SCCE Houston 2014 v6 - SCCE | Resources & Support | SCCE ...

Page 1

Utilities & Energy Compliance & Ethics Conference

‐ Society of Corporate Compliance and Ethics ‐

NERC Compliance Embraces Internal Controls

February 25, 2014

RSA Reliability Standards Advisory Service LLC

Reliability | Sustainability

Copyright © 2014 Reliability Standards Advisory LLC. All rights reserved.

Fred Anderson, CCEP, CIA, CFE

Chief Executive Officer & Founder, Reliability Standards Advisory Service LLC

– More than 20 years' experience as a Fortune 500 management consultant:

– Master of Science Corporate Finance

– Bachelor of Business Administration Economics

Randi Nyholm, CCEP

Transmission Compliance Specialist Senior, Minnesota Power

– MS Scientific and Technical Communication

– BS Business Administration

– Five years in development and implementation of NERC compliance programs

Page 2

• Conduct a Risk Assessment for NERC Standards

• Identify and Implement Appropriate Internal Control

• Create Sustainable Models and Tools that don’t Break the Bank


Page 3

1. Principles of risk management

2. Risk identification and quantification methods

3. Managing risk – not all risk is bad

4. RAI and risk management for the BES


To identify and manage risks that are associated with an organization’s objectives. Managing risk is a single continuous process. The objective of managing risks is to decrease the probability of events that reduce bulk electric system reliability.

Page 4

Risk‐taking in areas of legal and ethical obligations invariably leads to bad outcomes.

• FERC/NERC guidance states “assessment of risk is fundamental to developing a strong compliance program.”

• NERC guidance lists factors that a utility should consider in any risk assessment. 

• FERC and NERC look at a utility's overall compliance program and take into account to what degree the entity analyzes risks.

Source ‐ FERC Revised Policy Statement on Penalty Guidelines – Docket No. PL10‐4‐000 (Sep 17, 2010)


The portfolio of risks facing each utility is unique to that business. Some utilities will face severe risks of a nature that are of no significance to another. 

Registrants even with similar registered functions are likely to have very different risk portfolios.

Source: NERC CMEP 2014

Page 5

From an ERM Perspective

• Once the utility’s objectives are concisely established, start identifying risks by asking “What can go wrong?”

From a Strictly FERC/NERC Standard Compliance Perspective

• Prioritize standards (AML) based on level of risk to the BES.

• Start identifying all risks by Standard / Requirement by asking “What can go wrong?”

From a Registrant’s Risk to the Bulk Electric System Perspective

• Identify the utility’s areas of impact to the grid through an agreed list of key indicators – for example, the MRO Risk Based Overview AML.

• Start identifying risk by asking “What can go wrong?”


Methodology: A process of compiling a risk register starts off by identifying a wide variety of risks, but these should then be filtered to allow the utility to concentrate on those with the greatest potential impact to the BES.

Characteristics of Risk Register Approach

• Complexity of the business

• Filters applied on risks/opportunities

• Opportunity to take a formal look at the specific risks management faces

• Not a scientific exercise

• Attempts to quantify risks, to a great extent done on a subjective basis

Page 6

Three Tiered System

Primary – Highest or greatest risk to BES reliability

Secondary – Significant reliability risk, but one whose impact, because of its severity, its probability, or a combination of both, is more acceptable to assume from a cost/benefit perspective.

Tertiary – Low reliability risk, minimum impact to reliability. Typically this level of risk is assumed by a utility due to the nature of the cost/benefit outcomes.

Page 7

A Risk Map prioritizes each BES Operations risk according to significance and likelihood and maps the risks into four quadrants. 

Once the top BES risks are plotted, look at the quadrant where each risk is located. Position in the quadrant helps prioritize the risks and indicates the level of concern and attention that should be directed toward mitigating each risk, given its potential impact on a utility’s ability to accomplish its business strategies.


Adequacy – is the ability of a utility’s electric system to supply the aggregate electric power and energy requirements to electricity consumers, at all times, taking into account all scheduled and reasonably expected unscheduled outages of system components.

Operating reliability – is the ability of a utility’s electric system to withstand sudden disturbances such as electric short circuits or unanticipated loss of system components.

