A Registered Entities View of an Internal Controls Evaluation
Steven Huber, PSEG Services Corporation
April 15, 2015

Page 1: A Registered Entities View of an Internal Controls Evaluation (title slide: Steven Huber, PSEG Services Corporation, April 15, 2015)

Page 2: Agenda

• Background
• PSEG NERC Compliance Program
• Overview of PSEG Internal Control Program
• Preparation for RF Internal Control Evaluation Program
• Lessons Learned
• Overall Impressions

Page 3: Background

• PSEG has a centralized NERC Compliance Organization (NCO) responsible for the governance and oversight of all PSEG NERC-registered entities (PSE&G, PSEG Fossil, PSEG Nuclear, PSEG Power Connecticut, PSEG New Haven, and PSEG Power NY).
• The NCO initiated an effort to develop a NERC internal controls program in 2013. At that time, NERC began issuing “White Papers” on the matter, but no formalized internal controls program (ICP) guidance was in place.
• Since NERC did not have any formal guidance at the time, and it was unclear how the Reliability Assurance Initiative (RAI) would progress, PSEG developed its ICP to incorporate some basic principles: risk assessment, clear lines of accountability, process adequacy, and evidence retention.
• PSE&G volunteered to participate in a ReliabilityFirst (RF) Internal Controls Evaluation in order to assess the strengths and weaknesses of our ICP.

Page 4: PSEG NERC Compliance Organization

Page 5: PSEG Internal Controls Framework

• Includes principles from other internal control program frameworks (e.g., COSO), but does not strictly adhere to any particular framework. Includes preventive and detective controls, accountability, best practice identification, and documentation adequacy components.
• Rigor is scaled to risk profile. Risk assessment is based on factors including:
  • Inherent risk to the BES from system or process failure.
  • Complexity of the Standard or compliance processes.
  • Extent of documentation required to demonstrate compliance.
• PSEG Internal Assessment Document:
  • One-page summary for each standard & requirement.
  • Used at audit to provide an up-to-date RSAW & evidence.
  • Internal, management & process controls are listed.
  • Sign-off after bi-annual assessment by accountable SME and manager.

Page 6: Sample Compliance Documents

The slide shows excerpts from three PSEG compliance documents: the Self Report Status, the Evidence Tracker, and the Accountability Matrix.

PSEG NERC Self-Report Status (column headings):
Registered Entity | Reporting Date | Docket Number/Password | Region | Violation ID | Standard | Discovery Method | Brief Description | Violation Status | NOPV | Mitigation Plan | Notice of FFT | Settlement/Payment Date & Amt.

Evidence Tracker (excerpt; the "Date of last assessment" and "Date of last RSAW" columns carry no legible values in this extract):
| Standard     | Req't # | Ref # | Evidence Document              | Page # | Section # | Document Date | Version | Owner of Evidence |
| IRO-001-1.1  | R3      | 3     | Delegation of Authority Letter | N/A    | N/A       | 12/10/2012    | N/A     | Wharton           |
| IRO-001-1.1  | R3      | 4     | PJM Manual 1                   | 30     | 4.2.4     | 10/12/2011    | 20      | Wharton           |
| IRO-001-1.1  | R3      | 5     | PJM Manual 3                   | 7      | 1.2       | 12/1/2012     | 41      | Wharton           |
| IRO-001-1.1  | R3      | 6     | PJM Manual 37                  | 4      | 1         | 6/1/2011      | 7       | Wharton           |
| IRO-001-1.1  | R3      | 7     | PJM Operating Agreement        | 90     | 11.3      | 2/6/2012      | N/A     | Wharton           |

Accountability Matrix (excerpt) column headings:
Standard | Enforcement Date | Actively Monitored | Description | Function | RSAW date | Self-cert Date | Reporting Period | Periodic Data Submittal | Assessment Due Date | Self-assessment Completed? | Assessment Received | Last Audited | Comments | Accountable SME | Owner

Accountability Matrix rows, grouped by standard family (values listed in the order they appear on the slide; the exact column alignment of the dates is not recoverable from the extract):

Communications
COM-001-1.1 | 5/13/2009 | N | Telecommunications | TOP | *PJM TO/TOP Matrix | Ramtin Pourmand; Jeff Mueller | 9/2012 | 2/28/2013 | Y | 2/26/2013 | 10/2012 (TO/LCC)
COM-002-2 | 6/18/2007 | N | Communications and Coordination | TOP | *PJM TO/TOP Matrix | Bob Green; Ron Wharton; Jeff Mueller | 9/2012 | 2/28/2013 | Y | 2/26/2013 | 10/2012 (TO/LCC)

