
The INPOWERD Perspective

The Former Regulator’s Playbook: What Organizations Still Misunderstand About Enforcement, Self-Reporting, and Defensible Compliance Programs

By Earl Shockley, President and CEO, INPOWERD LLC

Trust • Accountability • Service

Why This Matters

One of the most common misconceptions I continue to see in the industry is the belief that enforcement outcomes are driven primarily by the violation itself. Enforcement outcomes are often shaped just as much by how the organization identified the issue, understood the risk, responded to the event, and demonstrated management-in-control throughout the process.

That distinction matters.

Over the course of my career in operations, compliance, consulting, and as a former NERC regulator, I learned that strong organizations are not necessarily the ones that avoid every issue. Strong organizations are the ones that identify problems early, understand the reliability implications, respond with discipline, and demonstrate credibility through their actions and governance.

Conversely, weak programs often reveal themselves long before the violation itself becomes the problem.

Inconsistent narratives, poorly structured self-reports, weak internal controls, undocumented decision-making, unclear ownership, delayed escalation, and reactive behavior are often indicators of broader governance and cultural weaknesses. Regulators notice those patterns quickly.

The uncomfortable truth is this:

Organizations are often evaluated on far more than the requirement violation itself. They are evaluated on whether leadership appears to understand and control the risk environment surrounding the violation.

In this blog, I want to outline several realities that organizations often misunderstand about enforcement, self-reporting, and building defensible compliance programs.

Enforcement Is Not Just About the Violation

One of the biggest misconceptions in the industry is the belief that enforcement is purely formulaic. Many organizations assume outcomes are determined solely by the requirement violated, the duration, or the technical facts of the event.

That has never been entirely true.

From a regulator’s perspective, context matters. Risk matters. Organizational behavior matters. Program maturity matters. Leadership credibility matters.

Two organizations can experience similar violations and receive very different regulatory outcomes because the surrounding circumstances are different.

Questions regulators often evaluate include:

• Was the issue self-identified or discovered externally?

• Did the organization understand the reliability risk involved?

• Was the issue isolated or indicative of a broader control weakness?

• Did leadership respond quickly and transparently?

• Was the root cause credible and technically supported?

• Did corrective actions address the actual control failure?

• Was the organization defensive or accountable?

• Did the entity appear to be managing the process or reacting to it?

• Was an extent of condition conducted?

Enforcement is not simply a technical exercise. It is an evaluation of risk, governance, culture, and organizational maturity.

Self-Reporting Is a Leadership Decision, Not Just a Compliance Task

Many organizations approach self-reporting as an administrative requirement. That mindset is dangerous. Self-reporting is one of the clearest indicators regulators have regarding organizational transparency, risk awareness, and leadership accountability. Self-reporting demonstrates that the organization is actively evaluating its program with the understanding that people, processes, and systems are never perfect.

The quality of a self-report often reveals the maturity of the compliance culture behind it. Weak self-reports tend to share common characteristics. Technical analysis is often shallow, timelines are unclear, and the narrative focuses more on minimizing exposure than understanding risk. Extent-of-condition reviews may be incomplete or narrowly scoped, and corrective actions frequently address only the immediate symptom rather than the underlying control weakness. In many cases, leadership ownership and accountability are either unclear or absent altogether.

Strong self-reports look very different. They demonstrate disciplined investigation, technical understanding, clear accountability, credible risk evaluation, and structured corrective action planning. Most importantly, they demonstrate that the organization understands why the issue occurred, what controls failed upstream, and whether similar weaknesses may exist elsewhere in the organization.

One of the most important lessons I learned as a regulator is that credibility matters. If regulators believe an organization is being transparent, objective, technically disciplined, and proactive, the engagement dynamic changes significantly. If the organization appears evasive, reactive, defensive, or inconsistent, trust erodes quickly.

That is why self-reporting decisions should never occur in a vacuum. They require structured governance, technical review, risk evaluation, legal alignment where appropriate, and executive awareness.

The Difference Between “Compliance Activity” and a Defensible Program

Many organizations perform compliance activities. Far fewer operate truly defensible compliance programs. There is a difference.

A defensible program is not defined by the absence of violations. It is defined by whether the organization can demonstrate controlled execution, sustainable oversight, and management-in-control over time. In mature organizations, governance is structured, ownership and accountability are clear, leadership oversight is visible, and escalation paths are understood throughout the organization. Risk discussions occur formally, and decision-making demonstrates engagement rather than passive delegation.

Defensible programs also operate with disciplined internal controls. Requirements are assigned formally, controls are documented and tested, and evidence is engineered into the process rather than reconstructed later. Organizations actively look for weaknesses through monitoring, assessments, peer reviews, and testing activities. Issues are evaluated systematically, root causes are credible, corrective actions address systemic weaknesses rather than isolated symptoms, and effectiveness reviews validate that corrective actions actually worked.

