Digital Reporting, Dashboards Help Execute Store-Level Audits in Real Time

By Rick Childs, Managing Director
Consumer Products and Services Industry Leader

 

 

 

Retailers are under increasing pressure from all directions these days. In May, Credit Suisse estimated that a record 8,600 stores will close in 2017 and that 25 percent of U.S. shopping malls will be shuttered by 2020. At the same time, retailers are facing increasingly complex regulations on everything from public health to environmental issues. All of these pressures are creating a need to consistently and continually measure execution at the store level. Timely, accurate and actionable store-level audit data has never been more important.

In our recent report on mobile audits, we explored how internal auditors are applying web-enabled tools to engage stakeholders, automate workflows, improve decision making and drive operational efficiencies. I revisited these change drivers in a recent blog post, advocating for small but meaningful changes in retail digitalization. But with retailers having to make increasingly difficult decisions with less and less lead time in order to stay competitive, I wanted to address two even more important, and often overlooked benefits of digitalization: analytics and reporting.

Traditional paper-based store data collection is time-consuming and has always been fraught with inefficiency and error. Data collected on paper has to be compiled — via fax, scan, or physical transfer — and manually keyed into a computer before it can be analyzed. Digital data, on the other hand, is available in real time, and responses can be standardized for greater consistency to meet both operational and regulatory compliance objectives.

Web-enabled store audit tools provide accurate and actionable data, in real time. Audits performed via mobile app, for example, are updated automatically, eliminating the need to fax, transcribe or email audit results. The reduced cycle time from data entry to reporting eliminates information bottlenecks. Dashboards and other digital reporting tools allow market managers to make informed decisions on the fly, confident that they are working with the latest information, and that all users are looking at the same data — eliminating awkward spreadsheets and version control issues inherent in paper routing.

Application reporting permissions are synched to job titles — an important control given the dynamic organizational hierarchies in retail. At the same time, companies can track a store manager’s performance across multiple locations, or location performance relative to other locations.

Just-in-time feedback encourages user engagement with operational applications, remediation, electronic follow-up and reminders. By accelerating the audit cycle, management can make informed decisions about low-performing stores and implement meaningful change. Trend information can be used by asset protection and store operations to identify negative activity at the stores and potentially across districts and markets.

With this kind of instant reporting gratification, the older, slower, less accurate analog store audits seem well on their way out, and they should be. Digital store audits improve consistency, minimize interpretation, increase the number of locations that can be covered, generate action items immediately and enhance communication to the field.

The graphical interfaces of real-time reporting tools convert mind-numbing columns of numbers into color-coded dashboards for an easily read picture of performance, with drill-down capability to the store and indicator level.

At this point, the question is no longer whether retailers should adopt digital audit technology, but how quickly they can get it done, and what are the risks to their retail organizations if they don’t.

 

 

Life Sciences, Pharmaceutical and Medical Device Companies Need to Trust Less and Question More to Keep High-Value Data Safe

 

By Sharon Lindstrom, Managing Director
Manufacturing and Distribution Industry Leader

and Scot Glover, Managing Director
San Francisco Life Sciences Practice Leader

 

Life sciences, pharmaceutical and medical device companies possess sensitive, high-value data that cybercriminals, hacktivists, unscrupulous competitors and other malicious actors aim to steal or otherwise expose. Personally identifiable information (PII), such as employee data and information about clinical trial participants, is a prime target for compromise. So, too, is intellectual property (IP), like drug formulas, proprietary software and manufacturing processes.

Adversaries are finding success with their campaigns: According to a 2016 study by the Ponemon Institute, which included pharmaceutical and medical device businesses, 90 percent of healthcare organizations (an all-inclusive category for all sectors participating in the survey) have suffered a data breach in the past two years. Ponemon estimates that those incidents cost the healthcare industry US$6.2 billion.

There are other cyber risks, too, that can be even more damaging. The recent, massive WannaCry ransomware attack, for example, shows how the interconnectedness of healthcare systems, and weak security practices, can put both organizations and patients at risk. The malware also affected Windows-based radiology devices at two U.S. hospitals, according to reports. The attackers took advantage of known vulnerabilities in the devices’ software. Many devices across the healthcare system use old software that is difficult to update, which means they are ripe for malicious actors to exploit.

