Compliance – a: the act or process of complying to a desire, demand, proposal, or regimen or to coercion; b: conformity in fulfilling official requirements (Merriam-Webster definition).
In other words… the things we do to fulfill the Requirements of the NERC Standards.
Internal Controls – systematic measures (such as reviews, checks and balances, methods and procedures) instituted by an organization to deter and detect errors, ensure accuracy and completeness of its data, and ensure adherence to its policies and plans. (BusinessDictionary.com)
In other words… Internal Controls are those additional things we do to ensure our Compliance activities
• Get Done On Time
• Get Done Correctly
• Get Documented Properly
Internal Controls come in many shapes and sizes
• Processes and Procedures
• Checklists
• Spreadsheets
• Calendar/Email reminders
• Training and Qualification
SPP RE FALL COMPLIANCE WORKSHOP
Westar Energy’s Approach to Internal Controls
• Traditional vs. Risk-Based Compliance Approach
• What is the impact to Westar Energy?
• Roles and Responsibilities
• Assessing Process-Level Risks
• Identifying Internal Controls
NERC 693 COMPLIANCE WORKSHOP
Transition to Risk-Based Compliance
Traditional Approach
• Review all applicable standards every year
• Collect evidence
• Conduct testing
• Update RSAWs
Risk-Based Compliance
• Review higher risk standards
• Utilize internal risk assessment results
• Collect evidence
• Conduct testing
• Conduct process reviews
• Identify and prioritize process-level risk
• Identify and document internal controls
• Perform gap analysis
How does Risk-Based Compliance Impact Westar?
• Focus resources on higher risk areas
• Positive effect on reliability
• Better internal controls and management processes
• Incorporate 2015 lessons learned into 2016 work plan
• CIP Audit – April 2016
• 693 Audit – November 2016
Roles and Responsibilities
Internal Audit
NERC Compliance
Business Units
Assessing Process-Level Risks
• Review reliability-related processes
– Misoperations
– Transmission Vegetation Management
• Identify process-level risks
• Perform a risk assessment
• Document risks
Identifying Internal Controls
• Identify and document existing internal controls
• Perform a gap assessment
• Implement internal controls where necessary
Tiffany Lake, Manager, NERC Reliability, (785) 575-8193, [email protected]
OG&E
OG&E Approach
• OG&E Compliance Progression
• Risk-Based Approach
– Risk Assessment
– Process Review & Mapping
– Internal Controls
• Documenting Internal Controls
• Current Focus Areas
• Benefits
• Examples
OG&E Compliance Process Progression
• Foundation – Compliance Management Program
– Compliance Management Tool: Define compliance, Collect evidence, Update RSAWs
• Compliance Assurance Process (CAP)
– Procedures, Process Flow Charts, Trained SMEs, Documented Evidence, RACIs, Controls
• Risk-Based Approach
– Documented risk assessment, with emphasis on higher risk areas
– In-depth process review and mapping
– Identify and document new internal controls
Risk Assessment Considerations
• NERC Risk Elements
• SPP Risk Elements
• Top 10 Most Violated Standards
• Standard VRFs
• Audit and Self-Certification Lists
• NERC Projects – pending Standards
• Past OG&E Compliance History
• Compliance Assurance Process (CAP) Score
• Other
Process Review and Mapping
• Process Mapping
– Detailed review with process owners
– Understand how work is done
– Incorporate compliance requirements
– Identify touch points within processes
  • Business groups
  • NERC Standards
– Include controls already in place
– Identify weak areas in the process and develop new controls
Internal Controls
• Level
– Entity
– Process
– Compliance assurance
• Type
– Preventive
– Detective
– Corrective
• Application
– Automated
– Manual
– Hybrid
• Frequency
– Daily
– Weekly
– Monthly
– Quarterly
– Annually
Documenting Internal Controls
OGE Internal Controls Spreadsheet – CIP (column headings):
• Standard
• Req.
• NERC Risk Element
• SPP Risk Element
• OGE Risk Ranking (High, Medium, Low)
• Requirement Text
• Internal Control ID
• Control Title
• Control Area
• Internal Control Description
• Goal of Controls
• Control Type (Preventative, Detective, Corrective)
• Control Application (Automated, Manual, Hybrid)
• Control Frequency (e.g. real-time, daily, monthly, quarterly, annual, etc.)
• Control Owner
• Start with what you have
• Review processes to identify new controls
• Consider process mapping as a tool
Current Focus Areas
OPS (693)
– Facility Ratings
– Operations Personnel Training
– Misoperations
CIP
– Recovery Plans
– Change Management
Benefits
• Better understanding of internal processes
• Improved processes
• Better defined roles and responsibilities
• Improved compliance assurance
• Improved reliability
• Municipal Utility
• Registrations: TO/TOP/GO/GOP/TP/RP/DP/LSE
• 26 miles of 161 kV Transmission
• 4 BES Substations
• 1 BES Generation asset
Risk Assessment
• IPL system design very stable
• Maintenance program effective
• Program documents stable
• System events very rare
• Biggest risk is Awareness
Approach to Internal Controls
• Management focused – Lead Team, Reliability Team, CIP Team
• Monthly meetings with division managers and primary SMEs
• Develop tools (spreadsheets, checklists, procedures) to help supervisors monitor performance of compliance activities
Other Internal Control Examples
• Monthly CIP Team Meetings – Review changes that could impact CIP compliance
• Monthly Blackstart Restoration Calls – Review system changes that could impact plan
• Flowgate application in SCADA EMS – Displays permanent and temporary flowgates and alerts
• Anti-virus software with automated removal and alerting