Energy regulatory compliance Moving forward effectively and strategically

Results from the 2011 Regulatory Compliance Survey

2

ContentsContents

1 Executive summary

2 Addressing uncertainty

3 Key overall finding: Industry needs a sharper focus on compliance

4 Enterprise-wide findings

5 Summary survey results by agency

5 Commodity Futures Trading Commission (CFTC)

6 Federal Energy Regulatory Commission (FERC)

8 North American Electric Reliability Corporation (NERC)

10 Cross–agency

13 Where to start? – The way forward

14 Contacts

1Energy regulatory compliance Moving forward effectively and strategically

Increasingly complex regulation has produced a challenging business environment for a broad set of energy companies. As such, we have created this summary of selected insights about how companies are dealing with their regulatory challenges. It features information gathered in three annual surveys of energy compliance practices, and includes our perspective on industry trends.

Executive summary

As the energy regulatory landscape continues to shift, industry market participants struggle to track all of the many developments that could require their attention and action. In some cases, companies look for the right tools and infrastructure to support known compliance operations, while others face potential challenges from new rules and regulations that require a whole new state of readiness. As in any time of regulatory change, senior company decision makers are confronting basic challenges around compliance planning, project management, and choices about whether and when new investments or approaches could help.

2

Background on the survey

The results for 2011 provide responses from 32 energy

company executives including Chief Compliance Officers

and Directors of Compliance that completed an online

survey during the months of August and September.

The types of companies that responded included those

with commercial interest in the power and utility and oil

and gas sectors. Survey results are provided as collective

data, preserving the anonymity of individual respondents.

Demographic data was collected, however, to enable

relevant comparisons. The respondents cover a broad

portion of energy market activity, with combined reported

revenues exceeding $300 billion. See Figures 1 and 2

for more details about consolidated information on

survey participants.

Figure 1. Number of Employees

Note: Numbers may not add up to 100 percent due to rounding.

>500043%

101-100014%

1001-500043%

Addressing uncertainty

The unpredictable nature of future regulation has led to growing industry concern about how to manage risks in the face of changing rules and requirements.

The approaches used by many energy companies to manage regulatory compliance remain somewhat “fractured,” that is, distinguished by unclear responsibilities that further challenge a company’s people, processes, technology, and governance systems. While some industry associations provide information on leading practices in these areas — and data is available in some areas of specific interest, e.g., Enterprise Risk Management (ERM) systems — limited information is available specific to actual energy industry regulatory compliance practices.

Deloitte’s ongoing discussions with energy industry executives reveal growing interest among senior management and boards in understanding regulatory implications and options for addressing new regulatory risks. Four years ago we saw a trend that included some leading energy companies focusing on integrating and consolidating their compliance activities — similar to the advances in recent years that have strengthened risk management programs.

In response to this trend, Deloitte introduced, nearly four years ago, an Annual Energy Regulatory Compliance

Survey. This research responds to the marketplace desire for substantive information, providing a resource specifically designed to help energy organizations better understand what others are doing and what they may be able to do to manage and mitigate compliance risks.

Figures 1 and 2 profile the employee counts and annual revenues of the participants in our 2011 Annual Regulatory Compliance Survey.

As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.

Figure 2. Annual Revenues

0-$250 Million6%

$1 Billion - $5 Billion

35%

$250 Million - $1 Billion

14%

$5 Billion - $15 Billion

20%

> $15 Billion16%

Undefined8%

3Energy regulatory compliance Moving forward effectively and strategically

Figure 3. Key overall findings

Key overall finding: Industry needs a sharper focus on compliance

This paper shares selected results of Deloitte’s 2011 study of energy industry practices aimed at addressing regulatory risks associated with compliance programs. Through the survey results, follow up discussions with many of the survey participants, and Deloitte’s understanding of current industry practices, we have found that while there is growing attention and time devoted to compliance, energy companies have not advanced particularly far along the Deloitte Integrated Compliance Risk Management (ICRM) model framework shown in Figure 3.