Time to move cybersecurity from “top concern” to “top business priority”

Although cybersecurity is, and has been, a top concern for leadership at life sciences, pharmaceutical and medical device companies and their stakeholders, most of these businesses aren’t doing enough to ensure PII, IP and other vital data, and their critical systems and devices, are protected. There are several reasons for this, including:

  • Too much trust: Companies often outsource key critical functions, such as research and development, marketing studies and patient data analysis. Unfortunately, many companies feel that the risk of a data breach or hack is also outsourced to the business partner, and that the collaborative agreements they’ve established with their commercial or academic partners or contracted research organizations somehow guarantee security.
  • Lack of insight: Businesses may not dig deeply enough into their collaboration networks or supply chains when conducting cyber assessments to identify security gaps and other risks.
  • Too few resources: Many organizations in the industry are small and in startup mode, and therefore operate very lean. They devote most of their time and budget to research and development, which leaves them with little or no funding to put toward enhancing their cybersecurity. Also, many of these businesses rely on cost-effective and easy-to-access technology tools to store and share information, which means information could be exposed to malicious hackers if the tools are not configured and secured properly.

To improve cybersecurity, life sciences, pharmaceutical and medical device companies must stop viewing the issue as a top concern and treat it as a top business priority. As a starting point, these organizations should seek to answer the following questions:

  1. What information do we share with our strategic partners electronically and how is that data protected while in transit or stored? More companies than ever before, big and small, are now working with contract resource organizations (CROs). These CROs exchange sensitive and confidential data over electronic networks continuously, and the potential for loss, compromise or theft of PII or IP is high. Cybercriminals often will target the security weaknesses of third parties to gain access to a targeted company, using tactics such as phishing. Another risk area: Many businesses are relying on third-party vendors, i.e., cloud providers, to manage and store their data.
  2. How are our strategic partners handling our information physically at the research site? This question relates to the earlier point about companies’ lack of insight into their collaboration network. Organizations must understand how their information might be exposed in a lab environment or at a research site. The theft, by an insider, of a researcher’s notebook with details about a new drug formula or a medical device in development could spell the end for a company whose entire value is tied up in that irreplaceable IP.

Medical device companies have a third question they should consider (although, so too should the organizations and patients relying on these devices):

  1. What is the risk that our products could be hacked and/or controlled by malicious actors? The potential for medical device compromise is no longer in the realm of science fiction. And there were warnings that this would become a reality even as the Internet of Things was emerging. Back in 2014, for instance, the U.S. Federal Bureau of Investigation (FBI) issued a report warning that cyber attacks against healthcare systems and medical devices were likely to increase as more healthcare records were digitized and more medical devices were connected to the Internet.

Life sciences, pharmaceutical and medical device companies must think more critically about, and build a better understanding of, their cyber risk exposure and know what digital assets malicious actors would be most likely to target. When it comes to cybersecurity, these businesses would do well to trust less and question more. Failure to do so can put not only their brands and reputations at risk but their entire business — as well as, potentially, the lives of their patients.

Data-Rich Manufacturing Demands Cybersecurity of the Supply Chain, Too

By Sharon Lindstrom, Managing Director
Manufacturing and Distribution Industry Leader

and Tony Abel, Managing Director
Supply Chain

 

Few manufacturers would disagree with the view that the Internet of Things, big data integration and other advances in technology are boosting productivity, streamlining supply and distribution channels, and improving product support. But the WannaCry ransomware attack unleashed on businesses, governments and hospitals across the globe last month and the most recent attack this week delivered a sobering reminder that those digital-driven innovations carry very real risk.

That’s especially true for supply chains. Competition and efficiency demands increasingly compel manufacturers to enlist third-party vendors to produce components for an end product, meaning proprietary information and specification data is sent digitally across the globe, ready for cybercriminals to steal and exploit. One recent survey of 1,400+ supply chain professionals found that data security/IT incidents ranked as the most critical risk to supply chains.

