Self-Logging Program
Valerie Agnew - MRO VP Enforcement
Bill Steiner - MRO Director of Risk Assessment and Mitigation
Joseph DePoorter - MRO PROS/NSRF Chair, MGE
Mahmood Safi - MRO CC Chair, OPPD

The Self-Logging Program
• Admitted registered entities:
  • Maintain a log of minimal risk noncompliance
  • Submit logs to Region on a periodic basis in lieu of self-reports
• Presumed Compliance Exception disposition

Registered Entity Criteria
Effective processes to:
• Self-identify noncompliances
• Assess risk of noncompliances
• Correct noncompliances
• Prevent recurrence
Evaluated using the five HRO principles (MRO HEROS)

Participation Criteria Resources
MRO Self-Logging Program Eligibility Determination Process
• MRO Website: Assurance/Compliance Monitoring/Self-Logging Program
ERO Enterprise Self-Logging Program
• NERC Website: Initiatives/Risk-Based CMEP/Design Resources: ERO Enterprise Self-Logging Program

Self-Logging in MRO
• 19 registered entities participating
• MRO is working with entities on what information to include in logs
• All self-logged instances of noncompliances have been processed as Compliance Exceptions

Logging Assists Entities in Identifying Issues

Processing Self-Logged Issues
• MRO’s goal is to process self-logged items as soon as possible
• MRO is working to eliminate time consuming RFIs
• Pertinent, concise information assists with reducing processing time

Thorough Self-Log
Having a complete and well documented self-log:
• Provides increased assurance that this issue was well understood, managed, and minimal risk
• May reduce or eliminate the need for SME discussions or additional data requests
• Helps focus mitigating activities
• MRO has an “enhanced” template to assist in providing the required information
  https://www.mro.net/MRODocuments/Template Self-Log Spreadsheet.xlsx

Required Information
Important dates to provide (columns in template)
• Date noncompliance was self-identified
• Date the noncompliance started
• End date of noncompliance (not including activities for reoccurrence) – this may be in the future
• Completion date for all mitigating activities (includes activities for reoccurrence) – also may be in the future

Required Information
Information about the discovery
• How the noncompliance was identified
  • i.e. internal control, ad-hoc discovery, etc.
  • Important to determine if extent of condition analysis is required
• Description of noncompliance
  • What happened (aka “condition”)
  • Be descriptive if appropriate – should not be more than a few sentences

Required Information
Root cause of noncompliance
• 95% a policy or procedure deficiency or process implementation issue
• “Human Error” is typically incorrect
• Mitigation for reoccurrence must address the root cause
• This is the basis for most additional requests for information

Required Information
Risk
• Description of potential harm to the BPS at the time of noncompliance
  • System conditions at the time of noncompliance (stressed system)
  • Function Cyber Asset performs (i.e. ICCP)
• Justification of Minimal Risk
  • Duration (internal controls key here!)
  • Scope – number of assets impacted
  • Protection above the requirements
  • Limited to substations

Required Information
Mitigating Activities
• A formal mitigation plan is typically not required
• Identify extent of condition analysis if applicable
• Identify how the noncompliance was mitigated
• Identify how the root cause was mitigated
• Evidence of completion is not required but needs to be retained (sampled)
• Inform MRO if future completion dates are delayed

Self-Logging Program Perspectives from Entity Participants
Joseph DePoorter - MRO PROS/NSRF Chair, MGE
Mahmood Safi - MRO CC Chair, OPPD

Getting Started with Self-Logging
Preoccupation with failure (HRO Principle #1)
Internal Controls
FERC’s Revised Policy Statement on Enforcement (Docket No. PL08-3-000): commitment to compliance
Lays out company’s defined process that anyone can use if a possible noncompliance action is found

Benefits of Self-Logging Program
You become the Audit Team, Risk Assessment & Mitigation Team and Enforcement Team which shows company’s commitment to being compliant and supporting a reliable BPS
Another tool that can identify, find out why, mitigate and log low risk noncompliant actions vs. self-reporting
Method to employ HRO Principles and promote system reliability

OPPD Self-Logging Overview
Joined the program in 2016
Application process was easy and transparent
  • MRO Staff support
Straightforward quarterly reporting process
  • If no issue, just an email sent to MRO
  • If issue(s) complete the template
  • Successful programs may qualify for extended reporting period

OPPD Self-Logging Benefits
Self-reporting & internal controls process
  • Self-identify, self-assess, and self-correct
Ownership – the entity is the auditor and the auditee
Risk Assessment – define own risks and what qualifies as self-logging items

OPPD Self-Logging Benefits
Presumed outcome – Compliance Exception (CE)
Self-logging is a Win-Win benefiting both parties
Highly Effective Reliability Organizations (HEROs)

Vision for the Future
• Develop NERC and FERC confidence
• Work with NERC, FERC and registered entities on path forward
• Determine whether minimal risk self-logs need to be processed
• Determine transparency need for learning and risk trending purposes

Join the Program
• Notify MRO of interest
• Provide information on how your entity meets the criteria
• MRO will review your eligibility
• MRO may call you to ask for clarification
• MRO will discuss the determination with you

Contact for Program Applications
Jackson Evans, MRO Enforcement Attorney
jackon.evans@mro.net
651-855-1758

Presenters’ Contact Information
Valerie Agnew: valerie.agnew@mro.net
Bill Steiner: william.steiner@mro.net
Mahmood Safi: mzsafi@oppd.com
Joseph DePoorter: jdepoorter@mge.com