Risk-based compliance monitoring focuses on identifying, prioritizing, and addressing the risks an organization’s activities may pose to the Bulk Power System, and on monitoring those risks for deficiencies that may arise from ongoing activities or from organizational or process changes.
Monitoring internal controls is an ongoing process. If left unmonitored, internal controls may tend to deteriorate over time. Even with all your controls in place, any complacency may reduce your NERC compliance status.
The core of effective and efficient monitoring lies in designing and executing monitoring procedures that evaluate important controls over meaningful risks to your organization’s
Personnel with appropriate skills, authority, and resources should consider:
Monitoring considers the collective effectiveness of all components of internal control.
The monitoring component of an internal controls program provides value to the organization in three ways:
To get the most effective results from the monitoring process, you should:
| Analyze | Consider Options | Take Action |
|---|---|---|
| Stay up-to-date on industry standards, laws, rules, and regulations to avoid “blind spots” and the regulatory risks and violations associated with non-compliance. | Conduct reviews of regulatory information sources on a regular basis to capture any potential impacts. Subscribe to a third-party resource to receive "pushed" information important to your organization’s ongoing compliance. | Modify your internal controls as needed to address any new or revised regulatory obligations. |
| Know your high-risk areas and routinely monitor the controls associated with them. | Prioritize any identified deficiencies according to risk to help you allocate the right time and resources to the most important risk mitigation projects. | Develop corrective action plans so deficient or inadequate control implementation may be mitigated and program corrections made as appropriate. |
| Establish where you are in your utility compliance efforts to plan for the future, to stay current on regulations, and to reduce violations. | Consider using compliance management software to establish and support the company’s regulatory compliance program; to store information; to extract data from daily work to create, submit, and organize reports; and to trigger alerts for non-compliance. | Report deficiencies to the appropriate individuals who can effectively make change. Correct deficiencies on a timely basis. |
| Evaluate your compliance program baseline and whether your internal controls are appropriate and functioning. | Conduct periodic spot-checks or audits of your internal controls process (consider third-party involvement). | |
In our next blog, we will discuss evaluation of internal controls.