WECC Process for Risk-Based Compliance Oversight

Inherent Risk Assessment and Compliance Oversight Plan

WECC Entity Oversight

Effective Date: April 1, 2017

155 North 400 West, Suite 200
Salt Lake City, Utah 84103-1114

Western Electricity Coordinating Council

Table of Contents

Introduction
1.1 Purpose
1.2 Document Owner
1.3 Scope
Risk Based Compliance Oversight Framework Overview
2.1 WECC’s Risk-Based Compliance Oversight Team
IRA Process Overview
3.1 Entity Participation in the IRA Process
3.2 IRA Frequency and Revisions
3.3 IRA Process Workflow
3.3.1 Gather and Review Entity Information
3.3.2 Perform Risk Factor Assessment
3.3.3 Perform Data Analysis and Assess Additional Considerations
3.3.4 Identify a List of Standards for Compliance Monitoring
3.3.5 Document IRA Results
3.3.6 Share IRA Results
Compliance Oversight Plan
4.1 COP Frequency and Revisions
4.2 COP Inputs
4.3 Document COP Results
Data Retention
Process Feedback to NERC
Revision History
References
Attachment A: Risk Factor Criteria
Attachment B: Additional IRA Considerations


Introduction

This document describes the process used by WECC to conduct Risk-Based Compliance Oversight based on the ERO Enterprise Guide for Compliance Monitoring.[1] Specifically, this document describes how the Inherent Risk Assessment (IRA) and other performance considerations are used to develop an entity-specific Compliance Oversight Plan (COP).

1.1 Purpose

The purpose of this document is to provide guidance to registered entities and WECC staff on the framework WECC uses during the IRA and COP processes.

1.2 Document Owner

WECC’s Director of Risk Assessment and Mitigation (RAM) is the owner of this document.

The document owner may delegate coordination but is responsible for:

• Reviewing, editing, and updating;

• Coordinating revisions across the Entity Oversight department management; and

• Posting.

1.3 Scope

This document applies to WECC and all United States registered entities in the Western Interconnection. WECC’s international partners are not implementing the Risk-Based Compliance Oversight Framework.

Risk-Based Compliance Oversight Framework Overview

As described in the Electric Reliability Organization (ERO) Enterprise Guide for Compliance Monitoring, WECC follows the Risk-Based Compliance Oversight Framework (Framework) which focuses on identifying, prioritizing, and addressing risks to the Bulk Power System (BPS), enabling WECC to focus its compliance monitoring approach based on risk for each registered entity.

The Framework consists of multiple, interdependent components including Risk Elements, IRAs, Internal Controls Evaluation (ICE), Compliance Monitoring and Enforcement Program (CMEP) Tools, and COPs.

[1] ERO Enterprise Guide for Compliance Monitoring, October 2016: http://www.nerc.com/pa/comp/Reliability%20Assurance%20Initiative/ERO%20Enterprise%20Guide%20for%20Compliance%20Monitoring.pdf


The IRA and COP processes are key to developing an entity-specific risk profile and oversight plan for each NERC registered entity in the Western Interconnection.

2.1 WECC’s Risk-Based Compliance Oversight Team

WECC’s Risk-Based Compliance Oversight processes, including IRA and COP, are shared efforts by the WECC Oversight staff including the RAM team, Compliance Audit Teams, and Compliance Program Coordinators (CPC). WECC relies on the collective experience and professional judgment of the Oversight staff during these processes.

IRA Process Overview

IRA is a process within the Framework in which WECC identifies inherent risks for the registered entity to determine areas of focus for the entity’s future compliance monitoring activities. Inherent risks are attributes specific to a registered entity that could impact the reliability of the BPS.

In coordination with other components of the Framework, WECC uses the results of the IRA to develop an entity-specific COP for each registered entity.

3.1 Entity Participation in the IRA Process

WECC collaborates with the entity throughout the IRA process to ensure WECC has current, appropriate, and sufficient information necessary to conduct the IRA and reach accurate conclusions. This collaboration may include phone calls and requests for information.

