Board of Trustees Compliance Committee
August 13, 2014 | 10:00 a.m. – 11:00 a.m. Pacific
The Westin Bayshore, 1601 Bayshore Drive, Vancouver, BC V6G 2V4
Reliability Assurance Initiative (RAI) Progress Report
Jerry Hedrick, Director of Regional Entity Assurance and Oversight
Sonia Mendonca, Associate General Counsel and Director of Enforcement
Compliance Committee Open Meeting
August 13, 2014
Agenda
• RAI Project Overview
• Progress Report
• Compliance Exception Program
• Aggregation / Logging Program
• RAI Project Timelines
• Regional Implementation Update
• Joint Regional and Registered Entity RAI Discussions
    WECC / Tucson Electric
    SERC / Georgia Transmission
    Texas RE / ERCOT
RELIABILITY | ACCOUNTABILITY
Overview
• Compliance monitoring activities focused on risks to reliability
• Enforcement resources focused on noncompliance that poses a serious and substantial risk to reliability
• Continued oversight and visibility
• Discretion on whether to initiate an enforcement action to resolve noncompliance
Progress Report
Resources and Tools
• Develop industry and auditor training for risk elements and Inherent Risk Assessment
• Finalizing the Inherent Risk Assessment Guide and examples
Single Compliance Design
• Developing the Risk Elements methodology and procedures for the IP/AML
• Beginning work on the Internal Control Evaluation Guide
Enforcement Processes
• Finalized user guides to support improved self-reporting process
• Implemented improved process flow across ERO enterprise
• Expanding aggregation/logging and compliance exception programs
Compliance and Enforcement Integration
• Integrating program design feedback loops and processes
• Finalizing program documents for multi-regional registered entities
Compliance Exceptions Program
Items Closed as of August 1, 2014
WECC, 4; SERC, 4; MRO, 14; RF, 3; NPCC, 3
Aggregation/Logging Program
Regional Entity: Registered Entity Participants as of August 1, 2014
MRO: Alliant Energy East; Alliant Energy West; Nebraska Public Power District; MidAmerican Energy Company; American Transmission Company
NPCC: New York Power Authority
RF: American Electric Power (jointly with SPP and TRE); PJM Interconnection (jointly with SERC)
SERC: Associated Electric Cooperative, Inc.
TRE: CenterPoint Energy; Luminant Energy; Luminant Generation; Lower Colorado River Authority
Compliance and Enforcement Timeline
[Timeline graphic: May 2014 to Mar 2015]
May 2014
• User guides posted; Compliance Exceptions and Aggregation programs reviewed and expanded (throughout 2014)
July 2014
• Published the Inherent Risk Assessment Guide for comment
Aug. 2014
• Publish the Risk Elements Methodology for the modified Implementation Plan (IP) and Actively Monitored List (AML)
• Multi-Region Registered Entity (MRRE) program documents finalized (monitoring and enforcement activities)
Sept. 2014
• Finalize Inherent Risk Assessment based on industry feedback
Compliance and Enforcement Timeline
[Timeline graphic: May 2014 to Mar 2015]
Oct. 2014
• Publish the 2015 IP and AML
• Develop and begin delivering training on completed modules to industry and regional auditors
• Publish the Internal Control Evaluation (ICE) and Compliance Monitoring and Evaluation Program (CMEP) Tools Modules
Q4 2014
• FERC informational filing submitted
Q1 2015
• MRRE program implemented
• Deploy ICE and Compliance Monitoring Tools
Regional Implementation Update
• Regional Lessons Learned From the Compliance Pilots
    Risk Assessment and Scoping
    Controls Evaluation and Testing
    Training and Education
• RAI Regional Program Implementation
    Compliance Activities
    Enforcement Activities
• Organizational Alignment
    Creation of Risk teams
Constance B. White, Vice President of Compliance
WECC’s RAI Experience
NERC Board Presentation
August 13, 2014
Tucson Electric Power – Preparation
• IRA (Inherent Risk Assessment)
    o WECC reviewed TEPC’s compliance and event history to determine any entity specific risks
• ICE (Internal Controls Assessment) focused on Operations and Planning Standards in the following risk areas:
    o Configuration Management
    o Operations
    o Information Management
    o Planning
Tucson Electric Power – ICE Example
• Sample Question 1: How do you control and manage changes to configuration of protection system devices?
