september 30, 2020 - wecc

75
1

Upload: others

Post on 12-Jan-2022

2 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: September 30, 2020 - WECC

1

Page 2: September 30, 2020 - WECC

September 30, 2020

Travis English

Training & Outreach

Specialist

Internal Controls

Practices Group

Page 3: September 30, 2020 - WECC

Antitrust Statement

▪ All WECC meetings are conducted in accordance with the WECC

Antitrust Policy and the NERC Antitrust Compliance Guidelines.

All participants must comply with the policy and guidelines.

▪ This meeting is public—confidential or proprietary information

should not be discussed in open session. Please contact WECC

legal counsel if you have any questions

3

Page 4: September 30, 2020 - WECC

Agenda

4

1. Welcome, Introductions

2. Review WECC Antitrust Policy

3. Opening Remarks—Ruchi Shah, WECC

4. Internal Controls Overview—Jennifer Hart & Sherri Palmer, WECC

5. Interactive Group Exercises

6. Entity Practice Sharing—Chris Johnson, WAPA

7. Facility Ratings Risk and Identified Problems—Hashir Ahmad and Jay

Loock, WECC

8. Question and Answer

9. Wrap-up

Page 5: September 30, 2020 - WECC

September 30, 2020

Ruchi Shah

Director of Entity Risk

Assessment & Registration

Welcome

Page 6: September 30, 2020 - WECC

Welcome

▪ Working from Home Safety!

• Remove obstructions on floor

• Check your fire alarms

• Escape plan in case of fire

• Take breaks and stretch

6

Page 7: September 30, 2020 - WECC

Internal Controls Practices Group

▪ Interactive event

▪ Platform to share best practices

▪ Risk and Controls discussions

▪ Wrap up by 4:00 p.m. MDT

7

Page 8: September 30, 2020 - WECC

Contact:

8

Ruchi Shah

Director of Entity Risk Assessment & Registration

[email protected]

Page 9: September 30, 2020 - WECC

September 30, 2020

Jennifer Hart

Risk Assessment Analyst

Sherri Palmer

Senior Internal Controls Specialist

Internal Controls

Practices Group

Page 10: September 30, 2020 - WECC

10

Page 11: September 30, 2020 - WECC

11

Page 12: September 30, 2020 - WECC

Business Objectives, Risks, and Internal Controls

12

Business goals and

objectives identified

Risks identified and

assessed

Processes andInternal Controls

created

Internal Controlsimplemented and

operating

Internal Controlsmonitored,

evaluated, andimproved

Business goals andobjectivesachieved

Note: Discussions relating to financial reporting objectives are not included in today’s webinar

Page 13: September 30, 2020 - WECC

What is Internal Control?

▪ A process

▪ Effected by people

▪ Actions and supporting technology at all levels

▪ Gives reasonable assurance of—

• Efficiency and effectiveness of operations

• Successful compliance

• Reliability and security

13

Page 14: September 30, 2020 - WECC

ERO Definition of Internal Control

The processes, practices, policies or procedures, system

applications, technology tools, and skilled human capital an

entity uses to prevent, detect, and correct noncompliance with

Reliability Standards and address risks to the reliable

operation of its business.

14

Page 15: September 30, 2020 - WECC

Three Control Types

Preventative

Segregation of duties

Access privileges

Passwords

Physical control over assets

Employee training

Security awareness

Detective

Reconciling two datasets

Reviewing data for appropriateness

Conducting physical equipment/element counts

Corrective

Patching a system

Data backups used to restore a system

Data validity check—may require user to re-enter data if value is outside of parameters

