FERC/NERC Compliance Self-Assessments and Preparing for an External Audit. Introductions

Transcription

1 FERC/NERC Compliance Self-Assessments and Preparing for an External Audit "Simplicity means the achievement of maximum effect with minimum means. Albert Einstein 1 Introductions Deena King Managing g Director, Pure Knowledge Consulting 30 Year Cross-trained Professional 10 years Audit/Compliance Specialties Compliance Program: Design and Implementation Evaluations and Gap Analysis Continuous o Improvement Industries: Higher Education Utility 2 1

2 Agenda What needs to be self-assessed? Compliance as a Business Process Core Process Components Compliance Program Self-Assessment Risk Assessment Self-Audits Review 3 What needs to be selfassessed? 4 2

3 Self-Assessment FERC Internal Compliance Program FERC Policy Statement on Compliance (SOC) dated October 16, 2008 FERC Revised Policy Statement on Enforcement (SOE) dated May 15, 2008 Two Types Self-Audit Review of Internal Compliance Program 5 Self-Assessment FERC on Self-Audits Systematic internal auditing (SOC, P19) The company has an ongoing process for auditing compliance with Commission regulations (SOE, P58) The importance on good-faith self-reporting (SOE, P62) The compliance plan can call for the company to hire an independent third party auditor to review its business practices in order to ensure compliance (SOE, P45) FERC on Internal Program Reviews Periodic review and evaluation of the effectiveness of the program (SOC, P16) The company frequently reviews and modifies its compliance program (SOE, P58) 6 3

4 Self-Audit Definitions An internal review of compliance with specific regulations and/or requirements Regulation Current State (Evidence) Compliant Y/N? If No, Action Planning (and self-report if necessary) 7 Definitions Self-Assessment An internal review review and evaluation of the effectiveness of the internal compliance program ICP Internal Compliance Program 8 4

5 Internal Compliance Program Self-Assessment Compliance as a Business Process 9 Business Process Example: Advertise an Open Position Hiring Manager 1) Go to HR website 2) Complete Form CorpAd1 3) Submit to Supervisor for Approval Hiring Manager Supervisor 4) Review CorpAd1; Approve 5) Submit to HR for Processing HR (etc.) 10 5

6 Business Process: Example Hiring Manager Go to HR Website Fill in Form CorpAd1 Submit to Supervisor for Approval Hiringi Manager Supervisor Review CorpAd1 and Approve Submit CorpAd1 to HR Etc. HR 11 Business Process Complex: /10/11 6

7 Simplified: Business Process /10/11 Where to begin? Federal Energy Regulatory Commission (FERC) Policy Statement on Compliance (SOC) dated October 16, 2008 Revised Policy Statement on Enforcement (SOE) dated May 15, 2008 North American Electric Reliability Corporation (NERC) 14 7

8 FERC Policy Statements Policy Statement on Compliance 14 pages of legalese 8 paragraphs dedicated to vigorous compliance programs Revised Policy Statement on Enforcement 28 pages of legalese 9 paragraphs dedicated to compliance programs or compliance plans 15 FERC Policy Statements Policy Statement on Compliance 14 pages of legalese 8 paragraphs dedicated to vigorous compliance programs Revised Policy Statement on Enforcement 28 pages of legalese 9 paragraphs dedicated to compliance programs or compliance plans 16 8

9 The Work PKC Did The 7 Elements from the Federal Sentencing Guidelines Best Practice Frameworks (Appendix A) COSO Cube Sarbanes-Oxley Controls CObIT Technology Compliance Process Controls OCEG Red Book Open Compliance and Ethics Group Continuous Improvement Models Deming s Plan, Do, Check, Act 17 The Work PKC Did Using best practice, extract the elements of a compliance process from the FERC/NERC statements Result: Elements of a vigorous compliance program Framework for Assessment Approach Technique Compliance in One Page

