By Carl Curry, NERC Reliability Specialist
All NAES client sites are very familiar with the NERC Reliability Compliance Program (RCP) procedures and their corresponding attachments. These documents are the basis of the NAES compliance program; however, some sites may not be as familiar with some of the less commonly used supporting documents. One such document is the Internal Compliance Program (ICP). This article will take a closer look at the NAES ICP and discuss some of the details and purpose of the ICP. The article will also reinforce the need to ensure the facilities are familiar with this compliance document, and the role it plays in the overall NAES NERC compliance program.
In general, the key components of an Internal Compliance Program are to:
- Document organization leaders’ commitment to and support of the compliance program
- Describe the policies and procedures used for compliance
- Define a risk assessment process
- Provide a training and communication program for all individuals involved
- Establish a monitoring and auditing program
- Establish reporting mechanisms for when discrepancies or Potential Non-Compliances are identified
- Apply enforcement and disciplinary measures if needed, and
- Provide for response and remediation
The ICP is one of a few compliance documents that does not refer to a specific NERC Reliability Standard but instead is a general policy document. The ICP follows the model of the Internal Compliance Program above and discusses the concepts of the compliance program:
- the control environment – the documents and policies that promote standards of conduct and ethical values, and how these are enforced and managed
- key risk factors – inherent, controlled, and detection risk, and how each type of risk is recognized and managed
- roles and responsibilities
- oversight of compliance management
- compliance reporting
- security, particularly regarding BES Cyber Systems
- training to improve employees’ knowledge and commitment to the ICP
- compliance monitoring and controls methods – discusses the processes the regions use to monitor and verify compliance
- enforcement and reporting – controls applied to promote communication, monitoring, and incident reporting
Inherent Risk Assessments
Evidence of compliance with the Internal Compliance Program concepts is requested in the Inherent Risk Assessment (IRA), one of the RFI documents the regions use through Align. The IRA, as the name states, focuses on the inherent risk involved in operating, maintaining, and protecting BES equipment and Cyber Systems and how these risks are managed.
The IRA requests documents and evidence that support the entity’s formal Internal Compliance Program (ICP), and asks how the program is disseminated to facilities and employees, whether it is supervised by a high-ranking official, whether sufficient budgetary and personnel resources are dedicated to it, and how the entity handles senior management support, training, encouragement of self-reporting, corrective actions, development of controls, and management of change. Without an overarching compliance document, it could be difficult to provide concise evidence of the program. The IRA is a detailed and extensive request for information; the ICP has sections that address these requests and can supply many of the responses.
As mentioned earlier, since the ICP is not a document commonly referred to in our compliance monitoring and assessments, some sites might have limited knowledge of it, and employees may have even less. Therefore, it is important for the NAES NERC program to ensure sites have a current version of the ICP, review the document with sites, and verify that the employees and supervisors involved in NERC compliance are familiar with the ICP and the concepts it contains.