Unknown: Good evening and welcome to the Policy Committee and Special Board Meeting of November 12,
SPEAKER_10: 2025.
SPEAKER_10: This room is equipped with a safety alarm.
SPEAKER_10: If the alarm sounds, please leave in an orderly manner via the exits to the lobby or behind
SPEAKER_10: the dais.
SPEAKER_10: Assemble in front of the building and wait to hear the all clear announcement from security
SPEAKER_10: before reentering.
SPEAKER_10: This meeting is being recorded and can be accessed on SMUD's website.
SPEAKER_10: Please remember to unmute your microphone when speaking in order that our virtual attendees
SPEAKER_10: may hear.
SPEAKER_10: The microphone will display a green indicator light when the mic is on.
SPEAKER_10: For members of the public attending in person who wish to speak at this meeting, please
SPEAKER_10: fill out a speaker's request form located on the table outside this room and hand it
SPEAKER_10: to SMUD security.
SPEAKER_10: Members of the public attending this meeting virtually who wish to provide verbal comments
SPEAKER_10: during the committee meeting may do so by using the raise hand feature in Zoom or pressing
SPEAKER_10: star 9 while you're dialed into the telephone toll-free number when the time public comment
SPEAKER_10: is called.
SPEAKER_10: Technical support staff will enable the audio for you when your name is announced during
SPEAKER_10: the public comment period.
SPEAKER_10: You may also submit written comments by emailing them to publiccomment at smud.org.
SPEAKER_10: Written comments will not be read into the record but will be provided to the board members
SPEAKER_10: electronically and placed into the record of the meeting if the comments are received
SPEAKER_10: within two hours after the meeting ends.
SPEAKER_10: Chief legal officer, please conduct the roll call.
Unknown: Director Kurz?
Unknown: Here.
Unknown: Director Herber?
SPEAKER_02: Here.
SPEAKER_10: Chair Sanborn?
SPEAKER_02: Here.
SPEAKER_02: All committee members are present.
SPEAKER_02: Also present are directors Rose, Buie Thompson, Tamayo and President Fishman.
Unknown: Great.
SPEAKER_10: Item number one on tonight's agenda is to discuss the monitoring report for strategic
SPEAKER_10: direction SD16, information management and security.
SPEAKER_10: This will be a consent item.
SPEAKER_10: Go ahead.
SPEAKER_08: Good evening directors.
SPEAKER_08: My name is Steve Custin.
SPEAKER_08: I am the interim director of cybersecurity and I'm here to present the monitoring report
SPEAKER_08: for SD16.
SPEAKER_08: As you know SD16 covers cybersecurity, privacy, information management and compliance and
SPEAKER_08: physical security and I'm here to present with Kirsten DePersis the director of physical
SPEAKER_08: security as well as Kelsey McFadden the manager of information management and compliance.
SPEAKER_08: This is SD16 in its entirety.
SPEAKER_08: I won't go through it.
SPEAKER_08: Next slide, please.
Unknown: I would like to state that SMUD is in substantial compliance with SD16 for both information
SPEAKER_08: management and security policy and recommend that the board accept this monitoring report.
SPEAKER_08: Next slide, please.
Unknown: Okay.
Unknown: Do we have a ‑‑ go ahead.
SPEAKER_10: I'm sorry.
Unknown: No problem, director.
SPEAKER_08: To cover some things quickly over the course of the last couple years within cybersecurity,
SPEAKER_08: we continue to align with the NIST cybersecurity framework and we will discuss our risk management
SPEAKER_08: program and associated risk in our confidential closed session following this open session.
SPEAKER_08: We are continuing to drive initiatives with our zero trust strategy.
SPEAKER_08: We are also focusing on multiple items to build upon enhanced third party risk management,
SPEAKER_08: which again we'll talk about later in our closed session and something I don't have
SPEAKER_08: up here that I do want to recognize is we had a CIP audit earlier this year and not
SPEAKER_08: only did we have no findings, we actually had two net observations.
SPEAKER_08: So kudos to the cybersecurity team, compliance team and everybody involved in that practice.
SPEAKER_08: Covering customer privacy, SD16 requires an annual notice of privacy practice which was
SPEAKER_08: sent out in the May billing cycle and was sent out both via physical and electronic
SPEAKER_08: copies to our billing recipients and no personal customer data was shared with third parties
SPEAKER_08: for SMUD business purposes.
SPEAKER_08: Our data sharing policy and associated processes are in place to ensure privacy is maintained.