10 Contin nuous Improv vement Compliance as a Business Process: One Page Laws Regulations Regulators Assess Risk/ Identify Requirements Laws Regulations Regulators Monitor, Audit, and Report Leadership/ Corporate Culture Establish/Modify Compliance Organization Document Standards, Implement, Promote, and Enforce Communicate Standards, , All Rights Reserved The Compliance Process: FERC Statement on Compliance Laws, etc Continuous Im mprovement Assess Risk/ Identify Requirements Each company has to determine the optimum investment to make in compliance measures in light of its resources and risks (see para 17) Laws, etc Establish/Modify Compliance Organization The best program will not succeed unless senior management actively embraces the importance of compliance; Senior management may designate compliance officials within the company (see paras 13 and 15) Monitor, Audit, and Report Effective accountability for compliance; periodic review and evaluation of the effectiveness of the [compliance] program; methods to detect violations; systematic internal auditing (see paras 16, 18-20) Leadership/ Corporate Culture The responsibility for a culture of compliance rests squarely on the shoulders of senior management (see paras 1 and 13) Document Standards, Companies [should] invest in systematic preventative measures to keep the company in compliance with the Commission s orders (see para 16) Implement, Promote and Enforce The company must implement the program; companies will act expeditiously to end the wrongful conduct and will report it promptly; [correct] the problem; remediation of the misconduct (see paras 16, 19, and 21) *The question of whether new or modified prospective controls are needed to prevent a recurrence (see para 21) Communicate Standards, Systematic and effective preventative measures such as training; clear direction from the company (see para 16) 2011, All Rights Reserved 20 10

11 Summary Compliance as a Business Process Assess Risk/Identify if Requirements Establish/Modify Compliance Organization Document Standards, Communicate Standards, Implement, Promote and Enforce Monitor, Audit, and Report Continuous Improvement Leadership/Corporate Culture 21 Questions? Comments? 22 11

12 Internal Compliance Program Self-Assessment Know the Process Assess the Process 23 ICP Self Assessment Areas Assess Risk/Identify Requirements Establish/Modify Compliance Organization Leadership/Corporate Culture Document Standards, Policies, and Procedures Communicate Standards, Policies, and Procedures Implement, Promote and Enforce Monitor, Audit, and Report Continuous Improvement 24 12

13 ICP Self Assessment Areas What are we doing to accomplish the task? How have we documented: The task itself? Policies and Procedures Desk Procedures (when necessary) That we implemented the task? Proof of Performance Logs, Meeting Minutes, s, Newsletters, etc. 25 ICP Self Assessment Areas Assess Risk/Identify Requirements Establish/Modify Compliance Organization Leadership/Corporate Culture Document Standards, Policies, and Procedures Communicate Standards, Policies, and Procedures Implement, Promote and Enforce Monitor, Audit, and Report Continuous Improvement 26 13

14 Risk Assessment/ Identify Requirements FERC Prepare an inventory of current compliance risks (SOE, P59) (Note: This will result in a list of current program requirements) Companies are in the best position to determine the risks their activities entail and how best to assure compliance (SOC, P9 and 17) Self Assess: How are we keeping track of current compliance requirements? How are we assessing compliance risk? 27 Risk Assessment Tool

15 Violation Risk Factor BAL R1. Each Balancing Authority shall have access to and/or operate Contingency HIGH Reserve to respond to Disturbances. Contingency Reserve may be supplied from generation, controllable load resources, or coordinated adjustments to Interchange Schedules. BAL R1.1. A Balancing Authority may elect to fulfill its Contingency Reserve obligations by HIGH participating as a member of a Reserve Sharing Group. In such cases, the Reserve Sharing Group shall have the same responsibilities and obligations as each Balancing Authority with respect to monitoring and meeting the requirements of Standard BAL-002. BAL R2. Each Regional Reliability Organization, sub-regional Reliability Organization or MEDIUM Reserve Sharing Group shall specify its Contingency Reserve policies, including: BAL R2.1. The minimum reserve requirement for the group. HIGH BAL R2.2. Its allocation among members. LOWER BAL R2.3. The permissible mix of Operating Reserve Spinning and Operating Reserve LOWER Supplemental that may be included in Contingency Reserve. BAL R2.4. The procedure for applying Contingency Reserve in practice. LOWER BAL R2.5. The limitations, if any, upon the amount of interruptible load that may be included. LOWER BAL R2.6. The same portion of resource capacity (e.g., reserves from jointly owned generation) shall not be counted more than once as Contingency Reserve by multiple Balancing Authorities. MEDIUM 29 Violation Severity Level Standard Number Requirement Text of Number Requirement Lower VSL Moderate VSL High VSL Severe VSL BAL R1. Each Balancing Authority shall have N/A N/A N/A The Balancing Authority does not access to and/or operate Contingency Reserve to respond to Disturbances. Contingency Reserve may be supplied from generation, controllable load resources, or coordinated have access to and/or operate Contingency Reserve to respond to Disturbances. adjustments to Interchange Schedules. BAL R2. Each Regional Reliability Organization, sub- Regional Reliability Organization or Reserve Sharing Group shall specify its Contingency Reserve policies, including: The Regional Reliability Organization, sub- Regional Reliability Organization, or Reserve Sharing Group has failed to specify 1 of the following subrequirements. The Regional Reliability Organization, sub- Regional Reliability Organization, or Reserve Sharing Group has failed to specify 2 or 3 of the following subrequirements. The Regional Reliability Organization, sub- Regional Reliability Organization, or Reserve Sharing Group has failed to specify 4 or 5 of the following subrequirements. The Regional Reliability Organization, sub- Regional Reliability Organization, or Reserve Sharing Group has failed to specify all 6 of the following subrequirements

