Constellation Energy Builds a Strong Governance, Risk and Compliance (GRC) Foundation
Constellation Energy, headquartered in Baltimore, Maryland, USA, generates, manages and supplies energy for customers across the nation. The Fortune 500 Company serves some of the largest commercial, industrial and public sector power and gas users, in addition to small business and residential communities. The company is also a leading advocate for clean, environmentally sustainable energy sources such as solar and nuclear energy.
The Client: Constellation Energy
Constellation’s competitive business is a leading supplier of innovative energy products and solutions to wholesale and retail electric and gas customers, including over 1,000,000 residential electric and natural gas customers across the nation. Constellation Generation Group owns approximately 11,751 megawatts of low-cost, efficient generating capacity throughout the country, including through a majority interest in a nuclear energy joint venture.
Baltimore Gas and Electric is a regulated utility providing transmission and distribution services for more than 1.2 million electricity customers and 650,000 natural gas customers in Central Maryland.
Today, the energy industry is under tremendous pressure to comply with a myriad of regulations ranging from state and federal agencies to various industry groups including FERC, NERC, NRC, NIST, OSHA and EPA. These regulations are continuously evolving, thereby requiring companies to build sustainable compliance management programs. Compliance can no longer be a one-time event, but must be an ongoing effort.
Robust strategies for risk, audit, and compliance are necessary controls against deficiencies in corporate governance and inefficiencies in operational and financial processes. These controls safeguard the company’s assets, reputation, and ultimately, the interest of shareholders. However, most risk and compliance strategies are managed through isolated, manual processes and systems. This raises capital and operating costs related to system infrastructure, duplicates efforts across the enterprise, and deflects resources away from key business initiatives.
An integrated GRC approach helps to achieve sustainable compliance programs by facilitating the efficient use of risk information captured throughout the organization in strategic decision-making. Ensuring the use of consistent terminology and methodologies across departments encourages a risk-focused corporate culture. Furthermore, the integrated approach provides a comprehensive view of the organization’s overall risk profile, and assures senior management of the effectiveness of the internal control environment and the risk framework structure.
With integrity, environmental responsibility, customer commitment, and safety as some of its core values, Constellation Energy places high standards on regulatory compliance and integrated risk management.
The company has three main businesses, and over 10,000 full-time employees and contractors. To streamline risk and compliance processes across these entities, the energy company transitioned from a siloed, operational structure to an integrated GRC model. The company established a standardized risk framework and holistic enterprise risk management approach to ensure managed and sustainable growth. A centralized GRC platform was leveraged for better decision making where all GRC initiatives and information are unified, managed, and shared across all business units and functional areas.
Constellation Energy was determined that its GRC system implementation would not merely be a one-time project about demonstrating compliance to regulators but rather the establishment of a robust program consisting of continuous, sustainable and repeatable processes. The company wanted to establish a world-class strategic risk management framework built on the principles of proactive management, transparency, business accountability and integrity. Such a framework would not only ensure sustainable compliance with various regulations, but it would also provide insights for strategic decision making.
To achieve this goal, Constellation Energy created a top-down and bottom-up approach to risk and compliance management. The company strived to not only develop a consistent risk vocabulary, risk monitoring and standard risk reporting but to also facilitate risk and control self assessments across the enterprise. Furthermore, Constellation established a strong communication and education program for employees encouraging them to be more responsible and accountable for risk management and helping them understand how their risks aggregate into a corporate perspective.
Constellation Energy conducted a detailed analysis of industry options and selected MetricStream as the preferred GRC solutions provider. The basis of the selection was MetricStream’s integrated single platform and its broad range of solutions enabling Constellation to harmonize its GRC processes across the enterprise and to achieve its vision of implementing a robust strategic risk management program.