SPEAKER_08: Since SMUD accepts customer payments, we are subject to PCI DSS, or payment card industry
SPEAKER_08: data security standards and this year we have again been certified as compliant by
SPEAKER_08: a PCI certified consultant and have submitted the necessary attestation questionnaires to
SPEAKER_08: our merchant bank which is Chase and the reason why we put our numbers here is to show that
SPEAKER_08: our credit card transaction numbers have increased year over year.
SPEAKER_08: Next slide, please.
SPEAKER_08: Next I will hand it over to Kirsten DePersis who will cover physical security.
SPEAKER_08: Thank you.
Unknown: Good evening, everyone.
SPEAKER_01: I'm Kirsten DePersis.
SPEAKER_01: I'm the director of facilities security and emergency operations.
SPEAKER_01: So I wanted to cover a couple of the things that we've done over the past year.
SPEAKER_01: Within the 2024 to 2025 cycle, we have approval of an off cycle budget request of approximately
SPEAKER_01: $2 million per year for the next couple of years for the Upper American River Project
SPEAKER_01: which will help us expand our technology in that space.
SPEAKER_01: We are currently in the process of implementing our new computer aided dispatch system which
SPEAKER_01: will really help us with our tracking and our metrics.
SPEAKER_01: We have conducted a risk threat and vulnerability assessment for all of our SMUD assets and we're
SPEAKER_01: currently just awaiting that report now and what that has done is looked at all of our
SPEAKER_01: facilities and given us feedback on what we can do to mitigate all the risk that we
SPEAKER_01: have so that we have a roadmap for the future.
SPEAKER_01: We've continued our partnership with Volunteers of America.
SPEAKER_01: In fact, we recently just signed a new contract with them.
SPEAKER_01: That's been very successful.
SPEAKER_01: I have to give immense kudos to our substation team and specifically Eric Poff for working
SPEAKER_01: with them very well on the future Station J. Volunteers of America did a great job for
SPEAKER_01: us of helping move some folks off of that property so that we could get set up for construction.
SPEAKER_01: So that's been a great partnership there.
SPEAKER_01: We also conducted situational awareness training for all of our field crews this year.
SPEAKER_01: We are continuing to harden our landscape at all of our substation locations.
SPEAKER_01: So this includes putting in rock and native plants which is not only a sustainability
SPEAKER_01: measure, but it helps keep folks off of our property which helps keep them safe as well
SPEAKER_01: as our employees safe.
SPEAKER_01: We have worked with the substation team to incorporate security standards into the substation
SPEAKER_01: plans for when we build new substations.
SPEAKER_01: We entered into a couple letters of agency agreements this year with both Sacramento
SPEAKER_01: Sheriff and Sac PD which allows them to enter our properties and deal with any sort of situations
SPEAKER_01: that are of a law enforcement nature without having to come to us and ask for permission
SPEAKER_01: first.
SPEAKER_01: We passed the 2025 NERC audit with no findings as well this year which was one of our EPGs.
SPEAKER_01: We've also started a See Something, Say Something and the Power of Hello campaign which helps
SPEAKER_01: with workplace violence and also with folks that are on our properties that probably shouldn't
SPEAKER_01: be.
SPEAKER_01: And we've also done some improvements to our customer service center lobby which has really
SPEAKER_01: been great for our CSC teams.
SPEAKER_01: Thank you.
SPEAKER_00: Next slide.
Unknown: Awesome.
SPEAKER_00: Good evening everyone.
SPEAKER_00: My name is Kelsey McFadden.
SPEAKER_00: I'm the manager of information and compliance here at SMUD.
SPEAKER_00: Thank you for the opportunity to present what our program has accomplished in 2025 in support
SPEAKER_00: of SD16.
SPEAKER_00: Last year I shared that we had entered a proactive maturity at information management which means
SPEAKER_00: that information management is integrated into routine business decisions and aligned
SPEAKER_00: with industry best practices.
SPEAKER_00: Today I'm proud to report that we've built upon that foundation by nearly completing
SPEAKER_00: one of our largest endeavors to date and in partnership with cybersecurity we have
SPEAKER_00: launched a new program that's going to shape the future of SMUD's information protection.
SPEAKER_00: So we'll go ahead and go to the first major milestone, the enterprise content migration
SPEAKER_00: project.
SPEAKER_00: So the enterprise content migration project was done in collaboration with the enterprise
SPEAKER_00: content management team where we identified, classified and migrated content from where
SPEAKER_00: employees have happened to put it over the years to where it should be.
SPEAKER_00: By year end we will have completed all 41 plus business areas in scope.
SPEAKER_00: This represents nearly 7 million documents reviewed, classified, and migrated to approved
SPEAKER_00: repositories.
