2020 Energy Regulatory Outlook

The pace of digital development is reaching a feverish level, making it essential for energy companies to focus on evolving their key business activities and managing risk. Meanwhile, the sophistication of external oversight from regulators continues to grow, highlighting the need for accelerated innovation.

Today, there are countless tools—fit-for-purpose and open-source—that enable real-time automation, machine learning, and other previously aspirational capabilities to be more easily implemented. Where does your organization sit on the maturity curve, and is it where you need to be? Learning by example and looking ahead can help you answer those questions.

• The supply, trading, and marketing business units at energy companies provide useful examples of how change and innovation are taking hold.

• Most regulators have demonstrated an understanding that major shifts are occurring, and several have already taken significant action. The Department of Energy (DOE) has also demonstrated a strong commitment to digital innovation.

As energy companies adapt their business models to fit today’s fast-paced market environment, their legal and compliance functions must adapt as well. Digitization offers adaptable capabilities that can be combined and built upon to help solve real problems and improve functional and process efficiency using technology.

Digital enablement of energy regulatory and compliance monitoring processes can help address those problems and issues through a unified solution. Specific opportunities for digitization include:

• Automation to reduce or eliminate the need for human involvement in repeatable tasks

• Analytics to turn the rich data generated by digitization into valuable business insights

• An improved user experience that boosts productivity and helps overcome resistance to change

See how regulatory compliance digitization can drive significant operating efficiencies and reduce the time required to complete tasks.

Cyber threats are not just increasing in number; they are evolving to become more intelligent and more damaging—seeking to break into the industrial control systems that operate our power grid and the systems used to move oil and gas across North America. To manage the impact of cyber threats and reduce the risk to the Bulk Electric System, as well as the vast network of oil and gas transport systems, there is an immediate and continuous need to evolve the action plan for protecting existing critical and sensitive infrastructure.

There are important opportunities for improvement, particularly in two key areas:

• Further, improve asset management capabilities: Asset information is often scattered across multiple areas, lists, inventories, and systems—resulting in multiple "sources of truth."

• Manage critical infrastructure risks: As technological advancements continue to reshape the energy sector’s business, operational, and cybersecurity landscape, it is becoming increasingly important to manage and evolve the critical infrastructure.

Learn how energy companies can protect themselves from cyber-related disruptions by sharing intelligence, lessons learned, new solutions, and technology ideas.

The FERC recently approved the latest additions to the CIP requirements, and entities registered with the NERC are now working to meet the new standards by the July 1, 2020, enforcement date. The updated CIP standards apply to assets rated high- and medium-impact based on the NERC criteria.

Overall, these updates represent some of the most broadly reaching standards to date in the affected business areas, which include areas that have not traditionally had CIP responsibilities, such as supply and procurement, third-party vendors, system integrators, and software providers. The standards are:

• CIP-013/Cyber Security–Supply Chain Risk Management, which calls on registered entities to develop documented cyber supply chain risk management plans

• CIP-005/Cyber Security–Electronic Security Perimeters, which requires registered entities to uphold new standards that involve active vendor remote access sessions

• CIP-010/Cyber Security–Configuration Change Management and Vulnerability Assessments, which makes it mandatory for an entity to analyze the source from which its software originates

As in all security operations, the balance between containing risk and sustaining operations can be challenging. However, it may be more acute with CIP-013. Explore the requirements and next steps in more depth.

With emerging technologies spreading to the energy industry, concerns about data privacy regulations are increasing. These privacy concerns are not just the domain of the legal and compliance functions. They touch a wide range of business areas.

Success in meeting privacy rules and consumer expectations will require modern approaches to data architecture and governance, as well as long-term investments in data integration, cataloging, security, lineage, and many other areas.

The challenges associated with privacy regulations typically fall into three domains:

• Legal and compliance: An emphasis on organizational accountability requires robust privacy governance.

• Technology: Privacy requirements affect how technologies are designed and managed.

• Data: Parties responsible for information management need to provide transparent oversight on data storage, journeys, and lineage.

Data privacy offers an opportunity for energy companies to drive business performance and growth through improved efficiency, risk management, and innovation.

As energy companies become more nimble—and their operations become more complex—the need for transparency has never been greater. Yet the realities of dealing with more complex systems and operations may make transparency difficult to achieve. These challenges can affect the reliability and integrity of financial statements and energy regulatory reporting.

To help improve transparency and manage data more effectively, a growing number of energy companies are implementing advanced systems that include sophisticated capabilities for DTCA. These capabilities enable energy companies to:

• Access an interactive snapshot of the entire control environment on demand

• Continuously monitor real-time results and provide insights to share with key stakeholders

• Unleash the power of the control environment by seamlessly consolidating data from various systems

• Reduce the time needed to meet internal control requirements

• There are three key criteria to consider when deciding which controls to automate or what testing to digitize: format, location, and volume. To implement DTCA successfully, it helps to involve key stakeholders and to carefully rationalize the controls to be automated.

A thoughtful approach to DTCA implementation can deliver immediate benefits with minimal disruption to the business.

The energy sector continues to face increased risks in the areas of fraud, waste, and abuse, with risk levels fueled by the high volume of procurement spend, frequent use of consultants and subcontractors, foreign activity, and corruption related to the awarding and execution of large contracts. In addition, regulators are continuing to scrutinize the energy sector for problems related to corruption and fraud.

Organizations around the world, including energy companies, are adopting advanced technologies and capabilities to help detect and mitigate red flags early. These tools include:

• Analytics solutions based on artificial intelligence that can help detect potential problem areas

• Proactive analytics and simulations that can help address operational issues

Learn more about these advanced technologies and how they can be a powerful supplement to traditional fraud management techniques.

KYC refers to the process by which businesses verify the identity of their counterparties and assess potential risks associated with establishing business relationships with them. A strong KYC process is a key element of a comprehensive due diligence program designed to protect businesses, including energy companies, from various forms of financial fraud.

Government regulators around the world have increased their scrutiny of the energy industry, and violations of these laws and regulations carry stiff fines, potential criminal penalties, and reputational risks.

Establishing a strong KYC program is critical to helping energy companies maintain compliance with the Foreign Corrupt Practices Act, the UK Bribery Act, and international trade sanctions regulations. Key elements include:

• Identifying and verifying the owners and controllers of the company’s corporate counterparties

• Implementing a customer risk rating system that takes into consideration multiple factors, such as geographic risk

• Continuously monitoring the company’s counterparty population to identify any impacts

• Reviewing each counterparty’s risk profile periodically

Find out about recent actions taken by governments and regulators, and components of a strong KYC process.

Earlier in 2019, the Department of Justice (DOJ) and the Department of the Treasury (Treasury) published different sets of guidance on essential compliance program elements and operations. The DOJ guidance and the framework from Treasury’s Office of Foreign Asset Controls (OFAC) show two different prosecutorial perspectives on the evaluation of a compliance program—and what the essential components of a compliance program should be.

Armed with this guidance, energy companies should take stock of their compliance programs to ensure they have the capabilities in place to achieve adequate and effective compliance. Initial steps include:

• Reviewing the two publications and assessing the compliance program at a high level against what the DOJ and OFAC deem essential

• Conducting a detailed risk assessment of the compliance program against DOJ and OFAC expectations and OFAC Root Causes of Compliance Breakdowns and Deficiencies

Learn more about how your organization can address compliance-related issues before they become serious problems.