
Monitor Your Internal Controls – Minimize Risk and Stay Compliant

What is risk-based compliance monitoring?

Risk-based compliance monitoring focuses on identifying, prioritizing, and addressing the risks an organization’s activities may pose to the Bulk Power System. It also means monitoring those risks for deficiencies that may arise from ongoing activities or from organizational or process changes.
Monitoring internal controls is an ongoing process. If left unmonitored, internal controls may tend to deteriorate over time. Even with all your controls in place, any complacency may reduce your NERC compliance status.

Where should your focus be?

The core of effective and efficient monitoring lies in designing and executing monitoring procedures that evaluate important controls over meaningful risks to your organization’s objectives.
Personnel with appropriate skills, authority, and resources should consider:

  • Have the meaningful risks to objectives been properly identified?
  • Which “key controls” best support a conclusion regarding the effectiveness of internal controls in those risk areas?
  • What information is needed to determine the controls are operating effectively?
How does monitoring provide value to your company?

Monitoring considers the collective effectiveness of all components of internal control.
The monitoring component of an internal controls program provides value to the organization in three ways:

  1. It lets management determine whether the internal control system operates effectively over time, providing assurance of the system’s ongoing value in risk reduction.
  2. It provides insights into potential changes or additions to the internal controls that support a more meaningful risk-reduction posture.
  3. It promotes a sustainable internal control culture. When people who are responsible for an internal control know their work is subject to oversight through monitoring, they are more likely to perform their duties properly over time (what is measured gets done).
What can you do?

To get the most effective results from the monitoring process, you should:

  • Analyze
  • Consider Options
  • Take Action


Stay up-to-date on industry standards, laws, rules, and regulations to avoid “blind spots” and the regulatory risks and violations associated with non-compliance.




Modify your internal controls as needed to address any new or revised regulatory obligations.

Know your high-risk areas and routinely monitor your controls that are associated with them.



Prioritize any identified deficiencies according to risk to help you allocate the right time and resources to the most important risk mitigation projects.

Develop corrective action plans so deficient or inadequate control implementation may be mitigated and program corrections made as appropriate.

Establish where you are in your utility compliance efforts to plan for the future, to stay current on regulations, and to reduce violations.



Consider using compliance management software to establish and support the company’s regulatory compliance program; to store information; to extract data from daily work to create, submit, and organize reports; and to trigger alerts for non-compliance.

Report deficiencies to the appropriate individuals who can effectively make change. Correct deficiencies on a timely basis.

Evaluate your compliance program baseline and whether your internal controls are appropriate and functioning.

Conduct periodic spot-checks or audits of your internal controls process (consider third-party involvement).



In our next blog, we will discuss evaluation of internal controls.

Disclaimer: Any opinions expressed in the blog do not necessarily reflect the opinions of Certrec. The content of this blog is meant for informational purposes only.
