What is an Internal Compliance Program (ICP)?

Compliance is an integral part of everyone's day-to-day activities. Whether in Operations or in Management, each person is responsible for incorporating compliance activities, documentation, training, and reporting into their daily work. That's where an Internal Compliance Program comes into play.

An ICP is, in essence, a documented procedure developed to detect and prevent company violations of NERC Electric Reliability Standards. The Federal Energy Regulatory Commission (FERC) has stated on numerous occasions that it expects to see a "culture of compliance" in place and in force at each registered entity.

Although Internal Compliance Programs are not mandatory, FERC has been consistent in its message: if a company acts aggressively to adopt, foster, and maintain an effective corporate culture of compliance, has rigorous procedures and processes in place that provide effective accountability for compliance, and a violation nonetheless occurs, the Commission may significantly reduce, or in some cases eliminate, the civil penalty that would otherwise be imposed. This has been noted in several FERC policy statements that I've referenced and linked for you at the end of this article.

The factors FERC looks for in an ICP are specified in its Revised Policy Statement on Enforcement. In addition, the Regional Compliance Implementation Group (a working group overseen by NERC's Regional Entity Management Group) developed a Policy Statement to create a Compliance Guidance Document that outlines the attributes of a good compliance program.

Some finer points from both of these sources include the following:

  • Have a well-documented Internal Compliance Program (ICP).
  • Disseminate the ICP throughout the entity.
  • Name and staff an ICP oversight position.
  • The ICP oversight position is supervised at a high level in the entity.
  • The ICP oversight position should have independent access to the CEO and/or Board of Directors.
  • The ICP is operated and managed so as to be independent of those responsible for compliance with the Reliability Standards.
  • The ICP has the support and participation of senior management (Officer Level).
  • The entity regularly reviews and modifies its ICP.
  • The ICP includes appropriate and sufficient training for all the staff.
  • The ICP includes formal, internal self-auditing for compliance with all applicable Reliability Standards on a set periodic basis.
  • The ICP includes disciplinary action for employees involved in violations of the Reliability Standards, if appropriate.
  • The ICP has internal controls including self-assessment and self-enforcement to prevent reoccurrence of Reliability Standard violations.
  • The ICP provides sufficient funding for the administration of compliance programs by the Compliance Officer.
  • The ICP promotes compliance by identifying measurable performance targets.
  • The ICP ties regulatory compliance to personnel assessments and compensation, including compensation of management.
  • The ICP provides for disciplinary consequences for infractions of Commission requirements.
  • The ICP provides frequent mandatory training programs, including relevant ‘real world’ examples and a list of prohibited activities.
  • Implement an internal Hotline through which personnel may anonymously report suspected compliance issues.
  • Implement a comprehensive compliance audit program, including the tracking and review of any incidents of noncompliance, with submission of the results to senior management and the Board.

It may seem like a huge undertaking, but it can be well worth the effort. Take some time to develop a comprehensive Internal Compliance Program (ICP); it is good business practice and can help mitigate a penalty. If you need help, let me know; it's one of the great services my team provides!

For additional reading regarding the benefits of an ICP, go to:

FERC Revised Policy Statement on Enforcement – Docket No. PL08-3-000 (May 15, 2008)
FERC Policy Statement on Compliance – Docket No. PL-09-1-000 (Oct 16, 2008)
FERC Revised Policy Statement on Penalty Guidelines – Docket No. PL10-4-000 (Sep 17, 2010)
