Risks and missed opportunities of digitalisation – the sleepless nights of an Energy Geek

An energy system built around millions of interconnected assets brings multiple risks but also huge opportunities. In their latest article on digitalisation pathways, in association with CGI, the Energy Geeks explain where they see areas for concern, and for optimism.

The next major disruption in the energy system is unlikely to be caused by the failure of a single organisation. It will more likely emerge from the gaps between organisations.

Many sectors manage risk very effectively across their complex supply chains. These sectors have realised that the weakest links lie between participants and that this needs rigorous and contractually shared risk management processes. As the complexity of the energy supply chain continues its rapid growth, we Geeks are not confident that the energy sector’s current siloed organisational and governance approach is leading to adoption of the best practice in risk management for a much more digitally interconnected whole-system.

The Energy Geeks are a thinktank set up to tackle the thorniest issues of energy policy. They are: Eric Brown; Maxine Frerk; Simon Harrison; Roger Hey; Laura Sandys and Steven Steer.

Risk management must also be seen as a key driver of efficiency, reducing cost and accelerating progress. Other sectors use digitalisation as an integral part of their risk management processes. We now need to embed these principles into the energy digitalisation journey. It is not just that we have to mitigate risk, we also have to use digitalisation to drive greater efficiencies, increased resilience and customer benefits through how and what we do. We can learn from other sectors on this.

In the eight years since the Energy Data Taskforce facilitated creation of the sector’s ambition for modernisation, the sector has moved at pace. Existing processes and operations have been digitalised, flexibility markets tested and deployed, data opened as a valued market resource and sophisticated software has begun to be layered over traditional physical infrastructure. As a result, the system is now more information-rich, dynamic and interconnected than at any point in its history. Development is continuing at an ever-faster pace.

This evolved system requires a new approach to risk and opportunity management that enables risk sharing, establishes strong common governance standards and has effective monitoring and scenario planning that can pre-empt vulnerabilities, anticipate impacts and address emerging trends.

Our greater capacity for creating and using information should make the energy system more resilient. But, while we are running ahead fast, adding greater capacity to know things and to act, we have been slow to match this with corresponding modernised governability and resilience.

Startled awake

Risks turned to issues can look like a classic disaster film. The Spanish blackout of 2025 showcased how a tightly coupled system failed on a short timescale – only well-governed digital systems could have responded effectively. The winter 2021 Texas blackouts demonstrated how hard it is to integrate information relating to a confluence of market design, incentives and sustained severe weather conditions that exposed weaknesses in mechanisms for reserves.

The 2019 UK loss of power to 1 million consumers should remain in memory as an example of how complex engineering policy can lead to static compliance requirements that no longer address system risks. It is also a painful reminder of the economic impact and disruption that can result from a loss of supply.

Finally, the 2021 SolarWinds attack evidenced the lengths to which foreign intelligence agencies are willing to go to deploy malicious software into another country’s critical IT infrastructure.

The impacts of risk can also be seen in more subtle ways. Even if the system does its job, the lights can still go out home-by-home and business-by-business as costs push energy out of more and more people’s reach.

This situation is growing as historic issues compound, each with underlying causes triggered by a lack of control over information.

Take the over-generous Feed-in Tariff subsidies from 2011, which were set using data models that were inadequately stress tested. This could not be reversed so the government ended up being taken to court and losing, costing consumers c£100 million a year for 20 years.

Then there is the balancing mechanism, which has exacerbated exposure to international commodity markets due to automated ‘skip rate’ issues, again costing hundreds of millions of pounds.

Leading up to a costly wave of supplier failures from 2022, Ofgem found its ability to govern the market overridden by information complexity.

We can also observe indications that Regulated Asset Base costs have been inefficient when in 2017 a network voluntarily returned £480 million of allowances it was entitled to keep; performance and regulated returns hint at ongoing challenges relating to information asymmetry.

And finally, the cost of delay to system changes, such as Market-Wide Half-Hourly Settlement, adds to the pressure on people’s pockets.

Individually, and certainly together, these costs add up to uncomfortably large, and for many people, unaffordable numbers. It is in no way an exhaustive list.

