Updated COP Process Highlights
• Enhanced Analysis – Analysis of inherent and performance assessment data provides an understanding of an entity’s overall inherent risk and performance profile
• Targeted Oversight – Provides considerations for an entity’s continuous improvement and a focus to a Regional Entity for its compliance monitoring activities
• Prioritized Monitoring – Identifies target interval for oversight, primary monitoring tools, and informs annual planning
• Single Report – One report to provide both inherent risk assessment results and the compliance oversight plan
RELIABILITY | RESILIENCE | SECURITY

Enhanced Analysis
Inputs – Quantitative and Qualitative Data
• Inherent risk assessment – quantitative entity data such as what you own or operate
• Performance assessment – qualitative entity data such as internal controls, culture of compliance, compliance history, event data

Targeted Oversight
• COPs will communicate the Regional Entity’s current understanding of a Registered Entity’s inherent risk and performance profile
• COPs will include selected Risk Categories for monitoring
• Provides considerations for an entity’s continuous improvement
• Provides focus for Regional Entity for its compliance monitoring activities

Risk Categories
• Asset/System Identification
• Asset/System Physical Protection
• Asset/System Management and Maintenance
• Entity Coordination
• Long-term Studies/Assessments
• Operational Studies/Assessments
• Identity Management and Access Control
• Emergency Operations Planning
• Modeling Data
• Operating During Emergencies/Backup & Recovery
• System Protection
• Training
• Normal System Operations

Prioritized Monitoring
• Identifies target interval for oversight, primary monitoring tools, and informs annual planning

Prioritized Monitoring
Category | Inherent risk and performance profile | Target interval
1 | Higher inherent risk without demonstrated positive performance | 1 – 3 Years
2 | Higher inherent risk with demonstrated positive performance | 2 – 4 Years
3 | Moderate inherent risk without demonstrated positive performance | 3 – 5 Years
4 | Moderate inherent risk with demonstrated positive performance | 4 – 6 Years
5 | Lower inherent risk without demonstrated positive performance | 5 – 7 Years
6 | Lower inherent risk with demonstrated positive performance | 6+ Years

Performance Impact
• COPs establish target intervals for engagements based off of inherent risk and performance profile
Category 1: The target monitoring interval for a higher risk entity without demonstrated positive performance is once every 1 – 3 years. A Regional Entity will use one or a combination of the following CMEP Tools:
• Audit (on or off-site)
• Self-Certifications
• Spot Check
Category 2: The target monitoring interval for a higher risk entity with demonstrated positive performance is once every 2 – 4 years. A Regional Entity will use one or a combination of the following CMEP Tools:
• Audit (on or off-site)
• Self-Certifications
• Spot Check

Contents of the COP Report
Single Report
1. Purpose
2. Analysis and Results
3. Oversight Strategy
App. A: IRA Results Summary
App. B: Standards and Requirements for Monitoring

COP Process Implementation Timeline
• Throughout the second half of 2019, Regional Entities will begin implementation of new COP summaries.
• Industry outreach will begin in July 2019 and continue through 2020.
Align Project Update
David Calderon, NERC, Senior Engineer, Grid Planning & Operations Assurance
2019 Compliance and Standards Workshop
July 24, 2019

What is Align?
• Single, common portal for registered entities, enabling consistency of experience.
• Real-time access to information, eliminating delays and manual communications.
• Improved capability to support the Risk-Based Compliance Oversight Framework.
• Enhanced quality assurance and oversight, enabling consistent application of the CMEP.

Align Release 1: What to expect as a registered entity?
Stakeholder Group: Registered Entities
Release 1 Functionality
• Create and submit Self-Reports and Self-Logs
• Create and manage mitigating activities (informal) and Mitigation Plans (formal)
• View and track Open Enforcement Actions (“EAs”) resulting from all monitoring methods
• Receive and respond to Requests for Information (“RFIs”)
• Receive notifications and view dashboards on new/open action items
• Generate report of Standards and Requirements applicable to your entity
• Manage user access for your specific entity
Update on Development
• Development and testing will require a 6-8 week extension.
• Revised deployment approach.
• Will provide a more manageable go live for NERC and the Regions.
• NERC will go live with two Regions, MRO and Texas RE, by September 30th.
• The remaining regions will onboard by November 1st.

