Regulatory Updates

Consistent NERC Compliance Evidence for Successful Audit Outcomes

Dwayne Stradford | June 26, 2024

While utilities often work in technical silos, NERC auditors are trained to cross-check compliance evidence and data between interrelated standards. Working in silos often leads to inadvertent situations where the compliance evidence used for one standard is inconsistent with information produced or used by other standards. To assure compliance evidence reporting objectives are achieved in each applicable standard and requirement, it is important to identify interrelationships and create a framework where subject matter experts (SMEs) in all technical disciplines consider the evidence data consistency requirements.

NERC compliance auditors are also trained to examine process flows and identify whether they are comprehensive or incomplete. Auditors determine the appropriateness of information by examining the quality and completeness of compliance evidence. They examine the relevance, validity, consistency and reliability of evidence used for addressing the audit reliability objectives and supporting their findings and conclusions. If conflicting evidence is found, they will identify this in their formal Regional Entity (RE) audit report findings, which could further lead to a compliance violation and related fines.

To improve the likelihood of favorable NERC audit compliance outcomes and avoid the need for implementing mitigation plans, individual contributors and SMEs should look at certain cross-linked compliance evidence to assure consistency between approaches used to record compliance evidence. Doing so will allow a company to spend more time on executing core reliability duties and enhance company regulatory obligations. Avoid waiting until the RE compliance audits are underway to identify conflicting evidence situations.

Achieving Consistent Compliance Evidence Through Audit Readiness Reviews

There is a single guaranteed way to assure your company is currently and continuously addressing the interrelationships between evidence packages used for compliance verification. TRC recommends implementing regularly scheduled Audit Readiness Reviews and Mock Audits with independent reviewers to create an enduring and effective process for consistent evidence.

An Audit Readiness Review focusing on consistent evidence will assess your company’s current compliance status and the strength of your compliance program, and can identify weaknesses in compliance evidence that your organization may have.

Independently assessed evidence reviews are a valuable tool that all organizations should consider. Audit Readiness Reviews can be done completely internally or by an independent party.

There are three main assessments that should be included in every Audit Readiness Review.

    1. First, an organization should complete a review and assessment of the current effective and enforceable NERC Reliability Standards to determine which standards are applicable or not and which you may be exempt from. Building an in-depth continuously updated list of applicable standards is fundamental to knowing whether your company can achieve and maintain compliance.
    2. Second, assess your current compliance program’s internal controls and the evidence with multi-departmental uses. By going through your program documents and compliance evidence, you are auditing your own compliance program for consistency between standards families.
    3. Third, even if you have found no evidence of inconsistency gaps in your organization’s compliance program, you should still assess its strengths and weaknesses.

Internal audit readiness reviews support a proactive NERC Compliance program that will:

    • Equip staff and management with sufficient training, education, tools and other resources, such as well-publicized policies and procedures, to detect evidence consistency issues in a timely manner and to detect, correct or prevent noncompliance.
    • Promote a culture of compliance and self-reporting to ensure compliance, including an effective process to self-report noncompliance identified through internal oversight activities.

Audit Readiness Reviews will create an optimal time to formally integrate the objective QA/QC reviews from the subject matter leaders in the other departments that provide operational data. Undergoing Audit Readiness Reviews will clearly demonstrate to auditors that there is an intentional effort to break down operational silos. It also exhibits the culture of compliance by encouraging compliance awareness across corporate boundaries amongst all subject matter experts. Furthermore, the better that individual contributors understand the importance of their work output within the broader context of overall NERC compliance, the more likely they are to become more focused on the quality of their work.

Your company stands to gain multiple advantages, such as:

  • Mitigating repeat violations and unforced compliance errors. Create an overall culture of compliance through a community effort and help improve a company’s NERC compliance reputation with their Regulators.
  • Increasing overall corporate productivity. With a decline in incident management activities and the need for implementation of mitigation plans, individual contributors and subject matter experts can spend more time effectively executing core company reliability enhancing duties and responsibilities.
  • Avoiding financial penalties. There is a direct, positive impact on shareholder value since NERC fines and penalties are generally not recoverable from consumers.

