Florida Reliability Coordinating Council, Inc.

Possible Noncompliance Review Processing

July 1, 2017 Version 1.0

RAM-200

3000 Bayport Drive, Suite 600 Tampa, Florida 33607-8410

(813) 289-5644- Phone (813) 289-5646- Fax

www.frcc.com

[ FRCC-RAM-200 Possible Noncompliance Review Processing Page 2 of 13 ! Version 1.0~

Florida Reliability Coordinating Council, Inc.

Th I . t . t . d til e ong1na s1gna ures are ma1n a1ne on 1e.

TITLE NAME

I I Procedure Writer Risk Assessment and Mitigation

Rick Dodd Specialist

Approval Authority /J ~--Manager Risk Assessment and /".-,•~.1 ~-:~/Jvv~~ ... ,;t·-Mitigation

Chrfs ffolm~st . ,....

Director of Enforcement, Risk ~~~ Assessment and Mitigation Andrew Williamson

VP Compliance, Enforcement, and ~~ Reliability Performance Linda Campbell

REVIEW I MODIFICATION LOG

Date Version Description of Change Number

07/01/2017 1.0 New Procedure, replaced ENF-1 02 Noncompliance Processing

Effective Date - July 1, 2017 Responsible Department - Compliance Next Periodic Review Date- 2020 Classification: Public Document

Revision 3.0

DATE

June 16, 2017

?/:tt/17

6/29/J?

Pj__M/JJ

Pages Affected

All

FRCC-RAM-200 Possible Noncompliance Review Processing

Table of Contents

Pa e 3 of 13 Version 1.0

Page

1.0 Purpose and Scope ......................................................................................................... 4

1.1 Purpose ..................................................................... ........................................... 4 1.2 Scope ......................... ............................................................ .............................. 4

2.0 Responsibilities ............................................................................................................... 4

2.1 Procedure Owner .................................................................... .............................. 4

3.0 Procedure ........................................................................................................................ 5

3.1 Overview ............................................................................................................... 5 3.2 Screening Review ................................................................................................. 5 3.3 Notice of Data Hold for Possible Violation .. .......................................................... 7 3.4 Preliminary Violation Risk, Disposition, and Mitigation Plan Review ..................... 7 3.5 PNC Review ......... ..... ... ........................................................................................ 9 3.6 Reviewing Feedback on PNC Review .................................................................. 9 3.7 Completing Preliminary Violation Risk, Disposition, and Mitigation Plan Review 10 3.8 Manager of RAM Preliminary Review Approval .................................................. 11

4.0 Reference Section ......................................................................................................... 12

5.0 Appendix A- High Level Process Overview ................................................................. 13

FRCC-RAM-200 Possible Noncompliance Review Processing

1.0 Purpose and Scope

1.1 Purpose

This procedure outlines the steps to be taken by the Florida Reliability Coordinating Council, Inc. (FRCC) Compliance Staff regarding the review of possible noncompliance cases entered into CTS/CITS.

1.2 Scope

This procedure applies to all Registered Entity (Entity) possible noncompliance cases received by FRCC Compliance Staff regardless of the discovery method.

2.0 Responsibilities

2.1 Procedure Owner

2.1.1 This procedure is the responsibility of the FRCC Manager of Risk Assessment and Mitigation (RAM) to maintain as necessary to keep the procedure current with the latest North American Electric Reliability Corporation (NERC) Rules of Procedure - Compliance Monitoring and Enforcement Program Appendix 4C and established FRCC procedures.

2.1.2 The review of this procedure will be performed when changes to departmental or NERC Rules of Procedure occur and have a potential impact to this processing. In addition, a review will be performed at least once every three (3) years from the last update. The review shall be documented in the Review/Modification section of this document.

2.1.3 The FRCC Manager of Risk Assessment and Mitigation is responsible for assigning related activities to the RAM Staff. RAM Staff will involve other FRCC Compliance groups in all activities referenced in this procedure.

2.1.4 This procedure will be approved by the FRCC Manager of Risk Assessment and Mitigation, the FRCC Director of Enforcement, Risk Assessment and Mitigation, and the VP - Compliance, Enforcement and Reliability Performance.

I FRCC~RAM~200 J Possible Noncompliance Review Processing

3.0 Procedure

3.1 Overview

Page 5 of 13 Version 1.0

3.1.1 Entities may submit cases of possible noncompliance or possible noncompliance cases may be received as a result of FRCC Monitoring activity (e.g., Audit, Spot-Check, Self-Certification). Based on these submissions, RAM Staff will begin this Possible Noncompliance Review processing, track, and update the RAM Active Violation and Mitigation Plan Status workbook to ensure all are processed within the required timelines.

