Reliability Assurance Initiative

NERC Reliability Working Group July 25, 2013

DESCRIPTION

Reliability Assurance Initiative. NERC Reliability Working Group July 25, 2013. What is RAI?

TRANSCRIPT

  • NERC Reliability Working Group, July 25, 2013

  • A collaborative effort between NERC, the Regional Entities, and registered entities to identify and implement changes that enhance the effectiveness of the Compliance Monitoring and Enforcement Program

    Represents risk-based compliance monitoring
    Focuses on risks to reliability
    Enforcement will be reserved for significant matters
    It is a customized compliance approach
    Individualized scoping for each registered entity
    Reduces administrative burdens and distractions

  • If the end state compliance monitoring and enforcement program is effective* at providing reasonable assurance through compliance monitoring, appropriate deterrence through enforcement and a feedback loop to continuously improve reliability standards.

    *resources expended to achieve and monitor compliance and carry out enforcement are sufficient on the larger risk areas and not necessarily over applied on the lower risk areas.

  • The four components of the RAI are:
    Assessing Reliability Risk
    Scoping Compliance Monitoring
    Processing Possible Violations in Accordance with Risk
    Strengthening the Feedback Loop to the Standards Development Process

  • Definition of risk to the BES
    Instability, uncontrolled separation, or cascading failures
    System-wide risks to the BES
    Entity's Risk to the BES
    Inherent risk is a function of registrations and other relevant factors like system design, configuration, size, etc.
    Control risk is a function of the entity's internal controls established to reduce risk of violation or system event.
    These two components will be considered in determining an entity's risk profile or risk assessment.
    Project currently underway to determine a regional approach to develop a prototype for risk assessment.

  • Analysis of risk assists an entity to deploy controls more effectively.
    Review should focus on greatest threats to reliability based on impact and likelihood of occurrence.
    Cost of a control should not exceed benefits.
    Reliability Standards are dynamic and methodology should be flexible enough to adapt with changes.
    There is no one size fits all model.

  • One size does not fit all!!!

    Entity | BA | DP | LSE | TO | GO | GOP | IA | PA | PSE | RC | RP | RSG | TP | TOP | TSP
    Entity A (Co-Op): XXXXXXX
    Entity B (Gen): XX
    Entity C: XXXXXXXXXXXX
    Entity D: XXXXX
    Entity E (SoCo): XXXXXXXXXXXXXX

  • Identify Risks; Prioritize Risks; Assess Risks; Dev Assmnt Criteria; Assess Risk Interaction; Respond To Risks; Assess Risks; AKA Internal Controls

  • What are risks to reliability of the bulk electric system?
    Consider registered functions.
    Review event analysis of the entity.
    Review operational issues in the industry.
    What keeps me up at night relative to reliability?
    What are compliance risks for the Standards?
    Are there stumbling blocks to compliance for the entity?
    Review self-reports for the entity (are there problematic standards?).
    Review frequently violated standards.
    What keeps me up at night relative to compliance?
    Risk Interactions
    Interactions between other events/conditions that could increase risk.
    How do risks rank relative to each other?
    Formal method to calculate risk
    Likelihood scale, impact scale
    Pin the tail on the donkey

  • An internal control program helps provide a Registered Entity with reasonable assurance of compliance with the requirements of the Standards.

  • CIP-002, CIP-003, CIP-004, CIP-005, CIP-006, CIP-007, CIP-008, CIP-009
    Device Management
    Change Management & Testing
    Recovery & Incident Response
    Access Control
    Physical Security
    Info. Classification & Handling / Doc Control
    Current: Standards Based
    Future: Functions Based

  • 693 Standards

  • Policies and procedures ensure management's directives are carried out.
    Elements of controls work together and collectively reduce risk of not achieving objectives.
    Should not be considered discretely (defense in depth).

  • Continuous Improvement Cycle

  • Internal Controls Analysis
    Review existing processes, procedures and policies to determine if they facilitate compliance with the Reliability Standards

  • Conceptual White Papers
    ERO & Industry Documents
    RAI Q&A
    Internal Controls Working Guide
    Initial Phase Plan/Deliverables
    Audit Handbook
    ERO & Industry Collaborative Guides
    Benefits & Impacts
    Internal Control Library
    RAI Pilots
    MRO - ATC
    RFC PJM, PPL
    SERC integrating into audits
    Self-Reporting Process Enhancement
    Self-Report Guide
    Mitigation Plan Guide
    Violation vs Deficiency Pilots
    FFT Enhancements
    Regional Entity Triage Process

  • Controls Framework Documents
    Committee of Sponsoring Organizations of the Treadway Commission (COSO): Internal Control - Integrated Framework
    The Institute of Internal Auditors International Professional Practices Framework Standard 2210 Engagement Objectives
    Information Systems Audit and Control Association Control Objectives for Information and Related Technology

    Auditing Guidance Documents
    American Institute of Certified Public Accountants Professional Standards, vol. 1 AU Section 314
    United States Government Accounting Office - Government Auditing Standards Chapter 7 Reporting Standards for Performance Audits

    NERC RAI Documents
    http://www.nerc.com/pa/comp/Pages/Reliability-Assurance-Intiative.aspx

  • Questions

    *Internal control is a process, effected by an entity's board of directors, management and other personnel (people), designed to provide reasonable assurance regarding the achievement of objectives.