Note: Details of the 6 ALR definitions are available at http://www.nerc.com/docs/pc/Definition‐of‐ALR‐approved‐at‐Dec‐07‐OC‐PC‐mtgs.pdf

Details of the Eight Reliability Principles are available at http://www.nerc.com/files/Reliability_Principles.pdf

Page 8

NERC’s definition was recently further refined with the identification of specific characteristics that define an Adequate Level of Reliability (ALR)1:

1. The System is controlled to stay within acceptable limits during normal conditions; 

2. The System performs acceptably after credible Contingencies; 

3. The System limits the impact and scope of instability and cascading outages when they occur; 

4. The System’s Facilities are protected from unacceptable damage by operating them within Facility Ratings; 

5. The System’s integrity can be restored promptly if it is lost; and 

6. The System has the ability to supply the aggregate electric power and energy requirements of the electricity consumers at all times, taking into account scheduled and reasonably expected unscheduled outages of system components. 

1 http://www.nerc.com/docs/pc/Definition‐of‐ALR‐approved‐at‐Dec‐07‐OC‐PC‐mtgs.pdf. 


A framework provides a standard against which utilities – large or small, in the public or private sector, for profit or not – can assess their control systems and determine how to improve them and, consequently, bulk electric system reliability.

Page 9

Risk models use quantitative or statistical methods to determine the aggregate risk based on a portfolio of individual risk factors, using a tool such as regression analysis.

Other techniques include:

1. Value‐at‐Risk (VaR),

2. Historical Simulation (HS),

3. Extreme Value Theory (EVT) or Scenario Analysis to assess a portfolio of risk categories.


Enterprise risk management is….

a process,

effected by a registrant’s board of directors, management and other personnel, 

applied in strategy setting and across the enterprise, 

designed to identify potential events that may affect the entity, and manage risk to be within its risk tolerance, 

to provide reasonable assurance regarding the achievement of utility objectives. 

Page 10

COSO was formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting (the Treadway Commission). The Treadway Commission is jointly sponsored and funded by five main professional accounting associations and institutes headquartered in the United States.


Within the context of a utility's established mission or vision, management establishes strategic objectives, selects strategy, and sets aligned objectives cascading through the enterprise. This enterprise risk management framework is geared to achieving a utility's objectives, set forth in four categories.

These four categories provide a common definition of enterprise risk management and provide a unified approach for the evaluation of enterprise risk management systems. 

Page 11

Standard PRC‐005‐1b — Transmission and Generation Protection System Maintenance and Testing

Purpose: To ensure all transmission and generation Protection Systems affecting the reliability of the Bulk Electric System (BES) are maintained and tested. (Source: NERC Standard website)

Risk: Failure to maintain and test all transmission and generation protection systems affecting reliability of the BES.

Risk Assessment Output: Identification of two “primary” internal controls.


Page 12

Critical System Components

• Switching Diagrams – select certain items that have critical system protections components

• Hierarchy of Risk – i.e. Top 20

• Generation

• Large Tie‐lines

• Topography Concerns

Long distance of Transmission and Generation Lines


Protection System Maintenance Program Monitoring Components

• Data Request: A list of all substations 100kV and above and generating stations connected to the BES.

• Maintenance and testing intervals

• Basis for maintenance and testing intervals

• Summary document of maintenance and testing procedures

Sample Design ‐ Identify (1) Population and Size, (2) Sample Size, (3) Sample Method

Page 13

• Risk: Failure to maintain and test all transmission and generation protection systems affecting reliability of the BES.

• Internal Control (PRC‐005‐1b‐R1‐R2 (IC1)): What do we need to know to mitigate “maintain” risk?


• Means different things to different people.

• Miscommunication & different expectations.

Internal Controls

• Are put in place to keep the utility on course toward profitability, goals and achievement of its mission, and to minimize surprises / pitfalls along the journey.

• Enable management to deal with rapidly changing economic, competitive environments, shifting consumer and regulatory demands and to ensure compliance with laws and regulations.

Page 14

Why – Myth 1: Internal Control can ensure a Registered Entity’s success.

Myth 2:  Internal Control can ensure compliance with laws, and regulations such as NERC Standards and Requirements.

