There is a lot of discussion in the industry about the value of a database for NERC compliance versus tracking systems such as SharePoint or Excel spreadsheets. A compliance program that still relies on these tools faces severe limitations compared to one built on a comprehensive compliance database. I have personally worked with both, and there is no comparison when a NERC compliance database is properly implemented and used.
One caution: senior management and stakeholders must sponsor the implementation of a compliance database from the top down, and metrics must be used to confirm that the compliance department is getting the support it needs, with buy-in from the Subject Matter Experts (SMEs). Without this support, the implementation will most likely fail, thousands of dollars will be wasted, and the team that brought in a needed system with the best of intentions will be blamed.
NERC registered entities (such as utilities, municipalities, cooperatives, and independent power producers) are still receiving findings during NERC audits because they have not set up automated tasks and schedules that directly notify the SMEs. Many are still missing requirement deadlines, such as Patch Management reviews, because they are trying to manage them through tools like MS Excel.
In the wake of the latest FERC/NERC fines, we see a heightened awareness from senior management on the risks that are out there for registered entities. There will certainly be more scrutiny by the Regions and NERC on compliance programs and their implementations.
There are several key areas where a Compliance team struggles when handling a NERC audit manually:
- Compliance teams are overwhelmed by the many requirements and mandatory timeframes for evidence collection involved in managing company risks.
- Subject Matter Experts are busy with their day-to-day jobs, and without automated notifications from a compliance tool they do not always complete their compliance tasks on time.
- Without a comprehensive compliance tool, the Compliance group responsible for monitoring compliance within the registered entity cannot see the "Big Picture" across the company: there are no notifications that tasks are going uncompleted, and charts and Key Performance Indicators (KPIs) are unavailable.
- There is no centralized system for collecting the required compliance evidence and preparing for NERC audits, data requests, or internal reviews.
- Document management is another part of compliance that must be maintained, and it cannot be done by spreadsheet alone.
Still Not Convinced? Two Use Cases!
Without naming the Entities:
One: A company in the eastern region had a cybersecurity audit on one of its operating companies. It received several Potential Non-Compliance (PNC) findings because the SMEs were not performing the CIP requirements within the timeframes required by the standards. The SMEs were not getting reminders or notifications of these tasks, and amid their day-to-day activities and duties the tasks were missed. Because this company had not automated these tasks in its CIP program, mitigation plans are now underway. One action is to look at automated systems instead of managing by spreadsheets.
Two: A southwest generation company also received a Potential Non-Compliance (PNC) finding because its maintenance testing was not properly scheduled for its substations. It did not have the proper work orders in place, or an automated system that would notify the maintenance supervisor of the upcoming test and then send reminders to ensure that the testing was completed and the evidence collected. These are just some of the pieces of a good compliance program that need to be in place for the reliability of the electric grid.
The Need For a Solution to NERC Challenges
Even though the NERC standards have been mandatory for going on 12 years, there is still a need for stronger compliance programs. The outdated, manual way of handling NERC compliance won't cut it for the long term, and it is costing your organization time and resources. A better solution takes commitment from senior management; a good compliance team engaged with NERC, the Regions, and its SMEs; and the implementation of a compliance database to support the compliance controls needed to mitigate risk.
About the Author
As Vice President at ABZ Incorporated, Trey has over 25 years of experience in generation, transmission, and regulation in the utility and energy industry. Trey works with customers to improve their business processes through the successful acquisition and implementation of resources and solutions. Trey has worked with large energy companies in North America on the implementation of their compliance programs.
Trey has worked with some of the largest registered entities in North America, including utilities, independent power producers, and cooperatives, helping them implement NERC and CIP compliance software solutions.
In previous roles, Trey worked for the Northeast Power Coordinating Council (NPCC) regional entity and served as Chairman of the NPCC Compliance Committee (CC) and the NERC compliance subcommittees.
Trey also has served as the Manager of Reliability Compliance at Northeast Utilities (now Eversource) and was appointed to the NERC Compliance and Certification Committee (CCC). Trey has experience in the nuclear industry and worked in power generation for some of the largest nuclear facilities on the east coast.