Excel spreadsheets are workhorses. There isn’t a business in any industry in the world that doesn’t have someone, somewhere, using Excel to track or calculate something. Some utilities insiders estimate that nearly 50% of companies subject to NERC compliance requirements use Excel to manage their NERC compliance data/activities.
Logic helps explain why such a ubiquitous tool is often used for a complicated responsibility. People are familiar and comfortable with Excel. They’ve made Excel work for other business needs; surely, they can use its smooth interface to patch together a system that can manage NERC compliance. Perhaps they started with a simple asset list in an Excel spreadsheet, and the spreadsheets and formulas organically multiplied from there.
They soon realize that Excel buckles under its own weight as they have to invest hours “managing” their Excel sheets. Furthermore, compliance teams have to graft together a variety of external tools to make up for Excel’s deficiencies:
- Email to manage communication and notifications
- Manual checklists to provide workflow guidance
- Document management folders to hold evidence and provide verifications
- Calendar tools to manage the various recurring tasks
Using these disparate tools only fragments a company’s compliance efforts.
Excel does not offer the data quality checks, validations and enforcements needed to manage compliance. A comprehensive, NERC-focused compliance tool, like SigmaFlow’s Compliance Manager, provides both process and data management through an intuitive solution that makes it easy for companies to handle their compliance obligations.
| Capability | Excel | SigmaFlow Compliance Manager |
|---|---|---|
| Real-Time Compliance Dashboard | Limited. Data sits in silos across countless spreadsheets, making centralized oversight impossible. | Integrated dashboards and reports provide comprehensive, real-time oversight into evidence collection across your organization and across all the relevant standards and requirements. 100% visibility into task schedule adherence, compliance dates at risk, and compliance dates missed. |
| Data Quality | Very Limited. Relies on error-prone human data entry, with errors that propagate through other spreadsheets due to inadequate data validation controls. | Pulls current, accurate data directly from integrated, external data sources. Manual data entry is subjected to company-defined validation rules, as well as managerial review for confirmation, where required. For example, require that all virtual guest asset fields be tagged to their respective host(s), and firewalls to the applicable ESP(s). |
| Security & Audit Logging | Limited Security. Provides only rudimentary security and permissions management. Lack of an audit log prevents identifying the source and timing of errors. | Granular security and permissions settings protect screens and documents from being seen or updated by the wrong users. Real-time metadata is generated with each data and document change, which is immediately available in an Audit report showing the time that particular actions were taken and by whom. |
| Integrated Compliance Data Repository | None. Can only hold data entered into a spreadsheet. Has no capabilities to trigger automatic data collection or even notification for data to be manually updated. | Automated integration and task management tools import external data or push out alerts to update data on a scheduled basis. System-scheduled data collection ensures comprehensive compliance evidence is current, keeping the company audit-ready. |
| Complex Data Modeling | None. Single table structure prevents capturing or presenting complex data relationships. | Capture attributes about related subjects, such as Cyber Assets, BES Cyber Systems, Facilities. Enforce data modeling rules that users set up through a graphic interface, no coding required. |
| Task Management / Business Process Controls | None. Provides no task notification or process management tools. Compliance teams are forced either to use manual checklists or to develop an external process management tool. | Provides a library of pre-configured business processes, which can be used as-is or customized. Automated task notifications go to the right people at the right time, to ensure that compliance tasks and system updates are completed on time. |
The solution automatically tags the information and evidence to the corresponding NERC standard(s)/requirement(s).
The SigmaFlow Compliance Manager does retain one of Excel’s best attributes: It has the familiar spreadsheet interface and expected functions, like common keyboard shortcuts. Providing this recognizable user experience speeds up user adoption and proficiency rates in the Compliance Manager.
Risks of using Excel for NERC Compliance
Excel’s deficiencies in managing NERC Compliance data sets compound the costs and risks of compliance because they require constant internal audits. How many hours are wasted having to identify errors and correct them through manual validation? Then there are the resources and time taken to self-report anomalies that had not been found during formal compliance processes. While the compliance team uses Excel to manage compliance, they also spend considerable overhead managing Excel.
Excel may work for some low-asset utilities that do not have a lot of data to manage. For everyone else, the regulatory burden is too significant to be successfully managed in Excel. As every compliance manager knows, NERC compliance requires a seemingly endless amount of work. Your world revolves around policies and procedures, change management, evidence generation and collection, PRAs, RSAWs, and the rest of the alphabet soup.
You shouldn’t have to carry the additional burden of “managing Excel” and inherit its fatal shortcomings. Leverage an automated solution like SigmaFlow and let it do your heavy lifting. SigmaFlow’s NERC Compliance Manager allows NERC registered entities to ensure their records are up to date, accurate, secure, and fully auditable with task automation. Explore the full functionality of the tool in detail to see first-hand how it can improve your compliance program.