Utility Industry Grapples with Larger NERC Enforcement Penalties
As we approach the sixth year of mandatory compliance with the NERC Standards, we can see that NERC and the Regions are becoming more experienced dealing with the audit findings and penalties. As shown in the last two releases of NERC enforcement actions, the non-compliance fines are larger and larger. We have seen some penalties well over $500,000 (see $725,000 and $950,000 fines, too.)
Some registered entities are leading by example, with strong compliance programs and engagement with industry. Registered entities are sharing experiences with each other in forums and workshops. They’re talking about their experience with Electric Reliability compliance software, and hiring consultants for independent reviews. A few companies have even implemented the needed internal corrective action programs (CAPA) that benefit their Find, Fix, Track and Report (FFT) initiatives.
That’s the good news!
The relative bad news is that some registered entities are still trying to do the absolute minimum for NERC compliance. There are reasons for this, including a tough economy and over-worked resources. Many Registered Entities have tried to maintain compliance with limited resources, managing through many spreadsheets, weak document control, and a lack of proper compliance participation in the industry. We are still seeing common mistakes out there that can be easily corrected. As the top Electric Reliability software provider, we see best practices that can anticipate or correct these problems. Our customers are sharing their success with other companies. Some of those successes include:
- Using document control for all compliance programs and procedures.
- Training on those documents and having proper training for subject matter experts (SMEs).
- Linking all evidence to the proper NERC and Regional standards and requirements.
- Recurring tasks to collect evidence from SMEs.
- Reporting tasks for all compliance data submittals.
- An internal issue management/corrective action program to handle mitigation plans and program enhancements.
- Periodic analyses and approvals for the SMEs and their management. Some of the best practices are internal assessments for applicable standards/requirements.
- Risk-based assessment methodology.
- Cyber Security access management.
- Asset management for maintenance and cyber security.
Registered Entities need to take a look at best practices, talk to their industry counterparts and evaluate their programs. They also need to look at strong compliance software tools, remove burdensome internal processes, and build a reliability culture that is engaged and proactive and that identifies issues before they become significant violations.