In part 1 of this blog series, we covered the day-to-day challenges faced by organizations (and compliance managers in particular) in meeting NERC requirements. From task management to change management to evidence collection, NERC certainly knows how to keep us busy. But compliance doesn’t have to be only a headache. Meeting all those requirements generates a tremendous amount of data, and that data is an often-unmined opportunity for adding serious business value.
Data typically delivers value when examined in aggregate. For compliance managers, that starts with looking at all of those processes and tasks at a higher level. Once your compliance engine is running smoothly, you can start assessing your activities as a whole. Your compliance management solution should make it easy to pull information like:
- How many processes and activities you have in flight
- Who is responsible for each of those processes and activities
- How many tasks each person is currently assigned and has coming up
- How many tasks are late, by person, department, requirement, or standard
- What tasks and activities are coming up
- Who has activities due in the next 1, 7, or 30 days
- Who is on vacation, and whether their tasks have been reassigned to someone else
Questions like these allow you to examine your compliance data and activities through a management lens. As a result, you can both streamline your processes and report more efficiently and accurately on your efforts as a whole. This comes in handy both for audits and for sending information up the chain internally.
Once you’ve pinned down these KPIs at a general level, you can slice and dice them further by department and facility. This process uses KPIs similar to those listed above, but at a different aggregation level. Say that Facility 1 is never late, evidence is always current, and they always keep up with policy and procedure changes. Facility 2, on the other hand, is rarely on time and struggles to stay up to date. What’s going on here?
The goal is not to go out and punish Facility 2, but rather to understand root causes. Perhaps Facility 1 has plenty of people and domain expertise, but Facility 2 is understaffed or staffed with the wrong folks. Similarly, maybe Facility 2 has 200 tasks in flight and Facility 1 only has 20; do you have a workload management issue? Or perhaps Facility 2 is doing 10 times as much work as Facility 1, but with many more late tasks and activities that need to be redone; is Facility 2 understaffed? Analyzing your compliance data can help surface problems so that you can find solutions.
You can also apply high-level metrics by standard. Perhaps you need a better understanding of how your change management processes are performing. You could pull metrics from your compliance solution such as how many change requests you performed in the last month, how many were on time, and what types of change tickets came in. The same goes for other standards. You could explore your adherence to personnel risk assessment (PRA) standards by examining how many PRAs you performed in the last month and how many are coming up this month, or the timeliness of your PRAs across the entire year.
When you analyze your compliance data at these different, higher levels, it can be helpful to think of it in three categories:
- Aggregate reports. These provide concrete numbers on what happened in the past and are useful as a baseline and for showing trends over time. For example: Show me all the change tickets. How many change tickets have I had? How many of each type of change ticket have I had?
- KPIs. Key performance indicators map the numbers from your aggregate reports to your business objectives. You may, for instance, have a goal to complete 98% of activities on time. To evaluate how well you met that goal, you can pull numbers like how many tasks were completed on time during a specific time range, how many were late, and how many are still open, and use that information to identify potential problems. We will discuss KPIs further in the next blog in this series.
- Calendaring. If aggregate reports demonstrate what happened in the past, calendar-based reports show what’s going to happen in the future. While you may not have visibility into some standards – it’s hard to know when a change ticket is coming down the pipe – you can plan for things like PRAs and RSAWs. Calendaring allows you to be proactive about your compliance management processes, which often positively influences your ability to meet your KPIs.
By upleveling the information in your compliance engine, you can gain significant insight into the overall health of your compliance programs. Looking at your data through different lenses enables you and your compliance management solution to go far beyond process and task management to start optimizing and improving your adherence across the board.
SigmaFlow is a leading provider of Process Execution solutions. The company’s NERC Compliance Solution is a real-time, evidentiary-based software solution that solves the challenges of CIP & 693 Compliance. The SigmaFlow Compliance Solution manages all documents, data, and work activities while automatically collecting and building the evidence for NERC compliance in a real-time repository. SigmaFlow products place a strong emphasis on embedding domain knowledge through a process-driven, template-based architecture. Contact us at firstname.lastname@example.org to learn more.