Transition into Risk Based Audit Reliability Compliance Using ISO31000 Methodology By: Ed Sattar


5910 Courtyard Drive, Suite 170, Austin, Texas, USA 78731

History

The Energy Policy Act of 2005 (the Act) created a body to monitor and enforce reliability issues affecting the Bulk Electric System (BES) of North America. The entities that make up the compliance monitoring and enforcement body are the Federal Energy Regulatory Commission (FERC), the Electric Reliability Organization (ERO) and eight regional entities. Per provisions of the Act, the body's primary responsibilities are to develop standards, promote and monitor compliance with those standards, and enforce against acts of non-compliance with the standards. In 2007, the North American Electric Reliability Corporation (NERC) applied to become the ERO and filed the NERC Rules of Procedure to support its application. Under the Rules of Procedure, NERC's compliance enforcement scope is limited to the NERC-approved reliability standards.

Current State of Compliance Monitoring

What is the basis for a NERC audit?

The NERC reliability standards are the basis for all NERC audits. When carrying out compliance monitoring activities, NERC compliance enforcement staff review the documentation that a registered entity provides as proof of compliance. If the entity's documentation is found to map to the standard's requirement and to the entity's own stated performance criteria, the entity passes the review. When the Compliance Monitoring and Enforcement Program (CMEP) was initially developed, a registered entity's risk to the BES was determined by its registered functions, and that registration type determined the entity's audit cycle. This was the case regardless of the entity's true risk to the BES. For example, a wind farm registered as a Generator Operator (GOP) would have the same audit cycle as a reliability must-run (RMR) generation unit.

What are the current auditing standards?

The US Government Accountability Office and its Government Auditing Standards, known as the Yellow Book [ i ], provide the professional standards for NERC auditors. The focus has primarily been on Section 7 of the Yellow Book, which describes performance audits rather than financial audits. The Yellow Book will continue to provide the professional auditing standards for NERC auditors into the future.

How do NERC auditors perform an audit?

NERC and the regions have the primary responsibility for executing the steps in this procedure. The steps are summarized as follows:

- Development of the overall audit schedule
- Initiation of the audit process for an entity
- Provision of criteria and documentation
- Identification of readiness audit team members
- Coordination of the audited entity and neighboring entity questionnaires
- Publication of audit findings

NERC compliance monitors look for three types of documentation:

1. Required Primary: usually a policy or process/procedure.
2. Performance Based: the evidence that the entity performed according to the policy or process/procedure in its primary evidence.
3. Basis: this is not always needed.

It is important to note that within NERC's current scope there is no review of best practices, controls or risk. All registered parties are monitored equally, without any differentiation of their potential to affect the BES. There is, however, a difference in audit timeline based on registered function.

What is an Internal Compliance Program?

Currently, NERC and the regional entities evaluate a company's internal compliance program (ICP). The pre-audit material sent by the auditor contains questions regarding the registered entity's compliance program. NERC uses this information when deciding whether to credit the registered entity or to assess a penalty against it. In the Federal Energy Regulatory Commission (FERC) Policy Statement on Enforcement (May 15, 2008), Section 57 states that the presence of a robust internal compliance program is a mitigating factor that may result in a reduced penalty. A robust ICP consists of the following elements:

1. Risk Assessment. All activities are systematically evaluated for compliance risks. A process is instituted to ensure risks are regularly evaluated. Internal controls are matched to the severity of risk. What auditors look for: Is there a regular process to identify what the compliance obligations are (compliance risk)?

2. Identification of Responsible Parties and Roles. Roles and responsibilities for compliance risk areas are clearly defined and documented. People are adequately empowered to carry out their responsibilities. What auditors look for: This element is demonstrated with organization charts, job descriptions, resource allocation and training.

3. Program Oversight. A compliance officer and other appropriate bodies (e.g., compliance committees) are designated and charged with the responsibility for developing, operating and monitoring the compliance program, with authority to report directly to the Board of Directors and/or the President/CEO.

4. Standards and Procedures. Compliance standards, practices and procedures are written, clearly established and reasonably designed to reduce the risk of non-compliant conduct. Clear standards of conduct are established and widely distributed. What auditors look for: Is there a code of conduct that adequately establishes the ethical expectations for those whose conduct exposes the company to compliance risk?

5. Awareness, Education and Training. The company ensures that responsible people receive timely and appropriate education and training, as demonstrated by training records and corporate communication postings. What auditors look for: Is there a process to identify who needs training, education or awareness about compliance risks?

6. Lines of Communication. An effective method of communication is developed between the compliance function and all employees, including a hotline to receive complaints, as well as a mechanism to respond to questions.

7. Monitoring and Auditing. Monitoring and auditing systems are implemented to detect noncompliant conduct and identify problem areas.

8. Enforcement. Standards are consistently enforced through identification of noncompliance and appropriate consequences based upon clear and specific disciplinary policies.

9. Corrective Action. Systems effectively ensure prompt investigation of non-compliance, reporting where appropriate, and proper responses to prevent similar breakdowns in the future, including modifying the compliance program.

10. Adequate Resources. The company commits appropriate resources to implement the compliance program.

Why Change?