Can only provide reasonable assurance

Judgments in decision‐making can be faulty

Simple error or mistake

Circumvention or collusion

Ability to override system

Resource constraints – relative to costs


Internal Controls Serve Many Important Purposes, including:

• Over the past 10 years, increasing calls for better internal control systems from FERC, DOJ, SEC, IRS and PCAOB

• A means to an end, not the end itself: report cards, KPIs, KRIs, SRIs and other metrics

• Viewed by regulators and executives as a solution to a variety of potential problems

Page 15

• Broadly defined: “An internal control is a process, designed to provide reasonable assurance regarding the achievement of objectives.”

• In business, internal controls are deployed for:

o Effectiveness and efficiency of operations

o Reliability of financial reporting

o Compliance with applicable laws and regulations


The Institute of Internal Auditors (IIA) defines control and control processes as follows:

A control is any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved.

Control processes are the policies, procedures, and activities that are part of a control framework, designed to ensure that risks are contained within the risk tolerances established by the risk management process.

Page 16

• Derived from how utility management runs business & integrated with management processes

1. Control Environment

2. Risk Assessment

3. Control Activities

4. Information & Communication

5. Monitoring


1. Poor Judgment in Cognitive Decision Making

2. Human Error – Culture Influences & Intuitive Failures

3. Control Processes deliberately Circumvented by Employees and Others

4. Management Overriding Controls

5. The Occurrence of Unforeseeable Circumstances

*Surveys conducted by AICPA and IIA

Page 17

Effective

• Control environment is the company's attitude toward internal controls. Known as "tone‐at‐the‐top," the control environment is a necessary condition for effective internal control.

• The "what could go wrong?" stage, in completing a formal risk assessment.

• Business systems that gather information related to internal control and management that uses this information to support employees in doing their job.

• Monitoring is the ongoing feedback mechanism that ensures that internal control systems that are effectively designed remain that way.

• Control activities are the specific activities performed by company personnel to ensure that internal control is effective.


Efficient (measuring efficiency)

• Provides reasonable assurance business objectives are met

• Realistic expectations

• Benefit greater than resource expenditure

• Sustainable model

• Automated communication channels

Page 18

Standard PRC‐005‐1b — Transmission and Generation Protection System Maintenance and Testing

Purpose: To ensure all transmission and generation Protection Systems affecting the reliability of the Bulk Electric System (BES) are maintained and tested. (Source: NERC Standard website)

Risk: Failure to maintain and test all transmission and generation protection systems affecting reliability of the BES.

Output: Identification of two “primary” internal controls.


R1. Each Transmission Owner and any Distribution Provider that owns a transmission Protection System and each Generator Owner that owns a generation Protection System shall have a Protection System maintenance and testing program for Protection Systems that affect the reliability of the BES. The program shall include:

R1.1. Maintenance and testing intervals and their basis.

R1.2. Summary of maintenance and testing procedures.

Page 19

• Risk: Failure to maintain and test all transmission and generation protection systems affecting reliability of the BES.

• Internal Controls PRC‐005‐1b‐R1‐R2: What do we need to know to mitigate “maintain” risk? – Six Activities:

1. Identify population of protective relay systems including elements

2. List of protective relay schemes & link to PSR

3. Maintenance schedule for each PSR

4. Create & archive PSR maintenance records

5. Who is responsible for performing PSR maintenance?

6. Management responsible for oversight of PSR maintenance?


• To Maintain:

Identify population of protective relay systems including elements

• Information Criteria: SRRU

• Sufficient – information is factual, adequate, and convincing so that a prudent, informed person reaches similar conclusion 

• Reliable – information is best attainable information

• Relevant – information supports and is consistent with objectives

• Useful – information helps organization meet its goals

• Ask yourself ‐ Is the information SRRU compliant?

Page 20

• 8 Internal Control Design Attributes

1. A Protection System maintenance program. (R1, M1)

2. Maintenance intervals and their basis. (R1.1)

3. Summary of maintenance procedures. (R1.2)

4. Provide documentation of its Protection System maintenance program and implementation of program to its Regional Reliability Organization on request (within 30 calendar days). (R2)

5. Evidence Protection System devices were maintained within the defined intervals. (R2.1)

6. Date each Protection System device was last maintained. (R2.2)

7. Evidence it provided documentation of its Protection System maintenance program and the implementation of its program. (M2)

8. Data retention requirements of one calendar year and 3 years.


[Company Name] has a documented Protection System maintenance program (R1, M1) that contains maintenance intervals and their basis (R1.1) and includes a summary of maintenance procedures (R1.2). This document is reviewed by oversight management and updated annually. The program includes a process that documents notification of its Protection System maintenance program and implementation of that program to its Regional Reliability Organization on request (within 30 calendar days) (R2, M2). The program includes a process that provides evidence that Protection System devices are maintained within the defined intervals (R2.1) and the date each Protection System device was last maintained (R2.2). The Protection System program, maintenance records and data are archived for three years. Responsibility for this control is assigned to [Job Title]. This control is tested annually. The appropriateness of the control’s attributes is reviewed and updated annually prior to testing.

