
Pillars of Internal Controls Part 1

Pillars of Internal Controls Part 1. Harold G. Sherrill Sr. Internal Controls Analyst Risk Assessment and Mitigation. Common Enterprise Risk Management (ERM) Objectives. BUSINESS OBJECTIVES. GOVERNANCE OBJECTIVES. Information Reliability (i.e. accounting) Legal Social Responsibility


Presentation Transcript


  1. Pillars of Internal Controls Part 1 Harold G. Sherrill Sr. Internal Controls Analyst Risk Assessment and Mitigation Western Electricity Coordinating Council

  2. Common Enterprise Risk Management (ERM) Objectives
     BUSINESS OBJECTIVES
     • Market share growth
     • Client satisfaction
     • Volume
     • Cost containment
     • Quality
     • Innovation and technology
     • Profitability
     GOVERNANCE OBJECTIVES
     • Information Reliability (i.e. accounting)
     • Legal
     • Social Responsibility
     • Reliability and Security

  3. Common ERM Objectives; Alignment of Program Objectives; Bottom-Up Approach; Top-Down Approach; Risk-Based Internal Controls Objectives

  4. What You Will Learn Today
     Part 1
     • Pillar 1 Risk Assessment
     • Pillar 2 Design and Implementation
     • Exercise: Change Management Risk Assessment
     Part 2
     • Pillar 3 Controls Monitoring
     • Pillar 4 Controls Evaluation
     • Panel: Controls Monitoring and Evaluation

  5. Pillar 1 – Risk Assessment
     • Review activities and process in operation
     • Identify all practices
     • Document entity practices for use in the Risk Assessment process

  6. Pillar 1 – Risk Assessment
     Identify potential failure scenarios of practices that prevent you from achieving objective
     • Potential Failure Points
     • Potential Causes of Failure Points
     • risk targets
     • Align/Map practices to risk
     • address gaps

  7. Risk Assessment Example: Insurance Scenario

  8. Risk Assessment Example
     • How do I get a lower rate?
     • Safety is a key factor
     • Research risk associated

  9. Risk Assessment Example
     • Enterprise Risk Objective: Cost containment via reduced risks evaluation outcome. Risk-based determination of insurance cost
     • Risk Assessment Objective: Identify risk elements that may result in failure to achieve a favorable risk evaluation
     • Internal Control Objective: Achieve a favorable risk evaluation outcome based on designed and implemented controls

  10. Risk Assessment Example

  11. The Essence of a Control: …activities and/or process in operation that mitigate an identified risk.

  12. Pillar 2 – Design (Design and Implementation)
      • Level of coverage relevant to address specific business and governance needs such as: Training, Change Management, Compliance, etc.
      • Controls are capable of mitigating the intended risk targets
      • Reliability and Security

  13. Pillar 2 – Design (Design and Implementation)
      Control narratives adequately describe the 5Ws + how
      • What is being performed
      • Why is it being performed
      • When is it being performed
      • Who is performing the what
      • How is who performing the what
      • Where is who performing the what

  14. Pillar 2 – Implementation (Design and Implementation)
      Controls will operate to:
      • Mitigate risk targets within the enterprise
      • Address all identified requirement-level risk targets

  15. Risk and CONTROL Assessment Example

  16. Risk & Controls Assessment: Change Management (20 minutes)

  17. SCENARIO: Black Start Generating Facility - Going in Service 2022
      WHAT CONTROLS ARE NEEDED TO ADDRESS CHANGE MANAGEMENT?
      • List of Business Units Impacted
      • Physical Security Changes
      • NERC Compliance Documentation
      • Cyber System Changes
      • System Impact Studies

  18. Pillars of Internal Controls - Part 2 Harold G. Sherrill Sr. Internal Controls Analyst Risk Assessment and Mitigation (RAM) Western Electricity Coordinating Council

  19. What You Will Learn Today
      Part 2
      • Pillar 3 Controls Monitoring
      • Pillar 4 Controls Evaluation
      • Panel: Controls Monitoring and Evaluation

  20. Pillar 3 – Controls Monitoring
      Monitoring of Internal Controls: Ensure your controls are implemented as designed on a consistent basis.
      • Frequency
      • Scope
      • Placement

  21. Pillar 4 – Controls Evaluation
      Evaluation of Internal Controls: Designed and implemented controls continue to meet overall objectives.
      Possible triggers for a controls evaluation
      • Changes in operational responsibilities
      • Changes impacting the entity such as:
        • system events,
        • compliance activities.

  22. Controls Monitoring and Evaluation Panel: Harold Sherrill, WECC; Joe Carluccio, BPA; Tina Kilgore-Goodwin, CAISO; Lisa Milanes, CAISO; Eric Olsen, SMUD

  23. Ultimate Reliability & Security Approach: Proactive risk posture instinctively aids in compliance excellence!

  24. Key Takeaway! “….A truly effective and efficient internal control structure requires taking a deliberate and fundamental approach to the design, execution, and monitoring of the controls, rather than just creating them to address perceived outcomes.” - Kevin Hickey, Keynote Speaker, Signature Bank NY
