
Compliance and Certification Committee - NERC Highlights and Minutes 20… · Compliance and Certification Committee Agenda | November 29-30, 2016 2 Overview of 2017 Standard Processes


Agenda
Compliance and Certification Committee
November 29, 2016 | 3:00 p.m. - 5:30 p.m. Eastern* Following Closed Session
November 30, 2016 | 8:00 a.m. – 10:30 a.m. Eastern

NRECA Conference Center
4301 Wilson Boulevard
Arlington, VA 22203

Introductions and Chair’s Remarks

NRECA Welcome – Jim Spiers, Vice President, Business and Technology Strategies

NERC Antitrust Compliance Guidelines and Public Announcement

Agenda Items

1. Administrative – Secretary and Patti Metro

a. Compliance and Certification Committee (CCC) Roster

2. Committee Business

a. Consent Agenda – (Review) (Patti Metro)

i. Meeting Agenda - (Approve)

ii. CCC September 2016 Meeting Minutes* – (Approve) (Patti Metro)

iii. CCCPP-010 Approved – (Inform) (Patti Metro)

b. Review of CCC Action Items* – (Review) (Jennifer Flandermeyer)

c. North American Electric Reliability Corporation (NERC) Board Enterprise-wide Risk Committee Report – (Update) (Patti Metro)

d. NERC Board of Trustees and Members Representative Committee (MRC) Update from November 2016 Meetings* - (Inform) (Jennifer Flandermeyer)

e. 2017 Work Plan Review and Discussion * - (Approve) (Jennifer Flandermeyer)

f. Focused Member Feedback Follow Up on Oversight Monitoring Tools* - (Inform) (Ken McIntyre and Patti Metro)

g. Independent Audits*

i. Status Update on Independent Audit for NERC Compliance Monitoring and Enforcement Program (CMEP) and Organization Registration and Certification Program (ORCP) and Overview of 2017 Standard Processes Manual (SPM) Audit* – (Inform) (Mechelle Thomas)

ii. Request for participants on the SPM and Standards Applicable to NERC (SAN) Independent Audit for 2017 – (Inform) (Mechelle Thomas)

h. Compliance Guidance* - (Update) (Marisa Hecht)

3. Reliability Issues Steering Committee (RISC)* - (Update) (Terry Bilke)

4. Subcommittee – (Updates)

a. Nominating Subcommittee – (Helen Nalley)

b. ERO Monitoring Subcommittee (EROMS) – (Ted Hobson)

i. Stakeholder Perception Survey and Next Steps

ii. 2015 Self-certifications of SAN and SPM

c. Compliance Processes and Procedures Subcommittee (CPPS) – (Matt Goldberg)

i. CMEP Program Support - 2017

ii. Regional Entity Run Clearinghouse – Information Review Support

d. Organization Registration and Certification Subcommittee (ORCS) – (Keith Comeaux)

i. NERC Rules of Procedure changes

ii. Functional Model Advisory Group Proposed Revision Review

5. ERO Enterprise Staff Reports Including Status of CCC Work Plan Deliverables- (Updates)

a. Enforcement Update – (Ed Kichline and Teri Stasko)

b. Compliance Monitoring Update* – (Adina Kruppa)

c. Data Retention Action Item Update – (Ken McIntyre)

d. WECC Mapping Project – (Michael Dalebout)

e. Future Outreach events Update – (Marisa Hecht)

6. Member Round Table – (Discussion) (Patti Metro)

7. Review of Action Items – (Review) (Jennifer Flandermeyer)

8. Future Meeting Dates- (Inform)

a. March 15 - 16, 2017: Atlanta, GA

i. Wednesday, 8:00 a.m. – 5:00 p.m. and Thursday, 8:00 a.m. – Noon

b. May 17 – 18, 2017: Salt Lake City, UT (Hosted by WECC)


i. Wednesday, 8:00 a.m. – 5:00 p.m. and Thursday, 8:00 a.m. – Noon

c. September 13 – 14, 2017: Atlanta, GA

i. Wednesday, 8:00 a.m. – 5:00 p.m. and Thursday, 8:00 a.m. – Noon

d. November 29 - 30, 2017: West Palm Beach, FL (Hosted by FPL)

i. Wednesday, 8:00 a.m. – 5:00 p.m. and Thursday, 8:00 a.m. – Noon

9. Adjourn

*Background materials provided


Antitrust Compliance Guidelines

I. General

It is NERC’s policy and practice to obey the antitrust laws and to avoid all conduct that unreasonably restrains competition. This policy requires the avoidance of any conduct that violates, or that might appear to violate, the antitrust laws. Among other things, the antitrust laws forbid any agreement between or among competitors regarding prices, availability of service, product design, terms of sale, division of markets, allocation of customers or any other activity that unreasonably restrains competition.

It is the responsibility of every NERC participant and employee who may in any way affect NERC’s compliance with the antitrust laws to carry out this commitment.

Antitrust laws are complex and subject to court interpretation that can vary over time and from one court to another. The purpose of these guidelines is to alert NERC participants and employees to potential antitrust problems and to set forth policies to be followed with respect to activities that may involve antitrust considerations. In some instances, the NERC policy contained in these guidelines is stricter than the applicable antitrust laws. Any NERC participant or employee who is uncertain about the legal ramifications of a particular course of conduct or who has doubts or concerns about whether NERC’s antitrust compliance policy is implicated in any situation should consult NERC’s General Counsel immediately.

II. Prohibited Activities

Participants in NERC activities (including those of its committees and subgroups) should refrain from the following when acting in their capacity as participants in NERC activities (e.g., at NERC meetings, conference calls and in informal discussions):

• Discussions involving pricing information, especially margin (profit) and internal cost information and participants’ expectations as to their future prices or internal costs.

• Discussions of a participant’s marketing strategies.

• Discussions regarding how customers and geographical areas are to be divided among competitors.

• Discussions concerning the exclusion of competitors from markets.

• Discussions concerning boycotting or group refusals to deal with competitors, vendors or suppliers.


• Any other matters that do not clearly fall within these guidelines should be reviewed with NERC’s General Counsel before being discussed.

