Slide 1
CLARITY ▪ ASSURANCE ▪ RESULTS
MIDWEST RELIABILITY ORGANIZATION
Improving RELIABILITY and mitigating RISKS to the Bulk Power System

Reliability Assurance Initiative
Thomas P. Tierney, Director of Compliance, MRO
SPP Compliance Forum
May 23, 2013
Slide 2: Common Mission
Improve the Reliability of the Bulk Power System
Slide 3: Improvement Is the Goal
- We have very reliable systems within MRO/SPP, but we can still improve by identifying problems and fixing them – no weak links
- There is always opportunity for improvement within the design criteria of an interconnected system
Slide 4: Demystifying Internal Controls
No, Really… What Is an Internal Control?
Slide 5: Nothing New
- Registered Entities have been managing reliability for decades – they have management practices (i.e. controls) around reliability
- Existing practices have been translated into the Reliability Standards and documented – “operationalizing compliance”
- Don’t overthink “internal controls”
Slide 6: Definitions
Risk
- Possibility that something undesirable will happen
- Measured as a combination of likelihood and impact
Control/Control Activity
- Policy, procedure, checklist, etc. designed to minimize the opportunity for a risk to be realized
Internal Control
- Control activity performed internally, not by a third party
- Management practices that include control activities performed internally (“self monitoring”)
Slide 7: Types of Risk
Inherent Risk
- Risks “built-in” to a given entity, based on geography, what facilities it operates, “interconnectedness,” etc.
- Reliability Standards are designed to mitigate inherent risk in a broad sense
Control Risk
- Risk that management practices or control activities are not achieving their reliability or compliance objectives
Detection Risk
- Risk that possible violations are going unnoticed
Residual Risk
- Risk that remains after application of a control and other mitigating factors
- Difficult and expensive to eliminate 100% of risk – we must live with some risk
Slide 8: Types of Controls
Preventive
- Controls designed to stop something from occurring
Detective
- Controls designed to identify when a possible violation has occurred and facilitate timely remediation
- Also known as “Monitoring” controls
Slide 9: Control Hierarchies
- Multiple, complementary controls that work together to reduce risk (“Defense in depth”): Primary, Secondary, Tertiary
- Secondary and Tertiary controls serve as a “safety net” in case the Primary control does not function as expected
- Each subsequent tier of controls further reduces residual risk
Slide 10: Examples – Protection System Maintenance and Testing
- Relay technicians complete work orders according to a pre-defined checklist to prevent steps being skipped or performed incorrectly
- Supervisors review and approve completed work orders to verify technicians’ proper use of the checklist
- A sample of work orders is reviewed by Internal Audit to verify accuracy and completeness
Slide 11: Examples – Protection System Maintenance and Testing (control hierarchy)
Control Type      | Procedure/Process              | Control              | Control Activity
Primary Control   | Program Documents (Procedures) | Standard Work Order  | Checklist followed and completed, exceptions noted, follow-up notes signed
Secondary Control | Program Documents (Procedures) | Supervisory Review   | Review for completeness and accuracy, follow-up actions closed or scheduled to be completed, signed
Tertiary Control  | Program Documents (Procedures) | Management Oversight | Periodic sampling of work orders to determine program is being completed and properly reviewed
Slide 12: Examples – Training
- Management establishes training objectives and reviews training materials to confirm objectives are met
- Individuals are tested after completion of training to ensure effectiveness of delivery
- Supervisors conduct performance observations to verify past training has been effective and to identify additional training needs
Slide 13: Examples – Training (control hierarchy)
Control Type      | Procedure/Process              | Control                  | Control Activity
Primary Control   | Program Documents (Procedures) | Training Objectives      | Management establishes training objectives and reviews training materials to confirm objectives are met
Secondary Control | Program Documents (Procedures) | Training Evaluation      | Individuals are tested after completion of training to ensure effectiveness of delivery
Tertiary Control  | Program Documents (Procedures) | Performance Observations | Supervisors conduct performance observations to verify past training has been effective and to identify additional training needs
Slide 14: Examples – Cybersecurity
- Systems are configured to require passwords to prevent unauthorized access
- All changes to systems are reviewed, approved, and tested to ensure that unauthorized changes do not occur
- Periodic reviews are conducted to ensure that password controls adhere to corporate security policies
Slide 15: Examples – Cybersecurity (control hierarchy)
Control Type      | Procedure/Process                   | Control                  | Control Activity
Primary Control   | Security Policies                   | Password Controls        | Systems are configured to require passwords to prevent unauthorized access
Secondary Control | Configuration Management Procedures | Configuration Management | All changes to systems are reviewed, approved, and tested to ensure that unauthorized changes do not occur
Tertiary Control  | Security Policies                   | Security Assessments     | Periodic reviews are conducted to ensure that password controls adhere to corporate security policies
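The following Python is an added illustration of the three-tier cybersecurity example on slides 14 and 15, and of the "safety net" idea from slide 9; it is example code written for this page, not material from the MRO presentation. It models the primary control (passwords required) and the secondary control (changes reviewed, approved and tested) as simple predicates, and the tertiary control as a periodic review that re-checks both against a corporate policy. The policy values, system names and change records are constructed sample data, and reporting a change record whose system has no configuration snapshot is an assumption about how such a review would behave.

```python
from __future__ import annotations

from dataclasses import dataclass

# Added example (not from the MRO presentation). Models the three-tier
# cybersecurity example on slides 14-15: a preventive primary control
# (passwords required), a preventive secondary control (changes reviewed,
# approved and tested) and a detective tertiary control (periodic review
# against corporate policy). All values below are constructed sample data.


@dataclass(frozen=True)
class PasswordPolicy:
    """Corporate password policy the periodic review checks against (constructed)."""
    min_length: int = 12
    max_age_days: int = 90
    lockout_threshold: int = 5  # failed attempts before lockout; 0 means lockout disabled


@dataclass(frozen=True)
class SystemConfig:
    """Snapshot of one system's authentication settings (constructed)."""
    name: str
    password_required: bool
    min_length: int
    max_age_days: int
    lockout_threshold: int


@dataclass(frozen=True)
class ChangeRecord:
    """One entry from the change log (constructed)."""
    change_id: str
    system: str
    reviewed: bool
    approved: bool
    tested: bool


def primary_control_ok(system: SystemConfig) -> bool:
    """Primary (preventive) control: the system requires a password at all."""
    return system.password_required


def secondary_control_ok(change: ChangeRecord) -> bool:
    """Secondary (preventive) control: the change was reviewed, approved and tested."""
    return change.reviewed and change.approved and change.tested


def check_password_settings(system: SystemConfig, policy: PasswordPolicy) -> list[str]:
    """Compare one system's settings with policy; return one finding per deviation."""
    if not primary_control_ok(system):
        # The other settings are meaningless if no password is required at all.
        return ["primary control missing: password not required"]
    findings: list[str] = []
    if system.min_length < policy.min_length:
        findings.append(f"min length {system.min_length} below policy {policy.min_length}")
    if system.max_age_days > policy.max_age_days:
        findings.append(f"max age {system.max_age_days}d exceeds policy {policy.max_age_days}d")
    if system.lockout_threshold == 0 or system.lockout_threshold > policy.lockout_threshold:
        findings.append(f"lockout threshold {system.lockout_threshold} weaker than policy {policy.lockout_threshold}")
    return findings


def tertiary_review(systems: list[SystemConfig], changes: list[ChangeRecord],
                    policy: PasswordPolicy) -> dict[str, list[str]]:
    """Tertiary (detective) control: the periodic review.

    It re-checks what the primary control should have enforced and what the
    secondary control should have caught, so it is the safety net of slide 9.
    A change record for a system with no configuration snapshot is still
    reported (assumption): it is a system the review otherwise knows nothing about.
    """
    report = {s.name: check_password_settings(s, policy) for s in systems}
    for c in changes:
        if not secondary_control_ok(c):
            report.setdefault(c.system, []).append(
                f"change {c.change_id} bypassed review/approval/testing")
    # Only systems with at least one deviation are escalated.
    return {name: issues for name, issues in report.items() if issues}


# Constructed sample data: one conforming system, one with weak settings,
# one with no password control, and one change for a system not in the snapshot.
SAMPLE_POLICY = PasswordPolicy()
SAMPLE_SYSTEMS = [
    SystemConfig("ems-primary", True, 14, 60, 5),
    SystemConfig("scada-hmi-03", True, 8, 365, 0),
    SystemConfig("relay-gateway-7", False, 0, 0, 0),
]
SAMPLE_CHANGES = [
    ChangeRecord("CHG-1001", "ems-primary", True, True, True),
    ChangeRecord("CHG-1002", "scada-hmi-03", True, True, False),
    ChangeRecord("CHG-1003", "relay-gateway-7", False, False, False),
    ChangeRecord("CHG-1004", "test-bench-2", False, True, True),
]


def run_sample_review() -> dict[str, list[str]]:
    """Run the periodic review over the constructed sample data."""
    return tertiary_review(SAMPLE_SYSTEMS, SAMPLE_CHANGES, SAMPLE_POLICY)


if __name__ == "__main__":
    for name, issues in run_sample_review().items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

Running the block prints only the systems that deviate from policy or that received an unreviewed change; the conforming system does not appear, which is what a management-oversight sample would escalate. Swapping the constructed snapshots for exported settings from a real inventory is the step a practitioner would take to turn this into an actual control activity.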
Slide 16: Reliability Assurance Initiative
Focusing on Risk
Slide 17: Current State
- “One size fits all” compliance model
  - NERC Actively Monitored Standards do not change based on regional differences, entity size, etc.
  - No consideration of management practices (i.e. controls) around reliability standards
- Zero-defect approach to enforcement is burdensome
  - Every violation requires a regulatory filing regardless of severity
  - Self-reports require significant effort
- Administrative Citation Process (ACP) & Find, Fix, Track (FFT) are not sufficient
  - Expediting enforcement won’t solve the problem
Slide 18: Key Elements of RAI
- Shape compliance monitoring and mitigation based on risk
- Reserve enforcement for most significant risks
Slide 19: Scoping of Work
- Assessment of each entity’s inherent risk
- Some factors influencing assessment:
  - Facilities
  - Special Protection Systems
  - IROLs
  - Geographic location
  - Functions performed
  - Connectivity (physical and cyber)
  - EMS/SCADA system
  - Compliance history
Slide 20: Scoping of Work
- What does a risk assessment look like?
  - Not a letter grade or single rating
  - Entities will not be compared and ranked
  - Assessment will look more like a matrix
  - Certain families of standards may be higher risk for one entity, less risky for another
Slide 21: Scoping of Work
- Internal controls established by each entity must be identified
- Evaluation of select controls to determine effectiveness
  - Design – Is the control, as documented, adequate to address the risk?
  - Operational – Is the control implemented as designed?
- Effective controls reduce residual risk to an acceptable level
  - MRO staff can rely on effective controls
  - Regulatory scope can be adjusted – less auditing and testing (or none) where strong controls exist
Slide 22: Scoping of Work
- Risk assessments and internal controls will be leveraged across all compliance monitoring activities
- Internal emphasis should shift over time toward maintaining effective controls around Reliability Standards
  - Continue to identify and correct issues in a timely fashion
- Focus on reliable operations first
  - Compliance should be a natural outcome of strong operations
Slide 23: Compliance Exceptions
- “Compliance Exceptions” represent lower risk violations
  - Do not represent significant risk to the BES
  - Identified by an entity itself or by regional staff
  - Initially tracked at the regional level
  - No enforcement proceedings, no penalties
- Mitigation will always be important
  - What was done to address the problem itself?
  - What is being done to prevent recurrence?
Slide 24: Compliance Exceptions
- Enforcement will focus on most significant or high-risk issues
  - Violation poses significant risk to reliable operation of the BES, e.g. cause or contributing factor in a cascading event
  - Multiple smaller issues may aggregate into a bigger problem or are indicative of a poor control environment
  - Willful misconduct
Slide 25: MRO Pilots
- Compliance audit
  - Tools being developed with input from industry, the Regions, and NERC
  - Currently developing risk assessment
  - Internal controls evaluation to occur during June & July
  - Scope will reflect risk and presence of effective controls
  - Audit completion in Q4 of 2013
Slide 26: MRO Pilots
- Self-certification
  - Transition from blanket, “check the box” approach to narrowly focused self-certifications
  - Scope limited to FAC-008-3 R6 based on problems identified on recent audits
  - Focus on self-assessment process and on controls to identify and correct problems
Slide 27: Contact Information
Thomas P. Tierney, Director of Compliance
Midwest Reliability Organization
tp.tierney@midwestreliability.org
(651) 855-1745
Slide 28: Questions?