TRANSCRIPT
2/14/2013
Lori Spence & Jana Utter
Compliant Processes – “Baked In, Not Tacked On”
MISO Overview
• Independent
• Non-profit
• 2001 - Reliability Coordinator
• 2005 - Energy Markets
• 2009 - Ancillary Services
• Large Footprint
Scope of Operations as of June 1, 2012
• Generation Capacity
– 132,313 MW (market)
– 144,599 MW (reliability)
• Historic Peak Load (July 23, 2012)
– 98,576 MW (market)
– 104,669 MW (reliability)
• 49,670 miles of transmission
• 11 states, 1 Canadian province
• 5-minute dispatch
• 1,936 pricing nodes
• 1,258 generating units (market)
• 6,060 generating units (network model)
• $23.6 billion gross market charges (2011)
• 356 market participants serving 38.9 million people
Compliance Scope
• MISO conducts its operations while complying with laws, regulations, and industry standards. The Compliance Scope facing MISO involves thousands of legal and regulatory requirements. Financial penalties for non-compliance can be up to $1,000,000 per violation for each day the violation continues.
Introduction
• Baking compliance requirement activities into day-to-day business activities
• Making compliance program implementation efficient and effective
• Structuring and deploying the resources needed for sustainable compliance
Baking compliance requirement activities into day-to-day business activities
Process-Driven Compliance: Motivation Model
Business Process Maturity
• LEVEL 1: Initial
– Chaotic, often requires heroics
• LEVEL 2: Undisciplined (Reactive)
– Same process used repeatedly
• LEVEL 3: Structured (Proactive)
– Processes documented
– Relationship diagram created
– Inputs/Outputs identified
• LEVEL 4: Managed (Orchestrated)
– Meaningful metrics reported & reviewed
– Risks reviewed; process controls established
• LEVEL 5: Optimized (Continuous Improvement)
– Deliberate process optimization & improvement
– Tied to organizational goals
Process Deployment: “Initial”
Process-Driven Compliance
Manual processes and unstructured data: Files, Web, Databases, Apps, Reports
• Evidence records may not be captured completely, or may even become lost.
• Manual processes burden standard owners
• Lack visibility into compliance position
Process Deployment – “Structured”
Process-Driven Compliance
Process Driven Compliance defines documented processes, controls, and evidence to support Compliance activities.
Proposed Maturity Model
• Process-level Compliance Maturity Model
– Incorporates the required attributes of compliance and process necessary to arrive at “compliant” processes
– Defines a set of structured levels that describe how well the behaviors, practices and processes of an organization can reliably and sustainably produce required outcomes
Process-level Compliance Maturity Model
• Facilitates answers to questions regarding process compliance:
– Where am I now?
– Where do I want / need to be?
– What are my next steps?
• Sets a company-wide standard for measuring & planning process-level compliance (“compliant processes”)
• Applicable to all compliance areas
Process-level Compliance Maturity Model
• Key dimensions of “compliant” process maturity for MISO
– Requirements
– Process
– Controls
– Evidence
– Gap analysis & treatment
– Training
Process-level Compliance Maturity Model
• LEVEL 1: Initial (Chaotic, Ad Hoc, Individual Heroics)
• LEVEL 2: Undisciplined (Reactive)
• LEVEL 3: Structured (Proactive)
• LEVEL 4: Managed (Orchestrated)
• LEVEL 5: Optimized (Continuous Improvement)
Level 2 Themes:
• Repeatable but informal and variable
• Result of 1-time stand-up effort ("won and done" approach)
Level 3 Themes:
• Adherence to standards
• Document linkage
Level 4 Themes:
• Triggers for reviews and updates
• Metrics and monitoring
• Streamline & simplify within process: from requirement through process, controls, and evidence
Level 5 Themes:
• Automation
• Coordinate across processes: collaborative integration with upstream supplier process(es) and downstream customer process(es)
Process-level Compliance Maturity Model
REQUIREMENTS: Requirement & Process Risk
• LEVEL 1, Initial (Chaotic, Ad Hoc, Individual Heroics): Level 1 description
• LEVEL 2, Undisciplined (Reactive): Level 2 description
• LEVEL 3, Structured (Proactive): Level 3 description
• LEVEL 4, Managed (Orchestrated): Level 4 description
• LEVEL 5, Optimized (Continuous Improvement): Level 5 description
The current level may be okay if …
X X X X
You may want to move to the next level if …
X X X X
What does it take to move to the next level?
X X X X
Process-level Compliance Maturity Model
Model Content – Guidance on Levels - Example
Lessons Learned
Overcoming corporate inertia to transform mindset to drive process-centric behaviors requires significant communication and internal marketing
Making compliance program implementation efficient and effective
MISO’s Corporate Governance
Operational Model – Hybrid
Baking In - Business Process Modeling
• Graphical representation for specifying business processes
– Provides a standard notation readily understandable by all business stakeholders: business analysts, technical developers and business managers
Enterprise Compliance
• Implement a comprehensive framework and technology solution, known respectively as the Compliance Model and the Compliance Platform, to:
– Provide a common approach for management and assurance of compliance
– Ensure all Compliance Requirements are identified, documented, and maintained
– Enable a holistic view of Compliance Requirements, Processes, Controls & Records across Compliance Areas
– Gain insight into areas of risks and prioritize for process enhancements
– Transition from “Initial” to “Structured” processes
Process Deployment: “Initial”
• Issues
– Manual processes depend heavily on individuals and their ability to adhere to policy and procedures
– Records ‘silos’ exist for storage of information, generally segregated by departments and individuals
– Evidence is paper-based which becomes stale or exposes us to documentation failure
– No consistent process exists to gather, maintain, and update information
Process Deployment: “Structured”
• Solutions
– Provides for monitoring of control activities
– Assures a consistent, auditable, defendable position
– Provides control and visibility of processes to ensure compliance and the generation and storage of documentation
– Successful management of overall compliance involving a significant volume of activities that are monitored and documented
Compliance Platform
Business Process Management
The BPM is an enterprise application which could be used to manage and improve processes across the organization
• Simply “making the current-state handoffs, timing and responsibilities explicit, productivity improvements of more than 12 percent are normally realized” [1]
• Improves employee satisfaction by freeing employees from the manual grind [2]
[1] “Business Process Management’s Success Hinges on Business-Led Initiatives”, Gartner, 26 July 2005
[2] Kamlet, Andy. "How BPM Software Improves Employee Satisfaction", Business Performance Management Magazine, February 1, 2007.
Business Process Management
FEATURES
• Transforms a static, manual process to a dynamic, electronic process
– Develop process maps with tool
– Import process maps into tool
– Execute processes
– Interfaces with other systems
BENEFITS
• Improves business effectiveness and efficiencies
– Eliminate risks inherent in manual processes
– Increase ability to demonstrate compliance
– Provides information needed to monitor compliance status
Enterprise Content Management
FEATURES
• Central repository for records
• Allows easy search for retrieval of records
BENEFITS
• Supports Records Retention and Records Management Policies
• Enables retrieval of appropriate evidence for audits
Governance, Risk & Compliance
FEATURES
• Central Repository of Requirements, Owners, Processes, Controls, and Description of Evidence
• Single system for managing compliance controls. Controls are federated.
BENEFITS
• Manage and monitor compliance information
• “Test once and report many”
Process Implementation
Lessons Learned
• 100% Technology implementation with only partial people and process isn’t enough
– Plan for both capital and operational costs for total budget
– Have manual processes documented and working before automation
• Engage stakeholders early and frequently to foster collaboration and adoption
– Sell the benefits and gather support and commitment from management and technical staff
Structuring and deploying the resources needed for sustainable compliance
Compliance Center of Excellence
• A Compliance Center of Excellence (CCoE) is a proven way to provide:
– Capture of intellectual capital and sharing of best practices across an organization
– Standardization across processes, reports, etc.
– Prioritization of projects / resources
– Flexibility of CCoE staff based on project needs
– Multi-disciplinary perspectives for effectively designing and implementing cross-functional solutions
Lessons Learned
• Customize Compliance Center of Excellence to Culture
– Appropriate balance between control and centralization
• Don’t always have to be Best Practice.
– Sometimes adequate and acceptable practice is sufficient
• External checkpoints provide view from outside.
– Third party Assurance
Conclusion & Wrap Up
• Baking compliance requirement activities into day-to-day business activities
• Making compliance program implementation efficient and effective
• Structuring and deploying the resources needed for sustainable compliance
Demonstration
SSAE16 Objective and Control
• Objective: Controls are in place to provide reasonable assurance that Day-Ahead, Real-Time and Financial Transmission Rights (FTR) data are captured accurately and completely.
• Control Number: 9.1.b
• Control Language: Market Settlements personnel review and approve miscellaneous charges and manual entries, if any, prepared by a separate Market Settlements person.
• Procedure: MS-OP-009 Market Settlements Manual Data Changes
• Documentation: MS-OP-009 Appendix B and supporting documentation
Business Objectives
• Minimize risk of non-compliance through a process that:
– Tracks changes to Market Settlements production data by Market Settlements personnel
– Ensures separation of duties for approval and validation of manual data changes
– Provides documentation in support of compliance
• Provide for efficient management activities
– SSAE 16 Control Documentation easily accessible for audit purposes
Process Design Objectives
• Eliminate use of hardcopy forms
• Electronic signatures for approval and validation
• Enforce separation of duties when performing manual data updates
• Eliminate scanning of completed forms and supporting documents
• Automate storage of forms and supporting documentation (email, spreadsheets…)
• Conform with SSAE16 Objective and Control
Process Design
Blue Print
Start the MS-OP-009 change request process
Enter the necessary information in the form
Unique change control number assigned
Ability to associate all supporting documentation
Attach supporting documentation for the change
Submit the change request for approval
Change request is removed from Analyst’s queue…
…and is moved to Sr. Analyst’s queue for approval
Sr. Analyst verifies the requested change and approves it
Sr. Analyst can implement the change or have someone else implement it
Change request is removed from the Sr. Analyst’s queue…
… and is placed in Analyst’s queue for implementation
Changes are implemented and acknowledgement signed
Change request is removed from the implementer’s queue…
… and is placed in queue for verification
Changes are verified and acknowledgement signed
Completed change request is removed from everyone’s work queue…
… and change request is emailed at completion
All documents related to this change can be pulled from the ECMS using this unique ID
Email contains .PDF of completed form
New form replicates critical elements of old, paper form
All change forms and supporting documents are bundled together in the enterprise content management system
File is renamed to match the unique change control ID, but native file name is still retained as meta-data.
Lots of meta data
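An added example, not part of the original slides or of MISO's platform: a minimal Python model of the change-request routing walked through in the demonstration, with separation of duties enforced by the workflow itself rather than by policy. The state names, the CR- identifier format, and the two rules (the submitter may not approve, the implementer may not verify) are assumptions drawn from the slide text.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from itertools import count
from typing import Optional

_ids = count(1)  # constructed ID scheme; the slides only say the ID is unique

# current state -> (only action allowed, next state, queue that receives the request)
FLOW = {
    "draft":       ("submit",    "submitted",   "approver"),
    "submitted":   ("approve",   "approved",    "implementer"),
    "approved":    ("implement", "implemented", "verifier"),
    "implemented": ("verify",    "complete",    None),
}
# action -> earlier action whose signer may not perform it (assumed SoD rules)
SOD = {"approve": "submit", "verify": "implement"}

class SeparationOfDutiesError(Exception):
    """The same person tried to sign two steps that must be separated."""

@dataclass
class ChangeRequest:
    description: str
    change_id: str = field(default_factory=lambda: f"CR-{next(_ids):05d}")
    state: str = "draft"
    queue: Optional[str] = "requester"
    signatures: dict = field(default_factory=dict)  # action -> signer
    evidence: list = field(default_factory=list)    # append-only trail of signed steps

    def act(self, action: str, user: str) -> None:
        expected, next_state, next_queue = FLOW.get(self.state, (None, None, None))
        if action != expected:
            raise ValueError(f"{action!r} not allowed in state {self.state!r}")
        blocked = self.signatures.get(SOD.get(action))
        if blocked is not None and user == blocked:
            raise SeparationOfDutiesError(f"{user} already signed {SOD[action]!r}")
        # Record the electronic signature, then route to the next work queue.
        self.signatures[action] = user
        stamp = datetime.now(timezone.utc).isoformat()
        self.evidence.append((self.change_id, stamp, action, user))
        self.state, self.queue = next_state, next_queue

if __name__ == "__main__":
    cr = ChangeRequest("Correct miscellaneous charge (constructed sample)")
    for step, who in [("submit", "analyst_a"), ("approve", "sr_analyst_b"),
                      ("implement", "sr_analyst_b"), ("verify", "analyst_a")]:
        cr.act(step, who)
        print(cr.change_id, cr.state, "-> queue:", cr.queue)
```

A rejected step leaves the request in its current state and queue, so the evidence trail contains only steps that were actually signed.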