Entities participate in the IRA process by completing the IRA and COP Survey. WECC typically requires entities to complete an IRA and COP Survey before it starts the IRA process. WECC follows the documentation protocols listed in the NERC Rules of Procedure and relies on the professional judgment of WECC staff when gathering information from the entity during the IRA process.

Entities are encouraged to respond promptly and accurately to the IRA and COP Survey and any other requests for information. Throughout the process, the entity can submit questions about the IRA or COP to the WECC RAM team at [email protected].

3.2 IRA Frequency and Revisions

WECC may review and revise an entity’s IRA at any time. A review or revision is more likely to occur if an entity experiences significant changes or if new reliability risks emerge. Significant changes may include, but are not limited to, registration changes, asset ownership changes, system events, changes in compliance history or activity, organization changes, or changes in the overall risk elements in the Western Interconnection.


3.3 IRA Process Workflow

WECC follows six steps during the IRA process:

1. Gather and review entity-specific data.

2. Assess the entity’s inherent risk in context of pre-determined ERO Enterprise Risk Factor criteria and the professional judgement of the IRA team.

3. Perform data analysis and review additional performance considerations to further understand the entity and refine the risk associated with the entity.

4. Identify and prioritize a list of Regional and NERC Reliability Standards that are associated with the entity’s risks for consideration in the COP.

5. Document the decisions made during the risk assessment process and provide supporting justification.

6. Share results of the IRA with the registered entity.

3.3.1 Gather and Review Entity Information

In this step, WECC gathers and reviews information about the registered entity. This allows WECC to determine which Risk Factors and other considerations apply to the entity based on the entity’s registered functions, assets, system, geography, interconnectivity, compliance history, corporate structure, delegation agreements, etc.

Initially, WECC reviews entity information that is already available to WECC. Next, it determines whether additional information is needed to complete the IRA process. To facilitate the collection of accurate background information and get a more complete understanding of the entity, WECC usually requests that the entity complete an IRA and COP Survey. WECC will direct the entity when to complete the IRA and COP Survey. The IRA and COP Survey contains questions related to an entity’s Operations and Planning and Critical Infrastructure Protection information and practices. WECC may also gather entity background information through phone calls and targeted requests for information as needed.

At the end of this step, WECC has gathered and reviewed entity background information. With this information, WECC determines which Risk Factors and additional performance considerations are applicable to the entity.

3.3.2 Perform Risk Factor Assessment

In this step, WECC uses entity-specific information and data to identify the risks associated with the entity based on pre-determined Risk Factor criteria and the professional judgement of WECC staff.


The ERO Enterprise Guide for Compliance Monitoring identifies a common set of pre-determined Risk Factor criteria for use across the ERO Enterprise. As permitted under the ERO IRA Process, WECC has implemented technical variances to certain Risk Factor Criteria based on the Western Interconnection’s unique risk profile. WECC’s region-specific Risk Factor Criteria are documented in Appendix A.

WECC reviews entity information to determine the risks associated with the entity based on the Risk Factor criteria. The Risk Factor criteria serve as a guideline and help WECC follow a consistent and repeatable process for assessing quantitative areas of risk. In addition to using the established criteria, WECC uses professional judgement to determine the risk rating based on each entity’s specific circumstances. Based on the Risk Factor criteria and professional judgement of the IRA team, WECC identifies a risk rating of high, medium, or low and associated justification for each applicable Risk Factor.

Later in the IRA process, the Risk Factor ratings will be used to identify an initial list of Regional and NERC Reliability Standards and requirements associated with the entity’s inherent risks to the BPS. This list will be used as an input to the COP.

At the end of this step, WECC has assessed information about the entity to identify a high, medium, or low rating for each Risk Factor and documented justifications that support the risk ratings.

