Reliability Assurance Initiative (RAI) Update. June 19, 2014, 3 pm to 5 pm EDT Industry Webinar

Transcription

Slide 1: Reliability Assurance Initiative (RAI) Update, June 19, 2014, 3 pm to 5 pm EDT Industry Webinar
Slide 2: Administrative Items

NERC Antitrust Guidelines: It is NERC's policy and practice to obey the antitrust laws and to avoid all conduct that unreasonably restrains competition. This policy requires the avoidance of any conduct that violates, or that might appear to violate, the antitrust laws. Among other things, the antitrust laws forbid any agreement between or among competitors regarding prices, availability of service, product design, terms of sale, division of markets, allocation of customers or any other activity that unreasonably restrains competition.

Notice of Open Meeting: Participants are reminded that this webinar is public. The access number was widely distributed. Speakers on the call should keep in mind that the listening audience may include members of the press and representatives of various governmental authorities, in addition to the expected participation by industry stakeholders.

RELIABILITY | ACCOUNTABILITY
Slide 3: A Consolidated ERO Approach to Risk-Based Compliance Monitoring
Reliability Assurance Initiative Updates, June 19, 2014
- Jerry Hedrick, Director, Regional Entity Assurance and Oversight, NERC
- Sarah E. Stevens, Compliance Oversight and Assurance Manager, SERC Reliability Corporation
- Thomas P. Tierney, Director of Compliance, Midwest Reliability Organization

Slide 4: Agenda
- RAI Status
- RAI Oversight Plan Framework
- Risk Elements
- Inherent Risk Assessment
- Internal Controls Evaluation
- Oversight Scoping
- RAI v. IAC
- RAI Misconceptions
- Next Steps

Slide 5: RAI Oversight Plan Framework (flow diagram)
- Inputs: RE functions and characteristics; ERO / Regional events; RISC risk elements; applicable Standards
- Inherent Risk Assessment (IRA) produces the scope input to the Internal Controls Evaluation (ICE)
- ICE produces the scope for Oversight Scoping; controls not evaluated pass straight through to Oversight Scoping
- Oversight Scoping applies the CMEP tools and yields the Compliance Oversight Plan
Slide 6: RAI Compliance Status
- Inherent Risk Assessment: complete the guide on approach
- Risk Elements: identify and determine application of data; incorporate into the AML and IP
- Internal Control Evaluation: document approach; develop guide
- Next Steps for RAI and CIPv5: programmatic approach to risk and discretion

Slide 7: RAI: Harmonious IAC, Effective Compliance Monitoring
- Entity identifies Internal Controls (RAI)
- Regional Entity notes Entity's ability to identify, assess, and correct reliability concerns
- Regional Entity may choose not to test certain standards/requirements where the risk assessment shows less risk for those standards/requirements for that Entity
- Entity's documented and verified Internal Controls provide reasonable assurance of compliance
- Focus of compliance monitoring and enforcement activities shifts from finding every incidence of non-compliance to identifying gaps that could result in gaps in Bulk Electric System reliability

Slide 8: Risk Elements (diagram)
- Identify risks at ERO level: NERC/RAPA, RISC
- Identify risks at Regional level: Regional Risk Groups
- Transform risks into reliability elements (functional application of risk)
- Cycle: Identify; Review (IRA); Scope (ICE)

Slide 9: Inherent Risk Assessment
- How susceptible is the entity to identified risk themes?
- Inputs: events; entity-specific data; legal or regulatory factors affecting reliability; regional factors affecting reliability; compliance history
- Cycle: Identify; Review (IRA); Scope (ICE)
Slide 10: Inherent Risk Assessment Example - CIP
- Risk assessment for three entities with no Critical Cyber Assets (CCA)
- Inherent risk assessment captured unique aspects of each and allowed for tailored monitoring scope
- Entity #1: BA for many independent municipalities on shared EMS, MRRE. Conducted on-site audit of registered entity as MRRE audit
- Entity #2: BA previously identified CCAs, positive compliance history/mitigation plans, alternative compliance monitoring activities in period. Spot check CIP-002 only
- Entity #3: LCC monitored by RTO. Monitor testing by RTO, re-test sub-set of standards/requirements to ensure appropriate and sufficient testing