15

Page 16: September 30, 2020 - WECC

Control Types

16

Manual Controls

IT Dependent Manual Controls

Cybersecurity and IT Controls

Application Controls

Physical and Environmental

Controls

Page 17: September 30, 2020 - WECC

17

Internal Control

Objectives

Validity of data Accurate and

complete reports

Segregation of responsibilities

Access controls

Timeliness

ReconciliationReview of operations

Security of assets

Reviews and approvals

Input, process, and output of applications

Other—must be tailored

Page 18: September 30, 2020 - WECC

Benefits

Risk Management AccountabilityMeasure

EffectivenessAchieve Objectives Adherence to Policy

Transparency in Compliance

Safeguard AssetsAccuracy and Completeness

Reliability and Security of BPS

18

Page 19: September 30, 2020 - WECC

19

Page 20: September 30, 2020 - WECC

20

Page 21: September 30, 2020 - WECC

Three Lines of Defense

21

Operational

Processes

Internal Control

Activities

Roles & Responsibilities

Governing Bodies/Board /Audit Committee

Senior Management

1st Line of Defense 2nd Line of Defense 3rd Line of Defense

Management ControlLegal

InternalAudit

Legal

Legal

Internal Control

Risk Management

Compliance

Functions Own & Manage RiskI

Functions Oversee RisksI

Functions ProvideIndependent Oversight

I

ExternalAudit

RegulatorsSecurity

Page 22: September 30, 2020 - WECC

1st

Line of Defense: Operational Management

22

▪ Functions that own and manage risk

▪ Maintain effective internal control

▪ Execute risk and day-to-day control

▪ Identify, assess, control, and mitigate risks

▪ Guide development and implementation of policies, processes,

procedures

▪ Implement detailed procedures and Internal Controls

▪ Supervise execution

Page 23: September 30, 2020 - WECC

2nd

Line of Defense: Functions That Oversee Risks

▪ Risk management, Internal Control, and compliance functions

▪ Ensure first line is properly designed, in place, and operating as

intended

▪ Support policies and define roles and responsibilities

▪ Set goals for implementation

▪ Provide framework

▪ Help management develop processes and controls to mitigate risks

and manage issues

23

Page 24: September 30, 2020 - WECC

3rd

Line of Defense: Provide Independent Assurance

▪ Include internal audit, external auditors, and external regulators

▪ Broad range of objectives

▪ All elements of frameworks

▪ Essential governance requirement for all organizations

▪ Important for large, medium, and small organizations

▪ Ensures effective governance and risk management, Internal

Control, and compliance processes

24

Page 25: September 30, 2020 - WECC

25

Page 26: September 30, 2020 - WECC

Assignment and Coordination are Essential

Risk &

Internal

Control Skill

Specialties

Internal Controls Specialist

Risk Analysts

Compliance Officers

Quality Inspectors

Internal Auditors

Security Specialists

26

Because risk management and

controls specialization are being

spread across multiple teams:

Page 27: September 30, 2020 - WECC

The Stakes Are High

▪ Limited resources may not be deployed effectively

▪ Significant risks may not be identified or managed appropriately

▪ Communications among groups could become gridlocked and

focus on who’s job it is to accomplish a certain task

▪ It’s not enough that risk and Internal Control functions exist!

• Challenge to assign specific roles and coordinate responsibilities

• Must ensure no gaps in controls nor duplication of coverage

27

Page 28: September 30, 2020 - WECC

Internal Controls Program

28

Page 29: September 30, 2020 - WECC

A Chat About Tailoring

29

Page 30: September 30, 2020 - WECC

30

Page 31: September 30, 2020 - WECC

Control Activities

Reasonable Assurance of Achievement

Entity Strategic Direction & Objectives

• Goals & Values

• Efficient & Effective Operations

• Reliability & Security of the BPS

• Successful Compliance

Risk Management

• Business Risks

• Operational Risks

• Technology Innovation & Emerging Risks

• Compliance Risk

Control Objectives

Form a basis for determining how risks should be mitigated through the design and implementation of Internal Controls

31

Must be designed and operating effectively

Page 32: September 30, 2020 - WECC

32

Page 33: September 30, 2020 - WECC

33

Page 34: September 30, 2020 - WECC

Identifying & Designing Internal Controls

34

Risk Identified

Facility Ratings Are Not Accurate

Control Objective

Identify Associated Processes, Standards,

Owners

Obtain Understanding

of Process & Activities

• Walk Through the process• Identify who is performing each step• What is involved in each step• When does step take place• Identify resulting documentation and

reports• Identify systems• Identify control ownersOnly Valid

Facility Ratings Must Be Approved & Communicated

Determine if Existing

Controls are Sufficient

• If Control Objectives not met or controls are ineffective - design new or improve controls

• Consider Preventative vs. Detective Controls & combinations, frequency of control, manual or automated, cost vs benefit

Document Controls

Potential Errors

Identified

Facility Ratings Process

• Draft Process Narrative/Flowchart/Key Activities (keep it brief)