• Controls Reviewed: Maintenance and testing program, systems and tools, interaction between systems
• Result: Risks identified
• Sample Question 2: Explain how you ensure Blackstart Resources are capable of meeting the requirements of its restoration plan
• Controls Reviewed: Annual testing of entity’s two Blackstart Resources, management observes testing, test results are documented and reviewed
• Result: Low Risk
Tucson Electric Power – ICE Results
• WECC identified some strong controls
• Based on the results, the WECC audit team customized the audit
    o Removed 7 low risk requirements
    o Heightened focus on PRC-005 and PRC-008
• WECC plans to significantly reduce TEPC’s 2015 Self Certification
• WECC selected specific TEPC issues for the compliance exception process
Tucson Electric Power – Lessons Learned
• Entities are receptive
• Training and education is necessary
• Risk-based process is effective but will take time to develop
• WECC refined the processes for another entity scheduled for audit and is focusing on CIP standards for the Internal Controls Evaluation process
• Additional clarity is needed
Tucson Electric Power Feedback
• Opportunity to allow for open dialogue and to tell/show our compliance “story”
• Opportunity for additional education and discussion on internal controls
• Reduced administrative burden
• Suggestion: provide additional clarity of and context for data requests in future reviews -- may facilitate obtaining desired responses from registered entities
RAI Experience at SERC
August 12, 2014, Vancouver, BC
Angie Sheffield, VP, General Auditor and Chief Regulatory Compliance Officer, Georgia Transmission Corporation
Scott Henry, President and CEO, SERC Reliability Corporation
Pre-Audit Preparation
• Inherent Risk Assessment
    – Data collection regarding GTC risks through pre-audit survey
    – SERC’s consideration of risks resulted in adjustment of standards in scope as compared to AML
        Focus on communication and coordination of operators due to arrangement of entity with other entities for performance of registered functions
        Scope increased by eight Requirements
Pre-Audit Preparation
• Internal Controls Evaluation
    – SERC auditors reviewed GTC’s Independent Audit Reports (IAR)
    – SERC accepted GTC’s IAR
        For 18 of the 38 requirements in scope, SERC did little to no additional testing
Independent Auditor Evaluation
• Audit team deemed IAR adequately addressed Standards/Requirements.
• IAR reflected an appropriate level of rigor for SERC staff to draw the same conclusions.
• Audit team determined the IAR was relevant to the audit period.
• Audit team requested minor supplemental evidence.
Benefits
• Improved focus from prior audit in 2008
    – Still required same level of effort from GTC
    – However, more focused on GTC’s inherent risk
    – Did not duplicate effort by re-testing areas that GTC was adequately monitoring
• Encouraged GTC to continue building its internal control program and endorsed our focus on self-monitoring
Lessons Learned
• Additional communication/collaboration should occur during IRA
• Further training for entity and regional staff is essential
    – Timing
• Audit should be focused on the “what”
• Risk assessment results could be used to scope other types of compliance monitoring
    – Self-certifications
    – Spot-checks
RAI within the ERCOT Region
Curtis Crews, Texas Reliability Entity, Inc.
Chuck Manning, Electric Reliability Council of Texas
ERCOT Audit/Spot Check Experience
● Registered as BA, IA, PC, RC, RP, TOP, TSP
2008 Compliance Violation Investigation 693
2008, 2009, 2010 693 Audit
2009 CIP Spot Check
2010 CIP Audit
2011 FERC, NERC and Texas RE Investigation (Cold Weather)
2011, 2012 Four 693 Spot Checks
2012 693 Audit
2013 CIP Audit
NERC BOTCC August 2014
ERCOT 2012 and 2013 Engagements
Risk-Based Attention to high risk areas Risk Elements Reliability-focused w/ Key Resources engagements In-depth review Address risk appropriately
Benefits to ERCOT
Audit was efficient and focused
Both teams had the same goal of reliability and security
Recommendations and concerns versus compliance only
Productive recommendations
Curing period allowed for further dialogue among experts
RAIcomments@nerc.net
Physical Security Implementation
Steven Noess, Associate Director of Standards Development
Compliance Committee Meeting
August 13, 2014