Update on Training
• The following roles need training for Release 1: Primary Compliance Contact (PCC), Alternate Compliance Contact (ACC), Authorizing Officer (AO)
• Regional staff and registered entity trainings will be rescheduled to after September 15 at the earliest, based on the schedule set up by NERC.
• Will be supported with training materials and process documentation.
• Entities should coordinate with their Regional Align contacts for additional training and timing related questions.
Regional Contacts
Region | Contact Name | Contact Email
MRO | Desiree Sawyer | Desiree.Sawyer@mro.net
MRO | Marissa Falco | Marissa.Falco@mro.net
NPCC | Jason Wang | jwang@npcc.org
RF | Ray Sefchick | ray.sefchik@rfirst.org
SERC | Todd Curl | TCurl@serc1.org
Texas RE | Rochelle Brown | Rochelle.Brown@TEXASRE.org
WECC | Michael Dalebout | mdalebout@wecc.org
Break
Webinar participants: We will return at 10:30 a.m. Central
Centralized Organization Registration ERO System (CORES) Update
Ryan Stewart, NERC, Senior Manager of Registration and Certification
2019 Compliance and Standards Workshop
July 24, 2019

Agenda
• CORES Concept Video Demonstration: https://vimeopro.com/nerclearning/cores-video-library/video/337820719
• Overview of CORES
• Registered Entity Pilot Sessions and Outreach Engagements
• Training and Outreach Events
• Rollout Strategy

CORES Overview
• The objective of the Centralized Organization Registration ERO System (CORES) project is to create a centralized registration system for the Electric Reliability Organization (ERO). This project will address:
  o Processing of registration requests
  o Granting of a NERC Compliance Registry (NCR) identification number
• The information collected in CORES will be based upon the existing Common Registration Form that each Regional Entity currently uses for processing registration requests
• Link to CORES project page – FAQs, timeline, opportunities for engagement (https://www.nerc.com/pa/comp/Pages/CORESTechnologyProject.aspx)

Key Points About CORES Transition
• The CORES application is hosted on the ERO Portal
  o Each entity user that will register or modify registration with NERC will need an ERO Portal account: https://eroportal.nerc.net/
• Registered entities will not need to register again
• The process for collecting data is different – the data is virtually the same
• Initial training videos developed – more in the works

ERO Portal Access

Benefits
• CORES will expand current functionality, align regional registration processes, and provide an improved system-based approach to processing registration requests.
• Central repository for collecting registered entity data
• New functionality for entities in multiple regions
  o Coordinated Oversight now captured
• Easily update information in a central location

Key Points About CORES Transition
• CORES is not currently planned to be used for:
  o Compliance Monitoring and Enforcement Functions – see the Align project: https://www.nerc.com/ResourceCenter/Pages/CMEPTechnologyProject.aspx
  o Certification or Certification Reviews – no system in place for Certification or Certification reviews at this time
  o BES Exceptions – BES Exceptions will continue to utilize the BESnet application for processing

Outreach and Engagements
• Focus Group
• AWG
• ORCS
• CCC
• Bulletins
• Regional Workshops
• Registered Entity Pilots – Testing
• Training

Registered Entity Pilot Sessions
• May 14 | RF Hosted Reg. Entity Pilot Roadshow
• May 16 | Texas RE Hosted Reg. Entity Pilot Roadshow
• May 21 | NPCC Hosted Reg. Entity Pilot Roadshow
• May 23 | NERC/Slalom Hosted Reg. Entity Pilot Roadshow

