September 30, 2020
Travis English
Training & Outreach
Specialist
Internal Controls
Practices Group
Antitrust Statement
▪ All WECC meetings are conducted in accordance with the WECC
Antitrust Policy and the NERC Antitrust Compliance Guidelines.
All participants must comply with the policy and guidelines.
▪ This meeting is public—confidential or proprietary information
should not be discussed in open session. Please contact WECC
legal counsel if you have any questions.
Agenda
1. Welcome, Introductions
2. Review WECC Antitrust Policy
3. Opening Remarks—Ruchi Shah, WECC
4. Internal Controls Overview—Jennifer Hart & Sherri Palmer, WECC
5. Interactive Group Exercises
6. Entity Practice Sharing—Chris Johnson, WAPA
7. Facility Ratings Risk and Identified Problems—Hashir Ahmad and Jay
Loock, WECC
8. Question and Answer
9. Wrap-up
September 30, 2020
Ruchi Shah
Director of Entity Risk
Assessment & Registration
Welcome
▪ Working from Home Safety!
• Remove obstructions on floor
• Check your fire alarms
• Escape plan in case of fire
• Take breaks and stretch
Internal Controls Practices Group
▪ Interactive event
▪ Platform to share best practices
▪ Risk and Controls discussions
▪ Wrap up by 4:00 p.m. MDT
Contact:
Ruchi Shah
Director of Entity Risk Assessment & Registration
rshah@wecc.org
September 30, 2020
Jennifer Hart
Risk Assessment Analyst
Sherri Palmer
Senior Internal Controls Specialist
Internal Controls
Practices Group
Business Objectives, Risks, and Internal Controls
Business goals and objectives identified
Risks identified and assessed
Processes and Internal Controls created
Internal Controls implemented and operating
Internal Controls monitored, evaluated, and improved
Business goals and objectives achieved
Note: Discussions relating to financial reporting objectives are not included in today’s webinar
What is Internal Control?
▪ A process
▪ Effected by people
▪ Actions and supporting technology at all levels
▪ Gives reasonable assurance of—
• Efficiency and effectiveness of operations
• Successful compliance
• Reliability and security
ERO Definition of Internal Control
The processes, practices, policies or procedures, system
applications, technology tools, and skilled human capital an
entity uses to prevent, detect, and correct noncompliance with
Reliability Standards and address risks to the reliable
operation of its business.
Three Control Types
▪ Preventative
• Segregation of duties
• Access privileges
• Passwords
• Physical control over assets
• Employee training
• Security awareness
▪ Detective
• Reconciling two datasets
• Reviewing data for appropriateness
• Conducting physical equipment/element counts
▪ Corrective
• Patching a system
• Data backups used to restore a system
• Data validity check—may require user to re-enter data if value is outside of parameters
Control Types
Manual Controls
IT Dependent Manual Controls
Cybersecurity and IT Controls
Application Controls
Physical and Environmental Controls
Internal Control Objectives
• Validity of data
• Accurate and complete reports
• Segregation of responsibilities
• Access controls
• Timeliness
• Reconciliation
• Review of operations
• Security of assets
• Reviews and approvals
• Input, process, and output of applications
• Other—must be tailored
Benefits
• Risk Management
• Accountability
• Measure Effectiveness
• Achieve Objectives
• Adherence to Policy
• Transparency in Compliance
• Safeguard Assets
• Accuracy and Completeness
• Reliability and Security of BPS
Three Lines of Defense
[Figure: Three Lines of Defense model, shown under Governing Bodies/Board/Audit Committee and Senior Management. 1st Line of Defense: functions own & manage risk. 2nd Line of Defense: functions oversee risks. 3rd Line of Defense: functions provide independent oversight. Labels in the figure: Operational Processes, Internal Control Activities, Roles & Responsibilities, Management Control, Legal, Internal Control, Risk Management, Compliance, Security, Internal Audit, External Audit, Regulators.]
