NERC Cyber Security Compliance or How to Game the System

From ISA Expo2007:

A panel session was held this morning (Tuesday, October 2nd) on NERC Cyber Security Compliance. One of the speakers was Scott Mix from NERC. Scott explained what it meant to be NERC compliant. He mentioned that meeting NERC requirements was what determined compliance. He used the example that if you had a policy, even if it was the wrong policy, you would be compliant. He then discussed penalties. One of the factors in determining the level of fines was the threat to reliability; that is, the greater the threat, the greater the fine. This brought up the conundrum: you can be NERC compliant by having the wrong policy, which makes the reliability threat high, which can lead to significant penalties. Does anyone sense something wrong with this approach?