Let's face it: the fear of non-compliance is daunting, even more so when federal regulators have penalized energy market participants with fines ranging from $300 thousand to $300 million over the past two years. Whether it is the Sarbanes-Oxley Act (SOX), FERC and NERC regulations (Federal Energy Regulatory Commission and North American Electric Reliability Corporation), or requirements from state and regional bodies, complying with them is challenging.
Regulatory requirements are not a new phenomenon; energy companies have faced rules, standards and codes ever since the industry came into being. What has changed is the rigor with which regulators now discharge their responsibilities. The regulatory environment has become complex and severe, leaving energy companies grappling with how to demonstrate, document and report compliance.
Most energy and utility companies are today required to retrieve, compile and integrate data from multiple sources into an accurate, up-to-date picture of the state of their business and day-to-day operations. The geographical spread of these organizations makes even listing assets challenging, and manual, paper-based systems for storing vital business information leave that information exposed to loss, error and tampering.
Geographically spread utilities, with multiple units stretched across different centers, not only complicate the establishment of an effective security perimeter but also make it harder to collate information at one center for regulatory oversight and reporting.
Guaranteeing the availability and security of high-quality information introduces new vulnerabilities of its own. Rick Sergel, president and CEO of NERC, says, "Cyber Security requires a more expedient treatment of critical information, urgent action on standards, and more thorough threat analysis and risk assessment".
Compliance managers, in their rush to strike the right balance between complying with rigorous regulations and performing real-time risk measurement, management and mitigation, at times compromise on security measures, which exposes the company to even greater penalties and risks. As it is, seemingly simple processes such as meeting standards of conduct, applying and enforcing the Open Access Transmission Tariff (OATT), satisfying greenhouse gas (GHG) registry requirements, ensuring adequate controls, and monitoring transactions to identify fraud or manipulation become a herculean task in the absence of a structured compliance system.
George Wang, Chief Information Security Officer, Asia, at Reuters Asia Pvt. Ltd., said in his keynote speech on the importance of keeping risk strategy in sync with the company's security culture, "Battling with legalities and regulations sometimes places a damper on an organization's capacity to pursue the right security measure."
Given these challenges and vulnerabilities, companies cannot afford to address haphazardly the regulatory compliance inherent in their operations and market activities.
What companies need at this juncture is a compliance program that achieves compliance effectively without exceeding the resources available within the company.
Building a road map
There is no one-size-fits-all approach to compliance, as every enterprise follows a framework specific to its own internal operating environment.
A predefined process for achieving compliance should address four core areas: planning, readiness assessment, remediation and monitoring.
Scope and Planning
Management commitment and readiness are essential to any compliance management program. They not only focus the organization on compliance but also make it easier to identify, assess, decide, implement, audit and supervise a robust overall compliance program.
Just as every business has a unique internal environment, every regulatory body has a unique approach. It is paramount to understand the scope and implications of the regulations that apply to your business, such as NERC, FERC or SOX, before internalizing them into your compliance program.
Each business has to define an approach for assessing compliance that covers the associated policies, procedures, reporting requirements, filing templates and schedules for each regulation, and that keeps a check on non-routine and non-systematic transactions, anti-fraud programs and control gaps.
Readiness Assessment
A readiness assessment gives you an easy and effective way to profile the current state, or "maturity", of your organization's processes, expressed as the degree to which they comply with regulations and standards such as NERC and FERC.
Energy companies today need to do more to meet business objectives. Where in the past it was sufficient to supervise and control process loops, today the scope covers everything from advanced control, integrated fire and safety, and physical and cyber security to interfacing with business systems. A readiness assessment provides a simple way to checkpoint maturity in the midst of this increasingly complex and expanding functional breadth.
The readiness assessment will not only help you understand the current strengths of your compliance management process but will also identify processes, documents and records that are missing or incomplete, making it easier to estimate the work required to create or update those compliance artifacts. Each area that needs attention is then prioritized in an implementation plan.
Remediation
In remediation, the gaps that pose a non-compliance risk are identified and prioritized, and a process is put in place to track progress towards closing the deficiencies found during the gap analysis.
These deficiencies can be caused by equipment corrosion, equipment failure, outdated infrastructure, obsolete control systems or cyber threats. If left undetected, they can have severe consequences, including violations of regulatory standards such as those of FERC and NERC.
Once a gap is identified and documented, it is immediately assigned to the appropriate personnel for investigation and remedial action, saving time, money, work force and critical capacity for your organization.
Monitoring
Ongoing monitoring keeps track of compliance status, process ownership, assessment plans and the like, giving wide visibility into the compliance process and highlighting issues that need to be addressed. The essence of monitoring is to create a sustainable structure that results in consistent and efficient reporting and documentation.
For instance, remote monitoring helps plant managers in the energy industry keep track of both condition and performance, freeing on-site resources for other critical tasks. It helps plants avoid unplanned losses of capacity, improve asset health and achieve more stable control.
Remember, regulatory compliance is not a one-time exercise. It is a never-ending process, especially when it involves increasingly complex regulatory requirements, growing cyber threats and the vulnerabilities of standardized technology.
Beyond the undesirable consequences and hefty penalties from national and regional regulators, the lack of appropriate risk and compliance management frameworks and techniques can affect all business functions, both operationally and strategically.
With the help of a compliance roadmap and framework built on a more integrated and scalable approach, energy companies can achieve their critical business objectives and cope with the complex regulatory landscape.
A major integrated company engaged in the production, transmission and distribution of power and natural gas, and in related products, at locations worldwide faced major challenges in complying with regulations. As one of the largest electric utilities in the US, with more than 2.6 million retail customers, a generation capacity of about 30,000 MW and revenue of more than $10 billion, it is subject to multiple compliance requirements from a number of regulatory bodies. In the last few years the company faced daunting challenges along with additional scrutiny from those bodies. Because its internally developed application had been designed for a narrow set of compliance requirements, the growing regulatory demands exposed the limitations of both the application and the approach behind it.
The company then adopted an integrated compliance strategy built on an enterprise-level framework for managing all regulatory requirements and enterprise risk management (ERM) programs. The road map provided comprehensive functionality for managing SOX compliance and ERM as well as FERC and NERC regulations and the corporate policies for standards of conduct.
"The solution streamlined our financial controls processes for SOX compliance as well as enabled us to employ best practices frameworks for managing compliance with FERC and NERC," said a senior compliance officer of the company.