2/14/2013

1

Lori Spence & Jana Utter

Compliant Processes –“Baked In, Not Tacked On”

MISO Overview

2

• Independent• Non-profit• 2001 - Reliability Coordinator• 2005 - Energy Markets• 2009 - Ancillary Services• Large Footprint

2/14/2013

2

Scope of Operationsas of June 1, 2012

• Generation Capacity

– 132,313 MW (market)

– 144,599 MW (reliability)

• Historic Peak Load(July 23, 2012)

– 98,576 MW (market)

– 104,669 MW (reliability)

• 49,670 miles of transmission

• 11 states, 1 Canadian province

3

• 5-minute dispatch

• 1,936 pricing nodes

• 1,258 generating units (market)

• 6,060 generating units (network model)

• $23.6 billion gross market charges (2011)

• 356 market participants serving 38.9 million people

Compliance Scope

• MISO conducts its operations while complying with laws, regulations, and industry standards. The Compliance Scope facing MISO involves thousands of legal and regulatory requirements. Financial penalties for non-compliance can be up to $1,000,000 per violation for each day the violation continues.

4

2/14/2013

3

Introduction

• Baking compliance requirement activities into day-to-day business activities

• Making compliance program implementation efficient and effective

• Structuring and deploying the resources needed for sustainable compliance

5

Baking compliance requirement activities into day-to-day business activities

6

2/14/2013

4

7

Process-Driven Compliance: Motivation Model

8

2/14/2013

5

Business Process Maturity

Optimized(Continuous Improvement)• Deliberate

process optimization & improvement

• Tied to organizational goals

Managed(Orchestrated)• Meaningful

Metrics reported & reviewed

• Risks reviewed; Process controls established

Structured(Proactive)• Processes

Documented• Relationship

diagram created • Inputs/Outputs

identified

Undisciplined(Reactive)• Same process

used repeatedly

Initial• Chaotic, often

requires heroics

LEVEL 1

LEVEL 2

LEVEL 3

LEVEL 4

LEVEL 5

9

10

Process Deployment: “Initial”

eMail

Files

WebDatabases

Apps

Reports

Evidence records may not be captured completely, or may even become lost.

ManualProcessesBurdenStandardOwners

LackVisibilityIntoCompliancePosition

Manual processes and unstructured data

Process-Driven Compliance

2/14/2013

6

11

Process Deployment – “Structured”Process-Driven Compliance

Process Driven Compliance defines documented processes, controls, and evidence to support Compliance activities.

Proposed Maturity Model

• Process-level Compliance Maturity Model– Incorporates the required attributes of compliance and process

necessary to arrive at “compliant” processes

– Defines a set of structured levels that describe how well the behaviors, practices and processes of an organization can reliably and sustainably produce required outcomes

12

2/14/2013

7

Process-level Compliance Maturity Model

• Facilitates answers to questions regarding process compliance:

– Where am I now?

– Where do I want / need to be?

– What are my next steps?

• Sets a company-wide standard for measuring & planning process-level compliance (“compliant processes”)

• Applicable to all compliance areas

13

Process-level Compliance Maturity Model

• Key dimensions of “compliant” process maturity for MISO– Requirements

– Process

– Controls

– Evidence

– Gap analysis & treatment

– Training

14

2/14/2013

8

Process-level Compliance Maturity Model

15

Process-level Compliance Maturity Model

16

2/14/2013

9

Process-level Compliance Maturity Model

LEVEL 1 LEVEL 2 LEVEL 3 LEVEL 4 LEVEL 5

Initial(Chaotic, Ad Hoc, Individual Heroics)

Undisciplined(Reactive)

Structured(Proactive)

Managed(Orchestrated)

Optimized(Continuous

Improvement)

Level 2 Themes:

• Repeatable but informal and variable

• Result of 1-time stand-up effort ("won and done" approach)

Level 3 Themes:

• Adherence to standards

• Document linkage

Level 4 Themes:

• Triggers for reviews and updates

• Metrics and monitoring

• Streamline & simplify within process: from requirement through process, controls, and evidence

