Compliance Operations Update


1 Compliance Operations Update The Reliability Assurance Initiative Earl Shockley, Senior Director of Compliance Operations 2013 NERC Standards and Compliance Fall Workshop September 26, 2013

2 Table of Contents Section 1: Purpose of RAI Section 2: Current and Future Activities Section 3: RAI Informational Resources 2

3 Section 1: Purpose of RAI RAI is the ERO's strategic initiative to transform the current compliance monitoring and enforcement program (CMEP) to one that is forward looking, focusing on high reliability risk areas, and reducing unnecessary administrative burdens. Three main goals: Build on the success of Find, Fix and Track (FFT), developing incentives for registered entities in the compliance and enforcement area that discourage poor performance and encourage behaviors that contribute to higher accountability and improved reliability. Design a compliance program that recognizes an entity's risk to reliability, along with its management controls and corrective action programs used to meet the reliability standards. Reduce unnecessary administrative burdens of the compliance monitoring and enforcement program on all stakeholders. 3

4 Compliance Design a compliance program that recognizes an entity's risk to reliability, along with its management controls and corrective action programs used to meet the Reliability Standards. The tools that support the CMEP process are also being matured. Communication tools are also being redesigned. 4

5 Enforcement Enhancing the FFT process: Consistently apply the process across all eight Regions. Reduce overall processing times, and readdress the associated documentation and reporting requirements. Develop instructions and templates to aid in the determination of minimal risk issues. Improving the self-reporting process: Reduce the time and effort spent on minimal risk issues and reserve the enforcement process for issues that truly pose a risk to the Bulk Electric System (BES). Identify improvements to the self-reporting template and supporting processes. 5

6 Section 2: Current and Future Activities Four Key Areas of Focus for 2013 Areas of Focus for

7 Four Key Areas of Focus for 2013 Auditor Handbook The auditor handbook is currently under development and is targeted to be completed by the end of The training and rollout efforts will occur in Prototypes and Pilot Programs The prototypes and pilot programs are currently underway and will continue throughout the remainder of the year. By the end of 2013, the results and lessons learned will be evaluated and will serve as inputs into an ERO-wide risk-based auditing approach. Improvements to Self-Reporting Improvements to self-reporting are currently being designed and tested in a series of pilot programs throughout the remainder of In addition, IT system improvements are being assessed. FFT Enhancements Enhancements to the FFT process are currently being designed and tested in pilot programs and IT system improvements are being assessed in conjunction with the self-reporting activities described above. 7

8 Auditor Handbook Organization Manual and Handbook framework completed Present format and selected sections at September 18, 2013 Auditor Workshop Target completion is Dec Auditor training and rollout plan being developed 8

9 Section 3: RAI Informational Resources Current resources and available information Future resources Comments or questions 9

10 Current Resources and Information RAI Web Page [LINK] RAI White Papers: Describe the various elements of RAI, the steps to incorporating a risk-based approach, and the desired end-state: Incorporating Risk Concepts into the Implementation of Compliance and Enforcement [LINK] Restyle the Compliance Monitoring Approach [LINK] Evaluating Compliance Data Requirements [LINK] Refine Compliance and Enforcement Information Flow [LINK] Redesign the Enforcement Strategy [LINK] 10

11 RAI Workshops April 3, 2013 Workshop: Focused on developing and enhancing the strategy for conducting entity risk assessments, internal controls, and improvements to the enforcement strategy. July 10, 2013 Workshop: Focused on RAI prototypes, pilot programs and internal controls. July 23, 2013 Workshop: Focused on improvements to the self-reporting process and enhancements to FFT. **Materials from the RAI Workshops can be found on the RAI page** 11

12 Internal Controls Working Guide Developed through a collaborative effort between a group of industry stakeholders and NERC. Serves as a guide to help further the understanding of internal control programs and facilitate the development of a common language. The working guide is the first in a series of documents to be developed around the topic of internal controls; a resource library will be created with all of the documents for anyone to use. 12

13 Internal Controls Working Guide Future papers will address the following topics: Practical examples provided by registered entities, describing internal control programs. Specific examples of internal control activities that registered entities use to comply with Reliability Standards. Examples of audit approaches to understand internal control programs and testing internal control activities. LINK to Internal Controls Working Guide 13

