Be a HERO: Incorporating HRO Principles into Internal Compliance Programs

A highly reliable and secure North American bulk power system. This simple concept is Midwest Reliability Organization’s (MRO) vision. Your organization may also have a similar vision. But unfortunately, achieving a reliable and secure North American bulk power system (BPS) is easier said than done. Life in general is unpredictable, and when you consider the complexity of operating a system as intricate as the BPS, the unpredictable challenges become numerous.

NERC Reliability Standards define the reliability requirements for planning and operating a reliable and secure bulk power system, and while the NERC Standards are effective, they are only part of the story. As NERC registered entities, we are obligated to comply with the NERC Standards, but being compliant doesn’t necessarily make us reliable and secure. However, the inverse is also true: If we are reliable and secure, we are most likely going to be compliant, and compliance obligations suddenly become much less burdensome. Win-win, right? Another way to look at it is like this: compliance folks are uniquely positioned to have a hand on the pulse of many aspects of an organization. Why not leverage that wide-angle perspective for the betterment of the entire company? But how do you accomplish that? That’s where the High Reliability Organization principles – also called HRO – come in. Understanding and embracing the HRO principles puts you on the path to becoming an MRO HERO, which enables us to operate reliably and securely while remaining compliant with the NERC Reliability Standards.

MRO uses the theory and principles of HROs as a framework for ensuring reliable operations. This concept has been integrated with MRO’s mission “to identify, prioritize and assure effective and efficient mitigation of risks to the reliability and security of the North American bulk power system by promoting Highly Effective Reliability Organizations® (HEROs).” HEROs are organizations that have succeeded in avoiding catastrophes in environments where accidents can be expected due to complexity, interdependence, and risk.

HEROs are not perfect and will eventually make mistakes. HEROs follow the five main principles of the HRO framework, which were first introduced by MRO staff over a decade ago and have been a fixture in MRO outreach ever since.

HRO principles help to build, thrive in, and sustain healthy cultures. They are a set of tools to have in your toolkit as part of a healthy Internal Compliance Program (ICP), much like incorporating attributes from the MRO’s ICP Questionnaire, answering FERC’s 13 Questions, and being a part of the self-logging or Events Analysis programs. Applying HRO principles – and thus, becoming an MRO HERO – is not a NERC requirement (no audits!), and it doesn’t require any special tools, software, or training. The best news is that you may already be incorporating some HRO principles without even realizing it.

History of HRO Principles

Until the late 1970s, interest in disasters was primarily backward-facing (the response) rather than forward-facing (prevention). There was a general acceptance that “accidents happen” and failures were inevitable. However, during the 1980s and 1990s, focus started to shift to disaster prevention. Among others, Karl E. Weick and Kathleen M. Sutcliffe researched the subject, and their work was eventually published in a book, “Managing the Unexpected: Resilient Performance in the Age of Uncertainty.” It was at that time that Weick and Sutcliffe formally identified the five HRO principles that we are familiar with today. The five principles are:

  1. Preoccupation with failure
  2. Reluctance to simplify operations
  3. Sensitivity to operations
  4. Commitment to resilience
  5. Deference to expertise

Collectively, these principles represent a culture that embraces a state of collective mindfulness. That cultural shift and state of mindfulness are what separates HROs (and MRO HEROs!) from traditional organizations.

The purpose of this article is to continue the discussion on HROs, but within the context of your ICP. Hopefully this article and its suggestions will help everyone develop their own practical application strategies. Keep in mind that the HRO principles often bleed together, so some of the ideas suggested in the sections below may be a good fit for more than one principle. The actual categories aren’t important – the main point is to demonstrate that a strong compliance program that focuses on risk, because of its involvement in many areas of the company, is a great asset that should be leveraged. Soon we can all be on our way to becoming MRO HEROs! 

HRO Principle 1: Preoccupation with Failure

To be preoccupied with failures rather than successes means that HROs encourage reporting errors, they sweat the small stuff, and they use a robust feedback system. They treat even small mistakes as potential symptoms that something is wrong with the system, something that could have severe consequences if several separate small errors coincide. They also make a continuing effort to articulate mistakes they don’t want to make; they have a preoccupation with failure.

Some organizations can ignore small issues. HROs can’t. HROs take any level of failure seriously. Even more, HROs look at possible breakdowns and try to address them before there is an issue.

Some organizations isolate, blame, or punish people who make mistakes. HROs don’t. They don’t because most failures are more systemic in nature. HROs have a culture that encourages employees to raise concerns and they also have a tone from the top that is consistent with HRO principles, which include the promotion of transparency.

