Compliance Oversight Plan


October 31
MON Bayport Drive, Suite 600, Tampa, Florida
(813) Phone
(813) Fax


Table of Contents (Page 3 of 13)

1.0 Purpose and Scope
    Purpose
    Responsibilities
    Procedure Owner
2.0 COP Process
    Risk Element Considerations
    Entity Performance Considerations
    Internal Controls and Mitigating Activities
    COP Key Outputs
    COP Triggers
    Template document
    Compliance Oversight Plan (COP) Process
Appendix 1 Process Flow
Appendix 2 Process Workflow
Reference Section
    6.1 NERC Rules of Procedure (ROP)
    Annual ERO CMEP Implementation Plan

1.0 Purpose and Scope

Purpose

This document provides an outline of the steps to be taken by FRCC Compliance Monitoring staff to assess the output of the information provided by the Inherent Risk Assessment (IRA) on each Registered Entity (RE) when developing a Compliance Oversight Plan (COP). It also captures how FRCC will monitor a registered entity's inherent risks and its compliance with NERC Reliability Standards.

Responsibilities

Procedure Owner

This document is the responsibility of the FRCC Manager of CIP Monitoring and the Manager of O&P Monitoring, who maintain it as necessary and keep it current with the latest Risk-based Compliance Monitoring guidance issued by the North American Electric Reliability Corporation (NERC). Review or modification of this document is required at least once every three years, and each review shall be documented in the Review/Modification log of this document. This document will be approved by the FRCC Vice President of Compliance, Enforcement and Reliability Performance.

2.0 COP Process

CMEP Tools and COP

The COP tailors compliance monitoring activities, such as Compliance Audits, Spot Checks, and Self-Certifications, to entity-specific risks and the associated NERC Reliability Standards. The COP is dynamic (it will require updating from time to time): it identifies and prioritizes risks, takes risk mitigation activities such as an entity's internal controls into account, and determines the interval of monitoring and the depth of testing. The COP considers Risk Elements, IRA results, and other risk inputs and regional considerations. Considerations may include, but are not limited to, the following:

- ERO Enterprise Risk Elements, identified in the Annual ERO Enterprise CMEP IP
- Regional Risk Elements identified by the FRCC
- Regional Risk Assessments conducted by the FRCC
- NERC Reliability Issues Steering Committee
- Event Analysis
- NERC Alerts
- Evaluations of internal controls and mitigating activities
- Additional qualitative and performance-related factors (e.g. compliance history)

Risk Element Considerations

Although each registered entity has a unique inherent risk to the Bulk Power System (BPS), how that inherent risk is monitored by FRCC can be affected by broader regional or continent-wide risks. For instance, if a registered entity has a high inherent risk in one particular area that could contribute to a regional or continent-wide risk, FRCC may elect to monitor the registered entity accordingly to ensure the broader risks do not materialize. As a result, both the ERO Enterprise Risk Elements and the region-specific Risk Elements developed by FRCC serve as inputs in determining the appropriate monitoring method and frequency for the risks and related Reliability Standards and requirements in the COP.

Entity Performance Considerations

Based on the output of the overall data analysis and Risk Factor review, FRCC may use additional regional considerations (1) and professional judgement to further refine the risk associated with the registered entity. For example, compliance history, event analysis trends, or other performance data may affect FRCC's decision to monitor a specific risk area or NERC Reliability Standard assessed during the IRA. FRCC may also weigh the registered entity's compliance monitoring history and those areas that have been monitored frequently in the past. Entity performance considerations also reflect the notion that inherent risk is not the only consideration in developing COPs.

Internal Controls and Mitigating Activities

Internal controls and other mitigating activities implemented by a registered entity may affect compliance monitoring determinations. FRCC will use available information to determine whether internal controls provide reasonable assurance of compliance with mandatory NERC Reliability Standards. FRCC may obtain an understanding of internal controls through the evaluation of a registered entity's internal control review conducted during a monitoring engagement, through an Internal Control Evaluation (ICE), and through ongoing activities and interactions with the registered entity. In general, FRCC staff should obtain an understanding of the internal controls related to the scope of work performed during compliance monitoring activities. In addition to the ICE process, FRCC staff can obtain an understanding of internal control through inquiries, observations, inspection of documents and records, review of other FRCC staff reports, or direct tests.