Level 5 Themes

• Automation

• Coordinate across processes: collaborative integration with upstream supplier process(es) and downstream customer process(es)

17

Process-level Compliance Maturity Model

LEVEL 1 LEVEL 2 LEVEL 3 LEVEL 4 LEVEL 5

Initial(Chaotic, Ad Hoc, Individual Heroics)

Undisciplined(Reactive)

Structured(Proactive)

Managed(Orchestrated)

Optimized(Continuous

Improvement)

REQUIREMENTS

Requirement & Process Risk

Level 1 description

Level 2 description

Level 3 description

Level 4 description

Level 5 description

The current level may be okay if …

X X X X

You may want to move to the next level if …

X X X X

What does it take to move to the next level?

X X X X

18

2/14/2013

10

Process-level Compliance Maturity Model

19

Process-level Compliance Maturity Model

Model Content – Guidance on Levels - Example

20

2/14/2013

11

Process-level Compliance Maturity Model

Model Content – Guidance on Levels - Example

21

Process-level Compliance Maturity Model

Model Content – Guidance on Levels - Example

22

2/14/2013

12

Process-level Compliance Maturity Model

Model Content – Guidance on Levels - Example

23

Lessons Learned

24

Overcoming corporate inertia to transform mindset to drive process-centric behaviors requires significant communication and internal marketing

2/14/2013

13

Making compliance program implementation efficient and effective

25

MISO’s Corporate Governance

26

2/14/2013

14

Operational Model – Hybrid

27

Baking In - Business Process Modeling

• Graphical representation for specifying business processes– Provides a standard notation readily understandable by all

business stakeholders: business analysts, technical developers and business managers

28

2/14/2013

15

Baking In - Business Process Modeling

29

Enterprise Compliance

• Implement a comprehensive framework and technology solution, each known as the Compliance Model and Compliance Platform to:– Provide a common approach for management and assurance of

compliance

– Ensure all Compliance Requirements are identified, documented, and maintained

– Enable a holistic view of Compliance Requirements, Processes, Controls & Records across Compliance Areas

– Gain insight into areas of risks and prioritize for process enhancements

– Transition from “Initial” to “Structured” processes

30

2/14/2013

16

Process Deployment: “Initial”

• Issues

– Manual processes depend heavily on individuals and their ability to adhere to policy and procedures

– Records ‘silos’ exist for storage of information, generally segregated by departments and individuals

– Evidence is paper-based which becomes stale or exposes us to documentation failure

– No consistent process exists to gather, maintain, and update information

31

Process Deployment: “Structured”

• Solutions

– Provides for monitoring of control activities

– Assures a consistent, auditable, defendable position

– Provides control and visibility of processes to ensure compliance and the generation and storage of documentation

– Successful management of overall compliance involving a significant volume of activities that are monitored and documented

32

2/14/2013

17

Compliance Platform

33

Compliance Platform

34

2/14/2013

18

35

“Business Process Management’s Success Hinges on Business-Led Initiatives”, Gartner, 26 July 2005

• Simply “making the current-state handoffs, timing and responsibilities explicit, productivity improvements of more than 12 percent are normally realized

• Improves employee satisfaction by freeing employees from the manual grind

The BPM is an enterprise application which could be used to manage and improve processes across the organization

1

1

2

Kamlet, Andy. "How BPM Software Improves Employee Satisfaction", Business Performance Management Magazine, February 1, 2007. 2

Business Process Management

Business Process Management

36

FEATURES BENEFITS

Transforms a static, manual process to a dynamic, electronic process

Improves business effectiveness and efficiencies

-Develop process maps with tool

-Import process maps into tool

-Execute processes

-Interfaces with other systems

-Eliminate risks inherent in manual processes

-Increase ability to demonstrate compliance

-Provides information needed to monitor compliance status

2/14/2013

19

Enterprise Content Management

37

FEATURES BENEFITS

Central repository for records

Supports RecordsRetention and Records Management Policies

Allows easy search for retrieval of records

Enables retrieval of appropriate evidence for audits

Governance, Risk & Compliance

38

FEATURES BENEFITS

Central Repository ofRequirements, Owners, Processes, Controls, and Description of Evidence

Manage and monitor compliance information

Single system for managing compliance controls. Controls are federated.

