Submitted to:
North American Electric Reliability Corporation
116-390 Village Boulevard
Princeton, New Jersey 08540
Table of Contents
Executive Summary 3
Section 1: Overview 8
Project Background 8
Process Evaluation Methodology 14
Purpose of Report 16
Document Overview 17
Disclaimer of Confidentiality 17
Section 2: Observations and Recommendations Summary 18
Introduction 18
The Process-driven Organization 18
Process Governance and the Process Foundation Summary Observations 20
Overarching Observations and Recommendations 21
Categorization of Recommendations 37
Section 3: Cross-Functional Areas Evaluation 42
Introduction 42
3.1. Compliance Program Confidentiality Requirements 42
3.2. Developing and Overseeing the Compliance Training Program 43
3.3. Developing and Disseminating Compliance Process Directives and Bulletins 44
3.4. Processing Reliability Standards Violations 45
Section 4: Functional Area Evaluation 47
Introduction 47
4.1. Compliance Program Planning 48
4.2. Overseeing Registration of Owners/Users/Operators of the Bulk Power System 54
4.3. Overseeing Certification of Owners/Users/Operators of the Bulk Power System 60
4.4. Overseeing Compliance Activities of Regional Entities (excluding CVIs) 65
4.5. Overseeing Enforcement Activities of Regional Entities 76
4.6. Analyzing and Reporting Compliance Information 83
4.7. Conducting Reviews of Regional Entities’ Compliance and Enforcement Programs 88
4.8. NERC Involvement in Compliance Inquiries and Violation Investigations 94
4.9. Handling Complaints 101
4.10. Executing Compliance Enforcement Authority Responsibilities 105
Appendix I – Functional Area to Processes and Procedures Crosswalk 114
Appendix II – Process Questionnaire 117
Appendix III – Observations and Recommendations from Development of Agreed-Upon Procedures 118
Appendix IV – Excerpt from Management Letter to NERC 127
AFFILIATES – Crowe Horwath LLP is a member of Crowe Horwath International, a Swiss association. Each member firm of Crowe Horwath
International is a separate and independent legal entity. Crowe Horwath LLP and its affiliates are not responsible or liable for any acts or
omissions of Crowe Horwath International or any other member of Crowe Horwath International and specifically disclaim any and all
responsibility or liability for acts or omissions of Crowe Horwath International or any other member of Crowe Horwath International. Crowe
Horwath International does not render any professional services and does not have an ownership or partnership interest in Crowe Horwath
LLP. Crowe Horwath International and its other member firms are not responsible or liable for any acts or omissions of Crowe Horwath LLP and
specifically disclaim any and all responsibility or liability for acts or omissions of Crowe Horwath LLP. © 2009 Crowe Horwath LLP
Compliance Enforcement, Registration and Certification
Process Evaluation Report
Table of Figures
Table 1 – Project Approach Phase 1 9
Table 2 – Project Approach Phase 2 10
Table 3 – CERCP Process Evaluation Final Scope 12
Table 4 – CMEP Processes and Procedures 13
Figure 1 – Level of Evaluation 14
Table 5 – Policy, Process, and Procedure Defined 15
Table 6 – The Infrastructure for Process Success 19
Table 7 – Recommendation Categories 37
Table 8 – Recommendations Summary by Category of Recommendation 40
Table 9 – Recommendations Count by Section, by Category 41
Executive Summary
Project Objectives
North American Electric Reliability Corporation (“NERC”) determined the need for a project to
provide NERC with an evaluation of its Compliance Enforcement, Registration and Certification
Program (“CERCP”) processes and procedures. NERC engaged Crowe Horwath LLP to perform
this evaluation and Crowe completed this project between July and October, 2009.
The project was initiated to assist NERC’s Compliance area (“NERC Compliance” or the “NERC
Compliance Department”) in achieving its overall objectives for effective implementation of the
CERCP, including adequate management controls. The project objective, therefore, was to
identify and document whether the program has adequately implemented applicable CERCP
processes and procedures in accordance with the applicable law, FERC orders, and NERC Rules
of Procedure. Additionally, Crowe reviewed the internal processes and procedures used by the
Compliance Department in carrying out its duties for consistency with the Rules of Procedure
and for completeness and effectiveness.