1st Line of Defense: Operational Management
▪ Functions that own and manage risk
▪ Maintain effective internal control
▪ Execute risk and day-to-day control
▪ Identify, assess, control, and mitigate risks
▪ Guide development and implementation of policies, processes,
procedures
▪ Implement detailed procedures and Internal Controls
▪ Supervise execution
2nd Line of Defense: Functions That Oversee Risks
▪ Risk management, Internal Control, and compliance functions
▪ Ensure first line is properly designed, in place, and operating as
intended
▪ Support policies and define roles and responsibilities
▪ Set goals for implementation
▪ Provide framework
▪ Help management develop processes and controls to mitigate risks
and manage issues
3rd Line of Defense: Provide Independent Assurance
▪ Include internal audit, external auditors, and external regulators
▪ Broad range of objectives
▪ All elements of frameworks
▪ Essential governance requirement for all organizations
▪ Important for large, medium, and small organizations
▪ Ensures effective governance and risk management, Internal
Control, and compliance processes
Assignment and Coordination are Essential
Risk & Internal Control Skill Specialties
Internal Controls Specialist
Risk Analysts
Compliance Officers
Quality Inspectors
Internal Auditors
Security Specialists
The Stakes Are High
Because risk management and controls specialization are being spread across multiple teams:
▪ Limited resources may not be deployed effectively
▪ Significant risks may not be identified or managed appropriately
▪ Communications among groups could become gridlocked and
focus on whose job it is to accomplish a certain task
▪ It’s not enough that risk and Internal Control functions exist!
• Challenge to assign specific roles and coordinate responsibilities
• Must ensure no gaps in controls nor duplication of coverage
Internal Controls Program
A Chat About Tailoring
Control Activities
Reasonable Assurance of Achievement
Entity Strategic Direction & Objectives
• Goals & Values
• Efficient & Effective Operations
• Reliability & Security of the BPS
• Successful Compliance
Risk Management
• Business Risks
• Operational Risks
• Technology Innovation & Emerging Risks
• Compliance Risk
Control Objectives
Form a basis for determining how risks should be mitigated through the design and implementation of Internal Controls
Must be designed and operating effectively
Identifying & Designing Internal Controls
▪ Risk Identified: Facility Ratings Are Not Accurate
▪ Control Objective: Only Valid Facility Ratings Must Be Approved & Communicated
▪ Identify Associated Processes, Standards, Owners
▪ Facility Ratings Process
▪ Potential Errors Identified
▪ Emerging Risks
▪ Obtain Understanding of Process & Activities
• Walk through the process
• Identify who is performing each step
• What is involved in each step
• When does step take place
• Identify resulting documentation and reports
• Identify systems
• Identify control owners
▪ Determine if Existing Controls are Sufficient
• If Control Objectives not met or controls are ineffective - design new or improve controls
• Consider Preventative vs. Detective Controls & combinations, frequency of control, manual or automated, cost vs. benefit
▪ Document Controls
• Draft Process Narrative/Flowchart/Key Activities (keep it brief)
• Draft Risk, Objective, Control, Control Owner Mapping Matrices
• Identify Controls to be tested
▪ Document Policies & Procedures
• Ensure Policies and Procedures are aligned with risks and controls
Failure Points and Guidance Questions
www.wecc.org/Pages/Compliance-UnitedStates.aspx
Failure Point Development Process
▪ Failure Points identify potential risks
▪ Cross-functional effort within WECC
• Based on a Process Failure Modes and Effects Analysis (PFEMA) process
• Experience of WECC subject matter experts
• Data analysis and root cause trends
▪ Risk assessment is a dynamic and iterative process
▪ Industry feedback is welcome!
• Send your comments to InternalControls@wecc.org
Example FAC-008-3 Failure Point
▪ Potential Failure Point (R1): Failure to develop a process for identifying
the most limiting element in a Facility.
• How does [the entity] identify the most limiting element in a Facility?
▪ Potential Failure Point (R1): Failure to train personnel on developed
Facility Ratings.
• How does [the entity] identify which new hires might be subject to this
requirement?
• How does [the entity] ensure that existing personnel are identified for training?
• What about internal transfers from one role to another?
Source: Internal Controls Failure Points- Guidance Questions FAC-008-3, February 2020
Using Failure Points and Guidance Questions
▪ Failure Points complement your Risk Assessment process but must be tailored
• What risks apply to your program?
• What additional risks could your unique process experience?
• Risk prioritization
▪ Guidance questions aid understanding of process & activities
Process Flow and Narrative: Example
Walkthrough and inventory all equipment
Record all equipment, description, and equipment rating
Compare inventory to all documentation in equipment
database
Populate equipment database showing most-limiting component was selected,
and identify second-most-limiting element
Determine all element ratings facility rating
Validate ratings and approve and communicate facility ratings. Publish
final approved facility rating.