Some might consider this result surprising. The energy compliance survey does indicate a generally sophisticated knowledge about the importance of regulation to respondents and keen awareness among respondents regarding the need to address regulatory compliance challenges today and in the future.

After reviewing the survey findings and comparing them in light of our understanding of current industry practices, we believe several key factors help contribute to a lack of greater compliance progress:

• Significantuncertaintysurroundingexpectedregulation• FewrobustITsolutionsthatsupportenterprise

compliance at energy companies • Organizationalinertiainintegratingcompliancewith

other parts of the business when “working in silos” has appeared adequate

• Falsecomfortbyseniormanagementthattheabsenceof regulatory penalties suggests that adequate compliance practices are in place

• Industryfocusonestablishingprogramsthatareadequate for managing compliance, as opposed to leading practice

• Adesiretominimizecomplianceprogramexpenditures

Fragmented Foundational Evolving Advanced Optimized

Fragmented approach to compliance • Unstructured project based

approach to compliance management

• Environment with predominantly manual controls

• Communication is ad-hoc and highly fragmented

• Minimal policy and procedure documentation

• Lack of role clarity

Decentralized approach to compliance• Significant effort spent

on docmentation and maintenance

• Manual testing environment

• Limited use of technology to enable processes

• Lack of peoples and responsibilities

• Manually intensive compliance reporting and internal control assessment processes

Enhanced decentralized compliance program• Enhancements made based

on the previous year• Work with both internal

and external resources to plan the path forward

• Consistent risk assessment/gap analysis by business unit

• Existing program management office to drive the development of a compliance function

• A developed end-state vision

Coordinated compliance program across the business units• Clear roles assigned

to compliance process champions

• Central repository for compliance documentation

• Business process management tools used to support compliance efforts

• Central repository for compliance information

• Integration of documentation and assessment systems

• Cultural DNA changes made

Risk integrated compliance program• Ethics and compliance

function fully integrated with broader organization and supporting the business, legal, and regulatory objectives of the organization

• Program management approach is embedded in the compliance function

• A measurable, effective, and efficient process for testing, remdiation, monitoring, and reporting on controls

• Continuous optimization program for people, process, and technology

• Alignment of compliance activities with corporate performance management

• Technology to enable regulatory compliance, including supporting these integrated processes

• Active controls repository• Tightly integrated systems

Valu

e to

org

aniz

atio

n

Continuousimprovement

4

Enterprise-wide findings

The 2011 survey findings included the following key, enterprise-wide results:

• Boardsofdirectorsnowhavehighinterestinregulatory compliance and most periodically review the compliance programs that are in place

• MorethanhalftherespondingcompaniesnowhaveaCCO who oversees enterprise compliance programs

• Challengesremainregardingtheformalityofprocessesin four key areas:

– Addressing compliance misconduct – Assigning clear accountability for compliance – Updating policies and procedures when

regulations change – Adopting methods to consistently and centrally manage compliance risks, documentation, etc. (e.g., GRC tools)

• Increasingly,oilandgas(O&G)respondentshaveintegrated a percentage of their variable compensation with compliance performance metrics; this level of integration is significantly more than that found among power and utility (P&U) respondents

• Themajorityofrespondentsbelievetheirregulatorshave positive perceptions of their respective corporate compliance cultures

• Themajorityofcompaniesstillhavesomedegreeofuncertainty about how comfortable they are with respect to self-reporting to the regulatory bodies

5Energy regulatory compliance Moving forward effectively and strategically

Summary survey results by agency

The Dodd-Frank Wall-Street Reform and Consumer Protection Act (Dodd-Frank Act) addresses financial reform as its primary purpose. Because of Congress’ expressed concerns about swaps it moved to make more stringent regulatory oversight and regulatory enforcement in the over-the-counter derivatives markets. Dodd-Frank includes provisions that will affect the costs and practices for energy transactions and related risk management. Congress assigned the U.S. Commodity Futures Trading Commission (CFTC) as the lead agency on most of these matters. In some instances, the Securities & Exchange Commission (SEC) and/or the Federal Energy Regulatory Commission (FERC) also have a role.