3.3.3 Perform Data Analysis and Assess Additional Considerations

Throughout the IRA process, WECC analyzes entity information to gain a better understanding of the entity’s unique characteristics and understand the entity’s inherent risk to the BPS. In addition to the Risk Factor Analysis, WECC considers additional factors such as compliance history, performance trends, recently completed or planned system changes, or any other circumstances that might affect WECC’s decision to monitor a specific risk area or Standard.

A list of performance considerations that WECC may use to understand and evaluate the entity is included as Attachment B.

At the end of this step, WECC has assessed and documented information about the entity to develop a more refined understanding of the entity’s risk to the BPS.

3.3.4 Identify a List of Standards for Compliance Monitoring

In this step, WECC reviews the Risk Factor ratings to identify areas of focus for future compliance monitoring.

Based on the risk assessment results and an understanding of the registered entity’s unique characteristics, WECC identifies and prioritizes a list of Standards and requirements associated with the registered entity’s risks to select appropriate CMEP tools for compliance monitoring. This prioritized list of Standards and requirements and compliance monitoring recommendation is a key input into the COP.

3.3.5 Document IRA Results

The results of the IRA are documented in an IRA Summary Report. The IRA Summary Report identifies the inherent risks applicable to the entity based on the Risk Factors and a list of associated Reliability Standards and requirements for COP consideration.

3.3.6 Share IRA Results

Prior to finalizing the IRA process, WECC shares a draft of the IRA Summary Report with the registered entity. Entities have the opportunity to share feedback with WECC on the IRA process and are encouraged to share ideas that WECC may consider to further improve and refine the IRA process. Entities are encouraged to notify WECC if the IRA Summary Report contains outdated information or factual inaccuracies so that WECC may determine whether updates to the IRA are needed.

Entities are invited to submit feedback to WECC using the Entity Inherent Risk Assessment and Compliance Oversight Plan Draft Report Comment Form. For Reliability Coordinator (RC), Balancing Authority (BA), and Transmission Operator (TOP) registered entities, WECC schedules a follow-up call with the compliance contact to review the entity’s feedback. WECC may coordinate a follow-up conference call with other non-BA/TOPs in instances where the entity has submitted feedback to WECC.

3.3.7 Finalize IRA Summary Report

WECC adheres to a formal approval process prior to the completion of the IRA Summary Report. During the approval process, the Director of RAM reviews, verifies, and approves the results of the IRA and the IRA Summary Report.

After the IRA is approved, WECC shares a final version of the document with the entity and NERC.

Compliance Oversight Plan

The COP is the final output of the ERO Enterprise Risk-Based Compliance Oversight Framework. WECC uses the COP process to tailor its compliance monitoring activities for NERC Reliability Standards based on an entity’s specific risks and performance considerations. For each registered entity, the COP identifies NERC Reliability Standards selected for monitoring, the interval of monitoring activities, and the possible type of CMEP tool (such as Compliance Audit, Spot Check, or Self-Certification) that WECC may use for compliance monitoring.

4.1 COP Frequency and Revisions

WECC completes the COP process concurrently with the IRA. WECC may review and revise an entity’s COP at any time. Periodic COP revisions may be based on factors such as updates to the IRA, the identification and assessment of internal controls, changes to NERC Reliability Standards, WECC’s quarterly Compliance Monitoring Strategy (CMS) meeting, Reportable Events, System Outage(s), changes in compliance history or activity, or other changes to the entity’s characteristics and risks.

WECC may choose not to revise the COP for the sole purpose of updating minor Standards changes such as Errata changes or Interpretations.[2] The version of the Standard subject to enforcement will be identified in WECC’s official notification for the selected CMEP monitoring tool.

4.2 COP Inputs

As described in the ERO Enterprise Guide for Compliance Monitoring, WECC uses the following inputs during the development of the COP:

1. IRA Results, including a list of entity-specific risks and a prioritized list of applicable Standards and requirements that were identified for future compliance monitoring.

