Internal Controls Practices Group, September 30, 2020 - PowerPoint PPT Presentation



SLIDE 1

SLIDE 2

September 30, 2020

Travis English
Training & Outreach Specialist
Internal Controls Practices Group

SLIDE 3

Antitrust Statement

▪ All WECC meetings are conducted in accordance with the WECC Antitrust Policy and the NERC Antitrust Compliance Guidelines. All participants must comply with the policy and guidelines.
▪ This meeting is public—confidential or proprietary information should not be discussed in open session. Please contact WECC legal counsel if you have any questions.

SLIDE 4

Agenda

1. Welcome, Introductions
2. Review WECC Antitrust Policy
3. Opening Remarks—Ruchi Shah, WECC
4. Internal Controls Overview—Jennifer Hart & Sherri Palmer, WECC
5. Interactive Group Exercises
6. Entity Practice Sharing—Chris Johnson, WAPA
7. Facility Ratings Risk and Identified Problems—Hashir Ahmad and Jay Loock, WECC
8. Question and Answer
9. Wrap-up

SLIDE 5

September 30, 2020

Ruchi Shah
Director of Entity Risk Assessment & Registration
Welcome

SLIDE 6

Welcome

▪ Working from Home Safety!

  • Remove obstructions on floor
  • Check your fire alarms
  • Escape plan in case of fire
  • Take breaks and stretch

SLIDE 7

Internal Controls Practices Group

▪ Interactive event
▪ Platform to share best practices
▪ Risk and Controls discussions
▪ Wrap up by 4:00 p.m. MDT

SLIDE 8

Contact:

Ruchi Shah
Director of Entity Risk Assessment & Registration
rshah@wecc.org

SLIDE 9

September 30, 2020

Jennifer Hart
Risk Assessment Analyst

Sherri Palmer
Senior Internal Controls Specialist

Internal Controls Practices Group

SLIDE 10

SLIDE 11

SLIDE 12

Business Objectives, Risks, and Internal Controls

1. Business goals and objectives identified
2. Risks identified and assessed
3. Processes and Internal Controls created
4. Internal Controls implemented and operating
5. Internal Controls monitored, evaluated, and improved
6. Business goals and objectives achieved

Note: Discussions relating to financial reporting objectives are not included in today’s webinar

SLIDE 13

What is Internal Control?

▪ A process
▪ Effected by people
▪ Actions and supporting technology at all levels
▪ Gives reasonable assurance of—

  • Efficiency and effectiveness of operations
  • Successful compliance
  • Reliability and security

SLIDE 14

ERO Definition of Internal Control

The processes, practices, policies or procedures, system applications, technology tools, and skilled human capital an entity uses to prevent, detect, and correct noncompliance with Reliability Standards and address risks to the reliable operation of its business.

SLIDE 15

Three Control Types

Preventative

  • Segregation of duties
  • Access privileges
  • Passwords
  • Physical control over assets
  • Employee training
  • Security awareness

Detective

  • Reconciling two datasets
  • Reviewing data for appropriateness
  • Conducting physical equipment/element counts

Corrective

  • Patching a system
  • Data backups used to restore a system
  • Data validity check—may require user to re-enter data if value is outside of parameters

SLIDE 16

Control Types

▪ Manual Controls
▪ IT Dependent Manual Controls
▪ Cybersecurity and IT Controls
▪ Application Controls
▪ Physical and Environmental Controls

SLIDE 17

Internal Control Objectives

▪ Validity of data
▪ Accurate and complete reports
▪ Segregation of responsibilities
▪ Access controls
▪ Timeliness
▪ Reconciliation
▪ Review of operations
▪ Security of assets
▪ Reviews and approvals
▪ Input, process, and output of applications
▪ Other—must be tailored

SLIDE 18

Benefits

▪ Risk Management
▪ Accountability
▪ Measure Effectiveness
▪ Achieve Objectives
▪ Adherence to Policy
▪ Transparency in Compliance
▪ Safeguard Assets
▪ Accuracy and Completeness
▪ Reliability and Security of BPS

SLIDE 19

SLIDE 20

SLIDE 21

Three Lines of Defense

[Figure: Three Lines of Defense. Governing Bodies/Board/Audit Committee and Senior Management sit above three lines: 1st Line of Defense (functions own and manage risk), 2nd Line of Defense (functions oversee risks), 3rd Line of Defense (functions provide independent oversight), followed by External Audit and Regulators. Other labels in the figure: Operational Processes, Internal Control Activities, Roles & Responsibilities, Management Control, Internal Control, Risk Management, Compliance, Security, Legal, Internal Audit.]

SLIDE 22

1st Line of Defense: Operational Management

▪ Functions that own and manage risk
▪ Maintain effective internal control
▪ Execute risk and day-to-day control
▪ Identify, assess, control, and mitigate risks
▪ Guide development and implementation of policies, processes, procedures
▪ Implement detailed procedures and Internal Controls
▪ Supervise execution

SLIDE 23

2nd Line of Defense: Functions That Oversee Risks

▪ Risk management, Internal Control, and compliance functions
▪ Ensure first line is properly designed, in place, and operating as intended
▪ Support policies and define roles and responsibilities
▪ Set goals for implementation
▪ Provide framework
▪ Help management develop processes and controls to mitigate risks and manage issues

SLIDE 24

3rd Line of Defense: Provide Independent Assurance

▪ Include internal audit, external auditors, and external regulators
▪ Broad range of objectives
▪ All elements of frameworks
▪ Essential governance requirement for all organizations
▪ Important for large, medium, and small organizations
▪ Ensures effective governance and risk management, Internal Control, and compliance processes

SLIDE 25

SLIDE 26

Assignment and Coordination are Essential

Risk & Internal Control Skill Specialties

  • Internal Controls Specialist
  • Risk Analysts
  • Compliance Officers
  • Quality Inspectors
  • Internal Auditors
  • Security Specialists

Because risk management and controls specialization are being spread across multiple teams:

SLIDE 27

The Stakes Are High

▪ Limited resources may not be deployed effectively
▪ Significant risks may not be identified or managed appropriately
▪ Communications among groups could become gridlocked and focus on whose job it is to accomplish a certain task
▪ It’s not enough that risk and Internal Control functions exist!

  • Challenge to assign specific roles and coordinate responsibilities
  • Must ensure no gaps in controls nor duplication of coverage

SLIDE 28

Internal Controls Program

SLIDE 29

A Chat About Tailoring

SLIDE 30

SLIDE 31

Control Activities

Reasonable Assurance of Achievement

Entity Strategic Direction & Objectives

  • Goals & Values
  • Efficient & Effective Operations
  • Reliability & Security of the BPS
  • Successful Compliance

Risk Management

  • Business Risks
  • Operational Risks
  • Technology Innovation & Emerging Risks
  • Compliance Risk

Control Objectives

Form a basis for determining how risks should be mitigated through the design and implementation of Internal Controls

Must be designed and operating effectively

SLIDE 32

SLIDE 33

SLIDE 34

Identifying & Designing Internal Controls

Risk Identified

Facility Ratings Are Not Accurate

Control Objective

Identify Associated Processes, Standards, Owners

Obtain Understanding of Process & Activities

  • Walk through the process
  • Identify who is performing each step
  • What is involved in each step
  • When does step take place
  • Identify resulting documentation and reports
  • Identify systems
  • Identify control owners

Only Valid Facility Ratings Must Be Approved & Communicated

Determine if Existing Controls are Sufficient

  • If Control Objectives not met or controls are ineffective - design new or improve controls
  • Consider Preventative vs. Detective Controls & combinations, frequency of control, manual or automated, cost vs benefit

Document Controls

Potential Errors Identified

Facility Ratings Process

  • Draft Process Narrative/Flowchart/Key Activities (keep it brief)
  • Draft Risk, Objective, Control, Control Owner Mapping Matrices
  • Identify Controls to be tested

Document Policies & Procedures

  • Ensure Policies and Procedures are aligned with risks and controls

Emerging Risks

SLIDE 35

Failure Points and Guidance Questions

www.wecc.org/Pages/Compliance-UnitedStates.aspx

SLIDE 36

Failure Point Development Process

▪ Failure Points identify potential risks
▪ Cross-functional effort within WECC

  • Based on a Process Failure Modes and Effects Analysis (PFMEA) process
  • Experience of WECC subject matter experts
  • Data analysis and root cause trends

▪ Risk assessment is a dynamic and iterative process
▪ Industry feedback is welcome!

  • Send your comments to InternalControls@wecc.org

SLIDE 37

Example FAC-008-3 Failure Point

▪ Potential Failure Point (R1): Failure to develop a process for identifying the most limiting element in a Facility.

  • How does [the entity] identify the most limiting element in a Facility?

▪ Potential Failure Point (R1): Failure to train personnel on developed Facility Ratings.

  • How does [the entity] identify which new hires might be subject to this requirement?
  • How does [the entity] ensure that existing personnel are identified for training?
  • What about internal transfers from one role to another?

Source: Internal Controls Failure Points - Guidance Questions FAC-008-3, February 2020

SLIDE 38

Using Failure Points and Guidance Questions

▪ Failure Points complement your Risk Assessment process but must be tailored

  • What risks apply to your program?
  • What additional risks could your unique process experience?
  • Risk prioritization

▪ Guidance questions aid understanding of process & activities

SLIDE 39

SLIDE 40

Process Flow and Narrative: Example

1. Walkthrough and inventory all equipment
2. Record all equipment, description, and equipment rating
3. Compare inventory to all documentation in equipment database
4. Populate equipment database showing most-limiting component was selected, and identify second-most-limiting element
5. Determine all element ratings and the facility rating
6. Validate ratings and approve and communicate facility ratings.
7. Publish final approved facility rating.

Process Narrative

Field Engineers walk down the plant, identify all elements, and record all the details on a spreadsheet. Photos of nameplates are taken and filed in the equipment database. Engineering drawings are used to ensure all elements are identified, and any elements not on the drawing are also documented in the spreadsheet. Once the walkdown is complete, all the data is entered from the spreadsheet into the equipment database. The rating process is used to rate all the elements and identify the most limiting and next limiting element. All this data is maintained in the equipment database. Automated processing determines the facility normal and emergency ratings. Once approved by the rating change committee, the facility rates are published and communicated to all personnel requiring this data to perform their job responsibilities. Any rate changes must follow the change control process.
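
The comparison of walkdown inventory to the equipment database and the most-limiting-element step in the narrative above, as an added example (not code from the WECC presentation or any entity's tooling). Element IDs, ampere ratings, the record layout and the function names are constructed, and the example assumes the facility rating is the lowest rating among the series elements.

```python
"""Reconcile a field walkdown inventory against the equipment database,
then derive the facility rating from the most limiting series element.
All element IDs and ampere ratings below are constructed sample data."""

# Constructed walkdown spreadsheet: element id -> (description, rating in amps)
WALKDOWN = {
    "CB-101": ("Circuit breaker", 2000),
    "SW-102": ("Disconnect switch", 1600),
    "CT-103": ("Current transformer", 1200),
    "JMP-104": ("Jumper", 1400),            # seen in field, absent from database
    "COND-105": ("Line conductor", 1500),
}

# Constructed equipment database rows for the same facility
DATABASE = {
    "CB-101": ("Circuit breaker", 2000),
    "SW-102": ("Disconnect switch", 2000),  # rating disagrees with nameplate
    "CT-103": ("Current transformer", 1200),
    "COND-105": ("Line conductor", 1500),
    "WT-106": ("Wave trap", 1600),          # in database, not seen in field
}


def reconcile(field, database):
    """Detective control: list every difference between the two datasets."""
    findings = []
    for eid in sorted(field.keys() - database.keys()):
        findings.append((eid, "missing from database"))
    for eid in sorted(database.keys() - field.keys()):
        findings.append((eid, "not found in field"))
    for eid in sorted(field.keys() & database.keys()):
        f_amps, d_amps = field[eid][1], database[eid][1]
        if f_amps != d_amps:
            findings.append(
                (eid, f"rating mismatch: field {f_amps} A, database {d_amps} A"))
    return findings


def limiting_elements(elements):
    """Return (most limiting, next limiting) element ids by lowest rating."""
    ranked = sorted(elements, key=lambda eid: (elements[eid][1], eid))
    return ranked[0], (ranked[1] if len(ranked) > 1 else None)


def facility_rating(field, database):
    """Preventative gate: no rating is produced while discrepancies remain.
    Assumption: facility rating = lowest rating among the series elements."""
    findings = reconcile(field, database)
    if findings:
        raise ValueError(f"{len(findings)} unresolved discrepancies; rating not published")
    most_limiting, _ = limiting_elements(database)
    return database[most_limiting][1]


if __name__ == "__main__":
    for eid, issue in reconcile(WALKDOWN, DATABASE):
        print(f"{eid}: {issue}")
    print("field view   :", limiting_elements(WALKDOWN))
    print("database view:", limiting_elements(DATABASE))
```

With this sample data the most limiting element is the same in both views, but the next limiting element differs because the jumper is missing from the database.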

SLIDE 41

Facility Ratings Controls Discussion

  • Track rating & equipment data
  • Track changes – newly commissioned & field changes
  • Track changes to project plans and rating database

Inventory & Change Management

  • Limit and track rating database edits
  • Limit and track source documents & print edits

Access Controls

  • Specific training for contractors to understand process & procedures and oversight of contractor activities

Contractor Management

  • Risk-based plan for facility walkdowns to ensure rating matches “current” elements within the field to supporting documentation

Data Verification

  • Reconcile field prints with information stored in rating database

Reconciliation

  • Data entry reviews
  • Peer review from someone that did not enter the data

Periodic Facility Reviews

SLIDE 42

SLIDE 43

SLIDE 44

Internal Control Program Journey

SLIDE 45

Support From the Top Down

▪ Senior management must support the Internal Control Program
▪ Senior Management defines the culture and communicates views and expectations at all levels
▪ All levels of management and employees must believe Internal Controls are important

SLIDE 46

SLIDE 47

RMR FAC-008 Field Verification Project

Christian Johnson
RMR Reliability Compliance Manager
WECC Internal Controls Webinar, Sept. 30, 2020

SLIDE 48

RMR Operational Risks requiring Internal Controls

  • Why implement Internal Controls for Facility Ratings?
  • Risk: Missing or incorrect information could result in incorrect Facility Ratings
  • Risk of incorrect Facility Ratings
  • Safety issues for workers and public
  • Damage to equipment
  • Pre-contingent mitigating activities address potential overloads
  • Lack of mitigating activities address potential overloads
  • Impact to BES reliability if out of normal system configuration due to mitigating activities
  • Lost revenue

SLIDE 49

Background for Field Verification Project

  • June 2018 - RMR begins using a new tool to document the rating of transmission Elements
  • The tool is a spreadsheet - Facility Equipment List (FEL)
  • FEL details include
  • Itemizes current carrying Elements of a Facility
  • Information source (e.g. specific drawings), Designation/Item #, material, rating, and Facility Rating Methodology Variants (if applicable)

SLIDE 50

Field Verification Project Overview

  • During the FEL creation, questions were encountered requiring field visits
  • Planning Engineers identify question(s)
  • Requests sent to Maintenance Field Supervisor
  • Field visit performed by Maintenance personnel
  • Supplemental data sent to Planning Engineers
  • Results incorporated into FEL sent to Facility Rating Change Control Committee (FRC3) for Rating approval
  • Objective: Improve accuracy of data used for determining Facility Ratings

SLIDE 51

Field Verification Activity

  • Maintenance personnel perform field visit to address questions from Planning Engineers
  • Submit field visit results to Planning Engineers
  • Results incorporated into FEL for FRC3 for approval
  • Action Items can be assigned to update documentation/drawings post FEL approval
  • Objective: Supplemental data should be incorporated in a permanent Information Source (e.g., engineering drawing or asset database)

SLIDE 52

Field Verification Activity - Results

SLIDE 53

Field Verification Activity - Results

SLIDE 54

Field Verification Activity - Results

SLIDE 55

Field Verification Project

  • Questions for Chris

SLIDE 56

Let’s Review Some Control Examples

Risks & Potential Failure Points

  • Facility Rating changes are not communicated to all necessary personnel and not communicated promptly
  • Field elements do not match system one-lines or design drawings
  • Equipment ratings are not determined according to Facility Rating method

Internal Control Objectives

  • Facility Rating changes are communicated promptly and to appropriate personnel, who need this information to carry out their responsibilities
  • Facility Ratings are accurate and complete
  • Supporting documentation has been validated against field elements to ensure it is accurate and complete

Control Activities

  • FRC3 Change Committee meets weekly; all changes are published and distributed to appropriate personnel after each meeting
  • Periodic Facility “walkdowns” are performed to ensure that field matches the supporting documentation
  • Facility Rating list is reviewed independently for accuracy and is consistent with Facility Rating method

SLIDE 57

SLIDE 58

SLIDE 59

September 30, 2020

Hashir Ahmad, WECC

Senior Risk Assessment Engineer

Facility Ratings FAC-008-3

Facility Ratings Current State of Controls

SLIDE 60

NERC Facility Ratings Problem Statement

▪ NERC’s observations about the state of Facility Ratings and the use of Internal Controls to mitigate risks:

  • Discrepancies between documented and actual field conditions of equipment and Facility Ratings
  • Incorrect calculations
  • Incorrect ratings
  • Missing equipment types

▪ Entities with strong controls have better data for more accurate ratings than those who have not taken steps to develop controls
▪ ERO Enterprise believes the issue is more widespread than what has been discovered to date

SLIDE 61

Inaccurate Facility Rating Risks

▪ Incorrect Facility Ratings pose significant risk
▪ Facility Ratings have not taken into account the most limiting series element, creating large de-rates
▪ Discrepancies include some that are significant and widespread across the ERO Enterprise
▪ Incorrect Facility Ratings can cause equipment to be operated beyond capability, causing damage or line sagging
▪ Cause unplanned outages
▪ One of the contributing factors to the August 2003 blackout
▪ An ERO Area of Focus

SLIDE 62

Common Failures

▪ Discrepancies between documentation and field conditions of Equipment or Facility Ratings
▪ Missing equipment from Facility Ratings report/database (e.g., jumpers, bus bars, CTs, wave traps)
▪ Changes not tracked in the field (emergency or planned) and lack of proper communication to update the Facility Rating
▪ Incorrect identification of Most Limiting Series Element
▪ Lack of communication with neighboring entities to develop Facility Ratings for jointly owned Facilities
▪ Lack of internal communication (e.g., substation and transmission)
▪ Inaccurate/outdated documentation and prints (e.g., one-line diagrams, as-built drawings)
▪ Incomplete Facility Ratings Methodology
▪ Lack of Emergency Ratings including Dynamic Ratings
▪ Insufficient training of staff

SLIDE 63

A Sustainable Path Forward—Internal Control Enhancements

  • Track Rating & Equipment Data
  • Track Changes—newly commissioned & field changes
  • Track Changes to project plans and Rating database

Inventory & Change Management

  • Limit and track Rating database edits
  • Limit and track source documents & print edits

Access Controls

  • Specific training for Contractors to understand process & procedures and oversight of Contractor activities

Contractor Management

  • Data entry reviews

Data Verification

  • Reconcile field prints with information stored in Rating database

Reconciliation

  • Risk Based Plan for Facility walkdowns to ensure Rating match “as-builds”

Periodic Facility Reviews

Perform Self-Assessments

SLIDE 64

Contact:

Hashir Ahmad
Senior Risk Assessment Engineer
hahmad@wecc.org

SLIDE 65

September 30, 2020

Jay Loock, WECC

Senior Compliance Auditor

Facility Ratings FAC-008-3

Risks of Inaccurate Facility Ratings

SLIDE 66

Risks of Inaccurate Facility Ratings

▪ Operational Risks
▪ Planning Risks
▪ Compliance Risks
▪ Loss of Revenue

SLIDE 67

Accurate Facility Ratings

Accurate Facility Ratings involves coordination across multiple models, departments, and entities. This may involve coordination of short-term ratings that must be integrated into the energy management systems and considered in real-time assessments. Correct application of Facility Ratings is paramount to maintaining a highly reliable and secure Bulk Electric System.

SLIDE 68

System Operating Limits

The purpose of approved FAC-008-3, which is applicable to both Generation and Transmission Owners, is to ensure that Facility Ratings used in the reliable planning and operation of the BES are determined based on technically sound principles. A Facility Rating is essential for the determination of System Operating Limits (SOL).

SLIDE 69

Standards that Require Accurate Facility Ratings

Operations

▪ Standard FAC-010-3—System Operating Limits Methodology for the Planning Horizon

  • R1.2. States that SOLs shall not exceed associated Facility Ratings.

▪ Standard TOP-001-4—Transmission Operations

  • R13. Each Transmission Operator shall ensure that a Real-time Assessment is performed at least once every 30 minutes.

SLIDE 70

Standards that Require Accurate Facility Ratings

Protection

▪ Standard PRC-023-4—Transmission Relay Loadability

Criteria:

1. Set transmission line relays so they do not operate at or below 150% of the highest seasonal Facility Rating of a circuit for the available defined loading duration nearest 4 hours.
2. Set transmission line relays so they do not operate at or below 115% of the highest seasonal 15-minute Facility Rating of a circuit.

SLIDE 71

Standards that Require Accurate Facility Ratings

Planning

▪ Standard TPL-001-4—Transmission System Planning Performance Requirements

  • Steady State Studies—Applicable Facility Ratings shall not be exceeded.

SLIDE 72

Contact:

Jay Loock
Senior Compliance Auditor
jloock@wecc.org

SLIDE 73

SLIDE 74

SLIDE 75

Contact:

internalcontrols@wecc.org