III. Activities That Are Permitted

From time to time decisions or actions of NERC (including those of its committees and subgroups) may have a negative impact on particular entities and thus in that sense adversely impact competition. Decisions and actions by NERC (including its committees and subgroups) should only be undertaken for the purpose of promoting and maintaining the reliability and adequacy of the bulk power system. If you do not have a legitimate purpose consistent with this objective for discussing a matter, please refrain from discussing the matter during NERC meetings and in other NERC-related communications.

You should also ensure that NERC procedures, including those set forth in NERC’s Certificate of Incorporation, Bylaws, and Rules of Procedure are followed in conducting NERC business.

In addition, all discussions in NERC meetings and other NERC-related communications should be within the scope of the mandate for or assignment to the particular NERC committee or subgroup, as well as within the scope of the published agenda for the meeting.

No decisions should be made nor any actions taken in NERC activities for the purpose of giving an industry participant or group of participants a competitive advantage over other participants. In particular, decisions with respect to setting, revising, or assessing compliance with NERC reliability standards should not be influenced by anti-competitive motivations.

Subject to the foregoing restrictions, participants in NERC activities may discuss:

• Reliability matters relating to the bulk power system, including operation and planning matters such as establishing or revising reliability standards, special operating procedures, operating transfer capabilities, and plans for new facilities.

• Matters relating to the impact of reliability standards for the bulk power system on electricity markets, and the impact of electricity market operations on the reliability of the bulk power system.

• Proposed filings or other communications with state or federal regulatory authorities or other governmental entities.

• Matters relating to the internal governance, management and operation of NERC, such as nominations for vacant committee positions, budgeting and assessments, and employment matters; and procedural matters such as planning and scheduling meetings.


CCC Action Item List - As of November 2016

Agenda Item 2b
Compliance And Certification Committee Meeting
November 29-30, 2016

1. Date: Sep-14
Data Retention Project:
o CPPS will communicate with the Standards Committee to provide information on the results and recommendations. CPPS will report on the status at the December meeting.
o Adina Mineo will communicate all recommendations to appropriate parties
Responsible Parties: McIntyre
Due Date: Sep-16
Status: Open
Comments and Next Steps: Ken McIntyre will follow up with Brian Murphy to get a formal response from the Standards Committee for the CCC to close this out.

2. Date: Jun-15
Follow up on process with NERC staff on how to file a complaint with the CCC beyond the procedural documents.
Responsible Parties: Metro / Berardesco
Due Date: Mar-17
Status: Open
Comments and Next Steps: Charlie, Teri and Ed are working on this process and will provide a suggested complaint process for the CCC to consider.

3. Date: Dec-15
Review the existing hearing procedures and evaluate if changes are required based on NERC's revised hearing procedures for the ERO.
Responsible Parties: Metro / Flandermeyer / Kichline / Stasko
Due Date: May-17
Status: Open
Comments and Next Steps: Action required: Review CCC procedures to determine if any impacts or required changes.

4. Date: Sep-16
Review of output from focused feedback sessions with NERC management and full CCC on some frequency basis.
Responsible Parties: Metro / Flandermeyer
Due Date: Ongoing
Status: Open


Project Tracking - 2016 as of November, NERC CCC

Columns: Proj # | Project Name | Activities | Owner | Q1 Q2 Q3 Q4 | Status | Trend | Comments
Status key: NS= Not started, IP= In process, C= Complete, X= Cancelled

1. 2016 ERO Effectiveness Survey
Activities:
• Provide input to the development of the 2016 NERC annual ERO effectiveness survey, including development of questions
• Develop recommendations to address the least favorable scores identified by stakeholders
• Analyze 2015 Effectiveness Survey and suggest survey improvement action plans for consideration by the BOT
Owner: CCC, EROMS, TalentQuest, NERC Mgmt
Q1-Q4 marks: X X X
Status: IP
Comments: All EROMS work, including review of 2015 results and inputs to the 2016 survey will be complete by April 1. Survey to be issued on May 10th (Q2). Final analysis and recommendations by EROMS of the CCC section will be completed in Q4.

2. Independent Audit of CMEP and ORCP
Activities:
• Participate and support
• Coordinate with NERC on criteria development, process and assessment of adherence to NERC ROP
Owner: CCC, Mechelle Thomas (NERC), and independent audit form
Q1-Q4 marks: X X
Status: C
Comments: Report was transmitted to EWRC in November 2016.

3. NERC Self-Certifications
Activities:
• Participate and support
• Coordinate with NERC on criteria development, process and assessment of adherence to NERC ROP
Owner: CCC, Mechelle Thomas (NERC)
Q1-Q4 marks: X X
Status: C
Comments: Transmitted to the EWRC in July 2016.

4. Enterprise-wide Risk Committee (EWRC) 2016 Work-Plan
Activities:
• Provide input as requested by the EWRC
• Update CCC procedure(s) to revise criteria as necessary to appropriately reflect expected program improvements from Risk-based CMEP (i.e. CCCPP-010)
Owner: CCC Chair and Vice Chair, Mechelle Thomas (NERC), and EWRC/ CPPS, CCC, NERC and RE Mgmt
Q1-Q4 marks: X X
Status: C
Comments: CCCPP-010 was transmitted to EWRC in November 2016.

5. Regional Consistency Tool (RCT) Monitoring
Activities:
• Receive reports and monitor for issue resolution
Owner: CCC, NERC Mgmt
Q1-Q4 marks: X X
Status: C
Comments: Discussion completed in September 2016. Evaluation of these results may generate action items for the 2017 Work Plan for BOT request.

6. Review and Update of CCC Programs and Procedures
Activities:
• Continuous updates to CCC Procedures as changes occur in the ERO organization - specific items include confidentiality
Owner: CCC, NERC Mgmt
Q1-Q4 marks: X X X X
Status: IP

7. Risk-based Registrations Advisory Group (RBRAG)
Activities:
• Participation and support
Owner: CCC Chair, ORCS Chair and Vice Chair
Q1-Q4 marks: X X X X
Status: C


8. ERO Enterprise's Risk-based Compliance Monitoring and Enforcement Program (CMEP)
Activities:
• Participate in risk-based compliance oversight advisory group
• Support rollout of key activities
• Risk-based CMEP oversight for issue spotting and advice to NERC on possible solutions
Owner: CCC, CPPS, NERC Mgmt
Q1-Q4 marks: X X X X
Status: IP

9. Communication Tools Review
Activities:
• Supports teams as subject matter experts suggested improvement areas
• Participate and support
Owner: CCC, CCC Chair, CPPS, NERC Mgmt
Q1-Q4 marks: X X X X
Status: C
Comments: Completed with focused feedback session in June and items included in 2017 Work Plan.

