Energy companies have always faced hurdles in the form of rules, standards and codes. What has changed, in hindsight, is their rigor: the regulatory environment has become very complex and severe, leaving energy companies grappling with how to demonstrate, document and report compliance.
Most energy and utilities companies are today required to retrieve, compile and integrate data from multiple sources with accurate, up-to-date information on the state of their business and day-to-day operations. While the geographical spread of these organizations makes listing assets challenging, manual and paper-based systems of storing vital business information leave that information vulnerable.
Geographically spread utilities, with multiple units stretched across different centers, not only complicate the establishment of an effective security perimeter but also make it harder to collate information at one center for regulatory oversight and reporting.
Compliance managers, in their rush to balance compliance with rigorous regulations against real-time risk measurement, management and mitigation, at times compromise on security measures, leaving the organization even more exposed to penalties and risks. As it is, simple processes like meeting the standards of conduct, OATT application and enforcement, GHG registry requirements, ensuring adequate controls, and monitoring transactions to identify fraud or manipulation are herculean tasks in the absence of a regulated system.
George Wang, the Chief Information Security Officer, Asia, Reuters Asia Pvt. Ltd., in a speech on the importance of risk strategy being in sync with a company's security culture, says, "Battling with legalities and regulations sometimes places a damper on an organization's capacity to pursue the right security measure."
Evidently, with these challenges and vulnerabilities in the picture, companies cannot afford to address haphazardly the regulatory compliance inherent in their operations and market activities.
What companies need at this juncture is a compliance program that can effectively achieve compliance without exceeding the resource capabilities within the company.
Building a road map
There is no one-size-fits-all approach to compliance -- as every enterprise follows a framework that is specific to its own internal operating environment.
A predefined process of effectively achieving compliance should address four core areas: planning, readiness assessment, remediation and monitoring.
Scope and Planning
Management commitment and readiness to comply are essential to any compliance management program. Not only do they focus the organization on compliance, they also make it easier to identify, assess, decide on, implement, audit and supervise a robust overall compliance program.
Just as every business has a unique internal environment, every regulatory body has a unique approach. It's paramount to understand the scope and implications of the regulations, such as NERC, FERC or the Sarbanes-Oxley Act, that apply to your business before internalizing your compliance program.
Whether for the associated policies, procedures, reporting requirements or filing templates and schedules of the various regulations, each business has to define an approach for assessing compliance and keep a check on non-routine and nonsystematic transactions, antifraud programs and loopholes.
Readiness Assessment
Readiness Assessment gives you an easy and effective way to profile the current state or 'maturity' of your organization's processes as expressed by the degree to which they comply with regulations and standards such as NERC and FERC.
Energy companies today need to do more to meet business objectives. While in the past it was sufficient to supervise and control process loops, today they need everything from advanced control, integrated fire and safety, and physical and cyber security to interfacing with business systems.
The readiness assessment will not only help you understand the core strength of the compliance management process, but will also identify processes, documents and records that are missing or incomplete, making it easier for you to estimate the work required to create or update those compliance artifacts. Each area that needs attention will then be prioritized based on the Implementation Plan.
Remediation
In remediation, the gaps that pose a non-compliance risk are identified and prioritized. It is a clean-up and disinfecting process. A process that can track progress towards addressing the deficiencies identified during the gap analysis is implemented.
These deficiencies can be caused by equipment corrosion, failure, outdated infrastructure, obsolete control systems or even cyber threats. If left undetected, they can result in severe consequences, including violation of regulatory standards such as FERC and NERC.
Once the gap is identified and documented, it is immediately assigned to the appropriate personnel for investigation and remedial action, saving time, money, work force and critical capacity of your organization.
Monitoring
Ongoing monitoring helps keep track of compliance status, process ownership, assessment plans, etc., providing wide visibility into the compliance process and highlighting issues that need to be addressed. The essence of monitoring is to create a sustainable structure, resulting in consistent and efficient reporting and documentation.
For instance, remote monitoring helps plant managers in the energy industry keep track of both condition and performance monitoring -- freeing on-site resources for other critical tasks. It helps plants avoid unplanned losses of capacity, improve asset health, and achieve more stable control.
Conclusion
Remember, regulatory compliance is not a one-time exercise. It's a never-ending process, especially when it involves increasingly complex regulatory requirements, growing cyber threats and vulnerable standardized technology.
Just as the lack of appropriate risk and compliance management frameworks and techniques can lead to undesirable consequences and hefty penalties from national and regional regulators, it can also affect all business functions, operationally as well as strategically.
With the help of a compliance roadmap and framework in the form of a more integrated and scalable approach, energy companies can achieve their critical business objectives and cope with the complex regulatory landscape.



