20141009 - Presentation - Compliance 101
advertisement
WECC COMPLIANCE 101 Webinar Thursday, October 9, 2014 2 Agenda Introductions Laura Scholl Overview of WECC and Regulatory Structure Connie White Audit – What to Expect Stacia Ellis and Bill Fletcher Enforcement Overview Rachael Ferrin, Richard Shiflett, Haley Sousa, and Joelle Bohlender webCDMS and EFT Brittany Power Overview of WECC and Regulatory Structure Constance White Vice President of Compliance and Acting Regional Manager COMPLIANCE 101 Overview of WECC And Regulatory Structure 5 WECC Profile The Western Electricity Coordinating Council (WECC) is a non-profit corporation that exists to assure a reliable bulk electric system in the geographic area of the Western Interconnection. This area includes all or parts of the 14 western United States, two Canadian provinces, and the northern portion of Baja California, Mexico. 6 WECC History • Incorporated in 2002 • Predecessor, WSCC formed in 1967 • Largest geographic area of the eight Regional Entities o Entire Western Interconnection (1.8 million square miles) includes all or part of 14 U.S. states, 2 Canadian provinces and a portion of Baja California Norte, Mexico • Non-Governmental • Industry participants join together to promote system reliability • Bifurcation in February 2014 changed functions 7 WECC Coverage Service Area 1.8 million square miles 126,285 miles of transmission Population of 78 million 8 9 WECC Organization • Independent Board of Directors o 9 members o Committees • Members Advisory Committee • Members • Grid owners, operators, users • Stakeholders • State and Provincial 10 Bifurcation Peak Reliability assumed responsibility for Reliability Coordination o Operate two Reliability Coordination Offices (Vancouver WA and Loveland CO) that provide situational awareness and real-time supervision of the entire Western Interconnection 11 WECC Services • Transmission expansion planning o Management of a comprehensive planning database o Provide coordination of sub-regional planning processes o Analyses and modeling • Studies o Model the system and perform studies under a variety of scenarios to set operating policies and limits 12 WECC Services • Loads and Resources Assessments o Perform annual assessment of 10-year loads and resources o Maintain 10-year coordinated plan of system growth o Provide information to NERC for summer and winter assessments of the reliability and adequacy of the bulk-power system • Operator Training o Provide training sessions for operators, schedulers and dispatchers • WREGIS o Hosts the Western Renewable Energy Generation Information System, which creates and tracks renewable energy certificates 13 WECC Services Delegation Agreement o Perform functions delegated to WECC as a Regional Entity under Delegation Agreement with NERC, including regulating entities subject to mandatory Reliability Standards 14 Mandatory Reliability Regulation • Northeast Blackout of 2003 – 10 Million people in Ontario, Canada – 45 million people in eight U.S. states 15 16 17 Task Force Report • Final report of the U.S.- Canada Power System Outage Task Force on the 2003 blackout concluded: the single most important recommendation for preventing future blackouts, and reducing the scope of those that occur, is for the U.S. government to make reliability standards mandatory and enforceable. 18 Task Force Findings Inadequate System Understanding Inadequate Situational Awareness Inadequate Tree Trimming Inadequate Reliability Center Diagnostic Support Congressional Action •Energy Policy Act of 2005 On August 8, 2005, the Energy Policy Act of 2005 (EPAct 2005) was signed into law. •“Section 215” Section 215 of the EPAct 2005 directed FERC to certify an Electric Reliability Organization (ERO) and develop procedures for establishing, approving and enforcing electric reliability standards. 