Risk Management and NERC Compliance
The more I look at NERC Compliance the more I see the need for Risk Management. The rationale for this statement is based on the reality for most utilities – they are compliant but have minimal program oversight and almost no Risk analysis. This is a big problem and right now there is no get-out-of-jail-free-card.
Stated another way, the vast majority of utilities have no mechanism to identify and quantify Risks to being compliant with the NERC Standards (Operations and Planning, CIP – Critical Infrastructure Protection). That really bothers me so I’m for some time now I’ve been working to unravel this problem and I think I’ve finally nailed it. More on this topic coming soon…
What would Risk Management actually do? In an ideal world it would identify risk for each applicable Standard and Requirement and Subpart (can’t forget those). This requires a means to collect the appropriate information from the people involved in NERC Compliance so that the practice and evidence can be evaluated with a programmatic set of risk measures.
The resulting “risk map” (I’m just making this stuff as I go along) would textually and visually (color) show where the greatest risks to compliance exist so they can be targeted and improved.
This should be done yearly (although some risks may require more frequent risk reviews) so that we can see the risk we have either eliminated or reduced. As we continue forward, the risk map gets greener and greener. The result is an effective Risk Management program for NERC compliance with visibility into every aspect of the program.
Am I dreaming? Stay tuned for future discussion on the subject!