by Tanya Bodell, CRA International Inc.
On July 1, certain North American Electric Reliability Corp. (NERC) requirements will enter the auditably compliant (AC) stage. Pre-identified companies subject to the cybersecurity standards of the critical infrastructure protection (CIP) rules will be subject to spot-checks and audits, heralding investigations across companies, functions and requirements.
Enforcement officials will monitor compliance. Upon discovery of possible violations, they will launch investigations and possibly issue formal notices of violation. Our experience helping clients with regulatory compliance points to three ways a market participant can prepare for upcoming regulatory checks: self-audits, mock audits and assessments.
In a self-audit, an outside team or compliance staff within your company takes the role of enforcement officials and conducts the level of investigation that is anticipated from the regulator. A self-audit allows you to find potential red-flag issues and allows time to understand the issue prior to review with the regulator.
Despite the strategic value of self-audits, many companies have been reluctant to undertake a thorough vetting of their past processes and outcomes. Such an exercise might uncover a violation of regulatory compliance rules, thereby mandating a self-report to the enforcement authorities and associated repercussions. In the NERC-mandated self-investigations, almost all companies found more than one violation to report, and NERC frequently responded with fines.
In contrast, self-audits are not Federal Energy Regulatory Commission (FERC)-mandated, and the economic decision about whether to engage in such an audit is driven by the potential benefit vs. the cost of violation discovery.
The benefits of finding past violations might seem much lower than the costs of having to report such violations, resulting in a strategy of blind hope that past violations did not occur or will not be discovered. But wishing it does not make it so, and prompt self-reporting of past violations might result in lower fines and indicate a mature compliance program that could mitigate future penalties.
Mock audits differ from self-audits in that they prepare you for the official audit without the deep dive into details that might disclose a violation. Mock audits walk you through the process, work through requests for documentation, identify the information that will need to be disclosed and identify the personnel responsible for gathering, preparing and presenting that information. Someone who has participated in regulatory investigations should lead the mock audit to provide the perspective of enforcement officials and insight into the information that must be disclosed.
The benefits of mock audits are increased efficiency and effectiveness in responding to actual audits. The costs include the time and resources required to organize and execute the mock audit. Personnel who eventually will deal directly with regulators place greater weight on the benefits because their reputations and time will be at risk during the real event. Those required to prepare for the mock audit might find the time and resource costs burdensome. Finding the balance between the costs and benefits is essential if mock audits are to be part of your compliance strategy.
Regulatory compliance program assessments are a higher-level approach to understanding the potential for a company to violate a compliance requirement and the risk posed by such violations. Assessments can estimate the probability of a violation, the likely type of violation and its expected severity to determine the enterprise-wide risk of noncompliance.
Most assessments require:
- A framework against which the state of the program can be measured;
- An understanding of the metrics against which a regulatory compliance program will be held; and
- A common language for communicating between the existing and desired state.
One such framework is the regulatory compliance maturity model, in which a program is not simply in or out of compliance but is more or less mature, consistent with FERC's emphasis on a strong compliance program.
Upcoming NERC audits will extend beyond identifying violations to assessing the state of the company's regulatory compliance program. Performing a self-assessment before a regulatory investigation provides significant benefits without the associated risk of finding violations. A self-assessment can identify areas of strength and weakness and allow you to rationalize your compliance efforts accordingly. It also documents the status of your compliance programs for responding to NERC inquiries.
Preparing for an investigation requires weighing the costs and benefits of each action. At a minimum, assess your compliance program to determine whether to invest in mock audits and self-audits.
Tanya Bodell is vice president of CRA International Inc. E-mail her at Tanya.email@example.com
“I do not know which makes a man more conservative–to know nothing but the present, or nothing but the past.”
John Maynard Keynes, “The End of Laissez-faire” (1926)