Cyber attacks are likely to grow in frequency and severity, according to our recent Flash Report discussing the WannaCry ransomware event. In the report, we highlighted the need for companies to not only adopt a cyber defense, but also to continuously evaluate and improve it to protect against evolving threats. We noted, again, that many organizations continue to ignore cybersecurity – or at best are inadequately addressing it.

Opaque Supply Chains

It makes sense that businesses that are underprepared in their own cyber defenses have even less insight into the cybersecurity of their suppliers. But clearly they should. According to a 2016 presentation given by cyber supply chain risk management specialist Jon Boyens, a program manager with the National Institute of Science and Technology (NIST), 80 percent of all information breaches occur within the supply chain, and almost 60 percent of companies do not have processes for assessing the cyber security of their vendors. Similarly, more than seven out of 10 organizations lack full visibility into their supply chains.

Even more alarming, NIST anticipated that cyber attacks and data breaches would cause nearly half of the manufacturing supply chain disruptions in the next couple of years. Such incidents are costly. NIST estimated that 55 percent of the disruptions incur more than $25 million in damages per incident. In addition, supply chain breaches that steal or alter data could result in substandard products, the loss of intellectual property, and backdoor access into the manufacturer’s systems, all of which could further tarnish an organization’s brand and diminish its value.

Samsung’s recent bout with the flawed batteries that sparked fires in its Galaxy Note 7 phones illustrates the potential damage to a company’s reputation and bottom line. Samsung ultimately identified specifications provided to its suppliers as the culprit, but not before the company took a $5.3 billion hit to earnings and lost consumer trust. How much worse would it have been if a cyber criminal altered the specifications intentionally?

Supplier Checklist

The good news is that manufacturers can mitigate supply chain risks by ensuring that their third-party vendors are pursuing similar cybersecurity efforts as their own. Here are a few fundamental questions that we recommend focusing on when assessing supply chain IT risk:

  • Does the supplier’s culture promote cybersecurity and ransomware awareness throughout the organization? What kind of training are its employees receiving to recognize and address threats?
  • What cyber defenses are in place, and are they sufficient to counter the latest malware threats? Is the supplier up to date on indicators of compromise for recent attacks?
  • How frequently does the supplier conduct cyber risk assessments? Is the regimen sufficient to keep up with the rapidly evolving threats, and does it include defenses to block operational disruptions? Does the supplier consider the risks in its own supply chain (e.g., Tier 2 and Tier 3 suppliers)?
  • Does the supplier have an effective response plan? How often is it updated, and how often does the organization conduct threat simulations as part of its cybersecurity training?

Sound Agreements Needed

Manufacturers and suppliers seeking to reduce supply chain risk also should review contracts to ensure compliance. Items for each party to consider include:

  • Are the supplier’s cybersecurity obligations spelled out clearly in the contract, and does the language extend to the supplier’s subcontractors?
  • Does the contract include assurances that the supplier has the infrastructure to uphold its end of the contract?
  • Who are the executives or managers executing the contract for the supplier? Are they the most appropriate personnel in regards to understanding cybersecurity threats and the supplier’s ability to meet its obligations?

As cyber threats continue to escalate, it is important for manufacturers to gain visibility into their supply chains in order to assess their overall risk-mitigation and response capabilities. The ideas outlined here represent basic but critical actions organizations should be implementing as they strive to secure the increasing amount of sensitive data shared in the production and sourcing processes.

“Carpe Diem”: Oilfield Services Companies Eye the IPO Market

 

 

By Tyler Chase, Managing Director
Energy and Utilities Industry Leader

and Steve Hobbs, Managing Director
Public Company Transformation

 

Despite the recent downward trend in oil prices, the oil and gas industry overall is feeling optimistic, as evidenced by increased rig counts and production levels. Both are signs that the industry is on the rebound after a downturn that has persisted for well over two years. Renewed confidence and optimism about future growth have many companies in the sector thinking about pursuing an initial public offering (IPO). Among them: fast-growing and capital-hungry oilfield services providers.

These service businesses play an important role in supporting the oil and gas industry. They provide innovative technology, manufacturing of critical equipment, and services that allow oil and gas companies to enhance their existing infrastructure and processes so they can produce more at less cost.

