RSA Reliability Standards Advisory Service LLC
Utilities & Energy Compliance & Ethics Conference – Society of Corporate Compliance and Ethics
NERC Compliance Embraces Internal Controls
February 25, 2014
Reliability | Sustainability
Copyright © 2014 Reliability Standards Advisory LLC. All rights reserved.

Fred Anderson, CCEP, CIA, CFE
Chief Executive Officer & Founder, Reliability Standards Advisory Service LLC
– More than 20 years' experience as a Fortune 500 management consultant
– Master of Science, Corporate Finance
– Bachelor of Business Administration, Economics

Randi Nyholm, CCEP
Transmission Compliance Specialist Senior, Minnesota Power
– MS Scientific and Technical Communication
– BS Business Administration
– Five years in development and implementation of NERC compliance programs

• Conduct a Risk Assessment for NERC Standards
• Identify and Implement Appropriate Internal Control
• Create Sustainable Models and Tools that don't Break the Bank

1. Principles of risk management
2. Risk identification and quantification methods
3. Managing risk – not all risk is bad
4. RAI and risk management for the BES

To identify and manage risks that are associated with an organization's objectives. Managing risk is a single continuous process. The objective of managing risks is to decrease the probability of events that reduce bulk electric system reliability.

Risk-taking in areas of legal and ethical obligations invariably leads to bad outcomes.
• FERC/NERC guidance states "assessment of risk is fundamental to developing a strong compliance program."
• NERC guidance lists factors that a utility should consider in any risk assessment.
• FERC and NERC look at a utility's overall compliance program and take into account to what degree the entity analyzes risks.
Source: FERC Revised Policy Statement on Penalty Guidelines – Docket No. PL10-4-000 (Sep 17, 2010)

The portfolio of risks facing each utility is unique to that business. Some utilities will face severe risks of a nature that are of no significance to another. Registrants even with similar registered functions are likely to have very different risk portfolios.
Source: NERC CMEP 2014

From an ERM Perspective
• Once the utility's objectives are concisely established, start identifying risk by asking "What can go wrong?"

From a Strictly FERC/NERC Standard Compliance Perspective
• Prioritize standards (AML) based on level of risk to the BES.
• Start identifying all risks by Standard / Requirement by asking "What can go wrong?"

From a Registrant's Risk to the Bulk Electric System Perspective
• Identify the utility's areas of impact to the grid through an agreed list of key indicators – example: MRO Risk Based Overview AML.
• Start identifying risk by asking "What can go wrong?"

Methodology: A process of compiling a risk register starts off by identifying a wide variety of risks, but these should then be filtered to allow the utility to concentrate on those with the greatest potential impact to the BES.

Characteristics of the Risk Register Approach
• Complexity of the business; filters applied on risks/opportunities
• Opportunity to take a formal look at the specific risks management faces
• Not a scientific exercise
• Attempts to quantify risks, to a great extent done on a subjective basis

Three Tiered System
Primary – Highest or greatest risk to BES reliability.
Secondary – Significant reliability risk, but due to severity, probability or a combination of both, the reliability risk impact is, from a cost/benefit perspective, more acceptable to assume.
Tertiary – Low reliability risk, minimum impact to reliability. Typically this level of risk is assumed by a utility due to the nature of the cost/benefit outcomes.

A Risk Map prioritizes each BES Operations risk according to significance and likelihood and maps the risks into four quadrants. Once the top BES risks are plotted, look at the quadrant where the risks are located. Position in the quadrant helps prioritize the risks and indicates the level of concern and attention which should be directed toward mitigating that risk, given the potential impact on a utility's ability to accomplish its business strategies.

Adequacy – the ability of a utility's electric system to supply the aggregate electric power and energy requirements of electricity consumers at all times, taking into account all scheduled and reasonably expected unscheduled outages of system components.
Operating reliability – the ability of a utility's electric system to withstand sudden disturbances such as electric short circuits or unanticipated loss of system components.
Note: Details of the 6 ALR definitions are available at http://www.nerc.com/docs/pc/Definition-of-ALR-approved-at-Dec-07-OC-PC-mtgs.pdf
Details of the Eight Reliability Principles are available at http://www.nerc.com/files/Reliability_Principles.pdf

NERC's definition was recently further refined with the identification of specific characteristics that define an Adequate Level of Reliability (ALR)[1]:
1. The System is controlled to stay within acceptable limits during normal conditions;
2. The System performs acceptably after credible Contingencies;
3. The System limits the impact and scope of instability and cascading outages when they occur;
4. The System's Facilities are protected from unacceptable damage by operating them within Facility Ratings;
5. The System's integrity can be restored promptly if it is lost; and
6. The System has the ability to supply the aggregate electric power and energy requirements of the electricity consumers at all times, taking into account scheduled and reasonably expected unscheduled outages of system components.
[1] http://www.nerc.com/docs/pc/Definition-of-ALR-approved-at-Dec-07-OC-PC-mtgs.pdf

A framework provides a standard against which utilities – large or small, in the public or private sector, for profit or not – can assess their control systems and determine how to improve them and, consequently, bulk electric system reliability.

Risk models
Use quantitative or statistical methods to determine the aggregate risk based on a portfolio of individual risk factors, using a tool such as regression analysis. Other techniques include:
1. Value-at-Risk (VaR),
2. Historical Simulation (HS),
3. Extreme Value Theory (EVT) or Scenario Analysis to assess a portfolio of risk categories.

Enterprise risk management is... a process, effected by a registrant's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk tolerance, to provide reasonable assurance regarding the achievement of utility objectives.

COSO formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting (the Treadway Commission).
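The risk register, four-quadrant risk map and three-tiered system described in the preceding slides, worked through as an added example (this is not code from the presentation or from Reliability Standards Advisory Service LLC). The 1-to-5 scoring scale, the quadrant cut-off, the tier cut-offs and the four sample risks are all constructed assumptions chosen to show each quadrant and tier once; a utility would set its own scale and thresholds.

```python
"""Risk register with a four-quadrant risk map and three-tier classification.

Added example; not code from the presentation. The scoring scale, the cut-offs
and the sample risks below are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

SCALE_MAX = 5       # constructed 1..5 scale for both axes of the risk map
HIGH_CUTOFF = 3     # assumption: a score of 3 or more is plotted as "high"
PRIMARY_MIN = 15    # assumption: likelihood x significance >= 15 -> Primary tier
SECONDARY_MIN = 6   # assumption: 6..14 -> Secondary tier, below 6 -> Tertiary


@dataclass(frozen=True)
class Risk:
    name: str
    reference: str      # Standard / Requirement the risk is assessed against
    likelihood: int     # 1 (rare) .. 5 (expected)
    significance: int   # 1 (negligible) .. 5 (severe impact on BES reliability)

    def __post_init__(self) -> None:
        for v in (self.likelihood, self.significance):
            if not 1 <= v <= SCALE_MAX:
                raise ValueError(f"score {v} outside 1..{SCALE_MAX}")

    @property
    def score(self) -> int:
        return self.likelihood * self.significance


def quadrant(risk: Risk) -> str:
    """Place the risk in one of the four risk-map quadrants."""
    lk = "high" if risk.likelihood >= HIGH_CUTOFF else "low"
    sg = "high" if risk.significance >= HIGH_CUTOFF else "low"
    return f"{lk} likelihood / {sg} significance"


def tier(risk: Risk) -> str:
    """Three-tiered system: Primary, Secondary or Tertiary (assumed cut-offs)."""
    if risk.score >= PRIMARY_MIN:
        return "Primary"
    if risk.score >= SECONDARY_MIN:
        return "Secondary"
    return "Tertiary"


def build_register() -> List[Risk]:
    """Constructed sample register; entries are illustrative, not a real assessment."""
    return [
        Risk("Protection System device not maintained within its defined interval",
             "PRC-005-1b R2.1", likelihood=3, significance=5),
        Risk("Maintenance records not archived for the retention period",
             "PRC-005-1b R2", likelihood=4, significance=2),
        Risk("EROP reporting protocols not aligned with Attachment 1",
             "EOP-004-2 R1", likelihood=2, significance=3),
        Risk("Summary of maintenance procedures out of date",
             "PRC-005-1b R1.2", likelihood=2, significance=2),
    ]


def classify(register: List[Risk]) -> Dict[str, Tuple[int, str, str]]:
    """Map each risk name to (score, quadrant, tier) for the risk register report."""
    return {r.name: (r.score, quadrant(r), tier(r)) for r in register}


def top_risks(register: List[Risk], n: int) -> List[str]:
    """Filter the register down to the n risks with the greatest potential impact."""
    ranked = sorted(register, key=lambda r: (r.score, r.significance), reverse=True)
    return [r.name for r in ranked[:n]]


if __name__ == "__main__":
    reg = build_register()
    for name, (score, q, t) in classify(reg).items():
        print(f"{score:2d}  {t:<9} {q:<40} {name}")
    print("Top 2:", top_risks(reg, 2))
```

Scoring by a likelihood times significance product is one common choice; the point of the quadrant function is that a low-likelihood, high-significance risk is still surfaced separately from a frequent but minor one, which a single product score on its own would blur.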
The Treadway Commission is jointly sponsored and funded by five main professional accounting associations and institutes headquartered in the United States.

Within the context of a utility's established mission or vision, management establishes strategic objectives, selects strategy, and sets aligned objectives cascading through the enterprise. This enterprise risk management framework is geared to achieving a utility's objectives, set forth in four categories. These four categories provide a common definition of enterprise risk management and provide a unified approach for the evaluation of enterprise risk management systems.

Standard PRC-005-1b — Transmission and Generation Protection System Maintenance and Testing
Purpose: To ensure all transmission and generation Protection Systems affecting the reliability of the Bulk Electric System (BES) are maintained and tested. (Source: NERC Standard website)
Risk: Failure to maintain and test all transmission and generation protection systems affecting reliability of the BES.
Risk Assessment Output: Identification of two "primary" internal controls.

Critical System Components
• Switching Diagrams – select certain items that have critical system protection components
• Hierarchy of Risk – i.e. Top 20
• Generation
• Large Tie-lines
• Topography Concerns – long distances of Transmission and Generation Lines

Protection System Maintenance Program Monitoring Components
• Data Request: A list of all substations 100kV and above and generating stations connected to the BES.
• Maintenance and testing intervals
• Basis for maintenance and testing intervals
• Summary document of maintenance and testing procedures
Sample Design – Identify (1) Population and Size, (2) Sample Size, (3) Sample Method

• Risk: Failure to maintain and test all transmission and generation protection systems affecting reliability of the BES.
• Internal Control (PRC-005-1b-R1-R2 (IC1)): What do we need to know to mitigate the "maintain" risk?

Internal Control
• Means different things to different people.
• Miscommunication & different expectations.

Internal Controls
• Are put in place to keep the utility on course toward profitability, goals and achievement of its mission, and to minimize surprises / pitfalls along the journey.
• Enable management to deal with rapidly changing economic and competitive environments and shifting consumer and regulatory demands, and to ensure compliance with laws and regulations.

Why
Myth 1: Internal Control can ensure a Registered Entity's success.
Myth 2: Internal Control can ensure compliance with laws and regulations such as NERC Standards and Requirements.
Internal Control can only provide reasonable assurance:
• Judgments in decision-making can be faulty
• Simple error or mistake
• Circumvention or collusion
• Ability to override the system
• Resource constraints – relative to costs

Internal Controls Serve Many Important Purposes, including:
• Past 10 years: increasing calls for better internal control systems – FERC, DOJ, SEC, IRS, PCAOB
• A means to an end, not the end itself – report cards: KPI, KRI, SRI and other metrics
• Viewed by regulators and executives as a solution to a variety of potential problems

• Broadly defined terms: "An internal control is a process, designed to provide reasonable assurance regarding the achievement of objectives."
• In business, internal controls are deployed for:
  o Effectiveness and efficiency of operations
  o Reliability of financial reporting
  o Compliance with applicable laws and regulations

The Institute of Internal Auditors (IIA) defines control and control processes as follows: A control is any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Control processes are the policies, procedures, and activities that are part of a control framework, designed to ensure that risks are contained within the risk tolerances established by the risk management process.

• Derived from how utility management runs the business & integrated with management processes
1. Control Environment
2. Risk Assessment
3. Control Activities
4. Information & Communication
5. Monitoring

1. Poor Judgment in Cognitive Decision Making
2. Human Error – Culture Influences & Intuitive Failures
3. Control Processes Deliberately Circumvented by Employees and Others
4. Management Overriding Controls
5. The Occurrence of Unforeseeable Circumstances
*Surveys conducted by AICPA and IIA

Effective
• Control environment is the company's attitude toward internal controls. Known as "tone-at-the-top," the control environment is a necessary condition for effective internal control.
• The "what could go wrong?" stage, in completing a formal risk assessment.
• Business systems that gather information related to internal control, and management that uses this information to support employees in doing their jobs.
• Monitoring is the ongoing feedback mechanism that ensures that internal control systems that are effectively designed remain that way.
• Control activities are the specific activities performed by company personnel to ensure that internal control is effective.

Efficient (measuring efficiency)
• Provides reasonable assurance business objectives are met
• Realistic expectations
• Benefit greater than resource expenditure
• Sustainable model
• Automated communication channels

Standard PRC-005-1b — Transmission and Generation Protection System Maintenance and Testing
Purpose: To ensure all transmission and generation Protection Systems affecting the reliability of the Bulk Electric System (BES) are maintained and tested. (Source: NERC Standard website)
Risk: Failure to maintain and test all transmission and generation protection systems affecting reliability of the BES.
Output: Identification of two "primary" internal controls.

R1. Each Transmission Owner and any Distribution Provider that owns a transmission Protection System and each Generator Owner that owns a generation Protection System shall have a Protection System maintenance and testing program for Protection Systems that affect the reliability of the BES. The program shall include:
R1.1. Maintenance and testing intervals and their basis.
R1.2. Summary of maintenance and testing procedures.

• Risk: Failure to maintain and test all transmission and generation protection systems affecting reliability of the BES.
• Internal Controls PRC-005-1b-R1-R2: What do we need to know to mitigate the "maintain" risk? – Six Activities:
  1. Identify population of protective relay systems including elements
  2. List of protective relay schemes & link to PSR
  3. Maintenance schedule for each PSR
  4. Create & archive PSR maintenance records
  5. Who is responsible for performing PSR maintenance?
  6. Management responsible for oversight of PSR maintenance?

• To Maintain: Identify population of protective relay systems including elements
• Information Criteria: SRRU
  • Sufficient – information is factual, adequate, and convincing, so that a prudent, informed person reaches a similar conclusion
  • Reliable – information is the best attainable information
  • Relevant – information supports and is consistent with objectives
  • Useful – information helps the organization meet its goals
• Ask yourself – Is the information SRRU compliant?

• 8 Internal Control Design Attributes
  1. A Protection System maintenance program. (R1, M1)
  2. Maintenance intervals and their basis. (R1.1)
  3. Summary of maintenance procedures. (R1.2)
  4. Provide documentation of its Protection System maintenance program and implementation of the program to its Regional Reliability Organization on request (within 30 calendar days). (R2)
  5. Evidence Protection System devices were maintained within the defined intervals. (R2.1)
  6. Date each Protection System device was last maintained. (R2.2)
  7. Evidence it provided documentation of its Protection System maintenance program and the implementation of its program. (M2)
  8. Data retention requirements of one calendar year and 3 years.
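The monitoring components and design attributes above (the device population, the defined intervals and their basis, evidence of maintenance within the interval per R2.1, the last-maintained date per R2.2, and the sample design) can be exercised as a repeatable evidence check. The following is an added example, not code from the presentation, from Minnesota Power or from any utility: the CSV extract, the device identifiers, the stations and the interval values are constructed, and the audit date is taken from the presentation date.

```python
"""PRC-005-1b R2.1 / R2.2 evidence check over a constructed maintenance extract.

Added example; not code from the presentation or from any utility. The CSV
extract, the device identifiers, stations and interval values are constructed.
"""
import calendar
import csv
import io
import random
from datetime import date
from typing import Dict, List

# Constructed extract of the maintenance program's device population (R1, R2.2).
RECORDS_CSV = """\
device_id,station,device_type,interval_months,last_maintained
R-101,Sub Alpha 115kV,protective relay,72,2008-05-14
R-102,Sub Alpha 115kV,protective relay,72,2012-09-30
B-201,Sub Beta 230kV,station battery,3,2013-12-02
R-301,Gen Plant C,protective relay,72,
C-401,Sub Delta 345kV,communications channel,12,2013-01-15
"""

AS_OF = date(2014, 2, 25)   # audit date; the presentation date is used here


def parse_records(text: str) -> List[Dict]:
    """Population: every Protection System device in the program, with its interval."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        last = row["last_maintained"].strip()
        records.append({
            "device_id": row["device_id"],
            "station": row["station"],
            "interval_months": int(row["interval_months"]),               # R1.1
            "last_maintained": date.fromisoformat(last) if last else None,  # R2.2
        })
    return records


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamping the day to the target month's length."""
    y, m0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + y, m0 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def check_intervals(records: List[Dict], as_of: date) -> Dict[str, str]:
    """R2.1: was each device maintained within its defined interval as of `as_of`?"""
    findings = {}
    for r in records:
        last = r["last_maintained"]
        if last is None:
            findings[r["device_id"]] = "NO DATE"   # R2.2 evidence is missing
            continue
        due = add_months(last, r["interval_months"])
        findings[r["device_id"]] = "OK" if due >= as_of else f"OVERDUE since {due.isoformat()}"
    return findings


def audit(text: str = RECORDS_CSV, as_of: date = AS_OF) -> Dict[str, str]:
    """Parse the extract and return the per-device finding."""
    return check_intervals(parse_records(text), as_of)


def exceptions(findings: Dict[str, str]) -> List[str]:
    """Devices that need follow-up: overdue or lacking a last-maintained date."""
    return sorted(dev for dev, status in findings.items() if status != "OK")


def sample_devices(records: List[Dict], size: int, seed: int) -> List[str]:
    """Sample design: population size, sample size and method (seeded simple random sample)."""
    if size > len(records):
        raise ValueError("sample size exceeds population size")
    rng = random.Random(seed)   # fixed seed so the selection can be reproduced for the evidence file
    return sorted(r["device_id"] for r in rng.sample(records, size))


if __name__ == "__main__":
    recs = parse_records(RECORDS_CSV)
    print(f"population: {len(recs)} devices; sample: {sample_devices(recs, 3, seed=1)}")
    for dev, status in audit().items():
        print(f"{dev:<6} {status}")
    print("exceptions:", exceptions(audit()))
```

Two failure modes are handled deliberately: a device with no last-maintained date is reported as a missing R2.2 record rather than silently treated as compliant, and month arithmetic uses the calendar rather than a fixed 30-day month, so a 72-month interval lands on the same calendar day six years later. The seeded sample makes the selection reproducible, which is what a reviewer asks for when the sample method is documented.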
[Company Name] has a documented Protection System maintenance program (R1, M1) that contains maintenance intervals and their basis (R1.1) and includes a summary of maintenance procedures (R1.2). This document is reviewed by oversight management and updated annually. This program includes a process that documents notification of its Protection System maintenance program and implementation of that program to its Regional Reliability Organization on request (within 30 calendar days) (R2, M2). The program includes a process that provides evidence that Protection System devices are maintained within the defined intervals (R2.1) and the date each Protection System device was last maintained (R2.2). The Protection System program, maintenance records and data are archived for three years. Responsibility for this control is assigned to [Job Title]. This control is tested annually. The appropriateness of the control's attributes is reviewed and updated annually prior to testing.

Create an Internal Control Registry that captures all regulatory controls with important information such as: risk, severity index, review dates, manual / automated, frequency, testing dates, control function, control owner, Standard and/or requirement, evidence required, CSA, KRI, SRI, KPIs, etc.

FERC received 45 full Notices of Penalty (NOP) from NERC encompassing 520 possible or confirmed violations (375 of which involved the Critical Infrastructure Protection (CIP) reliability standards), and 12 Spreadsheet NOPs encompassing 575 possible or confirmed minimal or moderate risk violations; NERC also filed or posted 796 possible violations in Find, Fix, and Track (FFT) reports (456 of which were CIP-related). The NOPs and Spreadsheet NOPs collectively proposed $8.6 million in penalties, all of which FERC declined to review.
– Source: FERC 2013 Report on Enforcement

Process Name: Event Reporting Operating Plan (EROP)
Control No: EOP-004-2-R1-IC1
Process Owner: Name / Job Title
HR: Job Description Y/N
Objective: Each Responsible Entity shall have an EROP in accordance with EOP-004-2 Attachment 1 that includes protocols for reporting to the ERO and other organizations.
Standard(s): EOP-004-2
Requirements: R1
Control Type: Preventative
Automated / Manual: Manual
Risk: Failure to have a dated EROP with protocols, including organizations to receive the report and event types, in accordance with EOP-004-2 Attachment 1.
Frequency (C, D, W, M, Q, A): A – Annual
Control Owner: Name and Job Title
HR: Job Description Y/N
Control: [Company Name] has a documented EROP (R1, M1) in accordance with EOP-004-2 Attachment 1 that includes protocols for reporting to the ERO and other organizations. This document is reviewed by oversight management and updated annually. EROP protocols, event reports and data are archived for three years. Responsibility for this control is assigned to [Job Title]. This control is tested annually. The appropriateness of the control's attributes is reviewed and updated annually prior to testing.
Evidence to Demonstrate Compliance:
1.) EROP publication comports to Attachment 1 specific attributes.
2.) Job Title, Signature and Date of review.
3.) Evidence that EROP documents 1 & 2.
4.) Evidence that individuals tasked with operating the process are proficient in the operating plan.
Documents:
1.) EROP Publication Name
2.) Review page
3.) Screen print
4.) Course training materials & attendance record
Monitoring:
a. Review evidence document.
b. Confirm individuals have access to process documents.
c. Confirm training effectiveness / availability to individuals tasked with operating the process.

1.) Risk Assessment – SME Table Top Discussions; Current State vs. Future State: Policies, Procedures, Controls, Evidence
    * Readiness Assessment Gap Analysis Diagnostic Tool
    * Identify Risks – Risk Register Reporting Tool
2.) Quantification / Qualification of Risk – Select Methodology
    * Risk Register Reporting Tool
3.) Key Risk Indicators (KRI) – Risk Model / Cycles
    * Risk Register Reporting Tool
4.) Risk Taking Statement – 7 Areas Addressed
    * Risk Register Reporting Tool
5.) Design Management Process Internal Controls
    * Internal Control Register Reporting Tool

• What Internal Control Can & Cannot Do
• Internal Control Definition & 5 Interrelated Components
• Internal Control Lessons Learned from Historic Examples
• Aspects of BES Internal Control Systems Framework & Elements
• Why & How Internal Controls are the "Life" to Stakeholders
• Diagnostic Steps in Designing & Testing an Internal Control

Fred Anderson CIA, CFE, CCEP
Reliability Standards Advisory Service LLC
Fred.Anderson@rsaservice.net
(770) 547-3369

Randi K. Nyholm, CCEP
Minnesota Power
rnyholm@mnpower.com
(218) 723-7466