Inherent Risk Assessment Report Template

Reference Only
Last Revised: January 13, 2016
155 North 400 West, Suite 200
Salt Lake City, Utah 84103-1114
Inherent Risk Assessment Report – Reference Template
Table of Contents
Summary
Preliminary Compliance Oversight Plan
Introduction
Entity Overview
Inherent Risk Assessment
  Risk Factor Analysis
  Risk Elements
Preliminary Compliance Oversight Plan
  Registered Functions
  Audit Duration
  Monitoring Tools
Document History
Western Electricity Coordinating Council
Summary
The Western Electricity Coordinating Council (WECC) performed an Inherent Risk Assessment (IRA) of
[Entity Name] (ACRO) from [date IRA survey is received] to [final report date]. During the IRA, WECC's
Compliance Risk Analysis (CRA) team reviewed the inherent risks posed by ACRO based on its
composition. During the assessment, WECC considered the Risk Elements identified in the
Compliance Monitoring and Enforcement Program Implementation Plan [1] (CMEP IP), the associated Risk
Factors, and ACRO's overall unique composition to establish a preliminary Compliance Oversight Plan for
ACRO. WECC will develop a final Compliance Oversight Plan after ACRO's audit.
Preliminary Compliance Oversight Plan
Based on the IRA, the following Registered Functions will be considered for the upcoming audit:
[List of Registered Functions recommended for audit. Numbered and in column format.]
Based on the IRA, the following Operations and Planning (O&P) Standard Requirements are identified
as areas of focus for the upcoming audit:
[List of O&P Standards recommended for audit. Numbered and in column format.]
Based on the IRA, the following Critical Infrastructure Protection (CIP) Standard Requirements are
identified as areas of focus for the upcoming audit:
[List of CIP Standards recommended for audit. Numbered and in column format.]
Compliance Monitoring | Compliance Oversight Plan (Number of Requirements) | Percent of Applicable Requirements
Reliability Standard Requirements applicable to ACRO's Registered Functions | [number of all requirements applicable to entity] | 100%
[Date of Last Audit] On-site Audit Scope | [number of requirements reviewed during last audit] | XX% [(last audit requirements / all requirements applicable to entity) * 100]
Proposed [YYYY] Audit Scope Based on IRA Results | [number of requirements recommended for audit during IRA] | XX% [(IRA requirements / all requirements applicable to entity) * 100]
[1] ERO CMEP Implementation Plan: http://www.nerc.com/pa/comp/Resources/Pages/default.aspx
Introduction
WECC performed an IRA of ACRO to identify the areas of focus and the monitoring methods needed to monitor
ACRO's compliance with selected Regional and North American Electric Reliability Corporation (NERC)
Reliability Standards applicable to ACRO's NERC Registered Functions. WECC followed the process described in
NERC's Electric Reliability Organization (ERO) Enterprise Inherent Risk Assessment Guide [2] (IRA Guide)
and the WECC Inherent Risk Assessment Process [3] to assess inherent risk for ACRO. The IRA Guide serves as
a common approach for NERC and the Regional Entities for implementing and performing IRAs. As
directed by the IRA Guide, all Regional Entities share summary IRA results with the Registered Entity,
including the risks identified, the associated NERC Reliability Standards and Requirements, and the impact
on the scope of monitoring.
The results of the IRA process do not change any obligation for ACRO to be compliant with all NERC
Reliability Standards applicable to ACRO's function(s). While the IRA process is intended to inform the
scope of WECC's Compliance Oversight Plan for ACRO, it does not limit WECC's
authority under the NERC Rules of Procedure to conduct any compliance monitoring activities WECC
determines to be appropriate.
During the IRA process, WECC collected and reviewed information to gain a more complete
understanding of ACRO. WECC used information from ACRO's IRA Survey response and information
currently available within WECC. The IRA considers information collected through [date when draft
report is sent to management for review] and may not reflect changes to ACRO's information
after this date.
Entity Overview
[Brief narrative overview of the entity]
Inherent Risk Assessment
In the 2016 ERO Compliance Monitoring and Enforcement Program Implementation Plan, NERC
published a list of Risk Elements that identifies and prioritizes continent-wide risks to the reliability of
the Bulk Power System (BPS). The WECC regional CMEP Implementation Plan identifies Risk Elements
specific to the Western Interconnection.
