2017 Internal Compliance Program Assessment – ICPA
February 1, 2017

CONTACT INFORMATION

Entity Name: Click here to enter text.
NERC # Registry ID: Click here to enter text.
Primary Compliance Contact Name: Click here to enter text.
Primary Contact Title: Click here to enter text.
Office Phone: Click here to enter text.
Cell Phone: Click here to enter text.
Email: Click here to enter text.

Alternate Compliance Contact Name: Click here to enter text.
Alternate Compliance Contact Title: Click here to enter text.
Office Phone: Click here to enter text.
Cell Phone: Click here to enter text.
Email: Click here to enter text.

Authorizing Entity Officer Name: Click here to enter text.
Authorizing Entity Officer Title: Click here to enter text.
Mailing address (Not a P.O. Box): Click here to enter text.
Telephone: Click here to enter text.
Email: Click here to enter text.

WESTERN ELECTRICITY COORDINATING COUNCIL

Internal Compliance Program Assessment

TABLE OF CONTENTS

PURPOSE ..... i
INSTRUCTIONS ..... i
SURVEY QUESTIONS ..... 1
1. Established Formal Internal Compliance Program ..... 1
2. Well Documented and Widely Disseminated ..... 2
3. Officers/Personnel ..... 3
4. Independent Access to Executives ..... 4
5. Independently Managed ..... 5
6. Resources ..... 6
7. Leadership Support ..... 7
8. Program Evaluation and Modification ..... 8
9. Compliance Training ..... 9
10. Self-Audit ..... 10
11. Enforcement ..... 11
12. Internal Controls ..... 13
13. Risk Assessment ..... 15
AUTHORIZATION ..... 16
APPENDIX A: Selected Example ICP Practices ..... 17

PURPOSE

The WECC Internal Compliance Program Assessment (ICPA) is a tool to help entities assess their internal compliance programs. The ICPA will assist WECC in its review and understanding of the programs that entities have implemented to ensure compliance with the NERC Reliability Standards. The ICPA is:

Based on relevant FERC orders, FERC direction, and WECC and NERC experience related to robust internal compliance programs.

Composed of questions designed to focus on various aspects of an entity’s program.

Designed to prompt an entity to identify and gather specific, relevant information related to its internal compliance program.

Adaptable to allow for the unique constraints of smaller entities, as well as flexible enough to recognize distinct characteristics across the variety of programs.

INSTRUCTIONS

1. For each question below, choose the statement that best describes the responsible entity’s current status.

2. Please attach supporting documentation or provide associated page numbers and paragraph references within the ICP, and submit this completed package to WECC.

For example, this documentation package may include, but not be limited to:

Organizational charts
Internal plans, policies, processes and/or procedures
Emails
Training manuals
PowerPoint presentations with associated attendance rosters
ICP workshops; and/or
Computer Based Training modules.

Note: For the purposes of this document, “compliance program(s)” refers to programs concerned with compliance with NERC Reliability Standards.

SURVEY QUESTIONS

1. Established Formal Internal Compliance Program

Is the ICP an established, formal program? For example, does the ICP contain fully documented plans, policies, processes and/or procedures, internal controls, and other systematic preventive measures for the governance and management of compliance with NERC Reliability Standards?

Note: See Appendix A for example practices.

Choose the statement that best describes the ICP:

☐ NO: The ICP does not have any documented plans, policies, processes and/or procedures, internal controls, and other systematic preventive measures.

☐ PARTIAL: The ICP has some documented plans, policies, processes and/or procedures, internal controls, and other systematic preventive measures, but does not address all.

☐ YES: The ICP has well documented plans, policies, processes and/or procedures, internal controls, and other systematic preventative measures.

Describe, in narrative form, how the entity documents its ICP: Click here to enter text.

Please provide supporting evidence. Examples of supporting evidence may include one or more of the following or equivalent:

The entity’s ICP document(s)
Plans, policies, processes and/or procedures, internal controls, and other systematic preventive measures associated with the entity’s governance and management of compliance with NERC Reliability Standards
Other documented processes and/or procedures as applicable

Applicable Document(s), Page and Section: Click here to enter text.
Date and/or Version: Click here to enter text.

2. Well Documented and Widely Disseminated

Does the ICP require communication to all employees, including contractors and vendors, etc.? Has the ICP (i.e., all plans, policies, processes and/or procedures) been widely disseminated throughout the entity?

Choose the statement that best describes the ICP:

☐ NO: The ICP has not been distributed.

☐ PARTIAL: The ICP has been distributed only to the employees that are involved in the development and implementation of the ICP.

☐ PARTIAL: The ICP has been distributed only to the employees that have a direct responsibility for compliance with the NERC Reliability Standards.

☐ YES: The ICP has been distributed to all employees, and, if applicable, to contractors and vendors.

Describe, in narrative form, how the entity disseminates the ICP to all appropriate relevant employees, including contractors and vendors:

Click here to enter text.

Please provide supporting evidence. Examples of supporting evidence may include one or more of the following or equivalent:

Compliance Training Program
Compliance Communications Program
Website samples
Sample e-mail memos, newsletters, etc.

Applicable Document(s), Page and Section: Click here to enter text.
Date and/or Version: Click here to enter text.
3. Officers/Personnel

Has the entity named and staffed a Compliance Officer, FERC/NERC Director, or additional FERC/NERC personnel as required to support its ICP?

Smaller Entities: A smaller entity may not have sufficient staff to dedicate one employee as a full-time Compliance Officer or FERC/NERC Director. In such cases, has the entity assigned one person the responsibility to coordinate or monitor the entity’s compliance responsibilities?

Choose the statement that best describes the ICP:

☐ NO: The entity has not identified or assigned compliance responsibility and accountability to a Compliance Officer, FERC/NERC Director/Manager, or other high-ranking official.

☐ PARTIAL: The entity has identified and assigned responsibility for some compliance activities to various employees throughout the organization.

☐ YES: The entity has identified and assigned responsibility and accountability to a Compliance Officer or other high-ranking official, FERC/NERC Director/Manager, and additional personnel as required. For larger organizations, at least one position is fully dedicated to FERC/NERC compliance. For smaller organizations, at least one position is partially dedicated to FERC/NERC compliance. Below, provide the name(s) and title(s) of the employee(s) currently staffing this/these position(s).

Name(s): Click here to enter text.

Describe, in narrative form, how the entity has assigned compliance responsibility in the organization:

Click here to enter text.

Please provide supporting evidence. Examples of supporting evidence may include one or more of the following or equivalent:

Compliance Organizational Chart
Defined Roles and Responsibilities assigned to entity personnel for each NERC Reliability Standard identified in Item 2 above

Applicable Document(s), Page and Section: Click here to enter text.
Date and/or Version: Click here to enter text.
4. Independent Access to Executives

Does the assigned compliance official(s) have independent access to the CEO or equivalent and/or Board of Directors?

Note: If your entity does not currently have an assigned compliance official, please answer “NO” to this question.

Choose the statement that best describes the ICP:

☐ NO: The entity’s assigned compliance official does not have independent access to the CEO or equivalent and/or Board of Directors.

☐ YES: The entity’s assigned compliance official has independent access to the CEO and/or Board of Directors.

Describe, in narrative form, how the entity provides independent access to the CEO or equivalent and/or Board of Directors for its employee(s) responsible for compliance:

Click here to enter text.

Please provide supporting evidence. Examples of supporting evidence may include one or more of the following or equivalent:

Organizational chart or plan showing independent access
Sample meeting minutes, notes, agendas, emails, etc., showing independent access to senior management

Applicable Document(s), Page and Section: Click here to enter text.
Date and/or Version: Click here to enter text.
5. Independently Managed

Is the ICP operated and managed so it is independent of those responsible for compliance with the NERC Reliability Standards?

Smaller Entities: A smaller entity may not have the available personnel to manage its ICP separately from the work groups that are responsible for complying with NERC Reliability Standards. In such cases, those personnel responsible for compliance should at minimum have independent access to the company’s assigned compliance official, the CEO or equivalent, and/or the Board of Directors (see item 5 above).

Choose the statement that best describes the ICP:

☐ NO: The ICP is not managed or operated independently of the work groups that are responsible for complying with NERC Reliability Standards.

☐ PARTIAL: The ICP is managed by the work groups that are responsible for complying with NERC Reliability Standards, but it is managed independently.

☐ YES: The ICP is managed and operated independently of the work groups that are responsible for complying with NERC Reliability Standards.

Describe, in narrative form, how the entity independently manages its ICP:

Click here to enter text.

Please provide supporting evidence. Examples of supporting evidence may include the following document or equivalent:

Organizational chart or plan which shows how the program is independently managed
For smaller entities, please provide applicable documentation

Applicable Document(s), Page and Section: Click here to enter text.
Date and/or Version: Click here to enter text.
6. Resources

Has the entity dedicated resources (staff and budget) to support its ICP?

Choose the statement that best describes the ICP:

☐ NO: The entity’s budget does not provide for any staff resources to work on compliance with NERC Reliability Standards.

☐ PARTIAL: The entity has provided for staff resources within its budget but cannot demonstrate that staff resources were allocated to compliance with NERC Reliability Standards.

☐ YES: The ICP is fully budgeted and fully or partially staffed (relative to the number of full time equivalent staff that implements the Reliability Standards) on a year-round basis.

Describe, in narrative form, the support the entity allocates to its ICP:

Click here to enter text.

Please provide supporting evidence. Examples of supporting evidence may include the following document or equivalent:

Organizational chart or plan which shows compliance roles and responsibilities and how they are staffed

Applicable Document(s), Page and Section: Click here to enter text.
Date and/or Version: Click here to enter text.
7. Leadership Support

Does the ICP have the support and participation of senior management (Officer Level)? This includes reviewing compliance reports, participating in compliance meetings, and communicating the importance of compliance to entity personnel on a regular basis.

Choose the statement that best describes the ICP:

☐ NO: Senior management does not actively support or routinely participate in the ICP.

☐ PARTIAL: Senior management reviews compliance reports, participates in compliance meetings, and communicates to employees their commitment to compliance at least semi-annually.

☐ YES: Senior management is actively involved in compliance efforts, reviews compliance reports, participates in compliance meetings, and communicates to employees its commitment to compliance frequently, both formally and informally. Compliance activities occur at least quarterly.

Describe, in narrative form, the support the ICP receives from the entity’s Officer Level leadership:

Click here to enter text.

Please provide supporting evidence. Examples of supporting evidence may include one or more of the following or equivalent:

Samples of Senior Management Communications for the past 12 months
Samples of Compliance meeting agendas for the past 12 months
Samples of Compliance committee meeting minutes for the past 12 months
Samples of relevant e-mail memos, newsletters, etc. for the past 12 months
Description of management review/approval process and/or procedure

Applicable Document(s), Page and Section: Click here to enter text.
Date and/or Version: Click here to enter text.
8. Program Evaluation and Modification

Does the entity regularly review and modify its ICP? This includes a process and/or procedure to trigger a review of the ICP either following a violation or following changes to NERC Reliability Standards, and modifying the ICP, if necessary. Does the ICP contain a process and/or procedure for identifying and updating its list of NERC Reliability Standards applicable to the entity?

Choose the statement that best describes the ICP:

☐ NO: The ICP does not have an identified review cycle or a process and/or procedure to trigger a review. The ICP does not have a list of NERC Reliability Standards applicable to the entity or a process and/or procedure to identify and update that list.

☐ PARTIAL: The ICP does not specify a review cycle; however, the entity has a process and/or procedure to trigger a review, or has reviewed and modified its ICP since the entity was registered. The ICP has a list of NERC Reliability Standards applicable to the entity but it does not have a process and/or procedure for updating its list.

☐ YES: The ICP is reviewed on at least an annual cycle. In addition, the entity has a process and/or procedure to trigger a review either following a violation or following changes to NERC Reliability Standards. The ICP is modified as necessary. The ICP contains a process and/or procedure for identifying and updating its list of NERC Reliability Standards applicable to the entity.

Describe, in narrative form, how the entity reviews and modifies its ICP:

Click here to enter text.

Please provide supporting evidence. Examples of supporting evidence may include one or more of the following or equivalent:

ICP review and modification process and/or procedure
A sample of recent ICP reviews, including version control records
A plan or other document that lists NERC Reliability Standards that apply to the entity
A description of the process and/or procedure the entity follows to update this list when Standards change, as applicable
Version control records of the entity’s Reliability Standards lists

Applicable Document(s), Page and Section: Click here to enter text.
Date and/or Version: Click here to enter text.
9. Compliance Training

Does the ICP require compliance training for all entity staff, contractors and vendors who have direct responsibility for the implementation of the processes and/or procedures that demonstrate compliance with the NERC Reliability Standards? Relevant personnel may include but are not limited to: Subject Matter Experts (SMEs), Engineers, Technicians, Vegetation Management implementers and System Operators (as applicable). Does this training measure understanding through quizzes, exams, surveys, etc. consistent with a Registered Entity’s collective bargaining agreements?

Note: See Appendix A for example practices.

Choose the statement that best describes the ICP:

☐ NO: The ICP does not require training for relevant personnel.

☐ PARTIAL: The ICP requires training for personnel that have a direct responsibility for compliance with NERC Reliability Standards.

☐ YES: The ICP includes detailed training for personnel, including contractors and vendors that have a direct responsibility for compliance with NERC Reliability Standards, including assisting personnel who must keep professional credentials up-to-date. Training also includes overview compliance awareness training for other employees that do not have a direct responsibility for compliance with NERC Reliability Standards. All training includes processes and/or procedures that measure the degree of understanding and comprehension of such Standards (quizzes, etc.), consistent with a Registered Entity’s collective bargaining agreements.

Describe, in narrative form, how the entity provides compliance training to all personnel, including contractors and vendors (see above):

Click here to enter text.

Please provide supporting evidence. Examples of supporting evidence may include one or more of the following or equivalent:

Compliance Training Program
Compliance Communications Program
Samples of training modules
Attendance records

Applicable Document(s), Page and Section: Click here to enter text.
Date and/or Version: Click here to enter text.

10. Self-Audit

Does the ICP include a formal, internal self-auditing process and/or procedure for compliance with all applicable NERC Reliability Standards on an annual basis? Are results reported internally?

Choose the statement that best describes the ICP:

☐ NO: The ICP does not include an internal self-auditing and reporting process and/or procedure.

☐ PARTIAL: Although the ICP includes a process and/or procedure for internal self-auditing and reporting, the entity does not self-audit and report on at least an annual basis.

☐ YES: The ICP includes internal self-auditing and reporting for compliance on an annual basis for full compliance with all applicable NERC Reliability Standards. Audit results are reported and reviewed internally.

Describe, in narrative form, how the entity self-audits its ICP:

Click here to enter text.

Please provide supporting evidence. Examples of supporting evidence may include one or more of the following or equivalent:

ICP self-audit program
Sample of the audit reports or other results (past 12-24 months) – redacted if necessary

Applicable Document(s), Page and Section: Click here to enter text.
Date and/or Version: Click here to enter text.
11. Enforcement

Does the ICP include processes and/or procedures for disciplinary action for employees involved in violations of the Reliability Standards? Are available Human Resources (HR) disciplinary programs utilized as necessary? Is Senior Leadership or the Board involved as necessary? Conversely, does the entity’s ICP include employee compliance with NERC Reliability Standards as a performance factor on job descriptions and performance evaluations to encourage accountability?

Choose the statement that best describes the ICP:

☐ NO: The entity’s ICP does not include disciplinary action for employees who are responsible for violations of NERC Reliability Standards. The ICP does not include employee compliance with NERC Reliability Standards as a performance factor on job descriptions and performance evaluations.

☐ PARTIAL: The entity takes disciplinary action for employees responsible for violations of NERC Reliability Standards; however, the entity does not have a formal documented disciplinary action process and/or procedure.

☐ YES: The entity’s ICP includes detailed disciplinary action processes and/or procedures for employees involved in NERC Reliability Standard violations, including involving HR, Senior Leadership, and/or the Board as necessary. The entity has administered disciplinary action when appropriate. The ICP includes compliance with NERC Reliability Standards as a performance factor on job descriptions and performance evaluations.

Describe, in narrative form, the entity’s disciplinary action for employees that are responsible for violations of NERC Reliability Standards:

Click here to enter text.

Describe, in narrative form, how the entity uses employee compliance with NERC Reliability Standards as a performance factor on job descriptions and performance evaluations to encourage accountability:

Click here to enter text.
Please provide supporting evidence. Examples of supporting evidence may include:

Company policies relating to disciplinary actions for compliance violations
Samples of any recent disciplinary actions (past 12-24 months) – redacted if necessary
Company programs relating to compensation, awards, employee recognition, or other monetary and/or non-monetary incentives relating to compliance
Samples of non-confidential information related to actual awards or other incentives
Job Descriptions
Other examples of programs or policies the entity uses to promote a culture of compliance

Applicable Document(s), Page and Section: Click here to enter text.
Date and/or Version: Click here to enter text.
12. Internal Controls

Does the ICP include a process and/or procedure to implement internal controls to prevent, detect and/or correct, and report possible violations of NERC Reliability Standards? This includes assessing the effectiveness of internal controls and specific processes and/or procedures to promote prompt detection and self-reporting of possible violations to the Regional Entity (WECC).

See Appendix A for internal controls description and generic examples of internal control activities.

Choose the statement that best describes the ICP:

☐ NO: The ICP does not include a process and/or procedure to put into place and assess the effectiveness of internal controls. The entity has not implemented any internal controls. The ICP does not include processes and/or procedures for self-reporting possible violations of applicable NERC Reliability Standards.

☐ PARTIAL: The ICP does not have a process and/or procedure to implement and assess the effectiveness of internal controls. However, the entity has implemented some internal controls. The ICP does not include processes and/or procedures for self-reporting possible violations of applicable NERC Reliability Standards, but the entity has self-reported violations to WECC since the entity was registered.

☐ YES: The ICP contains a process and/or procedure to implement and assess the effectiveness of internal controls. The entity has also implemented robust internal controls to prevent, detect and/or correct possible violations of NERC Reliability Standards. The ICP also includes processes and/or procedures for self-reporting possible violations of applicable NERC Reliability Standards. In addition, the entity has followed these processes and/or procedures and, if a violation was found, promptly self-reported the violation to WECC.

Describe, in narrative form, how the entity uses internal controls to prevent, detect and/or correct, and report the possible violation of NERC Reliability Standards, and how the entity assesses the effectiveness of those controls:

Click here to enter text.

Please provide supporting evidence. Examples of supporting evidence may include one or more of the following or equivalent:

Process and/or procedure for establishing and assessing internal controls
Examples of internal controls implemented (See Appendix A for generic examples of internal control activities)
Assessments and/or reviews completed by the entity to determine the effectiveness of internal controls (i.e., in terms of high-risk Reliability Standards; in terms of preventative, detective, or corrective; etc.)
Processes and/or procedure for self-reporting
A sample of recent self-reports
A list of the entity’s self-reports for the past 12 months

Applicable Document(s), Page and Section: Click here to enter text.
Date and/or Version: Click here to enter text.
13. Risk Assessment

Does the ICP include processes and/or procedures to assess compliance and reliability risks related to the NERC Reliability Standards on an annual basis? Does the ICP also include processes and/or procedures to assess risk to reliability posed by a particular noncompliance?

Note: See Appendix A for example practices.

Choose the statement that best describes the ICP:

☐ NO: The ICP does not document how compliance and reliability risk is assessed.

☐ PARTIAL: Although the ICP includes processes and/or procedures to assess compliance and reliability risks, the entity does not assess risk on an annual basis or for specific issues of noncompliance.

☐ YES: The entity assesses its compliance and reliability risks, and the ICP includes processes and/or procedures to assess compliance and reliability risks at least annually and for specific issues of noncompliance.

Describe, in narrative form, how the entity assesses compliance and reliability risks:

Click here to enter text.

Please provide supporting evidence. Examples of supporting evidence may include one or more of the following or equivalent:

• The entity’s compliance and reliability risk assessment processes and/or procedures
• Final risk assessment reports

Applicable Document(s), Page and Section: Click here to enter text.
Date and/or Version: Click here to enter text.


AUTHORIZATION

An authorized individual must sign and date this Internal Compliance Program Assessment. By doing so, this individual, on behalf of the entity’s organization, certifies that the information submitted herein is accurate.

1. This certifies that I am (Officer’s Name) of (RE).

2. I am an officer, employee, attorney or other person authorized to sign this Internal Compliance Program Assessment on behalf of (RE).

3. I have read and am familiar with the contents of the Internal Compliance Program Assessment and related documents submitted herein.

4. I understand that based on the answers herein, WECC may request more information specific to (RE)’s ICP.

5. To the best of my knowledge, the information provided in this response is correct.

Authorized Signature: Click here to enter text.

Name (Print): Click here to enter text.

Title: Click here to enter text.

Date: Click here to enter text.


APPENDIX A: Selected Example ICP Practices

Internal Compliance Program

1. Outline and describe the elements of the ICP in an overview document that includes the following sections:
   a. Purpose, Background, and Program Overview
      Senior Management, Compliance Officer and Internal Compliance Program Core Members (including roles and responsibilities)
   b. Risk Assessment
   c. Internal Controls
   d. Measurable Compliance Performance Targets
   e. Compliance Communication and Training
   f. Self-Audit and Self-Certification
   g. Self-Reporting
   h. Documentation and Record Keeping
   i. Version History
   j. Attachments/Links
      i. Applicable Reliability Standards
      ii. Organizational Chart
      iii. Terms and Definitions

2. Outline and describe the elements of the ICP in an overview document that includes the following:
   a. Compliance Culture including organization, senior management commitment, funding, staffing, communication and ICP dissemination.
   b. Control Environment including monitoring, tracking, control, documentation, data retention, reporting, remediation, risk assessment.
   c. Continual Improvement including internal auditing, education and training.

3. Along with the ICP overview document, develop an “ICP Handbook” companion document that includes specific ICP “plans” associated with the ICP. These plans are detailed processes and/or procedures, which also include the purpose, objective, responsibilities, reference documents and revision history for each plan.

Identify and Update Requirements

1. Create a list (in a database, in spreadsheet form, or as a word document) which clearly identifies all applicable NERC and WECC Reliability Standards. The list should:
   a. Be updated on at least an annual basis, but more frequently as appropriate.
   b. Contain information as to where NERC and WECC Reliability Standards may be found.

2. On the list of applicable NERC and WECC Reliability Standards, assign specific Standard Requirements to certain employees, e.g. Subject Matter Experts (SMEs) or Reliability Standard Owners.
   a. The employees would be obligated to continuously monitor and track compliance with assigned NERC Reliability Standards.
      i. List any specific tasks required for compliance


      ii. List any measurable compliance performance targets associated with tasks required for compliance

3. Ensure new or modified Reliability Standards are promptly identified and communicated to those required to comply with the standards.
   a. Conduct regular (e.g. quarterly) reviews of applicable NERC and WECC Reliability Standards to ensure that:
      i. All applicable Standards are being addressed;
      ii. Any changes to Standards are being incorporated into the entity’s ICP; and
      iii. Entity personnel remain aware of any updates, additions, or modifications to the Standards.
   b. Review the ICP following a NERC or WECC information release, e.g., Compliance Application Notices, Updates on Audit Approach (presentations at the CUG meetings), Reliability Standard Interpretations, et cetera.

4. Develop or implement a comprehensive compliance tracking solution, beyond a spreadsheet (e.g. specialized third-party software), which includes all applicable NERC and WECC Reliability Standards and Requirements down to the sub-requirement level.
   a. Document a process for updating all Reliability Standards on a frequent basis while allowing multiple groups to track their compliance activities.
   b. Leverage the compliance tracking solution as a repository for documenting evidence, gap analysis records and other data related to the entity’s compliance with the Reliability Standards.

5. Convert the text of the individual Reliability Standards into hyperlinks which point to the respective standards on the NERC website. Users of the lists can then easily access the details of the Reliability Standards at the source.

Risk Assessment

1. At a high level, adopt a strategic risk management approach, which incorporates the following:
   a. Anticipate the Risk
      i. Assume the worst can happen at any time.
      ii. Anticipate the next happening.
      iii. Play it out. Think it through.
      iv. Figure out what you do not know.
   b. Assess the Risk
      i. What is the likelihood of the event?
      ii. What is the magnitude?
   c. Act Against the Risk
      i. Establish a strategy to mitigate the risk.
      ii. Maintain a holistic view of the risk and solution.
   d. Adopt a Plan
      i. Develop processes and procedures (specific to risk management).
      ii. Identify roles and responsibilities.

2. At a high level, and with a focus on compliance and reliability risk, adopt an Enterprise Risk Management (ERM) approach, which incorporates the following:
   a. Identify Risks


   b. Assess and Evaluate Risks
   c. Integrate Risks
   d. Respond to Risks
   e. Design, Implement and Test Controls
   f. Monitor, Assure and Escalate

3. At a high level, and with a focus on compliance and reliability risk, adopt a strategic risk management approach, which incorporates the following:
   a. Anticipate the Risk
      i. Assume the worst can happen at any time.
      ii. Anticipate the next happening.
      iii. Play it out. Think it through.
      iv. Figure out what you do not know.
   b. Assess the Risk
      i. What is the likelihood of the event?
      ii. What is the magnitude?
   c. Act Against the Risk
      i. Establish a strategy to mitigate the risk.
      ii. Maintain a holistic view of the risk and solution.
   d. Adopt a Plan
      i. Develop processes and procedures (specific to risk management).
      ii. Identify roles and responsibilities.

4. Use a point system to compile a compliance and reliability risk index score for all entity applicable Reliability Standard Requirements and sub-requirements.
   a. The score could incorporate several risk factors, including:
      i. Violation Risk Factor (VRF)
      ii. Actively Monitored List (AML) or equivalent list
      iii. Entity violation history (taking into account Standard Requirements violated, Violation Impact, Violation Severity Level (VSL), and mitigation status)
      iv. WECC/NERC Most Violated Reliability Standards Reports
      v. Requirements that have annual, event driven or periodic activity; likelihood of occurrence
      vi. New versions of Reliability Standards
      vii. Changes in key personnel (e.g. SMEs)
   b. Quantify and score the risk for each applicable Reliability Standard Requirement.
      i. Develop a method to quantify and evaluate the risk for each risk factor and each applicable Reliability Standard Requirement, e.g. create a risk assessment matrix listing each applicable Reliability Standard Requirement and each risk factor.
      ii. Develop a scale, e.g. a numeric scale from 1 to 5, or a scale of High/Medium/Low, and quantify the level of risk for each risk factor for each Reliability Standard Requirement. Include the weighting of risk based on likelihood and magnitude factors.
      iii. Aggregate the risk factor valuations into a risk index score for each Reliability Standard Requirement.


   c. Use the point system above to determine, based on criteria established by the entity, which Standard Requirements pose the greatest compliance and reliability risk.
   d. Based on the risk-assessment results, the entity may choose to focus more attention on the higher-risk Standard Requirements.
   e. Clearly document the risk assessment results by Reliability Standard Requirement:
      i. Create a spreadsheet or word document with a list of applicable Reliability Standard Requirements.
      ii. Flag or otherwise identify higher-risk Requirements.
      iii. List the key control(s) for each identified risk.

5. Use a more basic risk-assessment approach which assesses all entity applicable Reliability Standard Requirements and sub-requirements and simply flags or highlights Requirements based on risk factors. (See risk factors listed under 1.a. above.)

6. Conduct risk assessments on a regular basis, i.e., annually, or more frequently based on the level of risk.

7. Group or categorize related risks together to reduce management and resource needs for mitigation activities and controls.

8. Integrate internal controls with the risk assessment, i.e., each identified risk should have at least one key control. These key controls should be reassessed periodically and could fall under one or more of the following general categories:
   a. Preventative Controls
   b. Detective Controls
   c. Corrective Controls

9. Annually distribute a risk-assessment questionnaire to managers who have compliance oversight responsibilities and employees who have direct responsibility for compliance with Reliability Standards to help evaluate any changes in known risks and help detect any new risks that might otherwise go unidentified. Incorporate review of the questionnaire results into the risk-assessment process.

10. Incorporate the assessment of risk associated with significant change by anticipating and monitoring change in the following areas:
   a. External Environment (regulatory/compliance, social, political, technological, etc.)
   b. Strategic Planning (business model, regulatory/compliance, services, neighboring entities, etc.)
   c. Succession Planning (executives, key employees, etc.)
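As an added worked example (not part of the WECC survey and not any entity's program), the following Python script implements the point-system approach of Risk Assessment item 4 together with the key-control linkage of item 8: a Requirement-by-risk-factor matrix scored on a 1 to 5 scale, weighting of the factors into a likelihood component and a magnitude component, aggregation into one risk index per Requirement, flagging against an entity-defined threshold, and a documented result that lists the key control(s) for each flagged Requirement. The Requirement identifiers, the factor scores, the weights, the assignment of each factor to the likelihood or magnitude side, the threshold of 12.0 and the control names are all constructed assumptions for illustration.

```python
"""Risk index scoring for applicable Reliability Standard Requirements.

Worked example of Appendix A, Risk Assessment item 4 (risk matrix, 1-5
scale, likelihood/magnitude weighting, aggregated risk index, flagging)
and item 8 (at least one key control per identified risk).  All
Requirement IDs, scores, weights, the threshold and the control names are
constructed sample values, not an entity's real assessment data.
"""

# Risk factors from item 4.a.  The page says to weight by likelihood and
# magnitude but does not say which factor belongs to which side, so the
# side and the weight of each factor are assumptions made for this example.
FACTORS = {
    "vrf":              ("magnitude",  2.0),  # Violation Risk Factor
    "aml":              ("magnitude",  1.0),  # Actively Monitored List
    "history":          ("likelihood", 2.0),  # entity violation history
    "most_violated":    ("likelihood", 1.0),  # WECC/NERC most-violated reports
    "activity":         ("likelihood", 1.5),  # annual/event/periodic activity
    "new_version":      ("likelihood", 1.0),  # new version of the Standard
    "personnel_change": ("likelihood", 1.0),  # change in key personnel (SMEs)
}
SCALE = range(1, 6)  # 1 (lowest risk) to 5 (highest), per item 4.b.ii


def validate_scores(requirement, scores):
    """Reject a matrix row that is missing a factor or uses an off-scale value."""
    missing = set(FACTORS) - set(scores)
    if missing:
        raise ValueError(f"{requirement}: missing risk factor(s) {sorted(missing)}")
    for name, value in scores.items():
        if name not in FACTORS:
            raise ValueError(f"{requirement}: unknown risk factor {name!r}")
        if value not in SCALE:
            raise ValueError(f"{requirement}: {name}={value} is outside the 1-5 scale")


def side_score(scores, side):
    """Weighted average (still on the 1-5 scale) of the factors on one side."""
    total_weight = sum(w for s, w in FACTORS.values() if s == side)
    weighted = sum(scores[n] * w for n, (s, w) in FACTORS.items() if s == side)
    return weighted / total_weight


def risk_index(requirement, scores):
    """Aggregate one Requirement's factor scores into a risk index (1 to 25)."""
    validate_scores(requirement, scores)
    likelihood = side_score(scores, "likelihood")
    magnitude = side_score(scores, "magnitude")
    return round(likelihood * magnitude, 1)


def assess(matrix, threshold, key_controls):
    """Score every Requirement, flag those at or above the entity's threshold
    (item 4.c) and attach the key control(s) for each flagged risk; a flagged
    Requirement without a key control is an error, per item 8."""
    rows = []
    for requirement, scores in matrix.items():
        index = risk_index(requirement, scores)
        flagged = index >= threshold
        controls = key_controls.get(requirement, [])
        if flagged and not controls:
            raise ValueError(f"{requirement} is higher-risk but has no key control")
        rows.append({"requirement": requirement, "index": index,
                     "flagged": flagged, "key_controls": controls})
    return sorted(rows, key=lambda r: r["index"], reverse=True)


# Constructed sample matrix (item 4.b.i): Requirement -> factor scores.
SAMPLE_MATRIX = {
    "CIP-007 R2": dict(vrf=4, aml=5, history=4, most_violated=5, activity=5, new_version=2, personnel_change=3),
    "CIP-004 R2": dict(vrf=3, aml=4, history=2, most_violated=4, activity=4, new_version=1, personnel_change=4),
    "CIP-010 R1": dict(vrf=4, aml=5, history=3, most_violated=4, activity=5, new_version=3, personnel_change=2),
    "FAC-008 R2": dict(vrf=2, aml=2, history=1, most_violated=2, activity=1, new_version=1, personnel_change=1),
    "PRC-005 R3": dict(vrf=3, aml=3, history=2, most_violated=3, activity=3, new_version=1, personnel_change=1),
}
# Constructed key controls (item 8) for the Requirements expected to be flagged.
SAMPLE_CONTROLS = {
    "CIP-007 R2": ["automated patch-source tracking", "monthly management review of patch evaluations"],
    "CIP-010 R1": ["documented change management program with baseline comparison"],
}
FLAG_THRESHOLD = 12.0  # assumption: the entity's own criterion (item 4.c)

if __name__ == "__main__":
    for row in assess(SAMPLE_MATRIX, FLAG_THRESHOLD, SAMPLE_CONTROLS):
        mark = "HIGHER-RISK" if row["flagged"] else ""
        print(f"{row['requirement']:<12}{row['index']:>6}  {mark:<12} {'; '.join(row['key_controls'])}")
```

The product of the likelihood and magnitude components mirrors the two questions in item 1.b, so the index stays readable (1 to 25) while a Requirement that is both likely to be missed and severe when missed rises to the top; the script refuses to produce a report in which a flagged Requirement has no key control, which is the check item 8 asks for.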

Compliance Training

1. Ensure all employees and contractors receive an appropriate level of training on the ICP and NERC Reliability Standards each year or at the initiation of the business relationship.

2. Incorporate in the training, and/or follow up the training with, a survey or examination to measure understanding of the training material.
   a. Based on the survey or examination results, make changes to the training program as necessary.

Promoting Compliance through Employee Incentives


1. Non-Monetary Ideas
   a. Certificates of exceptional performance
   b. Letters acknowledging an employee’s activities
   c. Recognition at staff meetings
   d. Congratulatory communications copied to all employees
   e. Reserve a premium parking space for an employee of the month
   f. Adopt an annual compliance and reliability award, and give it to the individual that has exhibited the strongest commitment to compliance and reliability

Internal Controls

1. Preventive Control Activities
   a. Automated compliance work management system
   b. Documented NERC compliance responsibilities
   c. Training regarding the policies and procedures used to ensure compliance with the Reliability Standards
   d. Use of colored lanyards or other overt identification methods to identify escorted visitors in NERC CIP Physical Security Perimeters
   e. Restricting access to assets
   f. Documented configuration management program
   g. Documented change management program
   h. Records management system

2. Detective Control Activities
   a. Automated systems that check and identify compliance discrepancies
   b. Periodic review of control center communications, e.g., listening to a prescribed number of voice recordings for each period
   c. Quarterly self-assessments used to identify individuals who gained access to CIP cyber areas without the proper training or background investigations
   d. Review by responsible management of compliance documentation
   e. Reviews of performance against defined criteria

3. Corrective Control Activities
   a. Root Cause Analysis Program
   b. Event Analysis
   c. Business Continuity and Recovery Plans (return an operation to a normal operating state after a failure or interruption)
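As an added example of the detective control in item 2.c (not the survey's and not any entity's code), the following Python script performs the quarterly self-assessment: it reads a constructed physical-access export, evaluates each entry into a Physical Security Perimeter against constructed training and personnel risk assessment (background investigation) records as of the date of that entry, and reports every entry by a person who had no personnel record, no current training or no current personnel risk assessment. The access log lines, the personnel records, the validity windows (TRAINING_VALID, PRA_VALID) and all function names are assumptions; the real intervals come from the entity's ICP and the applicable CIP-004 requirements.

```python
"""Quarterly detective control for CIP physical access (Appendix A,
Internal Controls item 2.c): reconcile ENTRY events at Physical Security
Perimeters against the training and personnel risk assessment (PRA, the
background investigation) status of the people who entered, and list every
entry made without current training or a current PRA.

All data below is constructed for this example; the validity windows are
placeholder values an entity would replace with what its ICP and the
applicable CIP-004 version require.
"""
from datetime import date, datetime, timedelta

TRAINING_VALID = timedelta(days=457)   # assumption: roughly 15 calendar months
PRA_VALID = timedelta(days=7 * 365)    # assumption: seven years

# Constructed personnel records: most recent training completion and most
# recent PRA completion (None = nothing on record).
PERSONNEL = {
    "jdoe":   {"training": date(2016, 2, 14), "pra": date(2012, 5, 20)},
    "asmith": {"training": date(2015, 6, 1),  "pra": date(2014, 2, 10)},
    "bwong":  {"training": date(2016, 9, 12), "pra": None},
}

# Constructed access-control export, one record per line: timestamp,person,area,event
ACCESS_LOG = """\
2016-10-05T08:02:00,jdoe,Control Center PSP,ENTRY
2016-10-05T08:05:00,asmith,Control Center PSP,ENTRY
2016-11-20T14:30:00,bwong,Backup Control Center PSP,ENTRY
2016-12-02T10:00:00,contractor7,Control Center PSP,ENTRY
2016-12-15T11:00:00,jdoe,Control Center PSP,EXIT
2017-01-03T07:45:00,asmith,Control Center PSP,ENTRY
"""


def parse_access_log(text):
    """Yield (timestamp, person, area) for each ENTRY record; EXIT records are ignored."""
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, person, area, event = line.split(",")
        if event.strip() == "ENTRY":
            yield datetime.fromisoformat(stamp), person.strip(), area.strip()


def check_access(person, when, personnel):
    """Return the problems with one entry as of date `when` (empty list = authorized)."""
    record = personnel.get(person)
    if record is None:
        return ["no personnel record"]
    issues = []
    training = record.get("training")
    if training is None or training > when:
        issues.append("no training completed before access")
    elif when - training > TRAINING_VALID:
        issues.append(f"training expired ({(when - training).days} days since {training})")
    pra = record.get("pra")
    if pra is None or pra > when:
        issues.append("no personnel risk assessment on record")
    elif when - pra > PRA_VALID:
        issues.append(f"personnel risk assessment expired ({(when - pra).days} days since {pra})")
    return issues


def quarterly_review(log_text, personnel, period_start, period_end):
    """Self-assessment for one review period: every ENTRY in the period whose
    person lacked a record, current training or a current PRA at that time."""
    findings = []
    for when, person, area in parse_access_log(log_text):
        day = when.date()
        if not period_start <= day <= period_end:
            continue
        issues = check_access(person, day, personnel)
        if issues:
            findings.append({"when": when, "person": person, "area": area, "issues": issues})
    return findings


if __name__ == "__main__":
    # Review the fourth quarter of 2016 in the constructed export.
    for f in quarterly_review(ACCESS_LOG, PERSONNEL, date(2016, 10, 1), date(2016, 12, 31)):
        print(f"{f['when']:%Y-%m-%d %H:%M}  {f['person']:<12} {f['area']:<26} {'; '.join(f['issues'])}")
```

Status is evaluated as of the date of each entry rather than as of the review date, so a person whose training was renewed after an unauthorized entry still shows up in the quarter in which the entry happened; each finding is the input to the corrective side (root cause analysis and, where the ICP requires it, self-reporting).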