board finance & audit committee meeting and special smud

Board Finance & Audit

Committee Meeting and

Special SMUD Board of

Directors' Meeting

Date: Wednesday, January 31 , 2018

Time: Immediately following the ERCS Committee

meeting scheduled to begin at 5:30 p.m.

Location: SMUD Customer Service Center, Rubicon Room

6301 S Street, Sacramento, CA

Powering forward. Together.

AGENDA BOARD FINANCE & AUDIT COMMITIEE MEETING

AND SPECIAL SMUD BOARD OF DIRECTORS' MEETING

Wednesday, January 31, 2018 Customer Service Center, Rubicon Room

Immediately following the Energy Resources & Customer Services Committee Meeting Scheduled to begin at 5:30 p.m.

This Committee meeting is noticed as a joint meeting with the Board of Directors for the purpose of compliance with the Brown Act. In order to preserve the function of the Committee as advisory to the Board, members of the Board may attend and participate in the discussions, but no Board action will be taken. The Finance & Audit Committee will review, discuss and provide the Committee's recommendation on the following:

1 . Erik Krause

2. Casey Fallon

3. Casey Fallon

4. Claire Rogers

DISCUSSION ITEMS

Authorize the Chief Executive Officer and General Manager to award a direct procurement contract to Synergy Companies to install energy efficiency measures in mobile homes in the SMUD Service Area for a total contract amount not-to-exceed $1 .5 million, and for a contract term from March 1, 2018, to February 28, 2018. Presentation: 10 minutes Discussion: 5 minutes

Authorize the Chief Executive Officer and General Manager to award a contract to Wilson Utility Construction Company for the Franklin Substation Construction for a contract amount notto-exceed $20,601,367, and for a term from February 16, 2018 to March 3, 2019. Presentation: 10 minutes Discussion: 2 minutes

INFORMATIONAL ITEMS

Quarterly Procurement Report- 4Q 2017. Presentation: 10 minutes Discussion: 5 minutes

2018 Audit and Quality Services Plan. Presentation: 10 minutes Discussion: 2 minutes

Board Finance & Audit Committee Meeting And Special SMUD Board of Directors' Meeting January 31 , 2018

Page 2

5. Claire Rogers

6. Jennifer Davidson

7. Public Comment

8. Rob Kerth

Audit Reports: Status of Recommendations Report for Q4 2017. Presentation: 0 minutes Discussion : 1 minutes

Provide the summary of SMUD's Power Supply Costs through December 31 , 2017. Presentation: 5 minutes Discussion: 0 minutes

Summary of Committee Direction. Discussion : 1 minute

Members of the public wishing to address the Committee should complete a sign-up form available at the table outside of the meeting room. Members of the public shall have up to three (3) minutes to provide public comment. The total time allotted to any individual speaker shall not exceed nine (9) minutes for the entire Committee meeting time.

Members of the public wishing to inspect public documents related to agenda items may call 916-732-7143 to arrange for inspection of the documents at the SMUD Customer Service Center, 6301 S Street, Sacramento, California.

NOTE: Accommodations are available for the disabled public. If you need a hearing assistance device or other aid, please call 916-732-614 7 in advance of this Committee Meeting.

SSS No. SCS 18-014 BOARD AGENDA ITEM Committee Meeting & Date Finance & Audit

STAFFING SUMMARY SHEET Committee Tuesday, January 30, 2018 Board Meeting Date February 15, 2018

" .. .. .

TO TO

1. Alan Sparks 6. Gary King

2. Brian Daly 7. Stephen Clemons

3. Casey Fallon 8. Jennifer Davidson

4. Erik Krause 9. Legal

5. Nicole Howard 10. CEO & General Manager

Consent Calendar I X I Yes I I No lfno, .schedule a dry run I Bud eted l X I Yes I No (If no, explain in Cost/Budgeted presentatwn. g section.)

FROM (IPR)

Douglas Moore I DEPARTMENT MAIL STOP I EXT. I DATE SENT

Supply Chain Services EA404 7069 1/12/2018 NARRATIVE:

Requested Action: Authorize the Chief Executive Officer and General Manager to award a Direct Procurement to Synergy Companies to install Energy Efficiency Measures in Mobile Homes in the SMUD Service Area for a total contract amount not-to-exceed $1 ,500,000, and for a contract term from March 1, 2018 to February 28, 2020.

Summary: The SMUD mobile home Efficiency program plans to reach up to 6,000 SMUD mobile home customers, who are in great need of energy upgrades . This program will provide energy savings to this underserved community, as mobile home customers tend to be a hard to reach market segment with great needs.

Currently, Synergy Companies is implementing a Manufactured and Mobile Homes Program on behalf of PG&E, SCG, SCE, and SDG&E. Since early 2016, Synergy has served over 6,000 mobile home customers in PG&E service territory and is currently preparing to perform water and gas saving services for PG&E mobile home customers who reside in the SMUD service area.

