Compliance and Certification Committee Highlights and Minutes 2013...6/02/2014 8 Compliance and...
Agenda
Compliance and Certification Committee
June 4, 2014 | 1:00 p.m. - 5:00 p.m. ET
June 5, 2014 | 8:00 a.m. - Noon ET
Hilton Palm Beach Gardens
Palm Beach Gardens, FL
Introductions and Chair’s Remarks
NERC Antitrust Compliance Guidelines and Public Announcement
Agenda Items
1. Administrative – Secretary and Terry Bilke
a. Compliance and Certification Committee (CCC) Roster Update* and Hearing Procedures Training
b. Anti-trust Compliance Guidelines
c. Secure document CCC site
i. Registration [LINK]
ii. Secure site (once approved) [LINK]
d. 2015 meeting dates
i. March 3-4, 2015 at NERC Corporate Headquarters in Atlanta, GA
ii. June 10-11, 2015 at NRECA Conference Center in Arlington, VA
2. Committee Business
a. Consent Agenda
i. Meeting Agenda (Approve)
ii. CCC March 2014 Meeting Minutes* – (Approve) Terry Bilke [LINK]
iii. Interim membership – (Approve) Martin Huang
b. Welcome and Introductory comments – Terry Bilke, Roy Thilly
c. NERC Board and MRC Update from May meetings* – Patti Metro
i. Update on Enterprise Wide Risk Committee (EWRC) Activities
d. Reliability Issues Steering Committee (RISC) Update – Terry Bilke
e. Review of CCC action items – Patti Metro
f. CCC 2014 Work Plan – Patti Metro
3. Subcommittee Updates
a. Nominating Subcommittee * – Martin Huang
i. CCC Sector openings
ii. CCC Member Upcoming Term Expirations
b. ERO Monitoring Subcommittee (EROMS) – Ted Hobson
i. Independent Audits* – Mechelle Thomas
• Standards Process Manual (SPM) and Standards Applicable to NERC (SAN)
• Closeout on status of non-conformance findings from audit of NERC Compliance Monitoring Enforcement Program (CMEP) and Organization Registration and Certification Program (ORCP)
ii. NERC Self-certification for CMEP and ORCS
iii. 2014 Stakeholders Perception Survey
iv. New procedures to support EWRC
v. Report for Procedure Reviews/Revisions
c. Compliance Processes and Procedures Subcommittee (CPPS) – Matt Goldberg
i. Status of existing RSAW suggested changes for PRC-004
ii. Quality reviews of compliance elements (outreach to NERC Standards Staff)
iii. CCCPP-010 Revisions
d. Organization and Certification Subcommittee (ORCS) – Jennifer Flandermeyer
i. Risk-Based Registration Advisory Group Update
ii. Status of letter for closure of RISC request on Planning Authority /Planning Coordinator issue
iii. Resolution of MRRE action item
4. CCC Ongoing Projects
a. Team 2 - Voluntary vs. Involuntary Internal Controls Whitepaper * (Approve) – Bob Hoopes
b. Team 4- Data Retention (Identify Reasonable Record Retention and Sampling) – Terry Bilke
5. NERC Staff Reports Including Status of CCC Work Plan Deliverables
a. Reliability Assurance Initiative (RAI) Update
i. Regional Pilots (objectives and observations) - Jerry Hedrick
ii. Enforcement Pilots – Ed Kichline
iii. Communication Plan for Registered Entities with 2015 audits – Jerry Hedrick
iv. RSAW Update on CCC Input – Jerry Hedrick
v. MRRE Status Update and Future CCC Input – Jerry Hedrick/Adina Mineo
b. Enforcement Q&A on violation processing – Ed Kichline
6. Member Round Table – Terry Bilke
7. Review of Action Items and CCC Work Plan Deliverables
8. Future Meeting Dates
a. September 17-18, 2014: Vancouver, BC (Joint Standing Committees location)
b. December 3-4, 2014: Phoenix, AZ (APS host location)
c. March 3 – 4, 2015: Atlanta, GA (NERC)
d. June 10 -11, 2015: Arlington, VA (NRECA host location)
9. Adjourn
*Background materials provided
Resolution
The Compliance and Certification Committee thanks Terry Bilke for his dedication, leadership, and expertise, which have helped this committee fulfill its responsibilities. In his role as Chair of the CCC, his ideas and enthusiasm have driven improvements to its structure while providing value to stakeholders and the Electric Reliability Organization. Whereas Terry will now transition to a new role representing the CCC on the Reliability Issues Steering Committee, it is apparent he will be instrumental in the continued reliability of the North American electric grid.
6/02/2014 8
Compliance and Certification Committee
Chair Terry Bilke
Consulting Advisor
MISO
720 City Center Drive
Carmel, Indiana 46082-4202
(317) 249-5463
(317) 249-5358 Fx
tbilke@
midwestiso.org
Vice Chair Patricia E Metro
Manager, Transmission and
Reliability Standards
National Rural Electric Cooperative
Association
4301 Wilson Blvd.
Mail Code EP11-253
Arlington, Virginia 22203
(703) 907-5817
(703) 907-5518 Fx
patti.metro@
nreca.coop
RE-FRCC Ted Hobson
Chief Compliance & Risk Officer
JEA
21 W. Church St,
Jacksonville, Florida 32202-3139
904-665-7126
904-665-4238 Fx
RE-RFC Robert Hoopes
Senior Director-FERC/NERC
Compliance
PPL Corp.
2 North 9th Street
Allentown, Pennsylvania 18101
610-774-6913
rehoopes@
pplweb.com
RE-SERC Gregory D Pierce
Director, Transmission
Compliance
Entergy Corporation
639 Loyola Ave
L-ENT-24A
New Orleans, Louisiana 70113-3125
(504) 576-4993
gpierc2@
entergy.com
RE-SPP Jennifer Flandermeyer
Senior Manager Compliance
Programs
Kansas City Power & Light Co.
P.O. Box 418679
Kansas City, Missouri 64141-9679
816-701-7851
816-654-1189 Fx
Jennifer.Flandermeyer@kcpl.com
RE-WECC Jana Van Ness
Director, Regulatory Compliance
Arizona Public Service Co.
400 North 5 Street
Phoenix, Arizona 85004
602-250-2783
602-250-2783 Fx
jana.vanness@
aps.com
Cooperative Thomas A. Smith
Senior Manager of System
Operations
Tri-State Generation & Transmission
Association, Inc.
P.O. Box 33695
Denver, Colorado 80233
(303) 254-3547
(303) 254-6030 Fx
tsmith@
tristategt.org
Electricity Marketer Richard Comeaux
Director - Regulatory Compliance
NRG Energy, Inc.
112 Telly Street
New Roads, Louisiana 70760
(225) 663-0043
(225) 618-3334 Fx
keith.comeaux@
nrgenergy.com
Federal/Provincial
Utility/Power
Authority
Ajay Garg
Manager, Policy and Approvals
Hydro One Networks, Inc.
483 Bay Street, TCT ST-04
Toronto, Ontario M5G 2P5
(416) 345-5420
ajay.garg@
HydroOne.com
Federal/Provincial
Utility/Power
Authority
(CCC Nominating
Committee)
Martin Huang
Vice President, Grid Operations
British Columbia Hydro and Power Authority
333 Dunsmuir Street 11th Floor
Vancouver, British Columbia V6B5R3
(604) 455-1800
martin.huang@
bchydro.com
Caroline Dupuis
Manager, System Control Policies & Planning
Hydro-Quebec TransEnergie
(514) 879-4100
dupuis.caroline@hydro.qc.ca
Investor Owned
Utility
Barbara Kedrowski
Project Manager Federal
Regulatory and Policy
We Energies 414-221-3572
barbara.kedrowski@
we-energies.com
ISO/RTO Gregory Campoli
Supervisor, Reliability
Compliance and Assessment
New York Independent System Operator
3890 Carman Road
Schenectady, New York 12303
(518) 356-6159
(518) 356-6119 Fx
gcampoli@
nyiso.com
ISO/RTO Matthew F Goldberg
Director, Reliability & Operations
Compliance
ISO New England, Inc.
One Sullivan Road
Holyoke, Massachusetts 01040-2841
413-535-4029
mgoldberg@
iso-ne.com
Large End-Use
Customer
Small End-Use
Electricity Customer
To Be Named
Small End-Use
Electricity Generator
James Stanton
Principal Advisor
Quanta Technology
1707 Brill Dr.
Friendswood, Texas 77546
(713) 444-9998
(610) 757-1685 Fx
jstanton@quanta-technology.com
U.S. State James E. Spearman
Executive Assistant & Senior
Technical Advisor
Public Service Commission of South Carolina
101 Executive Center Drive
Columbia, South Carolina 29210
(803) 896-5142
(803) 896-5231 Fx
james.spearman@
psc.sc.gov
Canada Federal To Be Named
Canada Provincial To Be Named
State/Municipal Shawn T Abrams
Vice President of Planning and
Power Supply
South Carolina Public Service Authority
Santee Cooper
PO Box 2946101
Moncks Corner, South Carolina 29461
843-761-8000
843-761-7038 Fx
tom.abrams@
santeecooper.com
Small End-Use
Electricity Customer
Kevin Conway
VP Operations
INTELLIBIND
1312 North Monroe Street
Spokane, Washington 99201
Kevinc@
intellibind.com
Federal/Provincial John Louis Hairston
Chief Compliance Officer
Bonneville Power Administration
905 NE 11th Ave.
DG-7
Portland, Oregon 97232
503-230-5262
503-230-3270 Fx
jlhairston@
bpa.gov
Transmission
Dependent Utility
Daniel Herring
Manager, NERC Training
DTE Electric
2000 2nd Ave
Detroit, Michigan 48226-1279
(313) 235-5365
herringd@
dteenergy.com
Jerry M Maio 801-530-6724
Rick Terrill
Director, Regulatory & Market Support
Luminant Mining Company
1601 Bryan Street, Suite 24-045D
Dallas, TX 75201
(214) 875-8750
(214) 875-8747 Fx
RE-TRE Charles B Manning
Vice President Human Resources,
Chief Compliance Officer
Electric Reliability Council of Texas, Inc.
2705 West Lake Drive
Taylor, Texas 76574
5122483036
(512) 248-3992 Fx
cmanning@
ercot.com
Electricity Marketer Jason L Marshall, P.E.