HROs recognize that no matter what the issue, or how many people may be involved, small problems are easier to fix than large ones.

Here are some ideas for incorporating the preoccupation with failure principle into your own ICP:

  1. Perform a detailed assessment of possible noncompliance (PNC), close calls, near misses, issues and circumstances that are gray. Not only does this help to determine whether a PNC has occurred, but it also helps to determine if there was an impact to reliability or security of the BPS or your own local electric system. Make sure you have a solid investigation process that includes a reporting template. The assessment should include recommendations to prevent reoccurrence, with a method for accountability, even for issues that do not need to be reported.
  2. Another idea is to keep a log of self-identified close calls and near misses. This will help to identify trends and higher risk areas, and help you learn from events. Near misses are an opportunity for improvement and not necessarily a bad thing. When assessing a near miss, be sure to think about the “what ifs” and “how can we do it better?”
  3. Finally, when a PNC is identified, absolutely do report it to the MRO. This gives MRO some indication of detective and corrective internal controls. And speaking of engaging with the MRO, whether you’re working with the auditors during an audit, RAM staff while working through a PNC/self-log/self-report, or RAPA working through the Event Analysis process, be sure to encourage open, technical discussions focused on reliability and security. This creates a shared understanding of the risk profiles of your organization, how that risk is managed, as well as the controls, procedures, processes, and tools that are in place to mitigate risk.

HRO Principle 2: Reluctance to Simplify

To be reluctant to simplify interpretation means that HROs take deliberate steps to create a complete picture. They encourage varied experiences and differences of opinion without destroying nuances that diverse people detect. HROs understand that a simple answer to a complex problem may indicate a less than full understanding of the problem. When they “recognize” an event as something they have experienced before and understood, that recognition is a source of concern rather than comfort. The concern is that superficial similarities between the present and the past mask deeper differences that could prove significant.

Reluctance to simplify is largely about culture: A culture of trust. A culture of respect. A culture of inclusion. A culture where people can feel free to express their views without worry of being attacked and know that others will listen. The cliché “seeing is believing” is well known. But how about if we reverse it and say instead, “believing is seeing”? We can only see what we are prepared to see. The way to be prepared is to diversify, which means having a variety of ideas, opinions, and experiences available when forming teams, making plans, and making decisions. Diversity enables preparedness and the ability to identify, acknowledge, and address a complex situation.

In short, doing the hard work now will position your organization for greater reliability over the long run.

Looking to pursue reluctance-to-simplify within your own ICP? Here are a few tips to get started:

  1. Make sure employees know they will not be punished or blamed for coming forward with an identified issue, so they are not inclined to downgrade or hide accidents, near misses, or other issues. Create a safe space and an environment for people to learn from mistakes so that small mistakes don’t become big problems. As a certain compliance manager says, “Fail Fast, Fail Cheap, and Fail Forward.”
  2. Seek out root causes, not easy fixes. When performing root cause analyses, work with Subject Matter Experts (SMEs) and don’t try to do the investigations yourself.
  3. When performing a root cause analysis, have a questioning attitude and ask, “Did we go far enough?” Root cause analysis can be challenging, so make sure you have trusted tools. One great tool is the “five whys.” If at any point during a root cause analysis, the conclusion is “human error,” you likely did not go far enough.
  4. When identifying a solution to a problem, take the time to understand how the solution could impact other business units. Consider if any unintended consequences could occur and involve other business units in that assessment.

HRO Principle 3: Sensitivity to Operations

To be sensitive to operations means that HROs want to know how things work, not just how they are supposed to work. They treat deficiencies in normal operations as “free lessons” that signal the development of unexpected events. HROs are attentive to the front line where the real work gets done. People who refuse to speak up out of fear undermine the system, resulting in less knowledge than is needed for the system to work effectively. It makes no difference why the information is withheld—whether it is for reasons such as fear, ignorance, or indifference—the result is the same.

Sensitivity to operations is focused on making sure tools and resources are available at the business unit level to enable staff to handle changing situations, so as situations change, decisions and modifications can be made accordingly. It also means that managers pay attention to whether processes are effective and that they are in fact, serving the needs of the organization. And finally, when changes are needed, HROs make sure they are not adversely impacting field personnel while implementing continuous improvement opportunities. Trust is placed in front-line employees, and they are encouraged to speak up with problems and suggestions for improvement. In addition, all staff either directly have authority or have access to someone with authority.

