

Building an Effective Compliance Program

Manager, Reliability Standards Compliance & Associate General Counsel, American Transmission Company

Trevor Stiles serves as Manager, Reliability Standards Compliance & Associate General Counsel with American Transmission Company, a transmission-only utility based in Pewaukee, Wisconsin. The...

  • Nov 2, 2021

Co-authored by Sarah Habriga

The increasing rate at which industry is seeing announcements that a utility has been fined hundreds of thousands or millions of dollars by its regulator for compliance violations sends a strong message. If you work with Federal Energy Regulatory Commission (FERC) or North American Electric Reliability Corporation (NERC) compliance, these stories probably keep you up at night, wondering whether you’ve done everything possible to minimize your compliance risk and avoid being the next utility in the headlines. The goal of a compliance officer is to understand what happened and why. When we see notices of penalty issued, we review them and perform an analysis to understand what went wrong and what we can do to avoid a similar fate. It can be easy to dismiss those violations as resulting from bad intentions or incompetence (i.e., they tried to skirt the rules, or they tried to follow them and weren’t very good at it), but reality is more nuanced: from our review, most compliance violations occur when well-meaning people make honest mistakes.

People make mistakes when they find tasks to be confusing or complicated. A well-executed compliance program, then, makes compliance as simple, straightforward, and easy to implement as possible, while leveraging known human performance tools to minimize error.  The trick is balancing these elements, which can be in tension. For example, human performance experts have touted checklists for years as a simple tool to minimize errors. But such checklists are not a panacea. If you must perform a 74-step checklist every day to perform your basic tasks, the level of complexity creates an incentive to cut corners. This is the ultimate challenge facing compliance personnel: how do you create a clear, repeatable process that isn’t so burdensome that people work to circumvent it?

In this article, we hope to provide a brief overview of steps we’ve taken to minimize our risk of compliance violations. We have taken this approach in building out our compliance program. Whether you are an entity with a mature program in place or just starting out, we hope to provide some practical pointers on building a compliance program.

First, senior management must be engaged in and provide oversight of the compliance program. Through engagement and oversight, senior management will gain a good understanding of the entity’s compliance risks, understand the different aspects of the compliance program, as well as resource requirements, and help determine what success looks like. In addition, the compliance officer should provide periodic updates on the compliance program to the governing body; such updates may include audit results, regulatory docket, and results of compliance monitoring activities.

Second, you must have a clear understanding of what rules you must follow. Between statutes, regulations, administrative guidance, case law, and tribal knowledge gleaned from regulatory interactions, the amount of material that guides performance can be overwhelming. Before you can build an effective compliance program, you must know the universe of items with which you’re complying. For this task, we find it helpful to retain outside counsel to assist in the review and ensure we’re not overlooking anything.

Third, once you have a clear understanding of the rules of the road, you need clear accountability. We create an accountability matrix that shows, for each NERC standard, who is responsible for it – from the subject-matter expert and compliance personnel assisting with review all the way up the chain to the Vice President overseeing the department. When people see their name on an accountability matrix, they take ownership of the requirement and ensure its execution. On the NERC compliance side, this approach particularly helps with standards, such as the CIP Supply Chain standards, that cut across multiple functional areas where confusion easily arises. To be effective, everyone must have a clear understanding of where accountability ultimately lies for ensuring we are taking the right steps to ensure reliability and compliance.

Fourth, individual functional areas develop their own procedures to ensure compliance, based on a standard template. At ATC, we assigned compliance personnel to each functional area in the form of a “Standards Manager.” That Standards Manager, who is part of our compliance team, assists with the development of procedures while bringing in an independent and objective eye with the ability to socialize best practices gleaned from across the industry and organization. In turn, the Standards Manager also serves as a conduit from the functional area back to the larger compliance team. If there are pain points unique to a functional area, the Standards Manager is well-situated to identify those and work to address them (so we don’t end up with a situation reliant on a 74-step checklist to ensure compliance!). This process is necessarily iterative, but it helps reduce complexity by incorporating feedback from frontline contributors who perform day-to-day actions.

Fifth, work with your internal audit organization to establish and test internal controls. Our Audit and Risk Management team has put many hours into building out an internal controls program. This program provides a testable, trackable way of ensuring compliance and detecting mistakes before they rise to the level of a violation. Audit and Risk Management, Reliability Standards Compliance, and functional areas collaborate on the development and testing of internal controls. Our governance, risk, and compliance software documents internal controls and internal control deficiencies, tracks corrective actions, and provides leadership visibility to risk, including risk mitigated by internal controls and acceptable risk.

Finally, be okay with revisiting and revising. What works today may not work in five years, and what you think works today may not work at all. In addition to Standards Managers serving as a conduit to and from functional areas, we recommend checking in with the affected areas on a regular cadence to solicit feedback, look for process improvements, and make necessary changes.

Will these steps guarantee compliance? Of course not. Human performance always remains a risk. But by providing clear guidance, minimizing complexity, leveraging internal controls, and incorporating constant feedback, you can lay a firm foundation to reduce your ongoing compliance risk.


Trevor Stiles is the Manager, Reliability Standards Compliance and Associate General Counsel at ATC. He oversees ATC’s FERC and NERC programs.

Sarah Habriga is a Senior Compliance Specialist & Corrective Action Coordinator. She serves as the Standards Manager for the Asset Management and System Planning departments.

Matt Chester on Nov 2, 2021

Finally, be okay with revisiting and revising. What works today may not work in five years, and what you think works today may not work at all. In addition to Standards Managers serving as a conduit to and from functional areas, we recommend checking in with the affected areas on a regular cadence to solicit feedback, look for process improvements, and make necessary changes.

Is there a good rule of thumb for what this cadence should be-- is yearly often enough? Is it too often in terms of extra costs/efforts? 

Mark Silverstone on Nov 5, 2021

Excellent advice. Thanks. 
I might add that it behooves a company to foster proper and constructive relationships with regulatory bodies.  
The possibilities for contact with those bodies vary a great deal from country to country and agency to agency. In some countries, all or parts of audits/inspections are public. Some countries publish compilations of findings from audit programs. Most will provide guidance and clarification on what compliance or violation really requires with respect to a specific requirement/law/regulation. 
It is extremely important to ensure that issues/violations/findings from previous inspections are fully resolved prior to the next inspection. 
