Internal Controls - Home - Southwest Power Pool OGE Internal Controls Spreadsheet - CIP Standard...


Date posted: 04-Apr-2020

  • Internal Controls

    Tiffany Lake – WESTAR
    Terri Pyle – OG&E
    Jim Nail – IPL

  • Compliance –
    • a: the act or process of complying to a desire, demand, proposal, or regimen or to coercion
    • b: conformity in fulfilling official requirements (Merriam Webster definition)

    In other words… the things we do to fulfill the Requirements of the NERC Standards.

  • Internal Controls – systematic measures (such as reviews, checks and balances, methods and procedures) instituted by an organization to … deter and detect errors … ensure accuracy and completeness of its data … and ensure adherence to its policies and plans. (Business Dictionary.com)

    In other words… Internal Controls are those additional things we do to ensure our Compliance activities
    • Get Done On Time
    • Get Done Correctly
    • Get Documented Properly

  • Internal Controls come in many shapes and sizes
    • Processes and Procedures
    • Checklists
    • Spreadsheets
    • Calendar/Email reminders
    • Training and Qualification

  • SPP RE FALL COMPLIANCE WORKSHOP

    Westar Energy’s Approach to Internal Controls
    • Traditional vs. Risk-Based Compliance Approach
    • What is the impact to Westar Energy?
    • Roles and Responsibilities
    • Assessing Process-Level Risks
    • Identifying Internal Controls

  • NERC 693 COMPLIANCE WORKSHOP

    Transition to Risk-Based Compliance

    Traditional Approach
    • Review all applicable standards every year
    • Collect evidence
    • Conduct testing
    • Update RSAWs

    Risk-Based Compliance
    • Review higher risk standards
    • Utilize internal risk assessment results
    • Collect evidence
    • Conduct testing
    • Conduct process-reviews
    • Identify and prioritize process-level risk
    • Identify and document internal controls
    • Perform gap analysis

  • How does Risk-Based Compliance Impact Westar?

    • Focus resources on higher risk areas

    • Positive effect on reliability

    • Better internal controls and management processes

    • Incorporate 2015 lessons learned into 2016 work plan

    • CIP Audit – April 2016

    • 693 Audit – November 2016


  • Roles and Responsibilities

    Internal Audit

    NERC Compliance

    Business Units

  • Assessing Process-Level Risks

    • Review reliability-related processes
    • Misoperations
    • Transmission Vegetation Management

    • Identify process-level risks
    • Perform a risk assessment
    • Document risks

  • Identifying Internal Controls

    • Identify and document existing internal controls
    • Perform a gap assessment
    • Implement internal controls where necessary

  • Tiffany Lake
    Manager, NERC Reliability
    (785) 575-8193
    Tiffany.Lake@WestarEnergy.com

  • OG&E

    OG&E Approach

    • OG&E Compliance Progression
    • Risk-Based Approach
      – Risk Assessment
      – Process Review & Mapping
      – Internal Controls
    • Documenting Internal Controls
    • Current Focus Areas
    • Benefits
    • Examples

  • OG&E Compliance Process Progression

    • Foundation - Compliance Management Program
      – Compliance Management Tool - Define compliance, Collect evidence, Update RSAWs
    • Compliance Assurance Process (CAP)
      – Procedures, Process Flow Charts, Trained SMEs, Documented Evidence, RACIs, Controls
    • Risk-Based Approach
      – Documented risk assessment – emphasis on higher risk areas
      – In depth process review and mapping
      – Identify and document new internal controls

  • Risk Assessment Considerations
    • NERC Risk Elements
    • SPP Risk Elements
    • Top 10 Most Violated Standards
    • Standard VRFs
    • Audit and Self-Certification Lists
    • NERC Projects – pending Standards
    • Past OG&E Compliance History
    • Compliance Assurance Process (CAP) Score
    • Other

  • Process Review and Mapping

    • Process Mapping
      – Detailed review with process owners
      – Understand how work is done
      – Incorporate compliance requirements
      – Identify touch points within processes
        • Business groups
        • NERC Standards
      – Include controls already in place
      – Identify weak areas in the process and develop new controls

  • Internal Controls

    • Level
      – Entity
      – Process
      – Compliance assurance
    • Type
      – Preventive
      – Detective
      – Corrective
    • Application
      – Automated
      – Manual
      – Hybrid
    • Frequency
      – Daily
      – Weekly
      – Monthly
      – Quarterly
      – Annually

  • Documenting Internal Controls

    OGE Internal Controls Spreadsheet - CIP

    Columns:
      – Standard Req.
      – NERC Risk Element
      – SPP Risk Element
      – OGE Risk Ranking (High, Medium, Low)
      – Requirement Text
      – Internal Control ID
      – Control Title
      – Control Area
      – Internal Control Description
      – Goal of Controls
      – Control Type (Preventative, Detective, Corrective)
      – Control Application (Automated, Manual, Hybrid)
      – Control Frequency (e.g. real-time, daily, monthly, quarterly, annual, etc.)
      – Control Owner

    • Start with what you have
    • Review processes to identify new controls
    • Consider process mapping as a tool

  • Current Focus Areas

    OPS (693)
      – Facility Ratings
      – Operations Personnel Training
      – Misoperations

    CIP
      – Recovery Plans
      – Change Management

  • Benefits

    • Better understanding of internal processes
    • Improved processes
    • Better defined roles and responsibilities
    • Improved compliance assurance
    • Improved reliability

  • Terri Pyle
    Manager, NERC Compliance
    (405) 553-3215
    pyleta@oge.com

  • • Municipal Utility
    • Registrations: TO/TOP/GO/GOP/TP/RP/DP/LSE
    • 26 miles of 161KV Transmission
    • 4 BES Substations
    • 1 BES Generation asset

  • Risk Assessment

    • IPL system design very stable
    • Maintenance program effective
    • Program documents stable
    • System events very rare

    • Biggest risk is Awareness

  • Approach to Internal Controls

    • Management focused – Lead Team, Reliability Team, CIP Team

    • Monthly meetings with division managers and primary SMEs

    • Develop tools (spreadsheets, checklists, procedures) to help supervisors monitor performance of compliance activities

  • Examples

  • CMT: Compliance Event Form

    OG&E

  • CMT: Compliance Event Modification Form

    OG&E

  • PER-005-1: Checklist for New Tasks or Identified Task Modifications

    OG&E

  • PER-005-1: Review and Management of Training Process

    OG&E

  • Facility Ratings Process Map and Standard Touchpoints

    OG&E

  • Other Internal Control Examples

    • Monthly CIP Team Meetings
      – Review changes that could impact CIP compliance
    • Monthly Blackstart Restoration Calls
      – Review system changes that could impact plan
    • Flowgate application in SCADA EMS
      – Displays permanent and temporary flowgates and alerts
    • Anti-virus software with automated removal and alerting

  • Questions?
