Facing Compliance Risks

Deck: 

Enforcement trends call for a proactive approach to complying with market rules.

Fortnightly Magazine - April 2008

Federal regulators have penalized wholesale energy market participants with fines ranging from $300 thousand to $300 million over the past two years. The magnitude of the penalties, along with uncertainty over how to effectively mitigate the risk of any civil action by regulators, has raised concern about how companies are approaching their regulatory obligations.

Enforcement by FERC has taken on a shape that has many wholesale market participants wondering whether they are adequately addressing their existing obligations in a manner that is consistent with regulatory expectations.1 While FERC commissioners and staff have made it clear they want companies to adopt a “culture of compliance,” there remains some ambiguity over what that means from a practical perspec- tive. Whether a company is a gas or power asset owner, operator or user, regulators expect—if not require—the enterprise to have adequate processes, practices, and systems in place to support the demonstration of compliance. With the rising stakes and continued uncertainty around how various rules, statutes and standards will be enforced, companies cannot afford to haphazardly address the regulatory risks inherent within their operations and market activities.

Catalyst for Change?

Adhering to regulatory requirements is not a new phenomenon. Energy companies participating in wholesale markets have had rules, standards, codes and permitting requirements ever since the first wholesale energy contracts were established in the latter part of the 19th century. These collective obligations have addressed nearly every facet of market involvement. The most important variable over time, however, has been the degree of rigor regulators have applied in fulfilling their regulatory responsibilities.

Over time, a combination of factors has changed the regulatory landscape upon which market participants interact. These factors include the enhanced enforcement authority of federal regulators, rising concerns about infrastructure adequacy, shifting stakeholder attitudes toward renewable energy and climate change, and the general rise in capacity and energy prices. In addition to these factors, FERC has been pushing companies across the industry to adopt a culture of compliance as opposed to waiting for an incident, an investigation, or both to prompt attention to this issue. It remains to be seen, however, whether perceptions have changed with regard to the cost of being proactive relative to the risk of experiencing an incident. With this backdrop, it is no surprise regulatory compliance has taken on a higher priority among many energy companies and their senior management, evidenced by the high profile of sponsors that submitted a white paper to FERC on compliance enforcement in November 2007.2 The magnitude of potential penalties and the uncertainty of regulatory risk exposure (not to mention reputation risk) are creating the platform and the impetus for companies to begin re-examining how they go about demonstrating, documenting and reporting compliance.

Evidence of what is at risk related to regulatory compliance can be seen in the different enforcement actions that FERC took in 2007 (See Figure 1, “EPAct Enforcement Actions”). The issues that were identified and settled by FERC fell into five basic categories:

• Standards of conduct violations
• Price reporting disparities/ manipulation
• Ownership identification issues
• OATT/transmission violations
• Other rule/code violations.

Across these categories, there was a combination of both self-reporting incidents and external investigations that gave rise to the enforcement actions. Upon review of the individual cases, most interesting are the insights that can be derived from examining the controllable activities underlying the incidents. As an example, when looking at a number of the transmission violations, the root causes of the incidents stemmed from a variety of factors, including poor procedure enforcement, absence of new policies, disregard for internal reporting requirements, weak control functions, and lack of employee training. Each of these factors suggests the need for developing and deploying an integrated program approach that can give management confidence that the enterprise is taking the necessary steps to address compliance expectations.

More important, the lesson to be taken away should be that attention to these matters is good business practice, not just a check in the box of regulatory compliance.

Mandates vs. Good Practice

The debate between regulators and industry has risen to a fever pitch of late, due to concerns about the ambiguity of what’s expected of companies and how certain rules will be enforced. Companies are keenly sensitive to the reputation risk associated with regulatory incidents, and they worry about violating uncertain compliance requirements that FERC hasn’t enforced, but could decide to prosecute at any time. Concerns range from not receiving enough guidance from regulators to receiving guidance that is too prescriptive. In spite of this debate, key industry stakeholders seem to agree that the directives passed down by federal regulators simply encourage good business practice and should not be viewed merely as a means of regulatory enforcement.

This assumption, however, doesn’t replace the need for a critical examination of the strengths and weaknesses of an individual enterprise’s regulatory compliance efforts. As companies move down the path of either building or creating more effectiveness and efficiency in their compliance capabilities, they should be asking a series of key questions.