Training and Outreach Events
• Planned Training Dates (subject to change)
  o June 6/7 | Begin to Post Training Materials
  o July 10 | NERC hosted ERO WebEx (pre-release)*
  o July 15-19 | Expected CORES System Release*
  o End of July | NERC hosted ATL ERO In-person & WebEx, open Q&A (post-release)*
  o End of July | NERC hosted ERO WebEx (*in-person), open Q&A (post-release)*
*Expected based on when this material was developed

Rollout Strategy
• ERO is currently developing the rollout strategy
• Initial group will include pilot session and focus group participants
• Each Regional Entity will work with their unique registered entities on certain milestones:
  o ERO Portal accounts created
  o Contact information verified
  o Data validation from the migration of existing data
  o Entering of other information
• NERC will work with all Regional Entities for those registered in multiple Regions

Website
Multi-Region Registered Entity Coordinated Oversight Program
Fahad Ansari, NERC, Senior Compliance Auditor
2019 Compliance and Standards Workshop
July 24, 2019
Terminology

Program Objectives
• Streamline ERO Enterprise activities for the registered entities by eliminating unnecessary duplication of administrative tasks
• Focus on risk to reliability, while improving efficiency and consistency of Compliance Monitoring and Enforcement Program (CMEP) Activities
• Coordinate Lead Regional Entity (LRE) and Affected Regional Entity (ARE) oversight responsibilities to work collectively and collaboratively to support risk-based compliance monitoring and effective implementation of the Program

Activities Under Coordinated Oversight
• Self-Reports
• Compliance Audits and Spot Checks
• Self-Certifications
• Periodic Data Submittals
• Complaints
• Technical Feasibility Exceptions (TFEs)
• Mitigation Plan Review and Verification
• Enforcement Coordination
• System Events
• Organization Registration
• NERC Alerts

Current MRRE Program Breakdown
• 50 MRRE Groups in Coordinated Oversight (210 registered entities)
Distribution of 47 MRRE Groups by LRE: WECC 6, MRO 17, Texas RE 9, SERC 6, NPCC 1, RF 11

Program Criteria
• Registered Entity Inclusion Criteria
  o Operates in or owns assets in two or more Regional Entity jurisdictions
  o Verifies its Primary Compliance Contact (PCC), Authorizing Officer (AO) or Primary Compliance Officer (PCO) contact information is accurate prior to submitting request for inclusion
  o Designates a PCC
  o Common (integrated) Compliance Program across all NCRs and programs

Program Criteria
• LRE Selection Criteria
  o Bulk power supply (BPS)/Bulk Electric System (BES) reliability considerations
  o Registered entity operational characteristics
  o Resource considerations

Stakeholder Communication
• Focus on Key Program Initiatives
  o Clearly defined roles/responsibilities
  o Timing of conducting Inherent Risk Assessment (IRA) and Compliance Oversight Plan (COP)
  o CMEP Technology Project
• Onboarding meeting for new participants
• Post-audit feedback survey
• Publicly posted FAQs and MRRE Coordinated Oversight guide

Other Questions
• Am I an MRRE?
• I am registered in multiple regions under different NCRIDs; can I participate in the Coordinated Oversight Program?
• Upstream owner is not a registered entity; what now?
• After participating in the Program, does the number of Regional Entities reduce to one?
• Do I have to respond to NERC Alerts for all NCRIDs in my MRRE Group?
• Why do I have to submit MiDAS reporting in ARE footprint?
Internal Controls in Enforcement
Ed Kichline, NERC, Senior Counsel and Director of Enforcement Oversight
2019 Compliance and Standards Workshop
July 24, 2019

Overview
• Enforcement’s role in the risk-based Compliance Monitoring and Enforcement Program
• Identification and reporting of noncompliance
• Risk assessment of noncompliance
• Mitigation of noncompliance

Risk-Based Enforcement
• Outcomes for noncompliance are based on risk
• Risk is based on specific facts and circumstances
• Mitigation required for all noncompliance
• Continuous evaluation and communication of risks
  o Analysis and lessons learned shared publicly
  o Input to risk identification