Director, Reliability Compliance
ACES
4140 West 99th Street
Carmel, Indiana 46032
(317) 344-7204
jmarshall@
acespower.com
Merchant Electricity
Generator
Silvia Mitchell
Director, NERC Reliability
Standards & Compliance
NextEra Energy
700 Universe Boulevard
Juno Beach, Florida 33408
(561) 694-4414
silvia.parada.mitchell@fpl.com
IOU
(Nominating)
Helen Nalley
Compliance Director
Southern Company (205) 257-2055
HRNALLEY@
southernco.com
U.S. Federal Darrell G. Piatt
OER/DRS Electrical Engineer
Federal Energy Regulatory Commission
76 Ridgeview Lane
Birmingham, Alabama 35242
(205) 914-1845
darrell.piatt@
ferc.gov
David Roth
General Counsel
Northern Star Generation Services Company (713) 580-6399
(713) 589-8408 Fx
david.roth@
northernstargen.com
Cooperative Sector Shane Sanders
Director of System Operations
Southwest Transmission Cooperative, Inc. 520-586-5239
ssanders@
swtransco.coop
Cooperative W. Clay Smith
Executive Vice President - Chief
Legal and Compliance Officer
Georgia Systems Operations Corporation
2100 East Exchange Place
P.O. Box 2087
Tucker, Georgia 30085/2087
(770) 270-7660
(770) 270-7938 Fx
clay.smith@
gasoc.com
William Temple
Program Manager, Reliability
Compliance
Northeast Utilities (860)-665-3908
State/Municipal Martyn Turner
Transmission Compliance
Manager
Lower Colorado River Authority (512)-730-6281
(512) 356-6045 Fx
U.S. Federal To Be Named
Thomas DeVita
Associate Counsel
North American Electric Reliability
Corporation
1325 G Street NW
Suite 600
Washington, D.C. 20005
(202) 400-3000
(202) 644-8099 Fx
thomas.devita@
nerc.net
NERC Staff
RE-NPCC
Jerry Hedrick
Director of Regional Entity
Assurance and Oversight
North American Electric Reliability
Corporation
3353 Peachtree Road, N.E.
Suite 600, North Tower
Atlanta, Georgia 30326
(404) 446-2560
(404) 446-2595 Fx
jerry.hedrick@
nerc.net
Nina Johnston
Attorney
North American Electric Reliability
Corporation
1325 G Street, N.W.
Suite 600
Washington, D.C. 20005-3801
(202) 400-3000
(202) 644-8099 Fx
nina.johnston@
nerc.net
Edwin Kichline
Senior Counsel and Associate
Director of Enforcement
Processing
North American Electric Reliability
Corporation
1325 G Street, N.W.
Suite 600
Washington, D.C. 20005-3801
(202) 400-3000
(202) 644-8099 Fx
ed.kichline@
nerc.net
Sonia C. Mendonca
Associate General Counsel &
Director of Enforcement
North American Electric Reliability
Corporation
1325 G Street, N.W.
Suite 600
Washington, D.C. 20005-3801
(202) 400-3000
(202) 644-8099 Fx
sonia.mendonca@
nerc.net
Rebecca Michael
Associate General Counsel
North American Electric Reliability
Corporation
1325 G Street, N.W.
Suite 600
Washington, D.C. 20005-3801
(202) 400-3000
(202) 644-8099 Fx
rebecca.michael@
nerc.net
Adina Mineo
Senior Compliance Operations
Auditor
North American Electric Reliability
Corporation
3353 Peachtree Road, N.E.
Suite 600, North Tower
Atlanta, Georgia 30326
(404) 446-2560
(404) 561-0484 Fx
adina.mineo@
nerc.net
Earl W Shockley
Senior Director of Compliance
Analysis & Certification
North American Electric Reliability
Corporation
3353 Peachtree Road, N.E.
Suite 600, North Tower
Atlanta, Georgia 30326
(404) 446-2560
(404) 446-2595 Fx
earl.shockley@
nerc.net
116-390 Village Blvd. Princeton, NJ 08540
609.452.8060 | www.nerc.com
Antitrust Compliance Guidelines
I. General
It is NERC’s policy and practice to obey the antitrust laws and to avoid all conduct that unreasonably restrains competition. This policy requires the avoidance of any conduct that violates, or that might appear to violate, the antitrust laws. Among other things, the antitrust laws forbid any agreement between or among competitors regarding prices, availability of service, product design, terms of sale, division of markets, allocation of customers or any other activity that unreasonably restrains competition.
It is the responsibility of every NERC participant and employee who may in any way affect NERC’s compliance with the antitrust laws to carry out this commitment.
Antitrust laws are complex and subject to court interpretation that can vary over time and from one court to another. The purpose of these guidelines is to alert NERC participants and employees to potential antitrust problems and to set forth policies to be followed with respect to activities that may involve antitrust considerations. In some instances, the NERC policy contained in these guidelines is stricter than the applicable antitrust laws. Any NERC participant or employee who is uncertain about the legal ramifications of a particular course of conduct or who has doubts or concerns about whether NERC’s antitrust compliance policy is implicated in any situation should consult NERC’s General Counsel immediately.
II. Prohibited Activities
Participants in NERC activities (including those of its committees and subgroups) should refrain from the following when acting in their capacity as participants in NERC activities (e.g., at NERC meetings, conference calls and in informal discussions):
• Discussions involving pricing information, especially margin (profit) and internal cost information and participants’ expectations as to their future prices or internal costs.
• Discussions of a participant’s marketing strategies.
• Discussions regarding how customers and geographical areas are to be divided among competitors.
• Discussions concerning the exclusion of competitors from markets.
• Discussions concerning boycotting or group refusals to deal with competitors, vendors or suppliers.
• Any other matters that do not clearly fall within these guidelines should be reviewed with NERC’s General Counsel before being discussed.
III. Activities That Are Permitted
From time to time decisions or actions of NERC (including those of its committees and subgroups) may have a negative impact on particular entities and thus in that sense adversely impact competition. Decisions and actions by NERC (including its committees and subgroups) should only be undertaken for the purpose of promoting and maintaining the reliability and adequacy of the bulk power system. If you do not have a legitimate purpose consistent with this objective for discussing a matter, please refrain from discussing the matter during NERC meetings and in other NERC-related communications.
You should also ensure that NERC procedures, including those set forth in NERC’s Certificate of Incorporation, Bylaws, and Rules of Procedure are followed in conducting NERC business.
In addition, all discussions in NERC meetings and other NERC-related communications should be within the scope of the mandate for or assignment to the particular NERC committee or subgroup, as well as within the scope of the published agenda for the meeting.
No decisions should be made nor any actions taken in NERC activities for the purpose of giving an industry participant or group of participants a competitive advantage over other participants. In particular, decisions with respect to setting, revising, or assessing compliance with NERC reliability standards should not be influenced by anti-competitive motivations.
Subject to the foregoing restrictions, participants in NERC activities may discuss:
• Reliability matters relating to the bulk power system, including operation and planning matters such as establishing or revising reliability standards, special operating procedures, operating transfer capabilities, and plans for new facilities.
• Matters relating to the impact of reliability standards for the bulk power system on electricity markets, and the impact of electricity market operations on the reliability of the bulk power system.
• Proposed filings or other communications with state or federal regulatory authorities or other governmental entities.
• Matters relating to the internal governance, management and operation of NERC, such as nominations for vacant committee positions, budgeting and assessments, and employment matters; and procedural matters such as planning and scheduling meetings.
DRAFT Minutes of Meeting
Compliance and Certification Committee
March 11, 2014 | 1:00 p.m. - 5:00 p.m. EDT
March 12, 2014 | 8:00 a.m. - Noon EDT
NERC Atlanta Office
3353 Peachtree Road, NE
Suite 600, North Tower
Atlanta, GA 30326
(See [LINK] to complete March 2014 Agenda package on the NERC website for all related documents and presentations.)
Introductions and Chair’s Remarks
NERC Antitrust Compliance Guidelines and Public Announcement
Mr. Terry Bilke explained the Antitrust Guidelines and Public meeting announcement. The Committee approved the agenda.
Agenda Items
1. Administrative – Secretary and Terry Bilke
a. Compliance and Certification Committee (CCC) Roster Update (Primary and Plus)
Mr. Bilke circulated the current roster and requested that members make updates to the roster. Also, subcommittee chairs are responsible for updating subcommittee rosters.
b. Comments by Mr. Jerry Hedrick
Mr. Hedrick made welcoming remarks and provided an overview of the NERC Compliance Operations group. Mr. Hedrick is now the Director, Regional Entity Assurance and Oversight. Ms. Adina Mineo will now serve as the NERC contact for the CCC.
2. Committee Business
a. Approve Nominating Subcommittee*
The Committee approved the CCC Nominating Subcommittee (NSC) appointments. The NSC appointments included: Kevin Conway, Ted Hobson, Martin Huang, Jason Marshall, and Helen Nalley. Mr. Bilke also appointed Mr. Huang as the Chair of the NSC.
b. CCC December 2013 Meeting Minutes* –Terry Bilke [LINK]
The Committee approved the CCC December 2013 Meeting Minutes.
c. Status of 2014 CCC Work Plan and Goals - Terry Bilke
Mr. Bilke discussed the meeting with NERC Senior Executives regarding the CCC’s 2014 work plan and goals. The CCC will provide the Board of Trustees (BOT) its final work plan that outlines the CCC’s activities at the May 2014 BOT meeting. Ms. Patti Metro will coordinate with NERC staff to develop an executive summary to provide to the BOT that will highlight how the CCC’s work plan and activities align with the ERO’s Strategic Plan and how to move forward with the work plan.
d. Report of February 2014 Member Representatives Committee (MRC) and Board of Trustees (Board) Meetings* – Patti Metro
Ms. Metro provided information relating to the MRC, Board, Standards Oversight and Technology Committee (SOTC), Corporate Governance and Human Resources Committee (CGHRC) meetings. Refer to Agenda Item background document for detailed notes.
e. Reliability Issues Steering Committee (RISC) Update* – Clay Smith
Mr. Clay Smith provided an update on the RISC roster, included in the agenda package. Additionally, Mr. Smith provided the 2014 RISC meeting schedule, an overview of the Reliability Risk Management Process, ERO Priorities-RISC Updates and Recommendations, and the RISC Member Handbook and Charter. The RISC Charter is pending approval in May 2014. The Committee should review and make comments.
Refer to agenda package for all RISC-related documents.
