The Client: A Premier Electricity and Natural Gas Distribution Company
The NERC reliability mandates consist of 14 broad standards, each of which contains multiple specific requirements, resulting in 94 mandatory reliability standards. Complying with each of these standards in multiple departments across the enterprise is a Herculean task. Compounding the challenge are the growing incidence of security threats, diminishing budgets, accelerating changes in the NERC environment and increasing pressure from NERC to demonstrate compliance. Non-compliance can result in hefty fines, and severely damage one’s reputation.
In this complex environment, the company found that its traditional approach to managing NERC compliance was no longer adequate. Manual and ad hoc compliance and audit processes were producing an unmanageable array of cumbersome spreadsheets, and were limiting visibility into compliance at an enterprise level. Moreover, the company’s existing systems were unable to adapt to the demands of evolving NERC standards and requirements. Therefore, the company decided to implement a new system that could automate the entire compliance process, streamline it, and improve the efficiency, consistency and reliability of its NERC compliance initiatives, while scaling up to address future GRC demands as well.
The system was required to accommodate disparate or departmentally unique requirements and interests while also providing a unified and comprehensive view of the overall compliance health, efficacy and performance within the organization.
With the aim of achieving sustainable compliance, the company decided to implement an integrated NERC compliance management solution which could leverage the existing control-focused approach / internal control framework, integrate issue management and automate action items/ task management. After considering several vendors, the company selected MetricStream NERC Compliance Management Solution based on its extensive features, scalability of the underlying GRC platform and role-based functionality, as well as its flexibility to adapt to changing compliance demands and regulatory requirements.
MetricStream NERC Compliance Management Solution has built-in Document Management, Issue Management and Action Item / Task Management modules, and is based on the MetricStream GRC platform.
NERC Compliance Management: MetricStream NERC Compliance Management Solution provided the company with an integrated and automated approach to NERC compliance management. The solution is preloaded with all NERC standards and requirements, and automatically alerts users to NERC updates. New requirements are automatically imported, giving users the flexibility to assess and accept relevant requirements and store them in a central library. Gaps in the compliance program are automatically highlighted.
The solution provides a centralized framework to manage all NERC standards, requirements, associated processes, assets, controls, RSAW templates, policies and procedures, certification and reporting requirements, and filing templates and schedules. Standard role-based dashboards, reports, best-practice templates and workflows can be leveraged by various users such as compliance assurance managers, process owners, task managers, task owners, subject matter experts and testers.
The solution also monitors the progress of NERC CIP version migration from V2 to V3 to V4. It provides the capability to store various versions of NERC standards and requirements, facilitate migration into new versions, and enable users to track the progress.
With the MetricStream solution, the company is easily able to structure a logical internal control framework, beginning with each NERC standard and extending down to the associated sub-standard, requirement, control and control test. This organized framework helps streamline compliance activities, make quick associations between controls and regulations, and simplify the tracking of control-based activities across the enterprise.
Control assessments and testing are facilitated using predefined criteria and checklists. The solution also supports the preparation of NERC RSAWs (Reliability Standard Audit Worksheets) to evaluate, tabulate, review and report evidence of compliance with NERC regulations. The RSAW worksheets provide a logical structure for compliance reporting, as well as for describing and substantiating compliance measures.
NERC Reporting and Documentation: The MetricStream solution ensures both accountability and visibility. It enables compliance activities to be conducted independently by each process owner, while consolidating information back upstream so that the NERC Compliance Group gains visibility into the various compliance programs and areas at an enterprise level. Powerful compliance dashboards and heat maps compile data in real time, and highlight issues and vulnerabilities that need to be addressed.
The solution has hundreds of pre-built reports and analytical views highlighting compliance status, gaps, available controls, pending issues and tasks, responsible users and potential risks. Reports are available by asset, program area, department, user and other required parameters.
Document Management: The MetricStream solution’s built-in content / document management module enables the company to adopt an electronic and automated approach to document management across the enterprise. This Web-based system provides a central repository to store and organize documents. Integrated collaboration and workflow tools are available to access, create, modify, review, and approve documents globally in a controlled manner. The powerful analytics and reporting capability with graphical dashboards helps track each document from origin to obsolescence.
As each document is updated and routed for review, approval and certification, the MetricStream solution provides complete visibility into the status of the document at each stage. It also sends automatic alerts to the appropriate personnel when it is their turn to review or approve the document.
Action Item / Task Management: The MetricStream solution streamlines and automates the tracking of action items and tasks related to compliance, controls, issues and remediation. The solution automatically assigns and escalates tasks to the relevant users. These tasks range from documenting information about new compliance requirements, controls and issues, to assigning ownership and responsibility for the controls, to providing automatic alerts for task implementation, to resolving issues that arise. The solution also helps implement specific follow-up tasks to track, escalate and confirm when tasks are completed.