MetricStream delivered a comprehensive set of solutions on a common platform, including enterprise risk management, legal and regulatory compliance, NERC and SOX compliance, business continuity management, action plan management and remediation, and policy/document management. The platform can be extended to meet the company’s future GRC requirements, such as managing new compliance regulations, risks and audits. Extensions of the GRC framework have little end-user impact: creating additional functionality within the application is mostly a collaboration between IT and MetricStream resources, and users do not have to undergo additional training because the extended functionality follows the same application structure they already use.
MetricStream Integrated GRC Platform: MetricStream Solutions are based on the MetricStream GRC Platform, a Web-based comprehensive application enabling end-to-end process automation and collaboration between various groups, centralized libraries and an integrated approach to GRC. The platform supports Constellation Energy’s organizational model across all business units and departments, as well as their mapping to different roles and reporting relationships.
Users have role-based access to the GRC platform. These roles dictate what users are able to view and act upon in the system, for example initiating actions, responding to events, managing and assigning tasks, and viewing reports and dashboards. The system also triggers email-based notifications and alerts to the appropriate personnel to notify them of events and assignments.
Enterprise risk management: MetricStream Enterprise Risk Management (ERM) Solution helps Constellation Energy identify, assess, quantify, monitor and manage risks from across the enterprise in an integrated manner.
Constellation internally customized the framework to meet its specific business needs while embedding industry best practices defined through COSO, Basel, and OCEG standards.
Data is consolidated in a structured library comprising relevant business processes, risks and their corresponding controls, self-assessments by business units and functions, key risk indicators, events such as losses and near-misses, issues and remediation plans. Risks are highlighted depending on their probability or their impact on earnings, economic value and reputation. This data then rolls up to senior management, where the risks are prioritized. Based upon this evaluation, senior management assigns ownership of these priority risks and undertakes initiatives to optimize them. The MetricStream solution empowers Constellation to institutionalize its Risk and Control Self-Assessment (RCSA) methodology, which supports the philosophy of individuals across the company taking accountability for the management of the risks most closely aligned with their daily responsibilities.
Compliance management: MetricStream offers a comprehensive and integrated Compliance and Issue Management solution. It equips Constellation Energy with the technology to ensure continuous compliance with various regulatory requirements, while lowering the associated costs.
The underlying data model is architected to accommodate many-to-many modeling requirements. This centralized repository of information enables users to quickly search for and access information. It also helps managers structure the information in an organized hierarchy, beginning with each compliance regulation, and moving down to their respective requirements, standards and controls. This framework helps improve the efficiency of searching for controls, and coordinating control-based activities, enterprise wide. Furthermore, the document management functionality enables version control. This ensures that changes are efficiently managed.
Managers are free to configure compliance workflows to suit their management of regulatory requirements and controls, as well as various processes such as report creation, feedback approval and assimilation, and version control. An integrated Issue Management module captures all violation issues and monitors remediation plans.
SOX compliance: MetricStream enables Constellation Energy to streamline its Sarbanes-Oxley (SOX) compliance. The solution allows the creation of a comprehensive controls database, consolidates financial reporting risks for SOX 404 annual testing, facilitates control testing and evaluation, and simplifies issue management and workflow management. Furthermore, MetricStream automates work plans, control confirmation, executive sub-certification and management of control testing, and partially automates the scoping risk assessment. Any issues that arise are immediately routed to the MetricStream Issue Management module for investigation and remediation. Automated alerts keep the process on track and ensure that each issue is resolved and closed.
Multiple procedures for control assessments and certifications, which affirm the strength of internal controls and adherence to policies, are supported within the solution. It harmonizes all control frameworks into a centralized library, enabling users across SOX and other control functions, such as Audit and Risk Management to share controls and results of control assessments. This prevents duplication of assessments and hence improves cost-effectiveness and efficiency.