Slide 11: Inherent Risk Assessment Example
- Risk assessments conducted for three wind farms with similar registrations (GO/GOP): 131 applicable Requirements, 28 Requirements on 2014 AML
- Inherent risk assessment captured unique aspects of each and allowed for tailored monitoring scope
- Wind Farm #1: vanilla example. 20 requirements in scope for audit (only 5 on AML)
- Wind Farm #2: also responsible for interconnection of nuclear facility. 25 requirements in scope for audit (only 5 on AML)
- Wind Farm #3: doesn't own collector bus. 2 requirements in scope (neither on AML). Guided Self-Certifications instead of Compliance Audit

Slide 12: Internal Control Evaluation
- Identification of control activities: existing registered entity documentation; prior knowledge from past interactions; walkthroughs of individual processes
- Design evaluation: will the control prevent, detect, or correct non-compliance with reliability standards?
- Operational effectiveness: gather evidence that demonstrates the control is implemented as designed and is achieving the desired objective
- If the control is effective, Regional staff may, in some circumstances, rely on control testing in place of testing for strict compliance
Slide 13: Internal Control Evaluation Example
- Internal controls related to COM-002
- Preventive control involves random review of operator communications, followed by feedback and corrective actions
- Registered Entity uses three-part communication for routine communications
- Detective control involves complete review of any situation in which a directive may be issued
- Conclusion was that Registered Entity will identify and address issues timely
- Based on results of internal control testing, Standard was not tested directly

Slide 14: Internal Control Evaluation Example
- Internal controls related to PRC family of Standards
- Preventive control involves use of work order management system to track testing activities and alert on upcoming or missing tests
- Detective control involves random monthly management review of 10% of maintenance and testing records
- Conclusion was that Registered Entity will meet all requirements related to maintenance and testing intervals
- Criteria for management review not clearly documented; resulted in reduced sampling for related Standards
- While intervals will likely be met, not sure whether management review is consistent with Region's application of standards

Slide 15: Internal Control Evaluation Example
- Entity has internal control for maintenance
- Maintenance internal control covers multiple NERC Reliability Standards: PRC-005, PRC-008, PRC-011, FAC-003, EOP-005, CIP-003 R6, CIP-006 R8
- Regional Entity tests design and effectiveness of one internal control to gain reasonable assurance of compliance with seven NERC Reliability Standards

Slide 16: Using Work of Others
- Entity conducts independent evaluations of individual standards/requirements (entity-level control governance)
- Conclusion: Entity effectively implements and independently tests NERC reliability standards/requirements
- First example: based on results of internal control testing and Entity independent testing, audit significantly scaled. 43 potential requirements in AML for the audit; 13 requirements use work of internal independent audit group; 3 standards repeat work of internal independent audit group to confirm adequacy of work
- Second example: based on results of internal control testing and Entity independent testing, audit significantly scaled. 34 potential requirements in AML for the audit; 15 requirements use work of independent auditor; 4 standards repeat work of independent auditor to confirm adequacy of work
Slide 17: Oversight Scoping Example
- Compliance monitoring activities may become more frequent, but less intrusive
- Shift from large, infrequent audits to continuous monitoring
- Focused scope for monitoring places emphasis on areas that present highest risk to reliability of the BES
- Regions to make better use of all the tools provided by the CMEP, not just audits

Slide 18: Oversight Scoping Example
- ERO-based Oversight: address Interconnection- or Region-wide concerns; Guided Self-Certifications, scheduled as needed
- Functional Oversight: address unique considerations on a per-entity basis; Guided Self-Certifications or Spot Checks; Compliance Audits based on triggers that merit broader, more comprehensive reviews
- Event Oversight, as needed: Guided Self-Certifications, Spot Checks or Investigations as needed

Slide 19: Guided Self-Certification Example
- FAC R6 Self-Certification
- Focused on narrower scope based on region-wide concerns
- Emphasis was on "How do you know you're compliant?"
- Abandoned check-the-box approach
- Defined how to perform self-assessment and set expectations for how results were to be communicated to Regional staff
- Inquired about internal controls: How are existing, erroneous facility/equipment ratings identified? How are new errors in facility/equipment ratings prevented?