2. ERO-wide Risk Elements

3. Regional Risk Assessment results

4. Internal Controls and mitigating activities such as those identified during an ICE or reviewed during compliance monitoring activities, such as during an audit.

5. The results of WECC’s previous CMEP activities, such as audit findings.

4.3 Document COP Results

The results of the COP process are incorporated into an entity-specific COP report.

[2] Reference NERC Standards Numbering System: http://www.nerc.com/pa/Stand/Resources/Documents/NERC_Standards_Numbering_System_(Update).pdf


4.3.1 Develop COP Report

The COP includes the following items: a list of NERC Standards and requirements identified for monitoring, possible CMEP Tools used for monitoring the identified Standards, and the interval in which the monitoring is to be performed.

4.3.2 Share the COP

Prior to finalizing the COP process, WECC shares a draft of the COP report with the registered entity. Entities have the opportunity to share feedback with WECC on their COP. Entities are encouraged to notify WECC if the COP contains outdated information or factual inaccuracies so that WECC may determine whether updates to the COP are needed.

Entities are invited to submit feedback to WECC using the Entity Inherent Risk Assessment and Compliance Oversight Plan Draft Report Comment Form. For RC, BA, and TOP registered entities, WECC schedules a follow-up call with the compliance contact to review the entity’s feedback. WECC may coordinate a follow-up conference call with other non-BA/TOPs in instances where the entity has submitted feedback to WECC.

4.3.3 Finalize COP Report

WECC adheres to a formal approval process prior to the completion of the Compliance Oversight Plan and COP report. During the approval process, the Director of RAM reviews, verifies, and approves the results of the Compliance Oversight Plan. After the COP is approved, WECC shares a final version of the document with the entity and NERC.

Data Retention

WECC’s Compliance Oversight staff complies with WECC’s Records Retention Policy during and after the IRA and COP processes. After completing an IRA or COP, WECC retains relevant documentation that supports the analysis performed and conclusions drawn during each process. The retained documentation may be used to evaluate the entity’s controls during the ICE process or used during subsequent reviews or revisions of the entity’s IRA and COP.

Process Feedback to NERC

WECC will continue to give feedback to NERC and industry on lessons learned during the Risk-Based Compliance Monitoring processes such as IRA and COP. WECC’s feedback to NERC may include information about an entity’s IRA and COP results, regional trends identified through the IRA process, metrics such as IRA and COP completion status or the average time taken by WECC to complete each process, and information about WECC’s planned CMEP activities.


Revision History

| Revision | Update Date | Modified By | Approval Date | Approved By | Comments |
|---|---|---|---|---|---|
| 1 | 3/26/2015 | Ruchi Ankleshwaria DJ McCarty | 6/30/2015 | Michael Moon | Initial draft for posting and registered entity input. Enhancements include: internal process improvement; consideration of ICE and audit scheduling processes |
| 2 | 4/1/2017 | Jennifer Hart | 7/9/2018 | Ruchi Shah | Updated to align with the October 2016 ERO Enterprise Guide for Compliance Monitoring. Major changes include: updates to the IRA process workflow; addition of the COP processes; clarification on inputs to the IRA and COP process. Approved with an effective date of 4/1/2017 |


References

NERC Rules of Procedure

NERC ERO Enterprise Guide for Compliance Monitoring

NERC Overview of the ERO Enterprise’s Risk-Based Compliance Monitoring and Enforcement Program

NERC Annual ERO CMEP Implementation Plan

NERC Risk Elements Guide

NERC ERO Enterprise Internal Control Evaluation Guide

Generally Accepted Government Auditing Standards

WECC IRA and COP Survey

WECC COP Template

WECC CMEP Implementation Plan

WECC Records Retention Policy


Attachment A: Risk Factor Criteria

The ERO Enterprise Guide for Compliance Monitoring identifies a common set of pre-determined Risk Factor criteria for use across the ERO Enterprise. As permitted under the ERO IRA process, WECC has requested technical variances to the Risk Factor Criteria based on the Western Interconnection’s unique risk profile. WECC uses the following Risk Factor Criteria, effective April 1, 2017, to conduct IRAs.

