The challenge of managing NERC compliance
Take a risk-based approach to compliance monitoring
The North American Electric Reliability Corporation (NERC) is certainly not new, but the approach NERC is taking in regards to its requirements has transformed in recent years. This change was born out of the recognition that all Registered Entities have limited resources for compliance activities, and that not all issues and findings identified to represent the same level of risk to the bulk power system. Taking a risk-based approach to compliance monitoring and enforcement is intended to ensure the greatest resources are used to address the highest risks, while still identifying, correcting, and tracking lower risk issues.
The changes present challenges for almost everyone adhering to NERC, but it takes more than installing a new regulatory compliance software to follow the standards. The good news is that they aren’t impossible, and if needed, there is plenty of help to be found.
Andrew Gunter of Cential GRC recently sat down with me to answer questions about the changes (which went into effect in 2015) and trends related to NERC programs. He also shared his thoughts on what may be on the horizon as it relates to NERC in the near future.
A little background on Andrew. He is a Risk & Compliance expert specializing in the assessment and development of enterprise Risk & Compliance programs. Andrew is also a Corporate Compliance & Ethics subject matter specialist, having served as an Adjunct Professor at the University of St. Thomas School of Law. His knowledge and insight on NERC and GRC is extensive.
Q. How has NERC shifted its focus in taking a risk-based approach to compliance efforts?
In 2015, the Federal Energy Regulatory Commission (FERC) approved NERC’s Reliability Assurance Initiative (RAI), which transitioned NERC to a risk-based approach for compliance monitoring and enforcement. Under this initiative, NERC may tailor compliance oversight for any given Regional Entity to that entity’s risk profile, resulting in a in the narrower scope of reliability standards for which the entity may be audited. The narrowed scope enables a Registered Entity to focus its resources on the highest risk standards while not relieving the entity of its responsibility to maintain compliance documentation for all applicable standards.
Q. How have you seen efforts at organizations mature as they build out their NERC Compliance programs?
Traditionally, organizations have documented compliance narratives for all of their applicable NERC Requirements and maintain their documentation by drafting mock Reliability Standard Audit Worksheets (RSAWs). The NERC’s Reliability Initiative, however, has encouraged organizations to mature their compliance monitoring capability around higher risk standards by identifying, documenting, and testing controls. Utilizing this approach, organizations can identify potential issues before a reportable incident occurs.
Q. Where do you still see inefficiencies in programs as it relates to NERC?
Over the next few years I believe we can continue to see NERC mature in its articulation of risks and its expectations of Registered Entities regarding the quality and level of assurance granted through its Internal Control Evaluation (ICE) program.
Q. Any other thoughts or advice to share with readers?
Managing a NERC Compliance Program with spreadsheets, emails, and a limited workforce can be challenging and can restrict an organization’s ability to adopt a risk-based approach to compliance. Utilizing a technology solution can help your organization continue to mature by creating efficiencies, increasing your oversight capabilities, and reducing the management burden on your team.
If you are new to NERC or looking for ways to mature your existing program, view the Cential and Onspring hosted webinar for a discussion on NERC Compliance trends and requirements. Learn how Onspring can streamline your processes to reduce risk and best leverage your team’s time. You will also learn how to mature your program past NERC Compliance narratives to a Risk & Control framework.
About the author
Beth Strobel
Director at Onspring & Treasurer at Women in Security
15 years GRC experience