[2] ERO Enterprise Inherent Risk Assessment Guide:
http://www.nerc.com/pa/comp/Reliability%20Assurance%20Initiative/ERO_Enterprise_Inherent_Risk_Assessment_Guide_20141010.pdf
[3] WECC Inherent Risk Assessment Process: https://www.wecc.biz/Reliability/WECC%20Inherent%20Risk%20Assessment%20Process.pdf
Consistent with the IRA Guide, WECC further established Risk Factor Criteria [4] to provide guidance in
assessing ACRO's unique, inherent risks to the BPS. The following table shows the association between
Risk Elements and Risk Factors.
Association between Risk Elements and Risk Factors
2016 Risk Elements | Associated Risk Factors
Critical Infrastructure Protection | Compliance Trends, Cyber Security Incidents, Physical Access, System Management
Event Response/System Recovery | Blackstart Resource, Compliance Trends, Emergency Preparedness, Reportable Events
Extreme Physical Events | Compliance Trends, Cyber Security Incidents, Emergency Preparedness
Human Performance | Compliance Trends, Misoperations, Reportable Events, Workforce Capability
Maintenance and Management of BPS Assets | BES Cyber System Identification, Blackstart Resources, Compliance Trends, Generation Portfolio, Transmission Portfolio
Monitoring and Situational Awareness | Blackstart Resources, BPS Coordination, Compliance Trends, Emergency Preparedness, Equipment Categories, Generation Portfolio, Load Management, System Geography, System Modeling & Usage, Transmission Portfolio, Workforce Capability
Planning and System Analysis | Compliance Trends, Load Management, System Modeling & Usage
Protection System Failures | BPS Coordination, Compliance Trends, Equipment Categories, Misoperations
Risk Factor Analysis
The rating and analysis of each Risk Factor is included in the table below. Risk Factors are rated as high,
medium, or low based on the Risk Factor Criteria and the professional judgment of the Compliance Risk
Analyst.
Risk Factor | Risk Rating | Explanation
Compliance Trends | [High, Medium, or Low] | [Explanation of Risk Factor Rating]
Generation Portfolio | |
Blackstart Resource | |
Emergency Preparedness | |
Transmission Portfolio | |
BPS Coordination | |
System Geography | |
Load Management | |
System Modeling & Usage | |
Equipment Categories | |
Misoperations | |
Reportable Events | |
Workforce Capability | |
BES Cyber System Identification | |
Physical Access | |
Cyber Security Incidents | |
System Management | |
[4] IRA Risk Factor Criteria: https://www.wecc.biz/Reliability/IRA%20Risk%20Factor%20Criteria%20Version%201.pdf?Web=1
Risk Elements
Based on the Risk Factor analysis, the following areas of inherent risk have been identified for ACRO.
WECC used the selected Risk Elements to identify areas of focus for the preliminary Compliance
Oversight Plan:
1. Critical Infrastructure Protection
2. Event Response/System Recovery
3. Extreme Physical Events
4. Human Performance
5. Maintenance and Management of BPS Assets
6. Monitoring and Situational Awareness
7. Planning and System Analysis
8. Protection System Failures
Based on the Risk Factor analysis, WECC did not consider the following Risk Elements to identify the
areas of focus for the preliminary Compliance Oversight Plan:
1. [List Risk Elements removed from scope.]
Preliminary Compliance Oversight Plan
Registered Functions
Based on the IRA, the following Registered Functions are recommended for audit:
1. List of NERC Registered Functions recommended for audit
2.
3.
Based on the IRA, the following Registered Functions are not recommended for audit:
1. List of NERC Registered Functions – and explanation
Audit Duration
[Description of any issues that should be considered by the Audit team when establishing the length of
the audit]
Monitoring Tools
WECC has identified the following areas of focus for ACRO based on the Risk Elements, Risk Factors,
and the professional judgment of the CRA team. ACRO must maintain compliance with all applicable NERC and
Regional Reliability Standards and Requirements, including those not identified in this IRA. The
preliminary Compliance Oversight Plan shall remain in effect until the final Compliance Oversight Plan
is developed.
Standards and Requirements Recommended for Audit
Standard and Requirement | Explanation
[Requirement] | [Explanation]
Standards and Requirements Recommended for Self-Certification
1. List Standards and Requirements
2.
3.
Document History
IRA Approval
Title | Name | Date
Manager, Compliance Risk Analysis | | [Approval Date]
Audit Team Lead, O&P | | [Approval Date]
Audit Team Lead, CIP | | [Approval Date]
Revision History
IRA Version | Author | Document Date
Version 1 | IRA Lead | [IRA Approval Date]