Because of the significant untapped potential in this hard-to-reach market, and given the opportunity to leverage PG&E's mobile home program, as well as Synergy Companies ' existing infrastructure and expertise, we propose to design and implement a similar mobile home program for SMUD customers. As the necessary program support infrastructure and trained personnel are already in place, Synergy Companies is well-positioned to implement a full-service SMUD Mobile Home Program that can produce significant energy savings, while providing a valuable service to this market.

Synergy was awarded a competitively bid contract for SMUD's Low-Income home Weatherization Program in February of 2017 with pricing that was 28% lower than the only other bidder. Additionally, Synergy' s unique ability to schedule Mobile home visits in conjunction with the PG&E gas efficiency program creates additional savings potential.. Synergy is the only company in all of California providing these services for Mobile homes.

Board Policy: BL-8; Delegation to the GM with respect to Procurement; Direct Procurement (Number & Title)

Benefi ts: Energy Efficiency for customers and to support SMUD's energy efficiency portfolio and low income strategy with verifiable energy savings

Cost/Budgeted: $1 ,500,000; Budgeted for 2018 and 2019 by Retail Product Delivery and Sales, Cost Center 550

Alternatives: None

Affected Parties: Retail Product Delivery, Supply Chain Services, and Synergy Company

Coordination: Retail Product Delivery, and Supply Chain Services

Presenter: Erik Krause

SUBJECT Award Contract to Synergy Company to Install Efficiencies in Mobile Homes Located in ITEM NO. (FOR LEGAL WEON&.VJ

the SMUD Service Area ITEMS SUBMITTED AFTER DEADLINE WILL BE POSTPONED UNTIL NEXT MEETING.

>MUD-1516 1116 Forms Management PageO

SSS No. SCS 18-027

TO

1. Alan Sparks

2. Brian Daly

3. Casey Fallon

4. Chris Trinidad

5. Mike Deis

BOARD AGENDA ITEM STAFFING SUMMARY SHEET

6. Gary King

7. Stephen Clemons


9. Legal

Committee Meeting & Date

Finance & Audit Committee Tuesday, January 30, 2018 Board Meeting Date

Februarv 15, 2018

TO

10. CEO & General Manager

Consent Calendar I X I Yes I I No If no, schedule a dry run Budgeted I X [Yes [

No (If no, explain in Cost/Budgeted presentation. section.)

FROM (IPR) I DEPARTMENT MAIL STOP I EXT. I DATE SENT

Jesse Mays Sunnlv Chain Services EA404 5744 1/18/2018 NARRATIVE:

Requested Action: Authorize the Chief Executive Officer and General Manager to award a contract to Wilson Utility Construction Company (Wilson) for the Franklin Substation Construction for a contract amount not-to-exceed $20,601,367 and for a term from February 16, 2018 to March 3, 2019.

Summary: SMUD has designed the Franklin Substation Project that consists of constructing and operating a new bulk transmission substation (Franklin Bulk substation) that will receive 230kV to be stepped down to 69kV.

Request for Proposal (RFP) Number 170219 .CAB was issued on October 12, 2017 to solicit proposals for a Construction Contractor to construct Franklin Substation. On October 19, 2019 a WebEx pre-proposal conference was held where seventeen (17) contractors attended. On December 21, 2017 three (3) proposals were received and evaluated in accordance with the advertised criteria. On January 9, 2018, SMUD staff requested a Best and Final Offer (BAFO) from the two (2) highest rated proposers, Wilson and RES System 3. The BAFO requested the Proposers to provide revised pricing based on project schedule that was reduced by forty-six 46 days. This request to accelerate the construction schedule is needed to complete the construction and energization of the substation by Summer, 2019, to meet expected system loads. After receiving the BAFO, Wilson's proposal remained as the highest evaluated proposer.

Board Policy: BL-8; Delegation to the GM with respect to Procurement; Procurement (Number & Title)

Recommendation: A ward to Highest Evaluated Responsive Proposer

Award to:

Wilson Utility Construction Company 1190 NW Third A venue Canby, OR 97013

Bidders/Pronosers Notified: 159

Bids/Pronosals Received: ,., .)

SEED Technical Price Total Responsive Points Points Points Score

Proposal Evaluated

BAFO Proposed

Proposals Pass/Fail Rank Amount

Proposal Amount

Award Received 10 50 40 100 Amount Amount

Wilson Construction Passed 10.00 42.43 38.16 90.58 1 $ 20,277,175 $ 20,123,069 $ 20,601 ,367 $ 20,601,367

RES System 3 Passed 10.00 36.52 40.00 86.52 2 $ 19,850,086 $ 19,600,086 $ 19,662,762

Non-Responsive Proposal Proposals Received Amount

Probst Electric $ 22,549, 153

Comments: Recommended award amount is based on an acceptable Best and Final Offer. Probst Electric was deemed nonresponsive for failing RFP Section 6.10 Detailed Proposal, Subsection A, Pass/Fail Requirements, Questions I and 5. Additionally, Probst Electric was not registered with Department oflndustrial Relations at time of bid.

Supplier Diversity Program: Type below see sample below.

The highest evaluated responsive proposer, Wilson Utility Construction Company, is self-performing 29% of this work. Through outreach efforts, Wilson was able to subcontract with SEED verified subcontractors/vendors for 24% of their contract.

