Evolution of Regulatory Oversight

By Leland McMillan, NERC Services Supervisor

Remember the days of audits every 6 years? Oh wait, did you think they were still doing that? In the past, the regions held to a fairly strict schedule of conducting audits on a periodic basis, at 3-year or 6-year intervals depending on registration type. Over time, the Compliance Monitoring and Enforcement Program (CMEP) has evolved to a risk-based approach. The 2021 NERC CMEP Implementation Plan linked here is a very good source of information in which NERC identifies regional monitoring schedules, periodic data submittals, and risk elements. This document is the foundation that the regions build upon to develop the scope of monitoring and the strategy for evaluation in the upcoming year.

The process for reviewing risk elements is described in the document by NERC:

“The Electric Reliability Organization (ERO) Enterprise identifies risk elements using data including, but not limited to compliance findings; event analysis experience; data analysis; and the expert judgment of ERO Enterprise staff, committees, and subcommittees (e.g., NERC’s Reliability Issues Steering Committee or RISC). Reviewed publications include the RISC’s biennial report, the State of Reliability Report, the Long-Term Reliability Assessment, publications from the RISC, special assessments, the ERO Enterprise Strategic Plan, and ERO Event Analysis Process insights. The ERO Enterprise uses these risk elements to identify and to prioritize interconnection and continent-wide risks to the reliability of the BPS.”

The risk elements are then tied to the monitoring tools the regions use to ensure the reliability and cyber security of the grid. NERC explains in the CMEP how the risk elements are translated into priorities for the regions:

“These identified risks are used to focus compliance monitoring and enforcement activities. The ERO Enterprise reviewed and reassessed the 2020 risk elements to determine applicability for 2021. The Implementation Plan (IP) identifies NERC Reliability Standards and Requirements to be considered for focused CMEP activities. The ERO Enterprise recognizes, however, that by using the Framework and other risk-based processes, the REs will develop an informed list of NERC Reliability Standards and Requirements for any monitoring activities specific to a registered entity’s risks. Notably, the IP is not intended to be a representation of just “important” Reliability Standard requirements; rather, it is intended to reflect the ERO Enterprise’s prioritization within its CMEP based on its inputs and to communicate to registered entities to bring collective focus within their operations to address each prioritized risk.”

Each region uses these risk elements to develop monitoring schedules, which include audit lists and Periodic Data Submittals. The frequency of monitoring may vary based on the region's assessment of the Registered Entity's risk to the BES. This is why the industry is seeing variance in audit intervals.

Other monitoring activities can include Spot Checks, Self-Certifications, and Guided Self-Certifications. Guided Self-Certifications are becoming more prevalent among the regional entities, especially for smaller entities that have not been selected for an audit. So, just because your entity does not appear on the 2021 audit list does not mean that you will be exempt from regulatory evaluation. Guided Self-Certifications require evidence submissions and do not provide as much lead time for preparation as an audit. In this respect, a Guided Self-Certification may pose a greater regulatory risk than an audit, because a clearly defined schedule is not always available for an entity to prepare for this type of monitoring. Accordingly, entities should become familiar with the NERC CMEP and the associated risk elements.