2015 Internal Compliance Program Assessment – ICPA
Version 5.0
February 2, 2015
CONTACT INFORMATION
Entity Name:
NERC # Registry ID:
Primary Compliance Contact Name:
Primary Contact Title:
Office Phone:
Cell Phone:
Email:
Click here to enter text.
Click here to enter text.
Click here to enter text.
Click here to enter text.
Click here to enter text.
Click here to enter text.
Click here to enter text.
Alternate Compliance Contact Name:
Alternate Compliance Contact Title:
Office Phone:
Cell Phone:
Email:
Click here to enter text.
Click here to enter text.
Click here to enter text.
Click here to enter text.
Click here to enter text.
Authorizing Entity Officer Name:
Authorizing Entity Officer Title:
Mailing address (Not a P.O. Box):
Telephone:
Email:
Click here to enter text.
Click here to enter text.
Click here to enter text.
Click here to enter text.
Click here to enter text.
W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L • W W W . W E C C . B I Z
155 NORTH 400 WEST • SUITE 200 • SALT LAKE CITY • UTAH • 84103 -1114 • PH 801.582.0353 • FX 801.582.3918
Internal Compliance Program Assessment
TABLE OF CONTENTS
PURPOSE ................................................................................................................................ i
INSTRUCTIONS ....................................................................................................................... i
SURVEY QUESTIONS .............................................................................................................. 1
1.
ICP ....................................................................................................................................... 1
2.
Identify and Update Requirements .................................................................................... 2
3.
Risk Assessment .................................................................................................................. 3
4.
Officers/Personnel .............................................................................................................. 4
5.
Independent Access to Executives...................................................................................... 5
6.
Independently Managed ..................................................................................................... 6
7.
Resources ............................................................................................................................ 7
8.
Leadership Support ............................................................................................................. 8
9.
Measurable Compliance Performance Targets .................................................................. 9
10. Compliance Training ......................................................................................................... 10
11. Compliance Communications ........................................................................................... 11
12. Program Implementation ................................................................................................. 12
13. Promoting Compliance through Employee Incentives ..................................................... 13
14. Enforcement ..................................................................................................................... 14
15. Self-Audit........................................................................................................................... 15
16. Self-Reporting ................................................................................................................... 16
17. Program Evaluation and Modification .............................................................................. 17
18. Internal Controls ............................................................................................................... 18
19. External Industry Participation ......................................................................................... 19
AUTHORIZATION ................................................................................................................. 20
APPENDIX A: Overview of FERC Statements by Question ..................................................... 21
APPENDIX B: Selected Example ICP Practices....................................................................... 23
W E S T E R N E L E C T R I C I T Y C O O R D I N A T I N G C O U N C I L • W W W . W E C C . B I Z
155 NORTH 400 WEST • SUITE 200 • SALT LAKE CITY • UTAH • 84103 -1114 • PH 801.582.0353 • FX 801.582.3918
Internal Compliance Program Assessment
PURPOSE
The WECC Internal Compliance Program Assessment (ICPA) is a tool to help entities
assess their internal compliance programs. The ICPA will assist WECC in its review and
understanding of the programs that entities have implemented to ensure compliance
with the NERC Reliability Standards. The ICPA is:

Based on relevant FERC orders, FERC direction, and WECC and NERC experience
related to robust internal compliance programs. The ICPA includes an Appendix A
containing referenced or supporting FERC documents.

Composed of nineteen questions designed to focus on various aspects of an entity’s
program.

Designed to prompt an entity to identify and gather specific, relevant information related
to its internal compliance program.

Adaptable to allow for the unique constraints of smaller entities as well as flexible
enough to recognize distinct characteristics across the variety of programs.
INSTRUCTIONS
1. For each question below, choose the statement that best describes the
responsible entity’s current status.
2. Please attach supporting documentation or provide associated page numbers
and paragraph references within the ICP, and submit this completed package to
WECC.
For example, this documentation package may include, but not be limited to:







Organizational charts
Internal plans, policies, processes and/or procedures
Emails
Training manuals
PowerPoint presentations with associated attendance rosters
ICP workshops; and/or
CBT modules.
Note: For the purposes of this document, “compliance program(s)” refers to
programs concerned with compliance with NERC Reliability Standards.
WECC Compliance Monitoring and Enforcement Program
Internal Compliance Program Assessment Version 5.0 2/2/2015
i
Internal Compliance Program Assessment
SURVEY QUESTIONS
1. ICP
Is the ICP an established, formal program? For example, does the ICP contain fully
documented plans, policies, processes and/or procedures, internal controls, and
other systematic preventive measures for the governance and management of
compliance with NERC Reliability Standards?
Note: See Appendix B for example practices.
Choose the statement that best describes the ICP:
☐
☐
☐
NO
PARTIAL
YES
The ICP does not have any documented plans, policies, processes and/or
procedures, internal controls, and other systematic preventive measures.
The ICP has some documented plans, policies, processes and/or
procedures, internal controls, and other systematic preventive measures, but
does not address all.
The ICP has well documented plans, policies, processes and/or procedures,
internal controls, and other systematic preventative measures.
Describe, in narrative form, how the entity documents its ICP:
Click here to enter text.
Please provide supporting evidence. Examples of supporting evidence may
include one or more of the following or equivalent:



The entity’s ICP document(s)
Plans, policies, processes and/or procedures, internal controls, and other systematic preventive
measures associated with the entity’s governance and management of compliance with NERC
Reliability Standards
Other documented processes and/or procedures as applicable
Applicable Document(s), Page and Section
Click here to enter text.
WECC Compliance Monitoring and Enforcement Program
Internal Compliance Program Assessment Version 5.0 2/2/2015
1
Date and/or Version
Click here to enter text.
Internal Compliance Program Assessment
2. Identify and Update Requirements
Does the ICP identify and list all NERC Reliability Standards applicable to the entity?
Does the ICP contain a process and/or procedure for updating this list as Standards
change?
Note: See Appendix B for example practices.
Choose the statement that best describes the ICP:
☐
☐
☐
NO
The ICP does not have a process and/or procedure for identifying and
updating the NERC Reliability Standards applicable to the entity.
The ICP identifies all or some of the NERC Reliability Standards applicable
PARTIAL to the entity, but does not contain a process and/or procedure for updating
this list as Standards change.
YES
The ICP identifies all NERC Reliability Standards applicable to the entity
and contains a process and/or procedure for updating this list as Standards
change.
Describe, in narrative form, how the entity identifies and lists the applicable
NERC Reliability Standards in its ICP:
Click here to enter text.
Please provide supporting evidence. Examples of supporting evidence may
include one or more of the following or equivalent:



A plan or other document that lists NERC Reliability Standards that apply to the entity
A description of the process and/or procedure the entity follows to update this list when
Standards change, as applicable
Version control records of the entity’s Reliability Standards lists
Applicable Document(s), Page and Section
Click here to enter text.
WECC Compliance Monitoring and Enforcement Program
Internal Compliance Program Assessment Version 5.0 2/2/2015
2
Date and/or Version
Click here to enter text.
Internal Compliance Program Assessment
3. Risk Assessment
Does the ICP include processes and/or procedures to assess compliance and
reliability risks related to the NERC Reliability Standards on an annual basis?
Note: See Appendix B for example practices.
Choose the statement that best describes the ICP:
☐
☐
☐
NO
The ICP does not document how compliance and reliability risk is
assessed.
PARTIAL
Although the ICP includes processes and/or procedures to assess
compliance and reliability risks, the entity does not assess risk on an
annual basis.
YES
The entity assesses its compliance and reliability risks, and the ICP
includes processes and/or procedures to assess compliance and reliability
risks at least annually.
Describe, in narrative form, how the entity assesses compliance and reliability
risks:
Click here to enter text.
Please provide supporting evidence. Examples of supporting evidence may
include one or more of the following or equivalent:


The entity’s compliance and reliability risk assessment processes and/or procedures
Final risk assessment reports
Applicable Document(s), Page and Section
Click here to enter text.
WECC Compliance Monitoring and Enforcement Program
Internal Compliance Program Assessment Version 5.0 2/2/2015
3
Date and/or Version
Click here to enter text.
Internal Compliance Program Assessment
4. Officers/Personnel
Has the entity named and staffed a Compliance Officer, FERC/NERC Director, or
additional FERC/NERC personnel as required to support its ICP?
Smaller Entities: A smaller entity may not have sufficient staff to dedicate
one employee as a full-time Compliance Officer or FERC/NERC Director. In
such cases, has the entity assigned one person the responsibility to
coordinate or monitor the entity’s compliance responsibilities?
Choose the statement that best describes the ICP:
☐
☐
☐
The entity has not identified or assigned compliance responsibility and
accountability to a Compliance Officer, FERC/NERC Director/Manager, or
other high-ranking official.
NO
PARTIAL
YES
Name(s):
The entity has identified and assigned responsibility for some compliance
activities to various employees throughout the organization.
The entity has identified and assigned responsibility and accountability to
a Compliance Officer or other high-ranking official, FERC/NERC
Director/Manager, and additional personnel as required. For larger
organizations, at least one position is fully dedicated to FERC/NERC
compliance. For smaller organizations, at least one position is partially
dedicated to FERC/NERC compliance. Below, provide the name(s) and
title(s) of the employee(s) currently staffing this/these position(s).
Click here to enter text.
Describe, in narrative form, how the entity has assigned compliance
responsibility in the organization:
Click here to enter text.
Please provide supporting evidence. Examples of supporting evidence may
include one or more of the following or equivalent:


Compliance Organizational Chart
Defined Roles and Responsibilities assigned to entity personnel for each NERC Reliability
Standard identified in Item 2 above
Applicable Document(s), Page and Section
Click here to enter text.
WECC Compliance Monitoring and Enforcement Program
Internal Compliance Program Assessment Version 5.0 2/2/2015
4
Date and/or Version
Click here to enter text.
Internal Compliance Program Assessment
5. Independent Access to Executives
Does the assigned compliance official(s) have independent access to the CEO or
equivalent and/or Board of Directors?
Note: If your entity does not currently have an assigned compliance official, please
answer “NO” to this question.
Choose the statement that best describes the ICP:
☐
☐
NO
The entity’s assigned compliance official does not have independent
access to the CEO or equivalent and/or Board of Directors.
YES
The entity’s assigned compliance official has independent access to the
CEO and/or Board of Directors.
Describe, in narrative form, how the entity provides independent access to the
CEO or equivalent and/or Board of Directors for its employee(s) responsible for
compliance:
Click here to enter text.
Please provide supporting evidence. Examples of supporting evidence may
include one or more of the following or equivalent:


Organizational chart or plan showing independent access
Sample meeting minutes, notes, agendas, emails, etc., showing independent access to senior
management
Applicable Document(s), Page and Section
Click here to enter text.
Date and/or Version
Click here to enter text.
WECC Compliance Monitoring and Enforcement Program
Internal Compliance Program Assessment Version 5.0 2/2/2015
5
Internal Compliance Program Assessment
6. Independently Managed
Is the ICP operated and managed so it is independent of those responsible for
compliance with the NERC Reliability Standards?
Smaller Entities: A smaller entity may not have the available personnel to
manage its ICP separately from the work groups that are responsible for
complying with NERC Reliability Standards. In such cases, those personnel
responsible for compliance should at minimum have independent access to the
company’s assigned compliance official, the CEO or equivalent, and/or the Board
of Directors (see item 5 above).
Choose the statement that best describes the ICP:
☐
☐
☐
NO
PARTIAL
YES
The ICP is not managed or operated independently of the work groups
that are responsible for complying with NERC Reliability Standards.
The ICP is managed by the work groups that are responsible for
complying with NERC Reliability Standards, but it is managed
independently.
The ICP is managed and operated independently of the work groups that
are responsible for complying with NERC Reliability Standards.
Describe, in narrative form, how the entity independently manages its ICP:
Click here to enter text.
Please provide supporting evidence. Examples of supporting evidence may
include the following document or equivalent:


