
Undertaking Risk Assessment – Determining Proactive Internal Control

January 31st, 2022

Facility owners and managers know that risk assessment is one of the key elements of a successful internal controls program. Compliance managers who take a proactive stance toward identifying, prioritizing, and mitigating risks are best positioned to meet their entity’s operational, compliance, and reporting objectives.

But where do you start?

The best place to start is by determining the areas that may lead to noncompliance with NERC Reliability Standards and Requirements. These areas are not only risks to your business but could also affect the bulk power system.

Maybe PFMEA is right for you.

One tool that can help you make these determinations is PFMEA – Process Failure Mode Evaluation and Analysis. When applied to the requirement-specific language of the NERC Standards, PFMEA reveals the risks that arise from failing to meet each requirement. A good example of how PFMEA can be applied to your entity is the article published by the Western Electricity Coordinating Council (WECC) titled “Risk Assessment Concepts for Internal Controls.”

As you consider identifying, prioritizing, and mitigating your risks, start with these questions:

  • What are the reliability and security risks to your organization?
  • Are there points within your processes that can result in irreversible outcomes?
  • How often are your risk-related activities accomplished?
  • What controls can you put in place to counter the effects of those risks?
  • Are there potential failure points in your internal controls?
  • At what point in the process can you intervene to effect a positive outcome?
  • Who in the organization is best to implement the control?
  • What approaches can you use to prevent failures?
      • Controls to prevent consequences
      • Controls to detect errors/adverse outcomes
      • Controls to mitigate undesired outcomes

The takeaway:

Compliance managers need to be ever mindful of conformance to NERC Standards and Requirements when assessing risk. A tool such as Process Failure Mode Evaluation and Analysis (PFMEA) is useful for proactively evaluating weaknesses that could lead to noncompliance.

What are your next steps?

  • Visit your Regional Entity’s website to search resources.
  • Evaluate for risks that could impact the bulk power system.
  • Evaluate risks that may lead to noncompliance.
  • Establish controls to prevent failures.

In our next blog, we will discuss the design and implementation of internal controls.

Disclaimer: Any opinions expressed in the blog do not necessarily reflect the opinions of Certrec. The content of this blog is meant for informational purposes only.