A “Good” Self-Report Is Critical to Communicate Effectively to The Regulator
by Leland McMillan, NERC Supervisor
NERC has published the “Registered Entity Self-Report and Mitigation Plan User Guide” to provide guidance for effective communications concerning potential non-compliance. Quality of detail in this respect is critical to BES reliability, risk assessment, relations with regulators, company reputation, and potentially penalty calculations. The introduction of the document states:
The ERO Enterprise developed this User Guide for registered entities’ use in reporting and mitigating noncompliance. The purpose of this document is to describe the type and quality of information that the registered entity must submit to allow for an effective evaluation by the CEA regarding the circumstances and risk of a noncompliance and the activities an entity takes to address them. The ability of the CEA to arrive at a final disposition determination in an efficient and effective manner depends on the quality of the information it has about the facts of the noncompliance, risk, cause, and related mitigation. Accordingly, this User Guide provides guidance to assist registered entities with the submission of Self-Reports and mitigating activities.
While the details may be obvious to your staff, the people reviewing your submission may not be familiar with your facilities, so Chapter 1 on “Description of the Noncompliance” contains very helpful tips to help the regulator understand what happened and why. Here are the steps in the process:
Risk assessment is a key component of the review process and Chapter 2 addresses the details, but here is how NERC defines Risk as it relates to reliability:
Risk is the potential impact to reliability or security multiplied by the likelihood of that impact occurring. Risk assessment involves reviewing the negative consequence or the potential impact of the event and the likelihood that the event will occur, based on the internal controls in place at the time the noncompliance occurred as well as the inherent risk of the registered entity.
Mitigation is required for any potential non-compliance and must be complete in order for a registered entity to be eligible for compliance exception. The guide elaborates on several key facets of mitigation efforts, but the following table demonstrates critical components:
This document should be of great assistance in understanding what is required and desired by regulators for identifying and addressing instances of non-compliance. The appendices are checklists to assist you in addressing all applicable items, and various additional resources/reference documents are identified in Appendix D.