Organizational chart or plan which shows how the program is independently managed
For smaller entities, please provide applicable documentation
Applicable Document(s), Page and Section
Click here to enter text.
WECC Compliance Monitoring and Enforcement Program
Internal Compliance Program Assessment Version 5.0 2/2/2015
6
Date and/or Version
Click here to enter text.
Internal Compliance Program Assessment
7. Resources
Has the entity dedicated resources (staff and budget) to support its ICP?
Choose the statement that best describes the ICP:
☐
☐
☐
NO
The entity’s budget does not provide for any staff resources to work on
compliance with NERC Reliability Standards.
PARTIAL
The entity has provided for staff resources within its budget but cannot
demonstrate that staff resources were allocated to compliance with NERC
Reliability Standards.
YES
The ICP is fully budgeted and fully or partially staffed (relative to the
number of full time equivalent staff that implements the Reliability
Standards) on a year-round basis.
Describe, in narrative form, the support the entity allocates to its ICP:
Click here to enter text.
Please provide supporting evidence. Examples of supporting evidence may
include the following document or equivalent:

Organizational chart or plan which shows compliance roles and responsibilities and how they
are staffed
Applicable Document(s), Page and Section
Click here to enter text.
WECC Compliance Monitoring and Enforcement Program
Internal Compliance Program Assessment Version 5.0 2/2/2015
7
Date and/or Version
Click here to enter text.
Internal Compliance Program Assessment
8. Leadership Support
Does the ICP have the support and participation of senior management (Officer
Level)? This includes reviewing compliance reports, participating in compliance
meetings, and communicating the importance of compliance to entity personnel on a
regular basis.
Choose the statement that best describes the ICP:
☐
☐
☐
NO
PARTIAL
YES
Senior management does not actively support or routinely participate in
the ICP.
Senior management reviews compliance reports, participates in
compliance meetings, and communicates to employees their commitment
to compliance at least semi-annually.
Senior management is actively involved in compliance efforts, reviews
compliance reports, participates in compliance meetings, and
communicates to employees its commitment to compliance frequently,
both formally and informally. Compliance activities occur at least quarterly.
Describe, in narrative form, the support the ICP receives from the entity’s Officer
Level leadership:
Click here to enter text.
Please provide supporting evidence. Examples of supporting evidence may
include one or more of the following or equivalent:





Samples of Senior Management Communications for the past 12 months
Samples of Compliance meeting agendas for the past 12 months
Samples of Compliance committee meeting minutes for the past 12 months
Samples of relevant e-mail memos, newsletters, etc. for the past 12 months
Description of management review/approval process and/or procedure
Applicable Document(s), Page and Section
Click here to enter text.
WECC Compliance Monitoring and Enforcement Program
Internal Compliance Program Assessment Version 5.0 2/2/2015
8
Date and/or Version
Click here to enter text.
Internal Compliance Program Assessment
9. Measurable Compliance Performance Targets
Does the entity promote compliance by including measurable compliance
performance targets in the ICP? For example, the entity might use an Excel
spreadsheet to list all requirements, who is responsible for each requirement, target
dates, and status of compliance with each. Additional targets might include, but are
not limited to, completing self-certifications on time, achieving “full compliance”
following a mock audit, completing mitigation plans on time, or other relevant goals.
Note: See Appendix B for example practices.
Choose the statement that best describes the ICP:
☐
☐
☐
The ICP does not identify measureable compliance performance targets.
NO
PARTIAL
YES
The ICP contains general compliance performance targets, but the
performance targets are not specific or measureable.
The ICP includes measureable, specific compliance performance targets
for employees. These targets might include, but are not limited to, full
compliance for each requirement, timely self-certification submittals,
mitigation plan target dates, successful mock audits, etc.
Describe, in narrative form, how the entity measures its compliance performance:
Click here to enter text.
Please provide supporting evidence. Examples of supporting evidence may
include one or more of the following or equivalent:


Specific NERC compliance performance targets and goals and how they are measured
Sample results
Applicable Document(s), Page and Section
Click here to enter text.
WECC Compliance Monitoring and Enforcement Program
Internal Compliance Program Assessment Version 5.0 2/2/2015
9
Date and/or Version
Click here to enter text.
Internal Compliance Program Assessment
10. Compliance Training
Does the ICP require compliance training for all entity staff, contractors and vendors
who have direct responsibility for the implementation of the processes and/or
procedures that demonstrate compliance with the NERC Reliability Standards?
Relevant personnel may include but are not limited to: Subject Matter Experts
(SMEs), Engineers, Technicians, Vegetation Management implementers and
System Operators (as applicable). Does this training measure understanding
through quizzes, exams, surveys, etc. consistent with a Registered Entity’s collective
bargaining agreements?
Note: See Appendix B for example practices.
Choose the statement that best describes the ICP:
☐
☐
☐
The ICP does not require training for relevant personnel.
NO
PARTIAL
YES
The ICP requires training for personnel that have a direct responsibility for
compliance with NERC Reliability Standards.
The ICP includes detailed training for personnel, including contractors and
vendors that have a direct responsibility for compliance with NERC
Reliability Standards, including assisting personnel who must keep
professional credentials up-to-date. Training also includes overview
compliance awareness training for other employees that do not have a
direct responsibility for compliance with NERC Reliability Standards. All
training includes processes and/or procedures that measure the degree of
understanding and comprehension of such Standards (quizzes, etc.),
consistent with a Registered Entity’s collective bargaining agreements.
Describe, in narrative form, how the entity provides compliance training to all
personnel, including contractors and vendors (see above):
Click here to enter text.
Please provide supporting evidence. Examples of supporting evidence may
include one or more of the following or equivalent:




Compliance Training Program
Compliance Communications Program
Samples of training modules
Attendance records
Applicable Document(s), Page and Section
Click here to enter text.
WECC Compliance Monitoring and Enforcement Program
Internal Compliance Program Assessment Version 5.0 2/2/2015
10
Date and/or Version
Click here to enter text.
Internal Compliance Program Assessment
11. Compliance Communications
Does the ICP require communication to all employees, including contractors and
vendors, etc.? Has the ICP, (i.e. all plans, policies, processes and/or procedures)
been widely disseminated throughout the entity?
Choose the statement that best describes the ICP:
☐
☐
☐
☐
The ICP has not been distributed.
NO
PARTIAL
The ICP has been distributed only to the employees that are involved in
the development and implementation of the ICP.
PARTIAL
The ICP has been distributed only to the employees that have a direct
responsibility for compliance with the NERC Reliability Standards.
YES
The ICP has been distributed to all employees, and, if applicable, to
contractors and vendors.
Describe, in narrative form, how the entity disseminates the ICP to all appropriate
relevant employees, including contractors and vendors:
Click here to enter text.
Please provide supporting evidence. Examples of supporting evidence may
include one or more of the following or equivalent:




Compliance Training Program
Compliance Communications Program
Website samples
Sample e-mail memos, newsletters, etc.
Applicable Document(s), Page and Section
Click here to enter text.
WECC Compliance Monitoring and Enforcement Program
Internal Compliance Program Assessment Version 5.0 2/2/2015
11
Date and/or Version
Click here to enter text.
Internal Compliance Program Assessment
12. Program Implementation
For the purposes of this question the word implement means, “actual fulfillment by
concrete measures.” Has the entity implemented its ICP; i.e. all plans, policies,
processes and/or procedures? Are logs, meeting minutes, forms, agendas, and
other records being kept to show compliance plans, policies, processes and/or
procedures are being followed and are operating as intended?
Choose the statement that best describes the ICP:
☐
☐
☐
The entity has not implemented its ICP.
NO
PARTIAL
The entity has partially implemented its ICP and is continuing to work on
full implementation. The entity has evidence of an implementation plan
with set milestone and completion dates.
YES
The entity has fully implemented its ICP. Entity is currently following all
processes and/or procedures detailed in the ICP and can provide records
as evidence.
Describe, in narrative form, how the entity implements and documents its ICP:
Click here to enter text.
Please provide supporting evidence. Examples of supporting evidence may
include one of more of the following or equivalent:


Samples from each plan, policy, process and/or procedure of the entity’s ICP (including
measurements in item 9 above, Measurable Compliance Performance Targets.)
Logs, meeting minutes, forms, agendas, and other records used to support “proof of
performance” of items 1-11 and 13-19 in this self-assessment.
Applicable Document(s), Page and Section
Click here to enter text.
WECC Compliance Monitoring and Enforcement Program
Internal Compliance Program Assessment Version 5.0 2/2/2015
12
Date and/or Version
Click here to enter text.
Internal Compliance Program Assessment
13. Promoting Compliance through Employee Incentives
Does the entity’s ICP include provisions for compensation, awards, employee
recognition, or other monetary and/or non-monetary incentives to encourage the
relevant employees’ compliance with the NERC Reliability Standards? Is
compliance with NERC Reliability Standards a performance factor on job
descriptions and performance evaluations?
Note: See Appendix B for non-monetary example practices.
Choose the statement that best describes the ICP:
☐
NO
☐
PARTIAL
☐
YES
The ICP does not provide any form of monetary and/or non-monetary
incentives and/or recognition to encourage accountability for employee
compliance with the NERC Reliability Standards.
Entity has monetary and/or non-monetary incentives and/or recognition to
encourage employee compliance with NERC Reliability Standards;
however, the ICP or any other document specific to compliance does not
detail a formal monetary and/or non-monetary incentive and/or recognition
structure.
The ICP includes provisions for, and details of, monetary and/or nonmonetary incentives and/or recognition to encourage employee
compliance with the NERC Reliability Standards and accountability for
compliance. Compliance with NERC Reliability Standards is a
performance factor on job descriptions and performance evaluations.
Describe, in narrative form, how the entity promotes compliance through
incentives:
Click here to enter text.
Please provide supporting evidence. Examples of supporting evidence may
include one or more of the following or equivalent:




Company programs relating to compensation, awards, employee recognition, or other monetary
and/or non-monetary incentives relating to compliance
Samples of non-confidential information related to actual awards or other incentives
Job Descriptions
Other examples of programs or policies entity uses to promote a culture of compliance
Applicable Document(s), Page and Section
Click here to enter text.
WECC Compliance Monitoring and Enforcement Program
Internal Compliance Program Assessment Version 5.0 2/2/2015
13
Date and/or Version
Click here to enter text.
Internal Compliance Program Assessment
14. Enforcement
Does the ICP include processes and/or procedures for disciplinary action for
employees involved in violations of the Reliability Standards? Are available Human
Resources (HR) disciplinary programs utilized as necessary? Is Senior Leadership
or the Board involved as necessary?
Choose the statement that best describes the ICP:
☐
☐
☐
NO
PARTIAL
YES
The entity’s ICP does not include disciplinary action for employees who
are responsible for violations of NERC Reliability Standards.
The entity takes disciplinary action for employees responsible for
violations of NERC Reliability Standards; however, the entity does not
have a formal documented disciplinary action process and/or procedure.
The entity’s ICP includes detailed disciplinary action processes and/or
procedures for employees involved in NERC Reliability Standard
violations, including involving HR, Senior Leadership, and/or the Board as
necessary. The entity has administered disciplinary action when
appropriate.
Describe, in narrative form, the entity’s disciplinary action for employees that are
responsible for violations of NERC Reliability Standards:
Click here to enter text.
Please provide supporting evidence. Examples of supporting evidence may
include:


Company policies relating to disciplinary actions for compliance violations
Samples of any recent disciplinary actions (past 12-24 months) – redacted if necessary
Applicable Document(s), Page and Section
Click here to enter text.
WECC Compliance Monitoring and Enforcement Program
Internal Compliance Program Assessment Version 5.0 2/2/2015
14
Date and/or Version
Click here to enter text.
Internal Compliance Program Assessment
15. Self-Audit
Does the ICP include a formal, internal self-auditing process and/or procedure for
compliance with all applicable NERC Reliability Standards on an annual basis? Are
results reported internally?
Choose the statement that best describes the ICP:
☐
☐
☐
NO
The ICP does not include an internal self-auditing and reporting process
and/or procedure.
PARTIAL
Although the ICP includes a process and/or procedure for internal selfauditing and reporting, the entity does not self-audit and report on at least
an annual basis.
YES
The ICP includes internal self auditing and reporting for compliance on an
annual basis for full compliance with all applicable NERC Reliability
Standards. Audit results are reported and reviewed internally.
Describe, in narrative form, how the entity self-audits its ICP:
Click here to enter text.
Please provide supporting evidence. Examples of supporting evidence may
include one of more of the following or equivalent:


ICP self-audit program
Sample of the audit reports or other results (past 12-24 months) – redacted if necessary
Applicable Document(s), Page and Section
Click here to enter text.
WECC Compliance Monitoring and Enforcement Program
Internal Compliance Program Assessment Version 5.0 2/2/2015
15
Date and/or Version
Click here to enter text.
Internal Compliance Program Assessment
16. Self-Reporting
Does the ICP include specific processes and/or procedures to promote prompt
detection and self-reporting of possible violations to the Regional Entity (WECC)?
Choose the statement that best describes the ICP:
☐
☐
☐
NO
PARTIAL
YES
The ICP does not include processes and/or procedures for self-reporting
possible violations of applicable NERC Reliability Standards.
The ICP does not include processes and/or procedures for self-reporting
possible violations of applicable NERC Reliability Standards, but the entity
has self-reported violations to WECC since the entity was registered.
The ICP includes processes and/or procedures for self-reporting possible
violations of applicable NERC Reliability Standards. In addition, entity has
followed these processes and/or procedures and, if a violation was found,
promptly self-reported the violation to WECC.
Describe, in narrative form, how the entity encourages timely self-reporting in its
ICP:
Click here to enter text.
Please provide supporting evidence. Examples of supporting evidence may
include one or more of the following or equivalent:



Processes and/or procedure for self-reporting
A sample of recent self-reports
A list of the entity’s self-reports for the past 12 months
Applicable Document(s), Page and Section
Click here to enter text.
WECC Compliance Monitoring and Enforcement Program
Internal Compliance Program Assessment Version 5.0 2/2/2015
16
Date and/or Version
Click here to enter text.
Internal Compliance Program Assessment
17. Program Evaluation and Modification
Does the entity regularly review and modify its ICP? This includes a process and/or
procedure to trigger a review of the ICP either following a violation or following
changes to NERC Reliability Standards, and modifying the ICP, if necessary.
Choose the statement that best describes the ICP:
☐
☐
☐
NO
PARTIAL
YES
The ICP does not have an identified review cycle or a process and/or
procedure to trigger a review.
The ICP does not specify a review cycle; however, the entity has a process
and/or procedure to trigger a review, or has reviewed and modified its ICP
since the entity was registered.
The ICP is reviewed on at least an annual cycle. In addition, the entity has a
process and/or procedure to trigger a review either following a violation or
following changes to NERC Reliability Standards. The ICP is modified as
necessary.
Describe, in narrative form, how the entity reviews and modifies its ICP:
Click here to enter text.
Please provide supporting evidence. Examples of supporting evidence may
include one or more of the following or equivalent:


ICP review and modification process and/or procedure
A sample of recent ICP reviews, including version control records
Applicable Document(s), Page and Section
Click here to enter text.
WECC Compliance Monitoring and Enforcement Program
Internal Compliance Program Assessment Version 5.0 2/2/2015
17
Date and/or Version
Click here to enter text.
Internal Compliance Program Assessment
18. Internal Controls
Does the ICP include a process and/or procedure to implement internal controls to
prevent, detect and/or correct possible violations of NERC Reliability Standards?
This includes assessing the effectiveness of internal controls.
See Appendix B for internal controls description and generic examples of internal
control activities.
Choose the statement that best describes the ICP:
☐
NO
The ICP does not include a process and/or procedure to put into place and
assess the effectiveness of internal controls. The entity has not implemented
any internal controls.
☐
PARTIAL
The ICP does not have a process and/or procedure to implement and assess
the effectiveness of internal controls. However, the entity has implemented
some internal controls.
☐
YES
The ICP contains a process and/or procedure to implement and assess the
effectiveness of internal controls. The entity has also implemented robust
internal controls to prevent, detect and/or correct possible violations of NERC
Reliability Standards.
Describe, in narrative form, how the entity uses internal controls to prevent,
detect and/or correct the possible violation of NERC Reliability Standards, and
how the entity assesses the effectiveness of those controls:
Click here to enter text.
Please provide supporting evidence. Examples of supporting evidence may
include one or more of the following or equivalent:



Process and/or procedure for establishing and assessing internal controls
Examples of internal controls implemented (See Appendix B for generic examples of internal
control activities)
Assessments and/or reviews completed by the entity to determine the effective ness of internal
controls (i.e. in terms of high-risk Reliability Standards; in terms of preventative, detective, or
corrective; etc.)
Applicable Document(s), Page and Section
Click here to enter text.
WECC Compliance Monitoring and Enforcement Program
Internal Compliance Program Assessment Version 5.0 2/2/2015
18
Date and/or Version
Click here to enter text.
Internal Compliance Program Assessment
19. External Industry Participation
Has the entity participated in outreach activities to share compliance program
activities with other entities, adjacent utilities, local organizations, etc.? Does the
entity participate in WECC-related conferences and user meetings such as CUG,
CIPUG, Open Webinar, WICF, etc.?
Choose the statement that best describes the ICP:
☐
☐
☐
The entity has not participated in compliance outreach activities.
NO
PARTIAL
YES
The entity has participated occasionally in compliance outreach activities
since June 18, 2007.
The entity regularly participates in outreach activities to share compliance
program activities with other entities, adjacent utilities, and/or local
organizations. The entity also attends WECC-related conferences and user
meetings such as CUG, CIPUG, Open Webinar, WICF, etc.
Describe, in narrative form, the entity’s external industry participation:
Click here to enter text.
Please provide supporting evidence. Examples of supporting evidence may
include some or all of the following or equivalent:



Sample presentations made to professional organizations
Names of persons participating on regional or national compliance committees, does not include
participation in Standards Development processes and/or procedures.
Attendance records for technical conferences, industry webinars, etc.
Applicable Document(s), Page and Section
Click here to enter text.
WECC Compliance Monitoring and Enforcement Program
Internal Compliance Program Assessment Version 5.0 2/2/2015
19
Date and/or Version
Click here to enter text.
Internal Compliance Program Assessment
AUTHORIZATION
An authorized individual must sign and date this Internal Compliance Program
Assessment. By doing so, this individual, on behalf of the entity’s organization, certifies
that the information submitted herein is accurate.
1. This certifies that I am
(Officer’s Name)
of
(RE)
.
2. I am an officer, employee, attorney or other person authorized to sign this
Internal Compliance Program Assessment on behalf of (RE) .
3. I have read and am familiar with the contents of the Internal Compliance Program
Assessment and related documents submitted herein.
4. I understand that based on the answers herein, WECC may request more
information specific to
(RE) ‘s ICP.
5. To the best of my knowledge, the information provided in this response is correct.
Authorized Signature: Click here to enter text.
Name (Print):
Click here to enter text.
Title:
Click here to enter text.
Date:
Click here to enter text.
WECC Compliance Monitoring and Enforcement Program
Internal Compliance Program Assessment Version 5.0 2/2/2015
20
Internal Compliance Program Assessment
APPENDIX A: Overview of FERC Statements by Question
For purposes of this document, the following acronyms apply:
SOE= FERC Revised Policy Statement on Enforcement dated May 15, 2008
http://www.ferc.gov/whats-new/comm-meet/2008/051508/M-1.pdf
SOC= FERC Policy Statement on Compliance dated October 16, 2008
http://www.ferc.gov/whats-new/comm-meet/2008/101608/M-3.pdf
P=Paragraph Number
Risk Assessment/Identify Requirements (#2, #3)
 Prepare an inventory of current compliance risks (SOE, P59)
o (Note: This will result in a list of current program requirements)
 Companies are in the best position to determine the risks their activities entail and how
best to assure compliance (SOC, P9 and 17)
Establish/Modify Compliance Organization (#4, #5, #6)
 Create an independent Compliance Officer who reports to the Chief Executive Officer
and the Board, or to a committee thereof (SOE, P59)
 The program is supervised by an officer or other high-ranking official; this official has
independent access to the board and/or CEO (SOE, P58)
 Senior management may designate compliance officials within the company; This may
be a position devoted exclusively to compliance matters or may be an assigned duty of
an employee (SOC, P13 and P15)
Document Standards, Policies, and Procedures (#1, #9)
 Company has in place rigorous procedures and processes (SOC, P4)
 Companies should invest in systematic preventive measures to keep the company in
compliance with the Commission’s statutes, regulations and orders (SOC, P16)
 The company has an established, formal program (i.e. plans, policies, and procedures)
for internal compliance. It is well documented (SOE P58)
 An inventory of compliance practices (SOE, P59)
 Promote compliance by identifying measurable performance targets (SOE, P59)

Communicate Standards, Policies, and Procedures (#10, #11)
 The ICP is widely disseminated within the company (SOE, P58)
 These factors include … the scope and depth of employee training (SOC, P5)
 The importance [of] tools and training sufficient to enable employees to comply with
Commission requirements (SOC, P6 and SOE, P59)
 Systematic and effective preventive measures (such as careful hiring, training,
accountability, and supervision), are fundamental to an effective compliance program
(SOC, P16)
 The company frequently provides training to all relevant employees; the training is
sufficiently detailed and thorough to instill an understanding of relevant rules and the
importance of compliance (SOE, P58)
WECC Compliance Monitoring and Enforcement Program
Internal Compliance Program Assessment Version 5.0 2/2/2015
21
Internal Compliance Program Assessment
Implement, Promote, and Enforce (#12, #13, #14)




