Evaluating Reliability Compliance Programs


Transcript of Evaluating Reliability Compliance Programs

Page 1: Evaluating Reliability Compliance Programs


Gerry Cauley

President & CEO

Evaluating Reliability Compliance Programs

Utilities & Energy Compliance & Ethics Conference

Society of Corporate Compliance and Ethics

Gerry Cauley, President & CEO

SERC Reliability Corporation

March 2, 2009


Some Interesting Reactions

• Who the heck are you again….?

• And what if I don’t give you that information….?

• We’re so small and this is all new to us; this doesn’t really apply to us does it….?

• That doesn’t seem like the right penalty, what is everyone else getting….?

• Let us speak with our lawyers first and we’ll get back to you….

Page 2: Evaluating Reliability Compliance Programs


Volume of Compliance Activity

• Over 1,800 entities registered as having impact on bulk system reliability

• Over 6,000 violations in process or completed (pre & post June 18, 2007)

• Most 2007 minor violations with no financial penalty

• Approximately 100 system events analyzed or investigated (pending and complete)

• Over 400 audits performed


Staffing Effort at NERC and Regions

Key Points

• Staffing in the Regions should begin leveling off after 2009

• “Resource peaks” from system events, investigations, and hearings need to be carefully managed

• Increasing lead times to fill vacancies

Page 3: Evaluating Reliability Compliance Programs


Bulk Power System Owners, Operators, and Users Defined

[Chart: Number of Entities under the Voluntary Regime and Mandatory under EPAct; data labels 1832 and 282. As of August 2008.]

Key Successes

• Six fold increase in those subject to the standards, yet number of appeals to the Commission less than 1%

• Enormous education and outreach effort launched by the Regions

Key Point

• Registration is an ongoing effort as the industry and participants change


Enforceable Violations (Post June 18, 2007)

• More than 1900 alleged violations across North America

– Over 140 notices of penalty and settlements approved by FERC

– Violations apply to approximately 350 entities

– Approximately 50% of violations documentation related

– Approximately 14% of alleged violations dismissed

– Approximately 75% of violations from “new” Registrants

– 361 violations related to failure to complete pre June 18, 2007 mitigation plan

Page 4: Evaluating Reliability Compliance Programs


Status of Violations Being Processed

Region  Assessment and Validation  Confirmation  Settlement  Pending Regulatory Filing  Closed  Total
FRCC    64                         23            13          16                         0       116
MRO     9                          3             3           33                         7       55
NPCC    7                          0             26          5                          12      50
RFC     32                         4             46          14                         1       97
SERC    73                         1             40          39                         70      223
SPP     9                          42            1           4                          5       61
TRE     20                         0             13          22                         10      65
WECC    629                        316           94          106                        0       1145
TOTAL   843                        389           236         239                        105     1812


Reporting Remains High

(No slackening of new violations)

Note: Updated through July 21, 2008.

Post June 18th Enforceable Alleged Violations by Discovery Method

• Self Reports: 774 (51%)

• Self Certification: 253 (17%)

• Exception Reporting: 25 (2%)

• Data Submittal: 14 (1%)

• Compliance Audit: 445 (29%)

• Investigation: 4 (0%)

• Spot Check: 1 (0%)

Total Enforceable

Page 5: Evaluating Reliability Compliance Programs


Mitigation Plans

• Detailed schedule of actions to be completed by an entity to correct a violation by a specific deadline

• Region must approve and verify completion of each mitigation plan

• Always required in event of a violation

• Failure to meet deadlines places the entity at risk for additional enforcement actions


Status of Mitigation Plans

Region  Review Pending by RE/NERC  Entity Working and/or Region Verifying  Closing  Total
FRCC    52                         19                                      7        78
MRO     10                         2                                       1        13
NPCC    30                         2                                       0        32
RFC     54                         18                                      0        72
SERC    91                         31                                      7        130
SPP     33                         3                                       5        41
TRE     34                         7                                       0        41
WECC    644                        187                                     81       912
TOTAL   948                        270                                     101      1319

Key Points

• Majority of entities start mitigation plans immediately

• Length and cost of mitigation plan varies by nature and severity (risk) of violations

• High level of scrutiny on mitigation plan milestones and completion

Page 6: Evaluating Reliability Compliance Programs


Regional Compliance Program Focus

• Backlog reduction (target to be current in 2009)

• Supplementing records to meet NERC July 3 order

• Transparency to stakeholders

– New RE website at www.regionalentities.org

– New updates on Reliability Standard Work Sheets (RSAWs)

