This document discusses an energy company's implementation of MetricStream to improve its compliance processes. The company faces numerous regulatory requirements that were previously managed through an internally-developed system. MetricStream will provide the company with an integrated platform to streamline compliance for regulations like SOX, FERC, and NERC. It will establish a centralized framework to map processes, risks, controls and assessments. MetricStream will also automate workflows, surveys, and reporting to improve efficiency and transparency across the large, complex organization.
CASE STUDY
MetricStream: POWERING COMPLIANCE AT AN ENERGY MAJOR
Customer: ONE OF THE LARGEST ELECTRIC UTILITIES IN THE US

Overview

The company is a major integrated energy company engaged in power production, transmission and distribution involving natural gas, power and other energy-related products. It is one of the largest electric utilities in the US.

The company faces multiple compliance requirements from a number of regulatory bodies that impose regulatory oversight and reporting requirements. Industry regulations from FERC, NERC and state and regional public service commissions, combined with cross-industry regulations like Sarbanes-Oxley (SOX), impact all business functions operationally as well as strategically. These compliance requirements affect a large number of business processes, with many specialized processes being designed solely to meet specific regulatory guidelines. The cost of ensuring compliance in terms of time and resources is substantial. Moreover, the risk of noncompliance and other enterprise risks have to be constantly monitored and mitigated to ensure business performance and continuity.

Challenge

The company had internally developed an application for managing SOX and Enterprise Risk Management (ERM) processes using Microsoft Access and SQL Server technology. The system was designed to capture SOX and other risks, associated controls, control test plans, issues to highlight deficiencies when controls failed testing, and action plans to resolve the issues.

In the last few years, the company experienced a significant increase in the number of compliance requirements to be met, as well as additional scrutiny by the various regulatory bodies to determine that the company does in fact comply with those requirements. As the internally developed application was designed for a narrow set of compliance requirements, the increasing regulatory demands started bringing forth the limitations of the application and its inherent approach.

As newer processes and record keeping were required, they were set up manually outside of the system because the application could not be extended. For example, the system could not map compliance processes to the general ledger balances and financial statements maintained in the PeopleSoft and Cognos applications. Keeping the automated processes in sync with the manual processes became a major overhead as new accounts were created.

Another major limitation was that the internal application allowed only for a simplistic and linear organizational setup and did not support the varying reporting relationships and information flows between testers, process owners and those who managed the overall compliance process for their business units.

The compliance surveys and certifications across various departments, locations and business units involved manual distribution, gathering and consolidation of responses. Lack of automation made this activity excessively tedious and error prone, with a number of documents being physically circulated and manually signed in the company.

The internal application did not support the periodic cycles and frequency of activities and record keeping for ongoing compliance, leading to inefficient data re-entry. Moreover, the application did not enforce appropriate authorizations to limit users from viewing information and records that they did not have privileges for, violating a key compliance requirement.

Benefits

Efficiency: The overall resource requirement and processing times for compliance programs are expected to come down substantially due to an integrated compliance framework mapped to the organizational structure and responsibilities. The automated workflows will take information and cases through the assessment, investigation, reporting and closure process without delays. Email notifications, task lists, and case status reports on the users' homepage will keep pending tasks top of mind, improving responsiveness and proactive participation.

Compliance: There will be a significant reduction in the risk of noncompliance as all the regulatory standards and requirements will be clearly identified and mapped to the processes, controls, activities and documents needed for compliance. Well-defined and automated assessments, issue reporting and remediation management workflows will ensure sustainable compliance.

Visibility: With MetricStream, the company executives as well as functional managers will have complete visibility into compliance programs at their respective levels of responsibility. This transparency will make compliance and risk management a predictable process.
Why MetricStream

An integrated platform and application environment to manage compliance with multiple regulations, corporate policies and industry standards.

Comprehensive workflow-based functionality for SOX compliance and the flexibility to extend the common framework and best practices for FERC and NERC compliance.

Ability to support complex organizational models and granular access controls while providing an easy-to-use portal-based interface for end-users for quick adoption.

Powerful reporting and analytics for complete visibility into risk and compliance data on executive dashboards, control charts and risk heat maps.

"MetricStream solutions will streamline our financial controls processes for SOX compliance as well as enable us to employ best practices frameworks for managing compliance with FERC and NERC," says the spokesperson of the Company.

Solution

MetricStream is enabling the company to adopt an integrated compliance strategy through an enterprise-level framework for managing all regulatory requirements and ERM programs. The solution will provide comprehensive functionality for managing SOX compliance and ERM as well as FERC and NERC regulations and corporate policies for standards of conduct.

The company will define and maintain a centralized structure of the overall compliance and control hierarchy based on regulatory standards and requirements. It includes processes and assets in scope, associated risks, controls to address the risks and mechanisms to assess the controls. It covers associated policies and procedures, reporting requirements, and filing templates and schedules for various regulations.

Based on the compliance requirements and associated risk, the assessment plans will be scheduled periodically or triggered by the occurrence of certain adverse events. The system will integrate with other enterprise applications and implement rigorous change control to ensure all records, processes and documentation always stay in sync.

The system supports risk assessment and computations based on configurable methodologies and algorithms and will provide a clear view into the organization's risk profile, enabling managers to prioritize their response strategies and mitigation plans.

"The MetricStream solutions will streamline our financial controls processes for SOX compliance as well as enable us to employ best practices frameworks for managing compliance with FERC and NERC," says a senior compliance officer of the company. For instance, risks such as failure to have a functioning Incident Response System or to meet the Independent Functioning Guideline will be documented with their controls as well as their periodic assessment plans. "The framework will cover our incident response mechanism to report incidents to the Electricity Sector - Information Sharing and Analysis Center (ES-ISAC) based on reporting criteria, thresholds and procedures contained in NERC's Indications, Analysis and Warning (IAW) Program. And we will conduct periodic assessments to ensure a clearly defined and documented procedure for reporting security incidents, appropriate role definitions to deal with reporting and responding to security incidents, and a well-defined line of communication and escalation path for reporting security incidents," explains the executive. Hundreds of such processes, risks and controls will be documented and assessed using the MetricStream solution.
Handling and reporting of noncompliance issues will be streamlined by automated workflows that document the issues and exceptions that pose a risk of noncompliance. The system will take them through a systematic mechanism of investigation and remedial corrective action.

Embedded best practices for the energy industry, combined with decision tree and workflow functionality, will support identification of reportable events as well as the type of report that needs to be filed. The process of reporting will be simplified as the system automatically generates mandatory reports in the formats and layouts prescribed by the agencies. The reports are generated in standard file types such as MS Word and can be reviewed before being submitted. "Self-reporting of noncompliance issues is critical for our business, and if NERC finds noncompliance during their auditing, they can impose heavy fines," says the compliance officer.

MetricStream supports a complex organizational model to cover all the entities, business units and departments, as well as their mappings to various standards and requirements. With the granular access controls, the company will ensure confidentiality and the attorney-client privilege principle for sensitive information and records.

The automated surveys and certifications powered by electronic signatures will be efficient, consistent and reliable. The solution will ensure accountability by enforcing the flow of information and records and documenting attestations and representations at appropriate stages and by responsible personnel, which roll up for executive certifications.

Executive dashboards will provide enterprise-wide visibility into the compliance and risk management process and highlight issues that need to be addressed in risk heat maps. The solution will provide the ability to track risk profiles, control ownership, assessment plans, remediation status, etc. on graphical charts that can be accessed globally and display real-time information.
For more information, visit
www.metricstream.com
Copyright 2011. All Rights Reserved.