WECC COMPLIANCE 101

Webinar

Thursday, January 22, 2015

Agenda

• Introductions Laura Scholl

• Overview of WECC and Regulatory Structure

Matthew Moore

• Audit – What to Expect Mindee Hawes and Bill Fletcher

• Enforcement Overview Rachael Ferrin, Tyson Jarrett, Carmelina Spina, and Joelle Bohlender

• webCDMS and EFT Brittany Power

2

Overview of WECC and Regulatory Structure

Matthew Moore Manager of Enforcement

COMPLIANCE 101 Overview of WECC

And Regulatory Structure

The Western Electricity Coordinating Council (WECC) is a 501(c)(4) social welfare organization corporation that exists to assure a reliable bulk

electric system in the geographic area of the Western Interconnection. This area includes all or parts of the 14 western United States, two

Canadian provinces, and the northern portion of Baja California, Mexico.

WECC Profile 5

• Incorporated in 2002

• Predecessor, WSCC formed in 1967

• Largest geographic area of the eight Regional Entities o Entire Western Interconnection (1.8 million square miles) -

includes all or part of 14 U.S. states, 2 Canadian provinces and a portion of Baja California Norte, Mexico

• Non-Governmental

• Industry participants join together to promote system reliability

• Bifurcation in February 2014 changed functions

WECC History 6

WECC Coverage Service Area

1.8 million square miles 126,285 miles of transmission Population of 78 million

7

8

WECC Organization

• Independent Board of Directors o 9 members o Committees

• Members Advisory Committee • Members

• Grid owners, operators, users • Stakeholders • State and Provincial

9

WECC separated the registered functions of Reliability Coordinator (RC) and Interchange Authority (IA) in January 2014. Peak Reliability assumed responsibility for the registered functions in January 2014.

o Operate two Reliability Coordination Offices (Vancouver WA and Loveland CO) that provide situational awareness and real-time supervision of the entire Western Interconnection

Bifurcation 10

• Transmission expansion planning o Management of a comprehensive planning database o Provide coordination of sub-regional planning processes o Analyses and modeling

• Studies o Model the system and perform studies under a variety of

scenarios to set operating policies and limits

WECC Services 11

• Loads and Resources Assessments o Perform annual assessment of 10-year loads and resources o Maintain 10-year coordinated plan of system growth o Provide information to NERC for summer and winter assessments of

the reliability and adequacy of the bulk-power system • Operator Training

o Provide training sessions for operators, schedulers and dispatchers

• WREGIS o Hosts the Western Renewable Energy Generation Information

System, which creates and tracks renewable energy certificates

WECC Services 12

Delegation Agreement o Perform functions delegated to WECC as a Regional Entity

under Delegation Agreement with NERC, including; o facilitating development of western interconnection

reliability standards o conducting reliability assessments and event analysis o regulating entities subject to mandatory Reliability

Standards

WECC Services 13

Mandatory Reliability Regulation

• Northeast Blackout of 2003 – 10 Million people

in Ontario, Canada – 45 million people in

eight U.S. states

14

15

16

Task Force Report

• Final report of the U.S.- Canada Power System Outage Task Force on the 2003 blackout concluded: the single most important recommendation for preventing future blackouts, and reducing the scope of those that occur, is for the U.S. government to make reliability standards mandatory and enforceable.

17

Task Force Findings 18

Inadequate System Understanding

Inadequate Situational Awareness

Inadequate Tree Trimming

Inadequate Reliability Center Diagnostic Support

Congressional Action

•Energy Policy Act of 2005 On August 8, 2005, the Energy Policy Act of 2005 (EPAct 2005) was signed into law.

•“Section 215” Section 215 of the EPAct 2005 directed FERC to certify an Electric Reliability Organization (ERO) and develop procedures for establishing, approving and enforcing electric reliability standards.

