As an electric utility, you know that NERC compliance is both critical and incredibly cumbersome. You need to comply with NERC requirements, and you need to be able to prove that you complied, but you also need to run your business in a time- and cost-effective way. Those objectives can often seem at odds.
So you get a compliance management tool. Compliance solutions are designed to make processes like those required by NERC much easier. But here’s the rub: not all compliance solutions are created equal. Some specialize in specific requirements, like NERC, while some try to be all things to all people. Some act as serviceable project management tools, but fail to carry their weight above the task management level.
In this blog series, we will look at what your compliance engine should be doing for your business. Day-to-day process management is certainly part of it – more on that in a bit – but your compliance solution should also enable you to take all that day-to-day data and turn it into powerful insights that drive business value.
Let’s start small. As every compliance manager knows, NERC compliance requires a seemingly endless amount of work. You need policies and procedures for every standard. Each of these policies and procedures comes with its own workflows and tasks.
Say you need to do a change ticket for every change. Your auditor requires evidence that you followed this process for every change ticket for the last two years. To meet this requirement, your compliance engine should kick off a workflow for every change ticket. That workflow may include five tasks or 20 tasks. The workflows should notify relevant people, track activities, allow you to upload evidence that those activities have been accomplished, and coordinate the approval process. So far so good.
You should also be able to manage requirements proactively. Every three years, your employees must complete a personnel risk assessment (PRA). The compliance engine should be able to track whose PRA is coming due (within 30 days, for instance), whose is due immediately, which PRAs are late, and so on. You should be able to assign those tasks, taking things like vacation into account to ensure that they are still completed on time.
Same thing with an RSAW. You know it’s due every year. With 13 standards and 5-6 requirements for each standard, you’re looking at somewhere around 72 RSAW sections that must be completed. Your compliance manager should help you generate your RSAW, from task management to evidence management to people and project management, so you can submit it to your NERC regional entity when required. The good ones streamline this process dramatically; one SigmaFlow customer spent 2000 man hours per year to get their RSAW done before implementing Compliance Manager, and now spends less than 200.
Policies and procedures. Change management. Evidence generation and collection. PRAs, RSAWs, and the rest of the alphabet soup. As a compliance manager, this is your world, and you’re well aware of the challenges. But once you’ve got that organized, what’s next? What do you do with all the data generated by those day-to-day activities? You could sit on it and wait for an audit, or make it work for you: improve processes, boost efficiency, gain transparency, analyze corporate risk profiles, and more.
In the rest of this series, we’ll cover how to make the data work for you. Stay tuned for best practices on how to get more from your compliance engine at every level of the organization.
SigmaFlow is a leading provider of Process Execution solutions. The company’s NERC Compliance Solution is a real-time, evidentiary-based software solution that solves the challenges of CIP & 693 Compliance. The SigmaFlow Compliance Solution manages all documents, data, and work activities while automatically collecting and building the evidence for NERC compliance in a real-time repository. SigmaFlow products place a strong emphasis on embedding domain knowledge through a process-driven, template-based architecture. Contact us at email@example.com to learn more.