The recent volatility in the oil and gas market hit oilfield services providers hard. In 2015 and 2016, many were burdened with significant debt and selling their services at a discount just to survive; several companies ended up filing for bankruptcy.

Now, less than a year after that dark period, oilfield services providers are driving IPO activity in the energy sector — outpacing exploration and production companies. Many of these private equity-backed companies have been waiting for conditions in the industry and capital markets to improve so they can execute an IPO as their forward strategy. Others are looking to an IPO as a way to raise much needed capital fast, to fuel growth and innovation.

What many oilfield services providers learn in exploring the IPO idea is that they simply aren’t prepared to make the leap. One reason is that these firms lack maturity in their business processes, and have limited alignment with GAAP accounting and insufficient infrastructure and personnel to support expansion. They are, essentially, startups. And like any startup or other fast-growing private company in any other sector, oilfield services providers must achieve a certain level of “readiness” before attempting to go public.

These firms are also at risk of making a mistake common among other businesses with IPO aspirations: underestimating the amount of time and personnel required to address the demands of a public company transformation. These pre-public companies must address six primary infrastructure elements on their journey to IPO readiness, including:

  • Corporate policies: These include governance, financial reporting and company policies, such as human resource and marketing policies. Like most startups, oilfield services providers are so focused on delivering their technology and services and trying to grow their market that they don’t spend enough time on essential back-office infrastructure for the business, such as creating formal policies. Structure and documentation are needed not only for compliance purposes, but also to help the company communicate to everyone, from investors to current employees and potential hires, how it operates, what its values are, and more — a basic expectation from an IPO candidate.
  • Corporate processes: Financial reporting processes are just one example of corporate processes that many oilfield services providers will need to upgrade substantially and standardize before going public. For instance, documentation about business agreements is likely inadequate because of the informality with which these service companies often approach deals — confirming terms with perhaps little more than a handshake. So, firms preparing to go public need to start moving now to formalize their agreements with business partners and create an appropriate paper trail. Many accounting and financial planning and analysis forecasting processes will also need to be augmented and automated because manual practices are error-prone and time-consuming.
  • People and organization: Any company that wants to go public needs a well-structured and experienced leadership team. The IPO process places huge demands on senior executives — especially the CEO and CFO, who will need to spend much of their time on the road meeting with analysts and potential investors. Once the IPO ball starts rolling, these executives won’t be able to focus much on everyday business needs. There needs to be a strong team in place, especially in the accounting/finance organization, to help guide the company in their absence, address external auditor considerations, and meet SEC filing deadlines on time.
  • Systems and data: Pre-IPO companies frequently report that their IT departments are a major area of focus during their readiness effort. IT general controls that pertain to Sarbanes-Oxley Act compliance and data security and privacy strategies and policies are just two key areas within IT that oilfield services providers will need to pay special attention to as they lay the groundwork for a public offering. A critical risk within the realm of IT system compliance is addressing the organization’s lack of segregation of duties (SoD) and the need for comprehensive monitoring of access for all critical business IT systems. It’s imperative for management to be directly involved in the SoD design process to clearly shape the roles and duties of personnel within the company prior to an IPO. Data security and privacy can be particularly wide in scope, including everything from cybersecurity policies to business continuity management planning.
  • Management reports (e.g., on internal control over financial reporting) and methodologies (e.g., for the offering price, for financial controls, significant accounting estimates) round out the six primary elements. Oilfield services providers must ensure they have them covered — and implement a sustainable infrastructure and strong organizational capabilities as well — before pursuing an IPO.

Addressing all the above is a complex and resource-intensive endeavor, and likely will require expert assistance on many fronts. This fact is not to dissuade oilfield services companies from seizing opportunities in the current oil and gas market.  But seizing the opportunity is one thing; managing the newly public company in the weeks and months following the IPO in a manner that is consistent with the expectations of regulators and shareholders and the company’s own executives’ vision is quite another. At issue here is sustaining confidence with regulators and shareholders. According to our experience across a wide variety of sectors, covering the six elements of infrastructure above in a thoughtful, proactive manner is a vital process in moving to the next stage successfully.