Slide 20: RAI Misconceptions
- Misconception: When a requirement is removed from scope, the Registered Entity is no longer responsible for compliance with that requirement. Truth: Everything that was enforceable remains enforceable.
- Misconception: A reduction in scope or scale will lead to a shorter and less rigorous compliance monitoring engagement. Truth: Removing lower-risk requirements provides Regional staff time to focus on higher-risk requirements.
- Misconception: There is an old and a new way of monitoring compliance. Truth: Regional Entities are identifying common processes and procedures to add more clarity and consistency in the audit process.

Slide 21: How You Can Help
- Establish/identify/evaluate internal controls to effectively manage high-frequency security obligations
- Start transition to CIPv5: familiarize yourself with the Compatibility Matrix; read Lessons Learned from CIPv5 pilots
- Volunteer within your regions to assist with transition issues

Slide 22: Our Next Steps
- Complete RAI Guidance Documents: Risk Elements, IRA, ICE, CMEP Tools
- Train Regional Entities on high-level concepts to ensure consistent application of RAI across 8 regions
- Evaluate results of RAI and CIPv5 pilots; integrate RAI concepts into CIPv5 compliance monitoring strategies for the regions
Slide 23: RAI Enforcement Activities: Overview and Examples

Slide 25: End-State Vision
- Focus on noncompliance that poses a serious and substantial risk to the reliability of the bulk power system (BPS); exercise discretion whether to initiate an enforcement action for issues that do not pose a serious or substantial risk
- Encourage registered entities to continue to self-identify, mitigate, and record noncompliance under oversight of NERC and Regional Entities
- NERC and the Regional Entities continue to maintain visibility regarding all noncompliance

Slide 26: Milestones Reached
- FFT process used to resolve moderate risk noncompliance
- Triage process in place throughout the ERO enterprise
- Dissemination of information on risk assessment and mitigation through the user guides
- Aggregation and compliance exception programs test processes designed to implement the end-state vision

Slide 27: Triage and Process Flow (diagram)
- Input: Risk and Control Assessment; Audit, Spot check, etc.; Log, Self-Report, Self-Cert.
- Triage, with outcomes: Record; Compliance Exception; Enforce
- Feedback to Risk and Controls Assessment

Slide 28: User Guides
- Common understanding of: what constitutes a good initial record; how risk of noncompliance is assessed; how mitigation is documented and evaluated
- Final versions posted in May 2014
- Available at:
Slide 29: Aggregation/Logging Program
- Who Can Participate? Entities that have been assessed for the capability of self-assessment, continuous monitoring, and mitigation. Additional entities will be included throughout the program as they are evaluated by Regional Entities
- What Can be Aggregated/Logged? Minimal risk issues (see User Guide)
- What Happens to Items Logged? Presumption that they will be resolved as compliance exceptions

Slide 30: What's in the Aggregation Log?
- Region
- Name of Entity
- NCR
- Std.
- Req.
- Issue Description
- Risk Assessment
- Mitigating Activity

Slide 31: Issue Description
Entity should provide sufficient details to assist its Regional Entity in making a fair and informed assessment of the noncompliance. These details should include:
- method of discovery
- corrective actions taken
- cause, if determined, of the noncompliance
- duration of noncompliance
- the full details surrounding the noncompliance itself

Slide 32: Risk Assessment
In assessing risk, Entity should consider all factors that mitigated the actual and potential risk, taking care to avoid after-the-fact determinations. Only minimal risk issues are eligible for aggregation.

Slide 33: Mitigating Activity
Entity must describe its efforts to mitigate the noncompliance. Mitigating activities should resolve the noncompliance and prevent recurrence.
Slide 34: Compliance Exceptions
- What Can be Compliance Exceptions? Minimal risk issues (see User Guide)
- Who Can Participate? 2014: selected entities; 2015: all registered entities. Additional entities will be included through

Slide 35: Compliance Exceptions
- All minimal risk issues eligible to be compliance exceptions regardless of discovery method
- Rebuttable Presumption, Decline to Enforce: a self-identified, minimal risk issue, for a registered entity with demonstrated internal controls, that has been allowed to aggregate minimal risk issues

Slide 36: Rebutting the Presumption of Discretion
Possible decision to enforce if related management practices appear to be failing:
- Failure to identify noncompliance in a timely manner
- Failure to properly assess the risk posed by the noncompliance
  o Risk not minimal, but moderate or serious/substantial
- Failure to mitigate properly
  o Possibly demonstrated by: same noncompliance in the recent past; same noncompliance in the near future
- Other facts and circumstances indicate broader programmatic failures
Slide 38: CIP Scenario
As a result of performing a required vulnerability assessment (R3), an entity finds a Protected Cyber Asset with software or logical ports that is different from the baseline configuration it developed (CIP-010 R1.1). The entity has identified this issue as posing a minimal risk to reliability.

