the maximum risk level the business is prepared to take on specific risks for each of the four risk categories. In accordance with the Risk Management Policy, risk owners review target likelihood and consequence ratings against the tolerance levels, with oversight and challenge from Risk champions and the Risk Function. Enterprise risks where the target risk sits outside tolerance levels are reported to the accountable General Manager and Chief Executive for approval, with high and extreme risks that sit outside tolerance levels being reported to the Audit & Risk Committee. 

The Audit & Risk Committee also reviews the company’s enterprise risks every six months and new and emerging risks every quarter against tolerance levels, and uses these when considering the appropriateness of target risk levels and mitigation strategies. 

Risk exposure 

Priority enterprise risks

Two priority enterprise risks included in reporting to the Audit & Risk Committee are outlined below as well as their mitigating actions: 

Critical asset failure

Risk: Component part(s) of our generating assets may fail unexpectedly leading to substantial loss of generation and the potential for environmental damage, injury and loss of life.
Risk Category: People, Environmental
Current Likelihood: Highly unlikely
Current Consequences: Major
Mitigating actions: Mitigations include a range of engineering protections, ongoing internal and external expert assessments leading to planned engineering works, process safety practices and preventative maintenance activities. Meridian is currently investing in a multi-million-dollar automation upgrade of the Manapōuri site that will improve the monitoring and assessment of asset health in order to assist in managing this risk.

 

Adverse hydrological conditions

Risk: Dry periods or drought conditions in the Waitaki or the Waiau catchments may reduce water levels and significantly affect our generation capability.
Risk Category: Financial
Current Likelihood: Unlikely
Current Consequences: Serious
Mitigating actions: Meridian has a number of mitigations in place to manage water during a dry period, including wholesale hedge products and a demand response agreement with NZAS to enable demand response flexibility through to the end of 2024.


Emerging Risks 

Two long term emerging risks (3-5 years+) which are considered to have the most significant impact on the business in the future are outlined below as well as any mitigating actions that have been taken.  

Emerging risk 1: Thermal fuel risk
Category: Economic
Description: There is an industry wide risk to thermal fuel availability which is escalating due to dwindling gas investment and hence production. Reduced gas production, combined with the gas industry struggling to attract investors, may mean the electricity system places a greater reliance on coal whilst biomass options are proven.
Impact: This could result in increasing wholesale prices and greater carbon emissions which may in turn prompt regulatory intervention potentially increasing operating costs and impacting Meridian’s earnings.
Mitigating actions:

  • Continuing to build our renewable generation portfolio (new wind and solar).
  • Exploring demand response and alternative products to manage electricity security.

Emerging risk 2: Peak Capacity
Category: Societal
Description: There is a risk of insufficient national generation and reserve offers to meet electricity demand and provide N-1 security while the margin of generation offered over peak periods will be tight compared to forecasted demand generally.
Impact: This could impact consumers and investor confidence and could result in market structural changes via regulatory intervention, which has the potential to impact Meridian’s future earnings.
Mitigating actions: Meridian has reviewed and adapted its asset management processes to reduce the likelihood of a peak capacity shortage event. Additionally, Meridian is also investing in the Ruakākā Battery Energy Storage System, which will make a significant contribution to the reliability of the overall electricity grid allowing more intermittent wind and solar renewable electricity generation to be efficiently accommodated within the system.


Privacy risk 

Privacy protection is a fundamental requirement of the overall operational risk and compliance management structures of Meridian, with the requirements of the Privacy Policy embedded into the group-wide risk and compliance management programme and framework. 

This includes:  

  • The Business Assurance function conducts annual internal audits of Meridian’s privacy systems and procedures to ensure compliance with Meridian’s Group Compliance Policy. The findings of these audits are reported to the Audit & Risk Committee.  
  • Our Independent co-sourced partners conduct independent audits of our privacy systems and procedures, as part of Meridian’s 18-month Assurance Plan which is approved by the Audit & Risk Committee. 
  • Privacy Champions are embedded within the Business Units, who report to the Privacy Officer. These staff members undertake specialised privacy training and work with each Business Unit along with the Legal Team to develop knowledge within the business and ensure compliance with the Privacy Act.  
  • Meridian reviews and reports any privacy breaches on a monthly basis to the Board. Any potential breaches noted are investigated to remediate any weakness in the system(s), with amendments made as required to mitigate the identified risk. 
  • ICT security has multiple data security and control processes in place that manage data privacy of related systems and processes across the business. For any new system or process introduced where customer data is collected, a risk assessment is undertaken to ensure appropriate controls are in place to protect customer data.

