The Client: One of the Largest Electric Utilities in the US
The company is a major integrated energy company engaged in power production, transmission and distribution involving natural gas, power and other energy-related products. It is one of the largest electric utilities in the US.
The company faces multiple compliance requirements from a number of regulatory bodies that impose regulatory oversight and reporting requirements. Industry regulations from FERC, NERC and state and regional public service commissions, combined with cross-industry regulations like Sarbanes-Oxley (SOX), impact all business functions operationally as well as strategically. These compliance requirements affect a large number of business processes, with many specialized processes being designed solely to meet specific regulatory guidelines. The cost of ensuring compliance in terms of time and resources is substantial. Moreover, the risk of noncompliance and other enterprise risks have to be constantly monitored and mitigated to ensure business performance and continuity.
MetricStream is enabling the company to adopt an integrated compliance strategy through an enterprise-level framework for managing all regulatory requirements and ERM programs. The solution will provide comprehensive functionality for SOX compliance and ERM, as well as for FERC and NERC regulations and corporate policies for standards of conduct.
The company will define and maintain a centralized structure of the overall compliance and control hierarchy based on regulatory standards and requirements. This structure includes the processes and assets in scope, their associated risks, the controls that address those risks and the mechanisms used to assess the controls. It also covers the associated policies and procedures, reporting requirements, and filing templates and schedules for the various regulations.
Based on the compliance requirements and associated risk, assessment plans will be scheduled periodically or triggered by the occurrence of certain adverse events. The system will integrate with other enterprise applications and implement rigorous change control to ensure that all records, processes and documentation always stay in sync.
The system supports risk assessment and computations based on configurable methodologies and algorithms, providing a clear view into the organization's risk profile and enabling managers to prioritize their response strategies and mitigation plans.
"The MetricStream solutions will streamline our financial controls processes for SOX compliance as well as enable us to employ best practices frameworks for managing compliance with FERC and NERC," says a senior compliance officer of the company. For instance, risks such as failure to have a functioning Incident Response System or to meet the Independent Functioning Guideline will be documented together with their controls and their periodic assessment plans. "The framework will cover our incident response mechanism to report incidents to the Electricity Sector - Information Sharing and Analysis Center (ES-ISAC) based on reporting criteria, thresholds and procedures contained in NERC's Indications, Analysis and Warning (IAW) Program. And we will conduct periodic assessments to ensure a clearly defined and documented procedure for reporting security incidents, appropriate role definitions to deal with reporting and responding to security incidents, and a well-defined line of communication and escalation path for reporting security incidents," explains the executive. Hundreds of such processes, risks and controls will be documented and assessed using the MetricStream solution.
Handling and reporting of noncompliance issues will be streamlined by automated workflows that document the issues and exceptions that pose a risk of noncompliance. The system will take them through a systematic mechanism of investigation and remedial corrective action.
Embedded best practices for the energy industry, combined with decision tree and workflow functionality, will support identification of reportable events as well as the type of report that needs to be filed. The process of reporting will be simplified as the system automatically generates mandatory reports in the formats and layouts prescribed by the agencies. The reports are generated in standard file types such as MS Word and are reviewed before being submitted. "Self-reporting of noncompliance issues is critical for our business and if NERC finds noncompliance during their auditing, they can impose fines as high as $1 million per day," says the compliance officer.
MetricStream supports a complex organizational model that covers all the entities, business units and departments, as well as their mappings to the various standards and requirements. With the granular access controls, the company will ensure confidentiality and the attorney-client privilege principle for sensitive information and records.
The automated surveys and certifications, powered by electronic signatures, will be efficient, consistent and reliable. The solution will ensure accountability by enforcing the flow of information and records and by documenting attestations and representations at appropriate stages and by responsible personnel, which then roll up to executive certifications.
Executive dashboards will provide enterprise-wide visibility into the compliance and risk management process and will highlight, in risk heat maps, the issues that need to be addressed. The solution will provide the ability to track risk profiles, control ownership, assessment plans, remediation status, etc. on graphical charts that can be accessed globally and display real-time information.
An integrated platform and application environment to manage compliance with multiple regulations, corporate policies and industry standards.
Comprehensive workflow-based functionality for SOX compliance and the flexibility to extend the common framework and best practices for FERC and NERC compliance.
Ability to support complex organizational models and granular access controls while providing an easy-to-use portal-based interface for end-users for quick adoption.
Powerful reporting and analytics for complete visibility into risk and compliance data on executive dashboards, control charts and risk heat maps.
The company had internally developed an application for managing SOX and Enterprise Risk Management (ERM) processes using Microsoft Access and SQL Server technology. The system was designed to capture SOX and other risks, their associated controls, control test plans, issues raised to highlight deficiencies when controls failed testing and were deemed unreliable, and action plans to resolve those issues.
In the last few years, the company experienced a significant increase in the number of compliance requirements to be met, as well as additional scrutiny by the various regulatory bodies to determine that the company does in fact comply with those requirements. As the internally developed application was designed for a narrow set of compliance requirements, the increasing regulatory demands started to expose the limitations of the application and its inherent approach.
As newer processes and record keeping were required, they were set up manually outside of the system because the application could not be extended. For example, the system could not map compliance processes to the general ledger balances maintained in PeopleSoft and the financial statements managed in the Cognos applications. Keeping the automated processes in sync with the manual processes became a major overhead as new accounts were created.
The internal application allowed only a simplistic and linear organizational setup and did not support the varying reporting relationships and information flows between testers, process owners and those who managed the overall compliance process for their business units.
The compliance surveys and certifications across various departments, locations and business units involved manual distribution, gathering and consolidation of responses. The lack of automation made this activity excessively tedious and error-prone, with a large number of documents being physically circulated and manually signed across the company.
The internal application did not support the periodic cycles and frequency of activities and record keeping needed for ongoing compliance, leading to inefficient data re-entry. Moreover, the application did not enforce appropriate authorizations to prevent users from viewing information and records for which they had no privileges, violating key compliance principles.