NERC defines internal controls as “Processes, procedures, systems, tools or any other resource implemented by an Entity to proactively identify, assess, and minimize the risk of noncompliance with the NERC Reliability Standards and reduce risks to the reliability of the BES.” CRSI identifies a strong set of policies and procedures as the focal point of an entity’s compliance structure; however, CRSI stresses that additional internal controls are needed for a comprehensive and well-rounded compliance program.
Basic control elements may include oversight, risk assessment, control activities, communications, training, and monitoring. While the approach to internal controls will differ with the nature and complexity of each electric utility, most programs follow a similar methodology built on three main categories of control:
- Preventive Controls – designed to keep an incident or error from occurring. These are proactive controls that help ensure management’s compliance objectives are met.
- Detective Controls – designed to identify and evaluate an incident or error that has already occurred. An example of a detective internal control is a formal root cause analysis program.
- Corrective Controls – designed to correct an incident or error that has occurred and return the entity to a normal state. Entities generally need to assess each instance of noncompliance to gain a broader understanding of how the error occurred.
A strong internal controls program does not mean that compliance with applicable NERC Standards and Requirements can be condensed or altered. Additional compliance-driven controls should be in place to ensure the existence and effectiveness of policies, procedures, systems and processes, and to promote management’s buy-in and accountability for effective implementation of the requirements. The experienced CRSI team is ready to help with these needs by providing services that include:
- Development and implementation of an enterprise-wide internal controls program, or enhancement of a utility’s current program.
- Evaluation of a utility’s existing internal controls and recommendations on how the utility may enhance them.
- Annual or quarterly review of a utility’s added controls, with suggestions on how the utility might strengthen its culture of compliance.
CRSI has strategically partnered with more than 250 electric utilities over the last five years on their NERC CIP compliance solutions. To find out more about how to create your Security Compliance Roadmap, call us today to schedule a free, no-obligation consultation.