3.1.2 In general, spreadsheets, and computer programs or other tools may be used to assist in the review of possible noncompliance cases, but all actions will be recorded in the Compliance Information Tracking System (CITS). Designated information will be available to the Entity through the FRCC Compliance Tracking System (CTS) Portal. Email notifications may be used to advise the Entity on some aspects of the Possible Noncompliance Review processing including the need to extend the review periods or obtain additional information.

3.1.3 In order to facilitate oversight, FRCC reporting to NERC of possible noncompliance cases will be thorough and in sufficient detail such that NERC can understand and reasonably accept the outcome reached.

3.1 .4 Refer to the diagram in Appendix A for a high-level overview of the process flow.

3.2 Screening Review

3.2.1 RAM Staff will be notified via email {automatic notification from CITS) when a new potential noncompliance has been reported {e.g., Self-Report from Entity, Audit Finding from Auditor).

3.2.2 The designated RAM Staff member will perform an initial review (screen) within five (5) business days of the potential noncompliance being identified, except for those identified during a Compliance Audit which will be screened immediately following the exit briefing with the Entity. The screening will evaluate the potential noncompliance to determine the applicability and enforceability, and the RAM Staff member will:

3.2.2.1 Review the Screening tab in CITS and resolve any discrepancies with applicable functions, appropriate contact information, Standard Requirement reference information, and

FRCC-RAM-200 Possible Noncompliance Review Processing Pa e 6 of 13 Version 1.0

any other incomplete information. Complete the following fields and ensure all others have valid information:

• Self-Log- Normally "No" unless this noncompliance case was entered as a result of a Self-Logging turned in by an Entity.

• Violation Risk Factor (VRF) - Ensure value entered by the Entity is valid and correct if necessary. Use the current VRF Matrix provide on the NERC website under the Standards web page.

• Violation Severity Level (VSL) - Review Initial Violation Description to determine magnitude of reported noncompliance and set the VSL according to the current VSL Matrix provide on the NERC website under the Standards web page.

• Violation End Date - If this date is not known at the time of this Screening, leave blank. Note: It may be necessary for mitigating activities to be completed before the correct violation end date can be determined.

3.2.2.2 Complete the following fields on the Review tab:

• Regional Violation Description: Use the information from the Screening tab to develop the first two statements as described in the PNCR Form.

• Regional Reliability Impact Statement: "This potential noncompliance is under review."

3.2.2.3 Check the Screening is Complete and the Sent to NERC checkboxes after completing the initial Screening tab. Click the Save button to save the record in CITS. Once the CITS sync to NERC has been completed, a NERC ID should be assigned to the record. If you have any sync errors and/or do not get a NERC ID assigned, open a ticket to IT to resolve.

3.2.2.4 Forward the original email identifying the report of the possible noncompliance to frccenf@frcc.com adding the NERC ID to the end of the subject line and a brief message in the body such as "Screening is complete for the referenced noncompliance" to inform Enforcement that screening has been completed. Once the NERC ID has been assigned and the screening has been completed, the noncompliance case should be in the Review in Progress state.

FRCC-RAM-200 Possible Noncompliance Review Processing Page 7 of13 Version 1.0

3.3 Notice of Data Hold for Possible Violation

3.3.1 Once notified via email of the completed Screening Complete, the FRCC Enforcement Legal Assistant will then issue the Data Hold letter within seven (7) business days after the date reported.

3.4 Preliminary Violation Risk, Disposition, and Mitigation Plan Review

3.4.1 The designated RAM Staff member will begin a review of all information provided in CITS and prepare the initial Possible NonCompliance Review (PNCR) Form using the template in SharePoint and store in the appropriate document set for that Entity. The initial form should be completed within 14 days from the initial report of the possible noncompliance and scheduled for review as noted further in this section.

3.4.2 The RAM Staff member will gather pertinent noncompliance facts as the PNCR Form is being prepared and complete all available information within the form including:

• The underlying facts and circumstances, including what happened, why, where, and when (relevant dates);

• The Reliability Standard at issue;

• The applicable Violation Risk Factor (VRF) and Violation Severity Level (VSL);

• Extent of condition;

• Root cause;

• The Entity's description of the potential and actual level of risk to reliability, including mitigation factors during pendency of the noncompliance including controls in place at the entity during the issue/violation;

• The Entity's mitigating activities for preventative and corrective processes and procedures, including internal controls; and

• Identify appropriate Monitoring Team Lead and Enforcement Specialist.

