The News from RF, Part IV: The Causes of CIP Non-Compliance

I’m still working through the list of posts I wanted to write about interesting things I learned or observed at the RF Spring CIP Compliance Workshop in April. I hope to have them finished by the fall workshop in October, at which point I’ll no doubt have another set of posts to write.

The workshop started out with a very interesting presentation called “2016 CIP Violation and Themes Update” (to get the slides, go here and find the “Spring CIP v5 Workshop” under Seminars/Workshops 2017. This presentation is the first one, starting on slide 2). Rather than introduce it, I’ll refer you to an article about it by Peter Behr in the daily Energywire newsletter published by Energy and Environment News (that is a subscription service, but I highly recommend it as having the best original reporting – as opposed to restating press releases - of any of the energy news services).

In addition to what is said in the article (which includes a quotation from me toward the end), here are some random points I noted as I listened to the presentation:

• The presentation discusses five primary causes (they use the word “themes”) of CIP violations. These are compliance silos, disassociation, inadequate tools, outsourcing and lack of awareness.
• Regarding silos, this means both different “vertical” silos – HR, IT, etc. – but also horizontal silos, such as executives/managers/field people, etc.
• Horizontal silos can lead to “analysis paralysis”, in which self-reports and other documents take an excessively long time to work their way through the different layers of the organization.
• Another reason that silos develop is acquisitions. RF recommends learning all you can about the acquired company and their culture before you simply impose your compliance program on them; a different program may be warranted.
• Here are three symptoms of lack of awareness: First, middle management only provides good news to executives, not bad news. Second, experts aren’t in the right roles. Third is inadequate root cause analysis of violations. A sign that this is the problem is when there are a lot of self-reported violations that are attributed to user error, which list training as the mitigation.

  

The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte.