Skip to content ↓ | Skip to navigation ↓

Compliance with NERC regulations begin with defining your organization’s policies, promoting them in the workplace, and reinforcing positive efforts. A key takeaway to transforming your compliance philosophy into a culture of compliance is by standardizing processes to meet requirements and engaging everyone to participate.

Success begins with an assessment of internal controls. Next, harmonize operational policies to fit your risk exposure. Then report, monitor, and align to meet reliability standards.

Top insights to establish, nurture, and maintain a healthy culture of compliance:

  • Evaluate internal controls first. Realistically document your strengths, weaknesses, and deficiencies.
  • Put policies into practice every day.
  • Measure performance across the enterprise and over time. Consistency is what counts.
  • Leverage leadership’s enthusiasm for meeting compliance goals with frequent communications.

Adopting a culture of compliance ensures your entire enterprise has situational awareness. It means you’ve already had the conversations from the C-suite down about NERC compliance. When policies turn into practice and employees are encouraged to champion the monitoring and reporting of threats and changes, it leaves little doubt you’ll be audit-ready.

Tips to consider:

  1. Determine whether you want to self-evaluate, invite your IT or compliance department to lead the effort, or work with an outside consulting firm.
  2. Identify all required policies for each touchpoint and interaction. Document the process steps for tasks, workflows, and data conditions that could adversely affect you.
  3. Do the design up-front when writing procedures to mitigate and prevent exposure to risk. Are there preventative, detective, and corrective controls to address each risk?
  4. Gather all narrative descriptions, questionnaires, checklists, and flowcharts. This establishes credibility and substantiates your policies are enforceable and in place.
  5. Keep your data clean. Designate a repository for all compliance-related documents as the single source of truth. Standardize file names and metadata so contents are easy to access.
  6. Verify all employee training is current and staff know to inform management of incidents, outages, and maintenance schedule changes. This not only pays off in terms of reporting; it demonstrates a culture of compliance at the top.
  7. Consider implementing an intelligent automation tool to further enhance your efforts.

After going through the checklist, your firm will be poised to prevent, mitigate, and respond appropriately to potential threats and ultimately to avoid NERC violations and costly errors.

Here are some reasons to consider an automated compliance solution:

  1. Ensure everyone is following the same (predefined) processes
  2. Avoid duplicate data entry
  3. Identify evidence that can be automatically generated
  4. Identify key dates
  5. Create a central repository
  6. Identify data conditions
  7. Dynamically assign tasks

You’ll save time and energy by streamlining your compliance efforts and activating your defined policies and procedures you worked so hard to nail. Know that NERC compliance is achievable by adopting a suitable culture and activating intelligent automation tools to help.


Jim JanickiAbout the Author: Jim Janicki is Chief Executive Officer of SigmaFlow. He has over 30 years experience in business and software technology leadership. Under Jim’s leadership, SigmaFlow has developed as the leader in compliance management software for utilities in NERC CIP and 693, addressing the needs of low, medium and high impact utilities, while maintaining SigmaFlow’s Well Delivery offering.

Jim is a recipient of the Ernst & Young Entrepreneur of the year award as well as the Dallas Tech Titans CEO of the Year Award. He received his Bachelor of Science Degree in Computer Information Systems from Arizona State University. You can follow him on LinkedIn.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.