Meeting FERC Compliance Head-on: Learn How to Play the Game of Risk by Your Own Rules
The majority of utilities today are potentially at risk with minimal or no policies in place to control data shared through everyday communications.
By Chris Bradley
Create the right email controls for your organization before it's too late
The majority of utilities today are potentially at risk with minimal or no policies in place to control data shared through everyday communications. According to Enterprise Strategy Group (ESG), more than 65 percent of an average company's intellectual property is sent both internally and externally via e-mail and resides somewhere within the messaging infrastructure. In addition, according to an Osterman Research December 2008 report, only about one-third of organizations have what they consider to be detailed and thorough e-mail policies, while the vast majority of organizations have only basic, relatively incomplete, policies in place.
It is clear that many utilities today have not taken the necessary steps to implement and automate the policies needed to protect their organization's electronic data. For those who do have systems in place, email is often overlooked.
This can leave organizations in a more precarious position than executives initially realize, especially for organizations in highly regulated industries such as utility companies. After all, e-mail has replaced memos, voice mails and face-to-face meetings as a means of sharing information and getting work done. Many employees prefer e-mail over telephone conversations because it allows for easy and efficient communication with multiple parties, with the added benefit of a paper trail that can be tracked and referenced as needed.
As e-mail further becomes a workflow tool, its relevance deteriorates in many ways. Most see e-mail as somewhat of a burden in the work day, despite it being a necessary communications tool. Users are copied and blind copied as both a courtesy and requirement. Other "opt-in" e-mail traffic, such as periodicals, newsletters, order confirmations and personal e-mails, only add to the volume of messaging activity. With e-mail now considered a legal business record, this growing volume of information signals a source of increased legal liability within the enterprise.
FERC Order 717 requires that all employees in shared functions (e.g. IT and HR) must also observe ethical walls. Yet because these shared functions still require the ability to communicate across all employee groups, companies must create a "semi-permeable" wall. However, this requires more sophisticated e-mail controls that allow communication to some, while denying correspondence with others based on group affiliation, content, attachment or even context of the email. This ability to inspect incoming and outgoing content as well as messages sent within an organization, including email body and attachments, is crucial in allowing only compliant messages that adhere to FERC's "No Conduit Rule."
The tightening of FERC regulation also signals an increased risk of violation to organizations lacking the necessary policy controls. C-level executives must find methods to comply with laws and regulations while keeping capital expenditures and operating budgets at a minimum. For example, some organizations have taken to targeted archiving: only archive the users that might be involved as custodians in the future. For many organizations this represents only a small fraction of the total user base and also discounts the fact that e-mail is stored in other organizations, which means it can potentially be uncovered during the discovery process at another organization. In any case, the best approach is a comprehensive, proactive one to avoid costly litigation fees or fines from triggering a regulatory violation.
With regulatory and e-discovery deadlines in full effect, organizations of all sizes are pressed to implement a proactive approach based on cost-effective e-mail retention and archiving policies that can be consistently enforced. Implementing enterprise e-mail risk management is a strategic priority that requires business driven polices and a flexible technology deployment to enforce them. To improve disclosures and safeguard against potential regulatory violations within enterprise e-mail traffic, consider integrating your IT, compliance, HR and legal departments into a cohesive team to implement an ongoing proactive strategic approach to regulatory risk management.
Due to the recent updates to FERC regulation, simply reporting e-mail behavior is no longer sufficient. FERC regulations require that energy companies prevent transmission function employees (TFEs) and marketing function employees (MFEs) from communicating, intentionally or unintentionally, via e-mail or any other medium. This mandate is necessary to prevent unfair trade advantages between energy companies and their affiliates. However, knowing the best practices to adhere to these regulations is a daunting task.
To get a start on implementing an ongoing preventative approach to enterprise e-mail management, the following are suggested steps to help utilities address regulatory compliance risks by creating a true culture of compliance without additional expense in time or business interruption:
- Manage intentional and unintentional employee misuse: The instant and casual nature of e-mail poses a risk for all organizations. Without effective safeguards in place, information can be inadvertently shared between restricted groups, adding to the risk of triggering a FERC violation. To secure casual conversations and avoid routinely routing inappropriate e-mails to compliance departments, consider e-mail controls as low-cost insurance and a critical component in preventing information from unauthorized use, disclosure or modification.
- Practice smart archiving: Many companies try to retain all e-mails, but the huge and growing volume of e-mail impacts storage budgets and resources. When e-mail is requested by a regulatory body, the retrieval time is immediate, usually within the next 24 hours. By applying real-time analysis through consistent e-mail archiving controls before messages enter the archive, companies can avoid costly e-discovery litigation fines.
- Create e-mail controls and policies that can intercept at-risk e-mails: Different employee groups without automated internal e-mail safeguards in place lack the necessary policy-specific e-mail controls to centrally manage electronic exchanges. As an active form of secondary insurance against a potential FERC violation, a proactive policy enforcement solution can search for policy breaches, review e-mails and implement actions based on group affiliation, policies, e-mail/attachment content and context, all within the live e-mail stream.
- Audit and profile e-mail usage in real time: To safeguard against any potential e-mail risks, build custom policies that look for specific criteria in e-mail attachments, including file formats and usage patterns. For example, FERC requires that shared employees observe ethical walls to preserve ongoing communications. Compliance officers should have the ability to utilize pre-defined policies to review e-mails and implement actions based on group affiliation as well as e-mail and attachment content and context in real time. To reduce the risk to your organization and focus instead on employee behavior, consider a solution with features that provide an opportunity to stop the e-mail before it is sent.
- Provide real-time blocking and re-routing of outbound e-mails: Companies need a solution that can stop an incident at the point the e-mail is ingested and that provides IT or compliance officers with the ability to review and monitor e-mails within the live e-mail stream through a network implementation. For utility companies to meet FERC requirements, a proactive e-mail risk management approach is required in order to block and prevent restricted information contained within e-mail from ever reaching restricted individuals, based on group designations or the parameters of content in the message or attachment.
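One way to express the "semi-permeable" wall and the no-conduit check described above as an enforceable policy over the live e-mail stream. This is an added illustration, not MessageGate's product code or FERC's own rules; the directory, the group names (TFE, MFE, SHARED) and the keyword markers for non-public information are constructed sample data.

```python
import re

# Constructed sample directory (address -> group); a real deployment would
# pull group membership from HR or the identity system.
DIRECTORY = {
    "ops@example-utility.test": "TFE",          # transmission function employee
    "trader@example-utility.test": "MFE",       # marketing function employee
    "helpdesk@example-utility.test": "SHARED",  # IT, HR and other shared functions
}

# Constructed markers for each side's non-public information; a production
# policy would use classification labels or DLP rules instead of keywords.
SENSITIVE = {
    "TFE": [r"\btransmission schedule\b", r"\bplanned outage\b", r"\bcurtailment\b"],
    "MFE": [r"\bbid price\b", r"\btrading position\b"],
}

def group_of(addr):
    return DIRECTORY.get(addr.lower(), "EXTERNAL")

def tagged_sides(body, attachments):
    """Sides whose non-public information appears in the body or any attachment text."""
    text = body + "\n" + "\n".join(attachments.values())
    return {side for side, pats in SENSITIVE.items()
            if any(re.search(p, text, re.I) for p in pats)}

def evaluate(sender, recipients, body, attachments=None):
    """Return (action, reasons) where action is 'allow', 'block' or 'review'."""
    sender_group = group_of(sender)
    targets = {group_of(r) for r in recipients}
    sides = tagged_sides(body, attachments or {})
    reasons = []
    # 1. The wall itself: TFEs and MFEs never correspond directly, whatever the content.
    for a, b in (("TFE", "MFE"), ("MFE", "TFE")):
        if sender_group == a and b in targets:
            reasons.append(f"direct {a}->{b} correspondence")
    # 2. No conduit: a shared-function or outside sender may talk to either side,
    #    but may not carry one side's non-public information across to the other.
    if sender_group in ("SHARED", "EXTERNAL"):
        for side in sorted(sides):
            other = "MFE" if side == "TFE" else "TFE"
            if other in targets:
                reasons.append(f"{side} information addressed to {other}")
    if reasons:
        return "block", reasons
    # 3. Non-public information leaving the company is held for compliance review.
    if "EXTERNAL" in targets and sides:
        return "review", [f"{s} information to external recipient" for s in sorted(sides)]
    return "allow", []
```

The returned reasons are what a compliance officer would see when a held message is routed for review, so each rule produces a human-readable justification rather than a bare verdict.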
Beyond these suggested steps, consider how non-compliant activities impact an organization on many levels, ranging from reputation damage to legal liability to stock price declines. Firms that have public trust built into their share price run the risk of substantial declines if non-compliant activity is allowed to occur, and is then made available to the public in the form of e-mails.
Regulatory compliance is moving from being necessary to do business to being essential to stay in business. The time has come for practical enterprise e-mail controls to become a strategic business priority as well. Companies can no longer ignore e-mail related risks and must take proactive measures to meet compliance mandates, safeguard intellectual property, maintain shareholder value and prevent embarrassing headlines. The key is to start with the issues that are most pressing from a business perspective, and evaluate how they might translate into enforceable policies in electronic communications. Only then can enterprises build an effective culture of compliance within the organization to prevent recurring violations and implement an ongoing proactive and strategic approach to e-mail derived risks.
About the Author:
Chris Bradley is vice president of marketing and business development at MessageGate, a leading provider of e-mail controls for enterprise risk management.