Reliability Assurance Initiative
NERC Reliability Working Group, July 25, 2013
What is RAI?
A collaborative effort between NERC, the Regional Entities, and registered entities to identify and implement changes that enhance the effectiveness of the Compliance Monitoring and Enforcement Program.
• Represents risk-based compliance monitoring
• Focuses on risks to reliability
• Enforcement will be reserved for significant matters
• It is a customized compliance approach
• Individualized scoping for each registered entity
• Reduces administrative burdens and distractions
How will we know it's successful?
If the end-state compliance monitoring and enforcement program is effective* at providing reasonable assurance through compliance monitoring, appropriate deterrence through enforcement, and a feedback loop to continuously improve the Reliability Standards.
* Effective: the resources expended to achieve and monitor compliance and to carry out enforcement are sufficient on the larger risk areas and not necessarily over-applied on the lower risk areas.
What are the components of the RAI?
The four components of the RAI are:
• Assessing Reliability Risk
• Scoping Compliance Monitoring
• Processing Possible Violations in Accordance with Risk
• Strengthening the Feedback Loop to the Standards Development Process
In the context of RAI, what is meant by risk?
• Risk to the Bulk Electric System (BES)
  • Instability, uncontrolled separation, or cascading failures
  • System-wide risks to the BES
• An entity's risk to the BES
  • Inherent risk is a function of registrations and other relevant factors such as system design, configuration, size, etc.
  • Control risk is a function of the entity's internal controls established to reduce the risk of a violation or system event.
  • These two components will be considered in determining an entity's risk profile or risk assessment.
• A project is currently underway to determine a regional approach to developing a prototype for risk assessment.
Risk Considerations
• Analysis of risk helps an entity deploy controls more effectively.
• Review should focus on the greatest threats to reliability, based on impact and likelihood of occurrence.
• The cost of a control should not exceed its benefits.
• Reliability Standards are dynamic, and the methodology should be flexible enough to adapt to changes.
• There is no "one size fits all" model.
How do I do an internal risk assessment?
One size does not fit all!
What is a risk assessment process?
(The slide shows these steps as a cycle.)
• Identify Risks
• Develop Assessment Criteria
• Assess Risks
• Assess Risk Interactions
• Prioritize Risks
• Respond to Risks (a.k.a. internal controls)
Questions to Consider
• What are the risks to reliability of the bulk electric system?
  • Consider registered functions.
  • Review event analysis of the entity.
  • Review operational issues in the industry.
  • What keeps me up at night relative to reliability?
• What are the compliance risks for the Standards?
  • Are there stumbling blocks to compliance for the entity?
  • Review self-reports for the entity (are there problematic standards?).
  • Review frequently violated standards.
  • What keeps me up at night relative to compliance?
• Risk interactions
  • Interactions between other events/conditions that could increase risk.
• How do risks rank relative to each other?
  • Formal method to calculate risk: likelihood scale, impact scale
  • Or the informal alternative: "pin the tail on the donkey"
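One way to turn the steps above (assessment criteria, inherent versus control risk from the earlier risk slide, risk interactions, prioritization) into a working risk register. This is an added illustrative example, not code from the NERC RAI presentation or any Regional Entity. The 5x5 likelihood and impact scales, tier thresholds, propagation factor, the sample risks and their control-effectiveness figures are all constructed assumptions.

```python
"""Risk-register scoring for an internal risk assessment (illustrative)."""
from dataclasses import dataclass, field

# Assessment criteria (assumption: ordinal 1..5 scales, score = likelihood x impact)
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
TIERS = ((15, "high"), (8, "medium"), (0, "low"))  # assumption: thresholds on a 1..25 score


@dataclass
class Risk:
    rid: str
    description: str
    likelihood: str
    impact: str
    # Internal controls: name -> fraction of likelihood the control removes (0..1)
    controls: dict = field(default_factory=dict)
    # Risk interactions: ids of other risks made more likely if this one materialises
    triggers: list = field(default_factory=list)


def inherent_score(r: Risk) -> int:
    """Inherent risk: likelihood x impact before any control is credited."""
    return LIKELIHOOD[r.likelihood] * IMPACT[r.impact]


def control_risk(r: Risk) -> float:
    """Fraction of the inherent likelihood left after layered controls.

    Controls are treated as independent layers (defense in depth): two 50%
    controls leave 25%, not 0%. No single control is credited above 95%,
    because a claim of zero residual risk is not one an auditor will accept.
    """
    remaining = 1.0
    for eff in r.controls.values():
        remaining *= 1.0 - min(eff, 0.95)
    return remaining


def residual_score(r: Risk) -> float:
    """Inherent score discounted by the entity's controls (rounded to 2 dp)."""
    return round(inherent_score(r) * control_risk(r), 2)


def tier(score: float) -> str:
    for threshold, name in TIERS:
        if score >= threshold:
            return name
    return "low"


def prioritize(risks: list, propagation: float = 0.5) -> list:
    """Rank risks by residual score plus a share of the residual score of every
    risk they can trigger (assumption: half of it, via `propagation`)."""
    by_id = {r.rid: r for r in risks}
    rows = []
    for r in risks:
        residual = residual_score(r)
        knock_on = sum(residual_score(by_id[t]) for t in r.triggers if t in by_id)
        adjusted = round(residual + propagation * knock_on, 2)
        rows.append({"rid": r.rid, "inherent": inherent_score(r),
                     "residual": residual, "adjusted": adjusted,
                     "tier": tier(adjusted), "uncontrolled": not r.controls})
    # Highest adjusted score first; stable tie-break on id for reproducible reports
    return sorted(rows, key=lambda row: (-row["adjusted"], row["rid"]))


# Constructed sample register (not real entity data)
REGISTER = [
    Risk("A", "Relay misoperation leading to uncontrolled separation", "likely", "severe",
         {"protection settings review": 0.5, "redundant relaying": 0.5}, triggers=["C"]),
    Risk("B", "Unauthorised remote access to the EMS", "possible", "major",
         {"multi-factor auth on remote access": 0.8}, triggers=["A"]),
    Risk("C", "Patch evidence for CIP-007 not retained", "likely", "minor"),
]

if __name__ == "__main__":
    for row in prioritize(REGISTER):
        print(row)
```

Two things the ranking shows that the inherent scores alone do not: risk B starts above C on inherent score (12 vs 8) but falls below it once its control is credited, and C, the only entry with no control at all, is flagged `uncontrolled`, which is where the "respond to risks" step should start.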
Internal Control Program
An internal control program helps provide a Registered Entity with reasonable assurance of compliance with the requirements of the Standards.
Functional Overlap of the Standards
(The slide is a diagram mapping the current standards-based view onto a future functions-based view; only the two column lists are recoverable here.)
• Current, standards-based: CIP-002, CIP-003, CIP-004, CIP-005, CIP-006, CIP-007, CIP-008, CIP-009
• Future, functions-based: Change Management & Testing; Device Management; Information Classification & Handling / Document Control; Access Control; Physical Security; Recovery & Incident Response
Management Controls
• Policies and procedures ensure management's directives are carried out.
• The elements of the controls work together and collectively reduce the risk of not achieving objectives.
• Controls should not be considered discretely (defense in depth).
Types of Control Activities
(Diagram on the slide: a continuous improvement cycle.)
Internal Controls Analysis
• Review existing processes, procedures and policies to determine whether they facilitate compliance with the Reliability Standards.
ERO RAI Program
• Conceptual White Papers
  • ERO & Industry Documents
  • RAI Q&A
  • Internal Controls Working Guide
• Initial Phase Plan/Deliverables
  • Audit Handbook
  • ERO & Industry Collaborative Guides
  • Benefits & Impacts
  • Internal Control Library
• RAI Pilots
  • MRO - ATC
  • RFC - PJM, PPL
  • SERC - integrating into audits
• Self-Reporting Process Enhancement
  • Self-Report Guide
  • Mitigation Plan Guide
  • Violation vs. Deficiency Pilots
  • FFT Enhancements
  • Regional Entity Triage Process
References
Controls Framework Documents
• Committee of Sponsoring Organizations of the Treadway Commission (COSO): Internal Control - Integrated Framework
• The Institute of Internal Auditors: International Professional Practices Framework, Standard 2210, Engagement Objectives
• Information Systems Audit and Control Association (ISACA): Control Objectives for Information and Related Technology (COBIT)
Auditing Guidance Documents
• American Institute of Certified Public Accountants: Professional Standards, vol. 1, AU Section 314
• United States Government Accountability Office: Government Auditing Standards, Chapter 7, Reporting Standards for Performance Audits
NERC RAI Documents
• http://www.nerc.com/pa/comp/Pages/Reliability-Assurance-Intiative.aspx