Understanding, experience and technology for success
In 1968, the North American Electric Reliability Corporation (NERC) was formed (as the National Electric Reliability Council) to prepare guidelines and practices for power system operations and coordination. But it was not until almost four decades later, after the 2003 Northeast Blackout led to the Energy Policy Act of 2005, that NERC's reliability standards became mandatory and enforceable across the US (the first enforceable standards took effect in 2007).
In 2006, the Federal Energy Regulatory Commission (FERC) certified NERC as the Electric Reliability Organization (ERO) for the United States. Since then, NERC has been responsible for maintaining the reliability of the North American bulk power system by developing and enforcing reliability standards, monitoring the bulk power system, assessing its adequacy, and educating industry personnel.
Today, NERC's standards are mandatory throughout the contiguous United States and several provinces in Canada. Compliance is enforced through a rigorous program of audits, investigations and reporting. Entities found to be in violation of a standard can be fined up to $1 million per day per violation.
Broadly classified as NERC 693 (operations and planning) standards and NERC CIP (Critical Infrastructure Protection) standards, the NERC standards fall into 14 standard families (for example BAL, CIP, EOP, PRC and TOP), each of which contains multiple individual standards and specific requirements. These standards define requirements for planning and operating the bulk power system, and are developed through collaboration between NERC staff and representatives from several electric industry sectors.
Challenges of NERC Compliance
Complexity of NERC Standards, High Costs of Compliance
For Electric Utilities, complying with NERC standards is nothing short of Herculean, considering that there are 94 mandatory reliability standards and over 1,000 individual requirements. Many of these requirements change frequently, and each revision can prescribe additional approaches or methodologies to be implemented - NERC CIP, for instance, is already at version 5. That means that Utilities have to constantly keep themselves updated on NERC changes, and alter their policies and controls accordingly. This can be a laborious and resource-intensive process.
Many Utilities use multiple complex spreadsheets, email channels and content management sites to record control assessments, prepare reports, and perform NERC compliance tasks and actions. The downside to this approach is that data has to be entered manually, requiring substantial manpower, resources and costs. Moreover, manual data management is a time-consuming and exhausting process that is often prone to errors.
Duplication of Compliance Activities
Many Utilities manage their compliance tasks and control assessments in functional or organizational silos. As a result, collaboration across the enterprise is limited, which leads to inconsistencies in compliance data and activities. It also results in redundant or duplicate compliance activities, which in turn wastes resources and costs.
Visibility into NERC compliance data and processes is essential to track the progress of compliance, and define strategy. Yet most companies lack this kind of visibility because they don’t have a unified reporting system, or their reporting processes are manual and ad hoc. Consolidating reports at the enterprise level is complex and time-consuming, while viewing data at the required levels of granularity is extremely difficult.
Ensuring NERC compliance means effectively managing reams of documentation, ranging from NERC standards, to internal policies and regulations, to Reliability Standards Audit Worksheets (RSAWs) and other proofs of compliance. It takes a lot of time and effort to sift through the documentation, and find the appropriate controls, or link controls to the corresponding compliance standards and requirements. Moreover, it isn’t easy to gain quick access to the required data, and provide proof to external investigators that a particular control was in place and was tested.
Action Item/Task Management Complexities
Compliance audits generate a number of tasks that must be assigned to proper employees and tracked throughout the organization. These tasks range from assessing and monitoring controls, to identifying and resolving issues as soon as they occur. Without an integrated and automated task management system, Utilities cannot effectively manage these tasks, and maintain a sustainable and closed-loop compliance program.
Overcoming the Challenges of NERC Compliance
With additional NERC standards coming into force, and existing standards being updated, compliance requirements are shifting, and audits are getting tougher. To top it off, Utilities have to deal with growing customer demands, increasing IT security threats, diminishing budgets, and complex new developments in the industry, such as the Smart Grid. Managing NERC compliance in the face of all these factors requires an efficient, proactive and sustainable approach. But how does one achieve it?