SPEAKER_00: During these migrations we also worked with the business areas to implement comprehensive
SPEAKER_00: information management procedures so that these improvements can be sustainable for
SPEAKER_00: years to come even after the project closes.
SPEAKER_00: So what this means in practice is simpler, faster, and more reliable access to information.
SPEAKER_00: So for example, say someone retires or leaves SMUD unexpectedly instead of their files being
SPEAKER_00: in random email folders or wherever they've happened to put it, which only they know,
SPEAKER_00: these newer repositories will make sure that we know the file's classification, their retention,
SPEAKER_00: and where they're at.
SPEAKER_00: So in short, information is going to be much easier to find, easier to trust, and easier
SPEAKER_00: to protect.
SPEAKER_00: And this goes right into our next milestone, which is the data loss prevention program.
SPEAKER_00: So we did this in partnership with cybersecurity and the organizational change management program.
SPEAKER_00: It's about strengthening how we classify SMUD's most sensitive information across this
SPEAKER_00: entire life cycle.
SPEAKER_00: So to illustrate the change we're making, let's think about a really common scenario.
SPEAKER_00: So say an employee downloads a document out of a repository because they want to work
SPEAKER_00: on it offline or collaborate with another employee.
SPEAKER_00: The thing is the repository is what's protecting this document itself.
SPEAKER_00: But the moment it's pulled out, say you save it to a desktop, you email or you move it
SPEAKER_00: out of the repository, it becomes dependent on that individual to employ the safeguards
SPEAKER_00: that it needs to be protected.
SPEAKER_00: So even with the best intentions, obviously this leaves room for mistakes.
SPEAKER_00: So through pilots we're testing new Microsoft Purview tools that embed protection into
SPEAKER_00: the document itself.
SPEAKER_00: So think about the document having its own automatic seat belt that goes across it and
SPEAKER_00: follows it everywhere it goes.
SPEAKER_00: So it will click into protection the second that document is emailed, copied or downloaded
SPEAKER_00: out of the repository.
SPEAKER_00: So the document now knows who's supposed to access it, where it can go, and how it can
SPEAKER_00: be used.
SPEAKER_00: It shifts protection from being manual or more person-oriented to being automatically
SPEAKER_00: enforced by technology.
SPEAKER_00: So as we expand in the next year, we want to roll this out into the entire enterprise,
SPEAKER_00: which will build a future where sensitive information at SMUD is consistently and proactively
SPEAKER_00: protected.
SPEAKER_00: So this reduces the risks of breaches and safeguards SMUD's reputation and information
SPEAKER_00: protection.
Unknown: So none of this work happens in isolation.
SPEAKER_00: We work in collaboration with many different and great business partners across SMUD, cybersecurity,
SPEAKER_00: being one, data governance, and enterprise content management team being another.
SPEAKER_00: So together we're all working to reinforce one another using technology, processes and
SPEAKER_00: policies that we can all do.
SPEAKER_00: And in closing, in 2025, we're closing the chapter on enterprise content migration and
SPEAKER_00: opening the chapter on data loss prevention.
SPEAKER_00: Both efforts directly support SD16 by ensuring that SMUD information is managed responsibly
SPEAKER_00: and securely and with the future in mind.
SPEAKER_00: Thank you and I'm happy to answer any questions.
Unknown: Wonderful.
SPEAKER_10: Does anyone have any questions?
Unknown: Yes, Director Tamayo.
SPEAKER_10: Yeah, I've got a couple of questions for Kirsten.
SPEAKER_05: One is you mentioned the risk threat and vulnerability assessment.
SPEAKER_05: Who's conducting that?
SPEAKER_05: I'm going to have to look to my team.
SPEAKER_01: What was the name of the company that did our?
Unknown: ANCO, AA and CO.
SPEAKER_05: But it's a third party group that does that sort of thing.
SPEAKER_05: Correct.
SPEAKER_05: Another thing was you also mentioned that SACPD and the sheriff, we have that agreement
SPEAKER_05: for them to enter our facilities.
SPEAKER_05: What sorts of training do they get?
SPEAKER_05: I know each of them has many officers and deputies who could potentially be doing that.
SPEAKER_05: So how do we address the safety concerns of them going into our facilities?
SPEAKER_01: That's a great question.
SPEAKER_01: So they're not actually entering any of our substation facilities.
SPEAKER_01: So if somebody were going into the substation, then they would reach out to us and we would
SPEAKER_01: need to assist at that point.
SPEAKER_01: So it's really just on our physical property but not within any sort of substation location
SPEAKER_01: or anything that would put them in harm's way.
Unknown: Okay.
SPEAKER_10: All right.