Benefits: Provides new substation to meet the future energy demands.

Cost/Budgeted: $20,601 ,367 Budgeted for 2018 through March 2019 by Grid Assets, Cost Center 886

Alternatives: None.

Affected Parties: Grid Assets, Supply Chain Services, and Wilson Utility Construction Company.

Coordination: Grid Assets and Ken Groves, and Supply Chain Services.

Presenter: Mike Deis

Additional Links:

SUBJECT Award Contract to Wilson Utility Construction Company for Franklin Substation ITEM NO. (l'ORUCML IJSEOM.YJ

Construction ITEMS SUBMITTED AFTER DEADLINE WILL BE POSTPONED UNTIL NEXT MEETING.

SSS No. 18-019

TO

1. Casey Fallon

2. Gary King

3. Stephen Clemons


6.

7.

8.


Finance & Audit, Jan. 30, 2018 Board Meeting Date

February 15, 2018

TO

4. Jennifer Davidson 9. Legal

5. 10. CEO & General Manager

Consent Calendar I I Yes I I No If no, .schedule a dry run Budgeted I I Yes I No (If no, explain in Cost/Budgeted

presentation. section.)

FROM (IPR) I DEPARTMENT MAIL I I DATE SENT STOP EXT.

Andrew McDermott Procurement EA404 5862 1/ 12/2018 NARRATIVE:

Requested Action: Informational Item - SMUD Procurement Policy Quarterly Report - 4th Quarter 2017

Summary: In August of2003, the Board of Directors approved the SMUD Procurement Policy and as part of that policy, a commitment was made to report on the SMUD Procurement activities on a quarterly basis.

Board Policy: This report is provided to demonstrate compliance with SMUD Policy No. BL-8 and the following (Number & Title) Policy Elements:

• Competition

• Direct Procurement

• Sole Source Procurement

• Inclusiveness

• Economic Development

• Environmental Procurement

• Responsible Bidder

• Best Value Procurement

• Strategic Alliances

• Protest Policy In the presentation, a breakdown of the fourth quarter year-to-date procurement awards for the year 2017 will be shown along with evidence of compliance to each element of SMUD Procurement Policy.

Benefits: NIA

Cost/Budgeted: NIA

Alternatives: No Board action is necessary

Affected Parties: NIA

Coordination: NIA

Presenter: Casey Fallon

Additional Links:

SUBJECT SMUD Procurement Policy Quarterly Report- 4TH Quarter 2017

ITEMS SUBMITTED AFTER DEADLINE WILL BE POSTPONED UNTIL NEXT MEETING.

SSS No. 2018-2

TO


TO


Finance & Audit January 30, 2018 Board Meeting Date

n/a

1. Jennifer Davidson 6.

2. Gary King 7.

3. Stephen Clemons 8.

4. 9. Legal


Consent Calendar I I Yes I I No If no, .schedule a d1y run I Budgeted I X I Yes I No (Jfno, explain in Cost/Budgeted presentallon. section.)

FROM (IPR) DEPARTMENT MAIL STOP EXT. DATE SENT

Claire Rogers Audit and Quality Services ME-2 7122 1/18/18 NARRATIVE:

Requested Action: Provide the Finance & Audit Committee of the Board of Directors with an informational presentation on the 2018 Audit and Quality Services plan .

Summary: The presentation will review the purpose, authority and responsibilities of Aud it and Quality Services. In addition, the organizational relationship and role in SMUD's overall risk management and control will be presented.

Audit and Quality Services takes multiple steps to create the proposed plan. The objective is to develop a plan that is risk based and focused to deliver value to SMUD. The following key steps are completed : understand SMUD's business environment, organization and strategic goals; assess risk and exposure in achieving goals; understand controls/ strategies in place to mitigate risks; obtain input from executives, managers and key stakeholders; assess impact of prior audit work; availability and expertise of resources and best practices. This information is gathered, evaluated and prioritized to develop the final plan . The audits selected reflect greater business risks, audits that are performed cyclically or areas that may not have as robust systems of internal controls to help ensure adequate business risk mitigation.

Board Policy: Board-Staff Linkage, Board-Internal Auditor Relationship (BL-3) (Number & Title)

Benefits: n/a

Cost/Budgeted: n/a

Alternatives: n/a

Affected Parties: Board, Internal Auditor

Coordination: n/a

Presenter: Claire Rogers

Additional Links

SUBJECT Audit and Quality Services 2017 Annual Plan

ITEMS SUBMITTED AFTER DEADLINE WILL BE POSTPONED UNTIL NEXT MEETING. SMUD-1516 1116 Forms Management

I

SSS No. 2018-3 BOARD AGENDA ITEM Committee Meeting & Date

STAFFING SUMMARY SHEET Finance & Audit January 30, 2018 Board Meeting Date

n/a

TO TO


2. Gary King 7.


4. 9. Legal


Consent Calendar I I Yes I I No lfno, schedule a dry run I Budgeted I X I Yes I No (lfno, explain in Cost/Budgeted presentation. section.)