Interrelationships Between NERC Standards

FAC-008 to TPL, MOD and TOP

The FAC-008 standard calls for the establishment of a formal methodology to directly calculate a clear set of facility ratings for the bulk electric system (BES). These are generally seasonal in nature and are extensively used in both the Modeling (MOD) standards and later in the Planning (TPL) standards. Auditors perform data sampling based on cross-checks between the MOD and TPL standards to confirm that the facility ratings produced under the FAC-008 standard are faithfully reflected in the TPL planning studies and in the Transmission Operations (TOP) operational studies, as prepared and used by operators in the control room. Your company’s internal controls must provide for clear conveyance of the FAC-008 ratings data for each component of each BES Facility into these subsequent processes.

An effective FAC-008 data management program starts in the field. NERC encourages utilities to perform their own self-assessments to identify and mitigate the Facility Rating issues that may be present on their systems. In addition to performing a self-assessment, to further ensure FAC-008 programs are sustainable going forward, companies need to implement sufficient internal controls related to:

  • Inventory and Change Management – Controls to continually track the Facility Rating, the equipment that comprises each Facility, and the Equipment Ratings, as well as controls to ensure newly commissioned facilities, changes made in the field to facilities, and changes to project plans are properly tracked and recorded in the Facility Rating database. This is a significant opportunity for efficiency in data management. Getting the rating right from the beginning for each component is crucial to having consistent facility ratings data.
  • Access Controls – Technical or procedural controls to limit and track who can and should change and edit prints and databases. Controlling access will minimize errors.
  • Contractor Management – Training to ensure contractors understand all relevant processes and sufficient oversight to identify and track changes to facilities made by contractors.
  • Data Verification – Objective, third-party or interdepartmental peer reviews to ensure information is entered correctly into the company’s Facility Rating database. Managing contractors that have access to design and “as-built” records is important to effective data management.
  • Reconciliation – Process step to reconcile field prints with information in the company’s facility ratings databases and EMS, in near-term operations assessments and in Planning Assessments; and
  • Periodic Facility Reviews – Periodic comprehensive reviews, including facility walk-downs, on a subset of facilities to ensure the documented Facility Rating matches the as-builds. This assessment should be risk-based, starting with the most critical and most impactful facilities.

Next Steps

By implementing regularly scheduled Audit Readiness Reviews and Mock Audits with independent reviewers you create an enduring and effective process for consistent evidence. TRC has extensive experience in conducting reviews of compliance programs to help your company avoid the consequences (monetary and reputational) of unsuccessful NERC/Region compliance audits. Our experts can help you stay compliant and give you the space to focus on your initiatives.

Your Trusted Regulatory Advisor

TRC closely follows the national, provincial, and state regulatory trends in all regions of North America. Our approach to power system security, engineering, planning, design, construction and commissioning testing balances solutions that incorporate industry reliability risk trends, mandatory reliability standard requirements, regulatory guidance, compliance obligations, best practices, operational goals, and budgets. With expertise in power system planning, engineering, and operations, TRC supports public utilities and private energy providers in their efforts to stay ahead of the regulatory curve and to meet or exceed regulatory requirements as they evolve.

This regulatory update is provided as a service to TRC’s utility clients, helping to keep you informed of forward-looking issues that will impact your company’s electric system reliability risks along with related topics regarding regulatory developments, to help you achieve your company’s business goals.

Dwayne Stradford

Dwayne Stradford serves as TRC’s NERC Compliance Director in the Power Division. He is leading and coordinating TRC’s NERC compliance support services with our various power utility clients. He is an accomplished, diverse energy professional with over 30 years of engineering experience regarding real-time transmission operations, short/long term transmission planning, NERC Reliability Compliance Standards (both NERC-CIP and NERC O&P), Transmission Reliability Assurance, utility scale renewables integration, FERC Regulatory/RTO policy, and Project Management. He spent the bulk of his career (close to two decades) working for AEP but has considerable working experience in the electric utility industry as a professional consultant. He has worked with utility clients on transmission and generation related projects in all three interconnections, so he has breadth of regional BES experience throughout the entire country. Please contact Dwayne Stradford for more information.