3. FERC Enforcement Activities Update* – Roger Morie
Mr. Roger Morie gave an overview of FERC’s role in reliability Enforcement and provided discussion on the 2013 Report on Enforcement. Refer to presentation in the agenda package for further details.
4. Subcommittee Updates
a. Nominating Subcommittee – Martin Huang
The Committee approved Interim CCC membership of Mrs. Caroline Dupuis of Hydro-Québec TransÉnergie as a CCC Representative for the Federal/Provincial Utility Sector.
Silvia Mitchell’s membership was approved by the BOT in February 2014.
Openings were shared, as well as a solicitation for officers for a 2-year term beginning on July 1.
b. ERO Monitoring Subcommittee (EROMS) – Ted Hobson
i. Report on recent survey results and future survey timeline
ii. Perception survey wrap-up*
Completed ERO Effectiveness and Stakeholder Perceptions Survey Report, dated November 2013. There are three main themes between the 2013 and 2012 report recommendations. The Committee recommends that NERC continue to move forward with the 2012 recommendations which are tied to the three themes that have prevailed over the past three years the survey has been conducted – (1) Return on Investment (ROI) of compliance program; (2) inconsistencies within and across regions; and (3) transparency of the enforcement and penalty processes. In this context, ROI means reliability benefits versus resources expended on compliance. Refer to the full report within the Agenda package for further details on recommendations.
The Committee approved the 2013 ERO Effectiveness and Stakeholder Perceptions Survey Report and approved the submittal of the final report to the BOT.
The Committee approved EROMS presenting 2013 Comments-Conduct Concern Analysis to NERC staff and to work with NERC on any follow up questions.
The Committee approved a third party, independent audit firm for the 2014 audits (Final vote had one abstention by Mr. Kevin Conway, no opposition).
iii. New procedures
Depending on the results of the independent audit, CCCPP-002: Compliance Monitoring Program for Reliability Standards Applicable to NERC will either need to be revised, or retired if it is determined that there are no standards applicable to NERC.
iv. Report for Procedure Reviews/Revisions
Item not covered due to other discussions.
c. Procedures Subcommittee (PROCS)/Standards Interface Subcommittee (SIS) – Matthew Goldberg
i. Updated Scope Document for Compliance Processes and Procedures Subcommittee (CPPS)*
The Committee re-endorsed the final scope document, as amended, for the CPPS. After discussion, the Committee determined that the final scope document should not reference the Reliability Assurance Initiative, but rather the CPPS will support the development and implementation of enhancements to the CMEP… (See section 2ii of the CPPS scope document).
The Committee will request that the Board approve the CPPS scope document and the establishment of the CPPS, and retire the previous two subcommittees (PROCS and SIS), at the May 2014 BOT meeting.
ii. CCC Policies and Procedures Review
No report.
iii. Standards Committee Request on Interpretations
The Standards Committee reached out to the CCC to determine what happens when FERC rejects or interprets a Reliability Standard or Requirement where a current RSAW exists and what enforcement guidance should be given to Regions and NERC regarding the RSAW. NERC is working to develop a process for further guidance when an existing RSAW needs to be revised. The CPPS will report more in the future.
Mr. Goldberg provided information on discussion surrounding possible elimination of Violation Severity Levels (VSLs) in the standards. This was raised for awareness: if VSLs were removed, a Rules of Procedure change would be needed and the CCC would need to be involved.
iv. Support for EROMS on Independent Audit (ROP sections related to Standards Process)
CCC members will volunteer support.
v. RAI Update
The CPPS continues to discuss and support RAI activities. The CPPS will continue consideration of RAI and work with NERC to identify indicators of success and effectiveness.
vi. Recommendations on RSAWs (Status on prior candidates for correction and any new issues)
Terry Bilke provided an overview of some of the technical issues spotted by the NERC Resources Subcommittee in the BAL RSAWs. The Resources Subcommittee is also willing to offer suggestions on good practices and controls if there is a home for such information.
vii. Quality reviews of compliance elements (outreach to standards staff)
No report.
viii. Feedback from staff on RAI team on RSAW Recommendations
No report.
d. Organization and Certification Subcommittee (ORCS) – Keith Comeaux
i. Risk-Based Registration
Rebecca Michael provided an update on the current status of the risk-based registration and reported a white paper will be released in March. ORCS will continue involvement in the risk-based registration project and will continue to work with NERC staff.
ii. Update and closure of RISC request on Planning Authority /Planning Coordinator issue
Jennifer Flandermeyer will be finishing a draft response to the NERC RISC on this issue in the near future. Mr. Comeaux reported that ORCS review indicated that this issue was primarily limited to WECC.
iii. Status of MRRE
No report.
iv. CCC Policies and Procedures review – ORCS responsibility
No report.
5. CCC Ongoing Projects
a. Team 1 – RAI Benefits and Impacts Matrix– Bob Hoopes
NERC posted the team’s RAI Benefits and Impacts Matrix on January 27, 2013, prior to the February 2014 Board meeting [LINK].
b. Team 2 - RAI Question and Answer Document - Bob Hoopes [LINK]
The team provided NERC updates to the RAI Question and Answer document. The team will continue to work with Mr. Hedrick and NERC staff to determine needs regarding updates to this document, as well as other formalized guidance on RAI.
c. Team 3 - RSAW Input Team– Jim Stanton
Mr. Jim Stanton was not present. Mr. Bilke provided a brief overview of team activities. The team completed RSAW recommendations a while back and will need to determine how the team can support further RSAW activities and what it needs to do.
d. Team 4- Data Retention (Identify Reasonable Record Retention) – Terry Bilke
Mr. Bilke provided an update on possible improvements and recommendations for data retention and sampling. The Committee should review and provide comments to the whitepaper that consolidates recommendations based on the surveys and team research. Comments on white paper are due by March 21. Refer to presentation in the agenda package for further details.
e. Team 5 - Internal Control Guidance (coordination w/RBRCWG) – Martyn Turner
The team needs guidance on whether to continue to request samples of internal controls to provide as RAI guidance. There was discussion on the Committee’s need to determine short and long-term goals for RAI-related guidance documents.
6. NERC Staff Update
a. Reliability Assurance Initiative (RAI) Update
i. Regional Pilots (objectives and observations) - Jerry Hedrick
Mr. Hedrick provided an update on the status of the pilots and continued work toward the convergence of audit processes into a single, consolidated process.
ii. Enforcement Pilots – Ed Kichline
Mr. Kichline provided information on the enforcement pilots. Specifically, Mr. Kichline highlighted completed activities, as well as long-term solutions to address the issues concerning processing time, communication during the enforcement process, and processes for multi-region registered entities (refer to agenda package).
iii. Communication Plan for Registered Entities with 2015 audits – Jerry Hedrick
iv. CCC Support of the RAI Activities indefinite
v. CCC Member Initiated RAI Questions
Introduction of the Department of Energy’s Electricity Subsector Cyber Security Capabilities Maturity Model (ES-C2M2) as a framework that is consistent with the RAI to support the removal of the IAC language from CIP Version 5. (Bill Temple) The ERO enterprise is working along with registered entities to manage the transition to compliance with Version 5 of the CIP Standards. RAI efforts, including consideration of a registered entity’s management practices and self-monitoring, offer a broader alternative to including the Identify, Assess, and Correct language in the Standards. ES-C2M2 is one of many frameworks under examination for their effectiveness in demonstrating mature management practices that could afford registered entities the benefits of aggregation of noncompliance and a presumption of enforcement discretion for minimal risk issues.
Updates on the use of the Proforma Internal Controls Document as several regions are beginning to have discussions and ask for internal controls as part of their audits. (Silvia Parada-Mitchell)
Mr. Hedrick stated he will work with the Regional Entities to determine an appropriate approach to requesting internal controls and work with Mr. Bob Hoopes (lead on one of the RAI work teams) to draft guidance regarding the voluntary nature of an internal controls review.
b. Enforcement Statistics – Ed Kichline, Sonia Mendonca
Refer to agenda package for statistics information.
7. Member Round Table – Terry Bilke
Mr. Rick Terrill expressed concern about how RAI will remove IAC language for CIP v 5 standards and how RAI will address the removal.
Mr. Thomas Stickland stated that he would like to understand what NERC and the Regions are doing towards making investments into better technology related to operations that auditors may not be familiar with. Ex IPP6 vs IPP4.
The Committee approved a motion to thank Mr. Jack Wiseman for his contributions to the CCC. The CCC and ORCS would like to formally thank Jack Wiseman for his support since 2009. We wish him well in his retirement.
8. FRCC Stakeholder Issue (CIP CAR or other Guidance) – Ted Hobson
Refer to the agenda background documents. Mr. Hobson stated this was an older issue and is no longer relevant. The Committee agreed and will remove it from the agenda.
9. Review of Action Items
1. Compliance and Certification Committee (CCC) Roster Update (Primary and Plus) - tasked participants to review for accuracy and completeness (All).
2. 2014 Work Plan - develop executive summary with specific deliverables to better communicate the projects to the BOT (Metro and Mineo).
3. Caroline Dupuis approved as an interim member until NERC BOT approval - get on the BOT agenda for approval (NERC).
4. CCC Policies and Procedures Review - CCCPPs review of responsibilities. Action Item – CCC SharePoint site discussion with CCC executive committee (Metro).
5. Nominating Subcommittee - Openings were shared - solicit nominations for openings (Huang and NERC).
6. Update and closure of RISC request on Planning Authority /Planning Coordinator issue – Action Item – Letter to RISC to close this out (Flandermeyer).
7. ORCS will coordinate the review and comments on the Risk-Based Registration Whitepaper.
8. Development of a white paper, or expansion of current product, to address voluntary versus non-voluntary related to internal controls (Hedrick and Hoopes team).
9. CPPS scope document provided to the BOT in May 2014.
10. Determine whether there is anything NERC wants the CPPS to assist on the RSAW recommendation.
10. NERC/CCC NERC Internal Audit Update – Mechelle Ferguson-Thomas and Clay Smith
a. Closeout on status of non-conformance findings from audit of NERC Compliance Monitoring Enforcement Program (CMEP) and Organization Registration and Certification Program (ORCP)
NERC is still on track. Some recommendations will be included with the risk-based registration process.
b. Planning for independent audit of NERC’s conformance to the Standards Process Manual and the Standards Applicable to NERC
Received volunteers for the audit during 2014.
c. Update on RMICS activities
Committee is now becoming a full board committee. Committee work plans and audit plans have been approved and include EROMS audits and NERC's audit plans.
