This is part of my ongoing series “Unraveling the Mysteries and Complexities of NERC Compliance.” Read the previous part here: Step Three – Develop a Seamless Internal Controls Framework.

When it comes to designing a great internal controls framework, the single determining factor for how great our controls are is… people.

That’s right, people. Here’s the problem. We often get focused on dissecting compliance requirements and creating controls designed to serve them. This is the wrong approach. Of course, the controls must help achieve and assure compliance, or what’s the point in creating them? However, the real design activity going on here is not creating a compliance framework; we are creating a framework that helps people behave in a compliant manner. A control that is technically sound but that people cannot follow consistently will not produce compliant behavior, and that is what an audit ultimately measures.

Knowing the Requirements is Only a Starting Point

When I look back to when I first started dissecting the NERC Standards eight years ago, I realize my own personal first phase was, indeed, really getting my head around what the standards expected from utilities to demonstrate compliance. The problem wasn’t “how do I do that?”; it was “what do I need to do?”

We all start there. It’s just the way things work. However, as we mature in our understanding of NERC compliance, this opens the door to new opportunities to make compliance operations easier while providing higher assurance. You must know the Standards and Requirements before you can take the next step.

Sometimes you Start with Ugly

Understanding the Standards and Requirements is enough to build a controls framework, but the first pass is often ugly and, in many cases, yields more lessons learned than real value. Sometimes you just put your feet in the fire to learn what you need to know.

This can be avoided. In fact, that’s the whole point. It can be avoided by approaching the controls framework from the perspective of people and compliance outputs.

Compliance Outputs and People Drive the Compliance Program

This leads us to the elements required to create that great internal controls framework. What we need to do is:

Step 1 – Identify all the Outputs (documents/reports) required for Compliance.

Step 2 – Map them to the Standards and Requirements, so that you know you have everything covered and you can see how Outputs relate to the Standards.

Step 3 – Determine the processes (controls) you need to manage those Outputs! Include in your assessment the triggers (schedule, event) for each. This activity defines your controls.

Step 4 – Design a common User Experience. This is critical. Most compliance activities are quite similar in nature, so the control framework should provide a common user experience. Designed properly, the training burden on using the framework is heavily minimized and it is much easier for people to perform their activities consistently and correctly.

Step 5 – Simplify, Simplify, Simplify. Once you have that user experience, look at it from the perspective of each User. If you were the User, would you want improvements? This step is the most overlooked yet most critical part of designing a great controls framework. If you don’t take on the responsibility and ownership to create a great user experience, it’s simply not going to happen. Do not include things because you can; include things because you must. Every aspect of the user experience should be scrutinized and challenged if you really want to have that great internal controls framework. It’s well worth the effort.

Now, once you have that great controls framework, you need to deploy. I’ll be demystifying that subject in my next installment!