Slide 39: CIP, Aggregation Participant
- Entity logs noncompliance in tracking spreadsheet; logs action plan info (Part 3.4)
- Triage Process Outcomes: compliance exception; more information needed; enforce
- Compliance Exception: minimal risk confirmed; presumption of discretion

Slide 40: CIP, Entity Not Participating in Aggregation
- Entity self-reports noncompliance to Regional Entity; describes action plan info (Part 3.4)
- Triage Process Outcomes: compliance exception; more information needed; enforce
- Compliance Exception: minimal risk confirmed; self-identified issue; eligible for discretion

Slide 41: CIP, Found at Audit
- Regional Entity discovers noncompliance; auditors increase testing to determine extent
- Triage Process Outcomes: compliance exception; more information needed; enforce
- Enforce: minimal risk confirmed; FFT, SNOP or FNOP depending on other issues found

Slide 42: CIP: Compliance Exception or Enforce

Slide 43: CIP
Factors Supporting Compliance Exception:
- Internal controls
- Strong baseline configuration processes
- Limited number of noncompliance
- Isolated noncompliance event
Factors Supporting Enforcement:
- After further review, several BES Cyber Systems were not appropriately baselined
- Numerous related process issues identified in the course of the audit
- Known vulnerabilities were identified that can affect the poorly baselined machine or other BES Cyber Systems
Slide 44: CIP R2 Scenario
An entity discovers that an employee completed CIP cyber security training 15 months and two weeks after the date the employee previously completed the training (Parts 2.2, 2.3). The entity has identified this issue as posing a minimal risk to reliability.

Slide 45: CIP R2
- Issue will be eligible for discretion and recording as a compliance exception
  o Aggregation: presumption of discretion
  o Self-report/Audit: no presumption of discretion
- Whether issue will be a compliance exception depends on: risk level (only minimal risk issues are eligible); other relevant facts and circumstances

Slide 46: CIP R2, Examples of Factors Supporting Compliance Exception
- Employee was on leave and did not receive automated reminders
- Entity self-identified issue through regular training log reviews
- Limited number of employees completing training late
- Unforeseeable technical issue with reminder messages
- Issue with employee was addressed promptly
- Employee completed CIP training in previous years
- Employees are generally aware of CIP obligations

Slide 47: CIP R2, Examples of Factors Supporting Enforcement
- No effective control, practice, or system in place to ensure training is completed in a timely manner
- Employees generally not aware of CIP obligations
- Multiple employees completing training late (or not at all)
- Entity did not discover issue promptly
- Entity did not mitigate issue promptly
- Underlying issue was foreseeable and could easily happen again (poor internal controls)
Slide 48: CIP R2 Scenario
Entity staff discovers that, after a group of five visitors leaves its facility, the security guard only noted four of the visitors in the visitor log (Part 2.2). The entity has identified this issue as posing a minimal risk to reliability.

Slide 49: CIP R2
- Issue will be eligible for discretion and recording as a compliance exception
  o Aggregation: presumption of discretion
  o Self-report/Audit: no presumption of discretion
- Whether issue will be a compliance exception depends on: risk level (only minimal risk issues are eligible); other relevant facts and circumstances

Slide 50: CIP R2, Examples of Factors Supporting Compliance Exception
- Issue was promptly discovered
- Logs are regularly reviewed according to a process or procedure
- Other protections were in place at the time of the issue and were used to detect the noncompliance:
  o Video monitoring
  o Continuous escort with authorized staff
  o Visitor access proximity cards were used
- Issue promptly mitigated:
  o Technical error resolved and backup solution implemented
  o Second security guard added at entrance to assist at busy times