11. Future Meeting Dates
a. June 4-5, 2014: Juno Beach, FL (FPL host location)
b. September 17-18, 2014: Vancouver, BC (Joint Standing Committees location)
c. December 3-4, 2014: Phoenix, AZ (APS host location)
12. Adjourn
The Committee approved the motion to adjourn.
*Background materials provided
CCC Nominating Subcommittee Summary
May 4th, 2014
2 RELIABILITY | ACCOUNTABILITY
FOR APPROVAL: Interim CCC Membership
• The CCC NSC seeks committee approval of the following interim membership to be effective May 4th 2014 for a 3-year term:
• John Hairston, BPA, representing Federal Utility
• Kevin Conway, Intellibind, representing Small End-Use Electricity Customer
FYI: BOT Approval of CCC Membership
• NERC Board of Trustees approved the following NERC Compliance and Certification Committee officer/membership appointment at its May 7th, 2014 meeting:
• Officer Appointments:
o Ms. Patti Metro as the CCC Chair for the period of July 1st 2014 – Jun 30th 2016
o Ms. Jennifer Flandermeyer as the CCC Vice Chair for the period of July 1st 2014 – Jun 30th 2016
• New Member appointments:
o Ms. Caroline Dupuis of Hydro-Québec TransÉnergie representing the Provincial/Federal Utility sector for a three-year term
o Mr. Rick Terrill of Luminant Mining representing the Large End-Use Electricity Customer sector for a three-year term
• Member reappointments:
o Ms. Jennifer Flandermeyer of Kansas City Power & Light representing RE-SPP for a three-year term
o Mr. William Temple of Northeast Utilities representing RE-NPCC for a three-year term
Current Membership Vacancies
• Voting Positions (1):
o Large End-use Electricity Customer Sector (one position)
• Non-Voting Positions (3):
o Government Sector – US Federal (one position)
o Government Sector – Canadian Federal (one position)
o Government Sector – Canadian Provincial (one position)
Upcoming Term Expirations
• 7 members with term expiring in Feb 2015
Agenda Item 2c
Compliance and Certification Committee Meeting
June 4-5, 2014
Report of May 2014 Member Representatives Committee (MRC) and Board of Trustees (BOT)
Meetings Information
1. For information and discussion only
Background
The following are notes provided by Patti Metro (CCC vice-chair) and Terry Bilke (CCC chair). These notes are not provided to accurately represent all agenda topics.
Finance and Audit Committee (FAC)
Agenda Item 2a - 2013 Audited Financial Statements: Review Audit Findings and Recommendations
There were no unacceptable findings from the financial audit. The following are recommended adjustments based on the audit:
o NERC expensed the events analysis software rather than capitalizing the software. This type of accounting is being discussed to determine the appropriate way to manage such expenses.
o In shifting the NERC 401k plan, discovered the need to change a definition of compensation.
Agenda Item 2cii - Total ERO Enterprise – Actual to Budget Variance Analysis
NERC was 10% under-budget in personnel expenses including lower travel costs and staffing delays associated with filling positions.
In 2015, NERC plans to cut its budget on meeting expenses.
Compliance Committee Meeting (BOTCC)
Agenda Item 2 - Reliability Assurance Initiative (RAI) Progress Report – Presented by Jerry Hedrick, Lane Lanford, Sonia Mendonca
a. RAI Compliance Activities Overview
i. Next Steps
o Finalize documentation of the single detailed program design
o Complete the evaluation to assure:
1. Effectiveness
2. Sustainability
3. Transparency
ii. Develop examples to demonstrate methodology
iii. RAI Oversight Plan Framework
o Inherent Risk Assessment
o Internal Controls Evaluation – still sounds voluntary
o Oversight scoping
iv. Timeline for Implementing Single Compliance Design Framework
o May 2014 – Present the framework overview
o August 2014 – Finalize documentation of the converged pilots
o October 2014 – Incorporate single design into the CMEP annual plan
o December 2014 – Complete regional evaluations and adoption of processes
o January 2015 – Execute on deployment and training
NOTE: Stressed that this was for those entities that would like to participate in this new program.
b. RAI Enforcement Activities Overview – a new process below has been in place in each Region since January with the goal to process minor infractions within 60 days.
c. NERC RAI Program Overview Q&A for Triage, Aggregation, and Discretion Pilots
i. Aggregation pilot
o Selected entities
o Minimal risk issues
o Record corresponds to contents of FFT spreadsheet
o Presumption of discretion
ii. Discretion pilot
o Selected entities
o Minimal risk issues
o Record corresponds to contents of FFT spreadsheet
Agenda Item 3 - Reliability Standard Audit Worksheet (RSAW) Review and Revision Process
Shared the work completed by the MRC work group on which Terry Bilke and Patti Metro were the CCC representatives.
There was pushback from John Seelke and Scott Henry. The concerns were noted by the BOTCC and will be discussed at the MRC meeting.
Proposal is ready for approval by BOT, but the topic is not on the BOT agenda for approval. The BOT will work with NERC staff to determine when the proposal can be approved.
Proposal
a. Substantive revisions posted for at least 15 business days
b. Comments to focus on:
i. Any material change in scope
ii. Technical error
iii. Effective date concern
iv. Additional postings for further revisions
c. Final revisions reviewed by chair of Standards Oversight and Technology Committee (SOTC)
i. RSAW goes into effect; or
ii. RSAW revisions reviewed by full SOTC
Agenda Item 4 Key Compliance and Enforcement Metrics and Trends
NERC staff was asked to include FFT information on material posted after the BOT meeting.
CIP violations continue to be the type of violations that take longer to process through the enforcement system.
A majority of violations are entity self discovered. In the 1st Quarter of 2014 89% were self discovered.
From January 1, 2013 – April 1, 2014
o FFT – 43%
o NOP – 28%
o SNOP – 29%
10 Most Violated Standards – remained the same from 2013 to April 2014
o CIP-007 - Cyber Security — Systems Security Management
o CIP-006 - Cyber Security — Physical Security of Critical Cyber Assets
o CIP-005 - Cyber Security — Electronic Security Perimeter(s)
o PRC-005 – Protection System Maintenance (most violated since 2007)
o CIP-004 - Cyber Security — Personnel & Training
o CIP-003 - Cyber Security — Security Management Controls
o CIP-002 - Cyber Security — Critical Cyber Asset Identification
o VAR-002 - Generator Operation for Maintaining Network Voltage Schedules
o CIP-009 - Cyber Security — Recovery Plans for Critical Cyber Assets
o FAC-009 - Establish and Communicate Facility Ratings (Replaced by FAC-008-3)
Standards Oversight and Technology Committee Meeting (SOTC)
Agenda Item 2 – CIP Version 5
a. Response to FERC Directives
i. All four directives are being addressed by the drafting team
o Modify “identify, assess, and correct” language (IAC) (February 3, 2015)
o Additional criteria for Low Impact classification category
o Define “communication networks” and add protections (February 3, 2015)
o Add protections for vulnerabilities caused by transient devices
ii. Project is on schedule for BOT approval in November 2014 to meet filing deadline of January 2015.
b. Implementation Update
i. What has been done
o Completed two of the six scheduled transition study pilots
o Performed initial compatibility assessments
o Identified initial lessons learned
ii. What is currently being done
o Completing four remaining transition study pilots
o Revising FAQs and developing RSAWs
o Prioritizing and drafting reports on key identified issues
iii. What will be done
o Complete transition study report
o Develop guidance for key compatible program elements
iv. Transition Study Key Dates and Activities
June
• Completion of initial studies
• Begin publishing RSAWs
July
• Deliver papers on Impact Rating of Generation Resource Rating, Sub-Station Transfer Trip, and Programmable Devices
• Refresh FAQs
August
• Publish findings from the transition studies
Key Outputs
• Collaborative efforts to share information to support the transition
• Guidance to support consistency of oversight approach
Agenda Item 3 – Stage 2 GMD Standard
Established GMD event and developed TPL-007 draft standard.
Draft standard and benchmark GMD event were presented to the GMD Task Force and standing committees in March, 2014.
Benchmark and draft standard posted for informal comment.
Stage 2 standard will be presented to the Board of Trustees for approval at its November 2014 meeting.
Agenda Item 4 – Physical Security Standard
The ballot concluded on May 5.
NERC is on track to deliver this standard within 90 days as directed by FERC.
Agenda Item 5 - ERO Enterprise IT Applications
Gerry Cauley gave a presentation on an approach to develop adequate tools to achieve efficiencies and drive best practices.
Process and Internal Control Changes
o Slow-down and regroup on enterprise application development
o Demonstrate success and control pace of projects
o Move away from custom designed applications
o Improve vendor procurement and contracting
o Strengthen development oversight and resources
o Add CIO with significant application development oversight experience
o Improve internal technical resource depth and allocations
o Independent consulting support to oversee development vendors
o Better development milestone planning and reporting
o More periodic code reviews
o Improved management reporting
Key projects include
o BES exception and standards balloting
o CRATS
o Reliability Assessment Database System (RADS)
It was found that a key vendor had significant problems with their architecture. NERC will no longer use this vendor which will result in the loss of about $600k.
Agenda Item 6 - TOP/IRO Response Update
Goal is to file the revised standards no later than January 31, 2015.
Agenda Item 7 - Reliability Standards Quarterly Status Report (including Standards Committee Report)
NERC is working on items in the 2014-2016 Reliability Standards Development Plan (RSDP). Focus is on addressing outstanding directives. It is projected that by the end of 2014 there will only be 30 outstanding directives assuming there are no new directives issued in 2014. At one time, there were over 200 outstanding directives including pre-2012 and those issued in 2013 and 2014.
Agenda Item 8 - Periodic Review of NERC ANSI Accreditation
NERC initially received its accreditation (standards development process) in 2003.
Last accreditation was in May of 2013.
ANSI reviews are triggered every 5 years, if processes manual is revised, or by audits by the ANSI Executive Standards Committee.
Member Representatives Committee Meeting (MRC)
Agenda topics provided expanded discussion opportunities from the items discussed at the BOT committee meetings.
Agenda Item 3 – Recommended Slate of Stakeholder-based Members to the Reliability Issues Steering Committee (RISC) Election
The slate was endorsed for BOT action with Terry Bilke endorsed as the CCC representative on the RISC.