Project Approach
For purposes of planning, tracking, and execution, the project was divided into two separate,
sequential phases where the outputs from Phase I became key inputs to Phase II activities.
Phase I of the project primarily involved (i) conducting necessary project initiation and planning
activities, and (ii) gathering information from NERC Compliance personnel concerning the
processes that NERC’s Compliance Department has in place over the compliance with and
enforcement of approved electric reliability standards. Phase II of the project involved (i)
performing analysis and review of process and procedure information and artifacts gathered in
Phase I, (ii) preparation of the public report and the confidential letter to management, (iii)
review and revisions to the reports based upon feedback, and (iv) final delivery of the reports
and project closeout.
Project Scope
Four cross-functional areas and ten functional areas comprise the final scope of the CERCP
process evaluation and, therefore, the scope of this report. Cross-functional areas are areas
that underlie all CERCP processes – for example, confidentiality requirements. Functional areas
represent groupings of related processes, frequently for purposes of mapping related processes
back to a unit or basic responsibility of the program – for example, registration, certification,
CVIs, and enforcement are all functional areas. The 37 processes defined by the NERC
Compliance Department’s CMEP Processes and Procedures Manual are all encompassed within
these 14 cross-functional and functional areas. The CMEP Processes and Procedures Manual is
an internal set of procedures developed and maintained by NERC’s Compliance department to
assist in the implementation of the compliance enforcement, registration and certification
program.
Cross-Functional Areas
1. Compliance Program Confidentiality Requirements
2. Developing and Overseeing the Compliance Training Program
3. Developing and Disseminating Compliance Process Directives and Bulletins
5. We observed that processes within some functional areas were not adequately monitored
because there were few interim checkpoints being taken during the overall duration of the
process. For example, the functional areas Analyzing and Reporting Compliance Violation
Information and NERC Compliance Enforcement Authority Responsibilities had no
monitoring in place or planned. We also observed that for those functional areas that were
monitored, there was often not adequate follow up when process deviations were found. In
the functional area Overseeing Compliance Activities of Regional Entities, for example, we
observed that staff was given reminders of the need to meet timeliness goals, but no other
actions were taken when these goals were not met.
6. We observed several processes that involve handling large amounts of information and
documentation. NERC had begun to address these issues through the development of new
technologies, but it was our observation that until these are fully implemented, the volume
of data and documentation will continue to be an impediment to accomplishing the
Compliance Department’s goals in a timely manner.
7. We identified some issues with the level of controls over data security, confidentiality, and
physical security. Confidential information has been removed from this public version and
has been provided under separate cover to NERC management.
Document Overview
This report takes a top-down approach towards presenting the detailed observations and
recommendations. The Overview section provides a more detailed look at the objectives, scope,
and approach of this Process Evaluation.
The subsequent section (Section 2) titled Observations and Recommendations Summary
provides a summary level view across all observations and recommendations. As part of this
project and the methodology used, Crowe Horwath LLP developed a “scorecard” for evaluating
the various functional and cross-functional areas. The summary contains the summarized level
view of that scorecard. The summary also contains a number of overarching recommendations.
These recommendations are summary-level findings that in many cases present macro-level
observations made across functional areas or within functional areas across multiple criteria.
The next section of the document, Section 3, Cross-Functional Areas Evaluation, contains the
observations and recommendations as they relate to the four cross-functional areas.
Finally, Section 4, Functional Area Evaluation, contains the observations and recommendations
as they relate to the ten functional areas evaluated. Especially relevant to the functional area
evaluations are appendices I and II. Appendix I contains a crosswalk of the functional areas back
to the actual CERCP processes and procedures as defined by the NERC CMEP Processes and
Procedures manual. As most analysis is documented at the functional area level, it is
important to note which processes and procedures comprise each functional area.
Appendix II contains the criteria used to evaluate each functional area. Appendix III contains
detailed observations and recommendations regarding changes to the ROP. These observations
and recommendations were developed by Crowe as part of its development of the Agreed-Upon
Procedures. Appendix IV contains an excerpt from the Management Letter to NERC from the
results of a recently completed Agreed-Upon Procedures project for a regional entity. The excerpt
contains key recommendations regarding the ROP and the CMEP Processes and Procedures.