16 Risk Limits Found in violation of BAL-002-0, R1 What are the penalty Risk Limits? Found in violation of BAL-002-0, R2; specifically R2.2 and R2.3 What are the penalty Risk Limits? With limited resources, where would you focus compliance efforts? 31 Other Risks Potential Penalties (Obviously) Other Risks Reputation Health and Safety Stock Price (for public companies) Vendor Relations Customer Relations Etc

17 Questions on Risk Assessment? 33 ICP Self Assessment Areas Assess Risk/Identify Requirements Establish/Modify Compliance Organization Leadership/Corporate Culture Document Standards, Policies, and Procedures Communicate Standards, Policies, and Procedures Implement, Promote and Enforce Monitor, Audit, and Report Continuous Improvement 34 17

18 Organizational Structure FERC Create an independent Compliance Officer who reports to the Chief Executive Officer and the Board, or to a committee thereof (SOE, P59) The program is supervised by an officer or other high-ranking official; this official has independent access to the board and/or CEO (SOE, P58) Senior management may designate compliance officials within the company; This may be a position devoted exclusively to compliance matters or may be an assigned duty of an employee (SOC, P13 and P15) Self Assess: What does our organization look like? Have we defined roles and responsibilities? How can we show engagement by each person? 35 Leadership/Corporate Culture FERC The responsibility for a culture of compliance rests squarely on the shoulders of senior management (SOC, P13) Senior management actively involved in compliance efforts (SOE, P58) Senior management provides adequate resources for the compliance program to operate adequately (SOC, P14 and SOE, P58) These factors include the active support of senior management (SOC, P5) Senior management should communicate to employees its commitment to compliance frequently, both thformally and dinformally (SOC, P14) Self Assess: How can we show proof of performance by senior management? How are we show adequate resources and communication? 36 18

19 Documented P&P FERC Company has in place rigorous procedures and processes (SOC, P4) Companies should invest in systematic preventive measures to keep the company in compliance with the Commission s statutes, regulations and orders (SOC, P16) The company has an established, formal program (i.e. plans, policies, and procedures) for internal compliance. It is well documented (SOE P58) An inventory of compliance practices (SOE, P59) Promote compliance by identifying measurable performance targets (SOE, P59) Self Assess: Have we documented standards, policies, and procedures? Do we include measureable targets? 37 Communication and Training FERC The ICP is widely disseminated within the company (SOE, P58) These factors include the scope and depth of employee training (SOC, P5) The importance [of] tools and training sufficient to enable employees to comply with Commission requirements (SOC, P6 and SOE, P59) Systematic and effective preventive measures (such as careful hiring, training, accountability, and supervision), are fundamental to an effective compliance program (SOC, P16) The company frequently provides training to all relevant employees; the training is sufficiently detailed and thorough to instill an understanding of relevant rules and the importance of compliance (SOE, P58) Self Assess: How are we communicating compliance policies and procedures? How are we training on compliance policies and procedures? 38 19

20 Implement, Promote, Enforce FERC It is not enough to create a good compliance program on paper; the company must carry through to implement the program (SOC, P16) A company has rigorous procedures and processes that provide effective accountability for compliance (SOC, P4 and SOE, P58) The company responds to wrongdoing (SOE, P58) Steps taken by a company to end violations and remedy the misconduct (SOC, P21) Self Assess: Have we implemented the program? Can we document accountability and enforcement? 39 Questions? 40 20

21 ICP Self Assessment Areas Assess Risk/Identify Requirements Establish/Modify Compliance Organization Leadership/Corporate Culture Document Standards, Policies, and Procedures Communicate Standards, Policies, and Procedures Implement, Promote and Enforce Monitor, Audit, and Report Continuous Improvement 41 Monitor, Audit, and Report FERC ICP Review Periodic review and evaluation of the effectiveness of the program (SOC, P16) Auditing and Reporting Systematic internal auditing (SOC, P19) The company has an ongoing process for auditing compliance with Commission regulations (SOE, P58) The importance on good-faith self-reporting (SOE, P62) 42 21