Cyber security risk

Meridian Energy is focused on proactively managing cyber risks. We aim to maintain safe, secure, and reliable information systems and operational technology infrastructure that support Meridian’s business goals and uphold the trust of our customers, staff, and stakeholders.



Risk Culture

Training 

To support a positive risk culture and raise awareness of risk management accountabilities the following training and material is provided to Meridian staff: 

  • Risk Management E-Learning modules outlining our Group risk management processes and how Meridian’s risk management tool can help staff to administer, track and manage risk effectively.  
  • Risk Management tool ‘How to videos’. 
  • In person risk management training, tailored to specific needs for Risk champions, Leadership teams, and Meridian Group staff as requested which includes accountabilities and our risk management framework and processes. 

Specific risk management education is also provided to non-executive directors. All new Directors participate in an induction process coordinated by the Company Secretary, which assists in providing a smooth transition for new Board members.  The induction process for Directors includes fulsome briefings from Executives on Meridian’s structure, strategy, business operations and the sectors and environments in which we operate, our material risks and our people.  Meridian also arranges site visits.

We also have a continuing education programme in place for Directors and we provide other appropriate professional development opportunities for Directors to develop and maintain the skills and knowledge needed to effectively perform their role as Directors. During FY24, the programme included: 

  • Board site visits to the Harapaki Wind Farm in Hawke’s Bay, Benmore and Waitaki Power Stations to understand the relevant teams, people and assets at an operational level, focusing in particular on health and safety attitudes, culture and practices. 
  • Ongoing education sessions on NZX and ASX continuous disclosure requirements, Meridian’s internal transfer price methodology, the legal structure of the joint venture operations contemplated in respect of Te Rere Hau wind farm and our Southern Green Hydrogen large scale hydrogen production project, solar storms and their potential impact on the electricity system, and the range of issues currently impacting the New Zealand gas sector. 
  • Board Tech Study Tour to Australia and the USA to understand new customer trends, innovative business models and the impact of disruptive technologies on the current and future electricity system. 

Risk management incentive metrics 

Meridian’s annual report provides a detailed description of its approach to remuneration. Pay for Executives includes a 30% short-term incentive (STI) component (50% for the Chief Executive). Up to 40% of the STI is based on performance against a Board-approved scorecard. When annually setting and assessing performance against the Executive Scorecard, the Board considers key initiatives that are designed to address material risks and opportunities and to execute Meridian's strategy. In FY23 this included the following performance areas: 

Performance Area: Decarbonisation Led Growth
Description: Develop a high-quality diverse suite of renewable energy options
Enterprise Risk: Development pipeline

Performance Area: NZ Aluminium Smelter (NZAS) Closure Mitigation
Description: Find new sources of demand in the South Island to mitigate the impact of potential NZAS closure
Enterprise Risk: Demand Risk

Performance Area: Investment Stability
Description: Regulatory, legal and government relations accelerate and improve New Zealand’s decarbonisation transition
Enterprise Risk: Change in regulation

Permanent employees participate in variable pay via a short-term incentive (STI) scheme at the discretion and invitation of the Board. The STI is an at-risk incentive, which is offered for a specific year. Potential STI payments reflect achievement of certain company profit levels and individual performance objectives aligned to business strategy and goals. For example, this may include individual objectives relative to operational risk. 

Risk Management Audit 

In line with best practice, the Business Assurance 18-month programme includes regular internal audits of Meridian’s risk management framework, including methods, tools and processes measured against best practice and standards. These are conducted by an independent external provider who sits outside Meridian’s co-sourced Business Assurance function. The last audit outlined recommendations to further develop the maturity of risk management activities. These have been progressed, with a follow-up audit undertaken in May 2024, followed by regular audits on a two-year cycle. 

Meridian’s Risk Management Policy outlines specific responsibilities for risk management at Meridian.