Operationalizing Internal Controls


Slide 1: Operationalizing Internal Controls
Terry Bilke, MISO; MRO Representative on the NERC Compliance and Certification Committee (CCC)
MRO's 2017 CMEP Conference, November 28, 2017

Slide 2: Agenda
- Quick survey
- NERC CCC observations on internal controls
- Tips if you haven't started your program
- MISO's experience (if time allows)
[Diagram labels: Reliability and Security Risk; Your Company's Risks; NERC Compliance Risk; This Presentation's Focus]

Slide 3: Quick Survey
A. Who has undergone a pre-audit Internal Control Evaluation (ICE) from your Region?
B. Who is planning to participate in an ICE in the near future?
C. Who hasn't pursued an ICE because you haven't seen the value for the effort involved?
D. Who hasn't pursued an ICE because you are struggling a little on what's needed and how to get started?
E. Don't know or not applicable

Slide 4: NERC CCC Observations
- There is not a one-size-fits-all approach for implementing internal controls
- All entities have many internal controls; they just might not have documented them
- While ICE has been discussed as primarily a pre-audit engagement, this is not the sole nor primary Compliance Monitoring and Enforcement Program (CMEP) touchpoint related to internal controls
- To meet its obligation to ensure an adequate level of reliability, the ERO needs to understand how Entities address their reliability and security risks

Slide 5: NERC CCC Observations (continued)
- You cannot be found non-compliant for your controls or controls approach (unless the Requirement is a control*)
- While not required, it is in the Registered Entities' best interest to present their controls as opportunities arise
- Priority on controls should be on reliability and security risk, not audit evidence collection
- Requirements cannot be made foolproof via preventative controls
  - Multiple layers needed for higher risk issues
  - Can never get to zero risk
* Lack of effective controls could lead to an event that results in non-compliance

Slide 6: Controls Evaluation Touchpoints
- Compliance program controls evaluation (to obtain self-logging authority)
- Intra-audit (periodic evaluation as part of oversight plan)
- Guided self-certifications
- CMEP focus areas
- Assistance visits
- Pre-audit ICE (to refine audit scope)
- During audits (to gain assurance)
- Enforcement
- Mitigation

Slide 7: Value Proposition
- Fewer and less severe reliability and security issues
- Focuses on reliability and security as opposed to stacking multiple layers of evidence
- Quicker path to gain assurance
- Potential support for Self-Logging authority (potential game-changer for efficiency and for reliability and security)
- Possibly refine the scope of on-site audits
- Can demonstrate that the risk associated with a violation was reduced, which should lead to favorable consideration in enforcement
- Builds knowledge base and trust both within your organization and with your regulators
- Long term, could result in an ongoing oversight approach that eliminates the need for major audit engagements

Slide 8: An Operator's Perspective on Internal Controls

Slide 9: One Operator's Definition
Internal Control: A tool, training, procedure, or other aid intended to prevent or reduce the likelihood and/or impact of something evil happening on the grid.*
* While not a primary objective, an internal control can also be used to collect necessary compliance evidence.

Slide 10: Name That Control
Example controls:
- Training and drills
- Procedure, checklist, form or other job aid
- Performance review (e.g. reviewing tapes of operator instructions and providing feedback)
- Security constrained dispatch
- Mantrap or intrusion alarm to control access
- EMS alarm with instructional note on actions to take
- Computer script to save daily operating plans
- Tailgate session prior to a unique operating evolution
- Corrective actions from a post-event or near-miss review
- Periodic reminder to perform a task
- Backup tool to continue operations should the primary tool fail
For each: Preventive, detective, corrective? Automatic, manual? Reliability/security, compliance/evidence?

Slide 11: Starting a Simple Program
- Select a risk approach
  - Risk assessment is an art, not a science
  - Likely 50-80% of your risk lies in 10-20% of the NERC Requirements
  - Next slide suggests a way to categorize the risk of a Requirement
- Start with highest risk Requirements and work your way down over time
- Look at the purpose of the standard to get an idea of your control objective
- Document current controls (pick your people's brains, review existing procedures, plans, etc.)
- Add controls where gaps exist (focusing on reliability/security)
- Create a simple narrative that describes the controls for each requirement
- Consolidate redundant and out-of-date controls to gain efficiencies
- Create an elevator speech and get buy-in
- Don't be shy about presenting controls

Slide 12: Risk Inputs You Might Consider
- Your inherent risk assessment (IRA)
- Requirements where you had near misses or violations
- NERC and your Region(s) CMEP Areas of Focus Requirements
- NERC compliance statistics
  - Most violated standards
  - Serious risk standards
- Standards with reliability or security impact when violated
- High Violation Risk Factors (see VRF matrix)*
- If the standard is new (no similar prior version) and it has not been through an audit cycle
- No documented/tested controls in place
* Using the VRF matrix, you have a ready-made tool to add the risks you choose to include
[Diagram: the inputs above combine into a Total Risk score for each Requirement]

Slide 13: Compliance Program Self-Evaluation
- Up-to-date owner status for each Requirement?
- Do you know your top 10-20% highest risk requirements, and are you reviewing their compliance and controls at least annually?
- Do you have corporate or department goals for compliance, and do the goals incent rather than discourage self-reporting?
- Corrective action:
  - Do you have visibility on the number of near-misses?
  - Does Compliance sit in on event and near-miss reviews?
  - Are near-miss causes being mitigated?
- Are controls focused more on reliability and security rather than evidence collection?

Slide 14: Appendix
- MISO's Experience
- Useful Resources
- Acronyms

Slide 15: MISO Overview
- Generation Capacity: 174,724 MW (market); 191,062 MW (reliability)
- 52 Members
- 437 Market Participants
- 291,538 SCADA measurements
- Registered as RC, BA, PC, TSP
- 4 Control Centers: 3 primary (that can hand off to each other), 1 backup
- Distributed Compliance Process based on 3 lines of defense
  - First line: divisional managers, compliance liaisons and requirement owners
  - Second line: supporting central compliance group
  - Third line: internal audit

Slide 16: MISO's Internal Controls Journey
- Compliance responsibilities reside in line divisions
- In 2010, MISO's board approved an incentive goal to create controls for all regulatory obligations
  - At least two controls (some used multiple times) were created for over 3500 NERC and tariff requirements
  - Limited success in sustaining these
  - Some divisions actively maintaining and testing controls
- Migrating to software that will capture/manage:
  - Obligations (requirements)
  - Control objectives
  - Controls
  - Testing
- In discussions with our lead Region on conducting an ICE

Slide 17: Useful Resources
- ERO Enterprise Internal Control Evaluation Guide
- ERO Enterprise Self-Logging Program
- NERC Enforcement and Mitigation website
- MRO Governance Risk Program
- MRO Highly Effective Reliable Organizations (HERO) website and associated quiz

Slide 18: Acronyms
- ERO: Electric Reliability Organization
- ICE: Internal Control Evaluation
- CCC: Compliance and Certification Committee
- CMEP: Compliance Monitoring and Enforcement Program
- EMS: Energy Management System
- IRA: Inherent Risk Assessment