22 Monitor, Audit, and Report FERC ICP Review Periodic review and evaluation of the effectiveness of the program (SOC, P16) The company frequently reviews and modifies its compliance program (SOE, P58) Self Assess: How do we review and evaluate the effectiveness of our program? How do we modify the program after a violation? 43 Monitor, Audit, and Report FERC Auditing and Reporting Systematic internal auditing (SOC, P19) The company has an ongoing process for auditing compliance with Commission regulations (SOE, P58) The importance on good-faith self-reporting (SOE, P62) The compliance plan can call for the company to hire an independent third party auditor to review its business practices in order to ensure compliance (SOE, P45) Self Assess: Can we show that we audit, internal & external? Can we show self-reporting (when necessary)? 44 22

23 The Audit Process Types of Auditors Internal External Regulatory FERC NERC Regional Entity WECC FRCC MRO NPCC RFC SERC SPP TRE WECC General Process Notification Opening Conference Walkthrough Field Work Data Requests Interviews Preliminary Findings Final Findings Audit Report 45 Preparing for Regulators Leverage Internal Audit Department Peer Audit Engage External Audit Specialists Big 4 - Specialty Mid-Tier Encari Grant Thornton Jefferson Wells Resources Global SAIC etc ICF Industrial Defender etc 46 23

24 Questions? 47 ICP Self Assessment Areas Assess Risk/Identify Requirements Establish/Modify Compliance Organization Leadership/Corporate Culture Document Standards, Policies, and Procedures Communicate Standards, Policies, and Procedures Implement, Promote and Enforce Monitor, Audit, and Report Continuous Improvement 48 24

25 Continuous Improvement FERC Are new or modified prospective controls needed to prevent a recurrence? (SOC, P21) Ensure that steps are taken within the company to improve compliance practices (SOE, P44) Describe measures taken by the company to end the practices that led to the violations (SOE, P45) Work with industry associations to develop compliance best practices (SOC, P7) Encourage the continuing exchange of ideas and best practices among regulated companies (SOC, P7) Self Assess: How do we improve compliance programs? How are we leveraging best practice? 49 The Really Good News WECC Internal Compliance Program Self Assessment Purpose is to measure how well entities: Assess Risk/Identify Requirements Establish/Modify our Compliance Organization Document our Standards, Communicate our Standards, Implement, Promote, and Enforce Monitor, Audit, and Report Continuously Improve Leadership/Corporate Culture 50 25

26 The Really Good News Internal Compliance Program Self Assessment Will be published imminently i by WECC Cover all 8 Areas Discussed Above 20 Questions To get a copy: Taud Olsen Managing Director of Compliance, WECC tolsen@wecc.biz 51 The Really Good News Pure Knowledge Consulting Generic Compliance Program Assessment Tool Standards, Best-Practice Based Federal Sentencing Guidelines FERC Policy Compatible Available in May

27 Questions? Comments? 53 Review 54 27

28 Contin nuous Improv vement Compliance as a Business Process: One Page Laws Regulations Regulators Assess Risk/ Identify Requirements Laws Regulations Regulators Monitor, Audit, and Report Leadership/ Corporate Culture Establish/Modify Compliance Organization Document Standards, Implement, Promote, and Enforce Communicate Standards, , All Rights Reserved Compliance in One Page Assess Risk/Identify Requirements Establish/Modify our Compliance Organization Leadership/Corporate Culture Document our Standards, Policies, and Procedures Communicate our Standards, Policies, and Procedures Implement, Promote, and Enforce Monitor, Audit, and Report Continuously Improve 56 28

29 Achieving Excellence Through Best Practices Compliance, IT, Leadership, Audit ~~~~~~ For additional information on products and services, please contact: Deena King, CCEP, CISA* Managing Director Cell: (702) Village Center Circle #3-20 Las Vegas, NV Appendix A Additional Information on Using Best Practice Frameworks in Compliance 58 29

