Self-Logging Program Valerie Agnew-MRO VP Enforcement Bill - - PowerPoint PPT Presentation

Self-Logging Program

Valerie Agnew-MRO VP Enforcement Bill Steiner-MRO Director of Risk Assessment and Mitigation Joseph DePoorter-MRO PROS/NSRF Chair, MGE Mahmood Safi-MRO CC Chair, OPPD

The Self- Logging Program

• Admitted registered entities:
• Maintain a log of minimal

risk noncompliance

• Submit logs to Region on

a periodic basis in lieu of self-reports

• Presumed Compliance

Exception disposition

2

Registered Entity Criteria

Effective processes to:

• Self-identify noncompliances
• Assess risk of

noncompliances

• Correct noncompliances
• Prevent recurrence

Evaluated using the five HRO principles (MRO HEROS)

3

Criteria Resources

MRO Self-Logging Program Eligibility Determination Process

• MRO Website: Assurance/Compliance

Monitoring/Self-Logging Program Participation

ERO Enterprise Self-Logging Program

• NERC Website: Initiatives/Risk-Based

CMEP/Design Resources: ERO Enterprise Self-Logging Program

4

Self- Logging in MRO

• 19 registered entities

participating

• MRO is working with entities
• n what information to

include in logs

• All self-logged instances of

noncompliances have been processed as Compliance Exceptions

5

Logging Assists Entities in Identifying Issues

6

Processing Self-Logged Issues

• MRO’s goal is to process

self-logged items as soon as possible

• MRO is working to eliminate

time consuming RFIs

• Pertinent, concise

information assists with reducing processing time

7

Thorough Self-Log

Having a complete and well documented self-log:

• Provides increased assurance that this issue

was well understood, managed, and minimal risk

• May reduce or eliminate the need for SME

discussions or additional data requests

• Helps focus mitigating activities
• MRO has an “enhanced” template to assist in

providing the required information https://www.mro.net/MRODocuments/Template Self-Log Spreadsheet.xlsx

8

Required Information

Important dates to provide (columns in template)

• Date noncompliance was self-identified
• Date the noncompliance started
• End date of noncompliance (not including

activities for reoccurrence) – this may be in the future.

• Completion date for all mitigating activities

(includes activities for reoccurrence) – also may be in the future

9

Required Information

Information about the discovery

• How the noncompliance was identified
• i.e. internal control, ad-hoc discovery, etc.
• important to determine extent of condition

analysis is required

• Description of noncompliance
• What happened – (aka “condition”)
• Be descriptive if appropriate – should not

be more than a few sentences

10

Required Information

Root cause of noncompliance

• 95% a policy or procedure deficiency or

process implementation issue

• “Human Error” is typically incorrect
• Mitigation for reoccurrence must address

the root cause

• This is the basis for most additional request

for information

11

Required Information

Risk

• Description of potential harm to the BPS at the

time of noncompliance

• System conditions at the time of

noncompliance (stressed system)

• Function Cyber Asset performs (i.e. ICCP)
• Justification of Minimal Risk
• Duration (internal controls key here!)
• Scope – number of assets impacted
• Protection above the requirements
• Limited to substations

12

Required Information

Mitigating Activities

• A formal mitigation plan is typically not required
• Identify extent of condition analysis if applicable
• Identify how the noncompliance was mitigated
• Identify how the root cause was mitigated
• Evidence of completion is not required but

needs to be retained (sampled)

• Inform MRO if future completion dates are

delayed

13

Self-Logging Program Perspectives from Entity Participants

Joseph DePoorter-MRO PROS/NSRF Chair, MGE Mahmood Safi-MRO CC Chair, OPPD

14

Getting Started w ith Self-Logging

Preoccupation with failure (HRO Principle #1) Internal Controls FERC’s Revised Policy Statement on Enforcement (Docket No. PL08-3-000): commitment to compliance Lays out company’s defined process that anyone can use if a possible noncompliance action is found

15

Benefits of Self-Logging Program

You become the Audit Team, Risk Assessment & Mitigation Team and Enforcement Team which shows company’s commitment to being compliant and supporting a reliable BPS Another tool that can identify, find out why, mitigate and log low risk noncompliant actions vs. self- reporting Method to employ HRO Principles and promote system reliability

16

OPPD Self-Logging Overview

Joined the program in 2016 Application process was easy and transparent

• MRO Staff support

Straightforward quarterly reporting process

• If no issue, just an email sent to MRO
• If issue(s) complete the template
• Successful programs may qualify for extended

reporting period

17

OPPD Self-Logging Benefits

Self-reporting & internal controls process

• Self-identify, self-assess, and self-correct

Ownership – the entity is the auditor and the auditee Risk Assessment – define own risks and what qualifies as self-logging items

18

OPPD Self-Logging Benefits

Presumed outcome – Compliance Exception (CE) Self-logging is a Win-Win benefiting both parties Highly Effective Reliability Organizations (HEROs)

19

Vision for the Future

• Develop NERC and FERC

confidence

• Work with NERC, FERC and

registered entities on path forward

• Determine whether minimal risk self-logs

need to be processed

• Determine transparency need for learning

and risk trending purposes

Join the Program

• Notify MRO of interest
• Provide information on how

your entity meets the criteria

• MRO will review your

eligibility

• MRO may call you to ask for

clarification

• MRO will discuss the

determination with you

21

Contact for Program Applications

Jackson Evans, MRO Enforcement Attorney

jackon.evans@mro.net 651-855-1758

22

Presenters’ Contact Information

Valerie Agnew: valerie.agnew@mro.net Bill Steiner: william.steiner@mro.net Mahmood Safi: mzsafi@oppd.com Joseph DePoorter: jdepoorter@mge.com

23

24