2017 ICPA Survey
CONTACT INFORMATION
Entity Name:
Click here to enter text.
NERC # Registry ID:
Click here to enter text.
Primary Compliance Contact Name:
Click here to enter text.
Primary Contact Title:
Click here to enter text.
Office Phone:
Click here to enter text.
Cell Phone:
Click here to enter text.
Email:
Click here to enter text.
Alternate Compliance Contact Name:
Click here to enter text.
Alternate Compliance Contact Title:
Click here to enter text.
Office Phone:
Click here to enter text.
Cell Phone:
Click here to enter text.
Email:
Click here to enter text.
Authorizing Entity Officer Name:
Click here to enter text.
Authorizing Entity Officer Title:
Click here to enter text.
Mailing address (Not a P.O. Box):
Click here to enter text.
Telephone:
Click here to enter text.
Email:
Click here to enter text.
2017 Internal Compliance Program Assessment ICPA
February 1, 2017
Internal Compliance Program Assessment
Western Electricity Coordinating Council
WECC Compliance Monitoring and Enforcement Program
Internal Compliance Program Self-Assessment Version 2.0
12/3/12
TABLE OF CONTENTS
PURPOSE
INSTRUCTIONS
SURVEY QUESTIONS
1. Established Formal Internal Compliance Program
2. Well Documented and Widely Disseminated
3. Officers/Personnel
4. Independent Access to Executives
5. Independently Managed
6. Resources
7. Leadership Support
8. Program Evaluation and Modification
9. Compliance Training
10. Self-Audit
11. Enforcement
12. Internal Controls
13. Risk Assessment
AUTHORIZATION
APPENDIX A: Selected Example ICP Practices
PURPOSE
The WECC Internal Compliance Program Assessment (ICPA) is a tool
to help entities assess their internal compliance programs. The
ICPA will assist WECC in its review and understanding of the
programs that entities have implemented to ensure compliance with
the NERC Reliability Standards. The ICPA is:
Based on relevant FERC orders, FERC direction, and WECC and NERC
experience related to robust internal compliance programs.
Composed of questions designed to focus on various aspects of an
entity's program.
Designed to prompt an entity to identify and gather specific,
relevant information related to its internal compliance
program.
Adaptable to allow for the unique constraints of smaller
entities, as well as flexible enough to recognize distinct
characteristics across the variety of programs.
INSTRUCTIONS
1. For each question below, choose the statement that best
describes the responsible entity's current status.
2. Please attach supporting documentation or provide associated
page numbers and paragraph references within the ICP, and submit
this completed package to WECC.
For example, this documentation package may include, but not be
limited to:
Organizational charts
Internal plans, policies, processes and/or procedures
Emails
Training manuals
PowerPoint presentations with associated attendance rosters
ICP workshops; and/or
Computer Based Training modules.
Note: For the purposes of this document, compliance program(s)
refers to programs concerned with compliance with NERC Reliability
Standards.
SURVEY QUESTIONS
1. Established Formal Internal Compliance Program
Is the ICP an established, formal program? For example, does the
ICP contain fully documented plans, policies, processes and/or
procedures, internal controls, and other systematic preventive
measures for the governance and management of compliance with NERC
Reliability Standards?
Note: See Appendix A for example practices.
Choose the statement that best describes the ICP:
NO
The ICP does not have any documented plans, policies, processes
and/or procedures, internal controls, and other systematic
preventive measures.
PARTIAL
The ICP has some documented plans, policies, processes and/or
procedures, internal controls, and other systematic preventive
measures, but does not address all.
YES
The ICP has well documented plans, policies, processes and/or
procedures, internal controls, and other systematic preventative
measures.
Describe, in narrative form, how the entity documents its
ICP:
Click here to enter text.
Please provide supporting evidence. Examples of supporting
evidence may include one or more of the following or
equivalent:
The entity's ICP document(s)
Plans, policies, processes and/or procedures, internal controls,
and other systematic preventive measures associated with the
entity's governance and management of compliance with NERC
Reliability Standards
Other documented processes and/or procedures as applicable
Applicable Document(s), Page and Section
Date and/or Version
Click here to enter text.
Click here to enter text.
2. Well Documented and Widely Disseminated
Does the ICP require communication to all employees, including
contractors and vendors, etc.? Has the ICP (i.e., all plans,
policies, processes and/or procedures) been widely disseminated
throughout the entity?
Choose the statement that best describes the ICP:
NO
The ICP has not been distributed.
PARTIAL
The ICP has been distributed only to the employees that are
involved in the development and implementation of the ICP.
PARTIAL
The ICP has been distributed only to the employees that have a
direct responsibility for compliance with the NERC Reliability
Standards.
YES
The ICP has been distributed to all employees, and, if
applicable, to contractors and vendors.
Describe, in narrative form, how the entity disseminates the ICP
to all appropriate relevant employees, including contractors and
vendors:
Click here to enter text.
Please provide supporting evidence. Examples of supporting
evidence may include one or more of the following or
equivalent:
Compliance Training Program
Compliance Communications Program
Website samples
Sample e-mail memos, newsletters, etc.
Applicable Document(s), Page and Section
Date and/or Version
Click here to enter text.
Click here to enter text.
3. Officers/Personnel
Has the entity named and staffed a Compliance Officer, FERC/NERC
Director, or additional FERC/NERC personnel as required to support
its ICP?
Smaller Entities: A smaller entity may not have sufficient staff
to dedicate one employee as a full-time Compliance Officer or
FERC/NERC Director. In such cases, has the entity assigned one
person the responsibility to coordinate or monitor the entity's
compliance responsibilities?
Choose the statement that best describes the ICP:
NO
The entity has not identified or assigned compliance
responsibility and accountability to a Compliance Officer,
FERC/NERC Director/Manager, or other high-ranking official.
PARTIAL
The entity has identified and assigned responsibility for some
compliance activities to various employees throughout the
organization.
YES
The entity has identified and assigned responsibility and
accountability to a Compliance Officer or other high-ranking
official, FERC/NERC Director/Manager, and additional personnel as
required. For larger organizations, at least one position is fully
dedicated to FERC/NERC compliance. For smaller organizations, at
least one position is partially dedicated to FERC/NERC compliance.
Below, provide the name(s) and title(s) of the employee(s)
currently staffing this/these position(s).
Name(s):
Click here to enter text.
Describe, in narrative form, how the entity has assigned
compliance responsibility in the organization:
Click here to enter text.
Please provide supporting evidence. Examples of supporting
evidence may include one or more of the following or
equivalent:
Compliance Organizational Chart
Defined Roles and Responsibilities assigned to entity personnel
for each NERC Reliability Standard identified in Item 2 above
Applicable Document(s), Page and Section
Date and/or Version
Click here to enter text.
Click here to enter text.
4. Independent Access to Executives
Does the assigned compliance official(s) have independent access
to the CEO or equivalent and/or Board of Directors?
Note: If your entity does not currently have an assigned
compliance official, please answer NO to this question.
Choose the statement that best describes the ICP:
NO
The entity's assigned compliance official does not have
independent access to the CEO or equivalent and/or Board of
Directors.
YES
The entity's assigned compliance official has independent access
to the CEO and/or Board of Directors.
Describe, in narrative form, how the entity provides independent
access to the CEO or equivalent and/or Board of Directors for its
employee(s) responsible for compliance:
Click here to enter text.
Please provide supporting evidence. Examples of supporting
evidence may include one or more of the following or
equivalent:
Organizational chart or plan showing independent access
Sample meeting minutes, notes, agendas, emails, etc., showing
independent access to senior management
Applicable Document(s), Page and Section
Date and/or Version
Click here to enter text.
Click here to enter text.
5. Independently Managed
Is the ICP operated and managed so it is independent of those
responsible for compliance with the NERC Reliability Standards?
Smaller Entities: A smaller entity may not have the available
personnel to manage its ICP separately from the work groups that
are responsible for complying with NERC Reliability Standards. In
such cases, those personnel responsible for compliance should at
minimum have independent access to the company's assigned compliance
official, the CEO or equivalent, and/or the Board of Directors (see
item 5 above).
Choose the statement that best describes the ICP:
NO
The ICP is not managed or operated independently of the work
groups that are responsible for complying with NERC Reliability
Standards.
PARTIAL
The ICP is managed by the work groups that are responsible for
complying with NERC Reliability Standards, but it is managed
independently.
YES
The ICP is managed and operated independently of the work groups
that are responsible for complying with NERC Reliability
Standards.
Describe, in narrative form, how the entity independently
manages its ICP:
Click here to enter text.
Please provide supporting evidence. Examples of supporting
evidence may include the following document or equivalent:
Organizational chart or plan which shows how the program is
independently managed
For smaller entities, please provide applicable
documentation
Applicable Document(s), Page and Section
Date and/or Version
Click here to enter text.
Click here to enter text.
6. Resources
Has the entity dedicated resources (staff and budget) to support
its ICP?
Choose the statement that best describes the ICP:
NO
The entity's budget does not provide for any staff resources to
work on compliance with NERC Reliability Standards.
PARTIAL
The entity has provided for staff resources within its budget
but cannot demonstrate that staff resources were allocated to
compliance with NERC Reliability Standards.
YES
The ICP is fully budgeted and fully or partially staffed
(relative to the number of full time equivalent staff that
implements the Reliability Standards) on a year-round basis.
Describe, in narrative form, the support the entity allocates to
its ICP:
Click here to enter text.
Please provide supporting evidence. Examples of supporting
evidence may include the following document or equivalent:
Organizational chart or plan which shows compliance roles and
responsibilities and how they are staffed
Applicable Document(s), Page and Section
Date and/or Version
Click here to enter text.
Click here to enter text.
7. Leadership Support
Does the ICP have the support and participation of senior
management (Officer Level)? This includes reviewing compliance
reports, participating in compliance meetings, and communicating
the importance of compliance to entity personnel on a regular
basis.
Choose the statement that best describes the ICP:
NO
Senior management does not actively support or routinely
participate in the ICP.
PARTIAL
Senior management reviews compliance reports, participates in
compliance meetings, and communicates to employees their commitment
to compliance at least semi-annually.
YES
Senior management is actively involved in compliance efforts,
reviews compliance reports, participates in compliance meetings,
and communicates to employees its commitment to compliance
frequently, both formally and informally. Compliance activities
occur at least quarterly.
Describe, in narrative form, the support the ICP receives from
the entity's Officer Level leadership:
Click here to enter text.
Please provide supporting evidence. Examples of supporting
evidence may include one or more of the following or
equivalent:
Samples of Senior Management Communications for the past 12
months
Samples of Compliance meeting agendas for the past 12 months
Samples of Compliance committee meeting minutes for the past 12
months
Samples of relevant e-mail memos, newsletters, etc. for the past
12 months
Description of management review/approval process and/or
procedure
Applicable Document(s), Page and Section
Date and/or Version
Click here to enter text.
Click here to enter text.
8. Program Evaluation and Modification
Does the entity regularly review and modify its ICP? This
includes a process and/or procedure to trigger a review of the ICP
either following a violation or following changes to NERC
Reliability Standards, and modifying the ICP, if necessary. Does
the ICP contain a process and/or procedure for identifying and
updating its list of NERC Reliability Standards applicable to the
entity?
Choose the statement that best describes the ICP:
NO
The ICP does not have an identified review cycle or a process
and/or procedure to trigger a review. ICP does not have a list of
NERC Reliability Standards applicable to the entity or a process
and/or procedure to identify and update that list.
PARTIAL
The ICP does not specify a review cycle; however, the entity has
a process and/or procedure to trigger a review, or has reviewed and
modified its ICP since the entity was registered. The ICP has a
list of NERC Reliability Standards applicable to the entity but it
does not have a process and/or procedure for updating its list.
YES
The ICP is reviewed on at least an annual cycle. In addition,
the entity has a process and/or procedure to trigger a review
either following a violation or following changes to NERC
Reliability Standards. The ICP is modified as necessary. The ICP
contains a process and/or procedure for identifying and updating
its list of NERC Reliability Standards applicable to the
entity.
Describe, in narrative form, how the entity reviews and modifies
its ICP:
Click here to enter text.
Please provide supporting evidence. Examples of supporting
evidence may include one or more of the following or
equivalent:
ICP review and modification process and/or procedure
A sample of recent ICP reviews, including version control
records
A plan or other document that lists NERC Reliability Standards
that apply to the entity
A description of the process and/or procedure the entity follows
to update this list when Standards change, as applicable
Version control records of the entity's Reliability Standards
lists
Applicable Document(s), Page and Section
Date and/or Version
Click here to enter text.
Click here to enter text.
9. Compliance Training
Does the ICP require compliance training for all entity staff,
contractors and vendors who have direct responsibility for the
implementation of the processes and/or procedures that demonstrate
compliance with the NERC Reliability Standards? Relevant personnel
may include but are not limited to: Subject Matter Experts (SMEs),
Engineers, Technicians, Vegetation Management implementers and
System Operators (as applicable). Does this training measure
understanding through quizzes, exams, surveys, etc. consistent with
a Registered Entity's collective bargaining agreements?
Note: See Appendix A for example practices.
Choose the statement that best describes the ICP:
NO
The ICP does not require training for relevant personnel.
PARTIAL
The ICP requires training for personnel that have a direct
responsibility for compliance with NERC Reliability Standards.
YES
The ICP includes detailed training for personnel, including
contractors and vendors that have a direct responsibility for
compliance with NERC Reliability Standards, including assisting
personnel who must keep professional credentials up-to-date.
Training also includes overview compliance awareness training for
other employees that do not have a direct responsibility for
compliance with NERC Reliability Standards. All training includes
processes and/or procedures that measure the degree of
understanding and comprehension of such Standards (quizzes, etc.),
consistent with a Registered Entity's collective bargaining
agreements.
Describe, in narrative form, how the entity provides compliance
training to all personnel, including contractors and vendors (see
above):
Click here to enter text.
Please provide supporting evidence. Examples of supporting
evidence may include one or more of the following or
equivalent:
Compliance Training Program
Compliance Communications Program
Samples of training modules
Attendance records
Applicable Document(s), Page and Section
Date and/or Version
Click here to enter text.
Click here to enter text.
10. Self-Audit
Does the ICP include a formal, internal self-auditing process
and/or procedure for compliance with all applicable NERC
Reliability Standards on an annual basis? Are results reported
internally?
Choose the statement that best describes the ICP:
NO
The ICP does not include an internal self-auditing and reporting
process and/or procedure.
PARTIAL
Although the ICP includes a process and/or procedure for
internal self-auditing and reporting, the entity does not
self-audit and report on at least an annual basis.
YES
The ICP includes internal self-auditing and reporting for
compliance on an annual basis for full compliance with all
applicable NERC Reliability Standards. Audit results are reported
and reviewed internally.
Describe, in narrative form, how the entity self-audits its
ICP:
Click here to enter text.
Please provide supporting evidence. Examples of supporting
evidence may include one or more of the following or
equivalent:
ICP self-audit program
Sample of the audit reports or other results (past 12-24 months)
redacted if necessary
Applicable Document(s), Page and Section
Date and/or Version
Click here to enter text.
Click here to enter text.
11. Enforcement
Does the ICP include processes and/or procedures for
disciplinary action for employees involved in violations of the
Reliability Standards? Are available Human Resources (HR)
disciplinary programs utilized as necessary? Is Senior Leadership
or the Board involved as necessary? Conversely, does the entity's
ICP include employee compliance with NERC Reliability Standards as
a performance factor on job descriptions and performance
evaluations to encourage accountability?
Choose the statement that best describes the ICP:
NO
The entity's ICP does not include disciplinary action for
employees who are responsible for violations of NERC Reliability
Standards. The ICP does not include employee compliance with NERC
Reliability Standards as a performance factor on job descriptions
and performance evaluations.
PARTIAL
The entity takes disciplinary action for employees responsible
for violations of NERC Reliability Standards; however, the entity
does not have a formal documented disciplinary action process
and/or procedure.
YES
The entity's ICP includes detailed disciplinary action processes
and/or procedures for employees involved in NERC Reliability
Standard violations, including involving HR, Senior Leadership,
and/or the Board as necessary. The entity has administered
disciplinary action when appropriate. The ICP includes compliance
with NERC Reliability Standards as a performance factor on job
descriptions and performance evaluations.
Describe, in narrative form, the entity's disciplinary action for
employees that are responsible for violations of NERC Reliability
Standards:
Click here to enter text.
Describe, in narrative form, how the entity uses employee
compliance with NERC Reliability Standards as a performance factor
on job descriptions and performance evaluations to encourage
accountability:
Click here to enter text.
Please provide supporting evidence. Examples of supporting
evidence may include:
Company policies relating to disciplinary actions for compliance
violations
Samples of any recent disciplinary actions (past 12-24 months)
redacted if necessary
Company programs relating to compensation, awards, employee
recognition, or other monetary and/or non-monetary incentives
relating to compliance
Samples of non-confidential information related to actual awards
or other incentives
Job Descriptions
Other examples of programs or policies entity uses to promote a
culture of compliance
Applicable Document(s), Page and Section
Date and/or Version
Click here to enter text.
Click here to enter text.
12. Internal Controls
Does the ICP include a process and/or procedure to implement
internal controls to prevent, detect and/or correct, and report
possible violations of NERC Reliability Standards? This includes
assessing the effectiveness of internal controls and specific
processes and/or procedures to promote prompt detection and
self-reporting of possible violations to the Regional Entity
(WECC).
See Appendix A for internal controls description and generic
examples of internal control activities.
Choose the statement that best describes the ICP:
NO
The ICP does not include a process and/or procedure to put into
place and assess the effectiveness of internal controls. The entity
has not implemented any internal controls. The ICP does not include
processes and/or procedures for self-reporting possible violations
of applicable NERC Reliability Standards.
PARTIAL
The ICP does not have a process and/or procedure to implement
and assess the effectiveness of internal controls. However, the
entity has implemented some internal controls. The ICP does not
include processes and/or procedures for self-reporting possible
violations of applicable NERC Reliability Standards, but the entity
has self-reported violations to WECC since the entity was
registered.
YES
The ICP contains a process and/or procedure to implement and
assess the effectiveness of internal controls. The entity has also
implemented robust internal controls to prevent, detect and/or
correct possible violations of NERC Reliability Standards. The ICP
also includes processes and/or procedures for self-reporting
possible violations of applicable NERC Reliability Standards. In
addition, entity has followed these processes and/or procedures
and, if a violation was found, promptly self-reported the violation
to WECC.
Describe, in narrative form, how the entity uses internal
controls to prevent, detect and/or correct, and report the possible
violation of NERC Reliability Standards, and how the entity
assesses the effectiveness of those controls:
Click here to enter text.
Please provide supporting evidence. Examples of supporting
evidence may include one or more of the following or
equivalent:
Process and/or procedure for establishing and assessing internal
controls
Examples of internal controls implemented (See Appendix A for
generic examples of internal control activities)
Assessments and/or reviews completed by the entity to determine
the effectiveness of internal controls (i.e. in terms of high-risk
Reliability Standards; in terms of preventative, detective, or
corrective; etc.)
Processes and/or procedure for self-reporting
A sample of recent self-reports
A list of the entity's self-reports for the past 12 months
Applicable Document(s), Page and Section
Date and/or Version
Click here to enter text.
Click here to enter text.
13. Risk Assessment
Does the ICP include processes and/or procedures to assess
compliance and reliability risks related to the NERC Reliability
Standards on an annual basis? Does the ICP also include processes
and/or procedures to assess the risk to reliability posed by a
particular noncompliance?
Note: See Appendix A for example practices.
Choose the statement that best describes the ICP:
NO
The ICP does not document how compliance and reliability risk is
assessed.
PARTIAL
Although the ICP includes processes and/or procedures to assess
compliance and reliability risks, the entity does not assess risk
on an annual basis or for specific issues of noncompliance.
YES
The entity assesses its compliance and reliability risks, and
the ICP includes processes and/or procedures to assess compliance
and reliability risks at least annually and for specific issues of
noncompliance.
Describe, in narrative form, how the entity assesses compliance
and reliability risks:
Click here to enter text.
Please provide supporting evidence. Examples of supporting
evidence may include one or more of the following or
equivalent:
The entity's compliance and reliability risk assessment processes
and/or procedures
Final risk assessment reports
Applicable Document(s), Page and Section
Date and/or Version
Click here to enter text.
Click here to enter text.
AUTHORIZATION
An authorized individual must sign and date this Internal
Compliance Program Assessment. By doing so, this individual, on
behalf of the entity's organization, certifies that the information
submitted herein is accurate.
1. This certifies that I am of .
2. I am an officer, employee, attorney or other person
authorized to sign this Internal Compliance Program Assessment on
behalf of .
3. I have read and am familiar with the contents of the Internal
Compliance Program Assessment and related documents submitted
herein.
4. I understand that based on the answers herein, WECC may
request more information specific to (RE)'s ICP.
5. To the best of my knowledge, the information provided in this
response is correct.
Authorized Signature:
Name (Print):
Click here to enter text.
Title:
Click here to enter text.
Date:
Click here to enter text.
APPENDIX A: Selected Example ICP Practices
Internal Compliance Program
1. Outline and describe the elements of the ICP in an overview
document that includes the following sections:
a. Purpose, Background, and Program Overview
Senior Management, Compliance Officer and Internal Compliance
Program Core Members (including roles and responsibilities)
b. Risk Assessment
c. Internal Controls
d. Measurable Compliance Performance Targets
e. Compliance Communication and Training
f. Self-Audit and Self-Certification
g. Self-Reporting
h. Documentation and Record Keeping
i. Version History
j. Attachments/Links
i. Applicable Reliability Standards
ii. Organizational Chart
iii. Terms and Definitions
2. Outline and describe the elements of ICP in an overview
document that includes the following:
a. Compliance Culture including organization, senior management
commitment, funding, staffing, communication and ICP
dissemination.
b. Control Environment including monitoring, tracking, control,
documentation, data retention, reporting, remediation, risk
assessment.
c. Continual Improvement including internal auditing, education
and training.
3. Along with the ICP overview document, develop an ICP Handbook
companion document that includes specific ICP plans associated with
the ICP. These plans are detailed processes and/or procedures,
which also include the purpose, objective, responsibilities,
reference documents and revision history for each plan.
Identify and Update Requirements
1. Create a list (in a database, in spreadsheet form, or as a
word document) which clearly identifies all applicable NERC and
WECC Reliability Standards. The list should:
a. Be updated on at least an annual basis, but more frequently
as appropriate.
b. Contain information as to where NERC and WECC Reliability
Standards may be found.
2. On the list of applicable NERC and WECC Reliability
Standards, assign specific Standard Requirements to certain
employees, e.g. Subject Matter Experts (SMEs) or Reliability
Standard Owners.
a. The employees would be obligated to continuously monitor and
track compliance with assigned NERC Reliability Standards.
i. List any specific tasks required for compliance
ii. List any measurable compliance performance targets
associated with tasks required for compliance
3. Ensure new or modified Reliability Standards are promptly
identified and communicated to those required to comply with the
standards.
a. Conduct regular (e.g. quarterly) reviews of applicable NERC
and WECC Reliability Standards to ensure that:
i. All applicable Standards are being addressed;
ii. Any changes to Standards are being incorporated into the
entity's ICP; and
iii. Entity personnel remain aware of any updates, additions, or
modifications to the Standards.
b. Review ICP following NERC or WECC information release, e.g.,
Compliance Application Notices, Updates on Audit Approach
(presentations at the CUG meetings), Reliability Standard
Interpretations, et cetera.
4. Develop or implement a comprehensive compliance tracking
solution, beyond a spreadsheet, (e.g. specialized third-party
software) which includes all applicable NERC and WECC Reliability
Standards and Requirements down to the sub-requirement level.
a. Document a process for updating all reliability standards on
a frequent basis while allowing multiple groups to track their
compliance activities.
b. Leverage the compliance tracking solution as a repository for
documenting evidence, gap analysis records and other data related
to the entity's compliance with the Reliability Standards.
5. Convert the text of the individual Reliability Standards into
hyperlinks which point to the respective standards on the NERC
website. Users of the lists can then easily access the details of
the Reliability Standards at the source.
Risk Assessment
1. At a high level, adopt a strategic risk management approach,
which incorporates the following:
a. Anticipate the Risk
i. Assume the worst can happen at any time.
ii. Anticipate the next happening.
iii. Play it out. Think it through.
iv. Figure out what you do not know.
b. Assess the Risk
i. What is the likelihood of the event?
ii. What is the magnitude?
c. Act Against the Risk
i. Establish a strategy to mitigate the risk.
ii. Maintain a holistic view of the risk and solution.
d. Adopt a Plan
i. Develop processes and procedures (specific to risk
management).
ii. Identify roles and responsibilities.
2. At a high level, and with a focus on compliance and
reliability risk, adopt an Enterprise Risk Management (ERM)
approach, which incorporates the following:
a. Identify Risks
b. Assess and Evaluate Risks
c. Integrate Risks
d. Respond to Risks
e. Design, Implement and Test Controls
f. Monitor, Assure and Escalate
3. At a high level, and with a focus on compliance and
reliability risk, adopt a strategic risk management approach, which
incorporates the following:
a. Anticipate the Risk
i. Assume the worst can happen at any time.
ii. Anticipate the next happening.
iii. Play it out. Think it through.
iv. Figure out what you do not know.
b. Assess the Risk
i. What is the likelihood of the event?
ii. What is the magnitude?
c. Act Against the Risk
i. Establish a strategy to mitigate the risk.
ii. Maintain a holistic view of the risk and solution.
d. Adopt a Plan
i. Develop processes and procedures (specific to risk
management).
ii. Identify roles and responsibilities.
4. Use a point system to compile a compliance and reliability
risk index score for all entity-applicable Reliability Standard
Requirements and sub-requirements.
a. The score could incorporate several risk factors,
including:
i. Violation Risk Factor (VRF)
ii. Actively Monitored List (AML) or equivalent list
iii. Entity violation history, (taking into account Standard
Requirements violated, Violation Impact, Violation Severity Level
(VSL), and mitigation status)
iv. WECC/NERC Most Violated Reliability Standards Reports
v. Requirements that have annual, event driven or periodic
activity, likelihood of occurrence
vi. New versions of Reliability Standards
vii. Changes in key personnel (e.g. SMEs)
b. Quantify and score the risk for each applicable Reliability
Standard Requirement.
i. Develop a method to quantify and evaluate the risk for each
risk factor and each applicable Reliability Standard Requirement,
e.g. create a risk assessment matrix listing each applicable
Reliability Standard Requirement and each risk factor.
ii. Develop a scale, e.g. a numeric scale from 1 to 5 or a scale
of High/Medium/Low, and quantify the level of risk for each risk
factor for each Reliability Standard Requirement. Include the
weighting of risk based on likelihood and magnitude factors.
iii. Aggregate the risk factor valuations into a risk index
score for each Reliability Standard Requirement.
c. Use the point system above to determine, based on criteria
established by the entity, which Standard Requirements pose the
greatest compliance and reliability risk.
d. Based on the risk-assessment results, the entity may choose
to focus more attention on the higher-risk Standard
Requirements.
e. Clearly document the risk assessment results by Reliability
Standard Requirement:
i. Create a spreadsheet or Word document with a list of
applicable Reliability Standard Requirements.
ii. Flag or otherwise identify higher-risk Requirements.
iii. List the key control(s) for each identified risk.
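The point system in item 4 carried through in code, as an added example that is not part of the ICPA document: each applicable Requirement is rated 1 to 5 on the 4.a risk factors, the ratings are weighted and aggregated into a risk index (4.b), higher-risk Requirements are flagged (4.c, 4.e) and any flagged Requirement with no documented key control is called out (the "at least one key control" rule in item 8). The factor weights, the threshold, the sample Requirement ratings and the control names are all constructed for illustration, not an entity's real data.

```python
"""Risk index scoring for Reliability Standard Requirements (items 4.a-4.e).
Added example, not from the ICPA document; weights, threshold and sample
Requirement ratings/controls are constructed for illustration."""
from dataclasses import dataclass, field

SCALE = range(1, 6)  # numeric 1 (low) to 5 (high) scale from 4.b.ii
# Risk factors from 4.a. Weights are an assumed entity choice: factors tied
# to magnitude (VRF, violation history) weigh more than likelihood factors.
FACTOR_WEIGHTS = {
    "vrf": 2.0,            # Violation Risk Factor
    "aml": 1.0,            # on the Actively Monitored List or equivalent
    "history": 1.5,        # entity violation history and mitigation status
    "most_violated": 1.0,  # listed in WECC/NERC most-violated reports
    "activity": 1.0,       # annual, event-driven or periodic activity
    "new_version": 1.0,    # new version of the Standard in effect
    "personnel": 1.0,      # change in key personnel (SMEs)
}

@dataclass
class Requirement:
    rid: str        # Standard Requirement, e.g. "CIP-004 R4"
    ratings: dict   # factor name -> rating on SCALE
    controls: list = field(default_factory=list)  # key controls (4.e.iii)

def risk_index(ratings, weights=FACTOR_WEIGHTS):
    """Aggregate the weighted factor ratings into one index (4.b.iii), scaled
    to 0-100 so scores stay comparable if the entity changes its weights."""
    for f in weights:  # every factor must be rated, and on the 1-5 scale
        if ratings.get(f) not in SCALE:
            raise ValueError(f"{f}: rating missing or outside the 1-5 scale")
    total = sum(weights[f] * ratings[f] for f in weights)
    return round(100 * total / (max(SCALE) * sum(weights.values())), 1)

def assess(reqs, threshold=60.0):
    """Score each Requirement, flag those at or above the entity's threshold
    (4.c, 4.e.ii) and mark flagged ones that lack a documented key control."""
    rows = []
    for r in reqs:
        idx = risk_index(r.ratings)
        high = idx >= threshold
        rows.append({"requirement": r.rid, "index": idx, "high_risk": high,
                     "controls": r.controls, "control_gap": high and not r.controls})
    return sorted(rows, key=lambda row: row["index"], reverse=True)

# Constructed sample ratings for two Requirements (not real entity data).
SAMPLE = [
    Requirement("CIP-004 R4", dict(vrf=4, aml=5, history=4, most_violated=5,
                activity=4, new_version=2, personnel=3), ["quarterly access review"]),
    Requirement("CIP-006 R2", dict(vrf=3, aml=4, history=1, most_violated=3,
                activity=5, new_version=2, personnel=5)),
]
```

Running `assess(SAMPLE)` ranks both Requirements as higher-risk and reports a control gap for CIP-006 R2, which has no key control recorded.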
5. Use a more basic risk-assessment approach that assesses all
entity applicable Reliability Standard Requirements and
sub-requirements and simply flags or highlights Requirements based
on risk factors. (See risk factors listed under 1.a. above.)
6. Conduct risk assessments on a regular basis, i.e., annually,
or more frequently based on the level of risk.
7. Group or categorize related risks together to reduce
management and resource needs for mitigation activities and
controls.
8. Integrate internal controls with the risk assessment, i.e.,
each identified risk should have at least one key control. These
key controls should be reassessed periodically and could fall under
one or more of the following general categories:
a. Preventative Controls
b. Detective Controls
c. Corrective Controls
9. Annually distribute a risk-assessment questionnaire to
managers who have compliance oversight responsibilities and
employees who have direct responsibility for compliance with
Reliability Standards to help evaluate any changes in known risks
and help detect any new risks that might otherwise go unidentified.
Incorporate review of the questionnaire results into the
risk-assessment process.
10. Incorporate the assessment of risk associated with
significant change by anticipating and monitoring change in the
following areas:
a. External Environment (regulatory/compliance, social,
political, technological, etc.)
b. Strategic Planning (business model, regulatory/compliance,
services, neighboring entities, etc.)
c. Succession Planning (executives, key employees, etc.)
Compliance Training
1. Ensure all employees and contractors receive an appropriate
level of training on the ICP and NERC Reliability Standards each year
or at the initiation of the business relationship.
2. Incorporate into the training, or follow up the training with,
a survey or examination to measure understanding of the
training material.
a. Based on the survey or examination results, make changes to
the training program as necessary.
Promoting Compliance through Employee Incentives
1. Non-Monetary Ideas
a. Certificates of exceptional performance
b. Letters acknowledging an employee's activities
c. Recognition at staff meetings
d. Congratulatory communications copied to all employees
e. Reserve a premium parking space for an employee of the
month
f. Adopt an annual compliance and reliability award, and give it
to the individual who has exhibited the strongest commitment to
compliance and reliability
Internal Controls
1. Preventive Control Activities
a. Automated compliance work management system
b. Documented NERC compliance responsibilities
c. Training regarding the policies and procedures used to ensure
compliance with the Reliability Standards
d. Use of colored lanyards or other overt identification methods
to identify escorted visitors in NERC CIP Physical Security
Perimeters
e. Restricting access to assets
f. Documented configuration management program
g. Documented change management program
h. Records management system
2. Detective Control Activities
a. Automated systems that check and identify compliance
discrepancies
b. Periodic review of control center communications, e.g.,
listening to a prescribed number of voice recordings for each
period
c. Quarterly self-assessments used to identify individuals who
gained access to CIP cyber areas without the proper training or
background investigations
d. Review by responsible management of compliance
documentation
e. Reviews of performance against defined criteria
3. Corrective Control Activities
a. Root Cause Analysis Program
b. Event Analysis
c. Business Continuity and Recovery Plans, which return operations
to a normal operating state after a failure or interruption