SPEAKER_01: Thank you.
Unknown: You're welcome.
SPEAKER_10: Any other questions from board members?
Unknown: Okay.
SPEAKER_10: Oh, Director Brennan.
SPEAKER_13: I want to point out sort of a little commentary in light of some of the privacy questions
SPEAKER_13: we got over the summer and fall that we see our customer privacy strategic direction language
SPEAKER_13: at the beginning of the presentation.
SPEAKER_13: And I just read through it again.
SPEAKER_13: And it looks pretty good to me.
SPEAKER_13: But I just sort of I think it was interesting when people asked us, hey, who is our privacy
SPEAKER_13: safeguard?
SPEAKER_13: We have in fact a strategic directive that specifically talks about it.
SPEAKER_13: And it addresses a lot of those concerns that were really on top of the ball.
SPEAKER_13: So I just wanted to point that out.
SPEAKER_10: Thank you.
SPEAKER_10: And we want to thank our presenters, Steve Custin, Kirsten DePersis and Kelsey McFadden.
SPEAKER_10: We'll go ahead and put this on the consent calendar.
SPEAKER_10: I do want to check and see if we have any comments.
SPEAKER_03: No we do not.
Unknown: Okay.
SPEAKER_10: Item number two is to discuss the monitoring report for strategic direction SD17 enterprise
SPEAKER_10: risk management.
Unknown: Good evening, board of directors.
SPEAKER_07: My name is Michelle Kirby.
SPEAKER_07: I'm a director of enterprise strategy and planning.
SPEAKER_07: So I am here today to present our monitoring report for SD17, our enterprise risk management.
SPEAKER_07: I'm not going to read the whole thing here, but it's basically our fundamental values
SPEAKER_07: might identify, protect and prudently manage our risk.
SPEAKER_07: Our recommendation is that we are in compliance with SD17, and this will be the fourth time
SPEAKER_07: me or my team has been in front of you to talk about our enterprise risk framework.
SPEAKER_07: We've walked you through this over the quarters and the courses of this year.
SPEAKER_07: First quarter as a reminder, we laid out the new risk framework and our communication strategy
SPEAKER_07: and connected that bottom up and top down risk.
SPEAKER_07: And spent the second and third quarter going through five of the seven strategic risks
SPEAKER_07: that we've laid out.
SPEAKER_07: And today I will wrap that up and go through the last two of the seven risks.
SPEAKER_07: And you'll see everything together in this new format.
SPEAKER_07: Next slide, please.
SPEAKER_07: All right.
Unknown: So here is the overall enterprise risk heat map.
SPEAKER_07: Before I delve into the details, just wanted to give you a little bit of background.
SPEAKER_07: This is a re-baseline of all of our enterprise risk levels.
SPEAKER_07: So in the past you've seen 85 risks.
SPEAKER_07: We've now narrowed it down to those seven strategic risks and the 27 enterprise risks.
SPEAKER_07: So with that, we've also spent the course of the year calibrating all the risks as we
SPEAKER_07: have looked at them.
SPEAKER_07: So if you see some of these scores or ratings, they may vary a little bit from earlier in
SPEAKER_07: the year as we've done this calibration holistically.
SPEAKER_07: And we did that with our executive team and the directors that are closely related to
SPEAKER_07: and owning these risks.
SPEAKER_07: In your information packet, you should have detailed definitions of all of the enterprise
SPEAKER_07: risks.
SPEAKER_07: It gives the full scope of the risk and helps with a lot of the details if you need to reference
SPEAKER_07: them.
SPEAKER_07: And the last thing here is what you're seeing in this chart and all the colors will be the
SPEAKER_07: residual risk rating.
SPEAKER_07: So this is the risk that is left over after we put in controls and mitigations.
Unknown: Okay, so let's get into the meat of things and walk you through this chart.
SPEAKER_07: Across the top you'll see the rating scale, rating from red and extremely high down to
SPEAKER_07: green and low.
SPEAKER_07: And the top bar you see are seven strategic risks, safety and security all the way through
SPEAKER_07: our people.
SPEAKER_07: And that colored bar right underneath those strategic risks represents the overall residual
SPEAKER_07: risk rating for those strategic risks as a whole.
SPEAKER_07: And then underneath that you'll see the subsequent enterprise risks and their subsequent risk
SPEAKER_07: ratings.
Unknown: All right, so as you can see our highest risk are in orange represented there at the top
SPEAKER_07: that safety and security and financial.
SPEAKER_07: And our second highest risk categories are in yellow, those reliability, environmental,
SPEAKER_07: process and technology.