Critical Infrastructure Protection
CIP-001-2a | 10/1/2011 | Y | Sabotage Reporting | TO, LSE | Leslie Morton; Jeff Mueller | 8/15/2013

Emergency Preparedness and Operations
EOP-001-2.1b | 7/1/2013 | N | Emergency Operations Planning | TOP | *PJM TO/TOP Matrix | Ron Wharton; Jeff Mueller | 2/28/2013 | Y | 1/30/2013 | 10/2012 | EOP-001-0 (TO/LCC)
Comments: RSAW form for v2.1 was not available at time of assessment; v5.1 of PJM TO/TOP was not complete at time of assessment; assigned tasks for new version of standard unknown at time of assessment.

Page 7: PSE&G Experience with RF Internal Controls Evaluation

• PSE&G was very interested in participating in an assessment to evaluate how the ICP we developed integrated with the NERC Internal Controls Evaluation Framework.
• We reached out to RF in the late summer of 2014.
• The assessment was conducted during the fall, with an on-site evaluation in early December.
• The process started with a selection of key standards to be evaluated, which we felt had higher risk. We agreed upon 7 (PRC-004, PRC-005, PRC-008, PRC-017, PRC-023, FAC-003, and FAC-008).
• At that time we began the process of evaluating our ICP in the context of the GRIPM framework.

Page 8: First Impression of the Grid Reliability Improvement and Performance Model (GRIPM) Framework

• At first we were overwhelmed by the GRIPM framework.
• There was very little alignment with our ICP.
• RF clarified that we would be evaluated under four of the GRIPM elements:
  • Asset Configuration and Management
  • Grid Maintenance
  • Risk Management
  • Reliability Quality Management

Page 9: Preparation for PSE&G’s Internal Control Evaluation

PSE&G prepared for the ICE by developing a project plan while simultaneously mapping the GRIPM elements to elements within PSE&G’s control processes.

Mapping
• Mapped all of the GRIPM attribute areas to existing process documentation.
• Created spreadsheets with Q&A sections to provide additional details on compliance processes for integration into submittal packages.
• NERC issued RAI guidance in October 2014, which RF incorporated into the review. This was something of a curveball, and resulted in some additional inquiries.
• In order to address those inquiries, PSE&G reassessed some responses and provided some alternative compliance artifacts.

Project Management
• Managed the ICE as if it were an audit.
• Identified subject matter experts.
• Assigned tasks and deadlines.
• Some SMEs were identified outside the normal NERC universe (e.g., the Vice President and Chief Risk Officer for some corporate-level risk management processes).
• Created submittal packages including documentation such as processes, flow charts and evidentiary-type compliance artifacts.

Page 10: Example Mapping Document

Page 11: Observations and Recommendations

• PSE&G’s experience with the ReliabilityFirst Internal Controls Evaluation was extremely positive.
• The process was collaborative and cooperative.
• The GRIPM framework has some valuable attributes, but not all of the elements apply to all of the standards.
  • Consider using it as something of a tool box. Depending upon the situation and standard, certain tools (objectives and activities in the GRIPM) should be applied. They will vary by standard, and even by registered entity.
• The 5-point assessment scale is good, but could be improved.
  • During our review, we didn’t get any recommendations on control improvements, but we did get some overall recommendations.
• NERC might want to separate the assessment of controls from the assessment of some of the other elements of a compliance program (e.g., bench strength for critical positions, clear and unambiguous procedures, etc.).

Page 12: Lessons Learned

• Preparation time was substantial, but not of the magnitude required for a standard 693 audit.
• Needed to consider “best practices” and other processes which are outside the “four corners” of our compliance program.
• Since the ICE was voluntary, convincing the subject matter experts and Line-of-Business management to commit the time required to prepare for the endeavor took some effort.
• PSE&G feels that the process was extremely valuable, and we would recommend it to others.
  • It provided us with insight into how RF views the control environment and gave us some ideas on how to improve our ICP.
  • It was a factor in the scoping of our upcoming 693 audit, and resulted in a significant reduction in audit scope.
  • It has provided us with an opportunity to obtain self-logging privileges.