10. ERO Enterprise Risk Input
Activities:
• Provide stakeholder and subject matter expertise to NERC management in development of risk analysis and elements
• Participate and support
Owner: CCC, CCC Chair, RISC, NERC Mgmt
Q1-Q4 marks: X X X X
Status: C
Comments: RISC activities and ERO Strategic Plan were approved by the BOT in November 2016. This concludes the activity for the calendar year.

11. Risk Metrics Analytics
Activities:
• Provide support for identification and recommendation of analytics tools for continuous improvement opportunities and trend spotting for response efforts to strengthen reliability and security
Owner: Past CCC Chair/ CCC, CPPS, RISC, NERC Mgmt
Q1-Q4 marks: X X X X
Status: C

12. Update 2016 CCC Work Plan
Activities:
• Incorporate ERO 2016-2019 Strategic Goals
• Revise 2016 CCC Work Plan, if applicable
• Evaluate work plan timeline
Owner: CCC Exec Committee, CCC Vice Chair, NERC Mgmt
Q1-Q4 marks: X
Status: C

13. 2017 Work Plan
Activities:
• Create 2017 Work Plan
• Create work plan timeline and project plan
Owner: CCC Exec Committee, CCC Vice Chair, NERC Mgmt
Q1-Q4 marks: X X
Status: IP
Comments: Work Plan will be considered for approval at the November 2016 CCC meeting.

14. Compliance Guidance Policy
Activities:
• Process for qualification of entities
• Guidance listing for endorsement
• Process for NERC Endorsement
Owner: CCC Compliance Policy Task Force
Q1-Q4 marks: X X
Status: C


Agenda Item 2d Compliance and Certification Committee Meeting November 29 - 30, 2016

Report of November 2016

Member Representatives Committee (MRC) and Board of Trustees (Board) Meetings

Action
Information Purposes Only

Background
These notes are provided by Compliance Certification Committee (CCC) attendees at the MRC and Board meetings. The notes are not provided to accurately represent all agenda topics in full. The North American Electric Reliability Corporation (NERC) MRC and Board convened their quarterly meetings on November 1-2, 2016. The following are the most significant highlights from those meetings.

Board of Trustees Compliance Committee (BOTCC)

• Chair’s Opening Remarks

The BOTCC has been discussing notice of penalties with the Regional Entities (REs) as these are approved and conducting executive sessions with Regional Executives. This effort will continue.

February will consist of an annual closed meeting with Regional Consistency as a theme.

• Update on Compliance Monitoring and Enforcement Program (CMEP)

Inherent Risk Assessment (IRA) Process Update – See materials in BOTCC agenda package.

NERC conducted reviews of compliance exceptions for analysis. Four major themes were identified:

o Minor mistakes when implementing programs rather than widespread failures;

o Discovered through internal review processes;

o Repeat noncompliance did not result from failures in prior mitigation; and

o Training and procedures were largely adequate.

• The industry is showing continued increasing maturity in self-identifying and reporting infractions, the vast majority of which end up as compliance exceptions after a year of processing and reviews by the regions and NERC. Should be able to process minor infractions in a month or less.

• Should be close to completing IRAs on Balancing Authorities, Reliability Coordinators, and Transmission Operators in 2016.


• NERC is looking to come up with a set of common risk factors to be used Electric Reliability Organization (ERO)-wide. The ERO Enterprise Compliance Monitoring Guide (previously IRA Guide) will be used for all IRAs in 2017.

• There will be a review or high level consideration of internal controls when developing the oversight plan for all registered entities.

• NERC hopes to post an Internal Controls Evaluation (ICE) guide this year.

• About three percent of registered entities have undergone an ICE, which is an indication of lack of agreement on what should be reviewed and that the control reviews are too complex.

• Serious risk violations markedly down over time.

• Regional consistency tool isn’t being used.

• Compliance Guidance

Update was provided on the processes that have been put in place to collect, review, and approve guidance.

23 cases of guidance have been submitted, 14 have been approved, 5 rejected, 4 still pending.

There is a website to support the process and to post the approved guidance.

There was a great deal of variability in the quality and structure of the guidance submitted. NERC is looking to create a template.

Member Representatives Committee Meetings: Responses to the Board’s Request for Policy Input

• ERO Reliability Risk Priorities Report

There was a little confusion in the report on what was meant by “low risk”.

These are risks of some consequences, but need some attention to keep them low.

Future work should look at a single communication provider failure.

• ERO Enterprise Strategic Plan and Metrics

Identification and prioritization of these recommendations and integration into the ERO Plan was very successful. There were requests of NERC, with RISC’s assistance, to consider how to effectively execute on the recommendations.

Discussion of validity of the metrics and data.

Ensure performance metrics are focused on and measuring risk versus simple data comparisons to drive reliability improvement.

• Other Items

NERC is looking at an alternative application to Cybersecurity Risk Information Sharing Program that would be adaptable to smaller entities (and at a lower cost).

Fairly long discussion on the role of the Technical Basis included in a standard. It is intended to be the record of what the drafting team was thinking when developing a standard; not guidance on how to meet the requirement.


Board Meetings:

• President’s Report

The ERO continues working on the transition to Risk-Based Compliance and Enforcement. While there is substantial learning occurring, there is still a lot of work to do.

IT infrastructure is a key requirement for the Risk-Based Compliance maturation across the ERO to better manage consistent processes.

Mr. Cauley was supportive and pleased with the proposed set of metrics that assure reliability improvement if the goals are met.

NERC’s engagement with Canada and Mexico is more important than ever.

Related to reliability improvements, the key focus areas are as follows: distributed energy resources, resilience, dependence on natural gas, and resource adequacy.

Technology interfacing with the grid is expanding at an exponential pace. This could present security risk to reliability, so we will need to stay ahead of this.