3.4.3 Once the basic information in the PNCR Form along with Entity provided information from the CITS Screening tab has been populated on the form, the assigned RAM Staff member will review the Entity's related compliance history and complete the appropriate section in the form. The review will include:

FRCC-RAM-200 Possible Noncompliance Review Processing

3.4.3.1 An assessment of relevance will be made for all prior compliance history related to the same Standard/Requirement.

3.4.3.2 An assessment of the previous mitigation plan and evaluate why a plan was not successful in preventing this possible noncompliance to ensure the mitigation plan for the current noncompliance does not contain the same weakness.

3.4.3.3 Professional judgement will be used to provide a conclusion in the PNCR Form regarding the impact of the compliance history and whether or not it should be considered an aggravating factor in the processing of this noncompliance. If no related compliance history is available, a summary statement will be provided indicating no compliance history was available.

3.4.4 The assigned RAM Staff member will then prepare the Regional Violation Description and Regional Reliability Impact Statement in the PNCR Form. They will also document any questions for a potential Data Request to the Entity to clarify the facts and circumstances of the reported possible noncompliance as well as considerations for inclusion in the Entity's mitigating activities in the PNCR Form.

3.4.5 The assigned RAM Staff member will then use professional judgement to provide an initial recommendation on the Recommended Disposition, Preliminary Filing Mechanism, Region Reliability Impact, Mitigation Plan Type (Formal or Informal), and need to Perform Verification of Completion in the PNCR Form.

3.4.6 When the initial PNCR Form has been populated with the above information, a comment will be added to the FRCC Region ID I NERC ID field on the form with the following text:

PNCR Team: Please review, comment accordingly, and reply to this comment when complete with an indication of agreement or dissent as appropriate.

3.4.7 The RAM Staff member will then enable "track changes" and save the form in SharePoint as noted above.

3.4.8 The RAM Staff member will then generate an email to the identified Monitoring Team Lead, Enforcement Specialist, and RAM Staff with a copy to both Monitoring Managers and the Enforcement Director using the template in SharePoint PNC Review Request Email- Template requesting the review to be completed within 14 days of the email notification.

I FRCC-RAM-200 I Possible Noncompliance Review Processing

Page 9 of 13 Version 1.0

3.5 PNC Review

3.5.1 Each recipient of a PNC Review Request email will review the content of the completed form identified in the email within the 14 day timeframe. Should the original reviewer be unavailable, their manager will be responsible for completing the review on their behalf or assigning it to another member of their team. Professional judgement will be used to:

• Ensure all facts and circumstances are clearly identified and understood;

• Risk has been appropriately identified;

• Noncompliance disposition is appropriate (Note: Enforcement will note any unique variance with an explanation); and

• Mitigation Plan handling is appropriate.

3.5.2 The reviewer will provide any required wording adjustments to add clarity to the Regional Violation Description and Regional Reliability Impact Statement in the PNCR Form.

3.5.3 The reviewer will add comments in the appropriate locations where questions or concerns arise during their review.

3.5.4 The reviewer will note any potential Data Request questions that may be necessary as well as mitigating activities that we will ensure the Entity addresses.

3.5.5 The reviewer will reply to the comment located at the top of the PNCR Form on the FRCC Region ID I NERC ID indicating their completion of the review and concurrence or disagreement with proceeding.

3.5.6 After completing their review, the reviewer will reply to the email received with a brief note indicating they have completed their review.

3.6 Reviewing Feedback on PNC Review

3.6.1 Once the period for review has passed or feedback has been received from all required members, the RAM Staff member will review and comment on the feedback provided.

3.6.2 The RAM Staff member will send Data Requests to the Entity as needed to obtain sufficient information to determine risk and make a preliminary determination within 30 days of the report date of the noncompliance. The request will require that responses are uploaded to the FRCC Entity Security File Transfer location or FRCC Evidence Vault, as appropriate. All Data Requests will be uploaded to the violation record in CITS as a

FRCC-RAM-200 Possible Noncompliance Review Processing I

document type "Request for Additional Information" with an event "Region Sent Document to Registered EntitY' with the date the request was sent to the Entity. When a response to the Data Request is received from the Entity, the event "Region Received Document from Registered Entity'' will be added to the appropriate document type with the date the infonnation was received (Note: Do not load the document(s) received from the Entity into CITS). The Data Requests may require the following infonnation including, but not limited to:

• The underlying facts and circumstances, including what happened, why, where, and when;

• The Reliability Standard at issue;

• The applicable VRF and VSL;

• The Entity's description of the potential and actual level of risk to reliability, assessment of extent of condition, any root cause analysis perfonned, and mitigation factors during pendency of the noncompliance; and

• The Entity's preventative and corrective processes and procedures, and internal controls;

3.6.3 The RAM Staff member will document the data request responses received from the Entity in the PNCR Form and advise the team members of such response.