Section 1: Overview
Project Background
Project Objectives
North American Electric Reliability Corporation (“NERC”) determined the need for a project to
provide NERC with an evaluation of its Compliance Enforcement, Registration and Certification
Program (“CERCP”) processes and procedures. NERC engaged Crowe Horwath LLP to perform
this evaluation and Crowe completed this project between July and October, 2009.
The project was initiated to assist NERC’s Compliance area in achieving its overall objectives for
effective implementation of the CERCP, including adequate management controls. The project
objective, therefore, was to identify and document whether the program meets the
requirements of the implementing rules established by FERC for the Energy Policy Act (i.e. the
NERC Rules of Procedure and subsequent FERC orders), and if the NERC implementation has
adequately implemented applicable CERCP processes and procedures.
More specifically, the intent of this engagement was to:
1. Assess the core internal processes of the NERC CERCP implementation through interviews of
NERC Compliance employees and inspection of documentary evidence, using criteria found in
the following program documents from the ROP, and applicable sections from 18 CFR Part 29 as
the primary basis for the evaluation:
a. Section 400 – Compliance Enforcement
b. Appendix 4B – Sanction Guidelines of the North American Electric Reliability
Corporation
c. Appendix 4C – Compliance Monitoring and Enforcement Program
d. Section 500 – Organization Registration and Certification
e. Appendix 5 – Organization Registration and Certification Manual
f. Section 1500 – Confidentiality of Information
2. Provide an independent Process Evaluation Report (i.e. this report) for public use to align
with NERC’s need to be transparent, stating process efficiency, resource, or other improvement
recommendations identified (if applicable) during the process evaluation.
3. Provide a Confidential Letter to Management (i.e. a separate letter from this report) for any
process efficiency, resource, or other improvement recommendations that for the purposes of
communicating such information must include the identification of confidential information,
including but not limited to company names, data, NERC confidential information or personnel
identification. NERC assisted Crowe Horwath LLP with identification of such information.
Project Approach
For purposes of planning, tracking, and effective execution, the project was divided into two
separate, sequential phases where the outputs from Phase I became key inputs to Phase II
activities. The purpose, scope, activities, and outcomes of the two phases are described below.
Phase I

Purpose: Phase I of the project involved (i) conducting necessary project initiation and planning
activities, and (ii) gathering information from Compliance personnel concerning the
processes that NERC’s Compliance Department has in place over the compliance with
and enforcement of approved electric reliability standards. The activities included a
review of the criteria contained in the applicable sections of the Rules of Procedure,
developing questionnaires for data gathering, scheduling and conducting interviews
with NERC Compliance staff, and reviewing information received from NERC
Compliance staff and other documentary evidence regarding the execution of the
CERCP processes.

Activities:
1. Conduct project initiation activities including, but not limited to, project kickoff
meetings to coordinate all project stakeholders and to ensure that there is a
common understanding for the project objectives, scope, approach, schedule, and
responsibilities.
2. Plan and establish the operating model for the project. Planning included the
creation and coordination of the project schedule of activities, resource schedules
and availability, project communications and status reporting.
3. Create a crosswalk of NERC compliance processes and procedures back to
functional areas that effectively group and map the processes and procedures
back to areas of organizational responsibility (see Appendix I).
4. Conduct initial interviews with functional area owners (primarily CERCP Managers
and Directors) to confirm understanding of the scope of the functional area, key
interactions with other functional areas, and the processes and resources
implemented within the area. Identify key documents and information supporting
the implementation of the CERCP processes and procedures.
5. Request, collect, and review documents and information supporting the
implementation of the CERCP processes and procedures (received from functional
area owners and key subject matter experts).
6. Conduct formal interviews with functional area owners and functional area staff
(primarily analysts, investigators, administrators, and auditors) using common
functional area evaluation criteria to determine the status of the CERCP
implementation with respect to the criteria (note: the interview criteria are
included as Appendix II to this report).
7. Conduct final functional area interviews to confirm understanding and answer
final questions regarding processes, procedures, documents, and process artifacts.
Interviews included, in some cases, observation of various supporting IT systems.
Table 1 – Project Approach Phase 1
Phase II

Purpose: Phase II of the project involved (i) performing analysis and review of information
gathered in Phase I, (ii) preparation of the public report and the confidential letter to
management, (iii) review and revisions to the reports based upon feedback, and (iv)
final delivery of the reports and project closeout.