20 Authority for Compliance Monitoring • FERC Order 672 (Implementing Rule 18 CFR 39) – Responsibility and oversight assigned to FERC – FERC designated NERC as Electric Reliability Organization – NERC has delegation agreement with WECC and seven other regions Implementing Section 215 SECTION 215 Regional Entities Delegation Agreement • Creates Electrical Reliability Organization (ERO) • FERC names NERC as ERO • NERC selects 8 regional entities • WECC is selected for Western Interconnection • NERC and WECC sign agreements • WECC oversight begins in Western Interconnection Development of Mandatory Reliability Standards Operations and Planning (O&P) Standards become mandatory and enforceable June17, 2007 (FERC Order 693) Critical Infrastructure Protection (CIP) standards become mandatory and enforceable December 2009 (FERC Order 706) 23 Order 693 & Order 706 Standards • Order 693 (Operations and Planning) includes: – – – – Resource and Demand Balancing (BAL) Emergency Preparedness & Operations (EOP) Facilities Design, Connection & Mtnce. (FAC) Protection and Control (PRC) • Order 706 (CIP) includes: – Critical Cyber Asset Identification – Personnel & Training – Electronic Security Perimeters 24 WECC Compliance • Recommends Registrations for Entities o Register users, owners, operators according to function • Monitors Compliance with Standards o Monitor compliance by users, owners and operators of the bulk power system in the United States • Enforces Compliance o Violation mitigation and settlement negotiation o Representation of WECC in any hearing or appeal process • Administration o Audit coordination o Reporting systems o webCDMS and EFT 25 In summary… Authority CMEP Reliability Standards Delegation Agreement Federal Power Act 2005 Registration Registration Authority Registration Monitoring Authority Monitoring Registration Enforcement Authority Education/Outreach Authority Enforcement Monitoring Registration Education/Outreach 31 Reference Documents • Compliance Monitoring and Enforcement Program (CMEP) & WECC’s annual plan • Delegation Agreement • Rules of Procedure • NERC Standards and WECC Regional Standards • NERC Guidance, Bulletins, Directives and Compliance Application Notices (CANs) • FERC Orders Notice of Audit Stacia Ellis Compliance Program Coordinator 33 Notice of Compliance Audit Packet • Notice of Audit Letter • Compliance Monitoring Authority Letter • Audit Team Biographies • Confidentiality Agreements 34 Notice of Compliance Audit Packet • Certification Letter • Pre-Audit Data Requests • Pre-Audit Survey • Audit Scope and WECC RSAWs 35 Notice of Compliance Audit Letter • 90-Day Notice of Audit Letter – Details of your specific Audit • • • • Dates of Audit Audit Scope Due Dates Audit Team Composition, observers (if applicable) – Observers can include FERC/NERC • Date/time of proposed Pre-Audit Conference Call • Opening Presentation Suggestions 36 Notice of Compliance Audit Letter • Audit Team Composition – Primary Audit Team • Individuals expected to participate in the Audit – Alternate Audit Team • Individuals available to act as backup or replacements for Primary Team members 37 Attachments A, B and C • Attachment A – Informational; Explanation of Compliance Monitoring Authority • Attachment B – Short Biographies of the WECC Audit Staff • Attachment C – Signed Confidentiality Agreements of the WECC Audit Staff 38 Attachments D and E • Attachment D – Audit Scope – RSAWs (Reliability Standard Audit Worksheets) • Customized for your Entity and your audit – Based on your Registered Functions and Audit Scope • Attachment E – Certification Letter • Must be printed on your company letterhead and signed by an Authorized Officer • Certifies that the information being provided for the Audit is accurate 39 Attachment F • Attachment F – Pre-Audit Survey • • • • Verify contact information Audit Logistics List any delegation agreements Signed by Authorized Officer • Please complete all applicable fields 40 Attachment G • Attachment G – Pre-Audit Data Requests • Why are we doing this to you?!? o Clarifications for data submittals o Specifying types of evidence to remove some of the guesswork 41 Att G – Operations & Planning (O&P) Data • Some evidence may apply to more than one Standard – One copy is sufficient, but document inventories or “roadmaps” are appreciated • Single Line Diagram – Requested for the majority of Audits 42 Att G – Cyber Security (CIP) Data • CIP-004 – CIP-009 may not be applicable based upon the Critical Asset/Critical Cyber Asset determination – Determined by CIP-002-3 Requirements 2 & 3 – Complete RSAWs indicating absence of CA/CCA identification – 2015 CIP audits will include CIP v5 outreach If you have any questions please contact Brent Castagnetto at bcastagnetto@wecc.biz or 801-819-7627 43 Attachment H • Attachment H – Audit Feedback – Now sending with initial package • Feedback is encouraged for all phases of audit. 