Managing Regulatory Risk with SharePoint


The North American Electric Reliability Corporation (NERC) has listened to the electric utility industry! It recently modified its Compliance Monitoring and Enforcement Program (CMEP) as a result of the Reliability Assurance Initiative (RAI) evaluation.

The changes made by NERC, which focus on risk based on size and potential reliability impact, have the potential to benefit your organization in many ways. In this article, we answer some common questions that have arisen amongst power generation entities about the NERC changes listed below.

The power of Microsoft SharePoint lies in its simplicity; it is user-friendly and you do not necessarily need a computer programmer to implement controls into your compliance program.

Get a more advanced system by using SharePoint applications. Cooper Compliance's Audit-Ready SharePoint applications are a suite of governance, risk and compliance (GRC) SharePoint add-ons that provide a proven platform for designing and embedding controls into your compliance program to manage risk. The applications integrate into your on-premise SharePoint or with Microsoft 365.

The Audit-Ready SharePoint applications can be purchased at a very reasonable price. They provide real-time compliance status on a dashboard, drill-down reports to ensure that you are audit-ready at all times, and a tool to systematically load data into your SharePoint site once while automatically mapping it to all relevant regulations. The Audit-Ready logging system alerts your operators when certain compliance steps need to be taken. The Audit-Ready Maintenance Center ensures timely and complete maintenance records. By using the functionality available in SharePoint along with various off-the-shelf products, you can easily identify to NERC where you have directive, preventative, detective, and mitigating controls, and your entity can benefit from a reduced audit scope and an extended audit period.

  • Introduces the UFLS-only Distribution Provider for those entities that are registered only because they have an Under-frequency Load Shedding (UFLS) program.
  • Increases registration requirements from 25 MW to 75 MW.
  • Provides real benefit to companies who have introduced a controlled environment to reduce risk.

    Can I still de-register if my load is greater than 75 MW?

    We at Cooper Compliance recommend that you look at where your loads are separated by normally open switches or through noncontiguous geographical locations. Perhaps you have two or more systems, where the load of each is less than 75 MW. If so, you may be able to deactivate your registration as a DP or qualify as a UFLS-only Distribution Provider entity.

    What are the benefits of being a UFLS-only Distribution Provider?

    Entities qualify as a UFLS-only Distribution Provider when they have a UFLS program but are not directly interconnected to the Bulk Electric System with load less than 75 MW. UFLS-only Distribution Providers have only 2 Standards that they have to comply with. These two Standards require an entity to submit its UFLS program annually and to maintain its UFLS relays and associated protection equipment every 6 to 12 years.

    How do I benefit by managing risk through a controlled NERC program?

    Those entities who have implemented controls into their organization have essentially eliminated the risk of non-compliance. More importantly, in the long term you will improve reliability and reduce workload.

    NERC has observed that those entities with established internal controls do not need to be audited in areas that have internal controls in place. The NERC regional entities, who audit registered entities, will reduce the scope of the audit and extend the period between audits. This reduces your staff's time and effort to prepare for an audit, allowing you to focus on your purpose of bringing reliable electricity to your customers!

    We are limited by our budget and can't afford to have a robust controlled program. How can these changes benefit us?

    We recommend that you consider some of the following options for introducing controls that manage risk into your entity's NERC Compliance program.

    Outsource your NERC Compliance Administration

    Consider outsourcing your NERC Compliance Administration services or expanding your in-house team through an outside vendor. Many companies specialize in compliance, and you can outsource your NERC Compliance Administration program to them at a reduced cost. These companies focus on NERC Compliance and have more exposure to lessons learned. Using an outsourced NERC compliance management company gives you peace of mind, with an entire team of experts working for you rather than relying on limited internal compliance experts. For example, these companies are likely able to provide an expert in risk and controls, operations, maintenance, critical infrastructure, and legal at the same or lower price than you would pay for one full-time compliance staff member.

    Use Microsoft SharePoint to manage your risk.  

    Microsoft SharePoint can be used as a tool to manage your compliance programs in many ways when set up appropriately. You can use your existing on-premise SharePoint or consider using Microsoft 365 SharePoint at a cost as low as $7 per user per month.

    SharePoint can be used to build controls into your compliance program:

    Directive Controls: Use a central library to store all procedures that provide directive controls. Turn on versioning to maintain historical documents, track revision history, and prevent different versions of the same procedure from being used throughout your organization. As a best practice, use a consistent name for your document when loading it into SharePoint. For example, use "Protection System Maintenance Program" instead of "Protection System Maintenance Program, v4". Use SharePoint's version and date columns to distinguish versions of the same document, with version being required upon check-in and date being automatically populated by SharePoint.

    Preventative Controls: Use workflows that send out escalation emails when work is not performed in a timely fashion.

    Detective and Mitigating Controls: Use forms that alert users when data is entered outside a predetermined range. For example, well-designed Web forms can cause an alert to occur when battery readings are outside of a specified range and corrective actions are required. You can also use SharePoint lists accompanied by workflows to manage lists such as Critical Cyber Assets, approvals for CIP Change Management, or Training requirements.