Utility NERC Compliance Programs Challenged by NERC’s New Risk-Based Approach
If compliance with the North American Reliability Corporation (NERC) Reliability Standards weren’t complex enough, registered utilities must also factor in the regulatory nuances of the bulk power system’s (BPS) eight Regional Entities (REs), even as NERC introduces new risk management expectations. While there is plenty of regulatory – and physical – overlap amongst the eight REs, it is essential for utilities to understand where they fit in the puzzle.
Clear away the fog and one fact comes into view: solid record keeping and document management are central to meeting NERC’s evolving risk-based approach to compliance monitoring and enforcement.
NERC’s Risk-Based Registration Initiative
Much has changed since NERC launched its Risk-Based Registration (RBR) initiative in 2014 and phased it in over the following two years. The vast majority of its final requirements became effective in 2016. RBR was designed to streamline the approach to identifying and evaluating risks to reliability throughout the Electric Reliability Organization (ERO) Enterprise, and NERC has pledged to continue working with the REs throughout 2016 and beyond to monitor the effects of the new RBR approach and to assess any potential impact of RBR on other ongoing risk-based Compliance Monitoring and Enforcement Program (CMEP) activities. In addition, NERC and the REs will determine whether other processes can be streamlined.
Risk Management Capabilities: Time to Reassess?
The new NERC RBR landscape also means registered entities should examine their own compliance programs to make certain they know how to assess, track, and mitigate risk with effective controls that meet internal objectives and comply with regulations. Managing the details of the activities, and the relationships between those activities, in a solid compliance plan is key to success.
Broadly speaking, NERC’s ERO Enterprise Risk-Based Oversight Framework (Framework) focuses on identifying, prioritizing, and addressing risks to the BPS, which in turn enables each Compliance Enforcement Authority (CEA) to focus resources in the appropriate place. REs are responsible for tailoring the monitoring of registered entities using this Framework. Because reliability risk is not the same for all registered entities, the Framework examines BPS-wide risks – as well as an individual registered entity’s risk – to determine the most effective CMEP tool to use when monitoring a registered entity’s compliance with the NERC Reliability Standards.
To develop a comprehensive risk-based compliance program, registered entities should focus their efforts on understanding the Framework and its approach. The Framework identifies and prioritizes continent-wide risks based on each risk’s potential to impact the reliability of the BPS and the likelihood that it will occur.
The ERO Enterprise Implementation Plan contains the ERO Enterprise risk elements, which in turn provide guidance to the REs in preparing their own Implementation Plans. Further, REs are expected to consider local risks and the specific circumstances of individual registered entities within their regulatory territory.
How NERC Categorizes Risk: A Closer Look
After risk elements and associated areas of focus are identified and prioritized, NERC uses an Inherent Risk Assessment (IRA) to review the potential risks an individual registered entity poses to the reliability of the overall BPS. An IRA considers a number of factors, including assets, systems, geography, interconnectivity, prior compliance history, and the entity’s overall composition.
Ultimately, the RE determines the type and frequency of the compliance monitoring tools to employ, e.g. offsite or onsite audits, spot checks, or self-certifications. The RE may modify the set of core NERC Reliability Standards it monitors or pursue compliance assurance through other monitoring considerations. The determination of the appropriate CMEP tools will be adjusted, as needed, within a given implementation year.
Software Automation Eases Risk Management and NERC Compliance Efforts
Let’s not forget why these constantly evolving and stringent standards exist – to protect the grid and prevent disruptions like the cyberattack on the Ukraine electric grid. As it becomes increasingly difficult to maintain compliance with evolving NERC standards, the industry is turning towards automated compliance management systems. To ease the burden, energy and utilities providers are using single, flexible automated NERC compliance management platforms like AssurX to consistently manage operations, coordinate and track compliance activities, identify risks, and demonstrate compliance.