Authority for Compliance Monitoring

• FERC Order 672 (Implementing Rule 18 CFR 39) – Responsibility and oversight assigned to FERC – FERC designated NERC as Electric Reliability

Organization – NERC has delegation agreement with WECC and

seven other regions

20

Implementing Section 215

SECTION 215

• Creates Electrical Reliability Organization (ERO) • FERC names NERC as ERO

Regional Entities

• NERC selects 8 regional entities • WECC is selected for Western Interconnection

Delegation Agreement

• NERC and WECC sign agreements • WECC oversight begins in Western

Interconnection

Development of Mandatory Reliability Standards

Critical Infrastructure Protection (CIP) standards become mandatory and enforceable December 2009

(FERC Order 706)

Operations and Planning (O&P) Standards become mandatory and enforceable

June 17, 2007 (FERC Order 693)

Order 693 & Order 706 Standards

• Order 693 (Operations and Planning) includes: – Resource and Demand Balancing (BAL) – Emergency Preparedness & Operations (EOP) – Facilities Design, Connection & Mtnce. (FAC) – Protection and Control (PRC)

• Order 706 (CIP) includes: – Critical Cyber Asset Identification – Personnel & Training – Electronic Security Perimeters

23

• Recommends Registrations for Entities o Register users, owners, operators according to function

• Monitors Compliance with Standards o Monitor compliance by users, owners and operators of the bulk

power system in the United States

• Enforces Compliance o Violation mitigation and settlement negotiation o Representation of WECC in any hearing or appeal process

• Administration o Audit coordination o Reporting systems o webCDMS and EFT

WECC Compliance 24

Authority

Federal Power Act 2005 Delegation Agreement Reliability Standards

CMEP

Registration

Authority

Reg

istra

tion

Monitoring

Authority

Reg

istr

atio

n

Enforcement

Authority

Reg

istr

atio

n

Mon

itorin

g

Reference Documents • Compliance Monitoring and Enforcement Program

(CMEP) & WECC’s annual plan • Delegation Agreement • Rules of Procedure • NERC Standards and WECC Regional Standards • NERC Guidance, Bulletins, Directives and Compliance

Application Notices (CANs) • FERC Orders

29

Notice of Compliance Audit

Mindee Hawes Compliance Program Coordinator

Audit Frequency 31

3 Year Cycle Balancing Authority Transmission Operator Reliability Coordinator

All other registered functions Subject to flexibility in the future as part of NERC’s Reliability Assurance Initiative

Audit Timeline 32

145 days 90 days 60 days 30 days 15 days AUDIT

Pre-Audit Survey Due

Evidence Due

Objections to Team Members

Notice of

Audit

CIP v5 Request for Information

Notice of Audit Packet 33

Notice of Audit Letter

ATT A: Compliance Monitoring Authority Letter

ATT B: Audit Team Biographies

ATT C: Confidentiality Agreements

ATT D: Audit Scope and WECC RSAWs

ATT E: Certification Letter

ATT F: Pre-Audit Survey

ATT G: Pre-Audit Data Requests

ATT H: Post Audit Feedback Form

Notice of Audit Letter 34

90-Day Notice of Audit Letter Details of your specific audit • Audit Engagement Dates • Audit Period • Registered Functions within Audit Scope • Audit Team Composition Observers (if applicable)

– May include FERC/NERC

• Date/time of proposed Pre-Audit Conference Call • Links to reference documents

Attachments A, B and C 35

Attachment A Explanation of Compliance Monitoring Authority

Attachment B Short Biographies of the WECC Audit Staff

Attachment C Signed Confidentiality Agreements of the WECC Audit Staff

Attachments D and E 36

Attachment D Audit Scope Reliability Standard Audit Worksheets (RSAWs)

Attachment E Certification Letter

• Must be printed on your company letterhead and signed by an Authorized Officer

Attachment F 37

Attachment F Pre-Audit Survey

• Verify Registered Functions • Audit Logistics • Signed by Authorized Officer • Please complete all applicable fields

Attachment G 38

Attachment G Pre-Audit Data Requests – Clarifications for Data Submittal • One Line Diagram • Delegation agreements (if applicable)

• CCA and non-CCA lists • Public Key Encryption

Attachment H 39

Attachment H Audit Feedback

• Sent with initial package

Feedback is encouraged for all phases of audit!

