Board of Trustees Compliance Committee

Transcription

1 Board of Trustees Compliance Committee August 13, :00 a.m. 11:00 a.m. Pacific The Westin Bayshore 1601 Bayshore Drive Vancouver, BC V6G 2V4

2 Reliability Assurance Initiative (RAI) Progress Report Jerry Hedrick, Director of Regional Entity Assurance and Oversight Sonia Mendonca, Associate General Counsel and Director of Enforcement Compliance Committee Open Meeting August 13, 2014

3 Agenda RAI Project Overview Progress Report Compliance Exception Program Aggregation / Logging Program RAI Project Timelines Regional Implementation Update Joint Regional and Registered Entity RAI Discussions WECC / Tucson Electric SERC / Georgia Transmission Texas RE / ERCOT 3

4 Overview Compliance monitoring activities focused on risks to reliability Enforcement resources focused on noncompliance that poses a serious and substantial risk to reliability Continued oversight and visibility Discretion on whether to initiate an enforcement action to resolve noncompliance 4

5 Progress Report Resources and Tools Develop industry and auditor training for risk elements and Inherent Risk Assessment Single Compliance Design Finalizing the Inherent Risk Assessment Guide and examples Developing the Risk Elements methodology and procedures for the IP/AML Beginning work on the Internal Control Evaluation Guide Enforcement Processes Compliance and Enforcement Integration Finalized user guides to support improved self-reporting process Implemented improved process flow across ERO enterprise Expanding aggregation/logging and compliance exception programs Integrating program design feedback loops and processes Finalizing program documents for multi-regional registered entities 5

6 Compliance Exceptions Program Items Closed as of August 1, 2014 WECC, 4 SERC, 4 MRO, 14 RF, 3 NPCC, 3 6

7 Aggregation/Logging Program Regional Entity Registered Entity Participants as of August 1, 2014 MRO NPCC RF SERC TRE Alliant Energy East Alliant Energy West Nebraska Public Power District MidAmerican Energy Company American Transmission Company New York Power Authority American Electric Power (jointly with SPP and TRE) PJM Interconnection (jointly with SERC) Associated Electric Cooperative, Inc. CenterPoint Energy Luminant Energy Luminant Generation Lower Colorado River Authority 7

8 Compliance and Enforcement Timeline May June July Aug Sep Oct Nov Dec Jan Feb Mar May 2014 User guides posted; Compliance Exceptions and Aggregation programs reviewed and expanded (throughout 2014) July 2014 Published the Inherent Risk Assessment Guide for comment Aug Publish the Risk Elements Methodology for the modified Implementation Plan (IP) and Actively Monitored List (AML) Multi-Region Registered Entity (MRRE) program documents finalized (monitoring and enforcement activities) Sept Finalize Inherent Risk Assessment based on industry feedback

9 Compliance and Enforcement Timeline May Oct Q Q June July Aug Sep Oct Nov Dec Jan Feb Mar Publish the 2015 IP and AML Develop and begin delivering training on completed modules to industry and regional auditors Publish the Internal Control Evaluation (ICE) and Compliance Monitoring and Evaluation Program (CMEP) Tools Modules FERC informational filing submitted MRRE program implemented Deploy ICE and Compliance Monitoring Tools

10 Regional Implementation Update Regional Lessons Learned From the Compliance Pilots Risk Assessment and Scoping Controls Evaluation and Testing Training and Education RAI Regional Program Implementation Compliance Activities Enforcement Activities Organizational Alignment Creation of Risk teams 10

11 Constance B. White Vice President of Compliance WECC s RAI Experience NERC Board Presentation August 13, 2014

12 Tucson Electric Power Preparation 12 IRA (Inherent Risk Assessment) o WECC reviewed TEPC s compliance and event history to determine any entity specific risks ICE (Internal Controls Assessment) focused on Operations and Planning Standards in the following risk areas: o Configuration Management o Operations o Information Management o Planning

