What are you managing for?

By Jack Jackson, NERC Senior Reliability Specialist

When looking at the verb "manage," there are a number of different possible definitions that can be applied. And while compliance is certainly something to be managed, it is important to be clear with the compliance team and support staff about which kind of managing they are expected to provide. It is also important to realize that while aspects of management may be distributed, they eventually all interact and rely on one another to achieve compliance.

Managing Documentation

This would be the more technical side of compliance. It's important not only to understand what the standard is looking at but also to know how to find the documents that demonstrate what the standard is looking for. Managing documentation is also about communication, in the sense that there are more than a few event-driven requirements that only require documentation as a response to a change.

Managing Reporting

In comparison to other compliance arenas, the reporting for NERC is relatively light, at least as far as routine reporting is concerned. As noted above, there are plenty of standards that require documentation as a function of a change. In most cases that change also has some reporting associated with it. For those standards with event-driven reporting, compliance is typically measured in the time it takes to make the report from the event or change. In some cases, it's months; in others, minutes.

Managing Awareness

This is the more internal-controls kind of managing that is becoming ever more sought after in compliance monitoring events. Awareness starts with simple training to make sure that operators and staff know that they are not doing something “just because” but that there is something driving an activity. After the training, the next level of awareness is knowing that when something related to a standard happens, operators and staff know how to respond. And that can range from something as simple as a phone call to transmission to activating a cyber security incident response team.

Managing Implementation

Having a well-developed compliance program is certainly a good measure of an entity's commitment to compliance. But that program is only good when it is engaged with. It is important to never forget that NERC exists and could impact almost any task, whether it's reviewing an electrical work permit, changing a valve, or realizing the phone doesn't work. At the very least, ask “Does this impact NERC?” until there is an answer. With a well-implemented compliance program, the answer shouldn't be far away.

Every facility ultimately has a different approach to managing reliability compliance, and there is no one right way. What is important is to be intentional and thoughtful in the process. Compliance should be purposeful, not accidental.