Firstly, Utilities need to develop and enforce effective policies and procedures aligned with NERC standards. Secondly, program managers need to implement a comprehensive, enterprise-wide program for monitoring compliance. Manual processes need to be replaced with automated workflows for compliance measurement, reporting, monitoring, management and issue remediation. This significantly improves resource utilization, and reduces costs.
Many Utilities are also discovering that as they grow and expand their operations, an integrated compliance and control framework is critical to maintaining sustainable NERC compliance. No longer can they operate through fragmented operational/functional silos. Individual workgroups, departments and business units need to collaborate on an ongoing basis to build more intelligent and systematic compliance processes, eliminate duplication of effort, and enable the free flow of information across the enterprise.
Utilities that have implemented an integrated compliance framework have been able to:
MetricStream NERC Compliance Management Solution
MetricStream NERC Compliance Management Solution helps Utilities strengthen and simplify the management of all NERC compliance requirements. The solution provides an integrated set of applications to streamline and automate end-to-end NERC compliance processes, while consolidating all compliance activities, data and initiatives in a centralized framework. This enables a systematic, collaborative and closed-loop approach to NERC compliance. In addition, powerful dashboards and reports provide real-time visibility into NERC compliance processes, as well as intelligence and data, facilitating proactive and sustainable compliance.
Capabilities of the MetricStream Solution
NERC Compliance Environment and Process Design
MetricStream NERC Compliance Management Solution enables Utilities to define and maintain a centralized structure of their overall compliance and control hierarchy, including processes and assets in scope, risks for the processes and assets, controls to address the risks, and mechanisms to assess the controls. With the solution, Electric Utilities can structure a logical internal control framework, beginning with each standard, and extending down to the associated sub-standards, requirements, controls and control tests. This framework helps streamline compliance activities, make quick associations between controls and regulations, and simplify the tracking of control-based activities across the enterprise.
MetricStream’s Value Proposition
Build an integrated and collaborative approach to NERC compliance that transcends organizational/functional silos, and eliminates redundancies.
Stay informed on NERC changes and updates through automatic alerts.
Streamline compliance activities, including mapping of regulations to policies, developing controls, assessing risks, performing compliance audits, preparing and implementing action plans, and identifying and remedying issues.
Enable risk-based compliance through configurable methodologies for risk assessments, risk heat maps and dashboards.
Automate critical compliance workflows for improved efficiency.
Optimize resource utilization, reduce costs.
Increase transparency into the status of compliance processes, and data for improved decision-making.
Enhance the effectiveness of reporting and self-certification.
Automatic Alerts of Updates to NERC Reliability Standards
The MetricStream solution automatically identifies and imports NERC regulations/rules from the NERC website or other external information sources. The solution captures information such as the standard, requirement, effective date (application date) and application zone. Users can filter out the relevant content, accept or reject updates, and import the content to a centralized library for creating actions, tasks, controls and compliance assessment processes. Users can also maintain multiple versions of regulatory requirements (e.g. NERC CIP v3.0, v4.0 and v5.0), and compare them to identify noncompliance gaps or risks.
NERC Compliance Assessments
The MetricStream solution supports assessments based on predefined criteria and checklists, and has a mechanism for scoring, tabulating and reporting the results. Control assessments can be designed and assigned based on roles and responsibilities, and scheduled either periodically or based on the compliance requirements and associated risk. For compliance requirements supported by IT applications (especially NERC CIP), assessments can be configured to analyze application data for its completeness, accuracy, validity, authorization and access rules. A centralized repository of all assessments, with easy search capabilities, ensures that internal auditors can easily provide documentation and evidence of compliance.
Risk Assessment and Management
MetricStream NERC Compliance Management Solution allows organizations to adopt a risk-based approach to NERC compliance. The solution supports risk assessments and computations based on configurable methodologies and algorithms, providing a clear view into each Utility’s regulatory compliance risk profile, and enabling auditors to develop audit strategies for optimal risk/reward outcomes. A built-in risk library enables all risks and controls to be maintained in a centralized and organized manner. In addition, graphical dashboards, risk heat maps and detailed reporting capabilities provide real-time insights into compliance risks across the enterprise.
