February 1, 2009

NERC Drives Development of Sustainable Compliance Programs

The Fifth Factor

Many organizations are grappling with these issues and looking for better ways to centralize data, manage projects and programs, and monitor controls. Technology can play a vital role in helping organizations develop and maintain a sustainable compliance program. There are many tools that can help store data and provide appropriate access to it, as well as applications that can assist with managing projects while automating some of the tasks and workflows.

One newly emerging solution area that brings many of these capabilities together is called governance, risk, and compliance (GRC). In FERC’s October policy statement, governance and compliance remain front and center as key priorities. Many organizations find that the same tools used, and much of the same data collected, to support compliance can also be applied to identifying organizational risk and minimizing excess risk. GRC solutions bring these related subjects together in an attempt to gain the most insight with the least impact on operations.

The path to a sustainable compliance program is neither short nor easy. In order to reach this goal, it is important to choose clearly defined and funded intermediate steps rather than attempting to implement a systematic change all at once. Multiple shorter-duration iterations will demonstrate progress and improve external perceptions of the compliance organization while yielding continuing improvements.

Several sources of guidance should be considered, not only those specific to NERC. For example, organizations such as the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the Open Compliance and Ethics Group (OCEG) have amassed volumes of information that provide valuable advice for designing compliance and risk management programs. Furthermore, the ISO 27001/27002 standards and the COBIT framework provide structures for IT security and compliance that are directly relevant to NERC’s Critical Infrastructure Protection (CIP) standards.

A final consideration in constructing a compliance program is deciding if there is an organizational need to address additional regulations, beyond NERC’s and FERC’s, with the same systems and processes. Although instituting a compliance program can be labor-intensive at the start, having one will save time and money in the long term. Given the size of the potential fines from NERC and FERC, a compliance program could potentially save money in the short term, as well (Figure 3).

Figure 3. More than a paperwork drill. The response of industry to the NERC reliability rules has been similar to the initial efforts of publicly traded companies in dealing with Sarbanes-Oxley. There has been an immediate effort to “get compliant” and demonstrate compliance by whatever means possible, which in many cases means a resource-intensive documentation drill. Though this is a normal, and perhaps necessary, first step, it must be followed by a sustainable and cost-effective compliance program. One approach is to use computer-based compliance management software, such as CA GRC Manager. Source: CA Inc.

The power industry faced only moderate enforcement activity in 2008; however, there is no guarantee that 2009 will not be more challenging. In addition to the potential for a stricter enforcement environment, there is the likelihood of future regulation related to the grid modernization needed to support renewable power, as well as an increased focus on risk management by North American corporations. These factors, added to FERC’s revised policy statement, argue for investing now in implementing sustainable compliance programs for the future.

--Peter Stapleton (peter.stapleton@ca.com) is senior principal product manager for CA Inc.'s GRC Manager.