The nature and extent of the procedures FRCC staff perform to obtain an understanding of internal control may vary among compliance monitoring activities based on compliance monitoring objectives, inherent risk, known or potential internal control deficiencies, and FRCC staff's knowledge of internal controls gained in prior compliance monitoring activities. A sound business approach that incorporates effectively designed and implemented internal control improves operational and compliance performance. Through its evaluations, FRCC may take into account good governance practices of registered entities that effectively reduce and manage risks to BPS reliability when developing the COP. FRCC recognizes that internal controls cannot provide absolute assurance of compliance with Reliability Standards, but it may modify the nature, timing, or extent of compliance monitoring activities based on its understanding and evaluation of internal controls. When developing a registered entity's COP, FRCC may work with the entity to identify and review existing internal controls, which may be used to focus and select appropriate tools under the Compliance Monitoring and Enforcement Program.

(1) Additional regional considerations might be additional qualitative information identified by the CEA that can help refine the risk

COP Key Outputs

When complete, the COP will include, at a minimum, the following items:

- A list of the NERC Standards and Requirements identified for monitoring
- CMEP methods used for monitoring the identified requirements
- Interval of monitoring to be performed

Note that a COP is dynamic and subject to change. CMEP Tools are used, as needed, by FRCC to evaluate compliance and are implemented considering numerous factors including, but not limited to, the required notification periods within the ROP. Registered entities are required to be compliant with all applicable Standards and requirements at all times. The COP is subject to change and adjustments may be made as needed. FRCC staff have the responsibility to change compliance engagement scopes if there is a recognized need based on facts and circumstances.

COP Triggers

FRCC can review and revise the COP of a registered entity at any time and should be cognizant of the effect that a registered entity's risks may pose to maintaining a reliable BPS. This understanding is essential in developing a COP, as it establishes the frame of reference by which the COP is implemented. Importantly, a COP may need to be revised as new, emerging, or unique information is obtained either about the registered entity or about risks to the reliability of the BPS.

The COP will be developed or updated on a periodic basis as determined by FRCC, including consideration of IRA refreshes that contain material changes. Additional triggers for producing a COP may include (but are not limited to) changes to a registered entity such as a change in registration, a change in the entity's IRA, new Reliability Standards, changes in controls, emerging risks, changes in performance considerations, and feedback from FRCC staff or CMEP activities. Some changes may affect both the IRA and the COP, while others may inform only one process or the other (e.g. an entity's involvement in an event may trigger a monitoring adjustment in the COP but does not affect Inherent Risk).

FRCC Compliance will use the Inherent Risk Assessment process within the Risk-based Compliance Oversight Framework as a key input to the development of each Registered Entity's COP. FRCC Monitoring will create an entity-specific COP which will include the following:

- Standards and requirements selected for monitoring within the 3-year plan, depending on the entity's risk to the Bulk Electric System (BES). The selection of the Standards and Requirements is based on the IRA, which includes the ICE; the ICE may or may not adjust the scope of the COP.
- Compliance monitoring tools such as Compliance Audits, Self-Certifications and Spot Checks.
- Interval of compliance monitoring.

Template document

The Audit Team Lead (ATL) will use the COP template document located on the FRCC Document Management System (DMS) to develop the COP. Appendix 1 documents the process steps of the COP, and Appendix 2 shows the workflow of the process.