The MetricStream solution helps in managing the complete audit lifecycle, including audit planning, resource management, task scheduling, escalation, monitoring and reporting. The solution includes capabilities for preparing a compliance questionnaire, conducting mock audits, communicating with external/internal auditors, tracking issues, and negotiating with auditors to resolve these issues. Using the solution, internal auditors can conduct checklist-based or work-paper-based audits, including activities such as searching and selecting checklists from the central repository, creating new checklists, and saving multiple checklist versions in the central repository.
"Reliability compliance is a critical program for us. We must report on over a thousand standards and requirements for the large number of participants in our energy market. By using MetricStream we will be able to enhance our compliance efforts. We selected MetricStream because it was user friendly, secure and will integrate easily with our existing systems."
- Dan Rochester, Manager, Reliability Standards and Assessments
Risk Based Asset Management
MetricStream NERC Compliance Management Solution provides a comprehensive asset management module to identify and manage all physical and cyber assets. The solution helps define various risk methodologies to identify and rate the assets, and classify them as critical or non-critical (the Critical Cyber Asset model of CIP-002 version 3; note that CIP-002 version 5 replaces this binary split with high, medium and low impact BES Cyber Systems, so the classification scheme should be configured to match the version being enforced). It also maintains detailed asset profiles in a central repository, and enables scheduling and tracking of asset installations/re-deployment, maintenance, refurbishments and disposal. Asset information can be imported from other databases or directories such as IBM Tivoli, HP Asset Manager, BMC Remedy and CA IT Asset Manager, using MetricStream's Infolet technology. In addition, built-in dashboards provide aggregated views, trends and analyses to determine long-term asset needs, capital requirements, and potential threats.
Self-Certification Report Management
The MetricStream solution helps prepare self-certification documentation, including NERC RSAWs, to evaluate, tabulate, review and report evidence of compliance with NERC regulations. The solution automates the self-certification and reporting process, and facilitates the storage of associated policies and procedures, reporting requirements, filing templates and schedules for various regulations. The solution also provides the flexibility to configure standard compliance reports, as well as ad-hoc or scheduled reports.
Issue Management and Remediation
For issues and exceptions that pose a risk of non-compliance, the MetricStream solution triggers a systematic mechanism of investigation and remediation. Automatic alerts and notifications are sent to the appropriate personnel for task assignments, and exception cases remain open until action plans are carried out, and results are verified for effectiveness. All issues can be automatically tracked as they move from one stage to the next. In addition, root cause analyses can be mapped to any entities including processes, regulations, requirements, assets and asset classes.
Real-Time Compliance Monitoring
MetricStream NERC Compliance Management Solution contains powerful executive dashboards with drill-down capabilities that provide enterprise-wide visibility into the NERC compliance process, and highlight issues that need to be addressed. Users can track the status of compliance, as well as process ownership, assessment plans, etc. on graphical charts that can be accessed globally, and display real-time information. The solution's quarterly and monthly trending analysis capabilities enable compliance managers and process owners to stay in constant touch with the actual state and progress of compliance programs. In addition, automated alerts for events such as exceptions and failures eliminate surprises, and make the process predictable.
MetricStream is a market leader in Enterprise-wide Governance, Risk, Compliance (GRC) and Quality Management Solutions for global corporations. MetricStream solutions are used by leading corporations such as UBS, P&G, Constellation Energy, Pfizer, Philips, BAE Systems, Twitter, SanDisk, Cummins and Sonic Automotive, in diverse industries such as Financial Services, Healthcare, Life Sciences, Energy and Utilities, Food, Retail, CPG, Government, Hi-tech and Manufacturing, to manage their risk management, quality processes, regulatory and industry-mandated compliance and corporate governance initiatives. MetricStream also serves several million compliance professionals worldwide via the www.ComplianceOnline.com portal. MetricStream is headquartered in Palo Alto, California and can be reached at www.metricstream.com