Operational Integrity Enhancement
Energy Industry Analysis
CENTER for REGULATORY STRATEGY AMERICAS
Energy
Operational integrity in the energy industry is a broad and complex issue that includes key physical infrastructure components—such as power plants, oil rigs, power lines, and underground pipes—not just information and control systems. The complexity is amplified by the fact that some parts of the energy industry are highly regulated and subject to explicit regulatory requirements about all aspects of their business, while other parts are much less regulated and most of their regulatory requirements focus only on safety. Also, while some energy industry sectors are regulated nationally or globally, many others are regulated at the state or local level. For example, utility companies typically fall under the purview of state regulators and are often subject to detailed requirements about everything from maintenance, inspection, and reliability to how much they can charge and how much profit they can make. In contrast, oil pipelines are much less regulated, although some attention is given to safety and environmental impacts.
Because of this breadth and complexity, the industry’s drive to improve operational integrity is scattered across countless rules and regulations that vary by sector and jurisdiction—and thus cannot be fully captured simply by describing a handful of key emerging regulations. However, generally speaking, it would be fair to say that the energy industry recognizes the importance of operational integrity and that various regulatory bodies in the industry are actively working to address the issue.
Regulatory requirements and guidance related to operational integrity in energy generally fall into four major categories:
Physical infrastructure
Much of our nation’s underlying energy infrastructure has exceeded its useful life and needs to be replaced. For example, in some places, the underground pipes that carry natural gas have deteriorated to a point where the gas is essentially traveling through tunnels of dirt—creating a significant risk of leaks and explosions. To address this issue, many regulators are responding by requiring utilities to implement long-term infrastructure replacement programs.
The business of a utility is to provide safe, reliable, and cost-effective service to customers, while also generating sufficient revenue to ensure a reasonable rate of return. Since the services being provided are “necessary,” regulators (generally in the form of commissions) are designated at the state and federal levels to manage and protect these interests. “Keeping the lights on” or “keeping the gas and water flowing” is the number one objective, and capital investment in infrastructure is vital to meeting this objective.
While infrastructure planning and management has always been an area of scrutiny in any rate case or utility management audit, commissions have begun imposing more sophisticated financial and risk assessment requirements as part of the associated justifications in order to clear the approval processes. This is likely attributable to a few key factors: (a) aging infrastructure and the lack of sufficient long-term plans to address the rapidly increasing risk of major failures, particularly in gas and water infrastructure; (b) market conditions that have driven prices down, creating a “do more with less” environment; and (c) the transition of customers from deregulation, which froze rates and for many years insulated consumers from natural market-driven rate increases that would have occurred in smaller increments.
The need to fix big-dollar problems in aging infrastructure—combined with an inability to generate sufficient revenue due to market conditions, as well as increased pressure on regulators to mitigate the “sticker shock” to consumers in deregulated territories—increases the burden of proof for utilities when proposing rate recovery for day-to-day and long-term operations. All of this leads to numerous levels and forms of risk in both operations and financial planning. The increased burden of proof is being enforced in a variety of ways, including: more specific regulation; the use of more sophisticated analysis tools and resources by commissions in rate cases; government initiatives with a focus on infrastructure management; and imposition of “recommendations” (guidance that is labeled as voluntary but in reality is mandatory).
All utilities are vulnerable to change. However, some types of utilities are more likely to be targets for change. For example, the gas utility sector is likely the highest priority for regulators looking to drive widespread infrastructure improvement because reliability failures in the sector pose the greatest safety risks. Other sectors may be vulnerable to more targeted enforcement of regulatory change. This includes, for example, utilities that for a variety of reasons—relationships, bad actor reputation, poor filings—have historically not been very successful in rate recovery or other regulatory proceedings.
Cybersecurity [1]
The energy sector is seeing a rise in cyber threats—particularly against critical infrastructure—and regulators are working hard to increase and improve cybersecurity and compliance controls to address those threats. Publicized threats, such as Dragonfly and Black Energy, target industrial control systems (ICS) and other energy assets, while quieter threats and the expanded use of cyber assets in day-to-day operations add to the need to transform cybersecurity programs.
Complicating all of this is the use of different frameworks (i.e., Critical Infrastructure Protection (CIP), NIST) by many entities, as well as inconsistent implementation of processes and controls depending on the nature of the assets to be protected. Finally, lack of focus on assurance activities to verify the proper execution and effectiveness of existing controls—and to identify areas for improvement or remediation—increases the risk of a major failure.
As the Smart Grid grows and evolves and energy companies increase their use of ICS, there will likely be a mounting need to protect those systems from abuse. Headlines and perceived major failures, risks, and threats will drive increased legislative focus. This will likely spur support from regulators for the development and implementation of rules that allow for better monitoring, tracking, and enforcement of specific cybersecurity controls and compliance obligations similar to the NERC CIP requirements.
Recent versions of NERC’s CIP framework expanded the scope of cyber assets that power and utility companies must monitor—an increase for some utilities of more than 1,000 percent. The effect of these changes applies unevenly. For example, a challenge for small and mid-sized companies is that the expected vigilance and compliance infrastructure of the expanded CIP regulations is not scalable. They face the need to implement the same changes as larger companies, but with smaller budgets and staffs. Larger companies, however, may face significant expansion of the number of assets requiring protection and the challenge of managing compliance programs and resources that are spread across a much larger organization (or even separate entities). This could trigger other regulatory concerns, such as cost allocation regulations for shared assets and services.