Activities:
1. Prepare preliminary process write-ups for functional areas and conduct follow-up
interviews and communications to confirm understanding and address open
questions.
2. Perform cross-process analysis to identify overarching findings (e.g. trends) and
recommendations and prepare draft report sections for cross-functional areas and
overarching items.
3. Prepare a draft of the report overview section and executive summary.
4. Combine report sections and prepare initial draft of the Confidential Letter to
Management, including the CERCP Process Evaluation Report.
5. Conduct an internal (that is, internal to Crowe Horwath LLP) quality assurance
review cycle to fully review and discuss content and revise as necessary for initial
external review.
6. Prepare and conduct a preliminary report presentation (deliver draft report,
communicate the preliminary evaluation results, explain and confirm the quality
review and report acceptance process). Discuss approach for the public report and
confidential management letter (e.g. identify confidential aspects of the draft
public report).
7. Facilitate external quality assurance review cycle (distribute draft report, collect
and vet feedback, make applicable changes to draft report and letter).
8. Issue final evaluation report (public) and confidential management letter (non-
public).
9. Conduct project closeout (turnover of project assets, final project assessment and
feedback, etc.).
Table 2 – Project Approach Phase 2
Project Scope
The Engagement Letter for this Process Evaluation project established that “The intent of this
engagement is to … assess the core processes of the CMEP [plus other compliance enforcement
areas] … using criteria found in the following program documents as the primary basis for the
evaluation:
a. Section 400 - Compliance Enforcement
b. Appendix 4B - Sanction Guidelines of the North American Electric Reliability Corporation
c. Appendix 4C - Compliance Monitoring and Enforcement Program
d. Section 500 – Organization Registration and Certification
e. Appendix 5 - Organization Registration and Certification Manual
f. Section 1500 – Confidentiality of Information”
To that end, the Engagement Letter identified eleven internal “processes” related to NERC’s
compliance enforcement, registration and certification goals that we used as the initial basis for
the scope of this Process Evaluation:
1. Compliance program planning
2. Following compliance program confidentiality requirements
3. Registration of users, owners, and operators of the bulk power system
4. Certification of users, owners, and operators of the bulk power system
5. Overseeing the compliance activities of Regional Entities
6. Overseeing the enforcement actions of Regional Entities
7. Reporting to the Federal Energy Regulatory Commission (FERC) or other Applicable
Governmental Authorities
8. Conducting reviews of Regional Entities’ compliance and enforcement programs
9. Conducting Compliance Violation Investigations and other monitoring and oversight
methods
10. Processing reliability standard violations
11. Handling complaints received on the hotline and via the Web site and those
communicated by the Regional Entities appropriately
During the course of the project this list of eleven initial “processes” evolved to more accurately
reflect the scope of all CERCP responsibilities and the alignment of these processes to the CERCP
as functionally implemented by NERC’s Compliance organization. Crowe discovered that NERC
has defined and documented 37 different internal compliance enforcement, registration and
certification processes and procedures and that the initial list of eleven “processes” in fact
represents eleven different “groups of processes”. We termed these groups of processes
“functional areas” to avoid confusion on the project because we were using the term “process”
liberally whereby it could mean too many things – a policy or rule, a procedure, a group of
processes, etc.
In an effort to ensure that the scope of the assessment fully covered the applicable processes
and procedures, Crowe created a crosswalk of the 37 CMEP Processes and Procedures back to
the original process list of 11 items. The CMEP Processes and Procedures Manual is an internal
set of procedures developed and maintained by NERC’s Compliance department to assist in the
implementation of the compliance enforcement, registration and certification program. The
result of that crosswalk is contained in Appendix I of this report.