Evidence Submittal 40

WECC Enhanced File Transfer (EFT) https://fileupload.wecc.biz

Any questions regarding log in or user

credentials please contact weccsupport@wecc.biz or call 1-877-937-9722

Evidence Submittal 41

Adobe Portfolios

COM

Evidence Submittal 42

File Folder

COM

COM-001-1

Questions?

43

Audit Approach and Best Evidence

William Fletcher Senior Compliance Auditor,

Operations and Planning

Compliance Audit (on-site vs. off-site) 45

• Primary difference is: – Location of audit conduct

• Scope is typically smaller for off site • On Site – Required for RC, BA, TOP functions

• Per NERC Rules of Procedure 403.11.2

Compliance Audit (on-site vs. off-site)

• On-Site – Documentation sent to WECC before audit for preliminary review – The audit team reviews evidence during off-site week or the first week of the

audit and completes its review during the second week or on-site week – Data Requests or DRs – In-person interviews for clarification

• Off-Site – Documentation sent to WECC before audit for preliminary review – Data Requests or DRs – Entity may be present at audit if desired – Telephone interviews for clarification

46

Audit Approaches

•We audit to the Requirements of the Standards. •General Approaches included in RSAW •RSAW may ask specific questions •Always includes the section:

“Describe, in narrative form, how you meet compliance with this requirement.”

Audit Approaches

“Describe, in narrative form, how you meet compliance with this requirement.”

• Describe here how your company knows it is compliant with this requirement and how you know you have been compliant for the entire period of the audit

• Your place to describe your internal controls • Your evidence should support your narrative

48

Audit Approaches

• List the evidence provided in the RSAW

o This road map is important • Compliance Assessment Approach in RSAW is used as

a checklist o Data Request (DR) for gaps or samples

• Document and record review is primary • Interviews and observations are usually for

corroborating

49

Sufficient Audit Evidence

Sufficiency of Evidence • The measure of the quantity of evidence • Quantity of evidence is dependent on the scope of

the audit • Extra quantity does not make up for poor quality • Ensure you provide enough evidence to demonstrate

compliance for the entire audit period

50

Sufficient Audit Evidence

Sampling is used to limit the amount of detailed evidence provided • Normally used in conjunction with summary of a full

set of data • Sampling used to assess details • Reduces the burden on the Audit Team but not really

on the Entity • Audit Team must select the samples

51

Appropriate Audit Evidence

Appropriateness The measure of the quality of evidence • Relevance • Validity • Reliability

52

Appropriate Audit Evidence

Quality of Evidence • Good Internal Controls point to reliable evidence • Direct observation is more reliable than indirect observation • Examination of original documents is more reliable than

examination of copies • Testimonial evidence from system experts is more reliable

than from personnel with indirect or partial knowledge

53

Types of Evidence

• Physical Evidence • Documentary Evidence • Testimonial Evidence

Compliance Audits may use all three types but Documentary Evidence is by far the most frequent type of evidence assessed and relied on.

54

Testimonial Evidence

• Attestations of Compliance or Statements of Compliance are generally not accepted as the only available evidence.

• Attestations may be used to explain minor gaps in documentation or to state if no conditions occurred which are subject to a requirement.

• Attestor must be knowledgeable and qualified.

55

Evidence for Procedural Documents

The characteristics of a valid procedural or policy document include: – Document title – Definition or Purpose – Revision level – Effective dates – Authorizing signatures

56

Non Applicable Requirements

Three instances are acceptable for use of term “Not Applicable” 1) Entity is not registered for the applicable

function (only TOP responsible for TOP requirements)

2) Entity does not own, operate or maintain the equipment addressed by the requirement (UVLS, UFLS, SPS etc.)

3) Entity does not use the program or process specified by the requirement (and is not required to… ATC, CBM, etc.)

57

Evidence for Tasks Performed

• When the standard calls for a task to be performed it must be documented. – Records – Logs – Reports – Work Orders – Phone recordings – Transcripts of phone recordings – Shift Schedules

• Dates & Times are critical

58

Evidence of “Coordination” with other entities

• Typical evidence provided initially is a single email. “…If you have any comments please contact ______”

This alone is neither sufficient or appropriate to demonstrate coordination between two or more parties.