30 2011, All Rights Reserved and Ethics Conference, Houston, TX, The Compliance Process and the FERC Policy Statement on Compliance* + Assess Risk/ Identify Requirements Establish/Modify Compliance Organization Document Standards, Communicate Standards, Promotion and Enforcement Monitor Compliance Each company has to determine the optimum investment to make in compliance measures in light of its resources and risks (see para 17) Leadership/ Corporate Culture The responsibility for a culture of compliance rests squarely on the shoulders of senior management (see The best program will not succeed unless paras 1 and 13) senior management actively embraces the importance of compliance; Senior management may designate compliance officials within the company (see paras 13 and 15) Companies [should] invest in systematic preventative measures to keep the company in compliance with the Commission s orders (see para 16) Systematic and effective preventative measures such as training; clear direction from the company (see para 16) The company must implement the program; companies will act expeditiously to end the wrongful conduct and will report it promptly; [correct] the problem; remediation of the misconduct (see paras 16, 19, and 21) +Also note that paras 23 and 25 and footnotes 23, 28, 29 and 30 reference the Federal Sentencing Guidelines. Continuous Improvement The question of whether new or modified prospective controls are needed to prevent a recurrence (see para 21) Effective accountability for compliance; periodic review and evaluation of the effectiveness of the [compliance] program; methods to detect violations; systematic internal auditing (see paras 16, 18-20) *FERC Compliance with Statues, Regulations, and Orders, 2011, Docket All Rights No. PL Reserved , All Rights Reserved The Compliance Process Mapped to the FERC Policy Statement on Enforcement* Assess Risk/ Identify Requirements Establish/Modify Compliance Organization Document Standards, Communicate Standards, Implement, Promote, and Enforce An inventory of current compliance risks (see paragraph 59) An independent Compliance Officer or other high-ranking official who reports to the Chief Executive Officer, the Board, or a committee; Tie regulatory compliance to personnel assessments and compensation, including compensation of management (see paragraphs 58 and 59) An established, formal, well documented program for internal compliance; an inventory of current compliance practices (see paragraphs 58 and 59) Training on rules and regulations that is sufficiently detailed and thorough is provided to all relevant employees; frequent mandatory training programs that include real world examples (see paragraphs 58 and 59) There are identifiable, measurable performance targets; there are disciplinary consequences in place for infractions of Commission requirements; the company looks for repeat offenses (see paragraph 59) Leadership/ Corporate Culture Compliance is fully supported by senior management and they are actively involved in compliance efforts; company policies on compensation o and promotion take into consideration employee compliance; sufficient funding is provided for the administration of compliance programs (see paragraphs 58 and 59) Continuous Improvement The company frequently modifies the compliance program; the company implements more effective internal controls and procedures to prevent recurrence of misconduct (see paragraph 58) Monitor, Audit, and Report The company frequently reviews the compliance program; the company audits internal compliance with regulations and tracks and reports results; the company reports violations to management and self-reports; the company has an internal hotline (see paragraphs 58, 59, and 61) *FERC Enforcement of Statues, Regulations, and 60 Orders, Docket No. PL , May , March All 2, Rights 2011Reserved 30

31 Compliance as a Process: Mapped to the 7 Elements Contin nuous Improv vement Assess Risk/ Identify Requirements Response and Correction Monitor, Audit, and Report Monitoring, Auditing, and Reporting Leadership/ Corporate Culture High-level Oversight Establish/Modify Compliance Organization High-level Oversight Screening Document Standards, Standards and Procedures Implement, Promote and Enforce Promotion and Enforcement Communicate Standards, Training and Education 2011, All Rights Reserved 61 The Compliance Process: Federal Sentencing Guidelines Laws, etc Continuous Im mprovement Assess Risk/ Identify Requirements The organization shall periodically assess the risk of criminal conduct and shall take appropriate steps to design, implement, or modify each requirement ( 8B2.1.c). Deliverables: Annual/Quarterly l Risk Assessments; Compliance Inventories Establish/Modify Compliance Organization Governing authority shall be knowledgeable and exercise reasonable oversight; High-level personnel shall ensure the organization has an effective compliance program; Specific individuals shall be delegated day-to-day operational responsibility; Exercise due diligence ( 8B2.1.b.2.A-C & 3). Deliverables: Org Chart; Job Descriptions; Background Checks Monitor, Audit, and Report Monitoring and auditing to detect criminal conduct; Periodically evaluate the effectiveness of the organization s compliance program; Publicize a reporting system ( 8B2.1.b.5.A-C). Deliverables: Audit Program; Program Evaluation; Hotline; Audit Reports Leadership/ Corporate Culture Promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law ( 8B2.1.a.2 and b) Deliverable: Leadership Document Standards, The organization shall establish standards and procedures to prevent and detect criminal conduct ( 8B2.1.b.1). Deliverables: Documentation Implement, Promote and Enforce The organization s compliance and ethics program shall be reasonably implemented, promoted and enforced consistently throughout the organization ( 8B2.1.a.2 & b.6). Deliverable: An Implemented Program *After criminal conduct has been detected, the organization shall take steps to respond appropriately including making modifications to the program ( 8B2.1.b.7) Deliverables: Enforcement; Modifications to any or all noted deliverables Communicate Standards, Communicate periodically standards and procedures, and other aspects to employees by conducting effective training programs and otherwise disseminating information ( 8B2.1.b.4). Deliverables: Communication and Training Plans and Ethics Conference, Houston, TX 2011, All Rights Reserved 62 31