44 Audit Periods Defined • Audit Periods, for O&P and CIP, are clearly defined in Attachment G for both: • Operations and Planning (O&P) • Cyber Security (CIP) 45 Audit Frequency • 3 year cycle Entities registered as a: – Balancing Authority (BA) – Transmission Operator (TOP) or – Reliability Coordinator (RC) • All others – Generally a 6 year cycle. Subject to flexibility in the future as part of NERC’s Reliability Assurance Initiative (RAI). 46 Outreach • “Howdy Call” – A few days after Notice of Audit Packet is uploaded to the EFT Server. 47 Recommendations • • • • • Know the Reliability Standards Use the RSAWs as guides Ask questions Participate in Outreach (CUG/CIPUG) We are here for you… – Questions – Comments – Concerns Audit Approach and Best Evidence William Fletcher Senior Compliance Auditor, Operations and Planning 49 Compliance Audit (on-site vs. off-site) • Primary difference is: – Location of audit conduct • Scope is typically smaller for off site. • On-Site – Required for RC, BA, TOP functions • Per NERC Rules of Procedure 403.11.2 50 Compliance Audit (on-site vs. off-site) • On-Site – Documentation sent to WECC before audit for preliminary review – The audit team reviews evidence during off-site week or the first week of the audit and completes its review during the second week or on-site week – Data Requests or DRs – In-person interviews for clarification • Off-Site – Documentation sent to WECC before audit for preliminary review – Data Requests or DRs – Entity may be present at audit if desired – Telephone interviews for clarification Audit Approaches •We audit to the Requirements of the Standards •General Approaches included in RSAW •RSAW may ask specific questions •Always includes the section: “Describe, in narrative form, how you meet compliance with this requirement.” 52 Audit Approaches “Describe, in narrative form, how you meet compliance with this requirement.” • Describe here how your company knows it is compliant with this requirement and how you know you have been compliant for the entire period of the audit. • Your place to describe your internal controls. • Your evidence should support your narrative. 53 Audit Approaches • List the evidence provided in the RSAW. o This road map is important • Compliance Assessment Approach in RSAW is used as a checklist. o Data Request (DR) for gaps or samples • Document & record review is primary • Interviews and observations are usually for Corroborating 54 Sufficient Audit Evidence Sufficiency of Evidence • The measure of the quantity of evidence • Quantity of evidence is dependent on the scope of the audit • Extra quantity does not make up for poor quality • Ensure you provide enough evidence to demonstrate compliance for the entire audit period. 55 Sufficient Audit Evidence Sampling is used to limit the amount of detailed evidence provided. • Normally used in conjunction with summary of a full set of data. • Sampling used to assess details. • Reduces the burden on the Audit Team but not really on the Entity • Audit Team must select the samples 56 Appropriate Audit Evidence Appropriateness The measure of the quality of evidence • Relevance • Validity • Reliability 57 Appropriate Audit Evidence Quality of Evidence • Good Internal Controls point to reliable evidence. • Direct observation is more reliable than indirect observation. • Examination of original documents is more reliable than examination of copies. • Testimonial evidence from system experts is more reliable than from personnel with indirect or partial knowledge. 58 Types of Evidence • Physical Evidence • Documentary Evidence • Testimonial Evidence Compliance Audits may use all three types but Documentary Evidence is by far the most frequent type of evidence assessed and relied on. 59 Testimonial Evidence • Attestations of Compliance or Statements of Compliance are generally not accepted as the only available evidence. • Attestations may be used to explain minor gaps in documentation or to state if no conditions occurred which are subject to a requirement. • Attestor must be knowledgable and qualified. 