Top regulatory trends for 2016 in energy
A forward look
This publication is part of the Deloitte Center for Regulatory Strategies’ cross-industry series on the year’s top regulatory trends. This annual series provides a forward look at some of the regulatory issues we anticipate will have a significant impact on the market and our clients’ businesses in the year ahead.
A brief overview of the 2016 regulatory trends in energy
For energy companies, regulatory challenges are always complex. In the coming year, those challenges will evolve in numerous ways—some of them very quickly. This report is designed to be a starting point for the many conversations that companies in the industry will have as they work to anticipate, accommodate, and get ahead of the regulatory trends that shape their work.
Download the full report to further examine these trends.
Risk and compliance are converging
Two functions that used to be collaborative but distinct are finding increasing overlap. Where are the boundaries—and the cracks?
Compliance used to be more about box-checking against discrete sets of rules and less about considering the impact of compliance failures on day-to-day business activities. But many regulators have begun to assess compliance more comprehensively. They are looking not only for evidence of adherence to the rules but also a consideration of the underlying objective and mitigation of the operational risks those rules are meant to address. There is also an increased focus by enforcement staff on the organization’s most critical activities and the ways those activities affect an entity’s business, the energy markets, and consumers overall.
In this shift toward a risk-based focus, regulators have turned to enhanced analytics tools that allow them to zero in on specific risk areas. Whether the practice of broad, aggressive oversight will now diminish remains to be seen. However, for organizations under the microscope, the enforcement process of the future is more likely to spend less time on the “check the box” portion of assessments, devote less focus to administrative compliance, and go straight to risk-identified areas where the questions may be tougher. As the industry becomes more sophisticated at identifying, prioritizing, and measuring compliance risk, regulators are also more likely to reserve major enforcement actions for matters of greater significance that affect market integrity and stability, allowing for more effective use of their resources. This means the compliance programs that address the regulatory obligations need to more closely evaluate the underlying safety, reliability, operations, and other business impacts in the design and implementation of compliance controls. Programs will now need to better assess and measure risk associated with compliance failures in addition to monitoring strict compliance to the rules and a basic ability to prove it.
Because of the implementation of new rules, organizations are likely to see an increased overlap in the number of regulatory issues their risk and compliance functions address. This could create a number of possible challenges for the energy industry as organizations work to align and coordinate these organizations, which have traditionally been more distinct. On the other hand, this could also provide an opportunity, because the result of that alignment may be greater internal streamlining of operations, improved standardization of policies and procedures, and technology efficiencies going forward.
To adapt to this change and reap its potential benefits, energy organizations should perform regular compliance risk assessments using a comprehensive compliance risk assessment framework that includes identified key risk indicators such as safety, reliability, regulatory, and compliance. Within such a framework, a company can better allow for assessment and prioritization of compliance activities and resources. Finally, energy companies should take a hard look at their risk management and compliance oversight needs and implementing structures. They may find similarities and overlaps that reporting and data analytics could streamline. Considering these functions from a more holistic perspective can provide for a more strategic use of each and a more unified approach going forward.
Awareness of enterprise compliance
Energy operations are increasingly attentive to overall ethics and compliance programs. Compliance can guide the focus to keep up with the shifting landscape and help organizations maximize the use of compliance resources.
Even in a culture of compliance, an era of global austerity can lead into murky territory. For example, a company might venture into an unfamiliar market area in search of new revenue—and run afoul of rules it doesn’t understand as well as those of its core market space. A global focus on areas like cyber-crime, terrorism, and money laundering means energy companies need to go beyond trading regulatory areas traditionally associated with the industry and learn more about broader regimes, such as Anti-Bribery and Corruption (ABC), Anti-Money-Laundering (AML), and the Foreign Corrupt Practices Act (FCPA).
What is the path forward amid these compliance changes? Energy companies can start at the most fundamental level by developing and validating their core values to reflect the expectations of the organization’s stakeholders. That validation can be done internally or through venues that offer industry benchmarking and leading practices. This can help mold the vision that in turn shapes the ethics programs to promote a compliance culture. From there, companies can be confident that the practical, actionable, and implementable elements of their compliance frameworks stand for something.
It’s hard to live out a unifying vision if the people living by the rules do so in silos and are not communicating. Breaking the silos down will not only breed consistency of the compliance message, but it can also help eliminate redundancy in the systems, tools, and human capital that compliance requires.
When an organization has a strong enterprise compliance program, it can focus on its strategic priorities and provide meaningful assurances to its customers and business partners.
Keeping the size of the compliance department small, while staffing it in a way that includes comprehensive knowledge of the relevant compliance risk areas, can be difficult.
Aggressive enforcement continues
Regulators continue ramping up their efforts, and changes in FERC leadership reinforce that agency’s continued focus on enforcement.
Enforcement activity over the last 12 months demonstrates that FERC, the CFTC, and the FTC all remain focused on anti-manipulation, disruptive trading practices, and the rising number of actions against individuals. It also reinforces the message that market behavior violations are still the top priority. The resulting penalty assessments from these enforcement actions have measurable bottom-line impacts.