FROM (IPR) DEPARTMENT MAIL STOP EXT. DATE SENT

Claire Rogers Audit and Quality Services ME-2 7122 1118/18 NARRATIVE:

Requested Action: Informational agenda item to provide Board Members with the opportunity to ask questions and/or discuss recent reports issued by Audit and Quality Services.

Summary: Reports Issued by Audit and Quality Services: Title Re12ort Number

• Status of Recommendations Report for Q4 2017 .... .... ...... ........ .... ... ..... .... ...... ... ... n/a

Board Policy: Board-Staff Linkage, Board-Internal Auditor Relationship (BL-3) (Number & Title)

Benefits: n/a

Cost/Budgeted: n/a

Alternatives: n/a

Affected Parties: Board, Internal Auditor

Coordination: n/a

Presenter: Claire Rogers

Additional Links I

SUBJECT Reports Issued by Audit and Quality Services


SMUD-1 516 1/16 Forms Management Page 1

SACRAMENTO MUNICIPAL UTILITY DISTRICT OFFICE MEMORANDUM

TO: Board of Directors DATE: January 23, 2018

FROM: Claire Rogers

SUBJECT: QUARTERLY REPORT ON THE STATUS OF RECOMMENDATIONS AS OF DECEMBER 31, 2017

Attached for your review is the Status of Recommendations report for the Fourth Quarter of 2017. Prior to this report being finalized , all outstanding recommendations were given to the responsible department Manager/Director for follow up.

The attached report does not include those items deemed to be Low Risk.

12 open items were closed during the reporting period. 6 were not implemented by management and AQS agreed to close them (see page 2 for additional information). The remaining 6 were reviewed to assure implementation in accordance with the management response.

None of the remaining 23 items are currently overdue. The chart below is a breakdown by age and risk of the outstanding items:

Risk

• Extremely High

High

Medium

• Low

0-6 Months 7-12 Months 1-2 Years 2+ Years

If you need further information or wish to discuss any aspect of the report, please contact me at 732-7122 or [email protected] .

Recommendations Closed Without Management Implementation

1. Design Change Notice - Recommendation #1 Grid Assets decided to continue using existing technology after completion of an assessment for converting the current processes to Mclaren which determined that the cost estimate of between $3M to $5M will not provide benefiUvalue to its DCN process for the investment.

2. East Campus Close-Out- Recommendations #1- #3 SMUD does not have documentation to refute Turner's response stating that SMUD approved the agreed upon rates throughout the construction project. Therefore, SMUD decided not to pursue reimbursement with Turner.

3. Innovation Generator- Recommendation #1- #2 The Innovation Generator Program has sunset with the creation of the New Business Development Program in August 2017. Management is establishing the new program and working to incorporate recommendations from the Innovation Generator audit.

STATUS OF RECOMMENDATIONS AT12/31/2017 Report 28006022 Records Management (2014)

Risk RECOMMENDATION RESPONSIBLE DEPARTMENT

Item 01 Include the location of records in the Legal records retention schedule, as required by

Medium Process Imp both the Board and SMUD level policies.

Item 02

Medium Process Imp

After the records retention schedule has been revised to meet the requirements of Board and SMUD level policies regarding the location of records, identify and implement a mechanism to help ensure that the records retention schedule remains current.

Until SMUD or the Documentum vendor, EMC, can get the record destruction feature in Documentum to work appropriately, manually identify records at or past their retention period , notify the record owners that the retention period has been reached, and destroy them after record owner approval .

Legal

STATUS I DATE*

Outstanding 12/31/2015

5 Extensions

Revised to 12/3112018


2 Extensions

Revised to 12/31/2018

Date Issued: 2/17/2015

COMMENTS

The Information Governance Committee (IGC) was presented a short-term recommendation to approve the "location of record" as the "Business Function and/or Custodial Business Unit" on August 4, 2016. For the longterm, the IGC will consider an amendment to SD-16 and AP 07.02.01 to remove or modify the "location of record" requirement. An IGC vote is pending and the outcome is to be placed in the next update to MP 07.02.01 .100 Retention Schedule, tentatively scheduled toward the end of 01 2017.

Records Information Management plans to implement a software mechanism (Zasio) to keep the retention schedule current, which will occur enterprise-wide once all the records evaluations are complete.

SRMA (SMUD Records Management Application) has been in production since Dec 21 , 2016, enabling the destruction of records in EDM. The next steps are to assign retention and begin working with record owners to enable SRMA to be used on their respective documents. After a pilot effort with three business units, Records will work with IT to expand the effort enterprise-wide, which will require substantial , incremental customization of EDM.

• Scheduled completion date I Date cleared Page 1

Report 28006022 Records Management (2014)


Item 03

Medium Process Imp

Work with the record owners throughout Legal SMUD to determine what records exist, who owns them, where they are kept, and how long they are to be kept.

When the records coordinator list is updated, attach it to the retention schedule. Like all policies and procedures, the retention schedule and attached records coordinator list should then be reviewed on a regular basis to help ensure they accurately reflect current practices.

Do not list non-records in the retention schedule. If clarification is needed to help employees understand what is and what is not a record, do so in the records management policy or in a part of the retention schedule other than the records matrix section.

