Building a Solid NERC Compliance Culture—Management Commitment is Key

Do you have a solid compliance culture?

The importance of senior management in building a solid compliance culture within a company cannot be overstated. Even the best compliance program will fail unless top management actively embraces compliance and sets the norm for proactive compliant conduct. Developing and maintaining a strong and ongoing culture of compliance is a key undertaking for any organization subject to NERC regulations, and senior management bears primary responsibility for creating such a culture.

How do you measure up?

Each company’s circumstances are unique. Smaller companies have more limited resources. There is no template or one-size-fits-all compliance program. Management must analyze the company’s regulatory risks, create an appropriate combination of measures to ensure ongoing compliance, and determine the optimum investment to make in compliance measures in light of the company’s resources and risks.

How do you instill a culture of compliance?

In addition to providing adequate funds and resources, there are some common steps that senior management can take to instill a culture of compliance.

  • Ensure designated compliance personnel are actively included in the development of business initiatives.
  • Engage in systematic and effective preventive measures, such as careful hiring, training, accountability, and supervision.
  • Communicate commitment to compliance to employees frequently, both formally and informally.
  • Encourage employees to raise questions and to obtain the views of supervisors or designated compliance personnel.
  • Provide tools and training sufficient to enable employees to comply with regulatory requirements.
  • Establish systems and protocols for monitoring, identifying, and correcting possible violations.
  • Set aside necessary time to address compliance issues as they arise.
  • Take prompt action to correct any activity that produces a violation.
  • Address misconduct situations promptly.

The takeaway:

Your company’s commitment to compliance needs to include a program with effective compliance accountability as well as periodic review of the program’s effectiveness.

Why is a compliance-centric culture important?

While an aggressive compliance program and strong direction by senior management to search out and report regulatory compliance issues may result in an increase in self-reported violations, over time the successful implementation of such a program should result in fewer violations.
Where there is evidence that the company has adopted effective preventive measures with the appropriate accountability and review mechanisms, penalties for any noncompliance may be reduced or negated.

What can you do to demonstrate commitment to compliance?

  • Establish a well-documented, formal program for internal compliance, and disseminate it widely within the company.
  • Ensure the program is supervised by an officer or other high-ranking official.
  • Enable the compliance official to report to or have independent access to the chief executive officer and/or the board of directors.
  • Ensure the program is operated and managed so as to be independent.
  • Dedicate sufficient resources to the compliance program.
  • Guarantee that compliance is fully supported by senior management (e.g., Is senior management actively involved in compliance efforts? Do company policies regarding compensation, promotion, and disciplinary action take into account the relevant employees’ compliance with regulations and the reporting of any violations?).

  • Review and modify the compliance program frequently.
  • Provide sufficiently detailed, frequent, and thorough training to all relevant employees to instill an understanding of relevant rules and the importance of compliance.
  • Establish an ongoing process for auditing compliance with Commission regulations.
  • Respond to wrongdoing through disciplinary action against employees involved in violations, and adopt and ensure enforcement of new and more effective internal controls and procedures to prevent a recurrence of misconduct.

In addition, these actions make preventive measures more effective, encourage detection and reporting of violations, and should lead to prompt and effective remediation of violations.

Disclaimer: Any opinions expressed in the blog do not necessarily reflect the opinions of Certrec. The content of this blog is meant for informational purposes only.
