It’s the day and age of automation and data tracking. It’s also the era of a global pandemic, unprecedented cybersecurity threats and risk exposure for organizations. Surprisingly, many electric transmission, generation, and distribution utilities (“NERC entities”) still rely on spreadsheets to manage NERC compliance.
Manual tools for compliance management and recordkeeping like Excel and SharePoint are accessible, easy, convenient and low cost—until they are not. They also invite duplicated work, human error and missed tasks, and when an auditor comes knocking, pulling your paperwork together will be a nightmare. This is why managing a compliance program this way has been coined "death by spreadsheet."
Let’s look at this phenomenon, how it takes shape, and better alternatives NERC entities use for compliance and risk management.
When are spreadsheets an effective tool for compliance tracking?
There are instances where Excel or a similar simple tool is sufficient. A spreadsheet would be adequate for a small NERC entity with a small, unchanging set of compliance obligations and only a few people working on compliance-related tasks. For companies with no compliance management system in place and no clear picture of where they stand on regulatory requirements, spreadsheets can be a useful starting point.
Outside of the simplest cases, any organization with multiple personnel involved in compliance activity and reporting would reap enough benefit from a purpose-built tool to justify its cost. A typical NERC entity has multiple people, many standards to comply with, much evidence to store, and constant changes to the NERC standards to monitor. A program of that complexity requires a lot of work and oversight if it is managed through spreadsheets.
The risks and downside of managing compliance using spreadsheets
There are several risks associated with using spreadsheets to track compliance:
Ownership: The one person who manages the spreadsheet leaves. When they walk out, so does the knowledge of the intricacies of your spreadsheets. Without documentation, the person who assumes the role next will likely modify the sheets to their own preferences and aptitude.
NERC updates: NERC standards change often. Your employees must proactively watch for the changes and regularly adjust the spreadsheets and processes.
File size & speed: Once a spreadsheet gets big and complex, you might encounter slow load time, or worse, the file will stop opening. Most recently, we heard this happening to someone with over 20 operations running on their spreadsheet.
User permissions: Internal control poses another issue. Who’s in charge of the spreadsheet? Who updates it, and what is the process to keep it updated?
Audit preparation: When an audit notice comes in, organizations need to produce an audit trail showing how data has been updated and modified over the years. A spreadsheet shows where an organization stands today, but typically not its history. If you do have the historical records, pulling them together in preparation for the audit will take many hours. What's more, organizations using spreadsheets need to draft an audit response manually. In contrast, a purpose-built tool populates the audit response in the required format, saving time and money.
Version control: How do you ensure each person is accessing the most recently created and updated version? Typically, a spreadsheet is shared by many users. When an error occurs, backtracking to find the point of error, even with built-in version history, is difficult and time-consuming.
Human error: Spreadsheets are created and maintained manually, so they are prone to errors. Utility companies should consider the severe consequences of incorrect data entering a regulatory filing.
Spreadsheet-based compliance management creates more work than it takes off your plate, and it exposes the organization to financial and reputational risk. The result is an expensive tool with inherent risk.
Spreadsheets vs. IRM solution for compliance management
An integrated risk management (IRM) solution positively impacts one person the most: the person tasked with managing compliance as part of their job. In the bigger picture, an IRM solution benefits the organization and everyone involved.
Audit notices often turn into an organization-wide ruckus when employees drop what they are doing or work extra hours to complete the necessary paperwork. And frequently, these organizations realize in the end that they were not in compliance.
What ensues isn’t a pretty picture. Non-compliance puts a NERC entity at the risk of fines and reputation loss. Here’s how an IRM solution helps:
- Time is money. Since an IRM solution automates compliance management, it pays for itself over time in saved costs.
- Audit readiness is critical for all NERC entities. A tool that shows you where you stand removes much of the stress and fear in an organization, which usually centers on "where do we stand when an audit happens, and how do we put this paperwork together?" With an automated tool, you know in real time that you are continuously compliant.
- IRM solutions offer a workflow that always keeps you audit-ready. If you are informed that you’re going to be audited, the preparation isn’t onerous or particularly stressful. And it eliminates the need for an “all hands on deck” approach to audit preparation.
- An IRM solution allows your employees to focus on their primary job and not be torn between their day-to-day activities and compliance management. It introduces an upfront cost but proves cost-effective in the long run.
- Organizations can safeguard their reputation and reliability through a compliance management solution that demands less of them and offers the necessary security.
Why organizations are skeptical about compliance management solutions
A Turkish proverb says, “If your mouth is burned by milk, you blow before you eat yogurt.” We all know of an organization that had a bad experience with an IRM solution. Maybe it was difficult to use, and there were adoption issues, or it wasn’t well-planned and designed, so it never fit with the internal requirements.
Most senior people in compliance have seen enough to know that not all compliance management tools and vendors are created equal. You also need the right internal processes and systems to understand, manage and maintain the tool. In the best scenario, your IRM vendor will see you through the process.
When is the right time for a company to move from spreadsheets to IRM?
A company with no idea of its audit readiness should look at an IRM solution. It's also the right move for an organization whose compliance program involves several people or more, or one that has had compliance or audit preparation issues in the past.
Finally, when an audit is around the corner, having an IRM implementation underway can significantly reduce your risk by demonstrating the right efforts to the auditors. Auditors take the effort of setting up an IRM tool into account, so it is not too late to start in the right direction to stay compliant.
Shifting to an IRM solution can be disruptive and often gets put off for that reason. However, a good vendor makes the process manageable and efficient.
Yes, implementing a new IRM solution is an investment of time, money and effort, but so is non-compliance, in the form of reputational damage and hefty fines. The main difference is that investing in an IRM solution will safeguard you for years to come.