Slide 51: CIP R2, Examples of Factors Supporting Enforcement
- Security guard at entrance is regularly overwhelmed with visitors and badged employees and no guard is added to assist
- Missing visitors/logs not discovered promptly (or at all)
- Issue not mitigated promptly or properly
- Escort was responsible for ensuring all visitors were logged and failed to do so
- Other protections were not in place or failed:
  o Continuous escort not maintained
  o Access controls or video monitoring not present or non-operational
Slide 52: NERC Webinar, Reliability Assurance Initiative Update: MRO Pilot Company Experience
Doug Johnson, American Transmission Company LLC, June 19, 2014
atcllc.com

Slide 53: Scope of RAI Pilot Project: Testing New Compliance and Enforcement Models
Midwest Reliability Organization (MRO) engaged American Transmission Company LLC (ATC) as a RAI pilot company in early. Working with the MRO executive team, ATC is piloting the following RAI concepts and models:
- Use of the compliance exception concept as an enforcement discretion tool
- Use of self-logging and aggregation for minimal risk potential violations as an enforcement discretion tool
- Entity risk assessment process for compliance oversight scoping
- Processes to evaluate the capabilities of an entity's internal controls / management practices for compliance oversight scoping

Slide 54: Overview of Reliability Assurance Initiative: ATC's Perspective
- The NERC Reliability Assurance Initiative (RAI) will redefine how NERC and the Regional Entities will regulate the industry
- Focus of RAI has been on making NERC and the Regional Entities more effective / efficient regulators
- RAI is about how NERC and the Regional Entities will execute new compliance and enforcement models
- RAI is not about substantially altering how companies assure reliability
- Cost-effective regulatory oversight which continues to aid companies in assuring the secure and reliable operations of the Bulk Electric System is the expected outcome

Slide 55: Purpose of RAI: ATC's Perspective
Enforcement Discretion:
- Elimination of zero tolerance model; not all violations need to be processed with the same rigor
- Minimal risk violations should be self-logged and administered internally via the company's Corrective Action Program
- Minimal risk violations should be processed as compliance exceptions
Compliance Oversight:
- Need to stop chasing compliance to the detriment of reliability
- Elimination of one-size-fits-all approach, resulting in right-sized oversight programs
- Risk-based determination of compliance oversight scoping
- More effective utilization of industry and regulator resources on higher risk activities
- 3-year audits should not remain NERC's / MRO's primary oversight tool

Slide 56: Piloting the Enforcement Discretion Models
- Compliance Exceptions: non-material and minimal risk violations identified during ATC's November 2013 compliance audit have been categorized and are being processed as compliance exceptions
- Self-Logging and Aggregation: ATC has recently begun self-logging minimal risk violations pursuant to NERC's aggregation program
- ATC believes these enforcement discretion concepts are the most important benefits from RAI

Slide 57: Self-Logging and Aggregation: New Compliance and Enforcement Models

Slide 58: Compliance Exceptions: New Compliance and Enforcement Models
Slide 59: Piloting the Risk Assessment & Oversight Scoping Models
Entity Risk Assessment:
- In early 2013, ATC conducted an internal company assessment to identify applicable higher risk Reliability Standards
- ATC responded to a pre-audit survey which provided information to allow MRO to test their Entity Risk Assessment process
- The ATC internal and MRO risk assessments produced similar results: some 35 Reliability Standards were determined to be of higher risk
Evaluation of Management Practices / Internal Controls:
- ATC assembled the management practices / internal controls for our identified higher risk Reliability Standards
- MRO tested their internal controls assessment process on a sample of ATC's management practices

Slide 60: Piloting the Risk Assessment & Oversight Scoping Models (Cont.)
- Audit Scope: MRO right-sized ATC's November 2013 audit scope based upon their risk assessment and internal controls evaluation
- Future Compliance Oversight Model: risk-based oversight model should not be limited to simply adjusting audit scopes. ATC expects that the new risk-based compliance oversight model will result in the more effective and targeted utilization of all of the compliance oversight tools available for use by the Regional Entities

