NERC Reliability Working Group, July 25, 2013
A collaborative effort between NERC, the Regional Entities, and registered entities to identify and implement changes that enhance the effectiveness of the Compliance Monitoring and Enforcement Program
Represents risk-based compliance monitoring
◦ Focuses on risks to reliability
◦ Enforcement will be reserved for significant matters
It is a customized compliance approach
◦ Individualized scoping for each registered entity
◦ Reduces administrative burdens and distractions
If the end-state compliance monitoring and enforcement program is effective* at providing reasonable assurance through compliance monitoring, appropriate deterrence through enforcement, and a feedback loop to continuously improve reliability standards.
*Resources expended to achieve and monitor compliance and carry out enforcement are sufficient in the larger risk areas and not necessarily over-applied in the lower risk areas.
The four components of the RAI are:
1. Assessing Reliability Risk
2. Scoping Compliance Monitoring
3. Processing Possible Violations in Accordance with Risk
4. Strengthening the Feedback Loop to the Standards Development Process
Definition of risk to the BES
◦ Instability, uncontrolled separation, or cascading failures
◦ System-wide risks to the BES
Entity’s Risk to the BES
◦ Inherent risk is a function of registrations and other relevant factors like system design, configuration, size, etc.
◦ Control risk is a function of the entity’s internal controls established to reduce the risk of a violation or system event.
◦ These two components will be considered in determining an entity’s risk profile or risk assessment. A project is currently underway to determine a regional approach to develop a prototype for risk assessment.
Analysis of risk assists an entity in deploying controls more effectively.
◦ Review should focus on the greatest threats to reliability based on impact and likelihood of occurrence.
◦ The cost of a control should not exceed its benefits.
◦ Reliability Standards are dynamic, and the methodology should be flexible enough to adapt to changes.
There is no “one size fits all” model.
One size does not fit all!!!
Registered functions (table columns): BA, DP, LSE, TO, GO, GOP, IA, PA, PSE, RC, RP, RSG, TP, TOP, TSP
[Table: one X per registered function; the column each X belongs to was not preserved in extraction]
Entity A (Co-Op): 7 of the 15 functions
Entity B (Gen): 2 functions
Entity C: 12 functions
Entity D: 5 functions
Entity E (SoCo): 14 functions
Risk assessment cycle (diagram labels):
◦ Identify Risks
◦ Prioritize Risks
◦ Assess Risks
◦ Develop Assessment Criteria
◦ Assess Risk Interaction
◦ Respond to Risks (a.k.a. Internal Controls)
What are risks to reliability of the bulk electric system?
◦ Consider registered functions.
◦ Review event analysis of the entity.
◦ Review operational issues in the industry.
◦ What keeps me up at night relative to reliability?
What are compliance risks for the Standards?
◦ Are there stumbling blocks to compliance for the entity?
◦ Review self-reports for the entity (are there problematic standards?).
◦ Review frequently violated standards.
◦ What keeps me up at night relative to compliance?
Risk Interactions
◦ Interactions between other events/conditions that could increase risk.
How do risks rank relative to each other?
◦ Formal method to calculate risk: likelihood scale, impact scale
◦ “Pin the tail on the donkey”
Control Program (diagram):
◦ Inputs: Reliability Functions
◦ Control Activities: Processes, Practices, Policies, Procedures, Systems, Approvals, Authorizations, Reviews
◦ Outputs: Compliance with the Reliability Standards
◦ Framework components: Control Environment (Culture), Risk Assessment, Information / Communication, Monitoring
An entity’s control activities facilitate compliance with the Reliability Standards.
An internal control program helps provide a Registered Entity with reasonable assurance of compliance with the requirements of the Standards.
Current – Standards Based: CIP-002, CIP-003, CIP-004, CIP-005, CIP-006, CIP-007, CIP-008, CIP-009, 693 Standards
Future – Functions Based: Device Management; Change Management & Testing; Recovery & Incident Response; Access Control; Physical Security; Info. Classification & Handling / Doc Control
Policies and procedures ensure management’s directives are carried out.
Elements of controls work together and collectively reduce risk of not achieving objectives.
Controls should not be considered discretely (defense in depth).
Continuous Improvement Cycle
Internal Controls Analysis: Review existing processes, procedures and policies to determine if they facilitate compliance with the Reliability Standards.
Conceptual White Papers
ERO & Industry Documents
◦ RAI Q&A
◦ Internal Controls Working Guide
Initial Phase Plan/Deliverables
◦ Audit Handbook
◦ ERO & Industry Collaborative Guides
Benefits & Impacts
Internal Control Library
◦ RAI Pilots: MRO – ATC; RFC – PJM, PPL; SERC – integrating into audits
◦ Self-Reporting Process Enhancement: Self-Report Guide; Mitigation Plan Guide; Violation vs. Deficiency Pilots
◦ FFT Enhancements: Regional Entity Triage Process
Controls Framework Documents
◦ Committee of Sponsoring Organizations of the Treadway Commission (COSO): Internal Control – Integrated Framework
◦ The Institute of Internal Auditors – International Professional Practices Framework – Standard 2210 – Engagement Objectives
◦ Information Systems Audit and Control Association – Control Objectives for Information and Related Technology
Auditing Guidance Documents
◦ American Institute of Certified Public Accountants – Professional Standards, vol. 1 – AU Section 314
◦ United States Government Accounting Office – Government Auditing Standards – Chapter 7 – Reporting Standards for Performance Audits
NERC RAI Documents
◦ http://www.nerc.com/pa/comp/Pages/Reliability-Assurance-Intiative.aspx
Questions