Compliance with reliability standards has moved beyond the "check the box" phase to one of regulations with real deliverables and fines for noncompliance. Utilities that aren’t vigorously evaluating and refining their compliance procedures today may find NERC’s 2009 audit cycle much more challenging.
A significant concern for power companies in 2008 was compliance with the North American Electric Reliability Corp. (NERC) Reliability Standards, and this is an issue that will increase in importance in 2009 and coming years. Though NERC began nearly 40 years ago as an industry organization focused on improving electric power reliability, the organization’s responsibility and authority have increased over time, often after a major power disruption.
Following the 2003 Northeast blackout that resulted in the loss of power to nearly 6.5 million customers, the Federal Energy Regulatory Commission (FERC) was given the directive to create a national regulatory organization for electrical reliability. FERC, in turn, delegated to NERC the authority to enforce reliability standards and assess fines.
The NERC reliability standards consist of a wide-ranging set of requirements, from technical controls on the quantity and quality of electricity supplied to the grid to administrative procedures for personnel and staffing. The 14 reliability standards each consist of multiple specific requirements, resulting in 94 mandatory and enforceable reliability standards — each of which has several audit items.
Compounding the breadth of the reliability standards is their relative newness — and potential financial impact. Despite its 40-year history, NERC has only had the authority to enforce reliability standards and assess fines for noncompliance since June 2007. The current audit cycle represents the first year that organizations face significant monetary fines for noncompliance, and though the initial fines have been relatively small, the maximum fines are one million dollars per violation, per day. In addition to the financial penalty, violations are publicly reported, representing potential damage to an organization’s reputation (Figure 1).
Figure 1. Pass your audit. The North American Electric Reliability Corp. reliability standards consist of a broad set of requirements, ranging from technical controls on the quantity and quality of electricity supplied to the grid to administrative procedures for personnel and staffing. The 14 standards each consist of multiple specific requirements, resulting in 94 mandatory reliability standards, each of which has several audit items, which a comprehensive compliance program
As this story was being written and the 2008 audit cycle came to a close, the power industry was breathing a collective sigh of relief. Although the 350 scheduled NERC audits were, by all accounts, thorough and represented a significant level of effort for the audited companies, the fines have been relatively few and far less expensive than the potential million dollar ceiling.
As of November 2008, 37 companies had been cited for compliance issues, and only two of those were ultimately fined, for a total of only $255,000. However, this should not be taken to indicate that NERC will not assess higher, and more numerous, fines in the future. Many industry observers believe that NERC has taken a more accommodating approach in this first audit cycle, preferring to warn utilities first and to follow that warning with increased observation and higher fines for noncompliance in the future.
One potential mitigating factor against higher, and more, fines in the future is the direction taken by FERC in a revision to its policy statement issued on October 16, 2008. Within that document, FERC states: "Achieving compliance, not assessing penalties, is the central goal of our enforcement efforts." The statement goes on to identify four factors that FERC will consider when assessing or reducing penalties: actions of senior management; effective preventative measures; prompt detection, cessation, and reporting; and remediation.
While at the time of writing this article NERC had not issued updated guidance specific to this revision, the four factors identified by FERC are pillars of any strong compliance program and should be considered part of a best practices approach to compliance. Organizations that commit to the creation of a strong and sustainable compliance program will not only be able to potentially reduce the cost of penalties, but they should also have far fewer violations over time.
The power industry’s initial response to NERC compliance requirements has been similar to initial responses to Sarbanes-Oxley (the 2002 federal law requiring enhanced financial disclosure standards for publicly traded U.S. companies). There has been an immediate effort to "get compliant" and demonstrate compliance by whatever means possible, which in many cases has meant a resource-intensive documentation drill, often captured and exchanged via an innumerable array of spreadsheets. Although this is a normal and perhaps necessary first step, it must be followed by the implementation of a sustainable and cost-effective compliance program.
In developing what FERC calls a "vigorous compliance program," one principle that seems to be lagging at affected organizations is the adoption of a controls-focused approach. In part, this is due to semantics. The NERC reliability standards seldom mention the word "control," and certainly not with the emphasis of Sarbanes-Oxley or other compliance standards. NERC focuses on requirements, and power companies have focused on demonstrating that the requirements have been met (Figure 2).
Figure 2. Inspect performance. NERC has only had the authority to enforce reliability standards and assess fines for noncompliance since June 2007. The 2008 audit cycle was the first during which organizations faced significant monetary fines for noncompliance. A robust compliance program must have more than written policies in place; it must also include corporate controls that ensure those policies are complied with. Source: CA Inc.
There is an additional challenge: The technical and engineering staff generally has a specific understanding of what constitutes a control that differs from management’s. Compliance controls are practices established by management to help ensure that business processes are carried out consistently and in accordance with the compliance standard. They can be either preventative or detective in nature, and they range from entirely manual and administrative to automated and technical. This semantic difference is an important hurdle to overcome, because without clearly defined and regularly tested controls it is nearly impossible to satisfy two of the four factors proposed by FERC: effective preventative measures, and prompt detection, cessation, and reporting of violations.
A robust set of controls and continuous control monitoring provide for a sustainable and ongoing compliance program. Rather than a quarterly or annual fire drill to collect data that demonstrates the meeting of a requirement, the compliant organization is continually monitoring a set of key indicators that align with compliance objectives.