32 2011, All Rights Reserved Using the Compliance Process To Design/Enhance Compliance Programs Assess Risk/ Identify Requirements Deliverables: - Annual/Quarterly Risk Assessments - Compliance Inventories Leadership/ Corporate Culture Deliverables: - Leadership Establish/Modify Compliance Organization Deliverables: -Org Chart - Job Descriptions - Background Checks Document Standards, Communicate Standards, Deliverables: - Documentation Deliverables: - Communication - Training Plans Continuous Improvement Deliverables: - Enforcement - Modifications to any or all noted deliverables e es Implement, Promote and Enforce Deliverable: - An Implemented Program Monitor, Audit, and Report Deliverables: - Audit Program - Program Evaluation - Hotline - Audit Reports 63 March 2011, All 2, 2011 Rights Reserved COSO Management Controls At Multiple levels across multiple functions: Internal Environment Objective Setting Event Identification Risk Assessment Risk Response Control Activities Communication Monitoring 64 32

33 Compliance as a Process: Map to COSO Contin nuous Improv vement Assess Risk/ Identify Requirements Objective Setting Risk Assessment Monitor, Audit, and Report Monitoring Reporting Leadership/ Corporate Culture Promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law ( 8B2.1.a.2 and b) Establish/Modify Compliance Organization Internal Environment Strategic; Operations Compliance Entity-level; Division, Business Unit; Subdivision Document Standards, Control Activities Implement, Promote and Enforce Risk Response Communicate Standards, Communication , All Rights Reserved CObIT Process Controls 66 33

34 Compliance as a Process: Map to CObIT Processes Contin nuous Improv vement Assess Risk/ Identify Requirements Goals and Objectives Performance Improvement Monitor, Audit, and Report Compare Measurements (Performance Improvement) Leadership/ Corporate Culture Promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law ( 8B2.1.a.2 and b) High-level Oversight Establish/Modify Compliance Organization Ownership Document Standards, Repeatability Define Policies, Plans, Procedures Implement, Promote and Enforce Performance Metrics (Performance Improvement) Communicate Standards, Roles and Responsibilities Communicate Policies, Plans 2011, All Rights Procedures Reserved 67 OCEG Foundation-level Guidelines Culture Ethics Risk Governance Workforce Organization/Personnel Leadership Oversight Strategy Operations Process Plan/Organize Prevent/Protect/Prepare Monitor/Evaluate Respond/Improve Technology 68 34

35 Compliance as a Process: Map to OCEG Foundation Contin nuous Improv vement Assess Risk/ Identify Requirements Culture: Risk Leadership: Strategy Process: Respond, Improve Monitor, Audit, and Report Process: Monitor, Evaluate Leadership/ Corporate Culture Promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law ( 8B2.1.a.2 and b) Establish/Modify Compliance Organization Culture: Ethics, Governance, Workforce Organization: Leadership Leadership: Oversight, Operations Document Standards, Process: Plan, Organize Implement, Promote and Enforce Process: Prevent, Protect Communicate Standards, Process: Prepare , All Rights Reserved Compliance Action Plan: One Possible Configuration Risk Assessment Program Identifying Requirements Compliance Inventories Compliance Plan Org Chart Roles and Responsibilities Annual Plan Evaluation Policies and Procedures Lots and Lots Communications Plan Training Plan Annual Action Plan Implementation Program New or Improved Monitoring Program Hotline Background Checks Compliance Audit Program Leverage Corporate Leadership Training 70 35

36 The Compliance Process: Organizational Levels Governance Management Performance/Operational Risk: Mid-level Org: Management Document and Communicate: Departmental Compliance Programs; Policies and Procedures Promote and Enforce: Departmental Policies and Procedures Monitor: Effectiveness of departmental programs; Departmental Policies and Procedures Risk: Operational Org: Front-line Professionals Document and Communicate: Operational Procedures Promote and Enforce: Operational Procedures Monitor: Operational Procedures *Companies subject to the FERC Standards of Conduct must designate a Chief Compliance Officer 71 36