• If emails or correspondence are used – Two way communications are needed

• Better are: – Meeting Agendas – Meeting Minutes – Attendance Lists

59

Evidence of “Distribution” of information

• Typical evidence provided initially is a single email with a large distribution list. “…please see attached”

This alone is typically neither sufficient or appropriate to demonstrate distribution to others.

• If emails or correspondence are used – Need clear identification of the personnel on the distribution list.

• Even Better is corroboration by receipt acknowledgement

60

Enforcement 101

Rachael Ferrin Tyson Jarrett

Carmelina Spina Joelle Bohlender

Agenda

• What is a violation?

• How does WECC know about a violation?

• What is the submittal and review process for possible violations?

• What is the submittal and review process for Mitigation Plans?

62

What is a violation?

A violation is a failure to demonstrate compliance

pursuant to applicable NERC Reliability Standard

Requirement – Possible Violation (PV)

• The identification by the Compliance Enforcement Authority of a

possible failure by a registered Entity to comply with a Reliability

Standard that is applicable to the Registered Entity. NERC Rules of

Procedure, Appendix 2 (January 31, 2012).

63

How does the Entity discover a possible violation?

64

Ongoing Compliance Assessments

Internal Assessments

Internal Audits

Compliance Culture

How does WECC know about a possible violation?

Compliance Monitoring • Self-Reports • Self-Certifications

– New possible violation – Change in scope

• Compliance Audits • Spot Checks • Compliance Investigations • Periodic Data Submittals • Complaints

65

Possible Violation Submittal

• Submit Self-Reports and Self-Certifications via

webCDMS

• Self Report/Self Certification Content Checklist

66

Self-Report/Self-Certification Content Checklist

• Is the version of the standard (in effect at the time of the violation) identified?

• Are all multiple subrequirements in scope identified?

• Has this violation been previously reported?

• Does the violation description include: – All devices/facilities/personnel in scope? – Names/IDs of devices/facilities/personnel? – Where are these devices located? – What are these devices used for? – What type of access do the personnel have? – Any additional information to assess the VSL?

• Is the start date and end date identified?

• Are the compensating measures identified?

67

Possible Violation Review

• WECC Subject Matter Experts (SME) reviews the “possible violation”

• Analyze facts and circumstances • Data Requests/conference call if necessary • Technical assessment

– Facts and Timelines – Risk Assessment

• Recommendation of Dismissal or Acceptance to Case Managers

68

Entity’s next step after reporting a Possible Violation

• Submit Mitigation Plan – Notice of Alleged Violation triggers

Mitigation Plan due date – Timely Mitigation is encouraged – Not admission of violation

69

Every violation goes through the same process.

Mitigation Plan Submittal

• Submit via webCDMS – One violation per plan

• Eight Steps to Prevention and Mitigation • Mitigation Plan Content Checklist

70

Mitigation and Prevention Checklist

• Symptom • Root Cause • Corrective Actions • Preventive Actions • Detective Actions • Assign tasks • Timeline and milestones • Interim Risk

71

Mitigation Plan Content Checklist

• Has the scope of the violation being mitigated changed?

• Has the root cause been identified?

• Does the mitigation plan include:

– What is being fixed? – How it is being fixed? – When it is being fixed?

• Do the mitigation actions:

– Relate to the requirements in scope? – Identify preventative measures? – Identify detection measures?

72

Mitigation Plan Review

• WECC Subject Matter Experts (SME) conduct reviews

• Review the mitigation plan – Actions (Corrective, Detective and Preventive) – Duration

• Data Requests/conference call if necessary • Notice of Acceptance or Rejection via auto

notification or EFT server

73

Mitigation Plan Extensions

• Extension Requests – Accepted Mitigation Plan completion date =

date Completion Certification and evidence submitted to WECC

– Five business days prior to completion date

74

CMP Submittal

• Submit Completion Certification and evidence

via webCDMS

• CMP Content Checklist

75

CMP Content Checklist

• Has the scope changed since the Mitigation Plan was accepted? – Have you included a brief statement to confirm the

scope?

• Is the evidence uploaded with a description for each file?

• Is there a mapping of actions to evidence?

• Is there a completion date for each action?

