Internal Controls: Capitalizing on Embedded Processes
In the interest of shining some light into the dark corners of compliance processes, today’s issue is Internal Controls and how many entities have perfectly effective controls though they may not have been identified.
Within the labyrinth of dozens of mandatory reliability standards and hundreds of requirements in the world of NERC compliance, one of the most discussed and misunderstood features of the process is not mandatory at all. Unlike issues unique to the Bulk Electric System like voltage control, operating limits, and system operator training, internal controls are a common feature of nearly every industry and process where rules need to be followed.
In one sense, the requirements within the reliability standards are numbingly simple. One must have a procedure for doing something, evidence that one did it, or both. What those "somethings" are can be quite detailed, but the basic process of compliance is simple.
NERC guidance delineates three types of controls for helping assure the actions required to maintain electric system reliability are followed: Preventive, Detective, and Corrective controls. Together they aim to eliminate, to the extent possible, errors of omission or commission.
Like a lot of things, there is a continuum of approaches to controls for adherence to the reliability standards. Some entities begin with and stay with the basics, maintaining they have procedures for fulfilling their compliance responsibilities, and as such they are done. Period. On the other end are dedicated teams, internal processes, working groups, and stand-alone manuals. The creation, tracking, dissemination, maintenance, and testing of controls is laid out in exhausting detail and becomes a kind of cottage industry within the organization, often working hand in hand with the internal audit group.
A robust and logical compliance program has an infinite number of ways to address controls. A review and cataloging of current practices is an excellent way to assemble the basic structure of a controls function. Time and again we have found, to their surprise, that many entities have perfectly effective controls already in place, such as:
- Training that includes basic reliability responsibilities for new employees – Preventive
- Creation of compliance related procedures that are periodically reviewed and updated – Preventive, Detective, Corrective
- Periodic internal or third-party review of compliance evidence – Preventive, Detective, Corrective
- Attending NERC and Regional Entity webinars on reliability issues – Preventive, Detective
- Staff augmentation with a documented goal of continuous audit readiness – Preventive, Detective, Corrective
- Successful use of a quality Reliability Management System (software program) – Preventive, Detective, Corrective
- Training of visitors and vendors on location compliance expectations – Preventive
- Mock audits of compliance evidence – Preventive, Detective, Corrective
- Subject Matter Expert training on specific reliability tasks – Preventive, Detective
- Maintaining a Roles and Responsibilities matrix noting each standard and requirement, how it is applicable to your operation, who is primarily responsible for ensuring compliance, who has secondary responsibility, what constitutes acceptable evidence, where the evidence is archived, links to relevant procedures, and periodicity of review. High risk standards can be highlighted. Briefly, the who, what, when and where of compliance practices – Preventive, Detective, Corrective
Ultimately, Registered Entities should do what works for them based on their size, tools, and risk to the Bulk Electric System. There is no one-size-fits-all for a controls program. Do what works and be flexible if you find out something works better.