14 RAI Question and Answer Document Developed through collaborative effort of NERC and industry members (representing the Compliance and Certification Committee (CCC)). Addresses topics like: What are the components of RAI? How will registered entities benefit from RAI? Will RAI be voluntary for registered entities? How will a registered entity's risk assessment be determined? What impact will RAI have on scoping audits? LINK to RAI Q&A Document 14

15 Future Resources NERC is planning to provide a number of workshops and webinars as RAI activities continue to progress. RAI Impacts and Benefits document: Discusses the impacts and benefits of RAI in a manner that considers the various perspectives of industry stakeholders. Document will outline the impacts and benefits connected to: Assessing registered entity risk Assessing registered entity internal controls Scoping compliance monitoring Processing violations in accordance with risk Strengthening the feedback loop to the standards development process 15

16 Please send any questions or comments to: 16

17 Find, Fix, Track and Report (FFT) and Enforcement Information Ed Kichline, Sr. Counsel and Associate Director, Enforcement Processing 2013 Standards and Compliance Fall Workshop September 26, 2013

18 Overview FFT changes Enforcement activities under Reliability Assurance Initiative (RAI) Role of registered entities in compliance monitoring and enforcement Using enforcement information 2

19 Changes to the FFT Program in 2013 Incremental enhancements to FFT program implemented in July 2013 Broader scope of issues eligible for FFT treatment o Certain moderate risk issues and issues with open mitigation Additional processing enhancements o Posting followed by 60-day review; annual report Benefits of FFT Average processing time for all violations: 13 months Average processing time for FFTs: 7 months 3

20 FFT and RAI FFT and self-reports are part of RAI Streamline minimal risk noncompliance 4

21 Inclusive Process Industry Input Workshops in April and July 2013 NERC Board of Trustees meetings in February and May 2013 Focus group calls and meetings in June, July, and August 2013 Regional Entity (RE) participation 5

22 Issues Identified by Industry Focus Group (FFT) Overall processing time Requirement of full Mitigation Plan 6

23 Issues Identified by Focus Group (Common Issues for FFT & Self-Report) Lack of sufficient information on content and process Lack of centralized information collection (particularly for multiregion registered entities) Lack of communication during a long process 7

24 Two-Part Approach More efficient process for early identification of minimal risk issues Better information upfront regarding: Risk Mitigation Prevention of recurrence (including detective and corrective controls) 8

25 Short-Term Solutions Additional guidance on self-reports ERO enterprise user guide for self-reports and mitigation Point of contact at RE for additional guidance Early triage with off-ramp for minimal risk issues Better overall processing time More communication between RE and registered entity Multi-Region Registered Entity Process First quarter

26 Medium- to Long-Term Solutions Improved intake form and process Ability to augment information Ability to cross-reference information already provided System enhancements to eliminate remaining FFT process inconsistencies (i.e., Mitigation Plan requirement) 10

27 Medium- to Long-Term Solutions Pilot Programs Aggregation of minimal risk issues o Selected REs o Selected registered entities o Periodic review of aggregated issues by RE o Begin in October 2013; first evaluation of results in April 2014 Alternative path to enforcement o Minimal risk issues from aggregation pilot o Minimal risk issues from audit pilots o Records retained for review by NERC and FERC o Begin in November

28 FFT Basics Noncompliance with a Reliability Standard If no noncompliance, then no possible violation, or possible violation is dismissed Minimal and moderate risk issues Applies to more than just no risk or no impact issues Issues where a financial penalty involves no benefits Applies to more than just violations that would receive a $0 penalty 12

29 Evaluation Criteria Facts and circumstances Reliability Standard Violation Risk Factors (VRFs) and Violation Severity Levels (VSLs) Risk to reliability Registered entity's compliance program Registered entity's compliance history 13

30 FFT Information Complete record as early as possible Scope of the noncompliance Number of assets or personnel involved Functions of assets or personnel Duration of the noncompliance System conditions at time of noncompliance Size of the facilities, connection characteristics, frequency of operation, etc. 14