Fever dreams

The energy system’s information risks have grown and evolved. Some are new and some are old, some are likely, some are not, some will crash the system, others will chip away at it. Further, we need to diligently capture the value digitalisation offers, because we cannot afford to miss the opportunities it provides. Effective risk management is needed to overcome risks and to support the opportunities that lie ahead. Modern information risks and opportunities are legion. Here are a few:

Data & technology:

  • Monopolies: data and tech companies can be large and act as significant drivers of economic growth. However, we also need to manage monopolies, value capture and predatory business models.
  • Embedded spyware: We need to be hyper vigilant of malign software being installed into critical systems by adversarial actors who seek to monitor and discover further system vulnerabilities and exposures.
  • Destabilising new technology: Encouraging new innovations and technologies to help with the modernisation of the system will drive down its costs. However, rapid adoption of novel technology introduces the possibility of unintended and unexpected consequences that impact safe system operability.
  • International competition: We can drive down the cost of clean power and so attract investment by the world’s most responsible companies, but if we are slow to change, other countries will gain the right to clean growth in our place.
  • Algorithmic cascades: Our system requires a whole raft of new technologies and AI tools to manage its distributed structure. We should encourage this, but it cannot be a free-for-all where millions of software-enabled devices make concurrent decisions that impact the system without coordination.

Consumer digitalisation:

  • Digital identity: We need customers to willingly share their data to optimise the system for their benefit and hence bring down the cost of energy for all. But we must also manage the risk to individuals and whole organisations of exploitation or wilful system mismanagement that can cause costs of various types.
  • Personal data: Use of personal data will make available tailored services to key customer segments providing much better outcomes, but we need to be very careful that well-intended mismanagement can never expose vulnerable people, such as by revealing someone’s whereabouts to domestic abusers via time-of-use billing.

Policy development:

  • Planning processes: Information from data is needed to add vital nuance and specificity to critical planning designs. However, as planning becomes more sophisticated, it risks becoming opaque to local stakeholders, eroding support and losing trust. Good use of data can manage this.
  • Regulatory and legislative development: Policy development should be benefiting from deeply informative data feedback loops that ensure each policy is behaving as intended on the ground. In parallel, unless data is used effectively to bring clarity to our growing system complexity, policy-making risks becoming hesitant and naive just at a time when the market needs policymaking to perform confidently and fast.

Grid and system operation:

  • Grid access: Clever use of data will allow us to predict a lot better where assets will be installed, but poor forecasting of EV, data centre or housing uptakes will trigger grid connection constraints, costing local jobs and services.
  • Grid controls: We will need much more granular controls to enable large-scale use of distributed assets at local levels to help balance the system, but partially informed balancing software could systemically optimise for one region at the expense of, say, brownouts in others as a new postcode lottery.
  • Complex grid transients: Digitalisation can open the door to moving away from traditional inertial generation to provide system stability using software-enabled methods, but this is novel technology that must be adopted with care or else we may lose our grip on the system.

None of these risks originate from a single negligent organisation. They lurk among the interfaces where responsibilities overlap or underlap, where systems and services integrate, where practitioners must take time-pressured actions, with or without sight of the wider system implications. The consequences of these risks are wide-ranging.

Untreated parasomnia

Interconnected data and digitalisation dissolve boundaries. Removing boundaries creates the opportunity to solve problems more easily, to learn, adapt and change. This is a key part of enabling the energy transition to succeed. But removing boundaries also creates greater opportunity for complicated mistakes to be made and for malign intent to pass by unnoticed. Safety and resilience require control and not capacity alone.

Increasingly, market platforms interact with network constraints in real-time; distributed assets are responding to signals generated far beyond their physical location. Remote software updates can alter operational behaviour. Tranches of data tables are populated, exchanged across the system and then trusted to shape dispatch, balancing and investment decisions.

The energy system is no longer the traditional collection of modular functions – production, transportation and retail – it is a tightly coupled machine with interwoven and integrated functions criss-crossing down a growing supply chain. Yet, we still govern the system as if it were a series of simple linearly connected modules.

Risk management is an opportunity

Risk management in the energy sector remains largely organisation-centric rather than system wide. Compliance frameworks are designed to be inward-facing and do not recognise that risk management is one of the key drivers of efficiency, resilience and that it delivers customer benefits. While each actor diligently discharges its own responsibilities, there remains a critical need for system-wide visibility, control and accountability of vulnerabilities as they propagate across organisations and through the gaps between organisations. A system-wide approach is needed.