In the spirit of promoting good business practice, the process of assessing compliance capabilities should address four core areas: policies, systems, people, and controls (see sidebar, “Compliance Questions”). Most important, for the capabilities to be effective there must be demonstrable support for—and enforcement of—compliance from the senior levels of an organization. Senior level commitment and attention provides the best foundation for ensuring a robust overall compliance program. Along with this support, attentiion also should be given to the efficiency with which corporate resources are dedicated to compliance activities (i.e., ensuring the highest and best use). Thoughtful answers to questions about compliance capabilities are essential to ensure that whatever the mandates are, the enterprise will be able to respond in a manner that reflects good business practice while promoting effectiveness and efficiency in operations. This perspective appears consistent with what FERC is trying to promote. As evidenced in the dozen FERC enforcement actions from 2007 that resulted in some form of monetary penalty, nearly every one included the development of a compliance report or plan that would be used to help demonstrate the company was adopting a culture of compliance and not approaching compliance in the most politically expedient way.

Furthermore, close examination of each of the enforcement actions reveals that the underlying causes of each of the incidences, or recurring patterns of activity, could be attributed to issues in one or several of the four areas identified above. From a tactical perspective, industry participants increasingly recognize that processes must be in place to assess what is working well and what is not. As noted by Raymond Palmieri, vice president and director of compliance for ReliabilityFirst, “Entities need to be able to break it down. How did it happen? That way they can look at the bigger picture and develop mitigation plans that will help to prevent future occurrences.”3

Three Basic Choices

Companies operating in the wholesale energy markets can take one of three approaches to their regulatory compliance obligations. In the face of regulatory requirements and market behavior expectations, companies can choose to be passive, reactive or proactive (see Table 1). A company taking a passive response to regulatory compliance tends to assume operations are working adequately if no regulatory or legal investigations have been launched and no fines have been levied against the company recently. Many companies approaching regulatory compliance in this manner believe the costs of being proactive outweigh the probability and the magnitude of the perceived regulatory risk. As a result, such companies do little or nothing to be prepared for possible regulatory enforcement action.

A company that takes a reactive approach, however, makes some preparatory effort to be responsive to a regulatory challenge, but its response tends to be ad-hoc rather than strategically planned. When confronted with either an internal or external threat or issue, a company taking a reactive approach will take steps to address the root cause of the issue, remediating problematic areas as they are identified. Specific activities of such a company include conducting gap assessments, deploying disaggregated (or decentralized) compliance programs, and fixing identified problem areas. Efforts to support compliance and mitigate operational risks largely are effective, but struggles remain with ensuring the consistency of execution, whether it is reporting, data management or practice documentation.

On the other hand, a company with a proactive approach will take steps to mitigate the regulatory risks associated with its market activities. Irrespective of the current circumstances, a company following this approach will find ways to be prepared to support claims of regulatory compliance and any associated reporting obligations. Efforts tend to be structured and aimed at stemming the risk of compliance violations. A proactive company’s compliance activities focus on integrating people, processes, systems and controls across the business units that play a role in supporting compliance. Examples include proactive planning efforts, inventorying and classifying regulatory risks, adopting and infusing a compliance culture, providing on-going training regarding compliance, and using regular self-assessments to identify and resolve issues before they cause a problem.

An organization’s tolerance for risk and its confidence in its existing policies and practices will drive it to embrace one of these three basic approaches. A company’s attitude toward regulatory compliance across the enterprise also will play a prominent role in how it faces the challenges associated with demonstrating, documenting and reporting compliance.

Elements of Sustainable Compliance

Whether a company follows a passive, reactive or proactive model, its executives make specific organizational decisions—either deliberately or by default—as to how the company will approach regulatory compliance.

The choice regarding the preferred approach will be driven in part by the organizational culture within the enterprise. As an example, a company with a decentralized operating structure will tend to have separate systems for managing data and documents that support the demonstration of compliance to the respective regulatory bodies. In contrast, a centralized organization will tend to have a central compliance management system and an independent function that holds responsibility for coordinating and monitoring compliance activities (e.g., the chief compliance officer). Regardless of the structure, however, the objective of any enterprise’s efforts will be to minimize the costs incurred in facilitating and demonstrating compliance and to mitigate the risk of non-compliance. In doing so, a company seeking to establish a sustainable program will focus on a series of six key elements:

Governance/Policies: Oversight structure and policy and procedure documentation;

Communication/Training: Methods used to communicate policies and reinforce desk-level procedures within the organization;

Controls & Monitoring: Checks and balances and the frequency of oversight;

Reporting (External/Internal): Frequency, content and distribution of performance data and metrics;

IT Systems & Data/Document Management: Information tools used to monitor, analyze and manage the enterprise’s regulatory compliance obligations; and

Program Integration & Organization: Either a centralized or decentralized approach to compliance across the enterprise affecting both systems and personnel.