Agenda Item 4 - Request for MRC Members to Serve on the Board of Trustees Nominating Committee
Solicited volunteers or nominations from the MRC membership to serve on the Nominating Committee
The BOTNC will recommend nominees for election/re-election to the NERC Board of Trustees (Board) at the Member Representatives Committee meeting in February 2015.
Janice Case will chair the BOTNC. The Board will review the slate for the MRC volunteers and approve in late May.
Bruce Scherr is retiring from the NERC Board.
Agenda Item 5 - Responses to the Board’s Request for Policy Input
5a - Reliability Standard Audit Worksheet (RSAW) Review and Revision Process – Agreed that the presented material is a workable solution and that improvements will be ongoing. Very clear that the CCC is a resource to provide technical support to the BOTSC and in the development of RSAWs.
5b - Risk-Based Registration Initiative – Mark Lauby gave an update on this. The whitepaper will outline the following:
o Clarification of terms and improved procedures
o New BES definition as model and anchor for RBR
o Entity risk assessment in a common registration form
o Eliminate functional registrations if not material (PSE & IA)
o Threshold synchronization with the new BES definition
o Standard requirement applicability (DP/LSE, GO/GOP & TO/TOP)
o Status quo for other functional registration categories
5c - Potential Alternative Funding Mechanism to Support Expanded Cyber Security Information Sharing and Capabilities
o To determine if there is a need to physically separate the ESISAC with the staff being in a separate space. This option would cost $250K to $300K annually.
o Cybersecurity Risk Information Sharing Program (CRISP) – tool box to share information.
• It is a public/private partnership.
• It shares near real time information on cyber threat and develops tools to enhance awareness to prioritize protection of its critical infrastructure
• Entities that have a “front end box” collect data and send it encrypted to a national lab for analysis.
• There are two companies with this hardware and software in place.
• The goal is to have 22-23 entities from different sectors by the end of the year.
• Expected cost is 100-125k per year per user.
• NERC looking to deploy “basic” CRISP service, which would be $200-300k/year. If enough users deploy CRISP, NERC would like to get extended services (an additional $600-$850k per year)
Agenda Item 6 - Additional Policy Discussion from Board Committee Meetings
Finance and Audit Committee – no additional discussion
Compliance Committee - no additional discussion
Standards Oversight and Technology Committee
o Critical Infrastructure Protection (CIP) Version 5 Response to FERC Directives and Implementation Update – Stressed the need to get guidance out soon.
o Stage 2 Geomagnetic Disturbance (GMD) Standard - The standard is not intended to be prescriptive on the solution to mitigate problems. Operating procedures can be part of the solution.
o Physical Security Standard - Gerry Cauley noted that a lot of hard work went into this and hopes that the FERC doesn’t expect that all standards should follow this expedited path.
Agenda Item 7 - 2015 Business Plan and Budget
Mike Walker provided update.
Gerry Cauley noted a new strategic metric that is a composite of category 1-3 events.
Many initiatives forecasted or in progress that will impact the budget. See presentation beginning 23 at http://www.nerc.com/gov/bot/MRC/Agenda%20Highlights%20nad%20Minutes%202013/mrc_presentation_May_2014.pdf
NERC projects <1% operating expense increase an <2% increase.
No net increase in FTE, but reallocation, but will decrease budget adjustment by 6% due to attrition, hiring delays.
Incentives 18.4% of total salary expense.
NERC’s consulting budget goes down except in CIP, where it more than doubles.
NERC setting aside $3.6M for IT capital.
Agenda Item 8 - 2014 Long-Term Reliability Assessment: Development Plan and MRC Input
Presented by John Moura.
NERC will be conducting a survey of the MRC with the expectation to receive more input from the MRC on the following emerging issues:
o Accommodating system needs and adapting to change
o Continued integration of variable generation
o Generation retirements and coordination of outages
o Increased dependence on natural gas
o Increased use of demand-side management
o Nuclear generation retirements and/or long-term outages
Agenda Item 9 - Essential Reliability Services Whitepaper
Presented by Tom Burgess.
This is a thirty person task force led by Ken McIntyre from ERCOT.
The task force will develop a whitepaper of what it determines are “essential services”.
Initial discussions propose the following core services:
o Operating Reserve
o Frequency Response
o Ramping Capability
o Active Power Control
o Reactive Power and Voltage Control
o Disturbance Ride-Through Tolerance
Agenda Item 10 - Five-Year Performance Assessment
NERC posted its 5 year assessment and only received a few sets of comments.
Time-line
o May 4: Preview Regional Entity assessments with ERO Boards
o End of May: Finalize Regional Entity assessments
o June: Post revised draft of five-year assessment
o July 21: File five-year assessment with FERC
Board of Trustees Meeting (BOT)
Agenda Item 2 - Committee Membership and Charter Changes
Approved the Compliance and Certification Committee membership and leadership changes.
o New Member Appointments:
• Mr. Rick Terrill of Luminant Mining.
• Ms. Caroline Dupuis of Hydro-Québec TransÉnergie.
o Member Reappointments:
• Mr. William Temple of Northeast Utilities.
• Ms. Jennifer Flandermeyer of Kansas City Power & Light.
o Officer Appointments:
• Ms. Patti Metro as the CCC chair for the period of July 1, 2014 – Jun 30, 2016.
• Ms. Jennifer Flandermeyer as the CCC vice chair for the period of July 1, 2014 – Jun 30, 2016.
Approved the formation of the CCC Compliance Processes and Procedures Subcommittee and the retirement of the SIS and PROCS.
Approved the Critical Infrastructure Protection Committee membership.
Approved the Personnel Certification Governance Committee membership.
Agenda Item 3 Remarks by Board Chair – Fred Gorbet
He shared his thoughts from pre-meetings with NERC senior management and Regional Entities senior management.
Appreciated the policy input and how beneficial that input is to the Board in making decisions.
Thought the discussion on RSAWs was helpful and the Board will use the information to influence the decision on steps to improve the RSAW process.
Agenda Item 4 Remarks by FERC Commissioner John Norris
Thanked the industry for the good work as the ERO has evolved and matured. An example is the shift from CIP3 to CIP5.
He is concerned that people are confusing critical loads with critical assets that support the Bulk Electric System. He encouraged the industry to ask the right questions when looking at critical assets and to do what the industry thinks is best. Don’t just respond to the politics of the day.
Agenda Item 6 - Remarks by Mr. Denis O’Brien, CEO, Exelon Utilities
Welcomed the group to Philadelphia. He spoke about the history of Philadelphia and his history with Exelon.
Job is to keep the lights on and the gas flowing. #1 priority is safety when doing that job.
Agenda Item 7 - President’s Report by Gerry Cauley
He has seen the maturation in standards development including the orders that are issued from the Commission. The process is working as it should always have been working. Basically, that the industry, the ERO and the Commission are communicating and working together to develop standards that improve reliability.
Agenda Item 8 - Standards
Demand Data (MOD C) – MOD 031-1 – Adopted
Voltage and Reactive Control – VAR-002-3 – Adopted
Operating Personnel Communications Protocols – COM-002-4 – Adopted
Violation Risk Factor/Violation Severity Level Revisions – Adopted
o TPL-001-4
o CIP Version 5 (CIP-003-5, CIP-004-5.1, CIP-006-5, CIP-008-5, CIP-009-5)
o MOD-026-1 and MOD-027-1
o PRC-005-2 and PRC-005-3
o BAL-003-1
Physical Security Standard - Large ballot pool with 500 participants
Agenda Item 9 - Amendments to SERC Bylaws – Approved
Agenda Item 10 - State of Reliability Report
Presented by Tom Burgess.
The purpose of the report is to provide an independent view of performance. The results indicate that there has been sustained highly reliable performance.
The report identifies trends and risks to reliability and provides recommendations for improving reliability.
The report can serve as risk-informed input to:
o Reliability Issues Steering Committee (RISC) project prioritization
o Standards projects
o Reliability assurance initiatives
o Event analysis reliability assessment, and critical infrastructure protection
During the report period there were no high stress days in 2013.
The Transmission system was highly reliable with no identified cascading events.
Frequency Response has remained stable.
There has been a decline in the severity of transmission outages due to relay mis-operations. Roughly 1 in 10 relay operations are mis-operations.
The number of Energy Emergency Alerts has declined
Agenda Item 11 - Summer Assessment
Presented by John Moura.
All Regions meet summer capacity margins.
The Board will approve the Summer Assessment on its May 13 conference call.
Agenda item 12 - ERO Strategic Plan Metrics – Approved
Gerry Cauley noted NERC is collaborating with the Regions on a 3 year strategic plan. Some of the metrics are being adjusted and the plan will be updated fairly often.
Agenda Item 13 - Canadian Affairs – Jim Burpee
Exports to the US have increased since 2012 with a vast majority from Manitoba, Ontario, and Quebec. None of the exports are from coal generation sources.
Minnesota Power is building an additional transmission tie with Manitoba which can be used to balance against the large wind farms in the MRO regions
Expect that by 2050, all nuclear and fossil fuels will be retired and replaced with hydro, renewables and gas generation.
Canada is concerned with the FERC language regarding the physical security standard order. Feel these critical stations designations will draw attention to critical facilities.
Agenda Item 14 - Committee Reports
Operating Committee
Planning Committee
Critical Infrastructure Protection Committee
Member Representatives Committee
Personnel Certification Governance Committee
Standards Committee
Reliability Issues Steering Committee
o Charter Amendments – Approved
o Committee Membership Appointments – Approved
Compliance and Certification Committee
o 2014-2016 Work Plan – Approved – Gerry suggested because of the unique structure of the CCC, that the CCC augment the RAI efforts to provide stakeholder input prior to the implementation of the new CMEP structure.
o 2013 Stakeholder Perception Survey Results and Report Recommendations – Accepted
Electricity Sub-Sector Coordinating Council
Agenda Item 15 - Forum and Group Reports
North American Energy Standards Board
Regional Entity Management Group
North American Transmission Forum
o 345kV breaker issue: 945 of the approximately 1000 have been identified and data collected and mitigation steps are under way.
o Next focus will be on protection system misoperations. Work on best-practices is underway.
o Working with EPRI on resiliency and developing a set of best practices.
o Conducted an assistance visit along with INPO with one of its members on off-site power to nuclear stations.