Legal compliance: MetricStream Compliance Solution is leveraged by the Legal and Regulatory Compliance team to efficiently streamline compliance management, and establish a proactive and ongoing process of compliance. The Legal and Regulatory Compliance team uses MetricStream solution for the creation and distribution of online compliance surveys for employees to certify that they are complying with specific standards. The results are automatically collected and stored in a central repository for easy access, attestation tracking and retrieval.
Audit management: MetricStream Solution will permit the Corporate/Internal and Environmental audit management teams to efficiently collaborate, plan, schedule and conduct audits. The solution will facilitate audit and risk information sharing among peers and audit stakeholders. It will also enable Constellation Energy to efficiently manage resources, track budgets and configure audit profiles. The Audit Management Module contains innovative capabilities to improve auditor performance by conducting multiple audit tasks simultaneously, collaborating on reviews, getting fieldwork approvals and delegating tasks. Furthermore, reporting capabilities will track each audit from initiation to closure, giving managers real-time visibility.
Why the Company Selected MetricStream
Constellation chose the MetricStream platform and solution because it offers:
A unified approach and an integrated solution to meet strategic objectives, as well as regulatory and compliance requirements
An easy replacement for existing ERM, compliance and audit solutions
A centralized data repository for housing policies, certifications, risk and control assessments, compliance requirements and all other documentation for easy review and reference
The ability to handle specific requirements for an ERM framework, risk terminology, consistency, ranking methodology and more
The security of electronic records, as well as time-stamped audit trails, role-based access controls, electronic signatures and password management
The ability to support large leading organizations, and meet their IT requirements in the areas of integration, configurability, scalability and security
A broad set of solutions on a Web-based platform with capabilities to map its offering to governance, risk, compliance, and quality processes within the company
Key services such as workflows, configurable forms, collaboration, real-time exception tracking, email alerts and notifications, reports, executive dashboards, and secure access control
Ultimately, Constellation’s strategic management approach fosters a culture of greater risk awareness and incorporates strategic risk management into management decision-making while simultaneously ensuring compliance with industry and corporate standards. The strategic risk management approach and the GRC system initiatives benefit Constellation Energy by:
Creating an overarching risk framework and a standard set of risk categories and hierarchies that can be aggregated, assessed and ranked to formulate corporate-level priority risks
Enabling business units to identify, evaluate and report risks and control effectiveness across the organization in a single integrated platform
Ensuring common methodology for business process review, risk assessment, control effectiveness assessment and key performance indicator analysis
Developing standardized risk and control vocabulary within the tool to ensure a cohesive approach in support of business decision-making and reporting to senior management
Through this initiative, MetricStream presented the avenue for Constellation to incorporate best practices from across the industry into functional processes. Before the implementation, the company faced the following challenges:
Lack of common terminology for risk and controls: Prior to the implementation of the GRC platform, each business unit used its own terminology and process to define and assess risks and controls. The lack of a common risk framework, definitions and rating methodology did not provide a unified perspective on risk. As a result, risk evaluation across the enterprise was disjointed, which in turn hindered data aggregation and consistent reporting to senior management.
Ad hoc compliance initiatives: Constellation Energy is subject to multiple compliance requirements, including SOX, NERC, FERC, and other Legal and Regulatory mandates. Compliance with each of these regulations was managed independently by each department. There was no common platform unifying the processes or associated controls. Consequently, controls and other related efforts were sometimes unnecessarily duplicated across the enterprise.
Difficulty in enterprise-wide auditing: Risk-based auditing was difficult because risks were not centrally managed. Furthermore, coordination of resources was handled inefficiently through complex spreadsheets, which added to the time and effort required to execute audits. Because the highest business-identified risks were not linked to their end-to-end processes and the associated control deficiencies, it was difficult to prioritize activities in the audit plan.