60 Evidence for Procedural Documents The characteristics of a valid procedural or policy document include: – Document title – Definition or Purpose – Revision level – Effective dates – Authorizing signatures 61 Non Applicable Requirements Three instances are acceptable for use of term “Not Applicable” 1) Entity is not registered for the applicable function. (only TOP responsible for TOP requirements) 2) Entity does not own, operate or maintain the equipment addressed by the requirement. (UVLS, UFLS, SPS etc.) 3) Entity does not use the program or process specified by the requirement. (and is not required to… ATC, CBM, etc) 62 Evidence for Tasks Performed • When the standard calls for a task to be performed it must be documented. – – – – – – – Records Logs Reports Work Orders Phone recordings Transcripts of phone recordings Shift Schedules • Dates & Times are critical 63 Evidence of “Coordination” with other entities • Typical evidence provided initially is a single email. “…If you have any comments please contact ______” This alone is neither sufficient or appropriate to demonstrate coordination between two or more parties. • If emails or correspondence are used – Two way communications are needed • Better are: – Meeting Agendas – Meeting Minutes – Attendance Lists 64 Evidence of “Distribution” of information • Typical evidence provided initially is a single email with a large distribution list. “…please see attached” This alone is typically neither sufficient or appropriate to demonstrate distribution to others. • If emails or correspondence are used – Need clear identification of the personnel on the distribution list. • Even Better is corroboration by receipt acknowledgement Enforcement 101 October 9, 2014 Rachael Ferrin Richard Shiflett Haley Sousa Joelle Bohlender 66 Agenda • What is a violation? • How does WECC know about a violation? • What is the submittal and review process for possible violations? • What is the submittal and review process for Mitigation Plans? 67 What is a violation? A violation is a failure to demonstrate compliance pursuant to applicable NERC Reliability Standard Requirement – Possible Violation (PV) • The identification by the Compliance Enforcement Authority of a possible failure by a registered Entity to comply with a Reliability Standard that is applicable to the Registered Entity. NERC Rules of Procedure, Appendix 2 (January 31, 2012). 68 How does the Entity discover a possible violation? Internal Audits Internal Assessments Compliance Culture Ongoing Compliance Assessments 69 How does WECC know about a possible violation? Compliance Monitoring • Self-Reports • Self-Certifications – New possible violation – Change in scope • Compliance Audits • Spot Checks • Compliance Investigations • Periodic Data Submittals • Complaints 70 Possible Violation Submittal • Submit Self-Reports and Self-Certifications via webCDMS • Self Report/Self Certification Content Checklist 71 Self-Report/Self-Certification Content Checklist • Is the version of the standard (in effect at the time of the violation) identified? • Are all multiple subrequirements in scope identified? • Has this violation been previously reported? • Does the violation description include: – All devices/facilities/personnel in scope? – Names/IDs of devices/facilities/personnel? – Where are these devices located? – What are these devices used for? – What type of access do the personnel have? – Any additional information to assess the VSL? • Is the start date and end date identified? • Are the compensating measures identified? 72 Possible Violation Review • WECC Subject Matter Experts (SME) reviews the “possible violation” • Analyze facts and circumstances • Data Requests/conference call if necessary • Technical assessment – Facts and Timelines – Risk Assessment • Recommendation of Dismissal or Acceptance to Case Managers 73 Entity’s next step after reporting a Possible Violation • Submit Mitigation Plan – Notice of Alleged Violation triggers Mitigation Plan due date – Timely Mitigation is encouraged – Not admission of violation Every violation goes through the same process. 74 Mitigation Plan Submittal • Submit via webCDMS – One violation per plan • Eight Steps to Prevention and Mitigation • Mitigation Plan Content Checklist 75 Mitigation and Prevention Checklist • • • • • • • • Symptom Root Cause Corrective Actions Preventive Actions Detective Actions Assign tasks Timeline and milestones Interim Risk 76 Mitigation Plan Content Checklist • Has the scope of the violation being mitigated changed? • Has the root cause been identified? • Does the mitigation plan include: – What is being fixed? – How it is being fixed? – When it is being fixed? • Do the mitigation actions: – Relate to the requirements in scope? – Identify preventative measures? – Identify detection measures? 