13 Tucson Electric Power ICE Example Sample Question 1: How do you control and manage changes to configuration of protection system devices? Controls Reviewed: Maintenance and testing program, systems and tools, interaction between systems Result: Risks identified 13 Sample Question 2: Explain how you ensure Blackstart Resources are capable of meeting the requirements of its restoration plan Controls Reviewed: Annual testing of entity s two Blackstart Resources, management observes testing, test results are documented and reviewed Result: Low Risk

14 14 Tucson Electric Power ICE Results WECC identified some strong controls Based on the results, the WECC audit team customized the audit o Removed 7 low risk requirements o Heightened focus on PRC-005 and PRC-008 WECC plans to significantly reduce TEPC s 2015 Self Certification WECC selected specific TEPC issues for the compliance exception process

15 15 Tucson Electric Power Lessons Learned Entities are receptive Training and education is necessary Risk-based process is effective but will take time to develop WECC refined the processes for another entity scheduled for audit and is focusing on CIP standards for the Internal Controls Evaluation process Additional clarity is needed

16 Tucson Electric Power Feedback Opportunity to allow for open dialogue and to tell/show our compliance story Opportunity for additional education and discussion on internal controls Reduced administrative burden Suggestion: provide additional clarity of and context for data requests in future reviews -- may facilitate obtaining desired responses from registered entities

17 RAI Experience at SERC August 12, 2014 Vancouver, BC Angie Sheffield VP, General Auditor and Chief Regulatory Compliance Officer Georgia Transmission Corporation Scott Henry President and CEO SERC Reliability Corporation 17

18 Pre-Audit Preparation Inherent Risk Assessment Data collection regarding GTC risks through pre-audit survey SERC s consideration of risks resulted in adjustment of standards in scope as compared to AML Focus on communication and coordination of operators due to arrangement of entity with other entities for performance of registered functions Scope increased by eight Requirements 18

19 Pre-Audit Preparation Internal Controls Evaluation SERC auditors reviewed GTC s Independent Audit Reports (IAR) SERC accepted GTC s IAR For 18 of the 38 requirements in scope, SERC did little to no additional testing 19

20 Independent Auditor Evaluation Audit team deemed IAR adequately addressed Standards/Requirements. IAR reflected an appropriate level of rigor for SERC staff to draw the same conclusions. Audit team determined the IAR was relevant to the audit period. Audit team requested minor supplemental evidence. 20

21 Benefits Improved focus from prior audit in 2008 Still required same level of effort from GTC However, more focused on GTC s inherent risk Did not duplicate effort by re-testing areas that GTC was adequately monitoring Encouraged GTC to continue building its internal control program and endorsed our focus on selfmonitoring 21

22 Lessons Learned Additional communication/collaboration should occur during IRA Further training for entity and regional staff is essential Timing Audit should be focused on the what Risk assessment results could be used to scope other types of compliance monitoring Self-certifications Spot-checks 22

23 RAI within the ERCOT Region Curtis Crews, Texas Reliability Entity, Inc. Chuck Manning, Electric Reliability Council of Texas

24 ERCOT Audit/Spot Check Experience Registered as BA, IA, PC, RC, RP, TOP, TSP 2008 Compliance Violation Investigation , 2009, Audit 2009 CIP Spot Check 2010 CIP Audit 2011 FERC, NERC and Texas RE Investigation (Cold Weather) 2011, 2012 Four 693 Spot Checks Audit 2013 CIP Audit 24 NERC BOTCC August 2014

25 ERCOT 2012 and 2013 Engagements Attention to high risk areas Reliability-focused engagements In-depth review Risk-Based Risk Elements w/ Key Resources Address risk appropriately Benefits to ERCOT Audit was efficient and focused Both teams had the same goal of reliability and security Recommendations and concerns versus compliance only Productive recommendations Curing period allowed for further dialogue among experts 25 NERC BOTCC August 2014

26 26

27 Physical Security Implementation Steven Noess, Associate Director of Standards Development Compliance Committee Meeting August 13, 2014