• Draft Risk, Objective, Control, Control Owner Mapping Matrices

• Identify Controls to be testedDocument Policies &

Procedures

• Ensure Policies and Procedures are aligned with risks and controls

EmergingRisks

Page 35: September 30, 2020 - WECC

Failure Points and Guidance Questions

www.wecc.org/Pages/Compliance-UnitedStates.aspx

35

Page 36: September 30, 2020 - WECC

Failure Point Development Process

▪ Failure Points identify potential risks

▪ Cross-functional effort within WECC

• Based on a Process Failure Modes and Effects Analysis (PFEMA) process

• Experience of WECC subject matter experts

• Data analysis and root cause trends

▪ Risk assessment is a dynamic and iterative process

▪ Industry feedback is welcome!

• Send your comments to [email protected]

36

Page 37: September 30, 2020 - WECC

Example FAC-008-3 Failure Point

▪ Potential Failure Point (R1): Failure to develop a process for identifying

the most limiting element in a Facility.

• How does [the entity] identify the most limiting element in a Facility?

▪ Potential Failure Point (R1): Failure to train personnel on developed

Facility Ratings.

• How does [the entity] identify which new hires might be subject to this

requirement?

• How does [the entity] ensure that existing personnel are identified for training?

• What about internal transfers from one role to another?

Source: Internal Controls Failure Points- Guidance Questions FAC-008-3, February 2020

37

Page 38: September 30, 2020 - WECC

Using Failure Points and Guidance Questions

▪ Failure Points compliment your Risk Assessment process but must

be tailored

• What risks apply to your program?

• What additional risks could your

unique process experience?

• Risk prioritization

▪ Guidance questions aid

understanding of process

& activities

38

Page 39: September 30, 2020 - WECC

39

Page 40: September 30, 2020 - WECC

Process Flow and Narrative: Example

Walkthrough and inventory all equipment

Record all equipment, description, and equipment rating

Compare inventory to all documentation in equipment

database

Populate equipment database showing most-limiting component was selected,

and identify second-most-limiting element

Determine all element ratings facility rating

Validate ratings and approve and communicate facility ratings. Publish

final approved facility rating.

40

Process Narrative

Field Engineers walk down the plant and

identify all elements and record all the details

on a spreadsheet. Photos of nameplates are

taken and filed in the equipment database.

Engineering drawings are used to ensure all

elements are identified and any elements not

on the drawing is also documented in the

spreadsheet. Once the walkdown is

complete, all the data is entered from the

spreadsheet into the equipment database.

The rating process is used to rate all the

elements and identify the most limiting and

next limiting element. All this data is

maintained in the equipment database.

Automated processing determines the facility

normal and emergency ratings. Once

approved by the rating change committee, the

facility rates are published and

communicated to all personnel requiring this

data to perform their job responsibilities.

Any rate changes must follow the change

control process.

Page 41: September 30, 2020 - WECC

Facility Ratings Controls Discussion

41

• Track rating & equipment data

• Track changes – newly commissioned & field changes

• Track changes to project plans and rating database

Inventory & Change Management

• Limit and track rating database edits

• Limit and track source documents & print editsAccess Controls

• Specific training for contractors to understand process & procedures and oversight of contractor activitiesContractor Management

• Risk-based plan for facility walkdowns to ensure rating matches “current” elements within the field to supporting documentation

Data Verification

• Reconcile field prints with information stored in rating database Reconciliation

• Data entry reviews

• Peer review from someone that did not enter the data

Periodic Facility Reviews

Page 42: September 30, 2020 - WECC

42

Page 43: September 30, 2020 - WECC

43

Page 44: September 30, 2020 - WECC

Internal Control Program Journey

44

Page 45: September 30, 2020 - WECC

Support From the Top Down

45

Senior management must support the Internal Control Program

Senior Management defines the culture and communicates views and expectations at all levels

All levels of management and employees mustbelieve Internal Controls are important

Page 46: September 30, 2020 - WECC

46

Page 47: September 30, 2020 - WECC

RMR FAC-008 Field

Verification Project

Christian Johnson

RMR Reliability Compliance Manager

WECC Internal Controls Webinar, Sept. 30, 2020

47

Page 48: September 30, 2020 - WECC

RMR Operational Risks requiring

Internal Controls

• Why implement Internal Controls for Facility Ratings?• Risk: Missing or incorrect information could result incorrect Facility

