NERC: Electric Regulator Powers GRC with SAI360
Case study at-a-glance
The North American Electric Reliability Corporation (NERC) is the Electric Reliability Organization (ERO) in North America that was created in the Energy Policy Act of 2005, following the Northeast blackout in 2003 that affected 50 million people in eight US states and southeast Canada.
NERC, as the ERO, is charged with assuring the reliability and security of the bulk power system in the United States, Canada, and part of Mexico, which includes the electrical power generation facilities and all high-voltage transmission systems that create and transport electricity. NERC achieves this by developing and enforcing mandatory Reliability Standards, assessing current and future reliability trends, analyzing system events, and recommending improved practices.
NERC began working with SAI360 in 2017 as part of an initiative to streamline business processes across its network and with its six regional entities. The initiative was led by Stan Hoptroff, NERC’s CTO and VP of Business Technology.
“NERC and the six regional entities have the same mission, but each had different tools and processes,” says Hoptroff. “We found more than ten core business processes and dozens of different tools deployed, not unexpected as shared processes and tools weren’t required across the regional entities. Looking forward, we knew introducing common business practices would create a whole new level of efficiency and way of working together.”
NERC looked at other regulated industries for inspiration. Hoptroff explains, “We looked at regulated verticals that deploy governance, risk and compliance (GRC) systems to comply, manage, and conform to standards and regulations such as HIPAA or Sarbanes Oxley. We decided we could use a GRC tool as a regulator because, in one sense, we are auditing six entities and the underlying 1,500 companies that own and operate the electric system in three countries.”
He adds, “We flipped GRC on its head and used a platform as an auditor. And it worked. We manage the compliance of 6,000 named accounts at 1,500 registered entities within six regional entities across three countries, much in part due to SAI360 capabilities.”
COMMITMENT TO MANAGING RISK AND REPUTATION
“In our industry, managing risk is mandatory,” says Hoptroff. “Non-compliance with industry standards can mean fines to the tune of $1.4 million USD a day and incalculable reputational damage – it’s hard to sell reliability and dependability if you play fast and loose with regulations.”
NERC also manages geographic variations, giving each regional entity the ability to use their intimate regional knowledge to support the operational realities of their local utilities. For example, in the Southeastern United States, long growing seasons and wet summers have made vegetation management a focus.
Hoptroff explains, “In 2003, vegetation overgrowth was the cause of a blackout when a conductor came into contact with vegetation and shorted out. So regional entities now audit to ensure vegetation is cleared, but what that looks like will vary by each area. For example, some of the western areas have desert, so instead of monitoring vegetation growth underneath conductors, they’re monitoring brushfires.”
NERC also needs to adapt as power generation changes, with increasing amounts of wind and solar generation coming onto the grid. These different sources have different characteristics and operational considerations when generating electricity. “The mechanics and management of solar and wind are different from generating electricity from coal, nuclear, or natural gas, which require different processes and management. We need to have business processes that can include all these factors,” adds Hoptroff.
EVALUATING A COMPLEX MARKET TO FIND SAI360
“Once we knew we needed a GRC tool, we did research to better understand the market and the key players,” says Hoptroff. “We issued an RFP to learn more about specific vendors and employed a consulting company to assist us.
We were clear about what we wanted from a partner and a solution from the starting point – the solution had to include ease-of-use and outstanding reporting.” “Having a formal selection process was necessary because we needed to ensure the process engaged all our regional entities. As a business technology executive, I know how important it is for users to be involved in buying technology and ensuring it is a collective decision. We didn’t want this only to be NERC making a decision.
“It’s worth adding that if we didn’t find a common platform, each regional entity could have gone to the market themselves, invested in their own technology, and we would never have realized the opportunity for a single system. This was a one-time shot at finding a common system.”
All of the regional entities were part of the selection process — and the decision was made to work with SAI360. “During the evaluation process, the SAI360 team would ask why we wanted something a certain way and would then give business or technology-based reasons why functions should work in a specific way. Their insight was genuinely helpful – they showed us that they understood how the technology and processes would work best for us.”
HOW OPERATIONS HAVE CHANGED WITH SAI360
Hoptroff says, “Before we had SAI360 in place, determining whether a specific standard is being violated would take a long time; now, it’s a 30-minute ask: the data comes straight out of the reporting engine. And consistency is vital. Some utilities do business in multiple states. For example, they may have a natural gas facility in Georgia and generate solar power in New Mexico. Previously this would have meant they had two different systems, but now they have the same one.
“Another benefit is mutual aid when one regional entity needs the assistance of another one. Now we have a single system, regional entity staff can guest audit, oversee, and step in to help one another.”
IMPLEMENTATION OF GRC AT A REGULATOR
“Because we are a regulator and have access to sensitive data, we built a secure evidence locker with the evidence bifurcated from self-reporting statements or requests that may contain sensitive data. Reliability and self-reporting collectively are a crucial part of our DNA,” says Hoptroff. “And we have a consistently high volume of transactions, with thousands of users submitting book transactions, self-certifications, and periodic data submittals.”
ADVICE TO CTOS LOOKING FOR A GRC PARTNER
“It’s not just about having a software solution that fits and delivers the reporting, usability, and functions to support your operations, it’s also about a partnership and working with a team ready to help you succeed,” concludes Hoptroff.