WECC COMPLIANCE 101 Webinar

WECC COMPLIANCE 101

Webinar

Thursday, October 9, 2014

2

Agenda

Introductions Laura Scholl

Overview of WECC and Regulatory Structure

Connie White

Audit – What to Expect Stacia Ellis and Bill Fletcher

Enforcement Overview Rachael Ferrin, Richard Shiflett, Haley Sousa, and Joelle Bohlender

webCDMS and EFT Brittany Power

Overview of WECC and Regulatory Structure

Constance WhiteVice President of Compliance and

Acting Regional Manager

COMPLIANCE 101Overview of WECC

And Regulatory Structure

5

The Western Electricity Coordinating Council (WECC) is a non-profit corporation that exists to

assure a reliable bulk electric system in the geographic area of the Western Interconnection. This area includes all or parts of the 14 western United States, two Canadian provinces, and the

northern portion of Baja California, Mexico.

WECC Profile

6

• Incorporated in 2002

• Predecessor, WSCC formed in 1967

• Largest geographic area of the eight Regional Entitieso Entire Western Interconnection (1.8 million square miles) -

includes all or part of 14 U.S. states, 2 Canadian provinces and a portion of Baja California Norte, Mexico

• Non-Governmental

• Industry participants join together to promote system reliability

• Bifurcation in February 2014 changed functions

WECC History

7

WECC Coverage Service Area

1.8 million square miles

126,285 miles of transmission

Population of 78 million

8

9

WECC Organization

• Independent Board of Directorso 9 memberso Committees

• Members Advisory Committee• Members

• Grid owners, operators, users• Stakeholders• State and Provincial

10

Peak Reliability assumed responsibility for Reliability Coordination

o Operate two Reliability Coordination Offices (Vancouver WA and Loveland CO) that provide situational awareness and real-time supervision of the entire Western Interconnection

Bifurcation

11

• Transmission expansion planningo Management of a comprehensive planning databaseo Provide coordination of sub-regional planning processeso Analyses and modeling

• Studieso Model the system and perform studies under a variety of

scenarios to set operating policies and limits

WECC Services

12

• Loads and Resources Assessmentso Perform annual assessment of 10-year loads and resourceso Maintain 10-year coordinated plan of system growth o Provide information to NERC for summer and winter assessments of

the reliability and adequacy of the bulk-power system

• Operator Trainingo Provide training sessions for operators, schedulers and dispatchers

• WREGISo Hosts the Western Renewable Energy Generation Information

System, which creates and tracks renewable energy certificates

WECC Services

13

Delegation Agreemento Perform functions delegated to WECC as a Regional Entity

under Delegation Agreement with NERC, including regulating entities subject to mandatory Reliability Standards

WECC Services

14

Mandatory Reliability Regulation

• Northeast Blackout of 2003– 10 Million people

in Ontario, Canada– 45 million people in

eight U.S. states

15

16

17

Task Force Report

• Final report of the U.S.- Canada Power System Outage Task Force on the 2003 blackout concluded:

the single most important recommendation for preventing future blackouts, and reducing the

scope of those that occur, is for the U.S. government to make reliability standards mandatory and enforceable.

18

Task Force Findings

Inadequate System Understanding

Inadequate Situational Awareness

Inadequate Tree Trimming

Inadequate Reliability Center Diagnostic Support

Congressional Action

•Energy Policy Act of 2005On August 8, 2005, the Energy Policy Act of 2005 (EPAct 2005) was signed into law.

•“Section 215”Section 215 of the EPAct 2005 directed FERC to certify an Electric Reliability Organization (ERO) and develop procedures for establishing, approving and enforcing electric reliability standards.

