Board of Trustees Compliance Committee August 13, 2014 | 10:00 a.m. - - PowerPoint PPT Presentation



SLIDE 1

Board of Trustees Compliance Committee

August 13, 2014 | 10:00 a.m. – 11:00 a.m. Pacific The Westin Bayshore 1601 Bayshore Drive Vancouver, BC V6G 2V4

SLIDE 2

Reliability Assurance Initiative (RAI) Progress Report

Jerry Hedrick, Director of Regional Entity Assurance and Oversight
Sonia Mendonca, Associate General Counsel and Director of Enforcement

Compliance Committee Open Meeting

August 13, 2014

SLIDE 3

RELIABILITY | ACCOUNTABILITY

Agenda

  • RAI Project Overview
  • Progress Report
  • Compliance Exception Program
  • Aggregation / Logging Program
  • RAI Project Timelines
  • Regional Implementation Update
  • Joint Regional and Registered Entity RAI Discussions
  • WECC / Tucson Electric
  • SERC / Georgia Transmission
  • Texas RE / ERCOT

SLIDE 4

Overview

  • Compliance monitoring activities focused on risks to reliability
  • Enforcement resources focused on noncompliance that poses a serious and substantial risk to reliability
  • Continued oversight and visibility
  • Discretion on whether to initiate an enforcement action to resolve noncompliance

SLIDE 5

Progress Report

  • Develop industry and auditor training for risk elements and Inherent Risk Assessment

Resources and Tools

  • Finalizing the Inherent Risk Assessment Guide and examples
  • Developing the Risk Elements methodology and procedures for the IP/AML
  • Beginning work on the Internal Control Evaluation Guide

Single Compliance Design

  • Finalized user guides to support improved self-reporting process
  • Implemented improved process flow across ERO enterprise
  • Expanding aggregation/logging and compliance exception programs

Enforcement Processes

  • Integrating program design feedback loops and processes
  • Finalizing program documents for multi-regional registered entities

Compliance and Enforcement Integration

SLIDE 6

Compliance Exceptions Program

Items Closed as of August 1, 2014: MRO, 14; NPCC, 3; RF, 3; SERC, 4; WECC, 4

SLIDE 7

Aggregation/Logging Program

Registered Entity Participants as of August 1, 2014, by Regional Entity:

  • MRO: Alliant Energy East; Alliant Energy West; Nebraska Public Power District; MidAmerican Energy Company; American Transmission Company
  • NPCC: New York Power Authority
  • RF: American Electric Power (jointly with SPP and TRE); PJM Interconnection (jointly with SERC)
  • SERC: Associated Electric Cooperative, Inc.
  • TRE: CenterPoint Energy; Luminant Energy; Luminant Generation; Lower Colorado River Authority

SLIDE 8

Compliance and Enforcement Timeline

  • May 2014: User guides posted; Compliance Exceptions and Aggregation programs reviewed and expanded (throughout 2014)
  • July 2014: Published the Inherent Risk Assessment Guide for comment
  • Aug. 2014: Publish the Risk Elements Methodology for the modified Implementation Plan (IP) and Actively Monitored List (AML); Multi-Region Registered Entity (MRRE) program documents finalized (monitoring and enforcement activities)
  • Sept. 2014: Finalize Inherent Risk Assessment based on industry feedback

SLIDE 9

Compliance and Enforcement Timeline

  • Oct. 2014: Publish the 2015 IP and AML; Develop and begin delivering training on completed modules to industry and regional auditors; Publish the Internal Control Evaluation (ICE) and Compliance Monitoring and Evaluation Program (CMEP) Tools Modules
  • Q4 2014: FERC informational filing submitted
  • Q1 2015: MRRE program implemented; Deploy ICE and Compliance Monitoring Tools

SLIDE 10

Regional Implementation Update

  • Regional Lessons Learned From the Compliance Pilots
  • Risk Assessment and Scoping
  • Controls Evaluation and Testing
  • Training and Education
  • RAI Regional Program Implementation
  • Compliance Activities
  • Enforcement Activities
  • Organizational Alignment
  • Creation of Risk teams

SLIDE 11

Constance B. White Vice President of Compliance

WECC’s RAI Experience NERC Board Presentation August 13, 2014

SLIDE 12

Tucson Electric Power – Preparation

  • IRA (Inherent Risk Assessment)
  • WECC reviewed TEPC’s compliance and event history to determine any entity specific risks
  • ICE (Internal Controls Assessment) focused on Operations and Planning Standards in the following risk areas:
  • Configuration Management
  • Operations
  • Information Management
  • Planning