Process Narrative
Field Engineers walk down the plant and
identify all elements and record all the details
on a spreadsheet. Photos of nameplates are
taken and filed in the equipment database.
Engineering drawings are used to ensure all
elements are identified and any elements not
on the drawing are also documented in the
spreadsheet. Once the walkdown is
complete, all the data is entered from the
spreadsheet into the equipment database.
The rating process is used to rate all the
elements and identify the most limiting and
next limiting element. All this data is
maintained in the equipment database.
Automated processing determines the facility
normal and emergency ratings. Once
approved by the rating change committee, the
facility rates are published and
communicated to all personnel requiring this
data to perform their job responsibilities.
Any rate changes must follow the change
control process.
Facility Ratings Controls Discussion
▪ Inventory & Change Management
• Track rating & equipment data
• Track changes – newly commissioned & field changes
• Track changes to project plans and rating database
▪ Access Controls
• Limit and track rating database edits
• Limit and track source documents & print edits
▪ Contractor Management
• Specific training for contractors to understand process & procedures and oversight of contractor activities
▪ Data Verification
• Data entry reviews
• Peer review from someone that did not enter the data
▪ Reconciliation
• Reconcile field prints with information stored in rating database
▪ Periodic Facility Reviews
• Risk-based plan for facility walkdowns to ensure rating matches “current” elements within the field to supporting documentation
Internal Control Program Journey
Support From the Top Down
Senior management must support the Internal Control Program
Senior Management defines the culture and communicates views and expectations at all levels
All levels of management and employees must believe Internal Controls are important
RMR FAC-008 Field
Verification Project
Christian Johnson
RMR Reliability Compliance Manager
WECC Internal Controls Webinar, Sept. 30, 2020
RMR Operational Risks requiring Internal Controls
• Why implement Internal Controls for Facility Ratings?
• Risk: Missing or incorrect information could result in incorrect Facility Ratings
• Risk of incorrect Facility Ratings
• Safety issues for workers and public
• Damage to equipment
• Pre-contingent mitigating activities address potential overloads
• Lack of mitigating activities address potential overloads
• Impact to BES reliability if out of normal system configuration due to mitigating activities
• Lost revenue
Background for Field Verification Project
• June 2018 - RMR begins using a new tool to document the rating of transmission Elements
• The tool is a spreadsheet - Facility Equipment List (FEL)
• FEL details include
• Itemizes current carrying Elements of a Facility
• Information source (e.g. specific drawings), Designation/Item #, material, rating, and Facility Rating Methodology Variants (if applicable)
Field Verification Project Overview
• During the FEL creation, questions were encountered requiring field visits
• Planning Engineers identify question(s)
• Requests sent to Maintenance Field Supervisor
• Field visit performed by Maintenance personnel
• Supplemental data sent to Planning Engineers
• Results incorporated into FEL sent to Facility Rating Change Control Committee (FRC3) for Rating approval
• Objective: Improve accuracy of data used for determining Facility Ratings
Field Verification Activity
• Maintenance personnel perform field visit to address questions from Planning Engineers
• Submit field visit results to Planning Engineers
• Results incorporated into FEL for FRC3 for approval
• Action Items can be assigned to update documentation/drawings post FEL approval
• Objective: Supplemental data should be incorporated in a permanent Information Source (e.g., engineering drawing or asset database)
Field Verification Activity - Results
Field Verification Project
• Questions for Chris
Let’s Review Some Control Examples
Risks & Potential Failure Points
• Facility Rating changes are not communicated to all necessary personnel and not communicated promptly
• Field elements do not match system one-lines or design drawings
• Equipment ratings are not determined according to Facility Rating method
Internal Control Objectives
• Facility Rating changes are communicated promptly and to appropriate personnel, who need this information to carry out their responsibilities
• Facility Ratings are accurate and complete
• Supporting documentation has been validated against field elements to ensure it is accurate and complete
Control Activities
• FRC3 Change Committee meets weekly; all changes are published and distributed to appropriate personnel after each meeting
• Periodic Facility “walkdowns” are performed to ensure that field matches the supporting documentation