Critical Condition: Cybersecurity in Healthcare

By Adam Brand, Director,
IT Security and Privacy

 

 

 

On June 2, the Health Care Industry Cybersecurity Task Force issued a draft of its Report on Improving Cybersecurity in the Health Care Industry, an analysis of how to strengthen patient safety and data security in an increasingly connected world.

The Congressional report, which sums up the state of healthcare cybersecurity to be in “critical condition,” may shock outsiders, but should come as no surprise to those in the industry, who are well-aware of the challenges and have been awaiting the report as a preview of potential future government regulatory action.

The report lists six imperatives, along with several recommendations and action items. The recommendations bring to the forefront several issues facing the healthcare industry — most notably the risk to patient safety. That’s a departure from the traditional focus on privacy and data protection, and suggests a regulatory gap that needs to be addressed quickly.

The release of this report could not have been timelier, coming on the heels of the debilitating worldwide “WannaCry” ransomware attack that forced hospitals in England to cancel surgeries. Last week we published a flash report that takes a deeper look into the Task Force’s document.

We think that organizations should not wait for the government to initiate solutions. Instead, healthcare providers and medical device makers should proactively increase efforts to bolster cybersecurity to avoid potentially overreaching or misaligned legislation.

In our flash report, we recommend that healthcare providers consider the following actions, tied to key themes of the report:

THEME: (providers) Existing efforts are not enough and patient safety is at risk.
ACTION: Expand cybersecurity efforts to include patient safety.

Healthcare leaders should note the emphasis on patient safety and ensure their cybersecurity program has fully addressed risks that could result in patient safety issues, not just a data breach.

THEME: (providers) Legacy devices are a significant problem.
ACTION: Create a concrete plan for legacy devices.

Develop a plan to phase out or update insecure legacy devices and operating systems, ideally over the next five years, and implement compensating controls such as network segmentation, enhanced monitoring and application whitelisting in the next 12 months to help address the near-term risk.

THEME: (providers) Lack of standard cybersecurity practices.
ACTION: Start formally aligning to a cybersecurity framework.

The report recommends that the Department of Health and Human Services (HHS) develop a health-care specific framework based on the minimum standard of security provided by the NIST Cybersecurity Framework and the HIPAA Security Rule. Health care organizations should begin now to think about how they would align their controls to the NIST CSF standard.

THEME: (manufacturers) Lack of cybersecurity focus; software development lifecycle (SDLC) gaps.
ACTION: Expand cybersecurity efforts, focus on SDLC.

Manufacturers should use the report as an opportunity to determine whether their medical device security program is adequate, given the increased attention on this area and the risks highlighted in the report. Specifically, manufacturers should be able to demonstrate clear security inclusion from new product model requirements through product retirement.

THEME: (manufacturers) Legacy systems are a hot-button issue.
ACTION: Increase activities for reducing numbers of in-use legacy devices.

To avoid negative impacts, manufacturers should work with healthcare providers to reduce the number of potentially compromised medical devices, through customer education and incentives.

THEME: (manufacturers) Minimum cybersecurity standards for medical devices.
ACTION: Work with industry peers to develop a standard.

We anticipate that future FDA device approvals will be contingent on meeting minimum cybersecurity standards. With the typical device development process of five to seven years, manufacturers need to collaborate now to get ahead of regulations and avoid business disruption.

The task force took a year to complete its report, and the result is a very thorough look at the challenges facing healthcare security today. Healthcare providers and medical device manufacturers would be well-served by a careful review of the report to determine how the adoption of these recommendations might affect their organizations.

Download the Protiviti flash report here.

Manufacturers Are Upbeat About 2017 Business Climate Under New Administration

By Sharon Lindstrom, Managing Director
Manufacturing and Distribution Industry Leader

 

 

 

Four straight months of manufacturing job growth through March this year and a decidedly more pro-business climate emerging in Washington have given many manufacturers good reason to consider 2017 off to a good start.