SLIDE 13

Tucson Electric Power – ICE Example

  • Sample Question 1: How do you control and manage changes to configuration of protection system devices?
  • Controls Reviewed: Maintenance and testing program, systems and tools, interaction between systems
  • Result: Risks identified
  • Sample Question 2: Explain how you ensure Blackstart Resources are capable of meeting the requirements of its restoration plan
  • Controls Reviewed: Annual testing of entity’s two Blackstart Resources, management observes testing, test results are documented and reviewed
  • Result: Low Risk

SLIDE 14

Tucson Electric Power – ICE Results

  • WECC identified some strong controls
  • Based on the results, the WECC audit team customized the audit
  • Removed 7 low risk requirements
  • Heightened focus on PRC-005 and PRC-008
  • WECC plans to significantly reduce TEPC’s 2015 Self Certification
  • WECC selected specific TEPC issues for the compliance exception process

SLIDE 15

Tucson Electric Power – Lessons Learned

  • Entities are receptive
  • Training and education is necessary
  • Risk-based process is effective but will take time to develop
  • WECC refined the processes for another entity scheduled for audit and is focusing on CIP standards for the Internal Controls Evaluation process
  • Additional clarity is needed

SLIDE 16

Tucson Electric Power Feedback

  • Opportunity to allow for open dialogue and to tell/show our compliance “story”
  • Opportunity for additional education and discussion on internal controls
  • Reduced administrative burden
  • Suggestion: provide additional clarity of and context for data requests in future reviews -- may facilitate obtaining desired responses from registered entities

SLIDE 17

RAI Experience at SERC

August 12, 2014 Vancouver, BC

Angie Sheffield, VP, General Auditor and Chief Regulatory Compliance Officer, Georgia Transmission Corporation
Scott Henry, President and CEO, SERC Reliability Corporation

SLIDE 18

Pre-Audit Preparation

  • Inherent Risk Assessment
    – Data collection regarding GTC risks through pre-audit survey
    – SERC’s consideration of risks resulted in adjustment of standards in scope as compared to AML
      • Focus on communication and coordination of operators due to arrangement of entity with other entities for performance of registered functions
      • Scope increased by eight Requirements

SLIDE 19

Pre-Audit Preparation

  • Internal Controls Evaluation
    – SERC auditors reviewed GTC’s Independent Audit Reports (IAR)
    – SERC accepted GTC’s IAR
      • For 18 of the 38 requirements in scope, SERC did little to no additional testing

SLIDE 20

Independent Auditor Evaluation

  • Audit team deemed IAR adequately addressed Standards/Requirements.
  • IAR reflected an appropriate level of rigor for SERC staff to draw the same conclusions.
  • Audit team determined the IAR was relevant to the audit period.
  • Audit team requested minor supplemental evidence.

SLIDE 21

Benefits

  • Improved focus from prior audit in 2008
    – Still required same level of effort from GTC
    – However, more focused on GTC’s inherent risk
    – Did not duplicate effort by re-testing areas that GTC was adequately monitoring
  • Encouraged GTC to continue building its internal control program and endorsed our focus on self-monitoring

SLIDE 22

Lessons Learned

  • Additional communication/collaboration should occur during IRA
  • Further training for entity and regional staff is essential
    – Timing
  • Audit should be focused on the “what”
  • Risk assessment results could be used to scope other types of compliance monitoring
    – Self-certifications
    – Spot-checks

SLIDE 23

RAI within the ERCOT Region

Curtis Crews, Texas Reliability Entity, Inc.
Chuck Manning, Electric Reliability Council of Texas

SLIDE 24

ERCOT Audit/Spot Check Experience

  • Registered as BA, IA, PC, RC, RP, TOP, TSP
  • 2008 Compliance Violation Investigation 693
  • 2008, 2009, 2010 693 Audit
  • 2009 CIP Spot Check
  • 2010 CIP Audit
  • 2011 FERC, NERC and Texas RE Investigation (Cold Weather)
  • 2011, 2012 Four 693 Spot Checks
  • 2012 693 Audit
  • 2013 CIP Audit

NERC BOTCC August 2014

SLIDE 25

ERCOT 2012 and 2013 Engagements

  • Attention to high risk areas
  • Reliability-focused engagements
  • In-depth review
  • Address risk appropriately
  • Risk Elements w/ Key Resources

Risk-Based Benefits to ERCOT

  • Audit was efficient and focused
  • Both teams had the same goal of reliability and security
  • Recommendations and concerns versus compliance only
  • Productive recommendations
  • Curing period allowed for further dialogue among experts

SLIDE 26

RAIcomments@nerc.net

SLIDE 27

Physical Security Implementation

Steven Noess, Associate Director of Standards Development
Compliance Committee Meeting
August 13, 2014

