Are Energy and Utility Companies Ready for Risk Based Compliance?
Part 1: How the NERC Registered Entities are Preparing
As we enter into the New Year, many NERC Registered Entities are focused on their game plan to prepare and implement the “ERO Enterprise Risk-Based Compliance Monitoring and Enforcement Program.” This new program is different because it places an emphasis on the risk to the bulk power system (BPS) versus the existing oversight where the Regional Entities treat all Registered Entities equal no matter their size or risk to bulk power system.
Since the end of 2012, the ERO Enterprise and the Registered Entities have launched a multi-year effort called the Reliability Assurance Initiative (RAI). There have been multiple initiatives underway with the eight Regional Entities and some Registered Entities that have volunteered for RAI pilot programs. Lessons learned from these RAI pilot programs have been documented on the ERO websites. NERC and the regions continue to conduct outreach efforts throughout North America.
Many Registered Entities are having internal discussions on how to implement this new ERO Enterprise program. Some companies are looking internally to their compliance and risk-management departments to make recommendations for implementation. Other entities are reaching out to third party consultants to assist with their approach and implementation. The program is still voluntary and the ERO Enterprise is focused on the review of the potential risk posed by individual Registered Entities that would have the greatest impact on the reliability of the BPS.
The ERO Enterprise staff, Board of Trustees (BOT), Registered Entities, and the Reliability Issues Steering Committee (RISC) have been working to identify these key risk areas. These risks are identified and prioritized in the “ERO Enterprise Strategic Plan.”
The ERO Enterprise is using the “Risk Based Compliance Oversight Framework” to identify, prioritize and address these risks to the BPS.
AssurX, an industry leading GRC solution provider, is working closely with our energy and utility customers to address the implementation of the “ERO Enterprise Risk-Based Compliance Monitoring and Enforcement Program.” In a series of blog posts, we will be addressing Risk-Management and how having the proper Objectives, Sub-Objectives, Controls, Testing and Mitigation tools in place to successfully implement this new ERO initiative. We have customers that have taken part in the RAI pilot programs. They are working with us to enhance their risk-management and compliance programs and we want to share these lessons learned and best practices with other industry stakeholders.
On the NERC website, there are some excellent resource documents that are posted. We recommend the following documents for a good understanding of this ERO Enterprise program:
- Risk Elements Guide for Development of the 2015 CMEP IP
- ERO Enterprise Inherent Risk Assessment Guide
- ERO Enterprise Internal Control Evaluation Guide
The next area of discussion – addressing the results of the ERO Inherent Risk Assessment (IRA). We will discuss the development of internal controls with each risk including preventive, detective, and/or corrective internal controls.