Within your own ICP, consider these examples of implementing a sensitivity to operations:

  1. Think about how you can improve on your management of change as it relates to people. One idea is to implement a “Job Change Workflow” so that every time someone enters or departs the organization, transfers jobs, or changes SME duties, a “Job Change Workflow” is triggered in your compliance management system. This workflow enables the Compliance Department to review physical, electronic, and information access rights, documentation responsibilities, SME assignments, etc., and update accordingly. The Compliance Department receives immediate notification from Human Resources of all personnel changes, and this notification is what triggers the workflow.
  2. Another example is a centralized Facility Ratings database – all work is planned and scheduled in a corporate database, so any ratings changes are identified there, and all crews/staff are alerted to the change. Weekly meetings allow coordination of ratings changes.
  3. Finally, for whatever process improvements you set out to make, begin with the end in mind. Once you know where you’re going, ask: “How do we get there?” or “What do we need to get there?” Look at how the problem has been solved in another part of the organization, or even reach out to your Compliance contacts for ideas!

HRO Principle 4: Commitment to Resilience

A commitment to resilience means that HROs develop capabilities to detect, contain, and recover from those inevitable errors that are part of an indeterminate world. HROs develop behaviors that allow individuals and their organizations to be resilient. HROs approach unplanned events in terms of mitigation and rapid recovery. The hallmark of an HRO is not that it is error-free, but that errors don’t disable it. Resilience is a combination of keeping errors small and of improvising workarounds that allow the system to keep functioning. Both these pathways to resilience demand deep knowledge of the technology, the system, one’s coworkers, and most of all, oneself.

A commitment to resilience means a willingness to learn from past incidents, both within and external to the organization. HEROs quickly contain errors and still function despite the occasional setback. Training is a big part of this principle, but so is the concept of communal knowledge. Are employees able to rely on one another? Are they able to participate in special projects or “stretch” assignments?

There are many ways to incorporate a commitment to resilience within your ICP. Here are just a few:

  1. Does your Compliance Department read MRO’s annual Regional Risk Assessment (RRA)? Yes? Good! Does anyone else within your organization? If not, they should be. The RRA is a highly beneficial document chock-full of information related to the identification of risks within MRO’s regional footprint. This information is invaluable as you pursue your own risk assessment.
  2. Does your company read NERC’s Lessons Learned and other industry Lessons Learned reports? If not, you ought to be. And in addition to simply reading the documents, consider developing a process to distribute that information to the appropriate SMEs, and follow up with them on any changes made as a result.
  3. Another aspect of the commitment to resilience principle is internal controls. Internal controls are a forward-facing mechanism to ensure that what you want to happen in the future happens (and what you don’t want to happen, won’t). Consider making internal controls a part of everything you do.
  4. When it comes to interacting with the MRO staff, don’t only discuss your internal controls within the context of an audit. Make them a part of everyday conversations! MRO wants to understand your internal controls as context to how you identified a risk, how you addressed it, and what you are doing to mitigate it. When it comes to internal controls, if you are in an audit and internal controls are being discussed, sometimes an auditor might ask questions that don’t obviously tie to the requirement that’s in scope. One reason for this is to better understand upstream and downstream processes. Another might be to have a frame of reference for future responses. Remember: Audits are an opportunity for improvement – an outside look at the organization to see how well controls are working, how well risk is being managed, and how best to leverage continuous improvement opportunities.
  5. Processes are an implementation of this principle. Design processes so that they are as simple as possible, as well as standardized, so that people are able to do things the same way every time. Standardization makes it easier to train people on the processes, makes it apparent when a process fails, and makes it easier to target areas for improvement when there is a failure. Remember: When documenting your processes, sometimes fewer words are better. Checklists and flowcharts can be a wonderful way to document a procedure!

HRO Principle 5: Deference to Expertise

HROs make decisions based on the technical truth and rely on the people with the most expertise. They understand that decisions that defer to technical expertise are likely to be timelier and more correct. Decisions made on the front line migrate to the people with the most expertise, regardless of their rank.

In an HRO, team members defer to individuals with the most knowledge or experience in any given situation – regardless of title or rank. This is important because employees with the most experience are likely to have a better perception of where errors can occur and what changes or internal controls should be implemented to prevent them. These individuals should be allowed to ask questions freely, ask for and receive feedback, and suggest innovative ideas without being perceived as disruptive.