North American Generator Forum
Agenda Item 16 - Board Committee Reports
Corporate Governance and Human Resources
o Compliance Committee Mandate Amendments – Approved
Compliance – Met in both open and closed session. BOTCC recommends that the RSAW process presented at the MRC be implemented. Not looking for formal Board approval, but the Board is suggesting tweaking of language to incorporate the comments received during the various meetings. The minutes will reflect next steps and once the procedure is finalized the SOTCC mandate will be modified to reflect the additional role related to RSAWs.
Finance and Audit – Major responsibility is the oversight of the NERC/RE business plan and budget.
o 2013 Audit Financial Statements – Accepted
o First Quarter Statement of Activities – Accepted
Enterprise-wide Risk – first meeting of the new committee which meets in closed session. Mentioned that the Chair of the CCC and REMG are members of the committee. Reviewed the CCC work plan which was approved by the Board.
Standards Oversight and Technology – Gerry mentioned the transition of the IDC to the Eastern Interconnection RCs. He is committed to provide a report at the August Board meeting.
Closing Remarks by the Board Chair - Appreciated the comments by Commissioner Norris on the maturing of the organization.
Agenda Item 2d NERC Compliance and Certification Committee
June, 2014
NERC RISC Update for the CCC
The following are personal notes taken during the May 7, 2014 Reliability Issues Steering Committee (RISC) meeting. There may be inaccuracies.
Background
Introductory Remarks - Tom Burgess
• Tom Burgess would like to see the RISC taking actionable items to benefit reliability.
• There should be solid metrics around the risk control.
• NERC’s business plan and budget is designed around risk.
• NERC looking to create a risk management dashboard of risk management (Are we accomplishing the desired reliability objectives?).
Board Meeting Review
• Commissioner Norris’ comments at the BOT meeting were helpful in that the focus for NERC should be on those things that matter to BES reliability.
• The state of reliability and summer assessment reports were good work products that note the involvement of RISC.
• The “Essential Reliability Services” effort is forward looking and something that will support reliability.
• The Cyber Risk Information Sharing Program (CRISP) can play a big role in Cyber Security.
• Can there be metrics established for cyber security to track posture and trends? The challenge with this is entities don’t report the little things.
Reliability Leadership Summit
• The draft agenda for September 11, 2014 is attached below.
• If people have thoughts on speakers, send a note to Tom Burgess and Bob Schaffeld.
Summary_Agenda_RLS_2014-09-11__5-5
Future RISC Meetings
a. June 17, 2014 8:00-5:00 CDT - In-Person Meeting, Atlanta, GA
b. July 10, 2014 9:00-12:00 EDT - Conference Call
c. August 14, 2014 12:30-2:30 PDT - Post-BOT Meeting, Vancouver, BC
d. September 11, 2014 9:30-4:30 EDT - Reliability Leadership Summit, Washington, DC
e. September 12, 2014 8:00-2:30 EDT - In-Person Meeting, Washington, DC
f. October 07, 2014 9:00-12:00 EDT - Conference Call
g. November 13, 2014 12:30-2:30 EST - Post-BOT Meeting, Atlanta, GA
h. December 02, 2014 8:00-5:00 MST - In-Person Meeting, Phoenix, AZ
Compliance and Certification Committee Meeting
Agenda Item 3bi – SPM and SAN Audit Update
Mechelle Thomas
Director, Internal Audit and Corporate Risk Management
NERC SPM and SAN Audit
Audit Objective:
• Ensure NERC’s compliance with Standards Applicable to NERC and the Standards Processes Manual.
Audit Scope:
• NERC Standard Process Manual;
• Reliability Standards Applicable to NERC (to be determined).
Audit Team:
• PwC - Independent Auditor (will serve as audit team lead);
• CCC Observers;
• NERC Internal Audit.
NERC SPM and SAN Audit Timeframe
[Timeline figure, March through September 2014. Phases: Audit Planning Activities; Audit Testing & Reporting.]
• June 26th: Audit Kick-off Meeting with NERC Staff
• July 7th: Audit Commencement
• Aug 15th: Issue Initial Draft Report
• Sep 19th: Finalize Audit Report & Implementation Plan
NERC SPM and SAN Audit
Next Steps:
• CCC Observers to provide Conflict of Interest Forms and Bios (due in June)
• NERC Staff to gather requested data
• Continued planning activities (e.g., mapping risk matrix to shall statements)
Compliance and Certification Committee Meeting
Agenda Item 3bi – CMEP and ORCP Remediation Status
Mechelle Thomas
Director, Internal Audit and Corporate Risk Management
NERC CMEP & ORCP Audit
Non-Compliance Findings
# 1
NERC ROP: 501.3.3: NERC shall develop and maintain a program to monitor and oversee the NERC Organization Registration and Organization Certification Programs activities that are delegated to each Regional Entity through a delegation agreement or other applicable agreement.
Auditor Observation: While documentation provided evidenced NERC’s oversight for Regional Entities’ (RE) responsibilities for ROP Statement 501 Sections 1.4.1, 1.4.2, and 1.4.4 for certified entity functions, support did not evidence NERC’s oversight of the RE’s ORCP activities included in ROP Statement 501 Section 1.4.3 for non-certified functions TP and PA.
ROP 501 1.4.3 Ensure that all transmission Facilities of the bulk power system are the responsibility and under the control of one and only one Transmission Planner, Planning Authority, and Transmission Operator.
NERC provided evidence that it initiated a project to map the functions in the fourth quarter of 2012.
Auditor Recommendation: NERC should implement a periodic monitoring procedure to confirm that all Transmission Facilities are mapped to one and only one TP, PA and TOP.
Management Action Plan & Implementation Deadline: Compliance operations will complete a Common Registration Form (CRF) for implementation to provide for the correct and complete registration of owner, users and operators of the Bulk Electric System. In addition, it will provide for the complete mapping of all the inter-relationships between registered entities on the NCR.
Implementation Deadline: The completion of the CRF will be by December 31, 2014. Milestones will be tracked on a three month basis through completion.
Status: Open
# 2
NERC ROP: 501.3.3.1: This program shall monitor whether the Regional Entity carries out those delegated activities in accordance with NERC requirements, and whether there is consistency, fairness of administration, and comparability.
Auditor Observation: In accordance with the December 23, 2010 NERC filing with FERC, NERC planned to develop spot checks of registered entity functions to assess whether REs are consistently applying compliance evaluations of Reliability Standards for each registered entity function by December 31, 2011; however, no evidence was provided to demonstrate the results of this program.
Auditor Recommendation: NERC should implement a program to monitor the RE implementation of the ORCP requirements and include an evaluation of the consistency, fairness in administration, and comparability of registered entity functions across RE’s.
Management Action Plan & Implementation Deadline: Compliance operations will complete the review of all eight REs by December 31, 2014. The purpose of this review is to procedurally identify how NERC performs its registration and certification oversight activities through onsite engagements with the REs. These engagements will confirm the consistency, fairness in administration, and comparability of registered entity functions across REs regarding the ORCP.
Implementation Deadline: December 31, 2014. Milestones will be tracked on a three month basis through completion.
Status: Open
Process Improvement Opportunities
# NERCROP Auditor Observation Auditor Recommendation
Management Action Plan & Implementation
DeadlineStatus
3 Section 400 and 500: CMEP and ORCP
NERC processes and procedures related to the CMEP and ORCP are not consistently maintained, organized and updated.
NERC should require annual updates to its CMEP and ORCP process manuals which support the ROP. NERC should enhance the organization, maintenance, and storage of its CMEP and ORCP process manuals by utilizing a consistent document retention tool across the organization.
Review and update any Audit, Registration and Certification, and Compliance process manuals.Implementation Deadline: December 31, 2014 and annually thereafter by December 31.
Open
4 Section 402.1
While NERC has a variety of procedural documents supporting its monitoring program of the RE’s CMEP, it has not developed a concise document that summarizes all activities of its monitoring program.
NERC should develop an overall monitoring procedural document to summarize the activities it uses to conduct monitoring of the RE’s CMEP and how those activities are designed to address ROP requirements.
NERC Compliance Operations will develop /review and update present process procedures.Implementation Deadline: December 31, 2014 and annually thereafter by December 31.
Open
5 Section 402.1
While NERC has a variety of procedural documents supporting its monitoring program of the RE’s CMEP, it has not developed a concise document that summarizes all activities of its monitoring program.
NERC should develop an overall monitoring procedural document to summarize the activities it uses to conduct monitoring of the RE’s CMEP and how those activities are designed to address ROP requirements.
NERC Enforcement will develop/review and update present process procedures. Implementation Deadline: December 31, 2014 and annually thereafter by December 31.
Open
NERC CMEP & ORCP Audit (cont’d)
Process Improvement Opportunities
# | NERC ROP | Auditor Observation | Auditor Recommendation | Management Action Plan & Implementation Deadline | Status
6 Section 402.1.2
The independent auditors observed that activities conducted by NERC to evaluate the goals, tools and procedures of the REs occur regularly throughout the year; however, no evidence was observed supporting NERC’s overall annual evaluation of the RE’s CMEP goals, tools, and procedures.
Within the CCCPP-10 filing, the CCC developed a list of criteria for use by NERC in evaluating the compliance programs of each RE. NERC should ensure these criteria are addressed as part of the RE CMEP annual report process. To enhance evidence of NERC’s annual evaluation of RE CMEP goals, tools, and procedures, NERC should develop a response to the RE annual report that addresses the RE responses and summarizes NERC’s own observations of the RE throughout the year.
NERC Compliance Operations will develop/review and update present process procedures. Implementation Deadline: December 31, 2014 and annually thereafter by December 31.
Open
7 Section 402.2
To enhance the implementation of the FFT and SNOP processes in late 2011 and 2012, NERC provided support to select REs to streamline the development of documentation associated with the FFT and SNOP enforcement requirements; however, NERC’s role in executing the RE requirement was not clearly documented in RE delegation agreement.
In cases where NERC provides assistance to REs, NERC should document such support as a part of its oversight responsibilities.
Document NERC’s support to REs if and when NERC provides extraordinary assistance to REs. Implementation Deadline: As necessary.
NERC CMEP & ORCP Audit (cont’d)
Process Improvement Opportunities
# | NERC ROP | Auditor Observation | Auditor Recommendation | Management Action Plan & Implementation Deadline | Status
8 Section 402.3
NERC’s Agreed Upon Procedures (AUP) audits and AUP Spot Checks of the Regional Entities included a review of the RE’s data management procedures; however, based upon the significance of data in supporting other CMEP procedures, NERC should complete monitoring of RE data management more timely than the current five year audit schedule of RE compliance with the overall CMEP.
