Reliability Assurance Initiative (RAI) 101
Ben Christensen
Senior Compliance Risk Analyst, Cyber Security
Agenda
• Introduction to Reliability Assurance Initiative
  – Risk Elements
  – Inherent Risk Assessment (IRA)
  – Internal Controls Evaluation (ICE)
• Overview of WECC’s IRA and ICE process and documents
Western Electricity Coordinating Council
Introduction to RAI
• Implements risk-based compliance monitoring and enforcement
• Initial discussions by NERC in 2012
• Regional RAI pilots during 2013 and 2014
• 2014 NERC and Regions designed the risk-based framework
Overview of Risk Based Framework
Risk Elements
• Replaces prior actively monitored lists
• WECC identified region-wide risk elements
  – 10 O&P risk elements
  – 6 CIP risk elements
• WECC identified NERC Standards and Requirements associated with risk elements
What is the IRA?
• Review of inherent risks posed by an entity to the BPS
• Review of an entity’s characteristics
  – Such as event history, compliance history, devices owned/operated, types of transmission lines, generation portfolio, etc.
• IRA process is located on the WECC website
WECC’s IRA Process
• Identify Major Inputs into IRA
• Review Entity Background
• Identify Initial List of Applicable Functions and Standards
• Identify and Review Applicable Risk Element
• Determine Monitoring Strategy
IRA Surveys
• Currently posted on WECC website
• Completed by Registered Entities
• Helps identify Entity’s inherent risks
IRA Final Report
• Documents WECC’s assessments and evaluations
• Helps develop Registered Entity’s Compliance Oversight Plan
• Summary of Final Reports provided to Entity
Internal Controls Evaluation (ICE)
What is ICE?
• Voluntary process
• WECC will evaluate internal controls related to the risks and associated standards
• WECC will make recommendations to strengthen controls
• ICE process is located on the WECC website
WECC’s ICE Process
• Identify key controls related to risks
• Request controls information
• Test effectiveness of controls
• Identify how well controls address risks and provide compliance assurance
ICE Surveys
• Currently posted on WECC website
• Completed by Registered Entities
• Helps identify Entity’s internal controls
ICE Final Report
• Documents WECC’s assessments and evaluations
• Helps develop Registered Entity’s Compliance Oversight Plan
• Summary of Final Report provided to Entity
How will WECC use IRA and ICE?
• WECC can better tailor compliance monitoring activities using existing CMEP tools (i.e., audits, spot checks, or self-certifications)
• WECC may use the results to focus the depth and scope of monitoring engagements
• Not a one-size-fits-all approach, but a risk-based one
Additional Resources
• NERC RAI Page
• NERC Risk Elements Guide
• WECC CMEP IP
• IRA
  – IRA Process
  – IRA Survey template
  – IRA Report template
• ICE
  – ICE Process
  – O&P ICE Survey
  – CIP ICE Survey