Internal Controls: Or, How to Stay Off the NERC Hot Seat
by Leland McMillan – NERC Reliability Specialist
In accordance with NERC’s FERC-approved Reliability Assurance Initiative (RAI), regional entities are focusing more on ensuring compliance and reliability than on their traditional audit approach. In concert with this, registered entities throughout the industry are embracing internal controls as a strategy for promoting best practices and ensuring compliance, rather than reactively discovering non-compliance after the fact. Internal controls need not be fancy, expensive or time-consuming. You can use the tools described below to help mitigate risk, tailoring them to fit your specific needs.
Quick Reference Binder
Designed to make life easier for control room operators, a ‘quick reference’ binder is a useful preventive control that provides easy access to information needed to assess and evaluate NERC events. This resource may contain a cover page with event-driven requirements that can impact BES system operations and require a prompt response. It provides brief instructions to personnel as well as links to procedures, applicable NERC Standards and additional information for the site.
Monthly or Quarterly Checklist
A spreadsheet distributed to personnel with questions pertaining to applicable Standards helps create the expectation of a periodic compliance review. This review may effectively supplement or fulfill annual compliance assessments, quarterly reporting requirements and event-driven requirements. Each month or quarter, conduct a meeting of plant personnel to answer each of the questions, review activities from the prior period and provide a look-ahead to the next month.
PRC-005 ‘Smart’ Maintenance Spreadsheet
Wouldn’t it be nice to receive a reminder that maintenance is coming due for specific devices? To set this up, populate a spreadsheet with components and intervals using your region’s audit format. Program it to provide notifications when maintenance dates draw near. These automated notifications can be sent to key personnel to ensure that compliance is not forgotten.
Risk is an important factor to consider when developing an internal controls framework. NERC and the regional entities produce periodic reports on their perceived top risks to reliability, which allows you to tailor your controls to address these in a timely fashion. A mature compliance program also includes periodic assessments of high-risk standards and requirements and tailored leading-indicator metrics for evaluating the health of the compliance program on a regular basis.
Whether your controls are motivated by business needs or regulatory exposure, base your compliance evaluations of internal controls on the current version of NERC’s Compliance Monitoring and Enforcement Program (CMEP) Implementation Plan. Your regional entity will inquire about your internal controls by facilitating an Internal Compliance Program assessment (or Internal Control Evaluation) as part of its compliance monitoring.
While internal controls may add a layer of additional effort at the front end, you’ll realize substantial resource savings over the long term by minimizing reactive measures taken to address non-compliance requests. In addition, the scope and frequency of your compliance audits will be reduced based on the quality of your controls and your ability to demonstrate effective risk mitigation.
At the end of the day, ask yourself: Are our controls effectively keeping us in compliance?