Leading practices in data management indicate a more frequent monitoring program is required to address emerging technology risks. As a result, in addition to the ROP five year monitoring requirement, NERC should develop a more frequent monitoring program to evaluate the Regional Entities’ data management procedures over data reporting requirements, data integrity, data retention, data security, and data confidentiality.
NERC Compliance Operations will develop a plan on how to assess the data management/reporting requirements as it relates to emerging technology risks in oversight activities. Implementation Deadline: December 31, 2014.
Open
9 Section 402.9
NERC has a manual process for communicating auditing skill training opportunities and monitoring who is required to complete training for NERC and RE compliance audits.
In addition to notifying auditors of training opportunities via email, NERC should create a catalog of available auditing skill trainings and publish the list to the appropriate individuals. NERC should utilize available training technology to enhance monitoring the satisfactory completion of training requirements by compliance auditors.
NERC Compliance Operations will work with NERC training department and the REs to develop an integrated schedule of available training activities. Implementation Deadline: December 31, 2014 and will be updated as needed (ongoing process).
Open
NERC CMEP & ORCP Audit (cont’d)
Process Improvement Opportunities
# | NERC ROP | Auditor Observation | Auditor Recommendation | Management Action Plan & Implementation Deadline | Status
10 Section 403.11.1
Although performed once every three years, due to on-going enforcement activities and/or confidentiality requirements, the BA, RC and TOP audit reports evidencing the three year audit performance requirement may not be publicly posted to NERC’s website.
To enhance transparency associated with this requirement, NERC should confirm that each RE has appropriately satisfied the function audit requirement as a part of NERC’s response to the RE annual report.
NERC Compliance Operations is updating the present process procedures for the management of audit reports. Implementation Deadline: December 31, 2014 and will be a standard operating type of procedure (ongoing process).
Open
11 Appendix 4C.5
Although all REs agreed to use the FFT enforcement treatment during its issuance in September 2011, consistent implementation of the new enforcement treatment was not applied across the registered entities until FERC responded to the filing in March 2012.
For all new ROP requirements, NERC should develop a procedure to ensure Regional Entities are implementing these updates consistently across their registered entities. If the REs cannot implement these processes consistently, NERC should confirm that this difference is clearly documented.
As part of its oversight obligations, NERC will review Regional Entity processes that implement currently effective Rules of Procedure. NERC will document any differences in implementation, as discovered, for tracking and training purposes. Implementation Deadline: December 31, 2014.
Open
NERC CMEP & ORCP Audit (cont’d)
Process Improvement Opportunities
# | NERC ROP | Auditor Observation | Auditor Recommendation | Management Action Plan & Implementation Deadline | Status
12 Section 502.2.2.7
NERC has a manual process for communicating auditing skill training opportunities and monitoring who is required to complete training for Certification evaluations.
In addition to notifying auditors of training opportunities via email, NERC should create a catalog of available auditing skill trainings and publish the list to the appropriate individuals. NERC should utilize available training technology to enhance monitoring the satisfactory completion of training requirements by compliance auditors.
Compliance operations will work with the NERC training department and the REs to develop an integrated schedule of available training activities. Compliance operations will also develop a notification process to inform auditors of this training. Implementation Deadline: December 31, 2014 and will be updated as needed (ongoing process).
Open
13 Appendix 5B
While NERC and the Regional Entities do identify users, owners and operators of the Bulk Power System that are not appropriately registered in the NERC Compliance Registry, there is only an informal process.
While Appendix 5B outlines the criteria NERC and the REs utilize to identify whether a user, owner, or operator of the BPS should be registered in the NCR, NERC should develop a formal process document that describes its best effort procedures to identify all owners, users, and operators that should be registered.
Compliance operations will complete a formal process document that outlines the Common Registration Form (CRF) for implementation to provide for the correct and complete registration of owner, users and operators of the BES. In addition, this process document will outline how it will provide for the complete mapping of all the inter-relationships between registered entities on the NCR. Implementation Deadline: The completion of the CRF will be by December 31, 2014.
Open
Compliance and Certification Committee Meeting
Agenda Item 3bi – Enterprise-wide Risk Committee (EWRC)
Mechelle Thomas
Director, Internal Audit and Corporate Risk Management
Enterprise-wide Risk Committee (EWRC)
• 2014 EWRC Chairman: David Goulding
• EWRC Members include:
NERC Board of Trustees; the chair of the Compliance and Certification Committee; the chair of the Regional Entity Management Group.
• EWRC Roles and Responsibilities remain the same as the Risk Management and Internal Control Sub-Committee
CCC CPPS Report
Matt Goldberg & Jim Stanton
June CCC Meeting
West Palm Beach Gardens
RSAWs (Work Plan Deliverable 12)
• BOT approved RSAW Review & Revision Process
• Opportunity for comment when RSAWs are posted
• CPPS will take as a Standing Item review of RSAW-related questions. Actions from today’s meeting:
– NERC should revise RSAWs that still include, or do not indicate, retirement of Paragraph 81 Requirements
– Issue identified with document retention provisions of Draft PRC-026 RSAW
– NERC should coordinate with Regions on how certain data is being requested via audits versus 1600 data requests, specifically for PRC-004
• Supports NERC BOT Assignment (Work Plan, p16)
PRC-004 Audit Item
At least one region has been requesting protection system operations data as a part of compliance audit data requests for PRC-004. “Operations” are not part of the requirements noted in PRC-004. The data requests appear to stem from the NERC ERO-RAPA group. Recommend the data request not be associated with an audit and/or clearly noted as not being a compliance element of the audit.
CMEP Effectiveness (Work Plan Deliverable 13)
• CPPS will draft CCCPP-010 revisions to include effectiveness assessment criteria
– Focus on results-based criteria that support NERC objectives/goals for risk-based CMEPs
– Reduce number of existing Criteria
– NERC will coordinate with CPPS to provide an overview of the Compliance & Enforcement trends matrix presented to the BOTCC quarterly and Aggregation of Minimal Issues Pilot conclusions. (Work Plan Deliverable 14)
• Possible completion by September
RAI Oversight Plan Framework
[Figure: RAI Oversight Plan Framework. Diagram labels: Scope; Applicable Standards; Risk Elements; Controls Not Evaluated; CMEP Tools; IRA (Inherent Risk Assessment); ICE (Internal Controls Evaluation); Compliance Oversight Plan; Oversight Scoping; Input (RE Functions; Characteristics - ERO / Regional; Events; RISC); Notifications (Focused: 90 Days; Narrowly Focused: 30 Days); Scheduling of Tasks.]
Other Work Plan Deliverables
• Internal Controls Q&A Document and Internal Controls Guide – in holding pattern pending release of NERC documents
• RAI Data Retention and Sampling – Waiting for comment period
Other CPPS Work Plan Activities
• Review criteria for audit/review of NERC adherence to Standards Processes Manual.
• Review existing CCC Procedures to support 2014 NERC Internal Audits and CCC oversight (i.e., CCCPP-005, CCCPP-006, CCCPP-008, CCCPP-009 and CCCPP-010), and identify any necessary work for 2014 to carry out these CCC Procedures.
• Review relationship between NERC’s RAI and ROP.
• Revise CCC Procedures to conform to the new monitoring model that includes NERC internal auditor and EWRC involvement. Receive reports from NERC on status and execution of RAI and to NERC from ad hoc Working Groups.
• Provide input on development of work plan related to RAI elements not part of Calendar Year 2013 RAI work effort.
• Assess how CMEP practices change after RAI is adopted in regards to: (a) monitoring practices (as embodied in CCCPP-010 and also including assisting EROMS in the annual Regional Entity Audit Criteria work); (b) enforcement; and (c) Standards development.
ORCS Update
Jennifer Flandermeyer, ORCS Chair
NERC CCC Meeting
June 4, 2014
Discussion Items
• Risk Based Registration (RBR)
• Status of RISC request for Planning Coordinator
• 2014 Work Plan discussion
• ORCS Leadership discussion and selection
RBR Timeline for 2014
• June 2 Posting: Draft design framework, proposed revisions to Appendix 2b/Appendix 5b of Rules of Procedure. Comments due June 23, 2014
• July: draft for MRC
• August: Final Package will be posted for 45-day comment period
• November: Presented to the NERC Board
• File with FERC by end of calendar year
• Implement in 2015
Update on ORCS Work Plan
• Risk Based Registration (previous slides)
• MRRE
– Process in formation by ECEMG
– ORCS will offer preliminary comments in June
– Process to facilitate consistency projected implementation by end of 2014
• Monitoring of impacts of NERC initiatives to guidance documents
– RoP changes proposed
– Coordination with Standards and Enforcement
Appendix
• Details of Risk Based Registration
Risk Based Registration (RBR)
• Comments and issues discussed
– Reciprocal relationships among de-registered entities and RC/BA/TOP
– Entities that de-register but have an “orphaned” BES Element
– Relationship of materiality and BES exception process
– Materiality factors of registration
– BES “User” category
– Functional Model relationship and Registration Criteria
– Speed of implementation of the RBR process
– Common registration form for consistent RBR implementation
– Use of a one-time attestation for compliance
o Obligation on registered entity to update for any changes
o Used in compliance monitoring and enforcement areas
• Everyone is encouraged to submit comments by June 23, 2014
RBR Proposed Changes
• 15 functions currently listed
• 3 proposed functions for removal: PSE, IA, LSE
• NERC is conducting technical reviews for Registry Criteria
• Proposed changes for roles of other entities:
– Thresholds for GO/GOP and TO/TOP
o Align threshold criteria with BES criteria
o Change Generating “Units” to “Facilities” to tie in BES Definition
– Threshold change for DP
o Section 3a: increase from 25 MW to 75 MW
o Section 3b: DPs under 75 MW that have UFLS programs will be subject to PRC-006 and other applicable Regional Standards
• 12 remaining functions (RC, BA, TOP, etc.) will not change
Registration Materiality Test
• Rebuttable presumption that an entity is material to BES
• Five factors to consider for registration materiality
• Burden of proof:
– If an Entity is proposing to be removed from the registry, the entity has the burden to show that they are not material to BES
– If a Region/NERC is proposing to add an entity to the registry, Region/NERC has the burden to show that they are material
• Materiality determinations will be made by a centralized panel
• Materiality test for registration is separate from the BES exception process, but they are closely linked
RBRCWG May 7, 2014
Voluntary Nature of RAI Internal Controls Assessments
Developed by the NERC Compliance and Certification Committee’s Risk-based Reliability Compliance Working Group (RBRCWG)
Background
The assessment of Registered Entity internal controls associated with NERC’s Reliability Assurance Initiative (RAI) has been the subject of some confusion across the industry. There are currently two (2) documents posted to the NERC website that address this concept: RAI Q&A document and the RAI Benefits and Impacts document. These documents indicate that the assessment of Registered Entity internal controls by NERC and/or the Regional Entities is voluntary on the part of the Registered Entity. Related excerpts from these two documents are included in Appendix 1. The complete documents are posted on the NERC website.[1]

[1] See NERC website at: Program Areas and Departments / Compliance & Enforcement / Reliability Assurance Initiative / NERC and Industry Collaborative Documents / NERC RAI Q&A document at Question A.8 and the RAI Benefits and Impact document at Section E.2.

