Fortune 500 power company unifies compliance programs

With IBM® OpenPages® Policy and Compliance Management (PCM)

Published on 09-Dec-2011

Validated on 03 Jun 2013

"We were able to configure the system so it is almost invisible. People who have seen it come back to me and say, ‘I have this other thing I need to do, can you put this in IBM OpenPages PCM?’ I’m like Tom Sawyer whitewashing the fence. I want to be in the place where people say, ‘That looks like fun, can I try it?’" - Utility company compliance director

Customer:
Fortune 500 power company

Industry:
Energy & Utilities

Deployment country:
United States

Solution:
Business-to-Business, BA - Business Analytics

Overview

Even in the wake of sweeping deregulation of the energy industry, few companies face as much government oversight as utilities. Power generation and distribution companies are subject to a maze of regulatory oversight, from state agencies to high-powered federal overseers, such as the Federal Energy Regulatory Commission (FERC), the Nuclear Regulatory Commission (NRC), the Environmental Protection Agency and the Occupational Safety and Health Administration (OSHA).

Business need:
The company needed to unify compliance procedures across all business units; address the entire regulatory spectrum and ensure ownership and a process to complete requirements.

Solution:
The company required a multi-regulation platform approach with one central repository for storing compliance information. They wanted to consolidate documentation of requirements and evidence of completion, be able to assign responsibility to risk owners and automate task reminders with escalation if necessary.

Results:
From idea to implementation in less than a year; essentially transparent to users; framework to combine all compliance programs

Benefits:
The company is now able to monitor and adapt to regulatory changes so that corporate performance is never negatively affected. The organization has the appropriate risk and control framework in place to mitigate the risks facing the organization for each specific regulation. Conditions have an owner and a process to remind that owner of the tasks required, and to escalate the tasks if they weren’t signed off on.

Case Study

Today’s energy and utility companies are typically a mix of regulated and unregulated businesses, subject to a wide variety of compliance mandates covering health and safety issues, environmental protection, rate-setting, consumer protection, Sarbanes-Oxley and other areas. As a result, risk takes on a higher profile and creates greater responsibilities for those who manage it. Executive management and board members want a deeper understanding of how risk is being managed in their businesses, and, in particular, how to manage risk to create the greatest reward for their shareholders.

In recent years, a Fortune 500 power company successfully completed a merger with another multi-billion dollar natural gas and electricity provider to form one of the five largest electric utility holding companies in the United States. But to do so, it had to run the gauntlet of several state utilities commissions, the FERC, the Securities and Exchange Commission (SEC) and the Department of Justice (DOJ).

In the course of gaining state regulatory approval for the merger, the energy company agreed to more than 200 specific conditions that it would meet. That, in and of itself, presented a massive compliance monitoring effort spanning multiple business units and areas of responsibility. The company selected IBM OpenPages Policy and Compliance Management (PCM) for a General Compliance Management solution to automate, monitor and measure its progress in meeting those 200-odd conditions. That project would become the pilot for a corporate-wide IBM OpenPages PCM implementation.

Challenge:
Post-merger requirement to have one compliance system
“The merger brought together various entities at different stages with regard to compliance,” says the managing director of corporate compliance for the utility company. “We needed the ability to capture documentation and do certifications and attestations that would provide evidence that we could use for audit purposes.”

Prior to the merger, both companies had good practices in various areas of compliance, including health and safety, nuclear regulations and other areas. The acquiring company had been using IBM® OpenPages® FCM to manage Sarbanes-Oxley issues.

“Compliance management was pretty good, but it was in silos across the company,” says the compliance director. “My job over the last year was to try to figure out how to get our arms around this.”

Like many companies, the power company has built its compliance programs around the concepts in the federal Sentencing Guidelines Manual as it applies to organizations, which embodies the best practices to maintain a culture of ethics and compliance. “We live and die by the sentencing guidelines,” says the compliance director. “My job is to figure out the rules, figure out how to educate people about those rules and then figure out how to monitor that we’re actually following those rules.”

The organization always had a good compliance culture, he says, but little ability to prove it if the organization had to justify its compliance processes. “There was no automation for reminders, no central repository of documentation and certifications, and no single spot to go to and find out what I should be worried about.”

Solution:
Managing risk and compliance with IBM OpenPages PCM
The key to overcoming the challenges of compliance management is implementation of a centralized multi-regulation platform approach that enables risk interdependencies to be discovered and easily reviewed, and that facilitates management of these interdependencies across resources, processes, policies and regulations.

To manage its compliance with the merger conditions, the energy company selected IBM OpenPages PCM, which delivers a policy-driven, process-centric way to manage compliance through risk and control self-assessments, end-user surveys, automated workflow and executive dashboards that provide management with the visibility, control and decision support required to manage compliance and optimize business performance.

IBM OpenPages PCM provides a solution with a single dashboard that allows managers to visualize these links, report on them, and create processes and automated workflows to ensure interdependencies are leveraged, resource redundancies eliminated, and objectives met as cost-effectively as possible.