Issue and Remediation Management: Issues and exceptions that pose a risk of NERC noncompliance are immediately routed to the MetricStream Issue Management module where a systematic mechanism of investigation and remediation is triggered by the underlying workflow and collaboration engine. Simultaneously, automatic alerts and notifications are sent to the appropriate personnel in the company.
The exception cases remain open until the action plan is carried out and the results are verified for effectiveness. At every stage, the company’s managers are able to track the status of issues and ensure that they are closed.
GRC Platform: MetricStream NERC Compliance Management Solution is based on the MetricStream GRC platform, which provides a centralized, integrated framework and collaboration capabilities to give users and management a single, seamless system for managing regulatory and compliance-related processes, issues, and data.
The platform provides key services such as configurable forms, real-time exception tracking, email alerts and notifications, reporting, executive dashboards, business intelligence, analytics, and secure access control. Silo-based activities are eliminated in favour of seamless collaboration and coordination, while end-to-end workflows are streamlined and automated.
Heightened regulatory pressure: As NERC regulations continually evolve, the electric utility company found it increasingly difficult to manage and demonstrate compliance from a process, administrative and technological perspective. The number of regulatory requirements was increasing across various standards, and every NERC sufficiency review program recommended additional approaches or methodologies to be implemented. For instance, to identify critical assets, a risk-based assessment methodology had to be employed.
The company wanted to adopt a control-based approach for better compliance, assign responsibilities, schedule, automate and enforce tasks to demonstrate compliance, and introduce escalation mechanisms if task deadlines were missed. However, the level of effort required to manage and monitor these activities was high.
Users needed to manually monitor updates on standards and new requirements published on the NERC website, interpret NERC alerts, determine which requirements should be included in the compliance program, identify affected entities and responsible owners, and initiate processes to identify and mitigate gaps in the compliance program.
Limited efficiency: The NERC compliance group used various manual tools such as spreadsheets to create, manage and assess controls, and monitor the status of compliance activities across the enterprise. This proved to be an effort-intensive and time-consuming activity, requiring significant manpower, resources and costs. It also prevented top management from gaining a real-time view into compliance processes at an enterprise level. Managers had to wait for data to be painstakingly compiled from various reports across departments before they could examine the status of controls and risks. To top it off, the threat of errors associated with manual data entry was ever-present.
Record Keeping Challenges / Extensive documentation: Document management is critical for effective compliance. The company had to maintain substantial amounts of documentation, ranging from NERC standards, to internal policies and regulations, to Reliability Standard Audit Worksheets (RSAWs) and other evidence of compliance. It became increasingly laborious and time-consuming to sift through this documentation manually, find the appropriate controls, or link controls to the corresponding compliance standards and requirements. Making matters more complex was the large number of controls that the company had to monitor – preventive, detective, administrative, technical, manual and automated.
Moreover, changes in the requirements and updates to NERC standards required storing and managing multiple versions of regulatory requirements. The company had to closely track changes and monitor gaps as its compliance program moved from one version to another.
Siloed systems: The company followed a fragmented, ad hoc approach to compliance wherein departments and business units managed their compliance activities separately. They did not have an integrated view of end-to-end processes and workflows for the various compliance programs. The lack of collaboration meant that controls and control assessments were duplicated across the organization, resulting in unnecessary expenditure of resources and costs. Besides, the point technology solutions used in these processes made it difficult to integrate data and information at an enterprise level.
Action item / Task management complexities: Compliance audits generate a number of tasks that must be assigned to the right employees and tracked throughout the organization. These tasks range from assessing and monitoring controls, to managing documentation, to identifying and resolving issues as soon as they occur. Without an integrated and automated task management system, the company was unable to effectively manage and schedule tasks, manage resource requirements, establish standardized escalation mechanisms and maintain a sustainable compliance program.
The company also found it difficult to identify and track control-related issues at an enterprise level. Issues were usually managed in independent silos, and little, if any, information about them was shared with other departments. This prevented the company from ensuring efficient, closed-loop compliance and issue management processes.
The MetricStream solution provides a framework for compliance oversight and efficiency by automating the management, measurement, remediation and reporting of regulatory and policy compliance activities.
The MetricStream solution improves transparency, process efficiency, productivity and the overall compliance risk profile.
The MetricStream solution contains out-of-the-box capabilities such as pre-defined best-practice templates and role-based dashboards. This enables the solution to be implemented quickly.
MetricStream integrates the full spectrum of compliance processes while aligning compliance with business strategy.
The MetricStream solution is equipped with rich, out-of-the-box capabilities to efficiently address all compliance demands.
MetricStream ensures the security of information through time-stamped audit trails, role-based access controls, electronic signatures and password management.
The MetricStream platform is flexible enough to span the entire enterprise, and extensible enough to scale up to future GRC requirements.