76

Mitigation Plan Completion Review

• WECC Subject Matter Experts (SME) conduct reviews

• Analyze Evidence – Were all actions outlined in the plan completed? – Has both procedural and implementation evidence been

submitted?

• Data Requests/conference call if necessary • Notice of Acceptance or Rejection via auto

notification or EFT Server

77

Summary

• Violation life cycle – Submitting violations and mitigation plans – WECC’s review of violations and mitigation plans

78

The Hand-Off 79

Possible Violation Submittal

Technical SME

Review

The Hand-off to Case Manager

Case Manager Review

4 Methods of PV

Disposition

Confirmed Violation

WECC Enforcement Case Managers

Primary Role: Determining Violation Disposition (disposition analysis)

• Violation Disposition • Case analysis • Policy analysis • Assess penalties • Conduct settlements • Build relationships

80

Enforcement Processes 81

Disposition Analysis

• Dismissal • Find, Fix and Track (“FFT”) • Notice of Alleged Violation (“NOAV”) • Expedited Settlement Agreement (“ESA”)

82

Dismissal

• Disposition method used when the Case Manager determines the possible violation is not enforceable – For Example… – Standard Requirement does not apply to Entity – Facts and circumstances warrant a violation of a

different Standard Requirement – Entity produced additional evidence

demonstrating compliance

83

What does a dismissal look like?

• Case Manager will issue a “Notice of Dismissal and Completion of Enforcement Action”

• WECC: – Withdraws the Possible Violation from Entity’s compliance

record – Any data retention directives relating to the possible

violation are released

• Entity: – Does not need to respond to notice – Questions/concerns contact Case Manager

84

Not a Dismissal, Now what?

• Dismissal • Find, Fix and Track (“FFT”) • Notice of Alleged Violation (“NOAV”) • Expedited Settlement Agreement (“ESA”)

85

PVs for FFT Review

WECC Reviews All PVs for FFT Treatment “Strong” FFT Candidates: • Are not Repeat PVs • PV does not reveal programmatic or systematic

shortcomings • Found and Fixed by the Entity • Mitigation Plan has been submitted

86

What does an FFT look like?

• WECC Enforcement will issue a “Notice of Find, Fix and Track” – Remediation Required – No Penalty or sanction – FFT is filed with NERC but does not become a

“confirmed violation”

• FFT will become part of an Entity’s compliance history

87

What to do with an FFT?

• Within five (5) days of receiving an FFT Notice an Entity Must:

• Submit to WECC an affidavit, signed by an officer with knowledge of remediation,

OR • Submit to WECC written notification opting out of

the FFT processing – If an Entity opts out of the FFT disposition, then WECCs

policy is to issue the violation through the traditional NOAV process.

88

4 Disposition Methods

• Dismissal • Find, Fix and Track (“FFT”) • Notice of Alleged Violation (“NOAV”) • Expedited Settlement Agreement (“ESA”)

89

What does a NOAV look like? CMEP Section 5.3

• NERC Rules of Procedure, Appendix 4C §5.3 (“CMEP”) • Alleged Violation Facts • Mitigation Plan Summary (if applicable) • Enforcement Violation Determinations

– BES Impact Statement • Minimal • Moderate • Severe

– Violation Severity Level (“VSL”) – Violation Risk Factor (“VRF”)

• Penalty

90

What to do with a NOAV?

• Submit a NOAV Response within 30 days • The NOAV Response must conform to one of

three options – Agree with the violation AND penalty – Agree with the violation, but contest penalty – Contest both the violation AND penalty

• Failure to submit a NOAV Response within 30 days will automatically result in confirmed violations with penalties

91

NOAV Response: “Option 1” Does not contest

• Does not contest violation facts as alleged in the NOAV

• May identify errors that should be corrected in the “Notice of Confirmed Violation” (“NOCV”)

• Submit a Mitigation Plan

92

Enforcement will issue a Notice of Confirmed Violation within ten (10) days of receiving a NOAV Response that “agrees with or does not contest an alleged violation.”

NOAV Response: “Option 2” Contests Penalty

• NOAV Response will be submitted to Enforcement using the EFT Server within thirty (30) calendar days of receiving the NOAV.

