▪ ▪ CLARITY ▪ ASSURANCE ▪ RESULTS MIDWEST RELIABILITY ORGANIZATION Improving RELIABILITY and mitigating RISKS to the Bulk Power System Thomas P. Tierney.
▪ ▪ CLARITY ▪ ASSURANCE ▪ RESULTS
MIDWEST RELIABILITY ORGANIZATION
Improving RELIABILITY and mitigating RISKS to the Bulk Power System

Reliability Assurance Initiative
Thomas P. Tierney, Director of Compliance, MRO
SPP Compliance Forum, May 23, 2013

Common Mission
Improve the reliability of the Bulk Power System.

Improvement Is the Goal
- We have very reliable systems within MRO/SPP, but we can still improve by identifying problems and fixing them: no weak links.
- There is always opportunity for improvement within the design criteria of an interconnected system.

Demystifying Internal Controls
No, really... what is an internal control?

Nothing New
- Registered Entities have been managing reliability for decades; they already have management practices (that is, controls) around reliability.
- Existing practices have been translated into the Reliability Standards and documented: "operationalizing compliance."
- Don't overthink "internal controls."

Definitions
- Risk: the possibility that something undesirable will happen. Measured as a combination of likelihood and impact.
- Control / Control Activity: a policy, procedure, checklist, etc. designed to minimize the opportunity for a risk to be realized.
- Internal Control: a control activity performed internally by the entity, not by a third party; more broadly, the management practices that include such internally performed control activities ("self-monitoring").

Types of Risk
- Inherent Risk: risks "built in" to a given entity, based on geography, what facilities it operates, "interconnectedness," etc. Reliability Standards are designed to mitigate inherent risk in a broad sense.
- Control Risk: the risk that management practices or control activities are not achieving their reliability or compliance objectives.
- Detection Risk: the risk that possible violations are going unnoticed.
- Residual Risk: the risk that remains after application of a control and other mitigating factors.
It is difficult and expensive to eliminate 100% of risk; we must live with some risk.

Types of Controls
- Preventive: controls designed to stop something from occurring.
- Detective: controls designed to identify when a possible violation has occurred and facilitate timely remediation. Also known as "monitoring" controls.

Control Hierarchies
Multiple, complementary controls that work together to reduce risk ("defense in depth"):
- Primary
- Secondary
- Tertiary
Secondary and tertiary controls serve as a "safety net" in case the primary control does not function as expected. Each subsequent tier of controls further reduces residual risk.

Examples: Protection System Maintenance and Testing
- Relay technicians complete work orders according to a pre-defined checklist to prevent steps being skipped or performed incorrectly.
- Supervisors review and approve completed work orders to verify technicians' proper use of the checklist.
- A sample of work orders is reviewed by Internal Audit to verify accuracy and completeness.

Examples: Protection System Maintenance and Testing, by control tier
(columns in the original slide: Procedure/Process, Control, Control Activity, Control Type)

Primary control
  Procedure/Process: Program Documents (Procedures)
  Control: Standard Work Order
  Control activity: checklist followed and completed, exceptions noted, follow-up notes signed
Secondary control
  Procedure/Process: Program Documents (Procedures)
  Control: Supervisory Review
  Control activity: review for completeness and accuracy, follow-up actions closed or scheduled to be completed, signed
Tertiary control
  Procedure/Process: Program Documents (Procedures)
  Control: Management Oversight
  Control activity: periodic sampling of work orders to determine that the program is being completed and properly reviewed

Examples: Training
- Management establishes training objectives and reviews training materials to confirm objectives are met.
- Individuals are tested after completion of training to ensure effectiveness of delivery.
- Supervisors conduct performance observations to verify past training has been effective and to identify additional training needs.

Examples: Training, by control tier
(columns in the original slide: Procedure/Process, Control, Control Activity, Control Type)

Primary control
  Procedure/Process: Program Documents (Procedures)
  Control: Training Objectives
  Control activity: management establishes training objectives and reviews training materials to confirm objectives are met
Secondary control
  Procedure/Process: Program Documents (Procedures)
  Control: Training Evaluation
  Control activity: individuals are tested after completion of training to ensure effectiveness of delivery
Tertiary control
  Procedure/Process: Program Documents (Procedures)
  Control: Performance Observations
  Control activity: supervisors conduct performance observations to verify past training has been effective and to identify additional training needs

Examples: Cybersecurity
- Systems are configured to require passwords to prevent unauthorized access.
- All changes to systems are reviewed, approved, and tested to ensure that unauthorized changes do not occur.
- Periodic reviews are conducted to ensure that password controls adhere to corporate security policies.

Examples: Cybersecurity, by control tier
(columns in the original slide: Procedure/Process, Control, Control Activity, Control Type)

Primary control
  Procedure/Process: Security Policies
  Control: Password Controls
  Control activity: systems are configured to require passwords to prevent unauthorized access
Secondary control
  Procedure/Process: Configuration Management Procedures
  Control: Configuration Management
  Control activity: all changes to systems are reviewed, approved, and tested to ensure that unauthorized changes do not occur
Tertiary control
  Procedure/Process: Security Policies
  Control: Security Assessments
  Control activity: periodic reviews are conducted to ensure that password controls adhere to corporate security policies
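The cybersecurity example describes three tiers: a preventive primary control (systems require passwords), a secondary control (every change is reviewed and approved), and a tertiary detective control (periodic review of password settings against corporate policy). The Python script below is an added example, not part of the MRO presentation, showing what that tertiary review can look like in practice and, more usefully, how each finding tells the reviewer which lower tier failed. The policy thresholds, host names, configuration text and change-ticket records are all constructed for illustration and are not MRO, NERC or any entity's real values.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Corporate password policy baseline (constructed; thresholds are illustrative,
# not MRO or NERC requirements). Each rule: setting -> (comparison, required).
POLICY = {
    "PASS_MIN_LEN": (">=", 12),
    "PASS_MAX_DAYS": ("<=", 90),
    "PASS_MIN_DAYS": (">=", 1),
    "PermitEmptyPasswords": ("==", "no"),
}

# Constructed sample configs in the "KEY value" style of /etc/login.defs and
# sshd_config; host names are hypothetical.
HOST_CONFIGS = {
    "ems-hmi-01": "PASS_MAX_DAYS 90\nPASS_MIN_DAYS 1\nPASS_MIN_LEN 12\n"
                  "PermitEmptyPasswords no  # sshd_config\n",
    "ems-hmi-02": "PASS_MAX_DAYS 365\nPASS_MIN_DAYS 0\nPASS_MIN_LEN 8\n"
                  "PermitEmptyPasswords no\n",
    "relay-gw-03": "PASS_MAX_DAYS 90\nPASS_MIN_DAYS 1\nPASS_MIN_LEN 12\n"
                   "PermitEmptyPasswords yes\n",
}

# Constructed change-management records: the evidence the secondary
# (review-and-approve) control leaves behind. Ticket IDs are hypothetical.
CHANGE_LOG = [
    {"host": "ems-hmi-02", "setting": "PASS_MAX_DAYS", "new": "365",
     "ticket": "CHG-1042", "approved": True},
    {"host": "ems-hmi-02", "setting": "PASS_MIN_LEN", "new": "8",
     "ticket": "CHG-1043", "approved": False},
]


@dataclass
class Finding:
    host: str
    setting: str
    actual: str
    required: str
    category: str                 # which lower tier failed; see classify()
    ticket: Optional[str] = None


def parse_settings(text: str) -> Dict[str, str]:
    """Parse 'KEY value' lines; '#' starts a comment, blank lines are ignored."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0]] = parts[1].strip()
    return settings


def complies(op: str, required, actual: str) -> bool:
    """Evaluate one policy rule against the configured value."""
    if op == "==":
        return actual.lower() == str(required).lower()
    try:
        value = int(actual)
    except ValueError:
        return False              # non-numeric where a number is required
    return value >= int(required) if op == ">=" else value <= int(required)


def classify(host: str, setting: str, actual: str,
             change_log: List[dict]) -> Tuple[str, Optional[str]]:
    """Map a policy miss to the control tier that let it through."""
    matches = [r for r in change_log
               if r["host"] == host and r["setting"] == setting and r["new"] == actual]
    if not matches:
        # No change record at all: primary and secondary tiers both missed it.
        return "unrecorded drift", None
    record = matches[-1]
    if record["approved"]:
        # Review happened and approved something outside policy: a design gap.
        return "approved deviation", str(record["ticket"])
    # Change was rejected yet applied anyway: control not operating as designed.
    return "unapproved change", str(record["ticket"])


def review(host_configs: Dict[str, str], policy: dict,
           change_log: List[dict]) -> List[Finding]:
    """The tertiary, detective control: periodic review of every host against policy."""
    findings: List[Finding] = []
    for host, text in host_configs.items():
        settings = parse_settings(text)
        for setting, (op, required) in policy.items():
            expected = f"{op} {required}"
            actual = settings.get(setting)
            if actual is None:
                findings.append(Finding(host, setting, "<missing>", expected, "unrecorded drift"))
            elif not complies(op, required, actual):
                category, ticket = classify(host, setting, actual, change_log)
                findings.append(Finding(host, setting, actual, expected, category, ticket))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per category; the mix shows where the control environment is weak."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    results = review(HOST_CONFIGS, POLICY, CHANGE_LOG)
    for f in results:
        print(f"{f.host:12} {f.setting:22} actual={f.actual:<8} required={f.required:8} "
              f"{f.category}" + (f" ({f.ticket})" if f.ticket else ""))
    print(summarize(results))
```

The three categories are the point of cross-referencing the change log rather than just diffing settings against policy. An "approved deviation" means the secondary control operated but approved something the policy does not allow, which is a design question for the approval process. An "unapproved change" means a rejected change was applied anyway, so the configuration-management control is not operating as designed. "Unrecorded drift" means neither the primary nor the secondary tier caught it and only the periodic review did, which is exactly the safety-net role the Control Hierarchies slide assigns to the tertiary tier.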

Reliability Assurance Initiative: Focusing on Risk

Current State
- "One size fits all" compliance model
  - NERC Actively Monitored Standards do not change based on regional differences, entity size, etc.
  - No consideration of management practices (that is, controls) around Reliability Standards.
- Zero-defect approach to enforcement is burdensome
  - Every violation requires a regulatory filing regardless of severity.
  - Self-reports require significant effort.
  - Administrative Citation Process (ACP) and Find, Fix, Track (FFT) are not sufficient.
  - Expediting enforcement won't solve the problem.

Key Elements of RAI
- Shape compliance monitoring and mitigation based on risk.
- Reserve enforcement for the most significant risks.

Scoping of Work
Assessment of each entity's inherent risk. Some factors influencing the assessment:
- Facilities
- Special Protection Systems
- IROLs
- Geographic location
- Functions performed
- Connectivity (physical and cyber)
- EMS/SCADA system
- Compliance history

Scoping of Work
What does a risk assessment look like?
- Not a letter grade or single rating.
- Entities will not be compared and ranked.
- The assessment will look more like a matrix: certain families of standards may be higher risk for one entity and less risky for another.

Scoping of Work
- Internal controls established by each entity must be identified.
- Evaluation of select controls to determine effectiveness:
  - Design: is the control, as documented, adequate to address the risk?
  - Operational: is the control implemented as designed?
- Effective controls reduce residual risk to an acceptable level.
- MRO staff can rely on effective controls: regulatory scope can be adjusted, with less auditing and testing (or none) where strong controls exist.

Scoping of Work
- Risk assessments and internal controls will be leveraged across all compliance monitoring activities.
- Internal emphasis should shift over time toward maintaining effective controls around Reliability Standards.
- Continue to identify and correct issues in a timely fashion.
- Focus on reliable operations first; compliance should be a natural outcome of strong operations.

Compliance Exceptions
- "Compliance Exceptions" represent lower-risk violations that do not represent significant risk to the BES.
- Identified by an entity itself or by regional staff.
- Initially tracked at the regional level; no enforcement proceedings, no penalties.
- Mitigation will always be important:
  - What was done to address the problem itself?
  - What is being done to prevent recurrence?

Compliance Exceptions
Enforcement will focus on the most significant or high-risk issues:
- A violation that poses significant risk to reliable operation of the BES, e.g. a cause of or contributing factor in a cascading event.
- Multiple smaller issues that aggregate into a bigger problem or are indicative of a poor control environment.
- Willful misconduct.

MRO Pilots
Compliance audit
- Tools being developed with input from industry, the Regions, and NERC.
- Currently developing the risk assessment.
- Internal controls evaluation to occur during June and July.
- Scope will reflect risk and the presence of effective controls.
- Audit completion in Q4 of 2013.

MRO Pilots
Self-certification
- Transition from a blanket, "check the box" approach to narrowly focused self-certifications.
- Scope limited to FAC R6, based on problems identified on recent audits.
- Focus on the self-assessment process and on controls to identify and correct problems.

Contact Information
Thomas P. Tierney, Director of Compliance
Midwest Reliability Organization
(651)

Questions?