77 Mitigation Plan Review • WECC Subject Matter Experts (SME) conduct reviews • Review the mitigation plan – Actions (Corrective, Detective and Preventive) – Duration • Data Requests/conference call if necessary • Notice of Acceptance or Rejection via auto notification or EFT server 78 Mitigation Plan Extensions • Extension Requests – Accepted Mitigation Plan completion date = date Completion Certification and evidence submitted to WECC – Five business days prior to completion date 79 CMP Submittal • Submit Completion Certification and evidence via webCDMS • CMP Content Checklist 80 CMP Content Checklist • Has the scope changed since the Mitigation Plan was accepted? – Have you included a brief statement to confirm the scope? • Is the evidence uploaded with a description for each file? • Is there a mapping of actions to evidence? • Is there a completion date for each action? 81 Mitigation Plan Completion Review • WECC Subject Matter Experts (SME) conduct reviews • Analyze Evidence – Were all actions outlined in the plan completed? – Has both procedural and implementation evidence been submitted? • Data Requests/conference call if necessary • Notice of Acceptance or Rejection via auto notification or EFT Server 82 Summary • Violation life cycle – Submitting violations and mitigation plans – WECC’s review of violations and mitigation plans • Resources – http://www.wecc.biz/compliance/outreach/Lists/ 101Links/AllItems.aspx 83 The Hand-Off Possible Violation Submittal Technical SME Review The Handoff to Case Manager Case Manager Review 4 Methods of PV Disposition Confirmed Violation 84 WECC Enforcement Case Managers Primary Role: Determining Violation Disposition (disposition analysis) • Case analysis • • • • • Violation Disposition Policy analysis Assess penalties Conduct settlements Build relationships 85 Enforcement Processes 86 Disposition Analysis • • • • Dismissal Find, Fix and Track (“FFT”) Notice of Alleged Violation (“NOAV”) Expedited Settlement Agreement (“ESA”) 87 Dismissal • Disposition method used when the Case Manager determines the possible violation is not enforceable – For Example… – Standard Requirement does not apply to Entity – Facts and circumstances warrant a violation of a different Standard Requirement – Entity produced additional evidence demonstrating compliance 88 What does a dismissal look like? • Case Manager will issue a “Notice of Dismissal and Completion of Enforcement Action” • WECC: – Withdraws the Possible Violation from Entity’s compliance record – Any data retention directives relating to the possible violation are released • Entity: – Does not need to respond to notice – Questions/concerns contact Case Manager 89 Not a Dismissal, Now what? • • • • Dismissal Find, Fix and Track (“FFT”) Notice of Alleged Violation (“NOAV”) Expedited Settlement Agreement (“ESA”) 90 PVs for FFT Review WECC Reviews All PVs for FFT Treatment “Strong” FFT Candidates: • Are not Repeat PVs • PV does not reveal programmatic or systematic shortcomings • Found and Fixed by the Entity • Mitigation Plan has been submitted 91 What does an FFT look like? • WECC Enforcement will issue a “Notice of Find, Fix and Track” – Remediation Required – No Penalty or sanction – FFT is filed with NERC but does not become a “confirmed violation” • FFT will become part of an Entity’s compliance history 92 What to do with an FFT? • Within five (5) days of receiving an FFT Notice an Entity Must: • Submit to WECC an affidavit, signed by an officer with knowledge of remediation, OR • Submit to WECC written notification opting out of the FFT processing – If an Entity opts out of the FFT disposition, then WECCs policy is to issue the violation through the traditional NOAV process. 