20

Authority for Compliance Monitoring

• FERC Order 672 (Implementing Rule 18 CFR 39)– Responsibility and oversight assigned to FERC– FERC designated NERC as Electric Reliability

Organization– NERC has delegation agreement with WECC and

seven other regions

Implementing Section 215

SECTION 215

• Creates Electrical Reliability Organization (ERO)• FERC names NERC as ERO

Regional Entiti

es

• NERC selects 8 regional entities• WECC is selected for Western Interconnection

Delegatio

n Agreeme

nt

• NERC and WECC sign agreements• WECC oversight begins in Western

Interconnection

Development of Mandatory Reliability Standards

Critical Infrastructure Protection (CIP) standards become mandatory and enforceable December 2009

(FERC Order 706)

Operations and Planning (O&P) Standards become mandatory and enforceable

June17, 2007 (FERC Order 693)

23

Order 693 & Order 706 Standards

• Order 693 (Operations and Planning) includes:– Resource and Demand Balancing (BAL)– Emergency Preparedness & Operations (EOP)– Facilities Design, Connection & Mtnce. (FAC)– Protection and Control (PRC)

• Order 706 (CIP) includes:– Critical Cyber Asset Identification– Personnel & Training– Electronic Security Perimeters

24

• Recommends Registrations for Entitieso Register users, owners, operators according to function

• Monitors Compliance with Standardso Monitor compliance by users, owners and operators of the bulk

power system in the United States

• Enforces Complianceo Violation mitigation and settlement negotiationo Representation of WECC in any hearing or appeal process

• Administration o Audit coordinationo Reporting systemso webCDMS and EFT

WECC Compliance

25

In summary…

Authority

Federal Power Act 2005Delegation AgreementReliability Standards

CMEP

Registration

Authority

Reg

istr

atio

n

Monitoring

Authority

Reg

istr

atio

n

AuditsSelf Reports

Self Certif

icatio

nsOther

Enforcement

Authority

Reg

istr

atio

n

Mo

nit

ori

ng

Risk A

ssess

ments

Due Pro

cessSettle

ment

Mitigatio

n Acti

ons

Education/Outreach

Authority

Reg

istr

atio

n

Mo

nit

ori

ng

En

forc

emen

t

Education/Outreach

31

Reference Documents• Compliance Monitoring and Enforcement Program

(CMEP) & WECC’s annual plan• Delegation Agreement• Rules of Procedure• NERC Standards and WECC Regional Standards• NERC Guidance, Bulletins, Directives and Compliance

Application Notices (CANs)• FERC Orders

Notice of Audit

Stacia EllisCompliance Program Coordinator

33

Notice of Compliance Audit Packet

• Notice of Audit Letter

• Compliance Monitoring Authority Letter

• Audit Team Biographies

• Confidentiality Agreements

34

Notice of Compliance Audit Packet

• Certification Letter

• Pre-Audit Data Requests

• Pre-Audit Survey

• Audit Scope and WECC RSAWs

35

Notice of Compliance Audit Letter

• 90-Day Notice of Audit Letter – Details of your specific Audit

• Dates of Audit• Audit Scope• Due Dates• Audit Team Composition, observers (if applicable)

– Observers can include FERC/NERC• Date/time of proposed Pre-Audit Conference Call• Opening Presentation Suggestions

36

Notice of Compliance Audit Letter

• Audit Team Composition – Primary Audit Team

• Individuals expected to participate in the Audit

– Alternate Audit Team• Individuals available to act as backup or replacements

for Primary Team members

37

Attachments A, B and C

• Attachment A– Informational; Explanation of Compliance

Monitoring Authority • Attachment B

– Short Biographies of the WECC Audit Staff• Attachment C

– Signed Confidentiality Agreements of the WECC Audit Staff

38

Attachments D and E

• Attachment D– Audit Scope– RSAWs (Reliability Standard Audit Worksheets)

• Customized for your Entity and your audit– Based on your Registered Functions and Audit Scope

• Attachment E– Certification Letter

• Must be printed on your company letterhead and signed by an Authorized Officer

• Certifies that the information being provided for the Audit is accurate

39

Attachment F

• Attachment F– Pre-Audit Survey

• Verify contact information• Audit Logistics • List any delegation agreements• Signed by Authorized Officer

• Please complete all applicable fields

40

Attachment G

• Attachment G– Pre-Audit Data Requests

• Why are we doing this to you?!?oClarifications for data submittalsoSpecifying types of evidence to remove some

of the guesswork

41

Att G – Operations & Planning (O&P) Data

• Some evidence may apply to more than one Standard– One copy is sufficient, but document inventories

or “roadmaps” are appreciated• Single Line Diagram

– Requested for the majority of Audits

42

Att G – Cyber Security (CIP) Data

• CIP-004 – CIP-009 may not be applicable based upon the Critical Asset/Critical Cyber Asset determination – Determined by CIP-002-3 Requirements 2 & 3– Complete RSAWs indicating absence of CA/CCA

identification– 2015 CIP audits will include CIP v5 outreach

If you have any questions please contact Brent Castagnetto at [email protected] or 801-819-7627

mailto:[email protected]

43

Attachment H

• Attachment H– Audit Feedback– Now sending with initial package

• Feedback is encouraged for all phases of audit.