This legislation represents a major change in the regulatory environment for energy companies and for other entities that manage energy commodity risk.

Survey responses to specific agency activitiesIn response to major regulatory initiatives underway regarding electric power reliability, respondents reported significant increases in staffing for North American Electric Reliability Corporation (NERC) compliance over the year covered in the survey. However, this was not the case for FERC or the CFTC compliance. Here are highlights from the survey related to responses to specific agencies.

Commodity Futures Trading CommissionThe survey indicated that many companies have taken a wait-and-see approach on further CFTC rule development, which is behind the schedule mandated in Dodd-Frank. In our February 2012 Dodd-Frank Dbriefs, “The Dodd-Frank Act: A Path Forward for Energy Companies,” almost 2,000 industry professionals participated and only 22 percent characterized their company’s Dodd-Frank posture as “proactive.”

The survey showed that while a significant minority appear to have paid attention to these important regulatory developments, many respondents have tracked developments. Some organizations, in fact, are proactively moving forward on Dodd-Frank requirements, for example, because they see the possibility of specific early-mover commercial opportunities. Figures 4, 5, and 6 provide detail on how the survey participants have approached compliance with the CFTC rules and requirements.

Figure 4. How would you characterize your current approach to the CFTC’s implementation of Dodd-Frank?

Approximately one-quarter of respondents reported having already established internal projects to address Dodd-Frank.

Moderate attention

Vigilant tracking

Moderate planning

Waiting for decisionsbefore focusing

Strategic preparation

Note: Respondents could select more than one answer.

31%

27%

23%

12%

8%

6

Federal Energy Regulatory Commission The FERC is the agency with lead responsibility for most interstate energy matters. FERC delegates some authority to NERC on matters of bulk power system reliability. About 75 percent of respondents have a dedicated compliance oversight group for FERC issues and about two-thirds of respondents reported their organization’s physical and cyber security infrastructure could be improved. Figures 7, 8, and 9 summarize the survey responses related to questions about FERC compliance activities.

Figure 5. CFTCHave you established an internal Project Management Office (PMO) to evaluate the impacts of Dodd-Frank and the CFTC rule making process on your business?

Note: Three-quarters of respondents reported partial or no documentation for the CFTC compliance policies and procedures. The lack of internal resources addressing the CFTC matters was somewhat surprising. Due to the significant authority Congress gave to the CFTC through the Dodd-Frank Act, the CFTC is now a major energy regulator. The CFTC’s rules addressing use of derivatives and other swaps, especially record-keeping requirements, will apply to most energy-derivatives transacting enterprises.

No72%

Yes28%

Figure 6. CFTCHow would you describe the current state of your compliance policies and procedures for complying with rules and requirements enforced by the CFTC?

Note: Slightly more than one-third of the respondents to the question regarding the performance of the self-reporting systems at the CFTC were of the opinion that it works well (included as part of Figure 15).

Partially documented

46%

Notdocumented

29%

Fully documented

25%

Figure 7. NERC / FERCIs your physical and cybersecurity access system for complying with separation requirements integrated with your NERC and/or general corporate security systems?

Note: Related to market matters, almost all respondents — 96 percent — record trader phone communications and 71 percent record other forms of electronic media relevant to traders. This may demonstrate the importance to FERC enforcement staff of this recording practice.

Don’t know/Not applicable

42%

Single purpose system, general corporate security is separate

21%

Multi-purpose system that is integrated with NERC and corporate security

37%

7Energy regulatory compliance Moving forward effectively and strategically

Figure 8a. Are you recording trader communications?