It is not enough to create a good compliance program on paper; the company must carry
through to implement the program (SOC, P16)
A company has rigorous procedures and processes that provide effective accountability
for compliance (SOC, P4 and SOE, P58)
The company responds to wrongdoing (SOE, P58)
Steps taken by a company to end violations and remedy the misconduct (SOC, P21)
Monitor, Audit, and Report (#15, #16, #17)
Auditing and Reporting
 Systematic internal auditing (SOC, P19)
 The company has an ongoing process for auditing compliance with Commission
regulations (SOE, P58)
 The importance on good-faith self-reporting (SOE, P62)
 The compliance plan can call for the company to hire an independent third party auditor
to review its business practices in order to ensure compliance (SOE, P45)
ICP Review
 Periodic review and evaluation of the effectiveness of the program (SOC, P16)
 The company frequently reviews and modifies its compliance program (SOE, P58)
Continuous Improvement (#17, #19)
 Are new or modified prospective controls needed to prevent a recurrence? (SOC, P21)
 Ensure that steps are taken within the company to improve compliance practices (SOE,
P44)
 Describe measures taken by the company to end the practices that led to the violations
(SOE, P45)
 Work with industry associations to develop compliance best practices (SOC, P7);
encourage the continuing exchange of ideas and best practices among regulated
companies (SOC, P7)
Leadership/Corporate Culture (#7, #8)
 The responsibility for a culture of compliance rests squarely on the shoulders of senior
management (SOC, P13)
 Senior management actively involved in compliance efforts (SOE, P58)
 Senior management provides adequate resources for the compliance program to
operate adequately (SOC, P14 and SOE, P58)
 These factors include the active support of senior management (SOC, P5)
 Senior management should communicate to employees its commitment to compliance
frequently, both formally and informally (SOC, P14)
WECC Compliance Monitoring and Enforcement Program
Internal Compliance Program Assessment Version 5.0 2/2/2015
22
Internal Compliance Program Assessment
APPENDIX B: Selected Example ICP Practices
Internal Compliance Program
1. Outline and describe the elements of the ICP in an overview document that
includes the following sections:
a. Purpose, Background, and Program Overview
b. Senior Management, Compliance Officer and Internal Compliance
Program Core Members (including roles and responsibilities)
c. Risk Assessment
d. Internal Controls
e. Measurable Compliance Performance Targets
f. Compliance Communication and Training
g. Self-Audit and Self-Certification
h. Self-Reporting
i. Documentation and Record Keeping
j. Version History
k. Attachments/Links
i. Applicable Reliability Standards
ii. Organizational Chart
iii. Terms and Definitions
2. Outline and describe the elements of ICP in an overview document that includes
the following:
a. Compliance Culture including organization, senior management
commitment, funding, staffing, communication and ICP dissemination.
b. Control Environment including monitoring, tracking, control,
documentation, data retention, reporting, remediation, risk assessment.
c. Continual Improvement including internal auditing, education and training.
3. Along with the ICP overview document, develop an “ICP Handbook” companion
document that includes specific ICP “plans” associated with the ICP. These
plans are detailed processes and/or procedures, which also include the purpose,
objective, responsibilities, reference documents and revision history for each
plan.
Identify and Update Requirements
1. Create a list (in a database, in spreadsheet form, or as a word document) which
clearly identifies all applicable NERC and WECC Reliability Standards. The list
should:
a. Be updated on at least an annual basis, but more frequently as
appropriate.
b. Contain information as to where NERC and WECC Reliability Standards
may be found.
2. On the list of applicable NERC and WECC Reliability Standards, assign specific
Standard Requirements to certain employees, e.g. Subject Matter Experts
(SMEs) or Reliability Standard Owners.
a. The employees would be obligated to continuously monitor and track
compliance with assigned NERC Reliability Standards.
i. List any specific tasks required for compliance
WECC Compliance Monitoring and Enforcement Program
Internal Compliance Program Assessment Version 5.0 2/2/2015
23
Internal Compliance Program Assessment
ii. List any measureable compliance performance targets associated
with tasks required for compliance
3. Ensure new or modified Reliability Standards are promptly identified and
communicated to those required to comply with the standards.
a. Conduct regular (e.g. quarterly) reviews of applicable NERC and WECC
Reliability Standards to ensure that:
i. All applicable Standards are being addressed;
ii. Any changes to Standards are being incorporated into the entity’s
ICP; and
iii. Entity personnel remain aware of any updates, additions, or
modifications to the Standards.
b. Review ICP following NERC or WECC information release, e.g.,
Compliance Application Notices, Updates on Audit Approach
(presentations at the CUG meetings), Reliability Standard Interpretations,
et cetera.
4. Develop or implement a comprehensive compliance tracking solution, beyond a
spreadsheet, (e.g. specialized third-party software) which includes all applicable
NERC and WECC Reliability Standards and Requirements down to the subrequirement level.
a. Document a process for updating all reliability standards on a frequent
basis while allowing multiple groups to track their compliance activities.
b. Leverage the compliance tracking solution as a depository for
documenting evidence, gap analysis records and other data related to
entity’s compliance with the Reliability Standards.
5. Convert the text of the individual Reliability Standards into hyperlinks which point
to the respective standards on the NERC website. Users of the lists can then
easily access the details of the Reliability Standards at the source.
Risk Assessment
1. At a high level, adopt a strategic risk management approach, which incorporates
the following:
a. Anticipate the Risk
i. Assume the worst can happen at any time.
ii. Anticipate the next happening.
iii. Play it out. Think it through.
iv. Figure out what you do not know.
b. Assess the Risk
i. What is the likelihood of the event?
ii. What is the magnitude?
c. Act Against the Risk
i. Establish a strategy to mitigate the risk.
ii. Maintain a holistic view of the risk and solution.
d. Adopt a Plan
i. Develop processes and procedures (specific to risk management).
ii. Identify roles and responsibilities.
2. At a high level, and with a focus on compliance and reliability risk, adopt an
Enterprise Risk Management (ERM) approach, which incorporates the following:
a. Identify Risks
WECC Compliance Monitoring and Enforcement Program
Internal Compliance Program Assessment Version 5.0 2/2/2015
24
Internal Compliance Program Assessment
b. Assess and Evaluate Risks
c. Integrate Risks
d. Respond to Risks
e. Design, Implement and Test Controls
f. Monitor, Assure and Escalate
3. At a high level, and with a focus on compliance and reliability risk, adopt a
strategic risk management approach, which incorporates the following:
a. Anticipate the Risk
i. Assume the worst can happen at any time.
ii. Anticipate the next happening.
iii. Play it out. Think it through.
iv. Figure out what you do not know.
b. Assess the Risk
i. What is the likelihood of the event?
ii. What is the magnitude?
c. Act Against the Risk
i. Establish a strategy to mitigate the risk.
ii. Maintain a holistic view of the risk and solution.
d. Adopt a Plan
i. Develop processes and procedures (specific to risk management).
ii. Identify roles and responsibilities.
4. Uses a point system to compile a compliance and reliability risk index score for
all entity applicable Reliability Standard Requirements and sub-requirements.
a. The score could incorporate several risk factors, including:
i. Violation Risk Factor (VRF)
ii. Actively Monitored List (AML) or equivalent list
iii. Entity violation history, (taking into account Standard Requirements
violated, Violation Impact, Violation Severity Level (VSL), and
mitigation status)
iv. WECC/NERC Most Violated Reliability Standards Reports