31 Components of a Risk Assessment Surrounding facts and circumstances Protections in place that may have reduced the risk Continuous monitoring: physical, video, or automated (e.g., intrusion detection system) Redundancy Alarms, automated notices, or warning messages 15

32 Fixing the Noncompliance If fixed, provide the details Ending the noncompliance Preventing recurrence Completion date If not fixed, can it be fixed within a short period? Simpler mitigation may indicate lower risk FFTs must be fixed within 90 days of posting 16

33 Resources Learn from the experience of others All FFTs and Notice of Penalty violations are posted on the NERC Enforcement and Mitigation page Identify differentiating characteristics Talk to RE staff 17


35 Compliance and Enforcement Trends Enforcement statistics and metrics are available on the compliance violation statistics page. The data related to violations filed with FERC is publicly available. Analysis of the data related to violations that have not been disposed of is publicly available. 19

36 Locating Compliance and Enforcement Trend Analysis 20

37 Reviewing Compliance and Enforcement Trends The average processing times for violations vary by disposition method. 21

38 Reviewing Compliance and Enforcement Trends Registered Entities could use this information as an indicator to focus Internal Compliance Program resources for internal audits. Registered Entities could use this information to guide compliance objectives. 22

39 Reviewing Compliance and Enforcement Trends Find, Fix, Track and Report usage has increased and has helped reduce processing times. 23

40 Reviewing Compliance and Enforcement Trends Disposition tracks generally serve as a proxy for the risk posed by actual violations. Overall throughput is high. 24

41 Enforcement Public Data Enforcement Data Data on Notice of Penalty (NOP), Spreadsheet Notice of Penalty (SNOP), and FFT is available on the NERC website. All public data for filed violations is available on the Enforcement and Mitigation Page. Resource for self-monitoring, mitigation, and self-reporting. All Enforcement Action data by year SNOP Worksheets Searchable NOP DATA FFT Worksheets 25

42 Enforcement Public Data Enforcement Actions The Enforcement Action page includes information on all filed violations organized by the year they were filed. This page has links to the actual filed document and FERC orders. 26

43 Searchable Notices of Penalty The Searchable Notice of Penalty Spreadsheet is available on the Enforcement and Mitigation Page. Full NOP and SNOP publicly available data is searchable by the fields seen above. 27

44 FFT Example All FFT data is available in searchable Excel spreadsheets. 28

45 SNOP Example All SNOP data is available in searchable Excel spreadsheets. 29

46 NOP Example Individual NOPs can be viewed by clicking on the View Filing link on the Enforcement Action page. 30

47 Conclusion Enforcement continues to evolve under RAI Significant enhancements to FFT in 2013 Registered entities can facilitate compliance monitoring and enforcement in their roles on the frontline of compliance monitoring A wealth of enforcement information is available as a resource for registered entities 31


49 How NERC Communicates Mallory Huggins, Standards Developer Kristin Iwanechko, Manager of Standards Information 2013 Standards and Compliance Fall Workshop September 26, 2013

50 Communication & the Standard Processes Manual Section 1.4: Essential Attributes of NERC's Reliability Standards Processes Processes must provide reasonable notice and opportunity for public comment, due process, openness, and balance of interests Section 14.1: Online Reliability Standards Information System Obligation to maintain an electronic copy of information regarding Reliability Standards Development process creates a public record 2

51 General Philosophy Balance volume of communication with need for transparency and reasonable notice Empower stakeholders to access standards information and develop monitoring strategies that work for them 3

52 Key Communication Tools Regular Announcements Weekly Standards Bulletin Projected Posting Schedule Project Tracking Spreadsheet NERC News Webinars Workshops Standard Drafting Team Plus Lists New Website 4

53 Stakeholder Participation Retirement of Standards Committee Communications and Planning Subcommittee to incorporate communication function into Standards Committee and its subcommittees New Standards Communication Roster 5

54 Feedback: Key Themes Weekly Standards Bulletin Website Communication Standards Tools and Documents 6

55 Feedback: Future Participate on Standards Communication Roster Contact Mallory or Kristin Always looking for ways to improve 7