Mr. Lanford took time to discuss the Regions’ work with NERC on several of the elements of the Risk-Based CMEP. He discussed the revised IRA Guide that has been renamed to the ERO Enterprise Guide for Compliance Monitoring. He discussed the use of a base case to determine how REs handle things differently and for analysis to determine what additional changes or actions may need to occur within the ERO.

• Standards

All items proposed for approval, endorsement, adoption, retirement or acceptance were successfully acted upon by the Board.

o 2017-2019 Reliability Standards Development Plan – (there have been additions related to directives since the public posting).

o Florida Reliability Coordinating Council Regional Reliability Standards Development Process Manual Revisions

o Compliance Filing in Response to the Federal Energy Regulatory Commission directive to change the violation risk factors of IRO-018-1 and TOP-010-1 to High

o Interpretation of CIP-002-5.1 - “shared Bulk Electric System cyber systems”

o Western Electricity Coordinating Council Interpretation BAL-002-WECC-2a

o BAL-004-2 – Time Error Correction

o 2016 ERO Reliability Risk Priorities: RISC Recommendations

• Mr. Gorbet expressed his appreciation for the Policy input and comments on the report stating there was very good input received.

• Mr. Cauley noted some additional clarification needed in the future on prioritization (high, medium, low).

• Mr. Barber noted the next report should have some focus on bringing the next generation into the industry.

• Mr. Thilly noted that the report is important in focusing NERC’s strategic plan efforts.


2017-2020 ERO Enterprise Strategic Plan and Metrics

NERC Rules of Procedure Amendment – Consolidated Hearing Process

• Update on Mexico

Inclusion of Mexico in the ERO model is triggered when Mexico recognizes NERC as the international ERO.

Memorandum of Understanding (MOU) would be similar to what is done with the Provinces.

Primary question is compliance oversight.

Final approval of standards and enforcement is implemented by the country.

MOU might be signed by the end of the year, with ramp up through the year.

Board Committee Reports

• Corporate Governance and Human Resources

Presently at 14 percent attrition, which demonstrates improvement.

• Finance and Audit

The Third Quarter 2016 Unaudited Statement of Activities was accepted by the Board.


NERC Compliance and Certification Committee 2017 Work Plan NERC Board Approved: [Insert Date]


NERC | Compliance and Certification Committee 2017 Work Plan | [Date Board Approved] ii

Table of Contents

Preface

Executive Summary

Introduction
  Revision History

2017 Work Plan Deliverables

Key Strategic Activities
  Project 1 – Assist with Review of Information
  Project 2 – Feedback on CMEP Programs
  Project 3 – ERO Enterprise Risk Input
  Project 4 – Stakeholder Collaboration
  Project 5 – Program Support Efforts for CMEP and ORCP

Ongoing Responsibilities
  ERO Enterprise Effectiveness Stakeholder Survey
  Independent Audit of Standard Processes Manual and Standards Applicable to NERC
  NERC Self-Certifications
  Enterprise-wide Risk Committee Work Plan
  Review and Update of CCC Programs and Procedures

Logistics and NERC Budget Requirements for CCC Activities
  CCC Quarterly Meetings (Cost to be determined by NERC)
  Hearings and Appeals (Cost to be determined by NERC)
  Mediation (Cost to be determined by NERC)
  CCC Program Audits/Review
  WebEx/Conference Calls (Cost to be determined by NERC)
  Stakeholder Perception Survey (Cost to be determined by NERC)
  Training (Cost to be determined by NERC)


Preface

The North American Electric Reliability Corporation (NERC) is a not-for-profit international regulatory authority whose mission is to assure the reliability of the bulk power system (BPS) in North America. NERC develops and enforces Reliability Standards; annually assesses seasonal and long-term reliability; monitors the BPS through system awareness; and educates, trains, and certifies industry personnel. NERC’s area of responsibility spans the continental United States, Canada, and the northern portion of Baja California, Mexico. NERC is the electric reliability organization (ERO) for North America, subject to oversight by the Federal Energy Regulatory Commission (FERC) and governmental authorities in Canada. NERC’s jurisdiction includes users, owners, and operators of the BPS, which serves more than 334 million people.

The North American BPS is divided into eight Regional Entity (RE) boundaries as shown in the map and corresponding table below.

The North American BPS is divided into eight Regional Entity (RE) boundaries. The highlighted areas denote overlap as some load-serving entities participate in one Region while associated transmission owners/operators participate in another.

FRCC: Florida Reliability Coordinating Council
MRO: Midwest Reliability Organization
NPCC: Northeast Power Coordinating Council
RF: ReliabilityFirst
SERC: SERC Reliability Corporation
SPP RE: Southwest Power Pool Regional Entity
Texas RE: Texas Reliability Entity
WECC: Western Electricity Coordinating Council


Executive Summary

The purpose of this work plan is to identify the anticipated activities and deliverables of the NERC Compliance and Certification Committee (CCC) for the year 2017. The plan is based on the responsibilities assigned to the CCC by the NERC Board of Trustees (Board) through programs across the ERO Enterprise and tasks identified by the CCC that are required to fulfill these responsibilities. Additionally, the CCC identified projects and deliverables that will further support the goals of the ERO Enterprise Strategic Plan 2017-2020. There are several main project areas on which CCC activities will focus:

1. Objective and Risk-informed Compliance Monitoring, Enforcement, and Organization Registration and Certification: As a committee providing support and advice but otherwise independent of the execution of NERC’s Compliance Monitoring and Enforcement Program (CMEP) and Organization Registration and Certification Program (ORCP), the CCC will develop criteria to assess NERC’s adherence to the Rules of Procedure (ROP) for these programs on an ongoing basis. In a similar manner, as a committee independent of the NERC Reliability Standards development process, the CCC will develop criteria to assess NERC’s adherence to the ROP regarding the NERC Reliability Standards development process until such time as proposed changes to procedural rules are approved. In 2017, the CCC will continue to work with NERC staff and stakeholders to refine the role for the CCC with respect to the ERO Enterprise’s adherence to its processes, procedures, and statutory obligations in light of the maturation of the ERO Enterprise and its processes as well as NERC’s internal audit functions.

2. Effective and Efficient ERO Enterprise Operations: Provide continued and ongoing input and support into the design of ERO Enterprise program development and revision efforts. The CCC will assist in identifying modifications for improvements and associated changes to the NERC ROP and associated documents or processes.