Slide 61: Compliance Oversight Programs: New Compliance and Enforcement Models
Slide 62: ATC's Risk-Based Oversight Scope
Interconnection-Wide:
- FAC-003 (Vegetation Management): 2003 blackout (tree contact)
- COM-002 (Communications and Coordination): 2003 blackout (emergency coordination, clear communications)
- PRC-001 (System Protection Coordination): protection system schemes must be coordinated between multiple operators to ensure adequate performance
- PRC-005 (Protection system, UFLS, UVLS and SPS maintenance): identified by RISC as high priority; protection systems need to act in virtually every power system event, and are key to limiting cascading
- CIP-005 (ESP), CIP-006 (PSP), CIP-007 (CCAs): for entities with CCAs, the protection of the networks, cyber assets, and physical perimeters of critical infrastructure is a high risk in today's environment
Region-Wide:
- TPL-002 (Cat B Transmission Planning): MRO is limited both thermally and by stability; the EHV transmission infrastructure was originally built up in the 70s and is now expanding, and a lot of new transmission infrastructure is required, so TPLs are important
- FAC-008 (Facility Ratings): MRO has identified a trend in its region related to incorrect element ratings used for Facility Ratings. A focused self-cert has already taken place to address it. Candidate for future removal if the trend ceases based on these efforts
- PRC-023 (Transmission Relay Loadability): the inclusion of this standard is linked to the trend seen on FAC-008, but is important as well to ensure that operators have a chance to remediate operating conditions before equipment trips
- TOP-002 (Requirement 11, short-term operations planning): MRO wants to ensure that each TOP has the necessary tools to adequately perform analyses of real-time operations

Slide 63: ATC's Risk-Based Oversight Scope (Continued)
ATC Risk-Based Scope:
- CIP standards (balance of CIP not listed above, if CCAs)
- COM-001 (Telecommunications)
- EOP-001 (Emergency Operations Planning)
- EOP-003 (Load Shedding Plans)
- EOP-004 (Event Reporting)
- EOP-005 (System Restoration)
- EOP-008 (Loss of Control Center)
- FAC-010 (System Operating Limits Methodology for Planning Horizon)
- FAC-013 (Assessment of Transfer Capability)
- FAC-014 (Establish and Communicate System Operating Limits)
- NUC-001 (Nuclear Plant Interface Coordination)
- PER-005 (System Personnel Training)
- PRC-004 (Analysis of Misoperations)
- PRC-006 (UFLS programs)
- PRC-017 (Special Protection System Maintenance and Testing)
- TOP-004 (Transmission Operations)
- TOP-006 (Monitoring System Conditions)
- TOP-008 (Response to Transmission Limit Violations)
- TPL-001 (System Performance Under Normal Conditions)
- TPL-003 (System Performance Following Loss of 2 or More BES Elements)
Summary of ATC's Overall Baseline Audit Scope: approx. 35 Reliability Standards and 100 Requirements
Slide 64: ATC's Ongoing Compliance Program Enhancements
- ATC will continue to adapt to the anticipated new compliance and enforcement models
- ATC's compliance program will be further enhanced and structured based upon the COSO internal control integrated framework
- The COSO framework includes the following components: Control Environment; Risk Assessment; Control Activities; Information and Communication; Monitoring Activities

Slide 65: ATC's RAI Transition Focus
ATC's short-term transition focus includes the following activities:
- Strengthen processes and programs which support the COSO fundamental concepts associated with the COSO components and principles
- Continue to build out and refine internal controls with focus on the (high-risk) Reliability Standard requirements which are expected to represent MRO's customized oversight program for ATC
- Better define and execute activities to monitor the execution and effectiveness of internal controls
- Bring more formality and structure to ATC's Corrective Action Program
- Strengthen our position of being audit ready

Slide 66: Summary
New Compliance and Enforcement Models, Pilot Results:
- ATC believes the new compliance and enforcement models which are being piloted have been demonstrated to be successful
- A paradigm shift to these new models is necessary to achieve more cost-effective regulatory oversight while sustaining secure and reliable operations
Benefits of RAI, ATC's Perspective:
- ATC's ability to self-log non-material / low-risk potential violations without the need to make self-report submittals. The self-logging would be supported by much less burdensome mitigation plan development and review processes
- The efficient processing of non-material / low-risk violations through a compliance exception process which results in no enforcement reviews or actions
- Right-sized compliance oversight programs based upon risk and more effective and targeted use of oversight tools, with the likely elimination of the 3-year cycle audits
- Less intrusive oversight engagements by our regulators due to demonstrated ability by ATC to find, assess, correct, and preclude recurrence of issues
- Ability of ATC and regulators to focus resources on issues of greater risk to the BES
- Overall a more cost-effective approach to regulating
Slide 67: Reliability Assurance Initiative Update: A Registered Entity's Experience
Aggregation of Minimal Risk Issues and Compliance Exceptions, June 19, 2014