Siloed systems: Historically, each department developed its own solutions to meet its individual requirements. The result was isolated solutions that made it difficult to track the enterprise-wide status at any given time. Operational risks, vulnerabilities, and mitigations were tracked in one system; financial and SOX risks and controls in another; and audits in a third. The compliance team managed its own set of applications, as did the risk team. This siloed approach hampered visibility into risks and controls, and their relation to business processes. It also resulted in inconsistent standards and redundancy of risk and compliance management efforts, not to mention duplicate costs. Spreadsheets and email were used to track and monitor compliance, as well as to assess risks and controls within departments. These tools required a large amount of coordination and involved laborious processes that heightened the risk of manual reconciliation errors.
Insufficient reporting capabilities: Without unified reporting, managers had difficulty in compiling the required information quickly in the desired format. It was also challenging to merge large sets of data on processes, risks and controls at various levels of granularity to provide value-added information to various stakeholders.
The system implementation has led to the following capabilities and benefits:
Automation of risk and compliance workflows:
Automated workflows on the MetricStream integrated platform free Constellation Energy from the extensive use of spreadsheets and other manual tools. MetricStream Solution also has capabilities to enhance IT risk management and business continuity by automating risk assessment workflows for applications, infrastructure, and disaster recovery and cyber security. This dramatically increases efficiency, shortens completion periods, reduces coordination efforts, and diminishes errors and possibilities of duplicate efforts.
MetricStream Solution helps consolidate various data, including processes, risks, controls, tests and action plans, into a central library. This information is aggregated via the common library across standardized business units, functions, and processes. The latest information is made available across the organization, increasing management’s visibility to assess risk and control activities, reuse existing sets of controls, avoid duplication of assessments, and decide whether to enhance controls or accept current risk levels.
Centralized, sustainable risk management:
MetricStream GRC platform provides a centralized framework for risk management, thus eliminating the need for multiple systems and lowering maintenance costs. It has enabled Constellation Energy to eliminate four redundant risk systems, hundreds of spreadsheets and multiple content management sites. These tools have been replaced with MetricStream’s suite of modules, including Risk Management, Compliance Management, Issue and Action Plan Management, Audit Management and Document Management.
Improved risk framework:
MetricStream Solution supports the implementation of a unified rating methodology to measure and document risk impacts, categorized by risk type: Liquidity, Market, Credit, Operational, Environmental, Business, Strategic and Reputational. Using the risk assessment data, the organization is able to determine whether controls are adequate or whether risks can be accepted. The solution also enables Constellation Energy to discover incidents and issues, resolve them quickly and efficiently manage loss event data.
Creation of a strong risk culture:
MetricStream Solution helps Constellation Energy establish an enterprise-wide risk-focused culture through a top-down and bottom-up approach to risk identification and management. It also helps educate individuals on understanding risks, and taking responsibility to maintain them at acceptable levels. Being built on a centralized platform, the solution creates the structure required for Constellation Energy to identify risks in any area, and map them back to each business process. It also delivers risk assessment results in real-time, providing managers the ability to review activities for the completeness of risk identification, and the efficacy of plans to enhance controls or accept risks.
Decreased costs of regulatory compliance:
With automated and streamlined compliance activities, quality time and resources can focus on high risk areas. For example, MetricStream Solution enables compliance training that manages registration, remote participation, feedback and course material. Employees are able to respond directly to training through the system. Therefore, compliance coordinators can easily track and report on the status of employee training, without resorting to manual tracking measures.
Enhanced audit management:
MetricStream Audit Management Solution will strengthen the organization’s audit processes by streamlining audit planning, scheduling and execution, and improving the efficiency of resource management and document management. The company can rely on audits to embed a strong risk culture across the enterprise. For instance, self-identified control deficiencies may not be penalized, and risk ratings can be based on residual risk levels.
Strengthened compliance controls:
MetricStream Solution helps the organization create a comprehensive database of financial controls. It also consolidates financial reporting risks for SOX 404 testing, partially automates the scoping of risk assessment, facilitates and certifies control testing and evaluation, simplifies issue management and streamlines workflow management. Consequently, the company can ensure consistent SOX compliance.