Utility NERC Compliance Programs Challenged by New Risk-Based Approach

Solid record-keeping and document management are key

Published: Monday, January 9, 2017 - 12:05

If compliance with the North American Electric Reliability Corp. (NERC) Reliability Standards wasn’t complex enough, registered utilities must also factor in the regulatory nuances of the bulk power system’s (BPS) eight regional entities (RE), even as NERC emerges with new risk management expectations. Although there is plenty of regulatory—and physical—overlap amongst the eight REs, it is essential for utilities to understand where they fit in the puzzle.

Clear away the fog, and one fact comes into view: Solid record-keeping and document management are central to meeting NERC’s evolving risk-based approach to compliance monitoring and enforcement.

NERC’s risk-based registration initiative

Much has changed since NERC launched its Risk-Based Registration (RBR) initiative in 2014 and subsequently phased it in over the next two years. The vast majority of its final requirements became effective in 2016. The initiative was designed to streamline the approach to identifying and evaluating any risks to reliability throughout the electric reliability organization (ERO) enterprise. NERC pledged to continue to work with REs throughout 2016 and beyond to monitor the effects of the new RBR approach, and to assess any potential impact of the RBR on other, ongoing risk-based compliance monitoring and enforcement plan (CMEP) activities. In addition, NERC and the REs will determine if other processes can be streamlined.

Risk management capabilities: time to reassess?

The new NERC RBR landscape also means regulated entities should examine their own compliance programs to make certain they know how to assess, track, and mitigate risk with effective controls that meet internal objectives and comply with regulations. Managing the details of the activities, and the relationships between them, in a solid compliance plan is key to success.

Broadly speaking, NERC’s ERO Enterprise Risk-Based Oversight Framework focuses on identifying, prioritizing, and addressing risks to the BPS, which in turn enables each compliance enforcement authority (CEA) to focus resources in the appropriate place. REs are responsible for tailoring the monitoring of registered entities using this framework. Because reliability risk is not the same for all registered entities, the framework examines BPS risks—as well as an individual registered entity’s risk—to determine the most effective CMEP tool to use when monitoring a registered entity’s compliance with the NERC Reliability Standards.

To develop a comprehensive risk-based compliance program, registered entities should focus their efforts on comprehending the framework and its approach. The framework identifies and prioritizes continent-wide risks based on each risk’s potential to affect the reliability of the BPS and the likelihood that it will occur.

The implementation plan contains the ERO Enterprise risk elements, which in turn provide guidance to the REs in preparing their own implementation plans. Further, REs are expected to consider local risks and specific circumstances associated with individual registered entities within their regulatory territory.

How NERC categorizes risk: a closer look

After risk elements and associated areas of focus are identified and prioritized, NERC uses an inherent risk assessment (IRA) to review potential risks posed by an individual registered entity to the reliability of the overall BPS. An IRA considers a number of factors, including assets, systems, geography, interconnectivity, prior compliance history, and overall unique entity composition.

At the end of the day, the RE will determine the type and frequency of the compliance monitoring tools to employ, e.g., offsite or onsite audits, spot checks, or self-certifications. The RE may modify the set of core NERC Reliability Standards or pursue compliance assurance through any monitoring considerations. The determination of the appropriate CMEP tools will be adjusted, as needed, within a given implementation year.

Software automation eases risk management and NERC compliance efforts

Let’s not forget why these constantly evolving and stringent standards exist: to protect the grid and prevent disruptions like the cyberattack on the Ukraine electric grid. As it becomes increasingly difficult to maintain compliance with evolving NERC standards, the industry is turning toward automated compliance management systems. To ease the burden, energy and utilities providers are using single, flexible automated NERC compliance management platforms like AssurX to consistently manage operations, coordinate and track compliance activities, identify risks, and demonstrate compliance.

First published Nov. 30, 2016, on the AssurX blog.


About The Author


AssurX Inc. develops quality management and regulatory compliance software solutions to help companies in any industry exceed quality expectations, ensure compliance, manage risks, and better govern their enterprise. AssurX solutions securely handle manufacturing defects, complaints, change control, regulatory compliance, supplier quality, audits, risk, corrective and preventive actions, and more.