While policies and procedures are, in general , "living documents" that will undergo changes over time due to changes in regulatory requirements, technology, business needs, etc., do not approve draft, or "straw model" policies or procedures for use.

STATUS I DATE*

COMMENTS


Outstanding 2017 plan: Complete identification of records custodians and 6/30/2016 roadshows. Continue records evaluations.

2 Extensions


The Records and Information Management Department has identified three records custodians and more will be added through the roadshows. The first management roadshow was on 1/11/2017, with more roadshows being scheduled for the remainder of the year. We are continuing records evaluations during this time period

2018 plan: Complete records evaluations and update the Retention Schedule. Planned completion date 12/31/2018.

* Scheduled completion date I Date cleared Page 2

STATUS OF RECOMMENDATIONS AT12/31/2017 Report 28005820 Energy Trading & Risk Management

Risk RECOMMENDATION

Item 06a(1)

Medium Process Imp

Item 06a(2)

Medium Process Imp

Increase the frequency of counterparty credit reports, conduct concentration risk analysis of current transactions, supplement rating agency ratings with independent credit scoring for major counterparties, and review potential credit exposures with counterparties using stress testing (referenced in Observation #8) or potential Credit-At-Risk metrics.

In the short term, CRM needs to add more controls and structure to the current spreadsheet environment with an emphasis on a) reducing the overall number of spreadsheets, b) implementing the use of password protection on spreadsheets, and c) reducing manual cutting and pasting by building macros to automatically download data from the transaction capture system and Kiodex™ pricing curves.

RESPONSIBLE DEPARTMENT

Treasury

Treasury

STATUS I DATE*


4 Extensions



4 Extensions



COMMENTS

Management of the Front and Middle Offices have determined that counterparty credit activities will not be included in the scope of the PCI software tool, and will instead be included in the Energy Trading & Risk Management (ETRM) solution project, targeted for 12/31 /18 completion.

Management of the Front and Middle Offices have determined that commodity risk management activities will be included in the Energy Trading & Risk Management (ETRM) Solution project, targeted for 12/31/18 completion .


Report 28005820 Energy Trading & Risk Management


Item 08

Medium Policy/Proc

A. Develop sensitivity analysis around the Treasury most important drivers in SMUD's portfolio.

B. Expand SMUD's current use of stress testing that a) incorporates percentages that are greater than 10 % and 20% across the portfolio, b) applies escalating percentages to delivery months that grow over time, and c) includes periodic stress testing for major operational events.

C. Develop a long-term plan to incorporate stochastic modeling, which would allow SMUD to test the effect of hedging strategies in terms of risk mitigation and cost impact and also calculate an Income-At-Risk metric.

STATUS I DATE*

COMMENTS


Outstanding A-8. Closed - Commodity Risk & Settlements has 6/30/2015 implemented the recommendations.

5 Extensions


C. Commodity Risk & Settlements (CR&S) completed one stochastic modeling pilot and determined the tool would provide no additional value to the process. The second pilot was cancelled due to a business change by the vendor. As a result, the decision was made to explore stochastic modeling functionality within the existing Energy Trading & Risk Management (ETRM) Solution project, targeted for a 12/31 /18 completion.


STATUS OF RECOMMENDATIONS AT12/31/2017

Report 28006032 Business Continuity Plans

Risk RECOMMENDATION

Item 02

Medium Process Imp

Establish a process to ensure the integration of various SMUD BCPs. A multi-disciplined committee could provide leadership in achieving a well-integrated business continuity management program. Individual committee members would represent their respective organizations and identify critical business processes that must be protected after a major disruption occurs. The committee would serve as the focal point for communications regarding the business continuity planning process.


STATUS I DATE*

Workforce Health & Outstanding Safety 11/30/2016

2 Extensions



COMMENTS

Implementation of the 2017 items is anticipated to be completed by December 31. 04 2017 Response: - Departments will be requested to review and update BC plans quarterly. - Complete in 2017 -Throughout the year, communications were sent to each department requesting for updated business continuity plans based on operational and organizational changes. - Bring a consultant on board to develop a single integrated BC plan for the overall organization. - Complete in 2017 - Consultants were hired in July of 2017. A single integrated Business Continuity Plan structure was completed and will be updated in 2018 based on the Business Impact Analysis (BIA) that is currently in process. - Integrate the BC plans to ensure support is available during an incident and supporting departments are aware of the requirements. - Extension: Will continue to be completed per the following 2018 Goal : Update integrated BC plan with Business Impact Analysis by 7/31/2018 Plans have been integrated to highlight crossfunctional support needs. Minimum support and resources required will be highlighted within the business continuity plans. - Continue to identify and develop workarounds when requested support may not be available. - Extension: Will continue to be completed per the following 2018 Goal : Update Integrated BC Plan with business Impact Analysis by 7 /31 /2018 Workarounds are documented within the existing business continuity plans and will continue to be documented as the plans are reviewed and updated annually. - Expand the use of technology to develop SMUD's overall BC plan. -Complete in 2017 New business continuity BIA and BCP templates have been developed. New framework structure for the business continuity plans have been developed -Continue collaboration and enforcement of data governance and records management directives as they develop. -Complete in 2017 - Business Continuity definitions are continuing to be submitted to the data governance team for incorporation into the Enterprise Data Governance process. Records Management processes are being followed by the Business Continuity Program.