v. Requirements that have annual, event driven or periodic activity,
likelihood of occurrence
vi. New versions of Reliability Standards
vii. Changes in key personnel (e.g. SMEs)
b. Quantify and score the risk for each applicable Reliability Standard
Requirement.
i. Develop a method to quantify and evaluate the risk for each risk
factor and each applicable Reliability Standard Requirement, e.g.
create a risk assessment matrix listing each applicable Reliability
Standard Requirement and each risk factor.
ii. Develop a scale, e.g. a numeric scale from 1 to 5, or scale of
High/Medium/Low, and quantify the level of risk for each risk factor
for each Reliability Standard Requirement. Includes the weighting
of risk based on likelihood and magnitude factors.
iii. Aggregate the risk factor valuations into a risk index score for each
Reliability Standard Requirement.
WECC Compliance Monitoring and Enforcement Program
Internal Compliance Program Assessment Version 5.0 2/2/2015
25
Internal Compliance Program Assessment
c. Use the point system above to determine, based on criteria established by
the entity, which Standard Requirements pose the greatest compliance
and reliability risk.
d. Based on the risk-assessment results, the entity may choose to focus
more attention on the higher-risk Standard Requirements.
e. Clearly document the risk assessment results by Reliability Standard
Requirement:
i. Create a spreadsheet or word document with a list of applicable
Reliability Standard Requirements.
ii. Flag or otherwise identify higher-risk Requirements.
iii. List the key control(s) for each identified risk.
5. Use a more basic risk-assessment approach which assesses all entity applicable
Reliability Standard Requirements and sub-requirements and simply flags or
highlights Requirements based on risk factors. (See risk factors listed under 1.a.
above.)
6. Conduct risk assessments on a regular basis, i.e., annually, or more frequently
based on the level of risk.
7. Group or categorize related risks together to reduce management and resource
needs for mitigation activities and controls.
8. Integrate internal controls with the risk assessment, i.e., each identified risk
should have at least one key control. These key controls should be reassessed
periodically and could fall under one or more of the following general categories:
a. Preventative Controls
b. Detective Controls
c. Corrective Controls
9. Annually distribute a risk-assessment questionnaire to managers who have
compliance oversight responsibilities and employees who have direct
responsibility for compliance with Reliability Standards to help evaluate any
changes in known risks and help detect any new risks that might otherwise go
unidentified. Incorporate review of the questionnaire results into the riskassessment process.
10. Incorporate the assessment of risk associated with significant change by
anticipating and monitoring change in the following areas:
a. External Environment (regulatory/compliance, social, political,
technological, etc.)
b. Strategic Planning (business model, regulatory/compliance, services,
neighboring entities, etc.)
c. Succession Planning (executives, key employees, etc.)
Measurable Compliance Performance Targets
1. Apply the concept of "SMART" objective-setting criteria to setting and evaluating
measureable compliance performance targets. (Google for more details.)
a. Specific
b. Measureable
c. Achievable
d. Relevant
e. Time-bound
WECC Compliance Monitoring and Enforcement Program
Internal Compliance Program Assessment Version 5.0 2/2/2015
26
Internal Compliance Program Assessment
2. Adopt a Measurement and Analysis approach designed to develop and sustain a
measurement capability used to support management information needs.
a. Align Measurement and Analysis Activities for each high-risk Reliability
Standard Requirement:
i. Establish Measurement Objectives
ii. Specify Measures
iii. Specify Data Collection and Storage Procedures
iv. Specify Analysis Procedures
b. Provide Measurement Results to management:
i. Obtain Measurement Data
ii. Analyze Measurement Data
iii. Store Data and Results
iv. Communicate Results
3. On the list of applicable NERC and WECC Reliability Standards, list: (1) the
employees responsible for compliance; (2) any specific tasks required for
compliance; and (3) any measureable compliance performance targets
associated with those tasks.
4. Create a proactive, time-based goal for the internal investigation and evaluation
of the potential violation of a Reliability Standard Requirement. For example:
a. Define a period of time (e.g. five business days or 10 business days, etc.)
to determine whether or not a possible violation exists following the initial
internal report of a potential violation.
5. Create proactive, time-based goals for submission of Compliance documents to
WECC, including Self-Reports, Mitigation Plans, Data Requests, etc. For
example:
a. Define a period of time to promptly submit Self-Reports following the
internal determination of possible violations.
b. Define a period of time to promptly submit Mitigation Plans following SelfReport filings.
6. Set specific time-based targets (e.g. X number of days, weeks, months) to help
ensure timely completion of the following:
a. Investigation of possible violations
b. Submission of Self-Reports
c. Submission of Mitigation Plans
7. Specifically reference measureable compliance performance targets in the ICP.
Compliance Training
1. Ensure all employees and contractors receive an appropriate level training on the
ICP and NERC Reliability Standards each year or at the initiation of the business
relationship.
2. Incorporate in the training, and/or follow-up the training with a survey or
examination to measure understanding of the training material.
a. Based on the survey or examination results, make changes to the training
program as necessary.
WECC Compliance Monitoring and Enforcement Program
Internal Compliance Program Assessment Version 5.0 2/2/2015
27
Internal Compliance Program Assessment
Promoting Compliance through Employee Incentives
1. Non-Monetary Ideas –
a. Certificates of exceptional performance
b. Letters acknowledging an employee’s activities
c. Recognition at staff meetings
d. Congratulatory communications copied to all employees
e. Reserve a premium parking space for an employee of the month
f. Adopt an annual compliance and reliability award, and give it to the
individual that has exhibited the strongest commitment to compliance and
reliability
Internal Controls
Note: In terms of Bulk Power System (BPS) reliability, an internal control program is a
process that helps provide a Registered Entity with reasonable assurance it complies
with the Reliability Standard(s) or the operating function(s) and processes that the
Reliability Standard(s) require. Below are generic examples of control activities in
consideration of Reliability Standards.1
1. Preventive Control Activities
a. Automated compliance work management system
b. Documented NERC compliance responsibilities
c. Training regarding the policies and procedures used to ensure compliance
with the Reliability Standards
d. Use of colored lanyards or other overt identification methods to identify
escorted visitors in NERC CIP Physical Security Perimeters
e. Restricting access to assets
f. Documented configuration management program
g. Documented change management program
h. Records management system
2. Detective Control Activities
a. Automated systems that check and identify compliance discrepancies
b. Periodic review of control center communications, e.g., listening to a
prescribed number of voice recordings for each period
c. Quarterly self assessments used to identify individual who gained access
to CIP cyber areas without the proper training or background
investigations
d. Review by responsible management of compliance documentation
e. Reviews of performance against defined criteria
3. Corrective Control Activities
a. Root Cause Analysis Program
b. Event Analysis
c. Business Continuity and Recovery Plans – returns an operation to a
normal operating state after a failure or interruption
1
RAI Internal Controls Working Guide V1; Initial Version July 9, 2013
WECC Compliance Monitoring and Enforcement Program
Internal Compliance Program Assessment Version 5.0 2/2/2015
28
Download

2015 Internal Compliance Program Assessment