The energy company utilized IBM OpenPages PCM to maintain a centralized repository that:

  • Consolidates documentation of compliance program requirements and evidence
  • Assigns responsibility to risk owners
  • Automates task reminders with escalation if necessary
  • Interfaces with HR system to reassign owners when employment status changes
  • Consolidates reporting
  • Provides executive dashboards with drill-through capability

IBM OpenPages PCM automates the ongoing test, review, attestation and remediation process, while helping to identify similarities between regulations to reduce redundancy and duplication of effort. IBM OpenPages PCM is part of the IBM® OpenPages® GRC platform, which enables organizations to utilize a common data repository, workflow and reporting structure for all compliance-related activities. IBM OpenPages PCM delivers a policy and mandate-oriented way to manage and monitor compliance through end-user surveys and questionnaires, risk and control assessments, control testing, key performance indicators and issue remediation. Additionally, executive dashboards and reports provide management with the visibility and decision support required to plan for, prevent, or mitigate compliance risk and optimize business performance.

The IBM OpenPages GRC platform also introduces common object types (entity, process, risk, etc.). “We had to decide what type of objects made sense for a compliance program here,” says the director. The ability to configure the software was important since using terms and language that fit the organization would help ensure acceptance of the system. For each one of the merger conditions, the team created a requirement object and subsequent objects in a parent/child relationship that covered the tasks required to comply with a requirement object and evidence that a task had been completed.

Once they had determined the appropriate model and relationships for the objects, the IT team met with an IBM Managing Consultant to determine what system changes would be required. Those changes took about a week to accomplish. The energy company then had to ensure the appropriate security safeguards were in place and working, because certain regulatory requirements mean that some groups within the company are not allowed to share information.

“Once we had done that, we were ready to start loading information, with lots of testing along the way. Once we got IBM OpenPages PCM installed, we wanted to manually upload what ended up being 1,300 objects.” The compliance director says the decision to load the objects manually was made because he felt the benefit of learning from the manual process outweighed the time and expense of having someone develop an automated upload script.

Benefits:
Mitigating risk factors and ensuring a control framework for each Sarbanes-Oxley regulation
“We’ve gone from idea to implementation in less than a year,” the director said recently. “Almost exactly a year ago, I sat down with the audit committee of the board of directors and told them this is what I wanted to do – to bring in an automated system for compliance. I met with them recently and said, ‘I’m happy to report I did what I said I was going to do.’” And, he added, “Four additional potential clients [in the organization] were interested just from rolling out the pilot version.”

The compliance director says there were two key measurements of success: 1) whether the organization would be able to follow through on the vision that every single condition had an owner and a process to remind that owner of the tasks required, and to escalate the tasks if they weren’t signed off; and 2) whether the systems would be accepted across the organization, rather than being viewed as additional, duplicative effort.

“We were able to configure the system so it is almost invisible,” he says. “People who have seen it come back to me and say, ‘I have this other thing I need to do, can you put this in IBM OpenPages PCM?’ I’m like Tom Sawyer whitewashing the fence. I want to be in the place where people say, ‘That looks like fun, can I try it?’”

IBM OpenPages PCM was designed to ensure that the organization has the appropriate risk and control framework in place to mitigate the risks facing the organization for each specific regulation. Because the regulatory environment is often changing, a critical component of general compliance management is being able to monitor and adapt to these changes so that corporate performance is never negatively affected.

For the future, says the energy company’s compliance director, the organization’s goal is “to combine all of our existing compliance programs at a high level. We want automated reminders, configurable security and the ability to set it up with minimum user interaction – so it’s a tool the users won’t even realize is there. I want my chief compliance officer to be able to walk into a room, open up a laptop and say, ‘Here’s my compliance program. What do you want to know?’”

About IBM Business Analytics
IBM Business Analytics software delivers actionable insights decision-makers need to achieve better business performance. IBM offers a comprehensive, unified portfolio of business intelligence, predictive and advanced analytics, financial performance and strategy management, governance, risk and compliance and analytic applications. With IBM software, companies can spot trends, patterns and anomalies, compare “what if” scenarios, predict potential threats and opportunities, identify and manage key business risks and plan, budget and forecast resources. With these deep analytic capabilities our customers around the world can better understand, anticipate and shape business outcomes.

For more information or to reach a representative: http://www.ibm.com/software/analytics/openpages/

Products and services used

IBM products and services that were used in this case study.

Software:
OpenPages Policy and Compliance Management, OpenPages Financial Controls Management

Legal Information

© Copyright IBM Corporation 2011. IBM Corporation, Route 100, Somers, NY 10589, USA. US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Produced in the United States of America, September 2011. All Rights Reserved. IBM, the IBM logo, ibm.com, Cognos and TM1 are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml. Other company, product or service names may be trademarks or service marks of others.