Risk Factor Criteria for Assessment

| Risk Factor | N/A | Low Risk | Medium Risk | High Risk |
|---|---|---|---|---|
| CIP - Impact Rating Criteria | Entity has no BES Cyber Systems (BCS) | Entity has one or more low-impact BCS(s) | Entity has one or more medium-impact BCS(s) | Entity has one or more high-impact BCS(s) |
| Critical Transmission | Entity does not own, operate, coordinate, plan, design, or monitor the status of transmission facilities | Entity’s system is not critical to adjacent entities as it is not being used as a flow-through system for power flow | Entity’s system is critical to adjacent entities as it is being used as a flow-through system for power flow | Entity’s system includes elements (owned or operated) of an IROL / Flowgate / Major Transmission Path (WECC) / Generic Transmission Limit (Texas RE) / Cranking Path |
| ICCP Connectivity | Entity has no BES Cyber Systems (BCS) | Entity has low-impact BCS(s) without ICCP connections or external routable connectivity | Entity has low-impact BCS(s) with at least one ICCP connection - or - Entity has low impact BCS(s) with external routable connectivity (LERC) - or - Entity has medium-impact BCSs | Entity has medium-impact BCS(s) with at least one ICCP connection - or - Entity has high-impact BCS(s) |
| Largest Generator Facility | Entity does not own any generation facilities | Entity’s largest single generation facility is less than 500 MVA | Entity’s largest single generation facility is between 500 - 1,000 MVA | Entity’s largest single generation facility is greater than 1,000 MVA |
| Load | Entity does not have any system load | Entity’s system load is less than 300 MW | Entity’s system load is between 300 - 2,000 MW | Entity’s system load is greater than 2,000 MW |
| Monitoring and Situational Awareness Tools | Entity does not meet any of the identified criteria | Entity does not have monitoring and situational awareness tools and operates 10 or more lines over 100 kV | Entity does not have monitoring and situational awareness tools and operates 10 or more lines over 200 kV | Entity does not have monitoring and situational awareness tools and operates 20 or more lines over 200 kV |
| Planned Facilities | Entity does not meet any of the identified criteria | Entity is planning on or currently building transmission facilities less than 200 kV in the next three years - or - Entity is planning on or currently building generation facilities that are less than 500 MVA in the next three years | Entity is planning on or currently building transmission facilities between 200 - 300 kV in the next three years - or - Entity is planning on or currently building generation facilities that are between 500 and 1,000 MVA in the next three years | Entity is planning on or currently building transmission facilities greater than 300 kV in the next three years - or - Entity is planning on or currently building generation facilities greater than 1,000 MVA in the next three years |
| RAS/SPS | Entity does not own, operate, coordinate, plan, design, or monitor the status of a RAS/SPS | ---------- | Entity owns or designed a RAS/SPS that is not needed to meet TPL requirements - or - Entity owns or operates equipment that is part of a RAS/SPS that is not needed to meet TPL requirements | Entity owns or designed a RAS/SPS that is needed to meet TPL requirements - or - Entity owns or operates equipment that is part of a RAS/SPS that is needed to meet TPL requirements |
| System Restoration | Entity has no responsibilities during system restoration | Entity has regional or company system restoration responsibilities limited to load restoration | Entity has Blackstart Resource(s) - or - Entity provides switching or other logistics based on the direction from a different entity responsible for the restoration plan | Entity is an RC - or - Entity is responsible for independent actions coordinated with an RC |
| Total Generation Capacity | Entity does not own or operate any generation facilities | Entity’s total generation nameplate capacity is less than 1,000 MVA | Entity’s total generation nameplate capacity is between 1,000 - 5,000 MVA | Entity’s total generation nameplate capacity is greater than 5,000 MVA |
| Transmission Portfolio | Entity does not own, operate, coordinate, plan, design, or monitor the status of transmission facilities | Entity has transmission facilities less than 200 kV | Entity has transmission facilities between 200 - 300 kV - or - Entity has over 1,000 miles of transmission lines 100 kV or greater | Entity has transmission facilities greater than 300 kV - or - Entity has over 4,000 miles of transmission lines 200 kV or greater |
| UFLS Development and Coordination | Entity is not responsible for developing or coordinating a UFLS program | Entity is responsible for developing and/or coordinating a UFLS program for less than 500 MW of load | Entity is responsible for developing and/or coordinating a UFLS program for 500 MW to 900 MW of load | Entity is responsible for developing and/or coordinating a UFLS program for 900 MW of load |
| UFLS Equipment | Entity does not own or operate UFLS equipment | Entity is responsible for 0% up to 0.3% of the entire regionally identified UFLS program | Entity is responsible for 0.3% to 1.3% of the entire regionally identified UFLS program | Entity is responsible for more than 1.3% of the entire regionally identified UFLS program |
| UVLS | Entity does not have any UVLS responsibilities | The Registered Entity owns or operates UVLS that is less than 10% of its peak load | The Registered Entity owns or operates UVLS that is greater than or equal to 10%, but less than 25%, of its peak load | The Registered Entity owns or operates UVLS that is greater than or equal to 25% of its peak load |
| Variable Generation | Entity does not meet any of the identified criteria | Less than 10% of the entity’s BA Area total generation nameplate MVA is comprised of non-dispatchable generation | 10% - 25% of the entity’s BA Area total generation nameplate MVA is comprised of non-dispatchable generation | Over 25% of the entity’s BA Area total generation nameplate MVA is comprised of non-dispatchable generation |
| Voltage Control | Entity does not own or operate any voltage control equipment | ---------- | Entity owns and/or operates reactive resources to provide voltage control | Entity owns and/or operates reactive resources other than generators to provide voltage control |
| Workforce Capability | Entity does not meet any of the identified criteria | Less than 25% of the entity’s System Operators have less than 5 years of System Operator experience | Between 25 - 50% of the entity’s System Operators have less than 5 years of System Operator experience | Greater than 50% of the entity’s System Operators have less than 5 years of System Operator experience |


