The 2009 Annual AssurX Electric Reliability Special Interest Group Meeting was a great success. This year we met in Denver on June 9-10, 2009 and kicked the event off with a networking reception that mixed business and great conversations. During the conference sessions, we discussed the latest product upgrades for CATSWeb ER, which makes it easier to import new and revised NERC Standards and RSAWs.

In our open forum we learned about how everyone is using the product to manage compliance to the NERC Standards and much more. Presentations on CIP Compliance, Compliance Framework and a customer presentation were loaded with important, useful information. I want to thank RRI Energy for a very informative presentation on their NERC compliance process: recurring evidentiary documentation/gap analysis process.

I also want to thank our customers and partners who participated in this great event. We look forward to the next one!


The CATSWeb Measurements feature makes it easy to track performance to goals, monitor trends and automatically send performance-based alerts. Measurements can be added to executive and corporate dashboards to provide important, easy to read, quality metrics information. Not only does this give you feedback about your performance to goal and trends, it also allows you to focus your resources on the areas of the business that need attention. Detailed information can be easily accessed by clicking on the metric of interest. All this is done within CATSWeb without relying on any third party tools or add-ons.

Because most of us don’t have time to look at these dashboards every day, alerts may be configured to automatically send e-mail notifications when the metrics change. Measurements can link to any data source, such as internal system data like queries and filters. As with all system reports and graphs in CATSWeb, the source data can even be ‘external’, such as from ERP and HR systems or other Oracle and Microsoft databases.

It’s easy to set up a measurement:

  1. From the Manage page, click on Measurements and choose “Add” (or copy an existing one)
  2. Enter your company goals
  3. Then add the measurement to a Dashboard

Example of CATSWeb Measurements showing status of late actions in various departments

The CATSWeb Measurements Feature provides an easy way to track progress to goals and alert you when thresholds are crossed. This helps your company to:

  • Achieve its corporate goals
  • Broaden visibility regarding those goals
  • Reduce cycle times
  • And ensure that tasks get completed on time

Let us know what corporate goals you are tracking (or would like to track) and how you are using the Measurements Feature in CATSWeb.


When you use AssurX’s CATSWeb Enterprise Quality and Compliance Management system, you enter records and tasks such as:

  • Corrective Actions
  • Nonconformance Reports
  • Defects
  • Change Requests
  • Audits and Findings
  • Complaints
  • Training Tasks
  • and more

With each of these processes there is usually an associated ‘due date’ or ‘goal date’. In the system you are automatically notified via email upon assignment and sent reminder emails when these dates are approaching. There is even auto escalation for items that are past due, with notifications to management and even auto reassignments for critical items.

All of this functionality is aimed at:

  • improving responsiveness
  • increasing customer satisfaction
  • reducing cycle times and
  • ensuring that tasks get completed on time, meaning, in the end, that costs are reduced

To enhance this built-in functionality, AssurX has added the Calendar Display Part. The Calendar Display Part allows you to view your quality and compliance records and tasks in a convenient calendar format. Each calendar can be set up to filter data on the fly. For example, you can display your personal tasks or your department tasks. It comes with several viewing formats, such as multi-month, and calendars can be added to a user’s home page.

Calendar Display Part in CATSWeb

Calendars can link to any data source such as internal system data like queries and filters.  And like all system reports and graphs in CATSWeb, the source data can even be external such as from ERP and HR systems or Oracle and Microsoft databases. The Calendar display part also allows you to manage and display the corporate workdays and holidays.

It’s easy to set up a calendar.

  1. From the CATSWeb Manager – add the Calendar Display part and fill out the properties
  2. Select the data source whether it be from a query or even an external data set
  3. Add the Calendar to a user Dashboard – and you’re all set

So in combination with automatic email notifications, reminders and escalation, the Calendar Display Part is an easy way to give employees visibility to important upcoming events and help your company improve responsiveness, increase customer satisfaction, reduce cycle times and ensure that tasks get completed on time.


Based on the latest information from NERC, the Critical Infrastructure Protection Standards, CIP-002 through CIP-009, reach the Auditably Compliant stage on July 1st, 2009. Up until now most of us have been focusing on the Sabotage Reporting Standard, CIP-001. Most of the violations associated with CIP-001 are a result of not having an established contact with the FBI for sabotage reporting or of deficiencies in the procedures or training related to sabotage reporting. Given that CIP-001 is only one standard and is fairly simplistic as compared to the other eight standards, we all assume that a lot more effort will be required for compliance. We also assume there will be significantly more violations and significantly higher fines associated with CIP-002 through CIP-009.