3. Identification and Mitigation of Significant Risks to Reliability: In 2017, the CCC will begin working with NERC staff and stakeholders to identify areas where collaboration with stakeholder committees will assist with the further development and maturation of successful risk mitigation and program administration to support the success of the ERO Enterprise.

4. Identification of Emerging Risks to Reliability: The CCC will participate in discussions on the continued development of risk metrics to further evaluate potential emerging issues or threats and trends to facilitate reliability of the Bulk Electric System (BES). The CCC will also identify necessary actions as inputs to NERC management.

The CCC has subcommittees performing certain assigned tasks on behalf of and under the supervision of the CCC. The CCC will use these subcommittees, along with NERC and RE staff, as the primary resource for projects and activities. The subcommittees include:

• Organization Registration and Certification Subcommittee (ORCS)

• Compliance Processes and Procedures Subcommittee (CPPS)

• ERO Monitoring Subcommittee (EROMS)

• CCC Nominating Subcommittee

The following pages represent an outline of the deliverables of the work plan and detailed project information.


Introduction

The CCC is a Board-appointed stakeholder committee serving and reporting directly to the Board. In that capacity under a NERC Board-approved charter,¹ and as approved by FERC² and set forth in NERC’s ROP, the CCC will engage with, support, and advise the Board, NERC Board of Trustees Compliance Committee (BOTCC), and the NERC Board of Trustees Enterprise-wide Risk Committee (EWRC) regarding all facets of the NERC CMEP, ORCP, and Reliability Standards Development Process. The CCC will continue to partner with NERC leadership on key NERC initiatives and criteria for evaluation and assessment of the effectiveness of NERC programs. In order to support this endeavor, the CCC has developed this annual work plan to identify the activities that the CCC intends to perform in 2017 to fulfill the responsibilities the Board has established for the CCC.

The CCC provides for balanced discussion, commentary, and recommendations on compliance issues by bringing together a diversity of opinions and perspectives from NERC member sectors. Members are appointed to the CCC by the Board and serve on the committee at the pleasure of the Board. Individuals deemed qualified to serve on the committee will generally include senior-level industry experts who have particular familiarity, knowledge, and experience in the areas of compliance, compliance enforcement, compliance administration and management, organization responsibilities and registration, organization certification, and NERC and Regional standards. These individuals are normally involved with internal compliance programs within their respective organizations. Committee members are expected to represent the interests of the sector they represent, to the best of their ability and judgment.

Revision History

Date | Version Number | Comments
10/21/2016 | 1.0 | Initial Draft - CCC Executive Committee and NERC review
11/29/2016 | 1.1 | Version for CCC Approval

CCC Approved

1 http://www.nerc.com/comm/CCC/Documents/CCC%20Charter%20Approved%20RR15-11-000.pdf

2 http://www.nerc.com/files/Order_on_Comp_Filing_06.07.2007_CCC_VSL_Order.pdf


2017 Work Plan Deliverables

The tables below summarize the list of CCC work plan deliverables for projects in 2017. Further details on the deliverables and projects are discussed in the next section by the project number identified below.

Project Area: Support ERO Enterprise Program Effectiveness and Efficiencies in CCC focus areas

Applicable ERO Enterprise 2017-2020 Strategic Goal No. 5: The ERO Enterprise supports and encourages transparency, consistency, quality, efficiency and timeliness of results, and operates as a collaborative enterprise. This supports various Contributing Activities as defined in the 2017-2020 ERO Enterprise Strategic Plan.

Project # | Project Name | Activities | Schedule | Resource(s)
1 | Assistance with Review of Information Production, Capture and Response | • Review information production for efficiency and effectiveness opportunities • Assist with evaluation of oversight and monitoring tools for issue resolution | Ongoing | CCC Chair, ORCS Chair and Vice Chair
2 | Feedback on CMEP Programs | • Define problem set and categorize if possible • Identify solutions where necessary • Identify training if necessary | Q1-Q4 2017 | CCC, NERC Management

Project Area: Participation in Risk Identification and Mitigation Strategy

Applicable ERO Enterprise 2017-2020 Strategic Goal No. 4: Risks to Reliability – The ERO Enterprise identifies, evaluates, studies, and independently assesses emerging risks to reliability. This supports various Contributing Activities as defined in the 2017-2020 ERO Enterprise Strategic Plan.

Project # | Project Name | Activities | Schedule | Resource(s)
3 | ERO Enterprise Risk Input | • Provide stakeholder and subject matter expertise to NERC management in development of risk analysis and priorities • Participate in and support Reliability Issues Steering Committee (RISC), Leadership Summit, and development of Risk Priorities | Ongoing | Past CCC Chair, CCC, RISC, NERC Management


4 | Stakeholder Collaboration | • Identify industry stakeholder groups where CCC collaboration will strengthen ERO Enterprise processes and approach | Ongoing | CCC, Stakeholder Committees

Project Area: Continuous Improvement

Applicable ERO Enterprise 2017-2020 Strategic Goal No. 2: The ERO Enterprise is a strong enforcement authority that is objective, fair, and promotes a culture of reliability excellence through risk-informed compliance monitoring, enforcement, certification and registration. ERO Enterprise compliance activities are risk-informed, efficient and effective. This supports various Contributing Activities as defined in the 2017-2020 ERO Enterprise Strategic Plan.

5 | Program Support Efforts (CMEP, ORCP, Standards Development) | • Participate in risk-based compliance assurance outreach and feedback discussions • Support rollout of key activities or program revisions as requested • Partnership with ERO Enterprise related to Reliability Standard Audit Worksheets • Reviews and associated actions with the Compliance Guidance Policy • Evaluate programs and associated ROP sections for necessary efforts as program development occurs | Ongoing | CCC, CPPS, and NERC Management


Ongoing Responsibilities³

Applicable ERO Enterprise 2017-2020 Strategic Goal No. 2: The ERO Enterprise is a strong enforcement authority that is objective, fair, and promotes a culture of reliability excellence through risk-informed compliance monitoring, enforcement, certification and registration. ERO Enterprise compliance activities are risk-informed, efficient, and effective. This supports various Contributing Activities as defined in the 2017-2020 ERO Enterprise Strategic Plan.