Recently, some Registered Entities have been receiving requests from the Regional Entities for internal controls documentation in 90-day audit notification letters. Additionally, some Registered Entities have reported being provided with feedback from Regional Entities that the assessment of a Registered Entity’s internal controls must be performed as part of their compliance monitoring. This feedback is consistent with the NERC presentation to the CIP V5 Standards Drafting Team on March 18, 2014, “Enforcement Approach to CIP Version 5 Under RAI.” In particular, Slide 6 provided:
• Internal Controls Reliance
o The Registered Entity’s internal control practices will be provided and reviewed by the Regional Entity.
o The Regional Entity will evaluate the level of the entity’s internal control program to tailor compliance activities in conjunction with the Risk Assessment.

As some Registered Entities believe that the review of internal controls is an area of its business management, there is concern that a required review of internal controls by the ERO Enterprise is beyond the scope of compliance to the NERC reliability and cyber security standards.

The intent of this white paper is to establish assumptions and to provide a proposed solution to resolve the conflicting messages from the ERO Enterprise with respect to the voluntary nature of the assessment of Registered Entity internal controls.

Assumptions
The following assumptions were developed by the Risk-based Reliability Compliance Working Group (“RBRCWG”) with respect to the members’ understanding of internal controls.
1. Most Registered Entities have internal controls that support compliance to the NERC standards, whether they refer to them as internal controls, management controls, policies, procedures, practices, or some other description.
2. A Registered Entity’s internal controls, in some cases, may be documented, but, in other cases, they may not be documented.
3. A Registered Entity’s internal controls may or may not be documented in a “program” that readily lends itself for review by the Regional Entity but the internal control(s) may exist in actual practice.
4. There is no expectation on the part of the ERO Enterprise that Registered Entities will expend resources “packaging” internal controls into an internal controls program for the benefit of the Regional Entity.
5. In whatever form the Registered Entity’s internal controls exist, if they are assessed by the Region to be effective, the entity may benefit from some reduction in compliance monitoring scope commensurate with the effectiveness of its internal controls.
6. Should the Registered Entity decline to share its internal controls with the Region, the entity probably will not benefit from compliance monitoring scope reduction based on its internal controls.
7. Should the Registered Entity decline to share its internal controls with the Region, the entity should not expect to receive an expansion of compliance monitoring from its previous level of compliance monitoring, solely on the basis of its decision not to share internal controls with the Region.
Proposed Solution
The ERO Enterprise should reach a common understanding between NERC and the eight Regions on the issue of whether evaluation of Registered Entity internal controls by the Regions or NERC is either a voluntary or mandatory aspect of compliance monitoring activities.

Once consensus is reached regarding this determination, if it is made in the affirmative regarding the mandatory nature of the evaluation of internal controls, the ERO enterprise should amend their respective Compliance Monitoring and Enforcement Programs to add this method of compliance monitoring, including citation to the section of the Rules of Procedure that documents the authority to evaluate Registered Entity internal controls. In addition, all references to the voluntary nature of internal controls assessments should be deleted from the CMEP and other related documents currently posted to NERC’s website. Additional outreach should also be performed regarding this determination.

On the other hand, if the ERO Enterprise concludes that it does not have the authority to compel entities to share internal controls or does not intend to compel entities to share internal controls, NERC should ensure that the use of evaluation of internal controls is consistently represented in documentation utilized across the ERO enterprise, noting the voluntary nature of a Registered Entity’s decision to share its internal controls for evaluation. This includes specific language to be consistently used by the Regions in their audit preparation communications to entities with respect to the voluntary nature of internal controls assessments. Additional outreach should also be performed regarding this determination.

The RBRCWG volunteers to provide assistance to the ERO enterprise regarding the necessary and appropriate communications discussed above once a final determination regarding internal controls assessments has been made by the ERO enterprise.
Appendix 1
References to the “Voluntary” Nature of RAI Internal Controls Assessments
The two excerpts listed below from the referenced NERC documents indicate the voluntary nature of the RAI internal controls assessments.

1. Risk-Based Reliability Compliance Working Group (RBRCWG) NERC Reliability Assurance Initiative Program Overview Q&A, Initial Version: May 7, 2013. FAQ A.8
http://www.nerc.com/pa/comp/Reliability%20Assurance%20Initiative/RAI%20QA%20Document.pdf

Q&A# A.8 Is the RAI intended to be voluntary for registered entities?
Certain aspects of the RAI will be voluntary for registered entities; others will not.
Scoping Compliance Monitoring. The ERO Enterprise will scope the compliance monitoring for each registered entity in accordance with results of the entity’s risk assessment. An entity can voluntarily establish internal controls designed to reduce its control risk (see A.3.), which could have a positive influence on the scoping of compliance monitoring by the Regional Entity. Conversely, the entity can voluntarily elect to not establish internal controls or share them with the Regional Entity.

2. Reliability Assurance Initiative (RAI) Benefits and Impact (Initial Version: September 30, 2013), Section E.2.
http://www.nerc.com/pa/comp/Reliability%20Assurance%20Initiative/RAI%20Impacts%20and%20Benefits%20V1.pdf

Section E.2. Assessing Registered Entity Internal Controls
Impact: In accordance with GAGAS practices, the CEA will implement a systematic process to understand and evaluate internal controls as they relate to compliance with the Reliability Standards. A general benefit is that the entity will receive compliance-related feedback from the CEA on its internal controls. This could lead to developments that strengthen entity controls, improving compliance and enhancing operations, thereby resulting in a more reliable BES. While the Rules of Procedure (ROP) clearly express the use of GAGAS and Institute of Internal Auditor guidelines with regards to conducting audit engagements which in turn require the evaluation of internal controls, an entity cannot be found in noncompliance based on any activity related to its internal controls. Additionally, entities with effective internal controls in place may be given credit when assessing civil penalties. The additional work required to organize and present its internal controls to the CEA in support of the assessment may create a need for additional resource attention. Two scenarios can occur in the context of this RAI item.

a. The entity declines to share its internal controls with the CEA.
Potential Outcome: The nature, timing, and frequency of audit engagements will be adapted to appropriately address risk in the absence of the ability to effectively understand and evaluate controls. Further, the entity would not benefit from the CEA’s experience gained from reviewing internal controls of other entities.

b. The entity shares its internal controls with the CEA, and the CEA determines the controls to be effective.
Potential Outcome: The CEA accrues the benefit of increased understanding of how the entity, through its internal controls, ensures it is in compliance with the Reliability Standards. The entity can benefit from this assessment in several ways. First, the entity receives the feedback that the CEA believes the entity’s internal controls are effective. Second, the entity, via the dialog with the CEA in the course of the assessment, may learn about potential enhancements to its internal controls. Third, the entity may benefit from a reduction in compliance monitoring scope, testing, or frequency, as determined by the CEA.
NERC CCC Reliability Assurance Initiative (RAI) Data Retention and Sampling Team Update
Compliance and Certification Committee Meeting, June, 2014
Topics
• Team members
• Team scope and deliverables
• Survey summary
• Project timeline and next steps
Team Members
• Ed Kichline
• Leigh Anne Faugust
• Christina Bigelow
• Terry Bilke
• Kevin Conway
• Jennifer Flandermeyer
• Ajay Garg
• Lou Oberski
• Rick Terrill
• Bill Graham
• Barb Kedrowski
• Derrick Davis
Team Scope and Deliverables
• Objective: Identify/recommend improvements to make data retention and sampling more efficient/effective and less burdensome
• Catalog existing data retention requirements (differences in standards, RoP, Compliance Process Bulletin, etc.)
• Identify the types/classes of data and information audited (Real time data, documentation, event triggered, etc.)
• Outline principles of data retention and sampling
– What amount of data is necessary to satisfy compliance
– Amount needed to provide assurance the reliability goals are being met
• Identify, via survey and other outreach, problems experienced in data retention and sampling
• Draft whitepaper/report with recommendations based on survey and team research
• Assist NERC with creation of/changes to documents based on recommendations.
159 Survey Respondents
[Bar chart: Your Region(s) and Audit Cycle (check all that apply, including if you are subject to two audit cycles). Regions: FRCC, MRO, NPCC, RFC, SERC, SPP, TRE, WECC. Series: 3 Year Audit Cycle; 6 Year Audit Cycle; Not Applicable.]
Data Retention Challenges
[Bar chart: Which do you consider the most challenging or problematic issue with regard to data retention for compliance (where 1 is the most problematic and 5 is the least troublesome). Categories: Differing retention periods among the standards; Being asked for data that is no longer relevant; The volume of data requested; The storage requirements; Conflicts between the data retention in the standards and my other retention obligations. Series: 1, 2, 3, 4, 5, N/A.]
Next Steps
• Revise draft whitepaper based on comments by RAI leadership and CPPS feedback
• Post paper for public comment mid June
• Make changes based on comment late June
• Draft RoP changes: TBD
• Draft supporting documents (e.g. process bulletin, audit handbook supplement): TBD
• Post changes to RoP for comment: TBD
Questions and Answers
Whereas, Greg Pierce is retiring from Entergy and departing the CCC.
Whereas, Greg Pierce has faithfully and effectively represented SERC and the Industry on the CCC for six years.
Whereas, Greg Pierce has led the metrics-related work within the CCC to include chairing the Performance Metrics Task Force.
Resolved, the CCC thanks Greg for his service and wishes him success in his future endeavors.