Risk-Based Compliance Monitoring & Enforcement Oversight Framework. FRCC Spring Compliance Workshop April 14 16, 2015

Transcription

1 Risk-Based Compliance Monitoring & Enforcement Oversight Framework FRCC Spring Compliance Workshop April 14 16, 2015

2 Upcoming Events FRCC is Conducting Individual Outreach NERC CIP Version 5 Workshop & SGAS Sessions: 4/21-4/23 FRCC CIP Workshop: 5/11-5/13 2

3 Objective Discuss Risk Based Compliance Monitoring & Enforcement Inherent Risk Assessment & when an entity will receive their IRA Touch on the impact of Internal Controls Evaluation Compliance Oversight Plan & when an entity will receive their COP 3

4 Acronyms RAI Reliability Assurance Initiative Risk Based Compliance Monitoring & Enforcement IRA Inherent Risk Assessment ICE Internal Controls Evaluation COP Compliance Oversight Plan CMEP IP Compliance Monitoring and Enforcement Program Implementation Plan 4

5 Framework Overview 5

6 Initial Identification of Requirements Targeted for Monitoring Risk Based The CMEP IP Areas of The Standards Focus applicable and to Requirements the Registered that pose Entity the most probable Risk to the BPS by the Registered Entity Entity Attribute CMEP IP Areas of Focus M R All Applicable Standards The Standards and Requirements listed in the CMEP IP The Standards and Requirements applicable to the Registered Entity 6

7 IRA Guide Risk Factors - Examples 7

8 Determining Inherent Risk * Risk Considerations Impact Low Medium High No changes to Organization Positive Compliance History Minimal Standard/Requirement change Not or N/A ERO/FRCC Risk Element Organization changes affecting Compliance Average Compliance History Some Standard/Requirement change ERO Applicable Risk Element Significant Organizational changes Poor Compliance History Significant Standard/Requirement change FRCC Applicable Risk Element <1500MW of load <1500MW of Generation <1500MW for BA/TOP operations No EMS or SCADA systems MW of load MW of Generation MW for BA/TOP operations EMS/SCADA providing data to ICCP >7500MW of load >7500MW of Generation >7500MW for BA/TOP operations EMS/SCADA for BA/TOP functions * Illustration only 8

9 Determining Inherent Risk - Example Inherent Risk Low Considerations Medium High Low Low Low Moderate Impact Medium Low Moderate High High Moderate High High 9

10 Potential Inherent Risk Assessment Triggers Time based three year maximum Relevant Events Regional Risks/Trends Changes in compliance history Changes in organization i.e. portfolio, ownership, CFR, JRO, Sr. Leadership Registration changes/certification reviews Control center/ems changes Significant standards changes or additions 10

11 Potential IRA Questions Has entity shed customer load (manual or automatic) as a result of operating with insufficient generation or transmission capacity. Has entity within the last year upgraded your EMS/SCADA or plan to within the next year. Has entity experienced any transmission Protection System misoperations. 11

12 FRCC Audit Year Process T-210: Begin IRA Inputs: Risk Elements/CMEP IP/Applicable Standards/Entity Attributes IRA Questionnaire to Entity T-180: IRA, Draft COP and ICE Invitation sent to Entity T-165: Voluntary ICE List Received, ICE Information Request to Entity T-150: Voluntary ICE Information Received, FRCC ICE review starts T-105: ICE Results to Monitoring T-90: Audit Notification Letter to Entity T-0: Audit starts *NOTE: 2015 is a transition year and times may vary 12

13 FRCC Audit Year Timeline Example 13

14 Typical FRCC COP Timeline (outside of scheduled audit year) T-120: Begin IRA Inputs: Risk Elements/CMEP IP/Applicable Standards/Entity Attributes IRA Questionnaire to Entity (if necessary) T-75: Voluntary ICE List Received, ICE Information Request to Entity T-60: Voluntary ICE Information Received, FRCC ICE review starts T-15: ICE Results to Monitoring T-0: Updated COP Date Selected Based on Risks and Resources *NOTE: 2015 is a transition year and times may vary 14

15 FRCC Non-Audit Year Timeline Example 15

16 Compliance Oversight Plan Entity specific FRCC RAM creates and maintains IRA/ICE IRA informs draft COP IRA, ICE, events, and history inform updated COP FRCC monitoring creates and maintains COP Typically an initial COP is a three-year plan which includes the monitoring methods For 2015, initial efforts are for audit entities Year 1 = Requirements selected for audit Year 2 = Potential requirements and monitoring method selected Year 3 = Potential requirements and monitoring method selected 16

17 Compliance Oversight Plan (cont d) Changes in risk can initiate an IRA refresh and potential COP changes When will I get my first and subsequent COP First COP will be an output of the IRA Initial IRA should be issued to each entity by the end of 2015 If an entity chooses to ICE then an updated COP will be issued Any revisions to an IRA may require an updated COP 17

18 Questions? 18