Report 28006032 Business Continuity Plans

Risk RECOMMENDATION

Item 03

Medium Process Imp

Have various workgroups provide training, including tabletop exercises, to evaluate the adequacy of their plans and determine areas for improvement. There should also be auditable evidence of training and exercise participation.


STATUS I DATE*

Workforce Health & Outstanding Safety 11/30/2016

2 Extensions



COMMENTS

In 2016 the BCP Governance Team was keenly focused on ensuring that all departments developed and updated their BC plans in 2016. In addition, we identified lessons learned and conducted a gap analysis. Implementation anticipated to be completed by December 31,2017. 04 2017 Update Several lessons learned have occurred and 2017 goals have been identified to mature the process. Objectives include: - Conducting one fully integrated exercise resulting in an overall SMUD BC plan, supported by the departmental BC plans. Complete in 2017. Extension: Will occur again per the following 2018 goal : Complete Integrated BC exercise by 9/30/2018 Several integrated exercises were performed in 2017. - Leverage existing preparedness exercises across SMUD. Complete in 2017 The Business Continuity Program team leveraged the following existing emergency preparedness exercises in 2017: •Fire Drills (Fire Protection) •Everbridge Notification System (Security Operations) •Energy Management System (EMS) failover (Grid Operations) •Siemens Failover (Facilities) - Develop an e-learning course to train employees on BC plans. Extension: based on 2019 Goal To Be Determined [Training] Will be a 2019 goal that will be coordinated by Corporate Learning and Development (OWD).


STATUS OF RECOMMENDATIONS AT12/31/2017 Report 28006280 Material Lifecycle


Item 02

Medium Process Imp

AQS recommends Line Assets perform Grid Assets - Line the following : Assets (1) Line Assets establish a process for line foremen/women to submit accurate as-built material list that reflects the net of materials issued and returned for each job. (2) Line Assets implement an independent post audit review process for closed projects. Although line supervisors perform post audit reviews, an independent review by a quality control team (including designers, engineers, and MPCs who did not work on the project) would provide improved internal control and objective evaluation related to materials reserved , materials returned, management of dates, design, engineering standards, and best practices. (3) Line Assets work with Warehouse to review and update accordingly the Enterprise Risk Management (ERM) risk mitigation strategy related to Warehouse Inventory (ERM Dashboard - Operational Risk #38 Supply Chain : Business Disruption) in order to ensure it represents current procedures.

STATUS I DATE*

COMMENTS


Outstanding Line Assets has implemented countermeasures for 6/30/2017 components (2) and (3) and the changes have subsequently

2 Extensions been tested and deemed effective by AQS.


A process to return material and associate it with specific order numbers has been implemented and field foreman were trained in Q4 of 2017. The process enables crews to return overdrawn material to specific order numbers when the warehouse is not open or warehouse staff is not available at the counter. In addition to the manual bin/order number return process, Line Assets has also implemented a weekly post-job audit process that looks at plan/actual labor and material variance and explores the underlying drivers. Line Assets management believes that the combination of the ECOC physical security, post -job audit process, and the order number based return process, provide the first step in implementing controls over the as-built process. To further strengthen the controls over the as-built inventory for each completed job we will explore the feasibility and cosUbenefit of an automated solution to provide controls for as-built inventory. Line Assets will seek the assistance of Supply Chain , Enterprise Performance, and IT. The timeline for the technology and cosUbenefit study should be completed by 7/1/2018. If an operationally feasible technology/process is identified, the target date for a functioning material specific as-built process will be 12/31/19.


STATUS OF RECOMMENDATIONS AT12/31/2017 Report 28006576 2016 General Computer Controls Review


Item 1

Medium Process Imp

SMUD should continue in their efforts to Accounting develop a strategic long term approach for continuous monitoring and reviewing of SOD conflicts within SAP. We understand that SMUD is in the process of determining a plan for an SOD solution and will continue to make progress in 2017. The plan should include these components: •Determine Whether Mitigating Controls Are in Place - Once SMUD's SOD solution is implemented, there should be a regular review of user access and analysis of potential SOD conflicts. For those areas in which gaps persist or SOD conflicts must exist, management should work with business users to implement mitigating control activities to reduce the associated risk. •Develop SOD Compliance Governing Organization - As a long term, strategic effort in identifying and mitigating future SOD conflicts, management should institute a compliance governing organization in order to maintain adherence to end user access conflicts that represent financial risk. This governing body would measure the relevance and risk of new SOD combinations against the organizations business operations, outline and implement mitigating controls, evaluate both SOD conflicts and corresponding mitigating controls annually to ensure both remain valid for the organization.

