NEWS

The Emergence of Risk-Based Compliance Monitoring

by Dan Jenkins – NERC Reliability Specialist

The Realization

NERC has in recent years adopted a risk-based Compliance Monitoring and Enforcement Program (CMEP), motivated by the realization that its enforcement program had become focused more on complying with rules than ensuring a reliable Bulk Electric System (BES). Simply stated, registered entities were more worried about incurring fines than about taking the proper operational and security measures to make sure power would be reliably available.

By 2012, however, it had become evident that the CMEP, as implemented by NERC and the regional entities, was neither practical nor sustainable as a zero-tolerance monitoring regime due to the administrative burden it imposed. To remedy this, NERC then launched the Reliability Assurance Initiative (RAI), which incorporated lessons learned from other agencies that monitor compliance, including OSHA, EPA and the Securities and Exchange Commission (SEC). NERC leaders concluded that a risk-based program would make more efficient use of resources – while encouraging a focus on reliability as well as compliance.

The Changes

The RAI created a process for regional entities to use annually in identifying an individual entity’s risks to BES reliability and in allocating resources for monitoring and enforcement more efficiently when determining the scope of audits, spot checks and self-certifications. NERC now classifies an entity’s risks as follows:

  • Inherent Risk: based on size, function(s) and location;
  • Control Risk: based on procedures and controls in place;
  • Detection Risk: based on risk to reliability caused by failure to identify an issue.

NERC begins the annual process by identifying the current risks to BES reliability as part of its CMEP Implementation Plan. The regions then supplement the plan with their respective priority areas and risks. Once the final Implementation Plan has been released, each region then conducts compliance monitoring of individual entities. For this purpose, they use an Inherent Risk Assessment (IRA) to identify specific risks to the BES based on an entity’s operational characteristics. They can then focus mitigation efforts on each area of concern using an audit, spot check or other measure.

In addition, entities are encouraged to self-report any potential violations. The region can then issue a notice of compliance exception, which commits the entity to mitigate the subject violation but imposes no monetary penalty.

The Implications for Registered Entities

While this risk-based approach may appear to lighten the compliance load for registered entities, it in fact shifts the burden of compliance monitoring rather than removing it. This makes it more critical than ever that registered entities establish and maintain a comprehensive NERC compliance program, while also balancing the demands of compliance and reliable operations.

Using such tools as an internal compliance program, a root cause analysis process and an internal review process that periodically assesses all applicable standards, an individual entity can more effectively demonstrate to the regional entity that it maintains a robust culture of compliance. This in turn is the best way to demonstrate both adherence to the NERC standards and a commitment to maintaining BES reliability —which can ultimately serve to reduce the scope of future NERC audits.