Applicable ERO Enterprise 2017-2020 Strategic Goal No. 5: The ERO Enterprise supports and encourages transparency, consistency, quality, efficiency and timeliness of results, and operates as a collaborative enterprise. This supports various Contributing Activities as defined in the 2017-2020 ERO Enterprise Strategic Plan.

Responsibility # | Project Name | Activities | Schedule | Resource(s)
1 | ERO Enterprise Effectiveness Stakeholder Survey | • Participate on the ERO Enterprise Effectiveness Stakeholder Survey Advisory Group • Support development of future surveys | Quarters 1 and 2 of 2017 | CCC, EROMS, TalentQuest, NERC Management
2 | Independent Audit of Standard Processes Manual (SPM) and Standards Applicable to NERC (SAN) | • Participate and support • Coordinate with NERC on criteria development, process, and assessment of adherence to SPM and SAN | Quarters 1 and 2 of 2017 | CCC, Internal Audit (NERC), and independent audit firm
3 | NERC Self-Certifications | • Participate and support • Coordinate with NERC on criteria development, process, and assessment of adherence to NERC ROP | Quarters 2 and 3 of 2017 | CCC, Internal Audit (NERC), EROMS
4 | EWRC Work Plan | • Provide input as requested by the EWRC • Fulfill advisory role as requested | Quarters 1 and 4 of 2017/ As requested | CCC Leadership, Internal Audit (NERC), EWRC, and ERO Enterprise Management
5 | Review and Update of CCC Programs and Procedures | • Continuous updates to CCC procedures as changes occur in the ERO Enterprise | Ongoing | CCC, NERC Management

3 http://www.nerc.com/comm/CCC/Documents/CCC%20Charter%20Approved%20RR15-11-000.pdf


Key Strategic Activities

Project 1 – Assist with Review of Information

• Receive reports for awareness on consistency and actions taken for issue resolution
• Participate in evaluation of oversight monitoring tools or real-time reporting capability versus historical look provided by ERO Enterprise Effectiveness Stakeholder Survey
• Participate in review and evaluation of CMEP information for industry created by NERC

Project 2 – Feedback on CMEP Programs

• Define specifics around registered entities’ inconsistency feedback to identify options for productive conversation and identify solutions
  ◦ Opportunities for consistency
  ◦ Processes or outcomes

Project 3 – ERO Enterprise Risk Input

• Perform outreach efforts with stakeholders to gather input for emerging risks
• Participate and support Reliability Leadership Summit as opportunity occurs
• Participate in RISC
• Participate in creation or evaluation of ERO Enterprise risk priorities

Project 4 – Stakeholder Collaboration

• Identify opportunities where the CCC can provide compliance expertise in collaboration with other industry stakeholder committees
• Strengthen standing committee collaboration and create joint work products, as necessary

Project 5 – Program Support Efforts for CMEP and ORCP

• Participate in continued outreach efforts to drive clarity in expectations and processes related to risk, controls and compliance within the risk-based CMEP
  ◦ IRA / ICE case studies – benefits and lessons learned
  ◦ Survey inputs / case studies / recommendations
  ◦ Outreach events – panel discussions or support
  ◦ Industry implementation updates – risk-based CMEP experiences
• Hold periodic discussions to identify opportunities for improvement on specific issues and serve as a focus group working with ERO Enterprise staff to drive specific improvements and information sharing


Ongoing Responsibilities

ERO Enterprise Effectiveness Stakeholder Survey

• Participate on the ERO Enterprise Effectiveness Stakeholder Survey Advisory Group
• Support development efforts of the ERO Enterprise Effectiveness Stakeholder Survey by contributing input on survey objectives, content, and delivery in preparation for future surveys

Independent Audit of Standard Processes Manual and Standards Applicable to NERC

• Work with NERC management (Internal Audit) to develop criteria for the 2017 audits of the SPM and SAN
• Provide subject matter expertise as observers for the audit
• Review audit report based on audit criteria as completed by the independent audit firm
• Monitor mitigation of any non-conformance audit findings

NERC Self-Certifications

• Develop self-certification forms and request NERC self-certify adherence to the ROP on a rotational basis dependent on cycle for independent audits for the following items:
  ◦ CMEP
  ◦ ORCP
  ◦ SAN
  ◦ SPM
• Coordinate with NERC to prepare a summary report of the results of NERC’s assessment for the Board through the EWRC

Enterprise-wide Risk Committee Work Plan

• Work with NERC to provide input for the annual EWRC work plan
• Participate in advisory capacity as requested in planning for EWRC-identified RE Audits
• Review the criteria for annual RE Evaluations as required. Suggest modifications per procedure to this program and criteria as appropriate. Items to consider here may include the following:
  ◦ Update criteria for assessing effectiveness of RE CMEP activities
  ◦ Continue to assess how CMEP practices change after risk-based CMEP implementation in regards to (a) monitoring practices (as embodied in CCCPP-010 and also including assisting CPPS in the annual RE evaluation criteria work); (b) enforcement; and (c) Reliability Standards development
  ◦ Update effectiveness criteria, based on input from NERC on progress, for program evaluation and identification of opportunities for improvement
  ◦ Update CCCPP-010 to incorporate any revised criteria to appropriately reflect expected program improvements, results, and evaluation
  ◦ Assist NERC with annual evaluation of goals, tools, and procedures of each RE CMEP to determine effectiveness of each RE CMEP, using criteria developed by the NERC CCC


  ◦ Work with NERC to address any concerns or input received from the REs
• Coordinate with the EWRC to determine the use of spot checks of NERC processes annually for those areas for which the CCC is responsible for monitoring in coordination with the EWRC
• Support EWRC to determine the use of third parties to conduct required audits per the NERC ROP

Review and Update of CCC Programs and Procedures

• Review CCC programs and procedures in consultation with NERC management to identify necessary changes and procedural review or approval requirements
  ◦ Monitor ERO Enterprise adherence to the NERC ROP and make recommendations for updates to the ROP as deemed necessary
  ◦ Update procedures related to confidentiality for CCC members


Logistics and NERC Budget Requirements for CCC Activities

CCC Quarterly Meetings (Cost to be determined by NERC)

Assumptions: Four CCC meetings per year

• NERC staff attendance
• NERC travel expenses
• Hotel (Conference rooms if applicable – normally hosted at stakeholder locations or NERC offices)
• Food

Hearings and Appeals (Cost to be determined by NERC)

Assumptions: No hearings expected, but noted here as a placeholder

• Administrative Law Judge’s fee
• Hearing refresher training (if applicable, administered by NERC Legal Staff in 2016)
• Transcription costs
• Travel expenses

Note: The CCC conducted hearing training in 2016. The need to conduct the training again is dependent on CCC membership turnover or those CCC members that have not received training. CCC will notify NERC and the Board if additional hearings are expected that would require an increase to the budget.