Ratings

• Risk of incorrect Facility Ratings• Safety issues for workers and public

• Damage to equipment

• Pre-contingent mitigating activities address potential overloads

• Lack of mitigating activities address potential overloads

• Impact to BES reliability if out of normal system configuration due to mitigating activities

• Lost revenue

RMR FAC-008 Field Verification Project 48

Page 49: September 30, 2020 - WECC

Background for Field Verification

Project

• June 2018 - RMR begins using a new tool to document the rating of transmission Elements• The tool is a spreadsheet - Facility Equipment List (FEL)

• FEL details include• Itemizes current carrying Elements of a Facility

• Information source (e.g. specific drawings), Designation/Item #, material, rating, and Facility Rating Methodology Variants (if applicable)

RMR FAC-008 Field Verification Project 49

Page 50: September 30, 2020 - WECC

Field Verification Project Overview

• During the FEL creation, questions were encountered requiring field visits• Planning Engineers identifies question(s)

• Requests sent to Maintenance Field Supervisor

• Field visit performed by Maintenance personnel

• Supplemental data sent to Planning Engineers

• Results incorporated into FEL sent to Facility Rating Change Control Committee (FRC3) for Rating approval

• Objective: Improve accuracy of data used for determining Facility Ratings

RMR FAC-008 Field Verification Project 50

Page 51: September 30, 2020 - WECC

Field Verification Activity

• Maintenance personnel perform field visit to address questions from Planning Engineers

• Submit field visit results to Planning Engineers

• Results incorporated into FEL for FRC3 for approval

• Action Items can be assigned to update documentation/drawings post FEL approval

• Objective: Supplemental data should be incorporated in a permanent Information Source (e.g., engineering drawing or asset database)

RMR FAC-008 Field Verification Project 51

Page 52: September 30, 2020 - WECC

Field Verification Activity - Results

RMR FAC-008 Field Verification Project 52

Page 53: September 30, 2020 - WECC

Field Verification Activity - Results

RMR FAC-008 Field Verification Project 53

Page 54: September 30, 2020 - WECC

Field Verification Activity - Results

RMR FAC-008 Field Verification Project 54

Page 55: September 30, 2020 - WECC

Field Verification Project

• Questions for Chris

RMR FAC-008 Field Verification Project 55

Page 56: September 30, 2020 - WECC

Let’s Review Some Control Examples

Risks & Potential

Failure Points

Facility Rating changes are not communicated to all necessary personal and not communicated promptly

Field elements do not match system one-lines or design drawings

Equipment ratings are not determined according to Facility Rating method

Internal Control

Objectives

Facility Rating changes are communicated promptly and to appropriate personnel, who need this information to carry out their responsibilities

Facility Ratings are accurate and complete

Supporting documentation has been validated against field elements to ensure it is accurate and complete

Control Activities

FRC3 Change Committee meets weekly; all changes are published and distributed to appropriate personnel after each meeting

Periodic Facility “walkdowns” are performed to ensure that field matches the supporting documentation

Facility Rating list is reviewed independently for accuracy and is consistent with Facility Rating method

56

Page 57: September 30, 2020 - WECC

57

Page 58: September 30, 2020 - WECC

58

Page 59: September 30, 2020 - WECC

September 30, 2020

Hashir Ahmad, WECCSenior Risk Assessment Engineer

Facility Ratings

FAC-008-3

Facility Ratings Current State of Controls

Page 60: September 30, 2020 - WECC

NERC Facility Ratings Problem Statement

▪ NERC’s observations about the state of Facility Ratings and the use of Internal

Controls to mitigate risks:

• Discrepancies between documented and actual field conditions of equipment and Facility

Ratings

• Incorrect calculations

• Incorrect ratings

• Missing equipment types

▪ Entities with strong controls have better data for more accurate ratings than those

who have not taken steps to develop controls

▪ ERO Enterprise believes the issue is more widespread than what has been discovered

to date

60

Page 61: September 30, 2020 - WECC

Inaccurate Facility Rating Risks

▪ Incorrect Facility Ratings pose significant risk

▪ Facility Ratings have not taken into account the most limiting series element,

creating large de-rates

▪ Discrepancies include some significant and widespread across the ERO

Enterprise

▪ Incorrect Facility Ratings can cause equipment operated beyond capability,

causing damage or line sagging

▪ Cause unplanned outages

▪ One of the contributing factors to the August 2003 blackout

▪ An ERO Area of Focus

61

Page 62: September 30, 2020 - WECC

Common Failures

Discrepancies between documentation and field conditions of Equipment

or Facility Ratings

Missing equipment from Facility Ratings

report/database (e.g., jumpers, bus bars, CTs,

wave traps)