STATUS I DATE*

Outstanding 12/31 /2018


COMMENTS

In 2016, SMUD remediated all high risk conflicts that were identified in the 2015 ERP Maestro report. In 2017, SMUD will identify best practices and possible technology solutions to support efficient SOD management. SMUD will evaluate various SOD automation tools and initiate setting up a governing body as a long term effort in maintaining and managing SOD conflicts. The goal at the end of 2017 is to design a best fit , efficient and sustainable SOD management process that helps meet internal and external auditing standards. By the end of 2018, the SOD management process and automation tool will be implemented and a governance team will be identified and functional as an ongoing long-term strategic effort to identify and mitigate future SOD conflicts.


STATUS OF RECOMMENDATIONS AT12/31/2017 Report 28006242 GO 17 4 Distribution Substations - 2016

Risk RECOMMENDATION

Item 03

Medium Policy/Pree

Records Repository: Utilize SMUD's electronic document management system, EDM to manage records. Until DSIR records are kept in EDM, restrict the ability to modify them to employees who have a business need to do so.

Multiple Copies of Records: After validating the electronic file is a "true" representative of the original document,

destroy the convenience copy within 180 days.

RESPONSIBLE DEPARTMENT Grid Assets -Substation, Telecomm & Metering Assets

STATUS I DATE*


1 Extension

Revised to 12/3112018


COMMENTS

Substation Maintenance had requested that the GO 17 4 process be included in the upcoming Information Technology (IT) multi-year EDM rollout to Grid Assets. The planning phase of the project has been completed. An estimate completion date to migrate the G0174 records to EDM has been set to 12/31 /18. The plan will address both existing and ongoing GO 174 records.


Report 28006242 GO 174 Distribution Substations - 2016


Item 04

Medium Process Imp

Review and update the Distribution Grid Planning Substation statuses (Decommissioned, Non-Operational , Sold, etc.) in SAP and develop and implement a process to keep the Distribution Substation data in SAP current.

Update the List of SMUD Distribution Substations (Appendix 8.2 of the DSVIP) and develop and implement a process to keep it current.

Develop and implement a process to review samples of the notifications for accuracy after they have been created to prevent individual inspection notifications from being associated with two locations.

STATUS I DATE*



COMMENTS

Grid Planning has begun implementation of the recommendations as follows: The review and update of the Distribution Substation statuses in SAP was completed by September 8, 2016. Also, process improvements were implemented by November 30 , 2016 to ensure Distribution Substation status is kept current in SAP. The process improvements will be documented in the next update of the DSVIP. A planned completion date of December 29, 2017 has been set for the update. Once the status of the Distribution Substations was updated in SAP, this information was used to update the list of SMUD Distribution Substations on Appendix 8.2 of the DSVIP. Also, an annual review process was implemented to capture changes that may occur throughout the year. The 2016 update of the DSVIP was completed on October 10, 2016. The annual review process will be documented in the next update of the DSVIP. A planned completion dafe of December 29, 2017 has been set for the update. Grid Planning will create a quality control process to ensure accuracy of information in notifications. This process will be implemented by November 30, 2017, prior to releasing the notifications to Grid Assets for execution. As part of the multiyear SAP EAM process improvement effort, ultimately, creation of G.O. 174 inspection notifications will be automated, reducing data entry errors. This component of the multi-year effort has a planned completion date of fourth quarter 2018.



Report 28006263 Fall Protection


Item 01

Medium Process Imp

SMUD's fall protection equipment was Procurement, selected and procured through a Warehouse & Fleet collaborative effort of Health & Safety and Grid Assets. Fall protection equipment manufacturers were invited to the Sacramento Power Academy (SPA) to demonstrate equipment and allow line crews to try out belts and gear. While all the fall protection products are advertised as compliant with OSHA safety regulations on marketing literature and manuals, test performance data for selected fall protection equipment was not requested to ensure compliance to applicable safety standards.

STATUS I DATE*

COMMENTS


Outstanding For all future purchases of fall protection or related tools and 1 /1 /2018 equipment, solicitation documents and procedures will

include mandatory requirements for suppliers to submit test data with bids or proposals. For any purchases of fall protection tools or equipment, documented test data will be a requirement.



Report 28006486 IT Configuration Management


Item 001

Medium Process Imp

The Endpoint Support Staff in IT IT Operations Operations should: 1. Establish a procedure to update and maintain the accurate inventory of all IT End-User computing assets. 2. Establish processes to regularly generate inventory reports for connection policy and software policy compliance. 3. Establish processes to provide the inventory report to management for followup on the status of devices not connected to network in 45 days. 4. Establish processes to monitor and follow-up on the status of discovery of unapproved software installed on devices that are connected .

STATUS I DATE*



COMMENTS

1. IT Operations Management will establish a Group Policy (GPO) that will mandate that devices that have not logged on to the SMUD network within 45 days will require administrator level rights to enable those devices to attach to the trusted SMUD network. All physical computing devices are encrypted so that SMUD data is protected and cannot be accessed. 2. The establishment of inventory reports will be addressed with the implementation of Asset management within the "Service Now" tool set with an implementation date of July 2019. 3. IT Operations Management will establish a process in support of the 45 day reporting requirement per MP 07.03.01.106 Information Security. 4. IT Operations Management will work with Information Security to establish a process to monitor and provide feedback to Information Security regarding unapproved software in accordance with MP 07.03.01 .105 Information Security. With the exception of the Service Now tool set due date of July 2019; documentation will be in place by July 30, 2018.