44

Audit Periods Defined

• Audit Periods, for O&P and CIP, are clearly defined in Attachment G for both:

• Operations and Planning (O&P) • Cyber Security (CIP)

45

Audit Frequency

• 3 year cycleEntities registered as a:

– Balancing Authority (BA) – Transmission Operator (TOP) or – Reliability Coordinator (RC)

• All others– Generally a 6 year cycle. Subject to flexibility in the

future as part of NERC’s Reliability Assurance Initiative (RAI).

46

Outreach

• “Howdy Call”– A few days after Notice of Audit Packet is

uploaded to the EFT Server.

47

Recommendations

• Know the Reliability Standards• Use the RSAWs as guides• Ask questions• Participate in Outreach (CUG/CIPUG)• We are here for you…

– Questions– Comments– Concerns

Audit Approach and Best Evidence

William FletcherSenior Compliance Auditor,

Operations and Planning

49

Compliance Audit (on-site vs. off-site)

• Primary difference is:– Location of audit conduct

• Scope is typically smaller for off site.• On-Site – Required for RC, BA, TOP functions

• Per NERC Rules of Procedure 403.11.2

50

Compliance Audit (on-site vs. off-site)

• On-Site– Documentation sent to WECC before audit for preliminary review– The audit team reviews evidence during off-site week or the first week of the

audit and completes its review during the second week or on-site week– Data Requests or DRs– In-person interviews for clarification

• Off-Site– Documentation sent to WECC before audit for preliminary review– Data Requests or DRs– Entity may be present at audit if desired– Telephone interviews for clarification

Audit Approaches

•We audit to the Requirements of the Standards•General Approaches included in RSAW•RSAW may ask specific questions•Always includes the section:

“Describe, in narrative form, how you meet compliance with this requirement.”

52

Audit Approaches

“Describe, in narrative form, how you meet compliance with this requirement.”

• Describe here how your company knows it is compliant with this requirement and how you know you have been compliant for the entire period of the audit.

• Your place to describe your internal controls.• Your evidence should support your narrative.

53

Audit Approaches

• List the evidence provided in the RSAW.o This road map is important

• Compliance Assessment Approach in RSAW is used as a checklist.o Data Request (DR) for gaps or samples

• Document & record review is primary• Interviews and observations are usually for

Corroborating

54

Sufficient Audit Evidence

Sufficiency of Evidence• The measure of the quantity of evidence• Quantity of evidence is dependent on the scope of

the audit• Extra quantity does not make up for poor quality• Ensure you provide enough evidence to demonstrate

compliance for the entire audit period.

55

Sufficient Audit Evidence

Sampling is used to limit the amount of detailed evidence provided.• Normally used in conjunction with summary of a full

set of data.• Sampling used to assess details.• Reduces the burden on the Audit Team but not really

on the Entity• Audit Team must select the samples

56

Appropriate Audit Evidence

AppropriatenessThe measure of the quality of evidence• Relevance• Validity• Reliability

57

Appropriate Audit Evidence

Quality of Evidence• Good Internal Controls point to reliable evidence.• Direct observation is more reliable than indirect observation.• Examination of original documents is more reliable than

examination of copies.• Testimonial evidence from system experts is more reliable

than from personnel with indirect or partial knowledge.

58

Types of Evidence

• Physical Evidence• Documentary Evidence• Testimonial Evidence

Compliance Audits may use all three types but Documentary Evidence is by far the most frequent type of evidence assessed and relied on.

59

Testimonial Evidence

• Attestations of Compliance or Statements of Compliance are generally not accepted as the only available evidence.

• Attestations may be used to explain minor gaps in documentation or to state if no conditions occurred which are subject to a requirement.

• Attestor must be knowledgable and qualified.