Attachment B: Performance Considerations

During the IRA process, WECC considers a variety of factors such as an entity’s compliance history, performance trends, recently completed or planned system changes, and other qualitative information to better understand the entity’s inherent risks and inform the Compliance Oversight Plan. The following list is an example of the types of information WECC uses to understand and evaluate the registered entity.

WECC reviews the current status of the Performance Considerations as well as significant past changes and any changes planned for the future.

Organizational Characteristics

• Compliance History (non-compliances, monitoring, audit feedback)

• JRO/CFR/Agreements

• Organizational Structure

• Registered Functions

Critical Infrastructure Protection

• Networks and Electronic Security Perimeters

• Physical Security and Physical Security Perimeters

• Cyber Systems (including EMS/SCADA)

• Cyber Security Incidents

• User management (Governance and Personnel)

• Asset Management

• Change Management

Transmission Facilities

• BESnet inclusions/exclusions

• Changes in footprint

• Coordination with other Registered Entities

• Transmission Availability Data System

• Vegetation management

Generating Facilities

• BESnet inclusions/exclusions

• Blackstart operability

• Changes in footprint

• Coordination with other Registered Entities

• Generation Availability Data System

• Reserve capability/RSG participation

• Resource mixture


• Vegetation management

Load Management

• Composition (Industrial/Residential/Commercial)

• Profile

Events

• Event Analysis practices

• NERC Reportable Events

• OE-417 Electric Emergency Incident and Disturbance Report

• Operating capacity/Energy emergency

• SOL/IROL/Path exceedances

Protection Systems

• Coordination

• Facility maintenance

• Misoperations

• UVLS/UFLS/RAS operations