Energy companies are grappling with issues such as cyberthreats, cost inflation and the increasing demand for renewable energy. In addition, they are under tremendous pressure to comply with regulatory requirements from national, state and regional organizations. One such organization is the Federal Energy Regulatory Commission (FERC).
FERC compliance is important. First, it symbolizes integrity and good business practices that strengthen company reputation. Second, it builds more transparent, ethical and accountable organizational cultures. Third, it helps avoid expensive civil and criminal penalties and legal expenses.
The third point is becoming increasingly important. FERC has issued $172 million in fines across energy companies since 2007. Recently FERC penalized a Fortune 500 energy company millions of dollars — its largest fine yet — over charges of power market manipulation that resulted in economic losses for market traders.
Despite these fines, FERC’s primary goal is ensuring compliance, not penalties. It wants to ensure organizations have effective controls and compliance measures, are promptly detecting and reporting violations, are correcting issues, and have strong roles etched out for senior management to foster compliance. It is in the best interests of energy companies to implement robust, sustainable FERC compliance programs.
Building a FERC Compliance Program
An effective FERC compliance program is made of three core components:
1. Policies address why and how FERC regulations are relevant to the company and reflect the company’s commitment to compliance. Policies also include a summary of the applicable regulations.
2. Procedures deal with who, what, where, when and how a company will implement each policy. These documents bring a compliance program to life and enable it to be implemented as a daily business function.
3. Controls address how to evaluate a company’s compliance program and its regulatory policies through strategies such as course audits and committee oversight.
Developing Policies, Procedures
FERC compliance policies must lay out specific rules and compliance protocols such as details about the personnel or departments that administer compliance programs, monitoring and oversight responsibilities, internal and external reporting responsibilities, training and certification processes, record keeping, hotlines, audit calendars, and disciplinary policies and procedures.
While developing the compliance policies and procedures, companies should determine who would approve these policies: the CEO, chief compliance officer or the board. Audit trails and records of these approvals should be maintained in the form of emails, approval forms or committee minutes.
When approved, the policies should be distributed to the organization. A great way is to put it up on the internal intranet Web page. Many companies do this but forget to review and update the content when policy changes occur.
At each stage, companies should maintain an audit trail of policy management activities. This makes it easier to prove the companies have done what is expected for compliance.
Technology plays a significant role in simplifying and strengthening policy management. A centralized information repository, for instance, helps store and maintain all policies, regulatory requirements, risks, controls and control tests in a single framework. This helps users easily search for and access the data they need.
It also helps connect elements of the compliance program. Each policy can be mapped to the appropriate regulatory requirements, risks, controls, auditable entities and tasks to create a clear, top-level view of the compliance hierarchy and compliance health of the company.
Another advantage of technology is its ability to automate processes such as tracking new regulatory requirements, importing regulatory updates and notifying users about policy management tasks.
Assessing the Compliance Program With the Risk Matrix
The first step in the assessment of a compliance program is to determine its scope. Are you measuring the compliance program itself, are you measuring the regulatory requirements and restrictions that have been placed on your company, or both?
The entire chain of authority should be included in the scope with all the employees whose jobs are involved in a regulated activity (including employees from the information technology and accounting departments).
To determine the scope of assessment, a risk matrix should be used as directed by FERC. The risk matrix was first mentioned in FERC’s Policy Statement for Penalty Guidelines and is required for a company to get mitigation credit if needed. A risk matrix includes elements such as:
“- All FERC reporting and filing requirements;
“- All information in the FERC application and data request deadlines;
“- Tariff and communication requirements;
“- Contracting limitations for customers and suppliers;
“- Restrictions and requirements regarding affiliates; and
“- Training requirements imposed by the company along with details of the presentation, attendees list and deadlines for each training requirement.
The risk matrix is helpful during audits or assessments, but it also should be assessed during evaluations.
Other compliance elements that must be assessed include record keeping, regulatory and training files, and committee and minute meetings. Company policies and form contracts must be reviewed at least once a year to ensure they are current. Phone calls, text messages and emails also should be reviewed to ensure employees are not sending inappropriate communications.
A survey is a great control tool for assessing compliance and is much easier than an audit. It can help determine if the board and employees understand FERC regulations and their responsibilities toward compliance. Surveys usually include 10 to 12 multiple-choice questions and can be customized to each department or focused on multiple issues.
Surveys work best if administered in person during meetings and training. The aggregate results may be shared across the company, and individual results may be used as part of metrics for evaluating employees’ performances.
