Five Simple Points for Preparing for Reliability Compliance Audits
- December 14, 2016
Does your utility go through North American Electric Reliability Corp. (NERC) reliability compliance audits? Do you or your colleagues put in significant hours to prepare for one of these NERC reliability compliance audits? If you answered yes to one of those questions, this article will be of significant help in preparing you for your next reliability compliance audit. Most importantly, these recommendations will help put time back into your work week and get you on the path to getting through a compliance audit without losing (too much) sleep.
The Reliability Compliance World
For the past 9 years, utilities with bulk electric system assets have been subject to mandatory and enforceable NERC Reliability Standards. If you are a part of this professional world, you already know the challenges posed by the dynamic nature of the reliability compliance world: nothing is static and the audit approaches seem to change on a weekly basis. With the recent implementation of the Critical Infrastructure Protection (CIP) Version 5 standards, FERC, NERC, and the eight regional US entities have illustrated that this trend is likely to continue. Additionally, NERC and the regional entities have fully implemented the risk-based framework, which has customized the regional approach to reliability compliance monitoring. This somewhat new and continually evolving process has changed the overall reliability compliance regulation for some utilities. The inevitable change pertaining to reliability compliance regulation has prompted utilities to change their internal approach to reliability compliance—and rightfully so.
With all of this change, it is easy to overlook the one thing that hasn’t changed much at all: the reliability compliance audit engagement. Navigant Consulting, Inc. (Navigant) has noticed that the look and feel of an audit are typically the same: the audit time period, audit notices, audit data requests, and the audit process itself. Interviews are still commonplace for standards pertaining to vegetation management, relay maintenance, cybersecurity, etc. Apart from the inclusion of some controls-based questions, audit questions haven’t changed much at all. So, change continues to be the norm within the reliability compliance regime and, accordingly, utilities must adapt and change internal processes to account for it. However, in this article, we want to remind you that the fundamentals underlying the compliance monitoring process have not changed. Thus, you can implement several practices to plan for and manage the most important regulatory oversight process that hasn’t changed much: the reliability compliance audit engagement.
Five Things to Remember
- Don’t lose sight of the obvious: Continuously manage the Reliability Standard Audit Worksheets (RSAWs) for medium to high risk standards. In the new risk-based regime, the regional entities conduct an inherent risk assessment (IRA) that, from a risk perspective, scopes the risk elements and identifies the standards that will be audited and/or monitored. The annual, actively monitored list of standards is gone. In its place, the regional entities craft a compliance oversight plan (COP) specific to your characteristics (i.e., risks), which includes the individualized monitoring plan for each utility. The results of the IRA and COP, which are given to each utility, include the list of standards that the regional entity will monitor (as well as the monitoring type).
To use an analogy from college, the professor (the regional entity) is essentially giving the student (the utility) the exact areas that it will be testing (auditing) on. Students (utilities) know the areas before the class (audit engagement) even starts. Thus, while complete neglect of all other reliability compliance standards is not advisable, utilities must keep a strong focus on the standards that will be on the test. Keep your RSAW updated and be ready for the current test: the upcoming audit.
Navigant has seen companies continuously manage their RSAW, updating it when business processes change, updating it when the requirements or audit approaches change, updating it to facilitate an annual self-assessment, etc. As a best practice, continuous RSAW management typically entails a collaborative approach between the standard owner, subject matter expert (SME) owner, and the regulatory compliance department. This customized, risk-based approach to preparation will save utilities time by enabling them to focus on the areas that really matter.
- Don’t lose your support: Continuously review and refresh evidence for the key standards. Each RSAW will have associated evidence attached. Using the focused approach recommended above, utilities should establish a process to consistently update evidence at a set frequency (e.g., quarterly, semiannually, or annually). A best practice here is periodic collaboration between compliance staff and SMEs to ensure required evidence is being collected at the predetermined frequency. Once the audit engagement begins, a strong process will result in a simple roll-up of all compliance evidence. This will save a significant amount of time compared to scrambling to compile all evidence for a 3-year or 6-year audit period a few months prior to the reliability compliance audit.
- Don’t do it alone: Appoint backup SMEs through formal succession plans. Knowledge management is one of the most important aspects of any organization, yet the utility industry does not generally adhere to formal knowledge management practices. Moreover, the aging workforce is a risk factor in this industry: each year a good number of knowledgeable, highly experienced utility experts leave their companies. This exposes utilities to risk, particularly in the reliability compliance audit arena. The proactive best practice to mitigate this risk is to nominate a backup SME for each standard who is trained to be an expert in both the standard area and the audit process itself. In addition, this backup should be given formal interview training to ensure he or she is ready for the engagement in case the primary SME is not available. Lastly, this individual will be trained to become the primary SME in the future. This will create a more effective and efficient audit.
- Don’t forget about controls: Identify, document, and continuously improve internal controls. The new risk-based initiative includes a voluntary process called the internal controls evaluation (ICE). The ICE is essentially an evaluation, by the regional entity, of the utilities’ internal controls that support compliance with the reliability standards. As one of the founders of this process, I know that NERC and the Regional Entities aimed to create an incentive structure for utilities to focus on process improvement and not just “check the box” compliance. If a utility proves to the Regional Entity that it has strong internal controls, the degree of monitoring and overall regulation will be significantly reduced. While this is currently voluntary, the trend in the industry is that controls-based auditing is the future, especially given the NERC and regional focus on reliability versus compliance. At workshops such as the Western Electricity Coordinating Council’s (WECC’s) Compliance Workshop in Scottsdale, Arizona, utilities have indicated that one of the biggest changes to their audit was that auditors were asking controls-based questions.
Lastly, utilities that have taken the time to document internal controls have received favorable feedback from regional audit teams. Thus, Navigant recommends that utilities should identify, document, evaluate, and continuously improve their internal controls. Further, if you choose not to do the formal, regional ICE process, we recommend noting your internal controls as part of your RSAW that could be shared with auditors during the regional audit. This will help with the compliance documentation and could reduce the overall monitoring and/or regulation the Regional Entity conducts on your utility.
- Don’t forget to validate: Conduct annual, independent internal audits for medium to high risk standards. This defense-in-depth governance approach ensures that all such standards are reviewed from an independent standpoint each year. This can be done by the compliance department, an internal audit department, or an independent third party. The audit should consist of an RSAW review, an evidence review, and a compliance validation, depending on the standard requirements. Most importantly, the internal audit should render actionable recommendations to improve the overall compliance posture and test your processes for dealing with the audit. This will improve the effectiveness of your audit preparation and will save you a significant amount of time while preparing for the regional audit engagement.
Change Is the Norm: Plan Ahead
As the creator of many of the compliance processes and the former director of Compliance Risk Analysis and Enforcement at WECC, it is clear to me that change has been a significant part of this regime from the beginning. More change is inevitable. There will be new standards, which will necessitate new processes. Industry, NERC, and FERC will modify or retire existing standards and you will have to adapt again. The key is to focus on what you can control. In this case, the reliability compliance audit is the most important aspect of this regime. The good news is that utilities can establish processes and internal controls to manage it.
From 2008 to 2015, I saw the effects of establishing good processes around the audit engagement. At Navigant, I am able to help utilities prepare for audits. It is this experience that gives me confidence to state the following: establishing strong processes around managing the reliability compliance audit and its associated activities will help your utility be more effective and efficient.
Perhaps the best way to put it is this: ask your compliance staff and associated SMEs if they would like to avoid working nights and weekends in reactively preparing for an audit. If the answer is yes, you should make the development of strong audit preparatory processes a priority next year and get on the path to a successful audit.