SPEAKER_07: And then in green, the lowest risk across our strategic risk, our customer and community
SPEAKER_07: and our people.
SPEAKER_07: And so just generally as you look at this you see the ones that are in green are those
SPEAKER_07: risks that we may have more control over in impacting the outcome.
SPEAKER_07: And those that are on the higher side of the risk level increasingly have more complexity
SPEAKER_07: or we are influenced by external factors such as policy or the economy so we have less control
SPEAKER_07: over some of those risks.
Unknown: All right, so go ahead and go to the next slide.
SPEAKER_07: So I won't go over all seven of these again as you've seen them throughout the year.
SPEAKER_07: So I'll go over the last two which will be the reliability risk and our environmental
SPEAKER_07: risk and then I'll talk about our two highest risks as well.
Unknown: All right, and so again a reminder of kind of the layout of the slide.
SPEAKER_07: This one is reliability risk underneath there.
SPEAKER_07: These are risks related to keeping the lights on and these are related to our SD4 reliability
SPEAKER_07: and SD14 system enhancements.
SPEAKER_07: And that colorful bar across the top demonstrates our risk environment so you can see the inherent
SPEAKER_07: risk is at high overall for reliability and you see that arrow is the efficacy of our
SPEAKER_07: controls and mitigations to get to the remaining residual risk exposure of medium overall.
SPEAKER_07: So what I would highlight here is if you look at operational adequacy it still is one of
SPEAKER_07: the higher risks around medium high.
SPEAKER_07: This is largely driven by these extreme weather events that really can impact our operations
SPEAKER_07: or service interruptions.
SPEAKER_07: But as you can see we did put in several mitigations and controls and we continue to do so and
SPEAKER_07: modernize, continue to implement some of our controls such as veg management, continuing
SPEAKER_07: to inspect our assets and really manage and maintain those assets.
SPEAKER_07: As you can see for reliability compliance along the bottom that has the lowest remaining
SPEAKER_07: risk exposure and that's in large part due to the NERC audit that we recently completed
SPEAKER_07: with no financial penalties.
SPEAKER_07: All right, next slide please.
SPEAKER_07: All right, and the last slide I want to cover and round this out is environmental risk.
SPEAKER_07: So these are risks related to our clean energy goals and our environmental stewardship related
SPEAKER_07: to SD7, environmental leadership and SD9 resource planning.
SPEAKER_07: So of course these are the risks that are really closely tied to SMUD's clean energy
SPEAKER_07: goals and our zero carbon plan.
SPEAKER_07: As you can see we also introduced this fourth column where you can see that 2026 risk trend.
SPEAKER_07: So in the past we just showed you the inherent risk and the residual risk but we've also
SPEAKER_07: added this risk trend so you can think of that as kind of the forecast going forward
SPEAKER_07: for 2026.
SPEAKER_07: And so you see for the top two line items, clean energy resources and community decarbonization,
SPEAKER_07: the staff has determined where we forecast kind of an increasing risk trend for 2026.
SPEAKER_07: This is largely driven by the federal level impacts that we're seeing on the affordability,
SPEAKER_07: the timing for us to be able to execute on our clean energy resources and goals in some
SPEAKER_07: of our programs.
SPEAKER_07: But as we are embarking on a refresh of our IRP, our integrated resource plan, in the
SPEAKER_07: next year and a half, I anticipate that this is a trend that we would monitor and probably
SPEAKER_07: adjust once we kind of flush out the mitigations that we will do for the next five years.
Unknown: Okay, so while we're still on this slide, I'm wondering why three out of the four, I
SPEAKER_05: realize these may be weighted, but three out of the four elements of this are medium high
SPEAKER_05: and then the conclusion for the category as a whole is medium and it doesn't seem, that
SPEAKER_05: doesn't make sense to me.
SPEAKER_07: Great question.
SPEAKER_07: And it's one as we present this, it's a question that comes up every time.
SPEAKER_07: So each one of these are of the enterprise risks in these rows are rated on a scale of
SPEAKER_07: one to 30 and then we add them and kind of average, we average them out and that for
SPEAKER_07: the total score for this whole strategic risk, it's that same scale one through 30.
SPEAKER_07: So when you do average all of these out, it does actually get you to a medium.
SPEAKER_07: It's on those medium highs or their lower end of a number of the rating on that medium
SPEAKER_07: high scale.
SPEAKER_07: So when you average them out, it does get to medium.
SPEAKER_07: And we can follow up with the actual numbers and the calculations that will help demonstrate
SPEAKER_07: that.
SPEAKER_05: Yes, I can see that that's a question we get.