3.6.4 The RAM Staff member will directly contact any team member with significant questions or concerns to resolve. If necessary, the RAM Staff member will immediately schedule and coordinate any required meeting.

3.6.5 Updates regarding these conversations and/or meetings should be noted in the PNCR Form.

3.6.6 Once concurrence with the description, risk, disposition, and mitigation plan handling has been obtained, the RAM Staff member will complete the preliminary review in CITS using the next section.

3. 7 Completing Preliminary Violation Risk, Disposition, and Mitigation Plan Review

3. 7.1 The RAM Staff member will update the violation record Review Completion and Mitigation tabs within CITS for the possible noncompliance using the following steps.

3.7.2 Using the updated information in the PNCR Form, complete the Review Completion tab in CITS by filling in the Preliminary Filing Mechanism and Region Reliability Impact. Update the Region Violation Description and Region Reliability Impact Statement fields using the agreed wording in the

FRCC-RAM-200 Possible Noncompliance Review Processing Page 11 of 13 Version 1.0

PNCR Form. The first two sentences of the Region Violation Description field description must be formatted as shown in the PNCR Form to be used for the Notice of Possible Violation (NPV) letter.

3. 7.3 The RAM Staff member will also add a review record on the same tab (i.e., Add Review button) indicating if it is a noncompliance or dismissal, and provide Reviewer Notes regarding the completion of the PNC Review (including date completed). The Review is complete and move to the FOLLOWING review radio button should be selected, and the Compliance Enforcement Manager (CEM) selected in the drop down. Click the Apply button.

3.7.4 Update the violation record in CITS, if necessary, to require or not require a Formal Mitigation Plan using the Is Formal Mitigation Plan Required radio button on the Mitigation tab. In the case that a noncompliance requires a Formal Mitigation Plan, the RAM Staff member will contact the Entity regarding submittal of a Formal Mitigation Plan in addition to the automated email that will be generated by CITS when the flag is changed. With all the updates made, check the Send to NERC box, and Save the violation record.

3. 7.5 The RAM Staff member will then forward the screening completed e-mail to the Manager of RAM that the Review Completion tab is ready for CEM review and copy frccenf@frcc.com .

3.8 Manager of RAM Preliminary Review Approval

3.8.1 The Manager of RAM will review the noncompliance once the Review Completion tab in CITS has been completed and they have been notified via email.

3.8.2 The Manager of RAM will accept or reject the preliminary determination by adding a review record on the same tab (i.e., Add Review button) indicating if it is a noncompliance or dismissal, and provide Reviewer Notes regarding their concurrence or disagreement. The Review is complete and this is the LAST review radio button should be selected. Click the Apply button and then confirm this is the last review. With the updates made, check the Send to NERC box, and Save the violation record.

3.8.3 Once the CEM review has been completed, the Manager of RAM will reply to the received email notifying the RAM Staff member and Enforcement (copy reply email to frccenf@frcc.com) the CEM review has been completed.

3.8.4 The RAM Staff member will use the RAM-201 Mitigation Plan Processing procedure to continue Mitigation Plan processing.

FRCC-RAM-200 Possible Noncompliance Review Processing

4.0 Reference Section

4.1.1 NERC Rules of Procedure - Appendix 4C Compliance Monitoring and Enforcement Program document.

4.1.2 NERC Rules of Procedure - document.

I FRCC-RAM-200 I Possible Noncompliance Review Processing

5.0 Appendix A - High Level Process Overview

~~l l · l(JM•ri!J/1.' MRRl L~ N<tl dir.;hon~ ol

NcOCJ:Irrl pi !.'In~;;< Ac u~i!~

5t ·lt .a~p0 11

~J oncomp~nnce 11£11•!11 '/

Po;;slblt> Noncomjli3Il~-:

l'!£!V'ev.

L------------,-------TI VM---------------------,--------------------------~

-------~·-·-··--------- --~-----· ----------- --- r··---.-----~--------.

[On'lfl1.i!l.!!r.l Wlllllr ' d.!y' o1 rt'Jl\l1i

~------------------ IH

'um 1~~1~t,J wllltln 1 L.r, 1 al r'!ca•t

-~-----------------------1 ~1

IIlii Ioii 1~1111'1 i~ rt '-'lt ~JIIM jJ tb-~" (If 11'[)1~ I

f"'ll------------------------r---------------.------..

Note: Data Request(s) during PNC Review may delay 30 day timelin e.

Page 13 of 13 Version 1.0

MitigiillM i'l.m tor (~r:•"lllj

----- ----------·-·-··------------,--------------- ·

PNC P.~<i"W con.pJEI:rl Willi n ~ :l ctily:. ul r~pml