Each of these six elements represents a discrete regulatory area that deserves individual consideration by an enterprise that owns, operates, or purchases services from assets used in wholesale energy markets. The list of affected parties includes, but is not limited to, owners, operators, and users of transmission, generation, gas storage, or natural gas pipeline assets.

Across each of these program elements, a company will possess different levels of maturity and sophistication. The objective is to develop, deploy and manage the program elements in such a way as to create a sustainable structure, resulting in consistency in reporting and documentation.

As an example of this point, FERC’s Policy Statement on Natural Gas and Electric Price Indices, dated July 24, 2003, documents the requirements and expectations for submitting data to index price developers such as Platts and Argus. Although natural gas wholesale price reporting is voluntary, there are specific regulatory expectations that accompany data submittal, data retention, and the delegation of responsibility for submission of data to index developers. The absence of consistency threatens both the integrity and reliability of the data and exposes the company to the risk of regulatory inquiry if there is a perceived issue with the data being submitted.

The severity of penalties for not approaching price-reporting expectations in a diligent manner suggests there is much at risk. During the period January 2005 to December 2006, the enforcement division of the Commodities Futures Trading Commission (CFTC) brought 40 enforcement actions, resulting in nearly $435 million in civil monetary penalties. Charges included such violations as false price reporting, attempts to manipulate markets, cornering a market and wash trading.4

Giving attention to regulatory compliance program elements results in several potential direct benefits to an enterprise, including the mitigation of substantial fines (both civil and criminal), reducing the risk of regulatory inquiries, minimizing the costs of compliance, and ensuring the most efficient use of capital and human resources to achieve compliance. Last, creating an integrated compliance risk-management program across the six elements promotes consistency and sustainability.

Warning Signs

Regardless of a company’s current position with respect to its approach to regulatory compliance, the preferred solution is to find the optimal means of controlling the cost of compliance, mitigating the probability of investigations, and minimizing the risk of civil or criminal sanctions. While having an integrated enterprise-wide approach to regulatory compliance is optimal for addressing each of these risks, companies face varying situations and are driven by different factors with respect to their compliance capabilities. Whether addressing organizational design, policies and procedures, data and document management systems, or procedural and IT controls, efforts to strengthen regulatory compliance capabilities should focus on finding ways to be more efficient and more effective.

Companies can take different approaches to regulatory compliance; however, there is significant variability in the cost and risk among the approaches. With the challenges regulators have presented for companies to adopt and infuse a culture of compliance in their organizations, the question becomes “how will you respond as an enterprise?”

While uncertainty remains regarding what it means to be regulatory compliant and how federal regulators will enforce certain rules and provisions, the costs and risks of not being proactive can be quite large and should drive companies to ask questions about the adequacy of their approach. Furthermore, ignoring federal mandates because of compliance uncertainties will not provide adequate defense if a company is perceived to be falling short of regulators’ expectations. The magnitude of the penalties ($41 million in penalties paid across thirteen cases in 2007 alone, plus CFTC penalties exceeding $400 million) should be enough motivation to at least establish some consistency and verifiability of the overall regulatory compliance program a company chooses.5 A company that ignores these clear warning signs proceeds at its own risk—and the risk of its shareholders and governing board.

One of the preeminent 20th century American poets, Robert Frost, provided an apt description of the assumption of risk related to regulatory compliance: “We took risks. We knew we took them. Things have come against us. We have no cause for complaint.” Companies choosing to be passive or reactive will have limited defenses and should be prepared to accept the consequences.

 

Endnotes:

1. “Implementation of the Federal Energy Regulatory Commission’s Enforcement Authority: A White Paper,” November 2007.

2. Ibid.

3. Inside FERC, Nov. 26, 2007.

4. The Desk, Dec. 14, 2007.

5. FERC’s “Report on Enforcement,” in Docket No. AD07-13-000, Nov. 14, 2007.