Page 21

Create an Internal Control Registry that captures all regulatory controls with important information such as: risk, severity index, review dates, manual / automated, frequency, testing dates, control function, control owner, Standard and/or requirement, evidence required, CSA, KRI, SRI, KPIs, etc.

FERC received 45 full Notices of Penalty (NOP) from NERC encompassing 520 possible or confirmed violations (375 of which involved the Critical Infrastructure Protection (CIP) reliability standards), and 12 Spreadsheet NOPs  encompassing 575 possible or confirmed minimal or moderate risk violations;  NERC also filed or posted 796 possible violations in Find, Fix, and Track (FFT) reports (456 of which were CIP‐related). The NOPs and Spreadsheet NOPs collectively proposed $8.6 million in penalties, all of which FERC declined to review.

Source: FERC 2013 Report on Enforcement

Page 22

Process Name: Event Reporting Operating Plan (EROP)

Control No: EOP‐004‐2‐R1‐IC1

Process Owner: Name / Job Title

HR: Job Description Y/N

Objective: Each Responsible Entity shall have an EROP in accordance with EOP‐004‐2 Attachment 1 that includes protocols for reporting to the ERO and other organizations.

Standard(s): EOP‐004‐2

Requirements: R1

Risk: Failure to have a dated EROP with protocols, including organizations to receive the report and event types, in accordance with EOP‐004‐2 Attachment 1.

Control Type: Preventative

Automated/Manual: Manual

Control: [Company Name] has a documented EROP (R1, M1) in accordance with EOP‐004‐2 Attachment 1, which includes protocols for reporting to the ERO and other organizations. This document is reviewed by oversight management and updated annually. EROP protocols, event reports and data are archived for three years. Responsibility for this control is assigned to [Job Title]. This control is tested annually. The appropriateness of the control’s attributes is reviewed and updated annually prior to testing.

Frequency (C, D, W, M, Q, A): A – Annual

Control Owner: Name and Job Title

HR: Job Description Y/N

Evidence to Demonstrate Compliance:

1.) EROP publication comports to Attachment 1 specific attributes.

2.) Job Title, Signature and Date of review.

3.) Evidence of EROP document availability to individuals tasked with the operating process.

4.) Evidence that individuals tasked with the operating process are proficient in the operating plan.

Documents:

1.) EROP Publication Name

2.) Review page

3.) Screen print

4.) Course training materials & attendance record

Monitoring:

a. Review evidence documents 1 & 2.

b. Confirm individuals have access to process documents.

c. Confirm training effectiveness.


1.) Risk Assessment – SME Table Top Discussions; Current State vs. Future State: Policies, Procedures, Controls, Evidence

* Readiness Assessment Gap Analysis Diagnostic Tool – Identify Risks

* Risk Register Reporting Tool

2.) Quantification / Qualification of Risk – Select Methodology

* Risk Register Reporting Tool

3.) Key Risk Indicators (KRI) – Risk Model / Cycles

* Risk Register Reporting Tool

4.) Risk Taking Statement – 7 Areas Addressed

* Risk Register Reporting Tool

5.) Design Management Process Internal Controls

* Internal Control Register Reporting Tool

Page 23

• What Internal Control Can & Cannot Do

• Internal Control Definition & 5 Interrelated Components

• Internal Control Lessons Learned from Historic Examples

• Aspects of BES Internal Control Systems Framework & Elements

• Why & How Internal Controls are the “Life” to Stakeholders

• Diagnostic Steps in Designing & Testing an Internal Control

Page 24

Fred Anderson, CIA, CFE, CCEP

Reliability Standards Advisory Service LLC

[email protected]

(770) 547‐3369

Randi K. Nyholm, CCEP

Minnesota Power

[email protected]

(218) 723‐7466