Yes86%

No14%

If yes, see bar chart below.

Figure 8b. If yes, which types of communications? (Select all that apply)

Phone

Other electronic media

Restriction of cell phone use

Social media network

Note: Cumulative percentages may not equal 100 percent since respondents were asked to “select all that apply.”

96%

71%

29%

13%

Less than one-third of respondents managing FERC compliance risks report preparing compliance dashboards to enhance performance. This suggests there is an opportunity to strengthen the interactions among executives about how compliance risks are being managed.

There is an opportunity to strengthen the interactions among executives about how compliance risks are being managed.

Figure 9. Do the FERC compliance groups with compliance oversight responsibility produce dashboards / scorecards that include the results of compliance performance monitoring or compliance controls testing, etc.?

No69%

Yes31%

8

Figure 10. NERCHow many Line of Business personnel (in FTEs) perform compliance-related activities within the following NERC areas:

In addition, NERC-related compliance had the highest levels of reported budget increases for compliance activities over the last 12 months.

100%

80%

60%

40%

20%

0%

% o

f Res

pons

es

BAL COM CIP EOP FAC INT IRO MOD NUC PER PRC TOP TPL VAR

0-4 83% 73% 38% 56% 58% 75% 69% 62% 81% 76% 50% 50% 68% 60%

5 or More 17% 27% 62% 44% 42% 25% 31% 38% 19% 24% 50% 50% 32% 40%

The top 5 NERC areas that were

ranked as posing the highest risk

of noncompliance appear to also have

the most FTEs as compared with

other areas.

Based on a scale of 1-5, rate the risk of noncompliance at your company for the following NERC reliability standards.

1

2

3

4

5

CIP PRC VAR FAC EOP COM PER TPL TOP BAL MOD IRO INT NUC

High Risk

Low Risk

NERC-related compliance had thehighest levels of reported budget increases for compliance activities over the last 12 months.

North American Electric Reliability CorporationThe progress on electric reliability standards and the NERC’s initiatives on both standards development and enforcement have the attention of organizations subject to NERC standards. For example, almost all respondents report having a dedicated NERC oversight and management team in place.

Of those respondents subject to NERC regulations, almost three-quarters report expenditures from $500,000 to $1 million annually on NERC compliance, with Critical Infrastructure Protection (CIP) standards viewed as the compliance factor generating the most regulatory risk. Figures 10, 11, and 12 summarize the survey responses related to questions about NERC compliance activities.

9Energy regulatory compliance Moving forward effectively and strategically

Figure 11. NERCHas the company’s budget for NERC compliance activities stayed at the same level, increased or declined over the past 12 months?

Respondents were generally satisfied with their NERC self-reporting system and indicated that they would be comfortable self-reporting (included in Figure 15). Almost half responded that the IT in their organization was either inadequate or partially adequate for managing and monitoring NERC compliance obligations.

Figure 12. NERCDo you believe that the information technology in place at your company is adequate for managing and monitoring your company’s compliance obligations related to NERC obligations?

100%

80%

60%

40%

20%

0%

% o

f Res

pons

es

No change Increased by 0% - 10%

Increased by 10% - 20%

Increased by more than 20%

Decreased by 0% - 10%

100%

80%

60%

40%

20%

0%

% o

f Res

pons

es

Inadequate Partially Adequate

Adequate More than Adequate

23%19%

15%4%

38%

12%

48%

4%

36%

10

Cross–agencyThe survey asked a few identical questions about each of the three regulatory bodies (CFTC, FERC, and NERC). As show in Figure 13, with regard to compliance management functions, when asked whether they believe their controls related to each agency’s requirements are well-documented, respondents demonstrate a high level of agreement with regard to NERC, a generally comfortable level of agreement with regard to FERC, but less certainty about their controls documentation for CFTC. About half the respondents find FERC rules clear and understandable and a similar number reported that their controls related to FERC are well-documented as displayed in Figure 14. Figure 15 shows survey responses in regards to how well regulators’ self-reporting systems work. Half the respondents believe their IT is either inadequate or partially adequate, and almost half do not have confidence in how their FERC compliance controls are documented, a split that significantly suggests room for improvement in the control environment.