Mediation (Cost to be determined by NERC)

Assumptions: No mediations expected, but noted here as a placeholder

• Mediator fee and travel expenses

CCC Program Audits/Review

Assumptions: Audit/Review using an Independent Contractor

• Audit frequency changes dependent on NERC internal monitoring capability as it continues to mature, based upon recommendations of independent reviewer
• There are scheduled audits in 2017 with planning beginning in Q4 of 2016

WebEx/Conference Calls (Cost to be determined by NERC)

Assumptions: Three CCC/Subcommittees NERC WebEx or conference calls quarterly

Stakeholder Perception Survey (Cost to be determined by NERC)

Assumptions: At the request of the NERC Board, the CCC previously engaged a professional survey firm to conduct stakeholder perception surveys. The stakeholder perception survey has now been combined with the ERO Enterprise Effectiveness Stakeholder Survey.

Training (Cost to be determined by NERC)

Assumptions: Half day of hearing training appended to regular CCC meeting every even year. Five to 10 CCC members should be trained with capability to assist with observation and audit criteria for audits of NERC. This training will be conducted annually or as needed.


Agenda Item 2f Compliance and Certification Committee Meeting November 29-30, 2016

Compliance and Certification Committee (CCC) Feedback on Consistency

September 2016 CCC Meeting Discussion Summary

During the September 2016 Compliance Certification Committee (CCC) meeting at Southwest Power Pool, RE in Little Rock, AR, the CCC held a focused roundtable discussion on handling consistency issues. To facilitate the roundtable discussion, the CCC executive team developed a background document (refer to agenda item 5) and included it in the meeting agenda package. The CCC members discussed whether consistency issues need to be presented to the Electric Reliability Organization (ERO) Enterprise in a broader context than those contemplated in the Regional Consistency Reporting Tool (RCRT). Based on the ERO Operating Model White Paper, consistency means “that the approach, methods, and practices are the same across the ERO Enterprise and that the outcomes…are fair, reasonable, and without bias.”¹ However, consistency does not mean “that each Regional Entity (RE) produce identical outcomes given a particular set of circumstances.”² The following document summarizes some of the key takeaways from the discussion.

Key Takeaways

North American Electric Reliability Corporation (NERC) and the CCC will consider the following key takeaways to determine next steps:

• Overall, the CCC members noted that there is a need to understand the specific details of any reported inconsistencies.

• CCC can provide assistance in reviewing and screening possible inconsistency issues through the following actions:
  ◦ Gather additional information on issues;
  ◦ Coordinate issues with appropriate standing committees;
  ◦ Assist NERC in tracking issues; and
  ◦ Provide industry input on issues.

• CCC noted that NERC should manage a tool to help collect information.
  ◦ Recommended converting the existing RCRT.
  ◦ Recommended incorporating more than just consistency issues, such as interpretations.

1 ERO Operating Model White Paper, available at http://www.nerc.com/AboutNERC/Documents/ERO_Enterprise_Operating_Model_February_2014.pdf, at page 13.

2 Id.


• NERC may provide more information on differences among Regions to educate stakeholders on where they may expect non-uniformity.
  ◦ CCC will help develop scope of information that may be helpful to stakeholders.
  ◦ NERC can work with Regions to gather data needed to educate stakeholders.


Agenda Item 2gi

Status of the CCC CMEP/ORCP Audits and Overview of 2017 Standard Processes Manual Audit

Compliance and Certification Committee Meeting

November 29-30, 2016


RELIABILITY | ACCOUNTABILITY

NERC CMEP and ORCP Audit

Audit Objective:
• Ensure North American Electric Reliability Corporation’s (NERC) compliance with the Compliance Monitoring and Enforcement Program (CMEP) and Organization Registration and Certification Program (ORCP)

Audit Scope:
• CMEP and ORCP activities for the time period of 2013-2015

Audit Team:
• Independent Auditor (serves as audit team lead)
• Compliance Certification Committee (CCC) Observers
• NERC Internal Audit


NERC CMEP and ORCP Audit

Completed Activities Since June CCC Meeting:
• NERC responses to Audit Observations
• Completion of Audit Report including NERC responses
• Presentation of Audit Report to the Enterprise-wide Risk Committee (EWRC) at the November meeting

Summary of Observations:
• 11 observations
• Two observations of Non-Compliance with the NERC Rules of Procedure; one is Mitigated and the other is being addressed
• Other nine observations are improvements to NERC CMEP/ORCP processes


NERC CMEP and ORCP Audit

Next Steps:
• Mitigation of Audit Report Observations by NERC Management
• Verification of Mitigation by NERC Internal Audit
• Post Audit Report on NERC website


SPM Audit

Audit Objective:
• Ensure NERC’s compliance with Standard Processes Manual (SPM)

Audit Scope:
• SPM activities for the time period of 2014-2016

Audit Team:
• Independent Auditor (serves as audit team lead)
• CCC Observers
• NERC Internal Audit


NERC SPM Audit

Roles and Responsibilities:

CCC
• Steering Committee
• Observer
• Tester of selected areas

Independent Auditor
• Finalize scope
• Conduct audit
• Report on findings
• Status and budget reporting

NERC Internal Audit
• Coordination
• Communication
• Collaboration

NERC Staff
• Provide requested information
• Remediate audit findings


NERC SPM Audit

Timeline:
• December, 2016-February, 2016 – Assemble and Prepare Audit Team
  ◦ Seek Volunteers and Selection of CCC Observers
  ◦ Provide Auditor Training for CCC Observers
  ◦ CCC Observers sign Confidentiality and Conflict of Interest Agreements
  ◦ CCC Observers, Independent Auditor, and NERC Internal Audit Scope and Plan Audit
• March, 2017-April, 2017 – Conduct Audit Fieldwork
  ◦ Interview NERC staff
  ◦ Audit Testing
  ◦ Develop initial observations
• Draft and Deliver Audit Report – Third Quarter 2017


