Utility NERC Compliance Programs Challenged by New Risk-Based Approach

Solid record-keeping and document management are key

Published: Monday, January 9, 2017 - 12:05

If compliance with the North American Electric Reliability Corp. (NERC) Reliability Standards wasn’t complex enough, registered utilities must also factor in the regulatory nuances of the bulk power system’s (BPS) eight regional entities (RE), even as NERC emerges with new risk management expectations. Although there is plenty of regulatory—and physical—overlap amongst the eight REs, it is essential for utilities to understand where they fit in the puzzle.

Clear away the fog, and one fact comes into view: Solid record-keeping and document management are central to meeting NERC’s evolving risk-based approach to compliance monitoring and enforcement.

NERC’s risk-based registration initiative

Much has changed since NERC launched its Risk-Based Registration (RBR) initiative in 2014 and subsequently phased it in over the next two years. The vast majority of its final requirements became effective in 2016. The initiative was designed to streamline the approach to identifying and evaluating any risks to reliability throughout the electric reliability organization (ERO) enterprise. NERC pledged to continue to work with REs throughout 2016 and beyond to monitor the effects of the new RBR approach, and to assess any potential impact of the RBR on other, ongoing risk-based compliance monitoring and enforcement plan (CMEP) activities. In addition, NERC and the REs will determine if other processes can be streamlined.

Risk management capabilities: time to reassess?

The new NERC RBR landscape also means regulated entities should examine their own compliance programs to make certain they know how to assess, track, and mitigate risk with effective controls that meet internal objectives and comply with regulations. Managing the details of the activities, and the relationships between them, in a solid compliance plan is key to success.

Broadly speaking, NERC’s ERO Enterprise Risk-Based Oversight Framework focuses on identifying, prioritizing, and addressing risks to the BPS, which in turn enables each compliance enforcement authority (CEA) to focus resources in the appropriate place. REs are responsible for tailoring the monitoring of registered entities using this framework. Because reliability risk is not the same for all registered entities, the framework examines BPS risks, as well as an individual registered entity’s risk, to determine the most effective CMEP tool to use when monitoring a registered entity’s compliance with the NERC Reliability Standards.

To develop a comprehensive risk-based compliance program, registered entities should focus their efforts on comprehending the framework and its approach. The framework identifies and prioritizes continent-wide risks based on each risk’s potential to affect the reliability of the BPS and the likelihood it will occur.

The implementation plan contains the ERO Enterprise risk elements, which in turn provide guidance to the REs in preparing their own implementation plans. Further, REs are expected to consider local risks and specific circumstances associated with individual registered entities within their regulatory territory.

How NERC categorizes risk: a closer look

After risk elements and associated areas of focus are identified and prioritized, NERC uses an inherent risk assessment (IRA) to review potential risks posed by an individual registered entity to the reliability of the overall BPS. An IRA considers a number of factors, including assets, systems, geography, interconnectivity, prior compliance history, and overall unique entity composition.

At the end of the day, the RE will determine the type and frequency of the compliance monitoring tools to employ, e.g., offsite or onsite audits, spot checks, or self-certifications. The RE may modify the set of core NERC Reliability Standards or pursue compliance assurance through any monitoring considerations. The determination of the appropriate CMEP tools will be adjusted, as needed, within a given implementation year.

Software automation eases risk management and NERC compliance efforts

Let’s not forget why these constantly evolving and stringent standards exist: to protect the grid and prevent disruptions like the cyberattack on the Ukraine electric grid. As it becomes increasingly difficult to maintain compliance with evolving NERC standards, the industry is turning toward automated compliance management systems. To ease the burden, energy and utilities providers are using single, flexible automated NERC compliance management platforms like AssurX to consistently manage operations, coordinate and track compliance activities, identify risks, and demonstrate compliance.

First published Nov. 30, 2016, on the AssurX blog.


About The Author


AssurX Inc. develops quality management and regulatory compliance software solutions to help companies in any industry exceed quality expectations, ensure compliance, manage risks, and better govern their enterprise. AssurX solutions securely handle manufacturing defects, complaints, change control, regulatory compliance, supplier quality, audits, risk, corrective and preventive actions, and more.