• Resource sharing and efficiency

• Settlements

• Short form settlement/misdemeanor violation process

• Cross-regional consistency and commonality

• 6 regions and NERC committed to compliance portal


FERC Policy Statement on Compliance

• Active senior management involvement

– Effective program requires senior management support

– Ensure adequate financial and human resources

– Ensure compliance personnel actively involved

– Sr. managers communicate commitment frequently

– Encourage personnel to discuss compliance issues

– Sr. compliance officers – direct access to board

– Compensation and reporting promotes employees following management’s lead

Page 7: Evaluating Reliability Compliance Programs


FERC Policy Statement on Compliance

• Effective preventive measures are systematic

– Careful hiring, training, accountability, supervision

– May result in a penalty reduction

• Prompt detection, cessation and reporting

– No specific timeframe identified for discovery/reporting

– However, violations should be reported promptly

– Violations identified during systematic internal audit and supervision program given substantial credit

• Remediation

– Steps taken to end violations and remedy misconduct

– Controls to prevent future misconduct


Foundations of Effective Compliance

Compliance is not an event, it is a continuous process

• Know what standards apply to you

• Find and fix compliance gaps

• Provide sufficient funding and dedicated resources

• Set measurable performance targets

• Tie results to performance and compensation

• Provide mandatory training programs

• Set up internal hotline for anonymous reports

• Set up internal audit program

• Track and review any noncompliance

• Present results to management and board

Page 8: Evaluating Reliability Compliance Programs


Compliance Culture

• Reliability important to everyone – CEO and senior management involvement

• All employees involved; clear responsibilities

• Compliance excellence is a core expectation

• Dedicated compliance personnel working with functional areas

• Prompt reporting of violations and mitigation

• Training

• Documentation

• No Compromise!


Like good yogurt – it’s all about the culture…

Page 9: Evaluating Reliability Compliance Programs


Self-Assessments

• Ongoing effort to detect possible alleged violations

• Designated self-assessment leader and team

– Consider outside participation

• Clarify self-assessment scope and objectives

– Promote identification, emulation of “best practices”

– Over time, want to establish added margin from minimum

• Conservative threshold to classify findings as possible alleged violations (PAVs)

– SERC staff will evaluate each PAV on its own merits

• Prompt self-reporting of PAVs

• Prompt initiation of mitigation and remediation


Self-Reporting

• Discovered through self-evaluation, internal audit?

• Initial notice when suspected with follow up later

– Prompt notification encouraged by management

• Immediate steps to correct possible violation

– Adequate response to violation

• Provide full disclosure of facts and evidence sufficient for region to understand how/why violation occurred

– Full cooperation of personnel with direct knowledge

• Immediate actions to cure violation and prevent further recurrence

• Additional investigation performed by entity

– Root cause analysis, duration of violation, assessment of actual and potential risk to reliability

• Single greatest factor in mitigating penalties

• Different than ‘self-certification’

– Periodic reporting of compliance or non-compliance for a specified period – required by compliance authority

Page 10: Evaluating Reliability Compliance Programs


Self-Report (Good Example)

• Entity identified possible gap in compliance while performing self-assessment

– Submitted detailed self-report of possible violation

– Promptly mitigated possible violation prior to receiving Notice of Alleged Violation

• Self-report included details under following headings:

– Violation description - text from standard and details of nature, scope and duration of possible violation

– Timeline of events - chronology of events leading to possible violation, and entity’s actions thereafter

– Why did non-compliance occur - discussion of root cause of possible violation, acknowledging staff lack of knowledge of the requirement

– How non-compliance was found - entity’s self-assessment efforts led to discovery of possible violation

– Cure and prevention - what entity is doing to ensure continued compliance with the standard and lessons learned to ensure a similar possible violation does not occur; also addresses entity’s review of all applicable reliability standards to ensure other gaps do not exist

– What entity is doing to improve its compliance program - description of existing program and changes as result of discovery of this possible violation

– Reliability impact of possible violation - references assigned VRF/VSL; describes how reliability risk was mitigated during the period of violation; provides rationale for entity’s assessment if reliability risk was low


Self-Report (Needs Improvement)

• Lack of specificity and self-assessment

– “Out of an abundance of caution, we are self-reporting that we may not be in compliance with XYZ Standard pending a review of applicable standards”

– Incorrect standard or requirement cited

• Self-report emailed to [email protected] immediately prior to submitting self-certification form or audit

• Entity discovered and corrected possible violation but did not self-report at the time

– Discovered and corrected in 2007

– Gap in compliance discovered by audit team in 2008

– Could have been zero-penalty if self-reported during 2007

• Entity self-reports but is “in denial”

– “We believe we are in compliance but are self-reporting because we don’t have documentation, and besides we don’t have an impact on reliability”

Page 11: Evaluating Reliability Compliance Programs


Successful Audit

• Dedicate resources

• Conduct internal audits (ongoing, not when noticed)

• Structure around standards/RSAWs

• Documents

– Title, definition

– Revision history and effective dates

– Authorizing signatures

• Track changes to standards

• Organization wide commitment to compliance

• Get clear on division of responsibilities, asset owner or operator, market functions, RTO functions


Compliance Evidence

• A well documented procedure to do something; ability to demonstrate continuously in effect

– Evidence you did it over the period of review

– Scattered documentation is not good.