Goals and Principles of Enforcement Activities
• Overarching goal of sustainable compliance
  o Focus on robust mitigation to reduce risks and likelihood of recurrence
  o Establishing cultures of continuous learning
  o Meaningful engagements and interactions between Regional Entities and registered entities throughout resolution of noncompliance
• Value of internal controls to foster lasting solutions

Internal Controls in Identifying and Reporting Noncompliance
• Describe the internal control that led to discovery of the noncompliance
  o Effect on extent of condition review
• Determine whether a preventive control did not work as designed
  o Opportunity for mitigation

Internal Controls in Risk Assessment
• Preventive controls that reduce incident probability
  o Reduce the likelihood of something occurring
• Detective internal controls
  o Periodic reviews to identify possible issues
• Corrective internal controls that reduce the length of the noncompliance

Controlling risks
• Redundancy in processes that have been drilled and practiced
• Walkdowns for additional visibility of facilities and equipment
• Automated tools
  o CIP-004-6 R3
  o CIP-007-6 R5
• Alarms
• Checks to ensure the controls are functioning as designed

Internal Controls in Mitigation
• Strengthen the preventive controls that may have failed
• Opportunities for improved detective controls
• Value of details on your internal controls
  o What will be done
  o Who will do it
  o How often will it be done

Results of Mitigation
• Report the results of your completed mitigation
  o Any adjustments to ratings or settings?
  o Any applicable patches missed?
  o Any events in unreviewed logs?

Effectiveness of internal controls
• Tasks with checklists
  o Requirements to be kept on hand during performance of tasks
  o Checkbox to confirm use of checklists
• Administrative barriers that cannot be avoided in completion of activities
  o CIP-010
• Physical barriers vs. written policies and warning signs
• Requiring sign-off on results of testing, inspection, or maintenance activity
• Revise procedures to include explicit process steps addressing the missed activity

Effectiveness of internal controls
• Training
  o Recurring mandatory training
  o For new employees soon after onboarding
  o Demonstrating comprehension of training
• Change management
  o Mergers and restructuring
  o Additions of assets and facilities

Examples of internal controls in mitigation
• PRC and MOD
  o Biannual review of new facilities to identify new equipment to add to the Protective System Maintenance Program
  o GRC tracking tool with notifications to internal personnel and outside consultant
  o Preventive Maintenance work orders to ensure completion of periodic activities
• FAC-008-3 R6
  o Require two planners to enter and verify data for new facilities and equipment
• Tracking new or revised Standards to ensure more effective implementation

The Benefits of Internal Controls
• Greater reliance on what you report
• Protection against harm from the noncompliance
• Reduced likelihood of recurrence of the noncompliance
• Sustainable compliance
  o Enhanced reliability and security
Lunch
Webinar participants: We will return at 1:00 p.m. Central
Compliance Guidance
Kiel Lyons, NERC, Senior Manager, Grid Planning and Operations Assurance
2019 Compliance & Standards Workshop
July 24, 2019

Overview
• Background
• Compliance Guidance Policy
• Types of Guidance
• Prequalified Organizations
• Endorsement Process
• Implementation Guidance Development Aid
• Current Guidance
• Compliance Guidance Web Page
• Resources
• Key Take-Aways
• Questions and Answers

Background
Transformation of Guidance Documents
• FERC Interpretations
• Implementation Guidance
• CMEP Practice Guides
• Compliance Process Bulletins (being retired)
• Directives and Bulletins for Regional Entities (being retired)
• Compliance Application Notices (CAN) (being retired)
• Compliance Analysis Report (CAR) (being retired)
Compliance Guidance Policy
• Purpose of policy
  o Industry implement Reliability Standards
  o ERO CMEP staff execute duties
• Compliance Guidance team
  o Reviewed role, purpose, development, use, and maintenance
  o Recommended use of examples
• NERC Board of Trustees approved Compliance Guidance Policy

