Operational SOPs and safety procedures, governed across dispersed sites

The situation before

Dolomiti Energia operates across multiple utility sectors — electricity generation from hydroelectric plants, electricity distribution across a regional grid, natural gas distribution, district heating, and water services — in the Trentino region of northern Italy. The operational footprint spans roughly twelve geographically dispersed sites, from generation facilities in mountain valleys to urban customer-service centers to central corporate offices.

Before the consolidation, operational documentation reflected the geographic dispersion. Each site maintained its own SOPs, safety procedures, and operating instructions. Corporate-level policies and the ISMS documentation for ISO 27001 sat with central teams. Cross-site coordination happened but was informal — a site could revise its own SOP without triggering a tenant-wide review. An auditor asking about a specific SOP at a specific site received evidence assembled by that site; an auditor asking about consistency across sites received the honest answer that consistency was enforced socially, not systematically.

This worked reasonably well for day-to-day operations. It worked less well for audits. ISO 9001 surveillance and ISO 27001 recertification both expect controlled documentation with demonstrable consistency. Dolomiti Energia’s program passed previous audits but always with the team working at high intensity in the weeks leading up to them.

Why the utility sector has specific challenges

Utilities operate under multiple intersecting regulatory frameworks. Italian sector-specific rules (from ARERA, the national energy regulator), ISO 9001 quality management, ISO 27001 for the ISMS that governs grid-operations data, GDPR for customer data, and increasingly NIS2-adjacent requirements for critical infrastructure cybersecurity. Documentation requirements cut across all of these.

A specific operational pressure: field-operations SOPs must be accurate and current because field teams act on them. A safety procedure that’s three revisions out of date doesn’t just create an audit finding — it creates a potential safety risk. The operational and regulatory pressures align: both want the published version to be the approved version, reliably.

What Dolomiti Energia adopted

Over approximately three months, Dolomiti Energia rolled out docs365.ai across operational SOPs, safety procedures, ISMS documentation, and selected corporate policies. The implementation happened inside the existing Dolomiti Energia M365 tenant — SharePoint Online as the substrate, the active-lifecycle layer providing governance.

The operational patterns:

• Sequential approval with site-specific middle steps but organization-wide fixed approvers. Central Quality, central HSE (Health, Safety, Environment), and central Legal are fixed approvers for specific document types. A site can initiate a revision to its own SOP, but the revision goes through the central approvers for content types where organization-wide consistency matters.
• Automatic PDF publication replacing the manual site-level export-and-upload routine. The moment approval completes, the PDF lands in the public area of the library, visible to everyone at every site.
• Distribution lists configured per document type, so when an SOP publishes, the specific teams who need to know get notified automatically. No manual “please forward to everyone” emails.
• Expiration reminders driving annual review for operational SOPs, biennial review for corporate policies, and regulatory-change-triggered review for documents tied to specific sector rules.
• Audit log on every document, providing the clause 8.5 evidence for ISO 9001 and the documented-information evidence for ISO 27001’s ISMS.
• Versioning — critical for the “what procedure was in force when this field incident occurred” question that sometimes arrives.

The ISO 27001 angle

ISO 27001 requires controlled documentation for the ISMS itself — the information-security policies, procedures, and records that define how the organization manages security. Dolomiti Energia’s ISMS scope includes grid-operations data, customer billing data, and IT infrastructure documentation.

The active-lifecycle product provides the documented-information control that ISO 27001 expects. Versioning preserves the ISMS’s evolution. The audit log shows review-cadence adherence. Sequential approval produces evidence that changes to ISMS documentation are reviewed by the right roles before publication.

During the most recent ISO 27001 recertification, the auditor sampled ISMS documents directly from the library. The evidence was available as retrieval rather than reconstruction. Zero findings in the document-control domain.

How field operations changed

The most visible change happened at the field-operations level. Before, a hydroelectric plant technician opening a maintenance SOP would check the local copy in their site’s folder — which might or might not be the current version, depending on whether corporate had last synchronized the update. Now, the same technician opens the procedure from the shared library, and the version they see is definitionally the current one: it was approved, published automatically, and distributed to their team’s notification list.

This sounds like a minor operational improvement. It isn’t. In utility operations where a wrong procedure can have safety consequences, the reliability of “the version I see is the version in force” matters disproportionately. Incident investigations over the past year haven’t surfaced any “but the technician was following an old version” findings. Partly because of improved operational discipline; partly because the documentation system no longer allows that failure mode.

What changed for Quality and Compliance

Audit preparation time. Previous ISO 9001 surveillance audits involved one to two weeks of Quality-team preparation: pulling documents, reconciling versions, verifying approval evidence. The most recent audit involved about two days of preparation. The difference is roughly two Quality-team weeks per surveillance cycle, recovered.

Cross-site consistency. The dashboard shows cadence adherence and approval patterns across sites. Outliers — a site whose SOPs are trending overdue, a document type where rejection rates are unusually high — surface in the quarterly management review. Cross-site consistency became a managed metric rather than a hoped-for quality.

ISMS maturity. The ISO 27001 program moved from “we have the documentation” to “we can prove the documentation was reviewed on cadence by the right roles.” The audit log is the evidence; the dashboard is the aggregate view.

What we’d point other utility organizations to

If you run a similar profile — multi-site utility operations, dispersed field teams, ISO 9001 + ISO 27001 double certification, sector-specific regulator oversight, safety-critical SOPs where operational consequence matches regulatory pressure — the Dolomiti Energia pattern is worth examining.

The key architectural decisions that made the program work:

1. Centralized governance, site-specific content. The template library is organization-wide; the actual SOPs reflect site-specific operations.
2. Fixed approvers for organization-wide roles (Quality, HSE, Legal); variable middle approvers for site-specific expertise.
3. Automatic publication eliminates the manual sync step that was the main source of version drift.
4. Distribution lists ensure the people who need to know about a new SOP version hear about it in the same transaction as the publication.

A thirty-minute conversation walks your operational profile against this pattern and identifies where the fit works and where it doesn’t.