As the list of areas evolved, Crowe also recognized that some of these functional areas
represent responsibilities that are shared across processes – in essence these areas are core or
foundational elements across CERCP processes. Through reviews of NERC’s process
documentation and discussions with management in NERC’s Compliance Department, we
identified four such areas that are “cross-functional” in nature: Compliance Program
Confidentiality, Developing and Overseeing the Compliance Training Program, Developing and
Disseminating Compliance Process Directives and Bulletins, and Processing Reliability Standards
Violations. Because these cross-functional areas are not necessarily processes or groups of
processes in and of themselves, but rather requirements and policies with responsibilities
spread throughout the organization and across processes, we redefined the list of areas and
conducted project activities using the following breakout:
Cross-Functional Areas
1 Compliance Program Confidentiality Requirements
2 Developing and Overseeing the Compliance Training Program
3 Developing and Disseminating Compliance Process Directives and Bulletins
4 Processing Reliability Standards Violations
Functional Areas
1 Compliance Program Planning
2 Overseeing Registration of Owners/Users/Operators of the Bulk Power System
3 Overseeing Certification of Owners/Users/Operators of the Bulk Power System
4 Overseeing Compliance Activities of Regional Entities (excluding CVIs)
5 Overseeing Enforcement Activities of Regional Entities
6 Analyzing and Reporting Compliance Information
7 Conducting Reviews of Regional Entities’ Compliance and Enforcement Programs
8 NERC Involvement in Compliance Inquiries and Compliance Violation Investigations
9 Handling Complaints
10 Executing Compliance Enforcement Authority Responsibilities
Table 3 – CERCP Process Evaluation Final Scope
These four cross-functional areas and ten functional areas comprise the final scope of the CERCP
process evaluation – that is, the areas assessed as part of the evaluation – and, therefore, the
scope of this report. The 37 processes defined by the NERC CMEP Processes and Procedures manual
are all encompassed within these 14 areas. The list of processes is as follows:
NERC CMEP Processes and Procedures Manual

NERC Process Identifier | Process Name | Relevant ROP Section
NPP-CME-101 | Organization Certification Process Procedure | ROP 500; ROP Appx 5
NPP-CME-102 | Organization Registration Appeals Procedure | ROP 500; ROP Appx 5
NPP-CME-103 | Organization Certification Appeals Procedure | ROP 500; ROP Appx 5
NPP-CME-200 | CMEP Development and Maintenance Process | ROP 401.1
NPP-CME-201 | CMEP Implementation Plan Process | ROP 402.1.1; CMEP 4.0
NPP-CME-202 | Training Process | ROP 402.9
NPP-CME-204 | Monitoring and Facilitating Effectiveness of the CMEP | ROP 402; ROP 404
NPP-CME-205 | Compliance Process Bulletins/Directives | None
NPP-CME-300 | Compliance Inquiry Process | None
NPP-CME-301 | Complaint Process | CMEP 3.8
NPP-CME-302 | Compliance Violation Investigation Process | CMEP 3.4
NPP-CME-303 | Evidence Handling Process | CMEP 3.4
NPP-CME-400 | Observation of RE-led Compliance Audits | CMEP 3.1.5
NPP-CME-401 | Regional Entity-led Compliance Audit Process | CMEP 3.1.6
NPP-CME-402 | Procedure for the Regions to Self-Certify Adherence to the ROP and CMEP during an Audit | None
NPP-CME-403 | Regional Entity Spot Check Process | None
NPP-CME-404 | NERC Audit of Regional Entity Adherence to the CMEP | ROP 402.1.3; ROP 404.3
NPP-CME-500 | Remedial Action Process | CMEP 7.0
NPP-CME-501 | Compliance Violation and Penalty Process - Regional Entity CEA | CMEP 5.1, 5.2, 5.4, 5.6
NPP-CME-502 | Settlement Process - Regional Entity CEA | CMEP 5.4
NPP-CME-503 | Mitigation Process - Regional Entity CEA | CMEP 6.0
NPP-CME-504 | Mitigation Process - NERC CEA | CMEP 6.0
NPP-CME-505 | Appeals and Hearing Process | CMEP 5.3, 5.5
NPP-CME-506 | Penalty Guidance Process | Appx 4B
NPP-CME-602 | Registered Entity Audit Process Procedure | CMEP 3.1
NPP-CME-603 | Self-Report Procedure | CMEP 3.5
NPP-CME-604 | Spot Check Procedure | CMEP 3.3
NPP-CME-605 | Mitigation Plan Procedure | CMEP 6.0
NPP-CME-606 | Self-Certification Procedure | CMEP 3.2
NPP-CME-607 | Data Reporting and Disclosure Procedure | CMEP 8.0
NPP-CME-608 | Exception Reporting Procedure | CMEP 3.7
NPP-CME-609 | Periodic Data Submittal Procedure | CMEP 3.6
NPP-CME-610 | Implementation and Tracking Procedure | CMEP 5.1; CMEP 6.0; CMEP 7.0
NPP-CME-611 | Remedial Action Directive Procedure - CEA | CMEP 7.0
NPP-CME-700 | Data Management, Evaluation, and Analysis Process | ROP 408; CMEP 8.0
NPP-CME-701 | Compliance Data Reporting Process | CMEP 8.0
NPP-CME-800 | Document Management and Control | ROP 402.8; ROP 404.3; ROP 1500; CMEP 9.0
Table 4 – CMEP Processes and Procedures
The evaluation and the results documented within this report are focused at the level of the
cross-functional and functional areas, as demonstrated below, because this was the level of
evaluation most closely tied to the scope and intent of the project as expressed by the
engagement letter. We used individual internal process documents and comparisons to the
Rules of Procedure and other policies for making our evaluations. We also rolled up
observations and recommendations at any individual process level to the relevant functional
area. To that end, this evaluation does not necessarily contain detailed observations and
recommendations for all 37 processes and procedures as these represent, in effect, a level of
detail lower than the focus of this evaluation.