An additional level of maturity occurs when the controls are mapped against a set of higher-level control objectives, which in turn are derived from governance directives that include regulatory documents, industry best practices, and corporate policy. Establishing control objectives and identifying the associated controls allows for standardization and reuse of work across all of the compliance programs, which reduces costs and minimizes the impact on operations.
Along with the creation of controls, and the rationalization of controls across different regulatory standards, the centralization of compliance data and records is an essential element in a sustainable compliance program. Centralization of data enables the reuse of data and a reduction in duplicative testing, which is a significant area for cost savings, as well as providing a compliance repository of key documentation that can reduce the time and effort required to prepare for audit actions.
Though the tasks and activities involved in implementing and testing controls are often distributed throughout an organization — and can include service providers, consultants, and third parties — the collection and maintenance of records must be consolidated. Data consolidation is also important for making compliance activities visible within an organization and for reporting purposes.
Though program visibility and detailed reporting may sound like nice-to-have capabilities rather than requirements for a strong and sustainable compliance program, they are actually key elements. FERC describes the "critical importance of the role of senior management in fostering a strong compliance ethic within a company" and expands upon that theme by detailing the expectations for executives to establish a culture of compliance.
Executives must not only express a commitment to regulatory compliance but also take an active interest in the results and actions of any compliance program for reasons beyond the importance of compliance itself. Reviewing the status of critical controls and key performance indicators provides a deep view into the operations of the business, the level of organizational risk, and the alignment of operations with the business’s stated goals and objectives. Finally, significant amounts of money are at stake, both in potential fines and in possible risk to the business resulting from noncompliant operations.
Compliance audits generate large numbers of tasks that must be assigned and tracked throughout the organization, including service providers and third parties. Ideally, individual tasks would be approached as audit projects, allowing them to be managed more effectively, and the multiple projects would together constitute an ongoing compliance program. This project- and program-management-focused approach provides a number of benefits, not the least of which is ensuring timely and accurate completion of the work.
With a more formalized approach to managing compliance projects, barriers to success — such as key personnel who are over-allocated or key resources that are unavailable — become apparent, as do duplicate or unneeded tasks. The goal is to reduce costs, ensure the consistency and predictability of the process, and eliminate expensive last-minute surprises.
When difficulties are discovered, the same project management tools and techniques can be used to plan and execute remediation, thereby providing a history of the steps taken to remedy the problem.
Finally, for central compliance groups, this approach provides a transparent record of work completed and planned, which is essential to support either charge-backs to the appropriate business unit or future budgeting requirements.
The Fifth Factor
Many organizations are grappling with these issues and looking for better ways to centralize data, manage projects and programs, and monitor controls. Technology can play a vital role in helping organizations develop and maintain a sustainable compliance program. There are many tools that can help store data and provide appropriate access to it, as well as applications that can assist with managing projects while automating some of the tasks and workflows.
One newly emerging solution area that brings many of these capabilities together is called governance, risk, and compliance (GRC). In FERC’s October policy statement, governance and compliance remain front and center as key priorities. Many organizations find that the same tools used, and much of the same data collected, to support compliance can also be applied to identifying organizational risk and minimizing excess risk. GRC solutions bring these related subjects together in an attempt to gain the most insight with the least impact on operations.
The path to a sustainable compliance program is neither short nor easy. In order to reach this goal, it is important to choose clearly defined and funded intermediate steps rather than attempting to implement a systematic change all at once. Multiple shorter-duration iterations will demonstrate progress and improve external perceptions of the compliance organization while yielding continuing improvements.
Several sources of guidance should be considered, not only those that are specific to NERC. For example, organizations such as the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the Open Compliance and Ethics Group (OCEG) have amassed volumes of information that provide valuable advice for designing compliance and risk management programs. Furthermore, the ISO 27001/2 and COBIT standards provide frameworks for IT security and compliance that are relevant to NERC’s Critical Infrastructure Protection (CIP) standards.
A final consideration in constructing a compliance program is deciding if there is an organizational need to address additional regulations, beyond NERC’s and FERC’s, with the same systems and processes. Although instituting a compliance program can be labor-intensive at the start, having one will save time and money in the long term. Given the size of the potential fines from NERC and FERC, a compliance program could potentially save money in the short term, as well (Figure 3).
Figure 3. More than a paperwork drill. The response of industry to the NERC reliability rules has been similar to the initial efforts of publicly traded companies in dealing with Sarbanes-Oxley. There has been an immediate effort to "get compliant" and demonstrate compliance by whatever means possible, which in many cases means a resource-intensive documentation drill. Though this is a normal, and perhaps necessary, first step, it must be followed by a sustainable and cost-effective compliance program. One approach is to use computer-based compliance management software, such as CA GRC Manager. Source: CA Inc.
The power industry faced only moderate enforcement activity in 2008; however, there is no guarantee that 2009 will not be more challenging. In addition to the potential for a stricter enforcement environment, there is the likelihood of future regulation related to the grid modernization needed to support renewable power, and an increased focus on risk management by North American corporations. These factors, added to the FERC revised policy statement, argue for investing now in implementing sustainable compliance programs for the future.
–Peter Stapleton (firstname.lastname@example.org) is senior principal product manager for CA Inc.’s GRC Manager.