Given that companies have limited resources and time, it may be helpful to look at what is ‘common’ amongst these standards as they relate to processes and workflows. One process that repeatedly shows up in the requirements is the review or assessment. For example, CIP-006 Requirement 1.9 says that companies need to establish a process for ensuring that the physical security plan is reviewed at least annually. CIP-009 Requirement 1 says that companies should perform a review of their recovery plans for Critical Cyber Assets annually. While each of these processes must be tailored to meet its specific requirements, there are many common elements that can be leveraged to save time. For example, a typical ‘review’ process includes the following steps:

  • Initiate the review
  • Perform the review and document any recommendations for change
  • Approve the determination and recommendations
  • Implement all approved changes
  • Request approval that the changes were implemented and close the review
  • Schedule the next review based on the required period

Once you have agreed on a general workflow, you can then customize the process to meet specific needs. For example, determine who should be approving recommended changes and closure for the specific processes being implemented. So prior to developing your workflows, read through the entire set of CIP Standards and look for repeated processes. It may help you to save time and money. Let me know what processes you have found in the CIP Standards that may be repeated.


As we all know, on August 8, 2005, President Bush signed into law the Energy Policy Act of 2005, which authorized the creation of an electric reliability organization (ERO) with the statutory authority to enforce compliance with reliability standards among all market participants. The electric industry has had to adjust to the change from a voluntary system of compliance to a mandatory system of reliability standards compliance. In order to deal with this situation, most organizations decided to use their favorite weapon: the spreadsheet. It was a great choice given there was a lot of information that needed to be organized in a very short period of time, including standards, requirements, entities, measures, subject matter experts, applicable procedures, evidence of compliance, and the list goes on.

However, once these spreadsheets were filled up with reams of data on dozens of interconnected worksheets, problems began to surface:

  • Complexity: Documenting the relationship of each applicable requirement to the applicable procedure and compliance rationale for each of the registered entities within the organization quickly becomes a rat’s nest of intertwined data.
  • Maintenance: As new and revised standards are released, just managing changes to these spreadsheets becomes more than a full-time job.
  • Doesn’t Manage Tasks: Analysis of compliance to requirements usually requires assigning tasks, which implies management of assignees and due dates along with documenting the task and the outcome.
  • Silos of Information: Spreadsheets by their very nature are typically owned by one person and are located on that individual’s computer. After a while most companies learn that there is more than one spreadsheet. In fact, several people in various parts of the organization are maintaining this information with overlapping data, most of the time without knowledge of each other.

This is when it makes sense to use a corporate-wide compliance management system that can deal with the complexity of the data, can be easily maintained with new and revised standards and manage task assignments, due dates (with automatic email reminders) and associated procedures and evidence.


When President Bush signed into law the Energy Policy Act of 2005, which authorized the creation of an electric reliability organization (ERO) with the statutory authority to enforce compliance with reliability standards, market participants faced a sea change. The voluntary system of compliance had morphed into a mandatory system of reliability standards compliance backstopped by audits and fines. Even though this was something brand new for energy companies, it is not the first time an industry has had to deal with such a regulatory shift.

Lessons can be learned from similar events in other industries.

Here are some ‘lessons learned’ I have encountered while helping companies implement compliance management systems:

Top-Down Approach: The most successful companies implement corporate-wide compliance programs with a clearly stated purpose initiated from the top. The best illustration of this is President Kennedy’s 1961 ‘Man on the Moon’ speech. Kennedy (the top executive) described the goal (“landing a man on the moon and returning him safely”) and deadline (“before this decade is out”).

Compliance for Cost and Reliability Improvement: Given the tight deadlines and overwhelming workload, most companies set up a compliance program with one goal in mind: ‘pass the audit’. While this may be a necessary first focus, companies that raise their sights towards actually ‘improving reliability’ and ‘reducing costs’ gain the biggest benefit from compliance expenses.

Enterprise Management Systems: Managing everything associated with compliance (data, tasks, documents, evidence, due dates, etc.) quickly outgrows spreadsheets and homegrown databases. It is best to reap the benefits of a commercial-off-the-shelf (COTS) system designed specifically for their industry. COTS vendors like AssurX typically host user group meetings and continually improve the system to keep up with regulatory changes.

Post by Sal Lucido