Additional complexity exists for entities that are regulated for some cyber assets and not for others. Many organizations think they already have robust processes and are in compliance. But assessments of controls for unregulated assets often reveal that the controls are not being implemented as intended. Utilization of different processes, controls, and frameworks while leveraging the same resources, assets, and controls can create confusion and cause many of the gaps or implementation failures.
Cybersecurity efforts in energy are focusing on non-ICS cyber assets as well. The CFTC recently approved the NFA’s cybersecurity guidance that will require members to adopt—and enforce—policies and procedures to secure customer data and protect their electronic systems. The CFTC is also considering some proposals to ensure that the major exchanges, clearinghouses, and swap data repositories are doing adequate evaluation and testing of their own cybersecurity and operational risk protections.
Operational integrity related to energy trading
Regulatory scrutiny and guidance related to energy trading have increased significantly in the wake of the financial downturn and other headline-grabbing problems. This is an area where specific regulations have been introduced, and where enforcement actions are increasingly common. Here are some of the key focus areas and trends:
• Regulation automated trading (Reg AT). This regulation includes a series of risk controls, transparency measures, and other safeguards to improve transparency and reduce the potential risks associated with automated trading on DCMs. Reg AT requires the implementation of risk controls—such as maximum order message and maximum order size parameters—as well as the establishment of standards for the development, testing, and monitoring of algorithmic trading systems. It also requires high volume traders that use algorithmic trading for key futures products to register with the CFTC. Other requirements include the use of self-trade prevention tools by market participants on DCMs, and the disclosure of rules and attributes of DCM electronic trade matching platforms that materially affect factors such as: the time, price, or quantity of execution of market participant orders; the ability to cancel or modify orders; and the transmission of market data and order or trade confirmations to market participants. [2]
• Counter-party credit assessment. The supply chain for energy involves numerous steps and numerous counterparties. Real-time credit assessment and scoring enables traders to assess the financial viability of counterparties before deciding to execute a trade.
• Swap data repositories. Tracking swap transactions and resolving problems before the transactions are reported to regulators.
• Price data reporting. Updating FERC’s price data reporting guidelines (which were originally issued in 2003/2004) to capitalize on the latest technologies.
• Real-time trade surveillance. Increased scrutiny from regulators and the market emergence of new surveillance platforms are getting the attention of corporate boards. In response, many companies are considering focusing more resources on trade surveillance and monitoring and on the creation of comprehensive compliance policies that include financial and physical trade surveillance. Firms have traditionally monitored trades at the end of each day, looking for prohibited activities—often using basic tools such as spreadsheets. Now leading firms are moving to real-time monitoring that looks at trades as they are being entered and executed. This helps internal compliance groups proactively identify and investigate problems before regulators initiate an action or inquiry.
Because some of these areas of increased regulatory focus are not strictly mandated by the government (for example, some industry groups, such as Deloitte’s Risk Council, are developing leading practices to help address surveillance responsibilities), companies should consider putting in an effort to seek senior management support to obtain budget and/or resources to address them.
Quantitative risk management for major projects
In the oil and gas sector, Deloitte is working on a five-year project to help the Bureau of Safety and Environmental Enforcement (BSEE) develop and adopt a probability-based approach to risk management. The idea is to shift the focus from subjective/qualitative risk factors to objective/quantitative risk factors (i.e., setting standards based on probability percentages—for example, requiring a project to achieve expected reliability of 99.9 percent based on quantitative probability estimates).
The emphasis is on identifying and addressing operational risks early (i.e., in the planning and design phase), rather than reacting to problems after the fact. Risks that are not identified and addressed early can lead to problems that are extremely expensive to resolve—and that potentially threaten the ultimate success of the project. This is especially relevant in the oil and gas sector, where projects can cost tens of billions of dollars—and where problems can have catastrophic impacts on the environment. Also, this issue is especially relevant today because (1) in the past, high oil prices made it easy to throw money at problems, but now that oil prices are low companies cannot afford expensive snafus and (2) numerous headline-grabbing environmental disasters have put the industry under the microscope from regulators, the public, and the media. For example, oil spills have increased the pressure for tighter regulations on operational reliability and safety and for a better methodology to manage risk and reduce the probability of accidents.
Contacts
Mike Prokop
Managing Director | Deloitte Advisory
Deloitte & Touche LLP
Endnotes
1. “Forward look: Top regulatory trends for 2016 in energy”, Deloitte, 2015
2. “CFTC Unanimously Approves Proposed Rule on Automated Trading”, www.cftc.gov, November 24, 2015
CENTER for REGULATORY STRATEGY AMERICAS
The Deloitte Center for Regulatory Strategy provides valuable insight to help organizations in the financial services, health care, life sciences, and energy industries keep abreast of emerging regulatory and compliance requirements, regulatory implementation leading practices, and other regulatory trends.
Home to a team of experienced executives, former regulators, and Deloitte professionals with extensive experience solving complex regulatory issues, the Center exists to bring relevant information and specialized perspectives to our clients through a range of media including thought leadership, research, forums, webcasts, and events.
This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.
Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.
As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.
© 2016 Deloitte Development LLC. All rights reserved.