28 Overview CIP Purpose: To identify and protect Transmission stations and Transmission substations, and their associated primary control centers, that if rendered inoperable or damaged as a result of a physical attack could result in widespread instability, uncontrolled separation, or Cascading within an Interconnection. * *Note: ( widespread proposed for removal by FERC in NOPR issued July 17, 2014) 28

29 Requirements Applies to certain Transmission Owners (TOs) and Transmission Operators (TOPs) Standard requires owners or operators to: Identify critical facilities on the Bulk-Power System Evaluate threats on those facilities Implement plans to protect critical facilities against those threats 29

30 Tiered Applicability All TOs and TOPs (CIP not applicable to all) Applicable TOs who must determine if stations/substations are critical TOs/TOPs with critical facilities (full standard applies) 30

31 Third-Party Verifications/Reviews Critical facility identification must be verified by third party Directed by FERC order Verifier must be a Planning Coordinator, Transmission Planner, Reliability Coordinator, or entity with transmission planning experience Verification may recommend addition/subtraction Threat evaluation and security plan reviewed by third party Directed by FERC order Reviewer must meet certain experience criteria Review may recommend changes to security plan 31

32 FERC Proposes Approval NOPR proposing approval issued July 17, 2014 Forty five-day comment period from federal register publication, September 22, 2014 NOPR proposes to direct two modifications: Governmental authorities may add or subtract from critical facilities Revise certain wording that may narrow scope ( widespread ) NOPR proposes to direct two informational filings: High Impact Control Centers (six months of effective date of final rule) Possible resiliency measures, in addition to those required by standard, following loss of critical facilities (one year of effective date of final rule) 32

33 Implementation Critical facility identification: complete before effective date (six months following FERC approval) Standard filed with FERC May 23, 2014 NOPR proposing approval (with directives) issued July 17, 2014 Tiered timeline for balance of requirements (within 15 months) Training and other coordination Audit and Enforcement Common approaches (Planning Committee, regional groups, etc.) 33

34 ERO to Monitor Implementation NERC Board of Trustees directed NERC management to monitor and assess implementation on ongoing basis: Number of assets critical under the standard Defining characteristics of the assets identified as critical Scope of security plans (types of security and resiliency contemplated) Timelines included for implementing security and resiliency measures Industry s progress in implementing the standard 34

35 35

36 Key Compliance Enforcement Metrics and Trends Compliance Committee Open Session August 13, 2014

37 ERO Enterprise 2014 Goals Compliance Enforcement 2014 Goals Timeliness and transparency of compliance results (caseload index and violation aging) Promotion of self-identification of noncompliance Timeliness of mitigation RAI enforcement reforms 37

38 Caseload Index as of July 1, 2014 Regional Entities 8.3 months NERC 1.2 months ERO Enterprise 9.5 months Target: 7 months Threshold: 8 months * Excludes violations that are held by appeal, a regulator, or a court. 38

39 Caseload Reduction as of July 1, 2014 * Excludes violations that are held by appeal, a regulator, or a court. Target: 0 Threshold: 65 39

40 Violation Age in the ERO Enterprise * Excludes violations that are held by appeal, a regulator, or a court. 40

41 Violation Age in the ERO Enterprise Inventory by Discovery Year * Excludes violations that are held by appeal, a regulator, or a court. 41

42 Promoting Self-Assessment and Identification of Noncompliance Target: 75% Threshold: 70% 42

43 Monitoring Mitigation Completion Pre-2014 Progress Time frame Progress toward the goal Threshold Target % 75% 80% % 90% 95% % 95% 98% 2010 and older 99% 98% 100% 43

44 FFT Utilization ERO Enterprise 44

45 FFT Utilization By Regional Entity 45

46 Risk Assessment 46

47 Trends by Standard in 2013 and Q1 and Q

48 Risk Assessment for Top 10 Violated Standards (2013) 48

49 49