Compliance Guidance Policy Principles
• Cannot change scope of Reliability Standard
• May be developed concurrently with Reliability Standard
• Should not conflict
• Should be developed collaboratively
• Not only way to comply
• Additional Considerations:
  o Finite and limited set
  o Related guidance in one location
  o Consider revising standard
  o Apply professional judgment
  o Feedback loops
Types of Guidance
Compliance Guidance
• Implementation Guidance
• CMEP Practice Guides

Implementation Guidance
• Developed by industry, for industry
• Endorsed by the ERO Enterprise
• Given deference during monitoring by the ERO Enterprise
• Examples or approaches
  o One of several possible approaches
• Developed by:
  o Standard Drafting Team (SDT)
  o Pre-Qualified Organization
CMEP Practice Guides
• Developed by ERO Enterprise, for ERO Enterprise
  o May be initiated through industry discussions
  o Publicly posted
• ERO Enterprise CMEP staff approach
  o Fosters consistency
• All guidance reviewed by NERC Vice President, Deputy General Counsel, and Director of Enforcement
Pre-Qualified Organizations
Approved by Compliance and Certification Committee (CCC)
• The organization must:
  o Be actively involved in NERC operations
  o Have methods to assure technical rigor
  o Possess ability to vet content

Pre-Qualified Organizations
Pre-Qualified Organization Application Process
1. Applicant applies with the CCC
2. CCC Reviews Application
3. CCC notifies the applicant of approval
4. Applicant is added to Pre-Qualified Organization List

Standard Drafting Teams
• Standard Drafting Teams (SDTs)
  o Identifies examples
  o Reviews existing guidance
• Examples vetted by industry through comment/ballot process
• Decision to submit for ERO Enterprise endorsement made by
  o Project Management and Oversight Subcommittee (PMOS) liaison
  o NERC standards developer
• May not submit guidance after standard is approved
  o Must be submitted by Pre-Qualified Organization

Endorsement Process
Endorsement of Implementation Guidance
• Pre-Qualified Organization or SDT submit proposed guidance
  o Email to ComplianceGuidance@nerc.net
  o Include Implementation Guidance Submittal Form
• NERC:
  o Acknowledges receipt
  o Posts proposed guidance
  o Distributes to ERO Enterprise SMEs
• ERO Enterprise endorses or declines to endorse
• Publicly posted
  o Non-endorsed noted in spreadsheet

Development Aid
Development Aid
• Ensure guidance provides specific examples or approaches to compliance.
• Ensure guidance does not conflict with, or contradict, previously approved documents.
• Ensure guidance capitalizes terms defined in the NERC Glossary of Terms when the term is intended to have the same meaning as defined in the Glossary.
• Ensure guidance does not add compliance obligations to an entity that are not specifically required by the subject Reliability Standard and Requirement.

Development Aid
• Ensure guidance does not make the subject Reliability Standard and Requirement less restrictive.
• Ensure guidance does not include language that attempts to describe an audit approach.
• Ensure guidance does not introduce new terminology, attempt to define a term, interpret a term, or clarify an ambiguity in the subject Reliability Standard and Requirement.
• Ensure guidance correctly references footnotes, citations, active links, illustrations, table numbers, attachments, addendums, appendices, etc.
• Ensure guidance does not skip steps or stop short of complying with the subject Reliability Standard and Requirement by addressing the entire Requirement in sufficient detail.

Development Aid
• Consider using the specific language of the subject Reliability Standard and Requirement when possible.
• Consider avoiding terms that were used in previous versions of a Reliability Standard, but are no longer in use in the current version of the subject Reliability Standard and Requirement.
• Consider using illustrations such as diagrams, sample records, flowcharts, templates, etc.
• Consider using softer words such as “should consider”, “may want to”, “recommended”, etc. when the processes, procedures, or approaches described are examples and are not prescriptive and mandatory.