60

Evidence for Procedural Documents

The characteristics of a valid procedural or policy document include: – Document title – Definition or Purpose– Revision level – Effective dates – Authorizing signatures

61

Non Applicable Requirements

Three instances are acceptable for use of term “Not Applicable”1) Entity is not registered for the applicable

function. (only TOP responsible for TOP requirements)

2) Entity does not own, operate or maintain the equipment addressed by the requirement. (UVLS, UFLS, SPS etc.)

3) Entity does not use the program or process specified by the requirement. (and is not required to… ATC, CBM, etc)

62

Evidence for Tasks Performed

• When the standard calls for a task to be performed it must be documented.– Records– Logs– Reports– Work Orders– Phone recordings– Transcripts of phone recordings– Shift Schedules

• Dates & Times are critical

63

Evidence of “Coordination” with other entities

• Typical evidence provided initially is a single email.“…If you have any comments please contact ______”

This alone is neither sufficient or appropriate to demonstrate coordination between two or more parties.

• If emails or correspondence are used– Two way communications are needed

• Better are:– Meeting Agendas– Meeting Minutes– Attendance Lists

64

Evidence of “Distribution” of information

• Typical evidence provided initially is a single email with a large distribution list.“…please see attached”

This alone is typically neither sufficient or appropriate to demonstrate distribution to others.

• If emails or correspondence are used– Need clear identification of the personnel on the distribution list.

• Even Better is corroboration by receipt acknowledgement

Enforcement 101October 9, 2014

Rachael FerrinRichard Shiflett

Haley SousaJoelle Bohlender

66

Agenda

• What is a violation?

• How does WECC know about a violation?

• What is the submittal and review process for

possible violations?

• What is the submittal and review process for

Mitigation Plans?

67

What is a violation?

A violation is a failure to demonstrate

compliance pursuant to applicable NERC

Reliability Standard Requirement– Possible Violation (PV)

• The identification by the Compliance Enforcement Authority of

a possible failure by a registered Entity to comply with a

Reliability Standard that is applicable to the Registered Entity.

NERC Rules of Procedure, Appendix 2 (January 31, 2012).

http://www.nerc.com/files/Appendix_2_ROP_Definitions_20120131.pdf

68

How does the Entity discover a possible violation?

Ongoing Compliance Assessments

Internal Assessments

Internal Audits

Compliance Culture

69

How does WECC know about a possible violation?

Compliance Monitoring• Self-Reports• Self-Certifications

– New possible violation – Change in scope

• Compliance Audits• Spot Checks• Compliance Investigations• Periodic Data Submittals• Complaints

70

Possible Violation Submittal

• Submit Self-Reports and Self-Certifications via webCDMS

• Self Report/Self Certification Content Checklist

http://www.wecc.biz/compliance/United_States/Documents/Best%20User%20Reporting%20Practice%20Checklist.htm


71

Self-Report/Self-Certification Content Checklist

• Is the version of the standard (in effect at the time of the violation) identified?

• Are all multiple subrequirements in scope identified?

• Has this violation been previously reported?

• Does the violation description include:– All devices/facilities/personnel in scope?– Names/IDs of devices/facilities/personnel?– Where are these devices located?– What are these devices used for?– What type of access do the personnel have? – Any additional information to assess the VSL?

• Is the start date and end date identified?

• Are the compensating measures identified?

72

Possible Violation Review

• WECC Subject Matter Experts (SME) reviews the “possible violation”

• Analyze facts and circumstances• Data Requests/conference call if necessary• Technical assessment

– Facts and Timelines– Risk Assessment

• Recommendation of Dismissal or Acceptance to Case Managers

73

Entity’s next step after reporting a Possible Violation

• Submit Mitigation Plan– Notice of Alleged Violation triggers

Mitigation Plan due date– Timely Mitigation is encouraged– Not admission of violation

Every violation goes through the same process.

74

Mitigation Plan Submittal

• Submit via webCDMS– One violation per plan

• Eight Steps to Prevention and Mitigation

• Mitigation Plan Content Checklist

http://www.wecc.biz/compmtg/010182011/Lists/Presentations/1/2011%2010%2020%20CIPUG%20ESPM%20-%20Sarin.pdf


75

Mitigation and Prevention Checklist

• Symptom• Root Cause• Corrective Actions• Preventive Actions• Detective Actions• Assign tasks• Timeline and milestones• Interim Risk

76

Mitigation Plan Content Checklist

• Has the scope of the violation being mitigated changed?