In determining success, most would agree that at a minimum there needs to be a goal and a way to measure the effort expended in achieving it. Course correction is desirable when analysis determines that the goals are not being met and/or the effort to achieve them is inefficient. In the last five years, NERC, including Regional Entity staff, has expended valuable resources monitoring entities that have little to no effect on the BES. With the goal being improved BES reliability and efficient use of limited resources, NERC issued a white paper, Incorporating Risk Concepts into the Implementation of Compliance and Enforcement, in which NERC points to the experience gained in the last five years from both the ERO and registered entity perspectives. The current approach is historical, and the zero-tolerance application of compliance monitoring without regard to the risk to the BES has unduly focused attention and resources on compliance risk and administrative processes rather than on reliability risk. As evidence of the need for change, FERC stated that between 2005 and 2007 its enforcement staff closed approximately 75% of its investigations without any sanctions being imposed, even though enforcement staff found a violation in about half of those closed investigations. This is because the violations identified were primarily documentation non-compliance. Entities corrected their documentation without achieving the goal of increased reliability.

[Figure: Top 10 Violation Statistics for the near term in all Regions and Interconnections for all reliability standards]

[Figure: Top 10 Violation Statistics for all time in all Regions and Interconnections for O&P reliability standards]

Moving to Risk Based Compliance Monitoring

NERC proposes to move to a risk-based compliance monitoring program in which scrutiny is directly proportional to the risk or impact posed to the reliability of the Bulk Power System (BPS) by a registered entity [ ii ]. In other words, the regulators' and the industry's valuable resources will be directed toward the highest-impact entities. Through committee participation and commenting on standards and NERC material, NERC staff and industry participants have recognized that entities' risk profiles, in terms of their actual or potential impact on the BES, are not equal. Starting from that fact, NERC is identifying ways to review the real risk an entity poses and to create categories that will determine the audit cycle for that entity. On the NERC website under Compliance, there is a section on NERC's Reliability Assurance Initiative. NERC has drafted a white paper on this initiative [ iii ].

How Does the New Approach Work?

To initiate the risk analysis process, NERC created a draft document called the Entity Impact Evaluation [ iv ]. A registered entity completes the evaluation and submits it to its Regional Entity for review and determination of the risk monitoring regimen (the process could also be initiated by the Regional Entity). The Regional Entity discusses the review and determination with the Registered Entity during this process and addresses any questions or differences that arise. At the end of the process, the Registered Entity's risk profile and compliance monitoring schedule would be recognized. This process is voluntary and is currently in test mode. Registered Entities interested in being part of the test should contact their region for more information.

Do I Need a Risk Management Framework?

To support a risk and controls focus, the Registered Entity should adopt a risk management framework. In May 2012, the Department of Energy issued a Risk Management Process (RMP) guideline (DOE/OE-0003) [ v ] for the electricity subsector cyber security community. This guideline was developed in coordination with the National Institute of Standards and Technology (NIST) and NERC. Even though the guideline was developed specifically for cyber security, the framework is appropriate for all sectors and sizes and is comprised of three tiers:

Tier 1 focuses on the organization and its strategic direction. In developing this tier, the organization establishes and implements a governance structure that provides direction and oversight for risk management activities.

Tier 2 focuses on the mission and business processes. In this tier, the organization addresses risk from a process perspective. Activities in this tier are generally carried out by operations staff and operations management. The information obtained in Tier 2 activities serves as input to Tier 1 and Tier 3.

Tier 3 focuses on information technology and industrial control systems. Activities in this tier are system selection, deployment, and monitoring of system-level controls. Tiers 1 and 2 provide guidance and input to Tier 3, and Tier 3 provides feedback to Tiers 1 and 2.

What is a Risk-Based Audit Approach?

As the NERC CMEP states, "One of the key components of an effective risk-based audit approach is the incorporation of performance-based auditing." The US Government Accountability Office defines performance audits as engagements that provide assurance or conclusions based on an evaluation of sufficient, appropriate evidence against stated criteria such as requirements, measures or defined business practices.

When Will the New Approach Begin?

In March 2013, NERC will make an informational filing with FERC that will begin the transition. NERC will make modifications to the Rules of Procedure to better fit the new compliance and enforcement model. NERC intends to begin a 3 to 5-year migration process; in that period, NERC standards will be modified to capture more measures and control objectives, and the NERC Rules of Procedure will be modified to more closely match the new monitoring focus.

What Role Does Technology Play?

Technology is the key to demonstrating a good internal compliance program to regulators. A technology solution should map the regulatory requirements to the organization's policies, procedures and training. The system should facilitate risk analysis and risk management. The right solution can also provide communications targeted to the responsible parties. A robust system will provide dashboards, compliance monitoring, case management, document management and workflow.

360factors Solution to NERC's Risk Based Audit

PREDICT360 is state-of-the-art NERC compliance software with a regulatory applicability tool that helps identify which standards and regulations apply to which type of utility. The key to a comprehensive internal audit is to ensure you are measuring gaps against the actual standards and not against internal compliance surveys. Its regulatory knowledge base is updated with NERC, FERC and regional standards, along with a breakdown of the standards into a series of color-coded actions, evidence and traits that are mapped to your individual evidence and corrective and preventive actions. The audit module uses an ISO 31000 based approach to transition an audit into a risk-based audit. It translates the ISO 31000 attributes of enhanced risk management into five tactical areas to give you a performance-based auditing experience:

- Enforce accountability
- Embed risk management
- Link risk management to strategic decision making, objectives and actions
- Communicate widely using reports, events and notifications
- Manage individual performance monitoring tasks, measuring maturity, and high-risk reports

You will always be audit ready, with the ability to access all current standards, a risk-based audit system, and a corrective and preventive action system that documents and tracks all the evidence.

Summary

With all the changes anticipated, it is crucial for organizations to review and adjust their compliance objectives. Organizations should analyze their risk management processes and consider adopting the DOE risk management framework. Most importantly, organizations should choose a technology solution that addresses all the elements of a good compliance program.

References

i.
ii.
iii.
iv.
v.
ERO Compliance Monitoring and Enforcement Program 2013 Implementation Plan