“Test once and report many”

2/14/2013

20

Process Implementation

39

Lessons Learned

• 100% Technology implementation with only partial people and process isn’t enough– Plan for both capital and operational costs for total budget

– Have manual processes documented and working before automation

• Engage stakeholders early and frequently to foster collaboration and adoption– Sell the benefits and gather support and commitment from

management and technical staff

40

2/14/2013

21

Structuring and deploying the resources needed for sustainable compliance

41

Compliance Center of Excellence

• A Compliance Center of Excellence (CCoE) is a proven way to provide:– Capture of intellectual capital and sharing of best practices

across an organization

– Standardization across processes, reports, etc.

– Prioritization of projects / resources

– Flexibility of CCoE staff based on project needs

– Multi-disciplinary perspectives for effectively designing and implementing cross-functional solutions

42

2/14/2013

22

Compliance Center of Excellence

43

44

2/14/2013

23

Lessons Learned

• Customize Compliance Center of Excellence to Culture– Appropriate balance between control and centralization

• Don’t always have to be Best Practice. – Sometimes adequate and acceptable practice is sufficient

• External checkpoints provide view from outside.– Third party Assurance

45

Conclusion & Wrap Up

• Baking compliance requirement activities into day-to-day business activities

• Making compliance program implementation efficient and effective

• Structuring and deploying the resources needed for sustainable compliance

46

2/14/2013

24

Demonstration

48

SSAE16 Objective and Control

• Objective: Controls are in place to provide reasonable assurance that Day-Ahead, Real-Time and Financial Transmission Rights (FTR) data are captured accurately and completely.

• Control Number: 9.1.b

• Control Language: Market Settlements personnel review and approve miscellaneous charges and manual entries, if any, prepared by a separate Market Settlements person.

• Procedure: MS-OP-009 Market Settlements Manual Data Changes

• Documentation: MS-OP-009 Appendix B and supporting documentation

48

2/14/2013

25

49

5050

Business Objectives

• Minimize risk of non-compliance through a process that:– Tracks changes to Market Settlements production

data by Market Settlements personnel

– Ensures separation of duties for approval and validation of manual data changes

– Provides documentation in support of compliance

• Provide for efficient management activities– SSAE 16 Control Documentation easily accessible for

audit purposes

2/14/2013

26

51

Process Design Objectives

• Eliminate use of hardcopy forms

• Electronic signatures for approval and validation

• Enforce separation of duties when performing manual data updates

• Eliminate scanning of completed forms and supporting documents

• Automate storage of forms and supporting documentation (email, spreadsheets…)

• Conform with SSAE16 Objective and Control

51

52

Process Design

52

Blue Print

2/14/2013

27

Start the MS-OP-009 change request process

Enter the necessary information in the form

Unique change control number

assigned

Ability to associate all supporting documentation

2/14/2013

28

Attach supporting documentation for the change

Submit the change request for approval

2/14/2013

29

Change request is removed from Analyst’s queue…

…and is moved to Sr. Analyst’s queue for approval

Sr. Analyst verifies the requested change and approves it

2/14/2013

30

Sr. Analyst can implement the change or have someone else implement it

Change request is removed from the Sr. Analyst’s queue…

… and is placed in Analyst’s queue for implementation

2/14/2013

31

Changes are implemented and acknowledgement signed

Change request is removed from the implementer’s queue…

… and is placed in queue for verification

2/14/2013

32

Changes are verified and acknowledgement signed

Completed change request is removed from everyone’s work queue…

2/14/2013

33

… and change request is emailed at completion

All documents related to this change can be pulled from the ECMS using this unique ID

Email contains .PDF of completed form

2/14/2013

34

New form replicates critical elements of old, paper form

All change forms and supporting documents are bundled together in the enterprise content management system

2/14/2013

35

File is renamed to match the unique change control ID, but native file name is still retained as meta-data.

Lots of meta data