As you ponder deference to expertise for your own ICP, here are a few ideas:

  1. Hold compliance team meetings with all SMEs to deliver a consistent and far-reaching message, to tell stories, get to know each other, develop trust, and understand each other’s work.
  2. Lean on your SMEs. The SME concept is incredibly important. Don’t try to tell your SMEs exactly what they should do. Ask them, “What’s the best way to accomplish this task/comply with this standard/implement this control?” They will know if something will work or not.
  3. In addition, be sure to involve SMEs in the standard development process. Look to them to provide feedback during the commenting process. It’s easy to make this a low priority, but getting staff involved in reviewing and commenting avoids questions like, “What is the intent of the requirements?” and “How do we prove compliance?” The SME may not be as savvy as you in reading the standard, so be ready to help them out. Speaking of standards development, once a new standard is identified, perform an impact assessment right away, even before the standard is approved by FERC. A strong process, templates, and defined roles in the standards development process will make this much easier to manage.
  4. As your SMEs approach retirement, allow them the time to document as much of their knowledge as possible and pass it along to those who will take the reins. Doing this builds “bench strength” and shortens the learning curve where inexperience can be costly.
  5. Finally, when writing procedures, clearly lay out roles and responsibilities throughout. Another note on procedures: Don’t have two sets of “books” (one for compliance and one for other/maintenance activities). Blend them together. Fit compliance into what they are already doing whenever possible.

Leadership Role in HROs

Strong leadership, beginning with the “tone at the top,” is imperative in successful implementation of these principles. Leadership has to believe that focusing on reliability and security will allow compliance to simply be a byproduct of your everyday work. However, leadership within an HRO is not confined to specific positions or job titles. Leadership exists at all levels and in all groups, both formally and informally. As stated before, the HRO principles, and becoming a HERO, have as much to do with culture as anything. However, leadership will foster trust and respect, which ensures that people feel their opinions are valued and that negative behavior will be addressed. Strong leadership can set the stage for a commitment to becoming an MRO HERO.

MRO firmly believes applying the HRO principles into your own organization will reduce your performance risk and lead to improved reliability and security of the BPS. Developing an HRO state of mindfulness leads to more repeatable and better refined internal controls, policies, procedures, and tools to help manage the risk that your organization inherently has. It will also help with open, transparent communication so that the auditors, RAM, or RAPA teams will more quickly understand your organization and how the information you provide to MRO is part of the bigger picture.

At the end of the day, both NERC registered entities and MRO ultimately have the same goal – to manage risk in pursuit of a highly reliable and secure North American bulk power system. Embracing the HRO principles and becoming an MRO HERO will get us all well on our way to achieving that goal. Challenge yourself to try something new, because standing still is not moving forward.

How do you know if your organization is a HERO?

MRO adapted a HERO Survey that allows companies to assess how well they implement several activities that support the five HRO principles. The survey results inform respondents of where they are highly effective and reliable, and where work remains to be done. The survey can be downloaded from MRO’s website and shared across your organization. You can take the survey now, and then take it again after implementing changes based on the survey results. The survey is an excellent tool to strengthen awareness and build a capacity for mindfulness within your organization.



Theresa Allard is the NERC Compliance Manager at Minnkota Power Cooperative (MPC), a generation and transmission cooperative that serves eastern North Dakota and northwestern Minnesota.  Allard became involved in NERC Compliance in 2010 as a Compliance Coordinator and has been the Compliance Manager since 2015.  She is responsible for implementing MPC’s NERC Compliance Program, which includes oversight of both the Critical Infrastructure Protection (CIP) program and Operations and Planning standards.  Allard is currently a member of the MRO CMEPAC. She earned a Bachelor of Science in Industrial Technology from the University of North Dakota and has been a member of the Minnkota team since 2007.  In her free time, Allard enjoys warm weather outdoor activities such as running, golfing, kayaking, and camping.

Kevin Lyons has 22 years of electric utility experience, serving the last 12 as Regulatory Compliance Administrator at Central Iowa Power Cooperative.  His education includes a BA in Marketing and an MBA in Finance, both from the University of Iowa.  Kevin currently serves on the CMEP Advisory Council and the MCCF Board of Directors.  He and his wife Jennifer have three children and one grandchild.  In his free time, Kevin enjoys golfing, fishing, shooting pool, and playing cards.


MRO is committed to providing non-binding guidance to industry stakeholders on important industry topics. Subject matter experts from MRO’s organizational groups have authored some of the articles in this publication, and the opinion and views expressed in these articles are those of the author(s) and do not necessarily represent the opinions and views of MRO.