Figure 13. Enterprise complianceHow would you describe the current state of your compliance policies and procedures for complying with rules and requirements enforced by CFTC, NERC, and FERC?

With regard to clarity of regulations, NERC and FERC have similarly favorable responses in that about 50 percent strongly agree or agree that these regulations are clear. On the other hand, with regard to the CFTC, less than 25 percent strongly agree or agree that the regulations are clear and understandable.

100%

80%

60%

40%

20%

0%

% o

f Res

pons

es

Not documented Partially documented Fully documented

29%

4%0%

46%

31%42%

25%

65%58%

Many companies have not fully documented their policies and procedures for complying with CFTC, NERC, and FERC

rules and requirements

CFTC

NERC

FERC

11Energy regulatory compliance Moving forward effectively and strategically

With regard to self-reporting systems, NERC’s system is seen as the one that works best compared to FERC and CFTC.

Figure 15. All regulatorsDo you find this regulator’s self-reporting system to work well?

Historical comparisonThis survey has included a few selected questions that were also asked in each of the past three surveys. One such question asked about how a company’s board of directors is informed about compliance issues. As seen in Figure 16, the 2011 survey results show increasing communication from three sources: COO report, a compliance committee report, and the CEO report. The data suggest that boards are now receiving a greater amount of information about compliance issues from a variety of sources than they had in the recent past. Figure 17 provides details on how often senior executives meet with the Board or Board Committee regarding compliance issues.

Figure 16. Enterprise complianceHow does the Board of Directors get informed about compliance issues for the company? (Select all that apply)

In addition to the increased sources of information for the board, companies report that senior executives with oversight of the company’s compliance program continue to meet with the board regarding compliance issues at roughly the same frequency with the majority meeting quarterly.

Figure 14. All regulatorsRegulation by the regulator is clear and understandable

Strongly agree

Agree

Neutral

Disagree

Strong disagree100%

80%

60%

40%

20%

0%

% o

f Res

pons

es

CFTC NERC FERC

Yes

Yes, but

some problems

No

100%

80%

60%

40%

20%

0%

% o

f Res

pons

es

CFTC NERC FERC

100%

80%

60%

40%

20%

0%

% o

f Res

pons

es

Chief Compliance Officer (CCO) report

Through a dedicatedcommittee

No established process in place

45%

35%

59%

Since the start of our annal survey we have seen a significant increase in formalized reporting techniques.

2009

2010

2011

15%

31%

44%

9%12%

22%

CBO report

18%

10%13%

Other(please specify below)

18%12%

9%

12

Figure 17. Enterprise complianceHow often does the senior executive(s) with oversight of the company’s compliance program meet with the board or board committee regarding compliance issues?

In addition to the increased sources of information for the board, companies report that senior executives with oversight of the company’s compliance program continue to meet with the board regarding compliance issues at roughly the same frequency with the majority meeting quarterly.

100%

80%

60%

40%

20%

0%

% o

f Res

pons

es

Annually Quarterly Rarely

25%

13% 13%

2009

2010

2011

35%

53%50%

3%7% 5%

Monthly

10%2%

5%

Never

5%0%

3%

Other

18%23%

22%

Participants who chose “Other” specified responses such as: • “The Board meets monthly. Compliance is discussed on as needed basis.”• “Oversight committee meets once per year with the full board; two times per year with the audit committee; and in person every audit

committee session”• “U.S. Business Conduct Committee, which handles all issues of non-compliance, meets quarterly. The Reliability Compliance Steering

Committee, which includes relevant executives, meets monthly. The Energy Procurement FERC Compliance Committee meets on an as needed basis when procurement deals are being considered.”