93 4 Disposition Methods • • • • Dismissal Find, Fix and Track (“FFT”) Notice of Alleged Violation (“NOAV”) Expedited Settlement Agreement (“ESA”) 94 What does a NOAV look like? CMEP Section 5.3 • • • • NERC Rules of Procedure, Appendix 4C §5.3 (“CMEP”) Alleged Violation Facts Mitigation Plan Summary (if applicable) Enforcement Violation Determinations – BES Impact Statement • Minimal • Moderate • Severe – Violation Severity Level (“VSL”) – Violation Risk Factor (“VRF”) • Penalty 95 What to do with a NOAV? • Submit a NOAV Response within 30 days • The NOAV Response must conform to one of three options – Agree with the violation AND penalty – Agree with the violation, but contest penalty – Contest both the violation AND penalty • Failure to submit a NOAV Response within 30 days will automatically result in confirmed violations with penalties 96 NOAV Response: “Option 1” Does not contest • Does not contest violation facts as alleged in the NOAV • May identify errors that should be corrected in the “Notice of Confirmed Violation” (“NOCV”) • Submit a Mitigation Plan Enforcement will issue a Notice of Confirmed Violation within ten (10) days of receiving a NOAV Response that “agrees with or does not contest an alleged violation.” 97 NOAV Response: “Option 2” Contests Penalty • NOAV Response will be submitted to Enforcement using the EFT Server within thirty (30) calendar days of receiving the NOAV. • Submit a Mitigation Plan. • NOAV Response must explicitly contest penalty and request settlement. – NOAV Response must articulate basis for each penalty – NOAV Response should include a proposed penalty the Entity believes to be reasonable including the basis for proposed penalty 98 NOAV Response: “Option 3” Contests Alleged Violation & Penalties • NOAV Response must be submitted to Enforcement using the EFT Server within thirty (30) calendar days of receiving the NOAV. • NOAV Response must explicitly contest each alleged violation and proposed penalty and request settlement. • Each Contention must be supported by: – An explanation of the Entity’s position – Basis for Contention – Additional Information or evidence 99 A Word on Penalties • Attached to violations disposed of using the NOAV or ESA processes • Based on: – NERC Sanction Guidelines (January 31, 2012) – Penalty Range • Penalty range depends upon Violation Severity Level (“VSL”) and Violation Risk Factor (“VRF”) • Penalties are then adjusted for either Mitigating or Aggravating Factors 100 Reaching Settlement Work with Case Manager C&T Agreement NOAV NOAV Response Schedule Settlement Settlement Agreement Settlement Negotiation 101 4 Disposition Methods • • • • Dismissal Find, Fix and Track (“FFT”) Notice of Alleged Violation (“NOAV”) Expedited Settlement Agreement (“ESA”) 102 ESA: Expedited Settlement Process ESA Settlement Agreement 103 What does an ESA look like? • Expedites Formal Settlement Negotiations • The ESA will contain – Facts and circumstances of the violation – Risk Assessment Summary – Mitigation Plan Summary – VSL and VRF determinations – Penalty determination 104 What to do with an ESA? • Entity will have 15 days to review the ESA… – The Entity will contact Case Manager with questions or concerns. • If the Entity accepts the terms of the ESA… – The Entity must submit a signed copy of the ESA to WECC within 15 days of receipt of the ESA issuance. • If the Entity rejects the ESA or does not respond within 15 days… – WECC will issue a Notice of Alleged Violation and Proposed Penalty and Sanction. 105 Settlement Agreements & Expedited Settlement Agreements 106 Payment & Closure of Enforcement Action • After NOP becomes effective, WECC issues a “Payment Due Notice” • The Penalty will be due thirty (30) days from the date the Notice is issued • Public NOP filings can be found on the NERC website 107 Enforcement Process Summary Possible Violation Submittal Technical SME Review The Handoff to Case Manager Case Manager Review 4 Methods of PV Disposition • Lifecycle of a Possible Violation • Best Compliance Practices • http://www.wecc.biz/compliance/Pages/Best-Practices.aspx • Possible Violation Disposition and Entity Responses Confirmed Violation Compliance 101 Brittany Power Data Coordinator 109 webCDMS 110 webCDMS Regions 1.MRO 2.SPP 3.WECC 4.Texas RE 5.RFC 111 EFT Server WECC EFT Server 112 Compliance Standards Index Compliance Standards Index 113 Compliance Standards Index 114 Compliance Standards Index 115 Compliance Standards Index 116 Reminder: Help Desk WECC Support OATI Support • Call @ 801-883-6879 • Types of calls for WECC o EFT Questions o Registration Questions o Historical Questions o Standard Questions o Non-technical Questions • support@wecc.biz • Call @ 673-220-2020 • Types of calls for OATI o Technical Problems o webCDMS Login Problems o Certificate Problems o Access Problems
