The IT industry talks a good game of taking a comprehensive approach to governance, risk and compliance (GRC)....
If companies ever hope to contain compliance costs, they must rationalize the redundant processes and technologies implemented helter-skelter to meet the latest mandate. The proverbial silos in IT and the business must be broken down to achieve a unified GRC program. But where to begin?
Not with the technology, according to Michael Sanchez, a regulatory compliance consultant in Houston. Sanchez was brought in by one of the largest power producers in the United States to help it meet new regulations from the North American Electric Reliability Corporation (NERC), the nongovernmental regulatory body for bulk electric systems. As of June 2007, NERC standards became mandatory and brought stiff penalties for the noncompliant: up to $1 million per day, per violation.
As Sanchez soon discovered, the company had a history of buying point solutions for compliance, with the choosing usually done by the business owner of the problem and IT told to implement. Top executives were adamant that NERC be done differently, with "transparency and accountability" built into the solution.
The achievement has been something more. With a year or so of NERC work under its belt, the company is now leveraging a new approach to compliance. Its experience shows that short of doing everything, companies can begin an orderly process toward compliance. The utility also was able to find technology that did help -- in this case GRC Manager, a tool from CA Inc. In fact, Sanchez's company, Sirius Solutions, has become a fan of the CA tool because of its broad applicability to mandates including the Sarbanes-Oxley (SOX) and Health Insurance Portability and Accountability acts.
Here are some of the components that helped the power company get out of the starting gate with its GRC program:
1. Understand what is required by the regulation. Elementary? Not really. Because NERC was new, the company needed to understand how it would be measured in an audit and what evidence needed to be retained. Before a single vendor was considered, Sanchez spent six months helping the company figure out which people and processes were touched by the regulation. The aim was to spell out accountability for anyone who might be involved in NERC, down to the individual task performer.
"We wanted to make sure that as these people went out and performed their jobs, they did the right things. We were watching for the attributes we needed and making sure we had a way to retrieve the evidence to review it and include it into our document repository," Sanchez said.
An NERC team that was formed to scope the regulation included people from the company's legal, IT, engineering and human resources departments, as well as from its commercial and power operations.
2. Assess what you have done before. Take a hard look at your compliance solutions. How successful were those implementations? Did the reporting get to the appropriate levels of the organization? How complete is the reporting? The power company's response to past regulations such as SOX was to go for a point solution.
"We thought that was kind of silly. When you build these types of systems, you want to take a holistic approach, because the chief risk officers and top executives want to see the compliance posture of the organization," Sanchez said.
3. Develop the compliance processes with the business units before buying technology. The toughest part of the engagement was developing the NERC workflows. Sanchez's team worked with the business owners, who agreed to adopt the processes into their standard routines. Sanchez had a stick -- make that two: hefty fines for noncompliance and executive backing.
4. Don't fall for a dressed-up point solution. NERC requirements include IT cybersecurity and engineering components, but 90% of the requirements relate to engineering.
"It was funny -- from a point solution standpoint, all these companies got on board, but they lacked all the operations and engineering," Sanchez said. (Gartner Inc. analyst French Caldwell said this happens in other areas, where IT point solutions for SOX, for example, are peddled as GRC platforms.)
When you build these types of systems, you want to take an holistic approach, because the chief risk officers and top executives want to see the compliance posture of the organization.
Michael Sanchez, consultant, Sirius Solutions
Also consider the flexibility of the technology. When Sanchez started, NERC was a regulation in the making, with ever-changing standards. "What I liked about [GRC Manager] was that it was configuration-based, so as our needs changed, we could go back to the system and make whatever modifications were appropriate, rather than wait for a version change from the vendor," Sanchez said.
Sanchez's team configured the system based on the processes developed with the business users. The team set up a hierarchy of user roles -- from the plant manager, who needed to see specific tasks, to the corporate user, who needed to see the NERC regulation, up to the chief risk officer, who needed the broadest possible view.
5. Consider a hosted solution, at least for the start of the program. The power company needed to make this happen as quickly as possible. Sanchez worked closely with IT project managers and business analysts, but the solution is hosted on CA's site.
"I didn't have to go through procurements and put everything into the IT infrastructure," he said, adding that the hosted model was chosen with the understanding that eventually the solution will be brought in-house.
"I wanted to make sure we got everything in place and had the users taking advantage of the functions of the systems. The next step is bringing it back in-house," he said. The company has the servers and infrastructure to support the solution, so bringing it back will save money.
But in the meantime, implementation was really fast. "We were able to put CA in touch with [the utility's] procurement [office], and after the signatures were signed, we very quickly had an instance spun up and we were able to start configuring it."
Sanchez, of course, also makes the case for bringing in an independent consultant. Redefining business processes and getting buy-in is sensitive territory. Sanchez's group takes a phased approach to projects. In this case, his team started with the biggest chunk, the NERC engineering component.
"We set up all the components they needed for a sustainable compliance program. We had the processes in place, and we made sure we could successfully pass audits before we turned it over to the company."
The cybersecurity piece for some 70 plants is under way. Next stop: Federal Energy Regulatory Commission compliance.
Let us know what you think about the story; email Linda Tucci, Senior News Writer.