• Submit a Mitigation Plan. • NOAV Response must explicitly contest penalty and

request settlement. – NOAV Response must articulate basis for each penalty – NOAV Response should include a proposed penalty the Entity

believes to be reasonable including the basis for proposed penalty

93

NOAV Response: “Option 3” Contests Alleged Violation & Penalties

• NOAV Response must be submitted to Enforcement using the EFT Server within thirty (30) calendar days of receiving the NOAV.

• NOAV Response must explicitly contest each alleged violation and proposed penalty and request settlement.

• Each Contention must be supported by: – An explanation of the Entity’s position – Basis for Contention – Additional Information or evidence

94

A Word on Penalties

• Attached to violations disposed of using the NOAV or ESA processes

• Based on: – NERC Sanction Guidelines (January 31, 2012) – Penalty Range

• Penalty range depends upon Violation Severity Level (“VSL”) and Violation Risk Factor (“VRF”)

• Penalties are then adjusted for either Mitigating or Aggravating Factors

95

Reaching Settlement 96

NOAV

NOAV Response

C & T Agreement

Schedule Settlement

Work with Case

Manager

Settlement Negotiation

Settlement Agreement

4 Disposition Methods

• Dismissal • Find, Fix and Track (“FFT”) • Notice of Alleged Violation (“NOAV”) • Expedited Settlement Agreement (“ESA”)

97

ESA: Expedited Settlement Process 98

ESA Settlement Agreement

What does an ESA look like?

• Expedites Formal Settlement Negotiations

• The ESA will contain

– Facts and circumstances of the violation – Mitigation Plan Summary – Risk Assessment Summary – VSL and VRF determinations – Penalty determination

99

What to do with an ESA?

• Entity will have 15 days to review the ESA… – The Entity will contact Case Manager with questions or concerns.

• If the Entity accepts the terms of the ESA… – The Entity must submit a signed copy of the ESA to WECC within 15

days of receipt of the ESA issuance.

• If the Entity rejects the ESA or does not respond within 15 days… – WECC will issue a Notice of Alleged Violation and Proposed Penalty

and Sanction.

100

Settlement Agreements & Expedited Settlement Agreements

101

Payment & Closure of Enforcement Action

102

• After NOP becomes effective, WECC issues a “Payment Due Notice”

• The Penalty will be due thirty (30) days from the date the Notice is issued

• Public NOP filings can be found on the NERC website

Enforcement Process Summary 103

Possible Violation Submittal

Technical SME Review

The Hand-off to Case Manager

Case Manager Review

4 Methods of PV

Disposition

Confirmed Violation

• Lifecycle of a Possible Violation • Best Compliance Practices

• http://www.wecc.biz/compliance/Pages/Best-Practices.aspx

• Possible Violation Disposition and Entity Responses

Compliance 101

Brittany Power Data Coordinator

webCDMS 105

• Web-based Application used to collect: o Periodic Data Submittals o Self-Certifications o Misoperations Reporting o Technical Feasibility Exceptions o Self Reports o Mitigation Plan Data

webCDMS 106

• WECC utilizes your entity contact information • Quick Start Guides are available in webCDMS

o From the Help menu, select Documentation • A Digital Certificate is required to use webCDMS

webCDMS Regions

1.WECC 2.MRO 3.SPP 4.TRE 5.RFC

107

EFT Server

WECC EFT Server

108

• Used to collect: o Audit Data o Spot Check Data o Enforcement Data Requests

WECC.biz 109

• Information about WECC Outreach Events • Reliability Standards Subject to WECC

Monitoring – 2015 • Reporting Forms • RSAWs • WECC Compliance Standards Index • Entity Registration • BESnet Login

Compliance Standards Index 110

Standards Resources 111

Reminder: Help Desk 112

WECC Support • Call (801) 883-6879 or (877) 937-9722 • Types of calls for WECC

o WECC.biz Questions o EFT Questions o Registration Questions o Standard Questions o Non-technical Questions

• support@wecc.biz

OATI Support • Call (763) 220-2020 • Types of calls for OATI

o Technical Problems o webCDMS Login Problems o Certificate Problems o Access Problems