March 2017 marked the 10-year anniversary of FERC approving 83 NERC Reliability Standards, the first set of enforceable standards for the bulk power system. Since that time, electric utilities have been racing to stay ahead of compliance requirements and deadlines. As the industry continues to evolve, as operations and regulations become more complex, the need to change how risk is managed becomes more apparent.
Because regulations are increasing and digging deeper into utility operations, Black & Veatch advocates implementing a holistic approach to security and risk management. This approach drives risk-awareness deep into the organizational culture. It involves managing risk across the enterprise, rather than as a regulatory compliance task.
The benefits of managing risk holistically, as demonstrated by early adopters in the electric industry and perfected by the banking industry over the last 20 years, are more resilient and reliable operations, measurable reductions in risk and a proactive approach to regulatory compliance.
Similarities to the Banking Industry
As with the electric industry, regulations regarding how the banking industry manages risk were developed in response to a major incident. The 2003 Northeast Blackout ultimately resulted in the Energy Policy Act of 2005, calling for the development and enforcement of reliability standards that eventually led to the aforementioned initial NERC Reliability Standards in 2007. For the banking industry, it was the Savings & Loan Crisis of the mid-1980s through 1990s that led to, among other legislation, the Federal Deposit Insurance Corporation Improvement Act (FDICIA) of 1991.
Over the years, as new threats have emerged and crises have been endured, regulations for both industries have continued to evolve to address them. For banking, regulations have covered risks associated with credit, operations and financial health, among others. In the power industry, we’ve seen regulations expand from standardized operations and planning requirements for maintaining the bulk power system, to physical and cyber security requirements, to now the risks associated with third-party vendors.
The banking industry eventually began to respond to expanding regulations and complex compliance requirements by creating a top-down, risk-aware culture. What is meant by “risk-aware culture” is an organization that empowers every employee, at all levels of the organization, to evaluate decisions and actions based on potential risks and how to mitigate those risks.
How to Create a Risk-Aware Culture
There are many elements involved in establishing and embedding a risk-aware culture at an organization. The following outlines three of the primary initiatives to jump-start the process.
Create a responsible party
Embedding risk-awareness throughout an organization requires establishing the importance of risk management at the highest levels of that organization. Best practices show that a company executive tasked with managing organizational risk should report to that company’s Board of Directors, rather than the CEO. However, a direct reporting relationship to the CEO is also a viable solution. The reason risk management should start at the highest levels of an organization is that this is where the proverbial “buck stops” in the event of an incident. If senior leadership is ultimately accountable for a high-profile failure, breach or incident, then responsibility for mitigating that risk should also start at the top.
A company’s risk organization is responsible for creating risk objectives, policies, procedures and processes that enable coordination across the enterprise.
Create measurable risk objectives
Senior executive leaders tasked with managing risk should set security and risk goals. To do this, you must first quantify current organizational risk. This involves assessing the entire enterprise, including your company’s physical, cyber and human assets, as well as the policies, procedures and investment plans for each. Understanding current risk enables you to identify measurable goals and objectives to reduce risk, including mitigating any critical risks. Establishing risk metrics and understanding the baseline for improvement provides the opportunity to regularly report on security and risk initiatives.
Use Program Management Offices (PMOs) to manage change
Any change naturally creates risk. PMOs work in alignment with a company’s risk organization to manage the risk around a planned change, such as a new Customer Information System, an AMI deployment, the implementation of distributed energy resources, or other large capital programs. The purpose of the PMO is to define the processes and methods for how change is embedded into the organization. PMO processes must comply with corporate risk policies and procedures, and everyone involved with a project or program must adhere to the established processes.
Electric Industry Early Adopters
SRP, one of the largest public power utilities in the United States, has begun the journey of building a risk-aware culture. A key driver for beginning this organizational change was the growing cost and complexity of maintaining regulatory compliance and elevating and justifying investments to remediate critical risks.
Black & Veatch worked with SRP to guide the restructuring of their cybersecurity governance and risk program. These efforts have helped elevate significant investments in cybersecurity and risk management, including the remediation of 54 critical findings and the creation of a seven-step comprehensive risk remediation process.
Learn more about how and why SRP is building its risk-aware culture by attending a free webinar sponsored by SRP and Black & Veatch on Tuesday, May 2, 2017, at noon Eastern/9 a.m. Pacific. Register now: http://www.theenergytimes.com/regulations-and-laws/how-srp-creating-risk-aware-culture