AssurX

Utility NERC Compliance Programs Challenged by New Risk-Based Approach

Solid record-keeping and document management are key

Published: Monday, January 9, 2017 - 11:05

As if compliance with the North American Electric Reliability Corp. (NERC) Reliability Standards weren’t complex enough, registered utilities must also factor in the regulatory nuances of the bulk power system’s (BPS) eight regional entities (REs), even as NERC emerges with new risk management expectations. Although there is plenty of regulatory—and physical—overlap amongst the eight REs, it is essential for utilities to understand where they fit in the puzzle.

Clear away the fog, and one fact comes into view: Solid record-keeping and document management are central to meeting NERC’s evolving risk-based approach to compliance monitoring and enforcement.

NERC’s risk-based registration initiative

Much has changed since NERC launched its Risk-Based Registration (RBR) initiative in 2014 and subsequently phased it in over the next two years. The vast majority of its final requirements became effective in 2016. The initiative was designed to streamline the approach to identifying and evaluating any risks to reliability throughout the electric reliability organization (ERO) enterprise. NERC pledged to continue to work with REs throughout 2016 and beyond to monitor the effects of the new RBR approach, and to assess any potential impact of the RBR on other, ongoing risk-based compliance monitoring and enforcement plan (CMEP) activities. In addition, NERC and the REs will determine if other processes can be streamlined.

Risk management capabilities: time to reassess?

The new NERC RBR landscape also means regulated entities should examine their own compliance programs to make certain they know how to assess, track, and mitigate risk with effective controls that meet internal objectives and comply with regulations. Managing the details of the activities, and the relationships between those activities, in a solid compliance plan is key to success.

Broadly speaking, NERC’s ERO Enterprise Risk-Based Oversight Framework focuses on identifying, prioritizing, and addressing risks to the BPS, which in turn enables each compliance enforcement authority (CEA) to focus resources in the appropriate place. REs are responsible for tailoring the monitoring of registered entities using this framework. Because reliability risk is not the same for all registered entities, the framework examines BPS risks—as well as an individual registered entity’s risk—to determine the most effective CMEP tool to use when monitoring a registered entity’s compliance with the NERC Reliability Standards.

In order to develop a comprehensive risk-based compliance program, registered entities should focus their efforts on comprehending the framework and its approach. The framework identifies and prioritizes continent-wide risks based on that risk’s potential to affect the reliability of the BPS and the likelihood it will occur.

The implementation plan contains the ERO Enterprise risk elements, which in turn provide guidance to the REs in preparing their own implementation plans. Further, REs are expected to consider local risks and specific circumstances associated with individual registered entities within their regulatory territory.

How NERC categorizes risk: a closer look

After risk elements and associated areas of focus are identified and prioritized, NERC uses an inherent risk assessment (IRA) to review potential risks posed by an individual registered entity to the reliability of the overall BPS. An IRA considers a number of factors, including assets, systems, geography, interconnectivity, prior compliance history, and overall unique entity composition.

At the end of the day, the RE will determine the type and frequency of the compliance monitoring tools to employ, e.g., offsite or onsite audits, spot checks, or self-certifications. The RE may modify the set of core NERC Reliability Standards or pursue compliance assurance through any monitoring considerations. The determination of the appropriate CMEP tools will be adjusted, as needed, within a given implementation year.

Software automation eases risk management and NERC compliance efforts

Let’s not forget why these constantly evolving and stringent standards exist: to protect the grid and prevent disruptions like the cyberattack on the Ukraine electric grid. As it becomes increasingly difficult to maintain compliance with evolving NERC standards, the industry is turning toward automated compliance management systems. To ease the burden, energy and utilities providers are using single, flexible automated NERC compliance management platforms like AssurX to consistently manage operations, coordinate and track compliance activities, identify risks, and demonstrate compliance.

First published Nov. 30, 2016, on the AssurX blog.

About The Author

AssurX

AssurX Inc. develops quality management and regulatory compliance software solutions to help companies in any industry exceed quality expectations, ensure compliance, manage risks, and better govern their enterprise. AssurX solutions securely handle manufacturing defects, complaints, change control, regulatory compliance, supplier quality, audits, risk, corrective and preventive actions, and more.