• “As needed”• “As a municipal utility, we do not have a Board of Directors. Meet with the executive team quarterly or more frequently, as needed.”• “Semi-annually”

13Energy regulatory compliance Moving forward effectively and strategically

Where to start?

As a result of the survey responses and our insights from working with a variety of energy organizations on Dodd-Frank, we have identified three categories of challenges, each with its own level of urgency:

1. Lay the groundwork for readiness Our survey along with subsequent briefings and our

understanding of industry readiness with survey participants indicates that many of the surveyed energy companies are not at an adequate state of readiness, nor have they engaged in sufficient planning to maintain their compliance programs sustainably. That is, they are not ready to focus on their greatest risks without significant effort (and possibly, delay). There are basic challenges around project management, planning, and governance.

We recommend starting with a unified vision of your compliance program, then agreeing on an appropriate compliance governance model tailored to your specific needs. Next, use the adopted model to clarify ownership and accountability for compliance responsibilities. Enhance the prospects for success by developing metrics to track progress. Follow up with employee training that thoroughly ties back to business activities and challenges. Creating a program that fits you business model and culture and can be implemented efficiently and effectively is important to success and in turn can enhance a regulators’ perceptions of your compliance program.

2. Put compliance infrastructure and tools in place Companies can start equipping themselves with

the tools and infrastructure that will help support compliance operations. What some companies are experiencing with NERC audits now, for example, represents real challenges concerning documentation and centralization of data and records. Companies can act now to prepare necessary infrastructure to meet internal record management needs and respond to external regulatory inquiries.

3. Integrate/consolidate information and systems to better manage risks

Deloitte anticipates energy regulatory compliance evolving in a pattern similar to ERM. A decade ago, ERM was fragmented across different functions. It is now consolidating such that many companies take an integrated view of their energy risks and are, in some cases, further linking energy risks with enterprise risks. Once a model, such as ICRM, is in place, compliance has the potential to be managed more effectively than in a “silo” situation, providing transparency into risk exposure and may provide better information for managing the business overall. Deployment of compliance management systems may help centralize the core areas of performance information, roles and responsibilities, and reporting. New automated tools help track performance metrics and drive decision-making and management. Corporate governance functions can help ensure that energy compliance risk management is effectively coordinated through enterprise risk management.

The way forward

Risk is inherent in the energy business, but today’s pace and complexity of regulatory changes further increase regulatory risks. The ability to effectively address and achieve regulatory compliance is rapidly becoming a factor in competitiveness. Acknowledging this reality, many boards and senior management teams are putting regulatory risks near the top of their strategic priorities and taking steps to address these challenges. Management teams are rethinking business models and organizing to better manage the people, processes, and technology that contribute to avoiding and mitigating compliance risks that can have consequences far beyond sanctions and fines.

Our survey indicates signs of change. But, is change happening fast enough? Companies that wait too long to develop a plan of action may find they have to react to new rules and compliance deadlines without an appropriate strategy. This may result in higher costs due to the need to depend on external resources, or on the short-term reallocation of internal resources and risk for not being compliant in the new regulations.

William HedermanDirector Deloitte & Touche LLP+1 703 885 6450whederman@deloitte.com

Paul CampbellPrincipalDeloitte & Touche LLP+1 713 982 4156paulcampbell@deloitte.com

Howard FriedmanSenior ManagerDeloitte & Touche LLP+1 713 982 3065hfriedman@deloitte.com

This document contains general information only and Deloitte is not, by means of this document, rendering ac-counting, business, financial, investment, legal, tax, or other professional advice or services. This document is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. In addition, this document contains the results of a survey conducted in part by Deloitte. The information obtained during the survey was taken “as is” and was not validated or confirmed by Deloitte. Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this document.

About DeloitteDeloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.

Copyright © 2012 Deloitte Development LLC. All rights reserved.Member of Deloitte Touche Tohmatsu Limited

Contacts