Agenda Item 2h

Compliance Guidance Update

Marisa Hecht, Senior Advisor, NERC Compliance Assurance

Compliance and Certification Committee Meeting

November 29-30, 2016


Compliance Guidance

• Implementation Guidance Update
  ◦ 23 submitted
  ◦ 10 received endorsement in May 2016
  ◦ 2 received endorsement in October 2016
  ◦ 2 received endorsement for Inactive Reliability Standards in October 2016
  ◦ 5 were declined endorsement
  ◦ 4 pending endorsement


Website

• ‘Inactive Reliability Standards’ added to website
• Added headers to endorsed documents


Next Steps

• Continue Electric Reliability Organization (ERO) Enterprise review of submittals
• Develop guidelines for drafting future Implementation Guidance
• Outreach on how to develop and submit Implementation Guidance


Agenda Item 3 Compliance and Certification Committee Meeting November 29-30, 2016

November 2016 NERC RISC Update

The North American Electric Reliability Corporation (NERC) Reliability Issues Steering Committee (RISC) had meetings and conference calls through the summer with a goal of finalizing its 2016 report. Recent highlights include:

• Committee members updated, consolidated, and refined the current Risk Profiles that form the structure for the 2016 RISC recommendations (These recommendations serve as input into NERC’s strategic plan as well as standing committee work plans).

• The NERC Board of Trustees (Board) accepted the RISC’s 2016 report.

Upcoming RISC activity includes:

• November 16 - December 20, nominations sought for two Member Representatives Committee representatives and two at-large members for the RISC

• End of November/Early December: Face-to-face year end debrief

• March 21, 2017: NERC Reliability Conference (Mayflower Hotel, Washington, DC)

• March 22, 2017: RISC debrief of the Reliability Conference

A mapping of this year’s identified risks is below. Additional information can be found on the RISC website. Compliance Certification Committee members should provide any input on other risks that should be addressed in 2017 or ways to use compliance information or processes to reduce reliability risk to Terry Bilke.

Risk Heat Map


Agenda Item 5b

Risk-based Compliance Monitoring Update

Adina Kruppa, Compliance Assurance Manager

Compliance and Certification Committee Meeting

November 29-30, 2016


Agenda

• Project background
• Inherent Risk Assessment (IRA) Refinements
• IRA Guide Revisions
• Internal controls and Compliance Monitoring Enforcement Program (CMEP)
• Next Steps


Project Background

• Objective
  ◦ Enhance IRA processes for Electric Reliability Organization (ERO) Enterprise based on lessons learned from first year of implementation
• Project
  ◦ Reviewed regional IRA processes for consistency, not uniformity
• Output
  ◦ Developed common risk factors for ERO Enterprise
• Deliverables
  ◦ Revised ERO Enterprise guidance documents


IRA

• Start with 18 common risk factors
• Risk factor criteria determine initial high, medium, or low assessment
  - Common criteria established, with regional flexibility provided
  - Risk factors have associated Reliability Standards and Requirements
• Other considerations layered on inherent risk factor into entity’s Compliance Oversight Plan (COP)
  - Entity performance data (e.g., misoperations)
  - Compliance history
  - Professional judgment and knowledge of the entity
• Document technical justification for decisions


COPs

• How considerations impact monitoring of inherent risk
• Include the following:
  - Reliability Standards and Requirements to be included in scope for compliance monitoring
  - Compliance monitoring tools
  - Interval of compliance monitoring

[Figure label: Entity Compliance Oversight Plan]


IRA Guide Revisions

• IRA Guide name change based on enhancements
  - New name, Guide for Compliance Monitoring
• Updates to Appendix A, definitions
• Removal of Appendix B, information attributes, and use of information attributes
• New set of 18 common risk factors
• Clarifies use of risk elements and Internal Control Evaluations (ICE) for IRA and COP


IRA Key Takeaways

• IRA process end goal is entity-specific COP
  - Enhance IRA Guide to become overall Compliance Monitoring Guide
• No change to overall Risk-based Compliance Monitoring Framework (“Framework”)
  - Framework is not sequential, components are interrelated and interdependent
• Minimal to no impact to registered entities
  - IRA Guide revisions will impact regional processes
  - Expected implementation January 2017, with some REs implementing sooner


Internal Controls and CMEP

• CMEP staff follow Generally Accepted Government Auditing Standards (GAGAS) and professional auditing standards
  - Requires understanding of the entity and controls
  - Requires a level of rigor and analysis of risk
• CMEP staff needs to:
  - Understand risk entity poses to Bulk Power System (BPS)
  - Understand controls to address risks
  - Test and analyze results to have reasonable assurance of compliance and mitigation of risk


Internal Controls and CMEP

• Impact on CMEP staff
  - Consider internal controls across all CMEP activities to help understand the entity. For example, internal control activities:
    o Inform compliance monitoring efforts
    o Disposition of noncompliance
    o Self-logging
  - Identify existing processes, procedures, and activities that help mitigate risk and ensure compliance with Reliability Standards
  - Hold discussions with CMEP staff about existing controls or processes
    o Help CMEP staff understand entity operations


When to Expect Control Discussions

• During CMEP activities
  - ICE activities
  - Compliance monitoring activities, such as an audit
  - Enforcement, such as through mitigation plans
• Objectives of understanding internal controls
  - Compliance Monitoring
    o Inform compliance monitoring activities - monitoring method or depth of testing
  - Enforcement
    o Understand mitigation of violation
    o Understand internal controls to support self-logging capabilities
    o Considering extent and severity of Possible Violation (PV),


Internal Controls Key Takeaways

• Open dialogue between CMEP staff and entity
• Expect discussions on internal controls across all CMEP activities
• Look at existing processes and practices to find internal controls
• Consider documentation and evidence
• Understand control design and implementation
  - Control, as designed, mitigates risk objective
  - Control is implemented as designed


Next Steps

• 2016 will focus on refinements to regional processes
• 2017 will focus on implementation of updated processes
• Continue work to refine the ICE Guide
• Conduct industry outreach webinar on Guide for Compliance Monitoring, and ICE, when revised