According to the National Association of Manufacturers’ (NAM) first economic outlook survey of manufacturers since Trump took office, more than 93 percent were feeling positive. This not only represents a high-water mark in the survey’s 20-year history, but it is also up from 56.6 percent a year earlier, said NAM, which represents some 14,000 U.S. manufacturers of all sizes.

We are keeping an eye on Washington’s actions that could have the most impact on manufactures and their investment plans and operations in the near future, including efforts to roll back regulations, reform taxes and renegotiate the North American Free Trade Agreement (NAFTA). We’re also watching how the proposed infrastructure improvements and healthcare overhaul are playing out. They, too, will have a significant bearing on manufacturing decisions.

Big ideas

As we detailed in our Flash Report on the Trump administration’s first 100 days, the focus on deregulation is of critical importance to manufacturers, 94 percent of whom believe that the regulatory burden has increased over the last five years. The new administration has reversed several of the Obama administration policies on environmental reviews related to energy, infrastructure and other projects. President Trump’s executive order for broad regulatory reform, for example, included a public comment period (now closed) on “misaligned regulatory actions” at the Environmental Protection Agency (EPA) that are believed to have impeded economic growth. Congress is also taking up legislation, supported by manufacturers and other organizations, which would require agencies to develop new regulations in the most cost-effective way possible for companies.

Certainly, the media’s attention on the controversies surrounding the administration, including the executive orders, may temper manufacturers’ enthusiasm moving forward. That’s particularly true if, as has been suggested by political observers, the controversies end up thwarting the chances of enacting tax reform and other administration agenda items this year. Geopolitical risks, from North Korea to European terrorist attacks, also could distract attention away from domestic policy making.

Nevertheless, manufacturing leaders to date largely remain optimistic that Washington is focused on their most important interests. Testifying on May 18 at a hearing on how tax reform could spur the economy and job creation, NAM Chairman David Farr told the U.S. House Committee on Ways and Means that “we have the best chance in more than 30 years to advance permanent pro-growth reforms” and to improve the country’s manufacturing competitiveness globally.

At Protiviti, I’ve heard similar sentiments from manufacturers, who say they could make investments to expand, beef up research and development, or accelerate hiring and salaries if tax reform were to include a lower corporate tax rate, favorable treatment of international earnings, and a strong capital-cost recovery system. In 2015, NAM reported that incorporating those and other beneficial tax policies would generate more than $3.3 trillion in new investment and 6.5 million jobs over a decade.

Questions still remain

While it’s clear that the proposed regulation and tax reforms will benefit manufacturers, the effect of a NAFTA remake remains a big question. A 90-day period in which Congress will consult the administration about its goals for an amended pact began in May, and talks with Canada and Mexico officials could begin by the middle of August. Many economists believe that NAFTA has generally benefited the U.S., and some corporations were concerned that a complete withdrawal from the pact would hurt business.

But similar to the recent narrow trade-deal with China, the president has softened his harsh rhetoric on NAFTA in favor of a more judicious approach. The U.S. has proposed a modernization of the agreements, with new provisions on digital trade, regulations, intellectual property rights and other elements. Additionally, automotive executives and labor alike are lobbying for stronger currency manipulation protections in a new deal. Unions are also pushing for updates to procurement and origin rules to better support U.S. workers.

With regard to infrastructure, manufacturing and distribution companies stand to benefit from proposed infrastructure improvements and construction, although as of now it is unclear how much will take place. President Trump’s first proposed budget calls for $200 billion in infrastructure spending, well below the $1 trillion he campaigned on. Some portions of healthcare reform could help companies, as well, particularly the elimination of a special tax on medical devices. But again, these issues continue to evolve and they merit a watchful eye.

Protiviti’s outlook – stay agile

The turmoil in Washington aside, the overall pro-growth tone coming from government has given companies at least some confidence about the industry sector’s outlook in the coming months. Manufacturers that begin planning today will be ready to strike and reap the rewards when policies are enacted. It is best to stay nimble, however, and prepare to address risks in an environment that has the potential for rapid, even tumultuous change.