Changes not tracked in the field (emergency or planned) and lack of

proper communication to update the Facility Rating

Incorrect identification of Most Limiting Series

Element

Lack of communication with neighboring entities

to develop Facility Ratings for jointly owned Facilities

Lack of internal communication (e.g.,

substation and transmission)

Inaccurate/outdated documentation and prints (e.g., one-line diagrams,

as-built drawings)

Incomplete Facility Ratings Methodology

Lack of Emergency Ratings including Dynamic Ratings

Insufficient training of staff

62

Page 63: September 30, 2020 - WECC

A Sustainable Path Forward—Internal Control Enhancements

• Track Rating & Equipment Data

• Track Changes—newly commissioned & field changes

• Track Changes to project plans and Rating database

Inventory & Change Management

• Limit and track Rating database edits

• Limit and track source documents & print editsAccess Controls

• Specific training for Contractors to understand process & procedures and oversight of Contractor activities

Contractor Management

• Data entry reviewsData Verification

• Reconcile field prints with information stored in Rating database Reconciliation

• Risk Based Plan for Facility walkdowns to ensure Rating match “as-builds”Periodic Facility Reviews

63

Perform Self - Assessments

Page 64: September 30, 2020 - WECC

Contact:

Hashir Ahmad

Senior Risk Assessment Engineer

[email protected]

Page 65: September 30, 2020 - WECC

September 30, 2020

Jay Loock, WECCSenior Compliance Auditor

Facility Ratings

FAC-008-3

Risks of Inaccurate Facility Ratings

Page 66: September 30, 2020 - WECC

Risks of Inaccurate Facility Ratings

▪ Operational Risks

▪ Planning Risks

▪ Compliance Risks

▪ Loss of Revenue

66

Page 67: September 30, 2020 - WECC

Accurate Facility Ratings

Accurate Facility Ratings involves coordination across multiple models, departments, and entities.

This may involve coordination of short-term ratings that must be integrated into the energy management systems and considered in real-time assessments.

Correct application of Facility Ratings is paramount to maintaining a highly reliable and secure Bulk Electric System.

67

Page 68: September 30, 2020 - WECC

System Operating Limits

The purpose of approved FAC-008-3, which is applicable to both Generation and Transmission Owners, is to ensure that Facility Ratings used in the reliable planning and operation of the BES are determined based on technically sound principles.

A Facility Rating is essential for the determination of System Operating Limits (SOL).

68

Page 69: September 30, 2020 - WECC

Standards that Require Accurate Facility Ratings

Operations

▪ Standard FAC-010-3—System Operating Limits Methodology for the Planning Horizon

• R1.2. States that SOLs shall not exceed associated Facility Ratings.

▪ Standard TOP-001-4—Transmission Operations

• R13. Each Transmission Operator shall ensure that a Real-time Assessment is performed at least

once every 30 minutes.

69

Page 70: September 30, 2020 - WECC

Standards that Require Accurate Facility Ratings

Protection

▪ Standard PRC-023-4—Transmission Relay Loadability

Criteria:

1. Set transmission line relays so they do not operate at or below 150% of the highest seasonal Facility Rating of a circuit for the available defined loading duration nearest 4 hours.

2. Set transmission line relays so they do not operate at or below 115% of the highest seasonal 15-minute Facility Rating of a circuit.

70

Page 71: September 30, 2020 - WECC

Standards that Require Accurate Facility Ratings

Planning

▪ Standard TPL-001-4—Transmission System Planning

Performance Requirements

• Steady State Studies—Applicable Facility Ratings shall not be exceeded.

71

Page 72: September 30, 2020 - WECC

Contact:

Jay Loock

Senior Compliance Auditor

[email protected]

Page 73: September 30, 2020 - WECC

73

Page 74: September 30, 2020 - WECC

74

Page 75: September 30, 2020 - WECC

Contact:

75

[email protected]