SLIDE 28

Overview

  • CIP-014-1 Purpose: “To identify and protect Transmission stations and Transmission substations, and their associated primary control centers, that if rendered inoperable or damaged as a result of a physical attack could result in widespread instability, uncontrolled separation, or Cascading within an Interconnection.”*

*Note: (“widespread” proposed for removal by FERC in NOPR issued July 17, 2014)

SLIDE 29

Requirements

  • Applies to certain Transmission Owners (TOs) and Transmission Operators (TOPs)
  • Standard requires owners or operators to:
  • Identify critical facilities on the Bulk-Power System
  • Evaluate threats on those facilities
  • Implement plans to protect critical facilities against those threats

SLIDE 30

Tiered Applicability

  • All TOs and TOPs (CIP-014-1 not applicable to all)
  • Applicable TOs who must determine if stations/substations are “critical”
  • TOs/TOPs with critical facilities (full standard applies)

SLIDE 31

Third-Party Verifications/Reviews

  • Critical facility identification must be verified by third party
  • Directed by FERC order
  • Verifier must be a Planning Coordinator, Transmission Planner, Reliability Coordinator, or entity with transmission planning experience
  • Verification may recommend addition/subtraction
  • Threat evaluation and security plan reviewed by third party
  • Directed by FERC order
  • Reviewer must meet certain experience criteria
  • Review may recommend changes to security plan

SLIDE 32

FERC Proposes Approval

  • NOPR proposing approval issued July 17, 2014
  • Forty-five-day comment period from federal register publication, September 22, 2014
  • NOPR proposes to direct two modifications:
  • Governmental authorities may add or subtract from critical facilities
  • Revise certain wording that may narrow scope (“widespread”)
  • NOPR proposes to direct two informational filings:
  • “High Impact” Control Centers (six months of effective date of final rule)
  • Possible resiliency measures, in addition to those required by standard, following loss of critical facilities (one year of effective date of final rule)

SLIDE 33

Implementation

  • Critical facility identification: complete before effective date (six months following FERC approval)
  • Standard filed with FERC May 23, 2014
  • NOPR proposing approval (with directives) issued July 17, 2014
  • Tiered timeline for balance of requirements (within 15 months)
  • Training and other coordination
  • Audit and Enforcement
  • Common approaches (Planning Committee, regional groups, etc.)

SLIDE 34

ERO to Monitor Implementation

  • NERC Board of Trustees directed NERC management to monitor and assess implementation on ongoing basis:
  • Number of assets critical under the standard
  • Defining characteristics of the assets identified as critical
  • Scope of security plans (types of security and resiliency contemplated)
  • Timelines included for implementing security and resiliency measures
  • Industry’s progress in implementing the standard

SLIDE 35

SLIDE 36

Key Compliance Enforcement Metrics and Trends

Compliance Committee Open Session August 13, 2014

SLIDE 37

ERO Enterprise 2014 Goals—Compliance Enforcement

  • Timeliness and transparency of compliance results (caseload index and violation aging)
  • Promotion of self-identification of noncompliance
  • Timeliness of mitigation
  • RAI enforcement reforms

2014 Goals

SLIDE 38

Caseload Index as of July 1, 2014

  • Target: 7 months
  • Threshold: 8 months
  • ERO Enterprise: 9.5 months
  • Regional Entities: 8.3 months
  • NERC: 1.2 months

* Excludes violations that are held by appeal, a regulator, or a court.

SLIDE 39

Caseload Reduction as of July 1, 2014

  • Target: 0
  • Threshold: 65

* Excludes violations that are held by appeal, a regulator, or a court.

SLIDE 40

Violation Age in the ERO Enterprise

* Excludes violations that are held by appeal, a regulator, or a court.

SLIDE 41

Violation Age in the ERO Enterprise – Inventory by Discovery Year

* Excludes violations that are held by appeal, a regulator, or a court.

SLIDE 42

Promoting Self-Assessment and Identification of Noncompliance

  • Target: 75%
  • Threshold: 70%

SLIDE 43

Monitoring Mitigation Completion Pre-2014 Progress

Time frame: Progress toward the goal; Threshold; Target

  • 2013: 56%; 75%; 80%
  • 2012: 87%; 90%; 95%
  • 2011: 94%; 95%; 98%
  • 2010 and older: 99%; 98%; 100%

SLIDE 44

FFT Utilization – ERO Enterprise

SLIDE 45

FFT Utilization By Regional Entity

SLIDE 46

Risk Assessment

SLIDE 47

Trends by Standard in 2013 and Q1 and Q2 2014

SLIDE 48

Risk Assessment for Top 10 Violated Standards (2013)

SLIDE 49