Pro-Growth Signs in Washington Present Opportunity for Power and Gas Capital Investments

By Tyler Chase, Managing Director
Energy and Utilities Industry Leader

 

 

 

Power utilities trying to gauge what the future regulatory landscape will look like are likely getting frustrated with the political cacophony in Washington. Yet judging by legislative activities in Congress and some of President Trump’s executive orders to date, pro-growth and job-creation policies are clearly top-of-mind among the nation’s lawmakers. For organizations that have been putting off capital programs to expand or upgrade facilities and infrastructure, the business-friendly tone could signal a chance to launch these deferred capital investment programs.

As we pointed out in our Flash Report on the new administration’s first 100 days, Trump reversed a handful of Obama administration memoranda, reports and executive orders that were largely considered by the industry to be red tape bogging down capital investment. Among other actions, Trump eliminated multiple policies that built climate change considerations into federal decision-making and ended White House guidance on energy, infrastructure and other proposed projects. Additionally, in mid-May the Senate Committee on Homeland Security and Government Affairs advanced several bills aimed at regulatory reform that could affect utilities. One of these bills, the Senate version of the Regulatory Accountability Act, would require agencies to develop new regulations in the most cost-effective way possible and has the broad support of power, utility and other industrial organizations.

It is still too early to predict how much of Trump’s proposed agenda will ultimately end up as policy, but clearly the need for new and continued investment in the power and gas sectors is not diminishing. According to the American Society of Civil Engineers (ASCE), which this year gave U.S. energy infrastructure a D+, most of this country’s electric transmission and distribution lines date to the 1950s and 1960s, have a 50-year life expectancy, and were not designed to meet today’s energy demands. ASCE also anticipates a $177 billion funding shortfall for generation facilities and infrastructure through 2025.

Meanwhile, increasing the mix of power generation sources to include wind, solar, geothermal and hydrothermal alternatives, along with a retirement of coal-fired plants in favor of natural gas-fueled facilities, requires expansion investment to ensure the transmission grid’s reliability. As we mentioned in our 100 days Flash Report, Trump policies may ultimately relax federal emphasis on renewable energy sources like wind and solar, but that won’t curtail state mandates for more alternative generation or the progress that utilities are making in that area. A case in point is a 2015 California law requiring utilities to procure 50 percent of their energy from renewable sources by 2030, an increase from an earlier target of 33 percent.

Similarly, while the Trump administration has loosened coal regulations to make the commodity more competitive, the U.S. Energy Information Administration reported in January that the electricity industry was planning to increase natural gas-fired generating capacity by more than 35 gigawatts through 2018. Successful completion of the expansion surge would mark the largest net addition in natural gas generating capacity since 2005 and follows five years of net reductions in coal-fired generating capacity.

Protiviti’s perspective — proceed with caution

Though excitement may be building as a result of the new winds in Washington, organizations pursuing plant or infrastructure capital improvements need to keep in mind the pitfalls and risks that could derail the projects. Power and gas industries are still heavily regulated, and environmental constraints still exert influence on right-of-way, for example. To avoid risks, utilities need insightful and skillful management over planning and execution, including oversight of contract compliance, utilization of efficient and well controlled processes, and project risk assessments, among other services.

If your organization is planning or embarking upon a large capital expenditure to expand or upgrade its plant or infrastructure, here are some questions to ask before proceeding:

  • Will existing management processes provide sufficient visibility into decisions that impact project costs?
  • How are project risks identified, communicated and mitigated throughout the project lifecycle?
  • Are current resources capable of managing the project’s complexity?
  • Is the team of engineers, procurement staff, construction managers, trade contractors and material suppliers familiar with and comfortable working in a regulated environment?
  • Is the organization prepared to vigorously defend project costs during review by regulators, intervenor groups, and the public?

Some companies may be willing to wait and watch until the uncertainty over the implementation of Trump’s agenda begins to clear. Wall Street is certainly cautious and jitters in the market have given some investors pause. Nevertheless, lawmakers largely appear to be concentrating on economic policies intended to create and promote growth. Given the shape and age of the transmission grid along with the continuing transformation of power generating sources, the time is certainly ripe for a conversation about capital investment projects that position utilities for future growth while bolstering grid reliability.

Protiviti subject-matter experts Jon Critelli and Marius Anelauskas contributed to this blog.