In my experience, mature organizations understand that regulators evaluate not just the issue itself, but whether leadership demonstrates sustained management-in-control over the environment producing those issues.

The Root Cause Trap

Another recurring problem in enforcement engagements is weak root cause analysis. Organizations often confuse immediate cause, human error, procedure noncompliance, and the underlying control or organizational weakness that allowed the issue to occur. These are not the same thing.

Statements such as “the employee failed to follow the procedure,” “the wrong setting was entered,” or “personnel oversight occurred” rarely explain why the failure was possible in the first place. From a regulator’s perspective, those explanations often raise additional concern because they suggest the organization may not fully understand the control environment surrounding the event.

The real questions are usually upstream. Why did the control environment allow the error? Why was the issue not detected earlier? Were controls weak, absent, or not operating effectively? Was training insufficient? Was oversight ineffective? Were workload, complexity, or organizational drift contributing factors?

Strong root cause analysis requires organizations to examine systems, governance, internal controls, culture, and operational pressures, not just individual actions. It also requires meaningful extent-of-condition reviews to determine whether the same weakness exists elsewhere in the organization. One of the most common mistakes organizations make is correcting the immediate issue while failing to identify similar vulnerabilities in other departments, facilities, processes, or compliance areas.

In mature organizations, root cause analysis is not about assigning blame. It is about understanding how the system allowed risk to develop, evaluating whether that risk exists elsewhere, and strengthening the control environment to prevent recurrence.

Compliance and Organizational Maturity Matter

One area organizations consistently underestimate is the role culture plays in compliance and enforcement outcomes. In my experience, regulators can often identify the maturity of a compliance culture within the first several interactions of an engagement.

Over the years, I have found that compliance performance and enforcement outcomes often correlate directly with organizational maturity. Informal, reactive, chaotic organizations tend to struggle with consistency, sustainability, and risk visibility, while best-in-class organizations are predictable and strategic, with structured governance, integrated controls, disciplined accountability, and proactive risk management.

This maturity progression is visible both organizationally and within compliance programs themselves. At lower maturity levels, organizations are often informal, reactive, inconsistent, and heavily dependent on tribal knowledge or individual effort. Compliance activities may exist, but they are frequently localized, disconnected, and difficult to sustain under operational stress. As maturity increases, organizations become more structured and standardized. Processes are defined, accountability becomes clearer, controls become measurable, and leadership oversight becomes more visible and engaged.

The same progression occurs within compliance programs. Early-stage programs tend to focus primarily on identifying requirements and responding to issues as they arise. More mature programs establish formal governance, assign ownership, monitor key indicators, integrate compliance activities across business units, and build repeatable control processes into daily operations. At the highest maturity levels, compliance becomes sustainable because controls, accountability, monitoring, and operational execution are fully integrated into the organizational culture rather than operating as isolated compliance activities.

This distinction matters because mature organizations manage reliability and compliance risk differently. They do not rely solely on individual knowledge, heroic effort, or last-minute preparation. Controls are embedded into operations, escalation paths are understood, risk discussions occur formally, and organizations continuously evaluate whether processes remain effective as standards, operational conditions, and risk environments evolve.

In my experience, regulators are often less concerned about whether an organization has experienced issues and more concerned about whether leadership appears to understand, control, and continuously improve the environment producing those issues. Mature organizations recognize that sustainable compliance is not achieved through periodic audit preparation. It is achieved through disciplined governance, integrated controls, continuous improvement, and management-in-control over time.

Leadership Implication

One of the biggest mistakes organizational leadership can make is assuming compliance risk can be delegated entirely to a compliance department. It cannot. Compliance performance is ultimately a reflection of operational discipline, management oversight, internal controls, decision-making quality, and organizational culture. Those are leadership responsibilities.

In today’s environment, regulators increasingly evaluate whether organizations demonstrate management-in-control, not simply whether policies, procedures, or evidence exist on paper. That means leadership must ensure internal controls are functioning effectively, accountability structures are clear, self-identification mechanisms are active, corrective action programs are disciplined, and risk discussions occur at the appropriate levels throughout the organization. Just as importantly, leadership must foster a culture that supports transparency, escalation, and continuous improvement. Compliance is not a paperwork exercise. It is a governance and reliability discipline.

The INPOWERD Perspective

The organizations that navigate enforcement most effectively are usually not the organizations that never experience problems. They are the organizations that build disciplined systems capable of identifying, understanding, correcting, and learning from issues before those issues become larger reliability risks. Defensible compliance programs are not built during audits, investigations, or enforcement engagements. They are built every day through structured execution, credible controls, disciplined oversight, and leadership accountability.

One of the most important lessons I learned over decades in operations, regulation, and consulting is that regulators ultimately look for evidence that leadership understands the system it is responsible for managing. Not just the requirement. Not just the violation. The system itself. That distinction often determines the difference between organizations that simply respond to enforcement and organizations that build long-term regulatory credibility.