Report 28006486 IT Configuration Management

Risk RECOMMENDATION

Item 002

Medium Process Imp

Item 005

Medium Process Imp

Recommendations: IT Operations should : 1. Conduct and record the device and user physical inventory of all devices on an annual basis. 2. Provide the results of the device physical inventory location and user information to IT Operations to update and maintain accurate inventory of all IT End-User and other computing assets information that will be used to generate the compliance status reports. 3. Establish a process to regularly review the inventory report and follow-up on the status of devices not connected to network in 45 days, or status of unapproved software installed on connected devices.

Recommendations: IT Operations should: 1. Configure service request status reports for the Support Center Staff to run weekly. 2. Review the status reports for service requests that are unresolved and provide direction on the recommended methods to follow up, assign or re-assign and ultimately resolve the service requests. 3. Develop and implement processes to review inventory reports to discover whether hardware and software control policies are being followed . 4. Document the incident reporting processes for situations when control policies are not being followed .

RESPONSIBLE DEPARTMENT IT Operations

IT Operations

STATUS I DATE*




COMMENTS

Management Responses: 1. IT Operations Management will address the conducting and recording of the device and user physical inventory of all devices with the implementation of Asset Management in Service Now tool with an implementation date of July 2019 and will have the compensating controls in place for encryption as well. 2. IT Operations Management will establish a process in support of the 45 day reporting requirement per MP 07.03.01 .106 Information Security. 3. Documentation in support of the 45 day reporting requirement will be completed by July 30, 2018.

Management Responses: 1. IT Operations Management will implement Service Now tool dashboards that will allow managers and technicians to see the data in a real-time view. 2. IT Operations Management will review service requests status on a monthly basis which we currently have in place with subsequent follow-up as required. However, with the implementation of Service Now, it is anticipated that the management and review of tickets will lend itself to a reduced interval for review by assigning more discreet categories. 3. The documentation of incident reporting will be part of the Service Now implementation. 4. Documentation incident reporting will be completed by July 30,2018


SSS No.

CFO 17-013


2. Stephen Clemons

3. Gary King

4.

5.

Consent Calendar I I Yes


TO

6.

7.

8.

9. Legal


Finance & Audit 2018 Board Meeting Date

TO

10. CEO & General Manager

I xi No If no, schedule a dry run presentation. Budgeted I I Yes I No (If no, explain in Cost/Budgeted section. )

FROM (IPR) I DEPARTMENT MAIL STOP I EXT. I DATE SENT

Jennifer Davidson Business Planning & Budget A312 6343 NARRATIVE:

Requested Action: Provide the Board ' s Finance and Audit Committee with a summary of SMUD's Power Supply Costs for the year-to-date period.

Summary: Staff will present the Board's Finance and Audit Committee with a summary of SMUD's Power Supply Costs for the year-to-date period.

Board Policy: GP-3 (Number & Title)

Benefits: Provides the Board Members with the current information on power supply costs for SMUD.

Cost/Budgeted: NIA

Alternatives: None

Affected Parties: Business Planning & Budget

Coordination: NIA

Presenter: Jennifer Davidson

Additional Links:

SUBJECT Review of SMUD's Current Power Supply Costs

ITEMS SUBMITIED AFTER DEADLINE WILL BE POSTPONED UNTIL NEXT MEETING.

SMUD-1 516 1/16 Forms Management Page O

SSS No.

BOD 2017-035

TO



Finance & Audit 20 I 8 Board Meeting Date

TO


2. Gary King 7.


4. 9. Legal


Consent Calendar I I Yes I xi No If no, schedule a dry run presentation. Budgeted I I Yes I No (If no, explain in Cost/Budgeted

section.) FROM (IPR) I DEPARTMENT MAIL STOP I EXT I DATE SENT

Rob Kerth I Donna Lofton Board Office A310 5079 NARRATIVE:

Requested Action: Committee discussion and consensus on any directives provided to Staff during the Committee meeting.

Summary: Wrap up period at the end of each committee meeting to summarize various Board member suggestions and requests that were made at the meeting in an effort to make clear the will of the Board. Finance and Audit Committee Chair, Rob Kerth , will summarize Board member requests that come out of the committee presentations for this meeting.

Board Policy: GP-4 - Agenda Planning states the Board will focus on the results the Board wants the organization to (Number & Title) achieve.

Benefits: Having an agendized opportunity to summarize the Board 's requests and suggestions that arise during the committee meeting will help clarify the will of the Board.

Cost/Budgeted: NIA

Alternatives: Not summarize the Board's requests at this meeting.

Affected Parties: Board of Directors and Executive Staff.

Coordination: Donna Lofton, Special Assistant to the Board.

Presenter: Rob Kerth, Finance and Audit Committee Chair.

Additional Links:

SUBJECT Summary of Committee Direction


board finance & audit committee meeting and special smud

Documents