– Highlight evidence for ease of auditor

• Standardize your process/procedure template

• Establish a procedure for revisions

• Track your staff’s awareness

• Have a central repository for tracking

– Data, mail, memos, or email

– Screenshots, meeting minutes

– Diagrams, voice recordings

– Logs, staff reports

Page 12: Evaluating Reliability Compliance Programs


Audit Preparation (Good Example)

• Entity is extremely well prepared and organized months in advance of audit

• Entity populates RSAWs for all applicable standards with specific examples of evidence; links to evidence in RSAW

• Performs dry run audit using internal and external resources

• Management committed to successful audit preparation

• Key employees available to audit team, even if not actively participating

• Other sample evidence readily accessible

• Project manager assigned for audit preparation

• Personnel have participated in other compliance audits

• Even small entities have exhibited excellent preparation


Audit Preparation (Needs Improvement)

• Entity waits until Audit Detail Letter before preparing

• Single individual assigned to prepare for audit without support from management and other employees

• Ambivalent attitude; lack of focus on seriousness

• Evidence poorly organized and not readily available

• Key personnel unavailable to respond to questions

• Evidence not clearly marked – audit team spent a large amount of time searching through voluminous records to find evidence

• Documents created shortly before audit, no record of previous document

– Document control and version control are important indicators of ongoing, competent compliance program

Page 13: Evaluating Reliability Compliance Programs


Event Analysis and Compliance Investigations

• Increased FERC/NERC involvement and leadership

• Timelier overall, with initial alerts in 2-3 weeks

• Compliance investigation, if warranted, should begin early and run in parallel

– Entity should be informed early that information may be used for compliance

• Need more work on triage for event analysis

– OE-417 alone is not sufficient trigger


Violation Remedies

• Penalty ($0 must be well justified)

• Fix the noncompliance

• Measures to prevent similar future noncompliance

• Improvements to compliance program

• Additional reliability measures

Page 14: Evaluating Reliability Compliance Programs


Mitigation Plans

• Entity encouraged to mitigate ASAP

• Mitigation plan submittal is NOT an admission

• Offers cover from added violations and penalties while completing approved plan

• Mitigation plans

– Correct the violation

– Prevent recurrence

• Confidential until Notice of Penalty

• Mitigation plan is a CONTRACT (Entity & Region)

– Quarterly status update against milestones

– Entity MUST complete milestones and full mitigation prior to end date or request extension (at least 5 days notice required)

– Entity MUST certify completion and provide evidence

– Serve the purpose of improving reliability

– Region reviews plans, monitors performance


Mitigation Plan (Good Example)

• Clear description of steps to remedy possible violation

• Demonstrates commitment to promptly resolve deficiencies leading to the possible violation

• Detailed action plan to prevent recurrence

• Mitigation plan submitted promptly, even though no Notice of Alleged Violation has been issued

• Describes root cause analysis and actions to be implemented, based on the results of root cause analysis

• Addresses full scope of reliability standard to ensure compliance is achieved

• Entity submits Certification of Completion, along with comprehensive evidence of completion and compliance

– Evidence is well organized and clearly marked to facilitate regional staff review and concurrence

Page 15: Evaluating Reliability Compliance Programs


Mitigation Plans (Needs Improvement)

• Entity submits certification of completion but cannot produce supporting evidence

• Entity fails to complete mitigation plan before the scheduled completion date

• Entity insists on waiting for Notice of Alleged Violation before submitting mitigation plan

– While allowed under CMEP, does not demonstrate entity’s voluntary actions to promptly remedy possible violation

• Milestones not included for mitigation plans with durations in excess of 3 months

• Milestones that are more than 3 months apart


Mitigation Plans – Other Issues

• Missing or incorrect standard/requirement reference

• Missing violation description

• Violation description inconsistent with Region’s understanding

• Failure to include actions to prevent recurrence

• Timetable for completion of mitigation plan includes words like “anticipated” or “target” completion date

• “We will prepare and implement a plan to correct the violations”

• “We are initiating a compliance program that when implemented will correct this violation”

• “We hired consultant to determine a plan to become compliant”

• “We hired consultant to implement the mitigation plan”

• “We aren’t doing anything” or “we don’t need to do anything” because either (i) “the violation has no impact on the reliability of the bulk power system” or (ii) “we have no impact on the reliability of the bulk power system”

Page 16: Evaluating Reliability Compliance Programs


Benefits of Effective Compliance Program

• Good business sense to be compliant

• Good business sense and good for customers to improve reliability and fix shortcomings

• Significant consideration given if a violation occurs

• Can an excellent, effective compliance program be less costly than a minimal effort – probably yes!

– Reliability problems found and fixed before a problem

– Avoidance/mitigation of penalties and enforcement actions

– Culture of reliability excellence carries over to other areas of operational excellence