NERC Reliability Working Group July 25, 2013. A collaborative effort between NERC, the Regional...


Page 1

NERC Reliability Working Group, July 25, 2013

Page 2

A collaborative effort between NERC, the Regional Entities, and registered entities to identify and implement changes that enhance the effectiveness of the Compliance Monitoring and Enforcement Program

Represents risk-based compliance monitoring
◦ Focuses on risks to reliability
◦ Enforcement will be reserved for significant matters

It is a customized compliance approach
◦ Individualized scoping for each registered entity
◦ Reduces administrative burdens and distractions

Page 3

If the end state compliance monitoring and enforcement program is effective* at providing reasonable assurance through compliance monitoring, appropriate deterrence through enforcement and a feedback loop to continuously improve reliability standards.

*resources expended to achieve and monitor compliance and carry out enforcement are sufficient on the larger risk areas and not necessarily over applied on the lower risk areas.

Page 4

The four components of the RAI are:
1. Assessing Reliability Risk
2. Scoping Compliance Monitoring
3. Processing Possible Violations in Accordance with Risk
4. Strengthening the Feedback Loop to the Standards Development Process

Page 5

Definition of risk to the BES
◦ Instability, uncontrolled separation, or cascading failures
◦ System-wide risks to the BES

Entity’s Risk to the BES
◦ Inherent risk is a function of registrations and other relevant factors like system design, configuration, size, etc.
◦ Control risk is a function of the entity’s internal controls established to reduce risk of violation or system event.
◦ These two components will be considered in determining an entity’s risk profile or risk assessment.

Project currently underway to determine a regional approach to develop a prototype for risk assessment.

Page 6

Analysis of risk assists an entity to deploy controls more effectively.
◦ Review should focus on greatest threats to reliability based on impact and likelihood of occurrence.
◦ Cost of a control should not exceed benefits.

Reliability Standards are dynamic and methodology should be flexible enough to adapt with changes.

There is no “one size fits all” model.

Page 7

One size does not fit all!!!

Registered functions (table columns): BA, DP, LSE, TO, GO, GOP, IA, PA, PSE, RC, RP, RSG, TP, TOP, TSP
X marks the functions each entity is registered for:

Entity A (Co-Op): X X X X X X X
Entity B (Gen): X X
Entity C: X X X X X X X X X X X X
Entity D: X X X X X
Entity E (SoCo): X X X X X X X X X X X X X X

Page 8

Risk management cycle (diagram): Identify Risks; Assess Risks (Develop Assessment Criteria, Assess Risks, Assess Risk Interaction); Prioritize Risks; Respond To Risks (AKA Internal Controls)

Page 9

What are risks to reliability of the bulk electric system?
◦ Consider registered functions.
◦ Review event analysis of the entity.
◦ Review operational issues in the industry.
◦ What keeps me up at night relative to reliability?

What are compliance risks for the Standards?
◦ Are there stumbling blocks to compliance for the entity?
◦ Review self-reports for the entity (are there problematic standards?).
◦ Review frequently violated standards.
◦ What keeps me up at night relative to compliance?

Risk Interactions
◦ Interactions between other events/conditions that could increase risk.

How do risks rank relative to each other?
◦ Formal method to calculate risk: likelihood scale, impact scale
◦ “Pin the tail on the donkey”

Page 10

Control Program (diagram)

Inputs: Reliability Functions
Control Activities: Processes, Practices, Policies, Procedures, Systems, Approvals, Authorizations, Reviews
Outputs: Compliance with the Reliability Standards
Supporting components: Information / Communication; Control Environment (Culture); Risk Assessment; Monitoring

An entity’s control activities facilitate compliance to the Reliability Standards.

An internal control program helps provide a Registered Entity with reasonable assurance of compliance with the requirements of the Standards.

Page 11

Current – Standards Based: CIP-002, CIP-003, CIP-004, CIP-005, CIP-006, CIP-007, CIP-008, CIP-009

Future – Functions Based: Device Management; Change Management & Testing; Recovery & Incident Response; Access Control; Physical Security; Info. Classification & Handling / Doc Control

Page 12

693 Standards

Page 13

Policies and procedures ensure management’s directives are carried out.

Elements of controls work together and collectively reduce risk of not achieving objectives.

Should not be considered discretely (defense in depth).

Page 14

Continuous Improvement Cycle

Page 15

Internal Controls Analysis: Review existing processes, procedures and policies to determine if they facilitate compliance with the Reliability Standards

Page 16

Conceptual White Papers

Initial Phase Plan/Deliverables

Benefits & Impacts
◦ RAI Pilots: MRO - ATC; RFC – PJM, PPL; SERC – integrating into audits
◦ Self-Reporting Process Enhancement: Self-Report Guide; Mitigation Plan Guide; Violation vs Deficiency Pilots
◦ FFT Enhancements: Regional Entity Triage Process

ERO & Industry Documents
◦ RAI Q&A
◦ Internal Controls Working Guide
◦ Audit Handbook
◦ ERO & Industry Collaborative Guides
◦ Internal Control Library

Page 17

Controls Framework Documents
◦ Committee of Sponsoring Organizations of the Treadway Commission (COSO): Internal Control – Integrated Framework
◦ The Institute of Internal Auditors – International Professional Practices Framework – Standard 2210 – Engagement Objectives
◦ Information Systems Audit and Control Association – Control Objectives for Information and Related Technology

Auditing Guidance Documents
◦ American Institute of Certified Public Accountants – Professional Standards, vol. 1 – AU Section 314
◦ United States Government Accounting Office – Government Auditing Standards – Chapter 7 – Reporting Standards for Performance Audits

NERC RAI Documents
◦ http://www.nerc.com/pa/comp/Pages/Reliability-Assurance-Intiative.aspx

Page 18

Questions