SPEAKER_07: So if you were to see the actual numbers, the calculations, you can see the justification
SPEAKER_07: that that does still fall in that medium range.
SPEAKER_07: But happy to provide that.
SPEAKER_07: All right.
SPEAKER_07: Next slide.
Unknown: Okay.
SPEAKER_07: So the last two slides are strategic risks that will go through our highest current risk.
SPEAKER_07: So this is safety and security risk.
SPEAKER_07: And you can see that these are the risks related to our safety and security events
SPEAKER_07: involving our people, community and critical assets.
SPEAKER_07: My predecessors that stood up before me here really talked about a lot of the mitigations
SPEAKER_07: that we put in place around cybersecurity and our physical asset security.
SPEAKER_07: So you heard a lot about those mitigations.
SPEAKER_07: And so though cybersecurity inherently is extremely high, one of our highest risks,
SPEAKER_07: a lot of those mitigations help us get down to a remaining residual risk of high.
SPEAKER_07: It still is high because cybersecurity is just a complex environment in terms of threats
SPEAKER_07: that can come from a lot of different directions.
SPEAKER_07: And as you heard, one person just making a mistake can impact that.
SPEAKER_07: But this is why in response we're putting in a lot of controls, ensuring that everybody
SPEAKER_07: in enhancing that everybody is doing our cybersecurity mandatory training.
SPEAKER_07: As you heard Kirsten talk about earlier, we have just finished a comprehensive physical
SPEAKER_07: security assessment and put in a lot of controls over this year.
SPEAKER_07: And that's where you see that physical security residual risk down to a medium.
SPEAKER_07: And then the last one I'll just cover on there would be the third party risk.
SPEAKER_07: That still remains as medium high because we do a lot of work with a lot of contractors
SPEAKER_07: and third parties.
SPEAKER_07: And so we put controls in place, but it is up to those external parties to adhere and
SPEAKER_07: follow them.
SPEAKER_07: So that's why it's still at a medium high risk.
Unknown: Michelle, does that third party category, does that include just members of the public
SPEAKER_04: as well?
SPEAKER_04: Or is that really third parties that we're working with on a project or something?
SPEAKER_07: Yeah, the latter.
SPEAKER_07: So really on our contracts, whether they're contractors working physically here or if
SPEAKER_07: it's the contracts that they're executing on our own behalf.
SPEAKER_04: Thank you.
Unknown: All right.
SPEAKER_07: Next slide, please.
SPEAKER_07: So the last risk that I'll go over is financial risk.
SPEAKER_07: Again, this is one of our higher risks today.
SPEAKER_07: And you'll see, if you recall earlier in the year, we did report this as a risk trend that
SPEAKER_07: we were monitoring and that was going up earlier in the year.
SPEAKER_07: I think along with most of the United States, as we went and changed the federal administration,
SPEAKER_07: introduced tariffs, we're watching inflation.
SPEAKER_07: We were definitely monitoring our financial risk and the economic conditions.
SPEAKER_07: In response to that, we set aside, we have our stabilization funds, ensured they're well-funded.
SPEAKER_07: We set aside insurance reserves and did a lot of mitigations and controls to make sure
SPEAKER_07: that our ratepayers wouldn't see the impacts of that volatility in the market.
SPEAKER_07: We also got a tax credit for Solano IV, which was helpful.
SPEAKER_07: And we also took the opportunity to do the consolidation of our JPA, the SMUD Financial
SPEAKER_07: Authority, if you recall earlier this year.
SPEAKER_07: And then the last item on the run, commodity management, it still remains at medium-high.
SPEAKER_07: As you've heard in the past, commodity is a very volatile.
SPEAKER_07: There's a lot of volatility from month to month, so it does remain medium-high even
SPEAKER_07: though we're looking at a pretty good environment right now.
Unknown: Okay.
Unknown: Okay.
SPEAKER_07: The last slide here is now that we have this comprehensive risk framework in place, what's
SPEAKER_07: it look like for 2026 for enterprise risk management?
SPEAKER_07: So we will continue to improve upon the risk management framework.
SPEAKER_07: We're going to build that risk-intelligent culture within SMUD, improve our tools and
SPEAKER_07: internal reporting, really working with the directors to more closely align all of their
SPEAKER_07: BU risk to our enterprise and strategic risk.
SPEAKER_07: And then identify and track leading indicators and risk tolerances.
SPEAKER_07: By that, I mean when it says our residual risk is at medium, is that an acceptable level
SPEAKER_07: of risk?
SPEAKER_07: And then what steps would we have to take to get to that next level if we were to pursue
SPEAKER_07: that?