While this change in activity patterns is visible on an anecdotal level, a lack of transparency into enforcement activity can make it difficult to figure out the extent of the impact. For example, what activities FERC is focused on, and how to track all those activities, even where a particular action is fairly far along in the process, is difficult to discern. While the annual FERC Report on Enforcement helps, and recent decisions that add more detail to the application of the Penalty Guideline Factors help as well, there is still a need for much greater transparency. It is not clear that this will be provided any time soon.
What can energy companies do to keep up? The answer begins with assessment and verification of the existence of a robust compliance program. This means not only documented controls, but effective and working controls that are designed to prevent, detect, and mitigate potential compliance issues. High-level documents that only relay compliance philosophies or basic ideas are not sufficient without actual guidance on how to implement compliance controls to the regulations. FERC has been enforcing the culture of compliance concept—and even where a program is heavily documented, it may be viewed as an underlying compliance failure if it is not operating as documented or it is considered ineffective. The regulators continue to spend time and resources on refining their enforcement approaches and assuring their processes are in place and working. Entities should do the same by verifying compliance programs and controls are effective (especially long-standing programs) and assessing for continuous improvement opportunities to assure efficient, responsive approaches to regulatory enhancements.
Unfolding uncertainty about regulations and legislation
In this perennial focus area, some old concerns have slowed to a simmer, but new ones arise.
There’s a lot going on in energy compliance headlines: Clean Air Act updates, possible regulation of Financial Transmission Rights markets and other instruments, position limits, new and increased focus on Regional Transmission Operator and Independent System Operator (RTO-ISO) activities, and expanded clean energy portfolio standards, to name just a few hot topics.
The implications for energy companies are multiplying along with the headlines. Customer-owned generation is just one innovation that will likely affect all aspects of power and utility operations, especially generation, transmission, and distribution. It has the potential to shake up rate structures and also has potential implications for reliability, displacement of traditional generation resources, and a significant change in the relationship between utilities in delivering electricity to customers. All this in the midst of declining support for less environmentally friendly generation, competition from non-utility sources, and increased and new uses of technology that alter the landscape even more.
To adapt to this pace of change, energy companies should consider their processes for collecting information on and assessing updated regulations for impact; developing plans to accommodate them within core business practices; and performing strategic assessments of the impact disruptive technologies are going to have on reliability, operations, markets, and rates.
Cyber-security becomes a larger, broader concern
Increased reliance on cyber technology for day-to-day business and operations exposes physical, financial, and intellectual property assets to more impactful risks and dangers.
The energy sector is seeing a rise in cyber threats, and it is working hard to increase and improve its cyber security and compliance controls to meet those threats. The CFTC recently approved the National Futures Association’s cybersecurity guidance that will require members to adopt—and enforce—policies and procedures to secure customer data and protect their electronic systems. The CFTC is also considering some proposals to ensure that the major exchanges, clearinghouses, and swap data repositories are doing adequate evaluation and testing of their own cybersecurity and operational risk protections.
Organizations should look to examine their overall internal and external compliance postures beyond CIP jurisdictional assets. Strong cyber security should be a primary focus and compliance to regulatory and internal processes and controls should be a secondary focus. Energy companies can mitigate risks and failures by assessing existing programs with a broader perspective, taking into account all implementing frameworks, controls, and assets leveraged specifically for cyber security. Each entity should assess how to integrate those frameworks so programs that apply to regulated and non-regulated assets all drive toward the core objective of robust security.
While formal compliance structures for unregulated assets may not need to be as extensive as those required for CIP regulated assets, building formal compliance processes and controls around NIST and these other cyber security frameworks can enhance cyber security and drive business and technology efficiencies. Finally, entities should evaluate who is responsible for assuring compliance to regulations and cyber frameworks within the company. Security and information technology personnel may not have the skill sets needed to assess, implement, and enforce compliance processes and controls. A robust program should be led by a diverse team that includes compliance, internal audit, and legal personnel partnering with security and IT. With the daily headlines and continuously increased focus on cyber security, entities need to shift their thinking to a more strategic, all-inclusive, and long-term approach.
There will likely be a mounting need for big data management and analytics—and a corresponding need to protect those systems from abuse.
Trade surveillance requires more attention
Energy companies need to be ahead of regulators in assessing risks associated with commercial activity. The need for clear, secure archiving of compliance data is correspondingly important.
Increased scrutiny from regulators and the market emergence of new surveillance platforms are getting the attention of corporate boards. In response, many companies are considering focusing more resources on trade surveillance and monitoring and on the creation of comprehensive compliance policies that include financial and physical trade surveillance.
Whether or not these changes arise from legislative action, it’s important to document and archive management and operational decisions and parameters on all data fronts. It’s also important to use the correct surveillance algorithms that match and monitor the company’s business, commodities, and risks. Just as critical, the surveillances that are established need to evolve over time with the changes in commercial activity of the company, as well as the dynamics observed in the markets in which companies are transacting.
What surveillance regimen makes sense for your business? That decision requires multiple inputs besides cost. Imagine hearing a regulator say “Prove it!” and then having to build the evidence approach, processes, and controls that can help the company answer effectively.