Six Steps to Implementing a Risk-based Approach to Regulatory and Reliability Compliance in the Energy and Utilities Industry

Today, the Energy and Utilities industry is exposed to challenges and risks that were unknown only a few years ago. The complexity of operations is compounded several times over by the increasing number of stringent reliability standards enforced by the North American Electric Reliability Corporation (NERC), market and tariff provisions from the Federal Energy Regulatory Commission (FERC), and further compliance requirements from the Environmental Protection Agency (EPA), the Occupational Safety and Health Administration (OSHA) and other regulatory bodies. Many companies have cross-border requirements that complicate compliance even more.

Meanwhile, the adoption of Smart Grid technology continues, bringing with it increased exposure to cyber thefts and attacks. Identifying compliance challenges early, and understanding the specific risks associated with them can help organizations prioritize their compliance assessments and monitoring tasks, save huge losses in the form of penalties and settlements, and maintain their hard-earned reputation and trust.

Every year, a record number of audits and enforcement orders are issued by the various federal and state agencies that oversee the energy industry. Companies fined for non-compliance face stiffer penalties when they lack an implemented and effective compliance program. Gone are the days when companies could assert that they either didn't understand regulations or weren't sure how to comply. There is enough information, expertise and tooling available for organizations to implement a comprehensive and proactive compliance program.

This paper covers the crucial points for developing a comprehensive approach to compliance risk management as a foundation for developing effective compliance programs. The steps described below are sequential guidelines that many knowledgeable and capable energy companies have developed in partnership with their extended stakeholders: customers, regulators, competitors and consultants.

The Risk Assessment Matrix (RAM) for Efficiently Managing Compliance Programs
The NERC example: In September 2011, NERC filed its new Compliance Enforcement Initiative comprising three tracks:

  • Dismissal
  • Find, fix, track and report
  • Notice of penalty

The dismissal and notice of penalty tracks remain the same; the find, fix, track and report track is the new addition. It covers possible violations that pose a lesser risk to the grid, and allows registered entities to mitigate them without a penalty being assessed.

The new initiative is a paradigm shift in how issues are processed. It reflects a risk-informed approach that recognizes that not all possible violations are equal and that they should not be treated in the same manner. Instead, enforcement resources are focused on those violations that seriously threaten the bulk power system.

Energy and Utility organizations should adopt a similar approach, focusing on critical risk areas, and accordingly prioritizing their response and recovery efforts. The identification and management of these specific risk areas can be effectively conducted using a Risk Assessment Matrix (RAM) model.

The RAM is fast becoming an essential part of compliance programs for Energy and Utility organizations across the world, especially since regulatory authorities such as FERC and NERC are evaluating how companies use the RAM in their compliance program to detect violations.

Not only does the RAM help design an effective compliance program, it also reduces the likelihood of violations. In essence, it enables a detailed and efficient risk assessment through which organizations can identify their most important processes and functions along with the threats most likely to impact them. Accordingly, resources can be prioritized and deployed to mitigate those risks, and ensure compliance.

Implementing RAM - Six Steps to Achieving Risk-based Compliance
The six-step RAM process covers the entire risk assessment process in a closed-loop system. Executed properly, it ensures that organizations are completely aware of and prepared for the entire range of potential risks.

The six steps are summarized as follows:

Step One - Identify Applicable Rules, Regulations and Statutes
Energy and Utility organizations - especially those with complex organizational structures spread across multiple countries - are required to comply with an intricate web of numerous regulations at various levels.

In our market research, we observed that most companies are aware of about 70% of their obligations. However, Compliance departments are usually aware of only about 35% of the applicable rules. The rest are hidden, sometimes deeply, within various business or functional silos across the enterprise. Identifying and recording the applicable regulations in a systematic manner is therefore the starting point for risk assessment. To sustain compliance, organizations need to maintain and continually update a complete inventory of rules, regulations, guidelines and directives, together with the details of each obligation (owner, filing frequency, deadline and evidence required).

Step Two - Identify Business Functions and Processes
Business functions and processes that fall under the purview of “compliance” extend across different departments: Communications, Operations, Legal, Service, Finance, Human Resources, Training, Marketing, Facility Management and Information Technology. Virtually every corporate function has some role to play in maintaining compliance. The best way to identify these roles is to do an inventory of who is doing what with respect to compliance. Determine the functions and processes relevant to each applicable rule, regulation and statute, looking within the organization as well as other stakeholders in the business process.

Step Three - Determine the Compliance-Criticality of Functions and Processes
It is crucial to map those business processes that are most critical to the ongoing compliance of the organization. This phase is based on questions such as: How important is this business function to the company’s state of compliance with the identified rules and regulations? How would a loss or disruption in that business function/process affect the bottom line?

Organizations need to identify whether a particular business function has very specific compliance responsibilities, or whether it contributes to the overall compliance culture of the company. It is also crucial to understand how important the function is to the continuity of the business and of compliance. Are there too many silos involved in the process of complying with certain rules and regulations? Has the continuity of compliance operations been broken?

Step Four - Identify Threats to Ongoing Compliance
Organizations should identify and manage threats that have a realistic chance of occurring. For instance, if only one employee is responsible for filing the quarterly report to FERC, that single point of failure should be counted as a threat, because the employee could suddenly leave the company. Similarly, multiple threats can arise from multiple sources and converge into a single large threat. Organizations need to identify such sets of threats, rank them, and determine their impact and likelihood. They also need to consider the threats that have materialized in the past.

Threats can be identified and classified in groups such as:

  • Natural disasters (tornadoes, floods, earthquakes, tsunamis, heavy snowfall)
  • Events caused by humans (workplace violence, criminal activities, kidnapping, terrorist attacks, cyber-attacks, sabotage)
  • Facility-related emergencies (hazardous materials, loss of utilities)
  • Asset protection incidents (inadequate systems, untrained personnel, unprotected machines)
  • Information system difficulties (lack of backup)
  • Employee-related problems (lack of training, bad attitude, misconduct/ grievances)

Step Five - Determine Vulnerability
Organizations should determine which threats are most likely to disrupt each critical business function. For each threat they need to ask how likely it is to occur, and how often it is expected to occur.

One suggested method is a three-tier classification that rates each business function against a given threat as:

  • Highly Vulnerable - most likely to experience the threat
  • Vulnerable - may experience the threat
  • Not Vulnerable - not likely to experience the threat

Compliance risk can be quantified based on various approaches such as:

  • Using simple mathematical models as well as complex algorithms to calculate the probability of non-compliance events occurring.
  • Determining the number of risk source points. For instance, if 3 people are responsible for completing and submitting FERC Form 1, then the number of risk source points is 3.
  • Measuring controls and accountabilities, and assigning a relative value to them such as highly effective, effective and not effective.
  • Measuring the potential severity of non-compliance (fines and penalties). Organizations need not devote their attention to areas where non-compliance poses no significant risk.

Step Six - Plan Resources to Address Threats and Vulnerabilities
It is imperative that plans and capabilities to handle threats are current and adequate. To plug in the gaps or overcome inadequacies, companies need to concentrate on solution areas such as appropriate tools, planning, organization, facilities, operational processes and training. Companies also need to determine whether the programs and solutions can be managed by the available company personnel and extended stakeholders, or a combination of the two. Tabletop, functional and full-scale exercises must be conducted at regular intervals to assess the efficiency of plans and resources.

One of the most common claims asserted by companies that have been cited for a substandard compliance program is a lack of resources to ensure that requirements are being addressed within the organization. Agencies have little to no tolerance for these claims in the current regulatory climate.
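The six steps above can be carried as a small data model that produces the ranked matrix Step Six plans against. The following is an added example written for this page, not ProComply's or MetricStream's code. The 1-to-5 likelihood and impact scales, the control-effectiveness multipliers, the tier thresholds and the three sample obligations are all assumptions for illustration; the paper names the ratings (highly effective, effective, not effective; Highly Vulnerable, Vulnerable, Not Vulnerable) but gives no numbers.

```python
"""Risk Assessment Matrix (RAM) builder following the paper's six steps.

Added example, not the paper's own method. Scales, multipliers, thresholds
and sample obligations below are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field

# Step Five: likelihood scale and control-effectiveness factors (assumed).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONTROL_FACTOR = {"highly effective": 0.5, "effective": 0.75, "not effective": 1.0}

# Residual-score thresholds for the three vulnerability tiers (assumed).
HIGHLY_VULNERABLE = 12
VULNERABLE = 6


@dataclass(frozen=True)
class Threat:
    name: str
    category: str    # one of the Step Four threat groups
    likelihood: str  # key into LIKELIHOOD


@dataclass
class Obligation:
    rule: str                # Step One: the applicable rule or regulation
    function: str            # Step Two: the business function that owns it
    criticality: int         # Step Three: 1 (low) .. 5 (critical to compliance)
    penalty_severity: int    # Step Five: potential fine/penalty severity, 1..5
    risk_source_points: int  # Step Five: people/systems the obligation depends on
    control: str             # Step Five: control rating, key into CONTROL_FACTOR
    threats: list = field(default_factory=list)  # Step Four: declared threats


def identify_threats(ob):
    """Step Four: declared threats plus the single-point-of-failure threat the
    paper describes (only one person responsible for a filing)."""
    threats = list(ob.threats)
    if ob.risk_source_points <= 1:
        threats.append(Threat("key-person dependency", "Employee-related problems", "possible"))
    return threats


def assess(ob):
    """Step Five: inherent score = likelihood x impact; residual score scales
    the inherent score by control effectiveness and is then tiered."""
    threats = identify_threats(ob)
    likelihood = max(LIKELIHOOD[t.likelihood] for t in threats) if threats else 1
    impact = max(ob.criticality, ob.penalty_severity)
    inherent = likelihood * impact
    residual = inherent * CONTROL_FACTOR[ob.control]
    if residual >= HIGHLY_VULNERABLE:
        tier = "Highly Vulnerable"
    elif residual >= VULNERABLE:
        tier = "Vulnerable"
    else:
        tier = "Not Vulnerable"
    return {
        "rule": ob.rule, "function": ob.function, "likelihood": likelihood,
        "impact": impact, "inherent": inherent, "residual": residual,
        "tier": tier, "threats": [t.name for t in threats],
    }


def build_ram(obligations):
    """Step Six input: rank obligations so remediation resources go to the
    highest residual risk first."""
    return sorted((assess(ob) for ob in obligations), key=lambda r: r["residual"], reverse=True)


def heat_map(ram):
    """Count obligations per (likelihood, impact) cell, the usual RAM view."""
    cells = {}
    for row in ram:
        key = (row["likelihood"], row["impact"])
        cells[key] = cells.get(key, 0) + 1
    return cells


# Constructed sample inventory (Steps One to Three); not real company data.
SAMPLE_OBLIGATIONS = [
    Obligation("FERC Form 1 annual filing", "Finance", 4, 3, 3, "effective",
               [Threat("filing system outage, no backup", "Information system difficulties", "unlikely")]),
    Obligation("NERC CIP cyber security standards", "Information Technology", 5, 5, 1, "not effective",
               [Threat("cyber-attack on control systems", "Events caused by humans", "possible")]),
    Obligation("OSHA training records", "Human Resources", 2, 2, 4, "highly effective",
               [Threat("lapsed employee training", "Employee-related problems", "possible")]),
]

if __name__ == "__main__":
    for row in build_ram(SAMPLE_OBLIGATIONS):
        print(f'{row["tier"]:<18} residual={row["residual"]:>5.2f}  {row["rule"]}  threats={row["threats"]}')
```

Two design choices matter more than the exact numbers. First, the single-responsible-person case from Step Four is derived from the inventory (`risk_source_points <= 1`) rather than entered by hand, so it cannot be forgotten when an obligation changes owner. Second, controls reduce the residual score but never the inherent one, so an obligation with strong controls still shows its full exposure in the heat map when those controls are re-tested and found wanting.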

Teaming Up with Other Internal Functions - RAM Integration
The Reliability Compliance team should collaborate with other teams to gain the information and experience required for risk assessments. Internally, the best possible teams to work with are those that manage:

  • SOX Compliance processes
  • Financial risk assessments (multiple types)
  • Audits (regular and ad hoc)
  • Information Technology Vulnerability Assessments

Avoiding RAM Duplication: While developing the RAM, the Compliance team should identify existing frameworks where risks and controls have already been processed. For example, in many HR functions, Key Performance Indicators (KPIs) are already part of the compensation incentive program. Similarly, many Risk Management and Audit departments have identified Key Risk Indicators (KRIs) as part of their normal process of evaluating risks to the company.

Communication is critical. People with compliance responsibilities need to be kept informed about new regulations, guidelines, interpretations and expectations. In addition, the organization should define roles and responsibilities, and make named individuals accountable for eliminating duplicate risk assessments.

How Technology Can Enable a Risk-based Approach to Compliance
To ensure sustainable compliance, organizations must build a proactive and risk-based compliance approach that addresses not only today's requirements but also future ones. While IT solutions and systems alone can't drive risk and compliance programs, the right solutions and technologies can provide measurable value by improving the efficiency and effectiveness of the people and processes that businesses rely on for success.

There are various approaches and solutions available in the market for enabling a risk-based approach to compliance. These solutions:

  • Enable policies, frameworks and multiple compliance requirements to be managed on a single platform so that organizations need not have to deploy separate systems or point solutions for each regulation.
  • Support risk assessment and computations based on configurable methodologies and algorithms, providing a clear view into the organization's regulatory compliance risk profile, and enabling auditors to develop audit strategies for optimal risk/reward outcomes.
  • Use a flexible framework for configuring multiple methodologies and approaches, and help maintain a many-to-many relationship between various objects, including policies and procedures, regulations, standards and requirements, risks, controls and issues.
  • Provide centralized risk libraries where risks and their corresponding controls can be maintained by compliance area/program, standard and requirements.
  • Provide capabilities for risk identification and assessment along with risk heat maps and detailed reporting tools.

Compliance assessments and audits require a number of tasks such as assessments and surveys, polling, documentation and issue management. Without an integrated and automated task management system, companies cannot effectively manage and schedule these tasks, optimize resource requirements, or establish standardized escalation mechanisms.

A compliance management solution should streamline and automate the tracking of action items - ranging from documenting information about new compliance requirements and issues, to assigning ownership and responsibility for the issues, to providing automatic alerts for task implementation, to resolving issues that arise. Ideally it should help users implement specific follow-up activities to track, escalate and confirm task completion.

The solution should also enable organizations to structure a logical internal control framework, beginning with regulations and standards, and extending down to the associated sub-standards, requirements, controls and control tests. This organized framework helps streamline compliance activities, make quick associations between controls and regulations, and simplify the tracking of control-based activities across the enterprise. Risk control assessments and testing should be facilitated using predefined criteria and checklists.

The solution should also help users prepare self-certifications (including NERC Reliability Standard Audit Worksheets, RSAWs) to evaluate, tabulate, review and report evidence of compliance with NERC Reliability Standards. In short, the solution should enable organizations to set up controls for every compliance risk requirement, and assess these controls periodically to ensure they are working. This promotes a proactive outlook in which every identified risk is covered by a control that is known to be working.

Conclusion
The energy industry is in a state of intense transformation due to the forces of technology, competition and regulation. As the industry adapts to these changes, company personnel are seeking to maintain their value proposition for their customers in a climate of uncertainty and risk. Regulatory compliance, once a footnote in the company annual report, has now become a major driver of profits and shareholder return.

The best run companies have compliance programs that recognize the full set of risks, enable compliance, and then substantiate the results. Risk assessment is a starting point for building a compliance program. In fact, a structural risk assessment is necessary for a company to build a truly effective compliance program.

Regulators now know that many companies “get it” and that they have moved compliance from the basement to the boardroom. That recognition by regulators only serves to spotlight those that still lag behind the best practices of regulatory compliance.

With such a wide availability of tools, knowledge and experience, energy companies can understand and manage risks better than ever before.

John Ballentine - Principal, ProComply
John Ballentine is a Principal at ProComply, a Texas-based regulatory services provider to the energy industry. Prior to joining ProComply, John served over 20 years as a senior compliance executive in both electric and natural gas companies subject to federal regulation. An ardent advocate for streamlined, effective regulatory risk management in the energy industry, John co-developed ProComply's "Sustainable Compliance" program model based on a proactive approach to managing regulatory risk.
Joe Longo - VP Consulting, MetricStream
As the Vice President of Consulting & Advisory Services, Mr. Longo is responsible for MetricStream's consulting services. Mr. Longo leads a world-class consulting team comprised of MetricStream specialists and external domain consultants ("Cloud Consultants"). Mr. Longo has delivered strategic consulting for multi-national companies, including Johnson & Johnson, Hewlett-Packard, Florida Power & Light, and many others. He is well versed in enterprise risk management, quality management and supplier best practices. He holds a degree in Computer Science from the Royal Melbourne Institute of Technology as well as a post-graduate diploma from the Chisholm Institute of Technology. Mr. Longo is based in MetricStream's World Wide Headquarters in Palo Alto, California.