SPEAKER_07: And then finally, I do want to thank you, the board, for going along in this journey
SPEAKER_07: for enterprise risk and updating this model.
SPEAKER_07: I appreciate all of your feedback that's been incorporated in here.
SPEAKER_07: And then that's going to allow us to move from those quarterly updates back to an annual
SPEAKER_07: board presentation on enterprise risk.
SPEAKER_07: But we will continue to provide quarterly risk memos outlining commodity risk and any
SPEAKER_07: changes to the enterprise risk.
SPEAKER_07: So we'll continue to monitor those and send those memos.
SPEAKER_07: Any questions?
Unknown: Seeing no questions, I want to thank you, Michelle, and also just make note that Julian
SPEAKER_10: Rich, who would normally make this presentation, is out sick.
SPEAKER_10: And so good for her.
SPEAKER_10: She's very sick.
SPEAKER_07: She was trying to come today and I insist that she can see more.
SPEAKER_07: I'm glad you're not here, Julian.
SPEAKER_10: Do we have any comments from the public?
SPEAKER_10: No we do not.
SPEAKER_10: We do not.
SPEAKER_10: Okay.
SPEAKER_10: Well then this will also go on our consent calendar.
SPEAKER_05: Chair Herber.
SPEAKER_05: Yes.
SPEAKER_05: I would just say that after I gave it a little more thought, I figured out what you meant
SPEAKER_05: as far as where they are in the range.
SPEAKER_05: So you don't really need to do the follow-up.
SPEAKER_05: But thank you very much.
SPEAKER_10: Thank you, Director Dave.
Unknown: Okay.
SPEAKER_10: Now let's see.
SPEAKER_10: We don't have anybody online who wants to speak to this.
SPEAKER_10: So we will go to the third item, which is to discuss the election of officers for 2026,
SPEAKER_10: President and Vice President for the SMUD Board of Directors.
Unknown: And we'll turn it over to our President.
SPEAKER_04: Well taking a cue from the national scheme, I'm just going to stay.
Unknown: No.
SPEAKER_04: No.
SPEAKER_04: Teasing, of course.
SPEAKER_04: Given our sort of standing practice over the last several years, I assume that Vice
SPEAKER_04: President Tamayo will be ascending to the presidency.
SPEAKER_04: And again, it's not written down anywhere, but we sort of have been in a rotation.
SPEAKER_04: And I understand that it would be Director Kurth's turn to become Vice President if we
SPEAKER_04: stick with that.
SPEAKER_04: So with that as kind of the opening discussion, I'd be willing to hear any other thoughts
SPEAKER_04: on this matter.
Unknown: What do you say, guys?
SPEAKER_04: I would be happy to move that that's the order and nominate Vice President Tamayo to be President
SPEAKER_12: and to see Director Kurth come back as Vice President.
SPEAKER_10: Thank you, Director Sanborn.
SPEAKER_10: Do we have any other comments?
Unknown: Okay.
Unknown: I just affirm that I'm happy to serve in that role.
SPEAKER_05: But also process-wise, are we doing nominations tonight or in the next board meeting?
SPEAKER_10: I think we do it at the board meeting, yes.
SPEAKER_10: So this is just the in-between time where we talk about who's going to do what.
SPEAKER_10: So we'll have to save that motion for another time.
SPEAKER_10: Do we have anybody in the public who would like to speak to this?
Unknown: No, we do not.
SPEAKER_10: Okay.
SPEAKER_10: Next, item number four is to discuss the annual review of standing committees.
SPEAKER_10: And I'm wondering if we have a chart of what the committee's...
SPEAKER_10: Yes, there we go.
SPEAKER_10: We have the Finance and Audit Committee.
SPEAKER_10: And we also have the Energy Resources and Customer Services Committee.
SPEAKER_10: We also have the Strategy Committee.
SPEAKER_10: And last but not least, we have the Policy Committee.
SPEAKER_10: So I am sure that all of you have had a chance to read through these descriptions.
SPEAKER_10: Do any of you have any proposed changes or concerns?
SPEAKER_10: Seeing none, then I would ask if we have any comment from the public?
SPEAKER_03: No, we do not.
SPEAKER_10: Okay.
SPEAKER_10: And so item number five is the board work plan.
SPEAKER_10: And we'll turn that over to the soon to be not presidents.
SPEAKER_10: Where did that go?
SPEAKER_04: Oh, there it is.
Unknown: So with just two meetings left in the year, I'm not going to go through every single item
SPEAKER_04: that's coming up in the next few meetings.
SPEAKER_04: But please remember, we do have the budget to approve in December at our final meeting
SPEAKER_04: of the year.