Compliance Oversight Plan (COP) Process

FRCC Compliance Monitoring staff will develop an entity-specific COP based on the Risk Assessment and Mitigation consideration of the ERO risk elements and FRCC's Regional Risk Assessment. The Monitoring ATLs and the Risk Assessment and Mitigation (RAM) Lead will collaborate in developing each Registered Entity's IRA. The RAM Lead will finalize and provide a signed IRA summary identifying the inherent risk levels to the reliability of the Bulk Electric System (BES) that are applicable to the Registered Entity. Prior to developing a new COP, the ATL shall consider events, misoperations, and other known compliance information that is more recent than the entity's IRA, to ensure all appropriate information is included in the new 3-year plan. The ATL will place a copy of the IRA worksheet in the Entity Worksheets folder of the Library, and document decisions and professional judgement made in developing the new COP within that worksheet.

Using the steps from Appendix 1 and 2, the COP should be developed based on the following guidelines:

- For an entity registered as a Balancing Authority or Transmission Operator, a Compliance Audit will be performed at least once every three years. Depending on risk, however, an audit may be performed at more frequent intervals.
- Compliance Audits should consist of a minimum of five requirements, and may include Moderate or Low Risk requirements as needed.
- Compliance Audits, Spot Checks and Self-Certifications should focus on the High-Risk requirements identified in the entity's IRA. However, resource limitations may result in not all High-Risk requirements being identified for monitoring during the 3-year plan.
- The IRA risk scores are the key driver for developing a COP. The ATLs should assign a monitoring method based on these risk scores, and the assignment should align with the ranges shown in the Risk Guide below. Deviations should be documented in the entity's COP worksheet.
- Previous monitoring of requirements may be considered by the ATL when deciding how, or whether, to include the requirement in the 3-year plan.

Risk Guide

IRA risk score   Risk level             Monitoring method
3.26 to 5.00     High Risk              Include in a Compliance Audit or Spot Check
3.00 to 3.25     High Risk              Include in Self-Certification
1.00 to 2.99     Moderate to Low Risk   Monitor via Self-Report

Once the COP has been finalized by both the CIP and O&P ATLs, it is to be submitted to the Managers of CIP Monitoring and O&P Monitoring for final review and approval.

Appendix 1 Process Flow

The steps below comprise the Compliance Oversight Process methodology. Appendix 2, Process Workflow, shows the process steps required to complete a COP; the steps below match the workflow in Appendix 2.

- The RAM group completes a signed Inherent Risk Assessment document.
- The Monitoring CIP and O&P auditors use the information in the IRA to complete the initial COP. Note: the CIP and O&P auditors can add or subtract Standards and Requirements as appropriate.
- Question: Is the COP approved?
  o No: go back to the creator of the COP for update(s), explanation or redo.
  o Yes: if the COP is approved, do the following:
- The CIP, O&P and Compliance Managers sign the COP.
- The ATL will hand-deliver the signed COP to the Compliance Program Administrators.
- The Compliance Program Administrators will then scan the signed document and upload it to the appropriate folder within the Signed COPs folder of the Library.
- The Compliance Program Administrators will upload the document to the entity's secure folder and notify the primary compliance contact.
- The Compliance Program Administrators will also update the RAM IRA and ICE Status database on the RAM Group Page with the date the new/revised COP was sent to the entity.
- The CIP and O&P ATLs are responsible for updating their portion of the Self-Certification Plan spreadsheet in the Self-Certification Library.
- If there were additions/subtractions to the COP after the ERA was approved, notify the RAM group of what was added and/or removed and why.
- Once the signed document is uploaded to the entity's secure folder, the Compliance Admins will notify the entity and the ATLs that the document is ready for download. The paper copy of the COP should be shredded; the scanned electronic document remains the official document of record.

At this point, the process ends. The workflow for the COP process can be found in Appendix 2.

Appendix 2 Process Workflow

[Workflow diagram: not reproduced in this transcription]

Reference Section

Below is a list of references that support the basic principles, concepts, and approaches within this guide. FRCC Monitoring and RAM staff can use these references to assist in applying information discovered in the IRA process. These references can assist with determining: 1) where and to what extent professional judgment should be applied, and 2) the sufficiency and appropriateness of the documentation and evidence to be examined.

NERC Rules of Procedure (ROP), located at:
Annual ERO CMEP Implementation Plan, located at: