Internal controls to ensure NERC Compliance
Since 2007, the utility industry has been working to improve its compliance programs based on guidance from NERC and the regional entities, as well as lessons learned through audits. NERC has also been on a learning curve and is in the process of defining a Reliability Assurance Initiative (RAI). The key element of the RAI is internal controls. A simplified diagram of a typical NERC Compliance Program is shown in Figure 1.
Most companies’ internal compliance programs do a reasonable job of addressing three of the four items. Many of those programs took their cue from FERC’s Policy Statement on Enforcement, which laid out a series of questions to guide companies on how to address the basics of establishing a “robust” internal compliance program.
Risk assessment is included to ensure the company stays focused on identifying risks to achieving and maintaining compliance, and to sustain ongoing process management. Significant risks must be identified and appropriately mitigated. Such an assessment may be triggered by one or more of the following:
- New or revised standards
- New or revised agreements
- New or repeat excursions
- New or revised processes
- Major new technology
One of the compliance team’s main duties is to closely monitor the performance of the implemented alternative after the fact, until the team is confident the risk has been mitigated.
Information and communication
Information and communication are addressed on several fronts in FERC’s Policy Statement on Enforcement. Important among these are:
- Periodic reminders from senior management on the importance of compliance within the company
- Routine awareness education
- New employee orientation to compliance program
- Procedures for reporting excursions
- Notice of audits and/or spot checks to affected operational organizations
- Internal training
- Procedures for responding to specific inquiries and release of generation information
Culture of compliance
Culture of compliance speaks to the value the company places on encouraging individuals to report excursions and lapses in compliance without fear of retribution. To this end, companies have put processes in place to ensure excursions are reported, fairly evaluated, and escalated as needed through appropriate channels. Emphasis is placed on the creation of an independent oversight team that reports directly to the highest levels of senior management, thus ensuring accountability at the highest level of the company.
Internal controls is a topic that most believe has been reasonably addressed in their programs. But in the real world, as self-certifications and audits arise, we find our internal controls don’t work as well as they should. More often than not we find ourselves in a pants-on-fire mode trying to locate evidence and mobilize for the audit. NERC has recently published some suggestions for elements of a compliance program, which will include internal controls that put less emphasis on audits and more emphasis on reliability.
Internal controls are a key element of the RAI. The RAI affirms that audits will continue to be scheduled, but the actual audit date may not be announced until 90 days prior to the audit date. Furthermore, the audit may not be scheduled at a regular periodicity (e.g., every three years). Instead, regional entities will be called upon to use a risk-based approach to determine who will be audited each year. This could result in a high-risk entity being audited as frequently as once a year. If this occurs, entities will need to notch up their programs to ensure they are compliant all of the time for all of the requirements. Additional staffing and more effective tools will become a necessity to perform the additional monitoring required to cover all the requirements. Depending on registration, monitoring tasks performed on a continuing basis by a compliance monitor might include:
- Listening to operator wav files
- Verifying inspection and testing schedules have been met
- Verifying evidence of compliance associated with activities and events has been retained
- Verifying training schedules have been followed and evidence of training exists
- Verifying reports have been transmitted and evidence of such retained
Activities we purposely did not include as monitoring tasks are those associated with creating or storing the compliance evidence. Why is that? Think about it. If a compliance monitor is also charged with creating and handling evidence, who’s going to monitor what the compliance monitor is doing?
So where does this leave us? The utility of the future will need to have a compliance program in place, which assures reliability standards are being met on a continuous basis. NERC has indicated that an entity demonstrating effective internal controls will lower its risk factor when it comes time for the regional entity to determine who gets audited next year.
Federal Energy Regulatory Commission (FERC), “Policy Statement on Enforcement”, Docket No. PL06-1-000, issued October 20, 2005, pages 9-13.