SPEAKER_04: And I was struck that we have nothing in the parking lot.
SPEAKER_04: So as we approach the ascendancy of Tamayo, I think for next year, it's time to start
SPEAKER_04: thinking about what else we'd like to put in there, if there's anything burning that
SPEAKER_04: we want to get on the agenda for one of the meetings.
SPEAKER_04: And obviously, staff will be putting things in there as we move forward.
SPEAKER_04: But now is the time to speak up if there's something you want to throw in the parking
SPEAKER_04: lot that we can get to next year.
SPEAKER_04: And if not, then I'm sure it will hold until next year.
SPEAKER_13: Anybody got anything?
SPEAKER_13: Director Morrandon?
SPEAKER_13: Probably like AI, energy demand drivers at some point.
SPEAKER_13: It's the emerging topic.
SPEAKER_13: It's the hot topic.
SPEAKER_13: There seems to be an article every week in the Wall Street Journal, Monica.
SPEAKER_04: So I know that we have people actively working and thinking on that, so it's not a bad idea.
SPEAKER_04: And one thing that Paul and I were at a conference that EPRI put out a few months ago, and they
SPEAKER_04: talked about AI not only how do you serve the load, but how do you use AI effectively
SPEAKER_04: as a utility.
SPEAKER_04: And so maybe there's room to talk about both sides of that coin.
SPEAKER_04: I don't know.
Unknown: I thought that we had previously put both of those subjects in the parking lot.
SPEAKER_04: If we did, they fell out.
SPEAKER_04: So let's put them back in.
SPEAKER_04: Yeah, they drove away.
SPEAKER_10: Frankie?
SPEAKER_09: Frankie McJermont, Chief Operating Officer.
SPEAKER_09: You had put on a request in how we were approaching large loads, and we sent a memo to the board
SPEAKER_09: on that just recently.
SPEAKER_09: Paul, do you want to take a follow-up?
SPEAKER_14: One of the things that we actually discussed about talking about AI and how AI impacts the
SPEAKER_14: industry, especially the electric industry.
SPEAKER_14: So that is one of the things that we talked about, but we didn't officially put it on
SPEAKER_14: the parking lot.
SPEAKER_14: So it was one of the first things that we do in the beginning of the year in the meeting
SPEAKER_14: with President Tamayo, incoming President Tamayo, then we actually go through that
SPEAKER_14: list of what we've heard so far and what staff is going to propose to put on there.
SPEAKER_14: So there will be a list at the beginning of the year that we'll be reviewing with you.
SPEAKER_14: Okay, thanks.
SPEAKER_14: And Vice President Kurth, in the same meeting, to talk about what we heard, what staff recommends,
SPEAKER_14: and then what we heard from the board members.
Unknown: Okay.
Unknown: Great.
Unknown: Anybody else?
SPEAKER_10: Anything else?
SPEAKER_10: Okay.
SPEAKER_10: Well, moving along with our agenda, next is comments for items not on the agenda.
SPEAKER_10: Do we have any comments for that?
Unknown: No, we do not.
Unknown: Okay.
SPEAKER_10: I just want to remind folks that written comments received on items not on the agenda will be
SPEAKER_10: included in the record if received within two hours of the end of the meeting.
SPEAKER_10: The last item on the agenda is to provide a summary of committee direction.
SPEAKER_02: The only thing I have, do we want to add AI energy demand and the impact of AI on the
SPEAKER_02: industry to the parking lot?
Unknown: I think so.
SPEAKER_10: I'd like to get a presentation on that.
SPEAKER_02: That's the only thing I have.
SPEAKER_10: Okay.
SPEAKER_10: Thank you.
SPEAKER_10: The board will now enter into a closed session to discuss the following item, threats to
SPEAKER_10: public buildings, services, and facilities pursuant to Section 54957 of the Government
SPEAKER_10: Code.
SPEAKER_10: And we will be consulting with several of our staff members.
Unknown: Cherèche Cotha, who is our Chief Information Officer, Jose Bodipa-Memba, who is our Chief
SPEAKER_10: Diversity Officer, Laura Lewis, who is our Chief Legal and Government Affairs Officer,
SPEAKER_10: Steve Custin, our Interim Director of Cybersecurity, and Kirsten DePersis, okay, sorry, Director
SPEAKER_10: of Facilities, Security, and Emergency Operations.
SPEAKER_10: The board will not be taking any action during this closed session, so there will be nothing
SPEAKER_10: to report to you at the end of the session.
SPEAKER_10: No further business has appeared before us, so the board will now adjourn into our closed
SPEAKER_10: session.
Unknown: Thank you.