• Has the root cause been identified?

• Does the mitigation plan include:

– What is being fixed?

– How it is being fixed?

– When it is being fixed?

• Do the mitigation actions:

– Relate to the requirements in scope?

– Identify preventative measures?

– Identify detection measures?

77

Mitigation Plan Review

• WECC Subject Matter Experts (SME) conduct reviews

• Review the mitigation plan– Actions (Corrective, Detective and Preventive)– Duration

• Data Requests/conference call if necessary• Notice of Acceptance or Rejection via auto

notification or EFT server

78

Mitigation Plan Extensions

• Extension Requests– Accepted Mitigation Plan completion date =

date Completion Certification and evidence submitted to WECC

– Five business days prior to completion date

79

CMP Submittal

• Submit Completion Certification and evidence via webCDMS

• CMP Content Checklist

80

CMP Content Checklist

• Has the scope changed since the Mitigation Plan was accepted?– Have you included a brief statement to confirm the

scope?

• Is the evidence uploaded with a description for each file?

• Is there a mapping of actions to evidence?

• Is there a completion date for each action?

81

Mitigation Plan Completion Review

• WECC Subject Matter Experts (SME) conduct reviews

• Analyze Evidence– Were all actions outlined in the plan completed?– Has both procedural and implementation evidence been

submitted?

• Data Requests/conference call if necessary• Notice of Acceptance or Rejection via auto

notification or EFT Server

82

Summary

• Violation life cycle– Submitting violations and mitigation plans– WECC’s review of violations and mitigation plans

• Resources– http://

www.wecc.biz/compliance/outreach/Lists/101Links/AllItems.aspx

http://www.wecc.biz/compliance/outreach/Lists/101Links/AllItems.aspx



83

The Hand-Off

Possible

Violation Submitt

al

Technica

l SME Review

The Hand-off to Case Manager

Case

Manager

Review

4 Methods

of PV

Disposition

Confirmed

Violatio

n

84

WECC Enforcement Case Managers

Primary Role: Determining Violation Disposition (disposition analysis)

• Case analysis• Violation Disposition• Policy analysis• Assess penalties• Conduct settlements • Build relationships

85

Enforcement Processes

86

Disposition Analysis

• Dismissal• Find, Fix and Track (“FFT”)• Notice of Alleged Violation (“NOAV”)• Expedited Settlement Agreement (“ESA”)

87

Dismissal

• Disposition method used when the Case Manager determines the possible violation is not enforceable – For Example…– Standard Requirement does not apply to Entity– Facts and circumstances warrant a violation of a

different Standard Requirement– Entity produced additional evidence

demonstrating compliance

88

What does a dismissal look like?

• Case Manager will issue a “Notice of Dismissal and Completion of Enforcement Action”

• WECC: – Withdraws the Possible Violation from Entity’s compliance

record– Any data retention directives relating to the possible

violation are released

• Entity: – Does not need to respond to notice– Questions/concerns contact Case Manager

89

Not a Dismissal, Now what?


90

PVs for FFT Review

WECC Reviews All PVs for FFT Treatment“Strong” FFT Candidates:• Are not Repeat PVs• PV does not reveal programmatic or systematic

shortcomings• Found and Fixed by the Entity• Mitigation Plan has been submitted

91

What does an FFT look like?

• WECC Enforcement will issue a “Notice of Find, Fix and Track”– Remediation Required– No Penalty or sanction– FFT is filed with NERC but does not become a

“confirmed violation”

• FFT will become part of an Entity’s compliance history

92

What to do with an FFT?

• Within five (5) days of receiving an FFT Notice an Entity Must:

• Submit to WECC an affidavit, signed by an officer with knowledge of remediation,

OR• Submit to WECC written notification opting out of

the FFT processing– If an Entity opts out of the FFT disposition, then WECCs

policy is to issue the violation through the traditional NOAV process.

93

4 Disposition Methods


94

What does a NOAV look like?CMEP Section 5.3

• NERC Rules of Procedure, Appendix 4C §5.3 (“CMEP”)• Alleged Violation Facts• Mitigation Plan Summary (if applicable)• Enforcement Violation Determinations

– BES Impact Statement• Minimal• Moderate• Severe

– Violation Severity Level (“VSL”)– Violation Risk Factor (“VRF”)

• Penalty

95

What to do with a NOAV?

