The Client: One of the Largest Electric Utilities in the US
The company is a major integrated energy company engaged in power production, transmission and distribution, dealing in natural gas, electricity and other energy-related products. It is one of the largest electric utilities in the US.
The company faces compliance requirements from a number of regulatory bodies that impose oversight and reporting obligations. Industry regulations from FERC, NERC and state and regional public service commissions, combined with cross-industry regulations such as Sarbanes-Oxley (SOX), affect every business function both operationally and strategically. These requirements touch a large number of business processes, and many specialized processes exist solely to satisfy a specific regulatory guideline. The cost of ensuring compliance, in time and resources, is substantial. Moreover, the risk of noncompliance and other enterprise risks must be continuously monitored and mitigated to protect business performance and continuity.
The company had internally developed an application for managing its SOX and Enterprise Risk Management (ERM) processes using Microsoft Access and SQL Server. The system was designed to capture SOX and other risks, the controls associated with them, control test plans, issues raised when a control failed testing and was deemed unreliable, and the action plans for resolving those issues.
In recent years, the company experienced a significant increase in the number of compliance requirements it had to meet, along with closer scrutiny from the various regulatory bodies verifying that the company did in fact comply. Because the internally developed application had been designed for a narrow set of requirements, the growing regulatory demands began to expose the limitations of the application and of its underlying approach.
As new processes and records were required, they were set up manually outside the system because the application could not be extended. For example, the system could not map compliance processes to the general ledger balances maintained in PeopleSoft or to the financial statements managed in the Cognos applications. Keeping the automated processes in sync with the manual ones became a major overhead as new accounts were created.
The internal application allowed only a simplistic, linear organizational setup and did not support the varying reporting relationships and information flows between testers, process owners and those who managed the overall compliance process for their business units.
The compliance surveys and certifications across departments, locations and business units depended on manual distribution, gathering and consolidation of responses. The lack of automation made this activity tedious and error-prone, with many documents physically circulated and manually signed throughout the company.
The internal application did not support the periodic cycles and recurring activities and record keeping that ongoing compliance requires, leading to inefficient re-entry of data. Moreover, the application did not enforce authorization checks to prevent users from viewing information and records for which they had no privileges, violating a basic compliance principle.