Electric utilities face a unique challenge when it comes to compliance management. As one of the most highly regulated industries in the United States, utilities must contend with rapidly changing requirements from multiple different federal, state and local agencies. To manage compliance and exceed what most standards dictate are the minimum requirements, utilities must create a culture of compliance.
Sendero has a long-standing relationship with a large, privately held Texas electric utility and has provided support on several initiatives in the company’s quest to create a culture of compliance, including overseeing the vendor selection process for a new safety management system, providing strategic direction for an internal analytics/automation center, and building and executing organizational change management plans when industry standards change.
In our experience, there are three key steps electric utilities should consider when building or improving a compliance management program and creating a culture of compliance:
1. Evaluate Compliance Risks
Electric utility workers are taught to perform a job safety analysis before beginning work to identify potential hazards. The same should be applied across the enterprise. It’s not enough to evaluate whether your company is meeting regulatory requirements – utilities must assess the effectiveness of compliance programs and activities and identify at-risk areas requiring attention.
Start by identifying risks within the organization when no controls or strategies are in place to reduce risk. Then, measure the likelihood of occurrence and severity of impact when the company’s risk mitigation activities are applied. If the risk is not reduced to an acceptable level, you’ve identified an area where additional control measures are necessary.
Take, for example, the risk posed to a utility’s critical assets and ability to provide reliable service if a third-party breach occurred. While there is no way to completely eliminate the threat, do the company’s security measures significantly reduce the probability of a breach occurring and the severity of impact? If not, then it might be time to evaluate and improve the company’s security program. Only when you understand your areas of risk and where there are gaps can you begin to prioritize corrective actions.
2. Create and Enforce Policies and Procedures
A company’s Chief Compliance Officer, Risk Management department, or even Senior Leadership team is not solely responsible for ensuring the organization stays in compliance – it is the responsibility of all employees.
But how do you hold an entire organization accountable? The first step is to create policies and procedures, which help to guide a company’s operations and set consistent expectations for employees in terms of behaviors, actions, and processes to follow in specific situations. For example, a utility might have a policy stating that an inspection is performed before and after a piece of equipment is used; the procedure would explain how the inspections are to be performed in detail.
Policies and procedures alone will not create employee accountability. They are like tools – you can’t hand an employee a set of tools and expect they will know how to use them. Employees need to understand the intended use (communication and training), demonstrate comprehension (supervision) and be acknowledged for a job well done (recognition). They need to see others modeling the correct use (leadership) and understand what can happen with improper use (enforcement). A culture of compliance creates accountability.
3. Adopt Robust Technology and Advanced Analytics
Beyond keeping up with all the different compliance standards and internal policies and procedures, agencies require an extensive amount of documentation and data to demonstrate compliance. This includes everything from inspections, construction drawings, and environmental impact assessments to training records and incident reports. Utilities need to be able to quickly access information both for reporting purposes and when responding to audits. Furthermore, some regulators are beginning to expect digital information. The days of submitting a PDF of a signed inspection report are quickly dissipating. Sooner rather than later, utilities will be forced to digitize, so now is the time to begin investing in technology that will enable organizations to be effective, agile, and efficient in managing compliance.
Advanced analytics and automation techniques are among the ways utilities can utilize robust technology to identify and understand patterns of risk and non-compliance faster and with greater accuracy. Image recognition, for example, can be used to estimate the rate of vegetation growth near power lines and structures to better predict trimming schedules. Or a comparative analysis of the rate at which certain incidents occur and employee compliance with safe work practices can help determine the efficacy of safety training programs.
Over time, as the volume of information increases, trends start to emerge. Predictive analytics help organizations proactively anticipate where there is risk and the potential for non-compliance.
At the end of the workday, the key to creating a culture of compliance is to be proactive. Don’t wait for an external audit, an employee injury or a breach to highlight where processes and protective measures fell short. Identify risks and gaps, ensure employees understand that compliance is more than checking a box, and leverage technology. Regulatory requirements are a moving target – they will continue to change and shape the utilities industry. Stay a step ahead by being proactive and agile.