Strengthening FERC Compliance Audits
A FERC compliance audit can focus on departments, regulations or policies. Compliance and audit personnel must work together to determine whether compliance responsibilities have been fulfilled in a proper, timely manner.
Compliance auditors must look at the risk matrix and decide what should be reviewed: FERC reports, operating and information technology systems, shippers’ contracts, price reports, meeting minutes, accounting books or internal and external communications.
It is important to talk to employees and review reports and other compliance documents. Employees sometimes can provide information that is not apparent in reports.
If there are shortcomings or violations, the auditor must grade them as a one-time offense or recurring issue and justify the grading with appropriate documentation. A grading scale of 1-5 provides more scope for meaningful grading than the often used 1-3 scale.
Results should help the company decide appropriate discipline. For instance, if a regulatory violation has been discovered, policies might need to be changed. If employees are noncompliant with regulatory requirements, training presentations must be revised. Alternatively, bonuses can be reduced to drive home the importance of compliance.
Technology can be effective use in strengthening FERC compliance audits and assessments. An integrated technology framework, for instance, can bring together enterprisewide compliance audit processes in a single system and enable a systematic approach that minimizes redundancies. It also can help capture issues from compliance and audit processes and enable a streamlined approach to investigation and corrective action.
Enterprise-level dashboards and reports are valuable in providing a complete overview of issues, as well as where the organization stands in compliance, the performance of controls, gaps that must be remedied and similar critical issues.
Coping With External Investigations, Audits by FERC, CFTC
Audits can be initiated by FERC through a private party, a regional transmission organization market monitor or another government agency. They can be initiated by complaints through the FERC hotline or formal filings. Also, if counterparty to a contract is investigated, the other company (party) also could be pulled into an audit.
Effective preparation for a FERC audit is crucial to saving time, resources and money. FERC investigations can take several years, and if companies are not organized, they will spend much money in legal and consultant fees to deal with potential violations.
To prepare for a FERC investigation, a company must:
1. Inform senior management and the board of the investigation.
2. Have a procedure to activate the internal investigation team and plan.
3. Issue an appropriate do not destroy directive.
During any investigation, the company being audited had best have a team from relevant organizational departments along with the special compliance team to answer specific queries that might arise. For instance, the information technology staff might be called in case of an e-discovery that requires blocking system access for suspended employees or researching electronic storage files.
The auditing staff might need to answer on the effectiveness of controls. Other possible members of the investigation team may be legal staff, corporate security personnel, forensic accounting and technology, senior management and external legal counsel.
As part of an internal investigation before the regulator arrives, three kinds of investigation logs should be maintained:
“- Case log: Case logs are the facts and findings of the investigation with legal conclusions and advice.
“- Documents log: All relevant documents are indexed in a document log so information can be located easily and a record can be kept of what documents have been reviewed.
“- Procedure log: Procedure logs keep a record of all searches, data requests, interviews and other investigation activities.
These logs ensure essential information is shared with the right people while privileged information is maintained. The case logs usually are confidential and attorney-client privilege if maintained properly. The document and procedure logs usually are shared with regulators.
Technology can enable consistent, structured management of external audits. All internal audit reports, records of internal disciplinary actions and other critical data may be organized and stored in a centralized electronic repository to ensure they can be accessed easily and made available to regulators on a timely basis.
During the examination, work papers, interim status report and other findings also can be stored in a centralized location to keep the organization aware of any issues. After the examination, a systematic, automated approach may be enabled to manage and monitor corrective action for issues identified.
Conclusion
Compliance has a dual purpose: prevention and mitigation of violations. Prevention measures keep the company out of trouble, save the company money and strengthen its compliance health. When it comes to FERC, mitigation measures are implemented after a violation is discovered.
Managing a FERC investigation can cost much time and effort, and if a violation is discovered, it could cost a company millions of dollars in penalties and disgorgements and harm a company’s reputation. Energy companies must adopt strong compliance programs to protect their companies from noncompliance risks and costs and to gain the trust and confidence of regulators, stakeholders and customers.
Authors: Brenda Boultwood is vice president of industry solutions at MetricStream. She has served as senior vice president and chief risk officer at Constellation Energy. She has a bachelor’s degree in international relations from the University of South Carolina and a doctorate in economics from the City University of New York.
Bridget Shahan is a regulatory compliance consultant and former chief compliance officer of Nicor Inc. She has been an energy attorney for 19 years. She received a J.D. from The Catholic University of America in Washington, D.C., and is a member of the Tennessee Bar, D.C. Bar and Illinois Bar.