• Facility Rating list is reviewed independently for accuracy and is consistent with Facility Rating method
September 30, 2020
Hashir Ahmad, WECC
Senior Risk Assessment Engineer
Facility Ratings
FAC-008-3
Facility Ratings Current State of Controls
NERC Facility Ratings Problem Statement
▪ NERC’s observations about the state of Facility Ratings and the use of Internal
Controls to mitigate risks:
• Discrepancies between documented and actual field conditions of equipment and Facility
Ratings
• Incorrect calculations
• Incorrect ratings
• Missing equipment types
▪ Entities with strong controls have better data for more accurate ratings than those
who have not taken steps to develop controls
▪ ERO Enterprise believes the issue is more widespread than what has been discovered
to date
Inaccurate Facility Rating Risks
▪ Incorrect Facility Ratings pose significant risk
▪ Facility Ratings have not taken into account the most limiting series element,
creating large de-rates
▪ Discrepancies include some that are significant and widespread across the ERO
Enterprise
▪ Incorrect Facility Ratings can cause equipment to be operated beyond capability,
causing damage or line sagging
▪ Cause unplanned outages
▪ One of the contributing factors to the August 2003 blackout
▪ An ERO Area of Focus
Common Failures
• Discrepancies between documentation and field conditions of Equipment or Facility Ratings
• Missing equipment from Facility Ratings report/database (e.g., jumpers, bus bars, CTs, wave traps)
• Changes not tracked in the field (emergency or planned) and lack of proper communication to update the Facility Rating
• Incorrect identification of Most Limiting Series Element
• Lack of communication with neighboring entities to develop Facility Ratings for jointly owned Facilities
• Lack of internal communication (e.g., substation and transmission)
• Inaccurate/outdated documentation and prints (e.g., one-line diagrams, as-built drawings)
• Incomplete Facility Ratings Methodology
• Lack of Emergency Ratings including Dynamic Ratings
• Insufficient training of staff
A Sustainable Path Forward—Internal Control Enhancements
▪ Inventory & Change Management
• Track Rating & Equipment Data
• Track Changes—newly commissioned & field changes
• Track Changes to project plans and Rating database
▪ Access Controls
• Limit and track Rating database edits
• Limit and track source documents & print edits
▪ Contractor Management
• Specific training for Contractors to understand process & procedures and oversight of Contractor activities
▪ Data Verification
• Data entry reviews
▪ Reconciliation
• Reconcile field prints with information stored in Rating database
▪ Periodic Facility Reviews
• Risk Based Plan for Facility walkdowns to ensure Rating match “as-builds”
Perform Self-Assessments
Contact:
Hashir Ahmad
Senior Risk Assessment Engineer
hahmad@wecc.org
September 30, 2020
Jay Loock, WECC
Senior Compliance Auditor
Facility Ratings
FAC-008-3
Risks of Inaccurate Facility Ratings
▪ Operational Risks
▪ Planning Risks
▪ Compliance Risks
▪ Loss of Revenue
Accurate Facility Ratings
Accurate Facility Ratings involve coordination across multiple models, departments, and entities.
This may involve coordination of short-term ratings that must be integrated into the energy management systems and considered in real-time assessments.
Correct application of Facility Ratings is paramount to maintaining a highly reliable and secure Bulk Electric System.
System Operating Limits
The purpose of approved FAC-008-3, which is applicable to both Generation and Transmission Owners, is to ensure that Facility Ratings used in the reliable planning and operation of the BES are determined based on technically sound principles.
A Facility Rating is essential for the determination of System Operating Limits (SOL).
Standards that Require Accurate Facility Ratings
Operations
▪ Standard FAC-010-3—System Operating Limits Methodology for the Planning Horizon
• R1.2. States that SOLs shall not exceed associated Facility Ratings.
▪ Standard TOP-001-4—Transmission Operations
• R13. Each Transmission Operator shall ensure that a Real-time Assessment is performed at least
once every 30 minutes.
Standards that Require Accurate Facility Ratings
Protection
▪ Standard PRC-023-4—Transmission Relay Loadability
Criteria:
1. Set transmission line relays so they do not operate at or below 150% of the highest seasonal Facility Rating of a circuit for the available defined loading duration nearest 4 hours.
2. Set transmission line relays so they do not operate at or below 115% of the highest seasonal 15-minute Facility Rating of a circuit.
Standards that Require Accurate Facility Ratings
Planning
▪ Standard TPL-001-4—Transmission System Planning
Performance Requirements
• Steady State Studies—Applicable Facility Ratings shall not be exceeded.
Contact:
Jay Loock
Senior Compliance Auditor
jloock@wecc.org
Contact:
internalcontrols@wecc.org