Traditional energy risks were more localised and organisations were designed to contain them. A plant failed, a storm hit, a substation reached capacity, spinning reserve proved insufficient. Our traditional system risks were visible, bounded and attributable.

Today’s risks are different; they’ve evolved. They are systemic, nuanced and straddle old boundaries. Fortunately, today’s opportunities have evolved too. Our path to drive down energy costs and to accelerate adoption of clean technology requires us to take an integrated system-of-systems approach to risk management.

Following routine will help us benefit from a good night’s sleep

The energy system only works when the whole energy system works. Our new system design is to have millions of assets held in millions of people’s hands. These all need to be safe, trusted and coordinated not just in aggregate, but at each location and at all times – otherwise the system is critically failing someone, somewhere.

Risk does not respect organisational boundaries and so needs integrated oversight; our risk management needs to adapt to keep pace with the realities of evolved risk – while not crushing the opportunities. Modern digital-physical infrastructure requires our market design to include a mechanism explicitly responsible for whole-system governability. Not just strategy. Not just policy positions and visions. We need a process for operational oversight of cross-boundary risk. Our mitigations will need architecture coherence and systemic observability, planning and programme management.

This is one of the key roles for which we Energy Geeks are advocating creation of a Modernisation and Digitalisation Unit (MDU). While its main purpose is to unlock the potential opportunities deeper digitalisation of the energy system offers, one of its key capabilities is to facilitate establishing new risk processes for whole-system observability, monitoring and management.

The MDU will need to use its time to help the sector put in place integrations across assets, markets, data and physical and digital infrastructure. The resulting ‘security architecture’ will need to complement the system’s overall architecture. All this is essential to achieving whole-system resilience. The MDU should help the sector establish:

  • Clear ownership and accountability for systemic risk signals managed through a central whole-system risk register and sectoral oversight capability.
  • Observability and monitoring of the whole integrated system-of-systems, including data about the assets, flows, and operational states across networks, markets, and supporting systems. This will inform the sector about vulnerabilities, threats, and patterns for handling these.
  • Threat modelling and adaptive planning informed by ‘digital twins’, sandboxes and scenario modelling that directly inform energy system design via continuous feedback loops.
  • Security Operations to provide live monitoring, active scanning and alerts and an integration of security operations not only across organisations, but in situ within the environments of the people and assets working all day, every day.
  • A whole system security strategy, to set direction and hold all other aspects of risk management together so that they work in concert.

We can keep lying awake, hoping the noises in the dark are nothing. Or, we can turn the lights on and regain control. Every day we wait costs time and money that people cannot spare.

Comment:

Rich Hampshire, vice president, digital utilities, CGI

In their latest article, the Energy Geeks turn their collective intellect and experience to the challenge of managing risks in an energy system where system boundaries are expanded and system dynamics, both physical and commercial, are fundamentally different.

The article addresses a risk landscape that is being transformed by the energy transition. And that, in an increasingly interconnected and distributed system, risks emerge at the interfaces between system actors and in their extended supply chains. Whilst a more distributed system architecture can provide greater resilience, risks need to be managed effectively to ensure that risks can’t compound and cascade across the system.

The Geeks balance these concerns with opportunities that outweigh the risks when effectively managed. They make the point that effective risk management drives efficiency and reduces costs. Implicitly, the reduction in costs will flow through to consumers’ bills in a well-functioning market. Effective risk management should also give consumers confidence and increase trust in the energy transition, essential if progress towards a clean energy system is to accelerate.

The energy system can learn from and leverage best practices from other sectors. One key message is that, whilst digitalisation introduces new risks to the system, it also provides the visibility across the system that is essential to effective management of risk.

The ‘Paving the way to net zero’ report, a previous collaboration between CGI and Utility Week, to which some of the Geeks contributed, highlighted that the energy sector has an excellent track record and culture for managing risks associated with physical assets. But the report also found that culture change and new attitudes to risk are required for a transitioned, digitalised energy system. This is a theme highlighted by the Geeks in this article. They call for a new approach to risk and opportunity management by establishing strong, common governance that enables risks to be shared (and, implicitly, therefore managed by those system actors best able to do so). Certainly, regulation has its role to play in providing the right incentives to encourage and reward that cultural shift in attitudes to risk management.