Slide 68: Outline
- The Pilot Program: Aggregation of Minimal Risk Issues; Compliance Exceptions
- Implementation
- Aggregation Results
- Lessons Learned
- Next Steps

Slide 69: The Pilot Program: Aggregation of Minimal Risk Issues
- Program Period: October 2013 to April 2014
- NPCC requested NYPA's participation
- Registered Entity: maintain and submit a tracking spreadsheet to the Regional Entity at least once every six months
- Regional Entity: determine if any of the issues require further mitigation or enforcement action; if no concerns, the issues may be eligible to be compliance exceptions

Slide 70: Implementation, NYPA and NPCC
- Monthly conference calls
- Notification process for a possible minimal risk issue
- Process to determine actual and potential risk
- Process to track and remediate the issue

Slide 71: Monthly Conference Calls, NYPA and NPCC
- Reviewed actions from last meeting
- Reviewed the tracking spreadsheet
- Reviewed and discussed each issue
- Discussed implementation matters
- Reviewed RAI pilot program status

Slide 72: Notification Process, NYPA and NPCC
- NYPA leveraged its internal controls for discovery and investigation of possible violations
- NYPA's investigations included: description of the issue and fact-finding; identification of standard(s) and requirement(s); mitigation actions taken or proposed; potential and actual risk assessments; previous violations related to the issue
- NPCC was notified of possible violations, once confirmed internally

Slide 73: Notification Process, NYPA and NPCC
- NPCC affirmed inclusion of minimal risk issues in the pilot program based on: NYPA's internal investigation documents; concurrence with NYPA's risk assessment
- Upon affirmation by NPCC: issue was added to tracking spreadsheet; NYPA issued an internal legal hold; supporting materials were submitted to NPCC
- If not affirmed by NPCC, the issue was self-reported
74 Aggregation Results for NYPA and NPCC For October 2013 to April 2014: NYPA discovered seven (7) possible violations through application of its internal controls All were or are being investigated internally o Three (3) are currently being investigated o One (1) was closed not a violation o Three (3) were affirmed by NPCC as minimal risk issues and included in the pilot program Compliance Exceptions: NYPA expects compliance exceptions for the minimal risk issues in the aggregation pilot Disposition as compliance exceptions is pending 8
75 The Challenge: Lesson Learned Violation Risk Assessments Alignment of Registered Entity s and the Regional Entity s assessment of the risks Factors considered: o Facilities associated with the issue o System conditions during the period of non-compliance o Input from internal Subject Matter Experts NYPA developed an internal procedure / control: o A consistent assessment of the risks specific to a possible violation o Aligned with NPCC s assessment Illustrated importance of having a dialogue with the RE to establish an acceptable level of trust 9 Helpful References: NERC s Self-Report and Mitigation Plan User Guides and the Aggregation Pilot Program Document
76 Lesson Learned Issue Tracking NYPA used its internal controls to: Maintain all relevant records for review Populate the tracking spreadsheet from internal investigation documents The Pilot Program tracking spreadsheet: Find, Fix and Track reporting format No NPCC or NERC IDs were initially assigned Not practical for supporting documentation Version control 10
77 Lessons Learned: Other
Importance of the Registered Entity's internal controls for a self-policing culture
Less frequent dialogue with the RE as comfort with the Entity's internal controls increases
In NYPA's case:
o A reduction in internal discovery and investigation activities may be possible
o There is a possible significant benefit if confirmed minimal risk violations become compliance exceptions
78 Lessons Learned: Other
Developed an appreciation of NPCC enforcement staff's challenges
Final disposition of violations processed under the Pilot Program is uncertain
Final Comment: aggregation of minimal risk issues can benefit a Registered Entity provided:
o The Entity has internal controls that are aligned with the objectives
o Minimal risk issues are processed as compliance exceptions
79 Next Steps: NYPA and NPCC
NPCC entered NYPA's Pilot Program violations into its compliance tracking application (CDAA) to generate NERC and NPCC Tracking IDs
NPCC is developing modifications to CDAA to allow an entity to enter violations directly and to provide NPCC with enforcement options
NYPA agreed to extend its participation in the RAI enforcement pilots
NPCC plans to expand the number of Registered Entities in its RAI enforcement pilots