• Submit a NOAV Response within 30 days • The NOAV Response must conform to one of

three options– Agree with the violation AND penalty– Agree with the violation, but contest penalty– Contest both the violation AND penalty

• Failure to submit a NOAV Response within 30 days will automatically result in confirmed violations with penalties

96

NOAV Response: “Option 1” Does not contest

• Does not contest violation facts as alleged in the NOAV

• May identify errors that should be corrected in the “Notice of Confirmed Violation” (“NOCV”)

• Submit a Mitigation Plan

Enforcement will issue a Notice of Confirmed Violation within ten (10) days of receiving a NOAV Response that “agrees with or does not contest an alleged violation.”

97

NOAV Response: “Option 2” Contests Penalty

• NOAV Response will be submitted to Enforcement using the EFT Server within thirty (30) calendar days of receiving the NOAV.

• Submit a Mitigation Plan.• NOAV Response must explicitly contest penalty and

request settlement.– NOAV Response must articulate basis for each penalty– NOAV Response should include a proposed penalty the Entity

believes to be reasonable including the basis for proposed penalty

98

NOAV Response: “Option 3”Contests Alleged Violation & Penalties

• NOAV Response must be submitted to Enforcement using the EFT Server within thirty (30) calendar days of receiving the NOAV.

• NOAV Response must explicitly contest each alleged violation and proposed penalty and request settlement.

• Each Contention must be supported by:– An explanation of the Entity’s position– Basis for Contention– Additional Information or evidence

99

A Word on Penalties

• Attached to violations disposed of using the NOAV or ESA processes

• Based on: – NERC Sanction Guidelines (January 31, 2012)– Penalty Range

• Penalty range depends upon Violation Severity Level (“VSL”) and Violation Risk Factor (“VRF”)

• Penalties are then adjusted for either Mitigating or Aggravating Factors

100

Reaching Settlement

NOAVC & T

AgreementWork with Case

ManagerSettlement Agreement

101

4 Disposition Methods


102

ESA: Expedited Settlement Process

ESASettlement Agreement

103

What does an ESA look like?

• Expedites Formal Settlement Negotiations

• The ESA will contain– Facts and circumstances of the violation– Risk Assessment Summary– Mitigation Plan Summary– VSL and VRF determinations– Penalty determination

104

What to do with an ESA?

• Entity will have 15 days to review the ESA…– The Entity will contact Case Manager with questions or concerns.

• If the Entity accepts the terms of the ESA…– The Entity must submit a signed copy of the ESA to WECC within 15

days of receipt of the ESA issuance.

• If the Entity rejects the ESA or does not respond within 15 days…– WECC will issue a Notice of Alleged Violation and Proposed Penalty

and Sanction.

105

Settlement Agreements & Expedited Settlement Agreements

106

Payment & Closure of Enforcement Action

• After NOP becomes effective, WECC issues a “Payment Due Notice”

• The Penalty will be due thirty (30) days from the date the Notice is issued

• Public NOP filings can be found on the NERC website

CASE

CLOSED

107

Enforcement Process Summary

Possible Violation Submitta

l

Technical SME Review

The Hand-off to Case Manager

Case Manag

er Review

4 Methods

of PV Dispositi

on

Confirmed

Violation

• Lifecycle of a Possible Violation• Best Compliance Practices

• http://www.wecc.biz/compliance/Pages/Best-Practices.aspx

• Possible Violation Disposition and Entity Responses

http://www.wecc.biz/compliance/Pages/Best-Practices.aspx

Compliance 101

Brittany PowerData Coordinator

109

webCDMS

110

webCDMS Regions

1.MRO2.SPP3.WECC4.Texas RE5.RFC

111

EFT Server

WECC EFT Server

http://www.globalscape.com/

112

Compliance Standards Index


113


114


115


116

• Call @ 801-883-6879• Types of calls for WECC

o EFT Questionso Registration Questionso Historical Questionso Standard Questionso Non-technical Questions

• [email protected]

Reminder: Help Desk

• Call @ 673-220-2020• Types of calls for OATI

o Technical Problemso webCDMS Login Problemso Certificate Problemso Access Problems

WECC Support OATI Support

mailto:[email protected]