Figure 1 – Level of Evaluation (figure not reproduced in this extraction; its labels identify the Policy level with the ROP and FERC Orders)
In order to accomplish the project objective, namely, “to identify and document whether the
program has adequately implemented applicable CERCP processes and procedures”, Crowe first
contemplated those items that define and provide details regarding the applicable CERCP
processes and procedures. After doing so, we further assessed the role of these defining items
in order to determine the adequacy of the NERC CERCP’s implementation.
Applicable Processes and Procedures
We compared the applicable, defining items for NERC’s CERCP to the typical role of policies,
processes, and procedures within any organization as follows:
Term: Policy
Definition: Policies are concise, formal and mandatory statements of principles and rules formulated or adopted by or dictated to an organization to reach its objectives and perhaps its goals. They are designed to influence all major decisions and actions and to set all boundaries for all activities that take place within the scope set by them.
Applicable Artifacts: Applicable Rules of Procedure (ROP) sections; FERC Orders and related decisions; Applicable laws and regulations

Term: Processes and Procedures
Definition: Defines what is to be done and describes how (that is, the steps involved) the activities are to be performed. The mandatory steps and specific methods required to implement and comply with a policy to meet its intent and perform the operations of the organization. Processes and procedures must ensure (i.e. put controls in place) that a point of view held by the governing body of an organization (that is, the policies) is translated into steps that result in an outcome compatible with that view.
Note: while there are subtle, technical differences between the terms process (typically refers only to the “what is to be done”) and procedure (typically refers to the “how it is to be done”), we do not attempt to differentiate these terms or use them to infer specific meaning by their usage – which is to say, they are used interchangeably throughout this document per the definition above.
Applicable Artifacts: NERC CMEP (internal) Processes and Procedures Manual; NERC Compliance Directives and Bulletins
Table 5 – Policy, Process, and Procedure Defined
Adequacy of Implementation
For each of the functional areas within the scope of the project, Crowe Horwath analyzed the
information obtained through interviews and review of documentation to assess the following
for each process within each functional area:
1. Whether the objective of the process is known and documented
2. Whether the process is accurately documented – that is, the process as documented
matches how the process is most commonly executed by practitioners
3. Whether the roles and responsibilities in executing the process are documented and
whether responsibilities in executing the process are understood
4. Whether necessary inputs are available and in place to support appropriate execution of the
process
Purpose of Report
The purpose of this report is to provide NERC with an evaluation of its CERCP processes and
procedures. This report, submitted by Crowe Horwath LLP, represents the culmination of
activities performed on the project per the Project Approach and methodology described above.
The primary objective of the report is to document observations as to whether the program has
adequately implemented applicable CERCP processes and procedures, where “adequacy” is
defined by those criteria identified in the Process Evaluation Methodology section of this
document, and to make recommendations where the implementation of the CERCP processes
and procedures can be improved.
Document Overview
The following report takes a top-down approach towards presenting the observations and
recommendations. The subsequent section (Section 2) titled Observations and
Recommendations Summary provides a summary level view across all observations and
recommendations. As part of this project and the methodology used, Crowe Horwath LLP
developed a “scorecard” for evaluating the various functional and cross-functional areas. The
summary contains the summarized level view of that scorecard. The summary also contains a
number of overarching recommendations. These recommendations are summary-level findings
that in many cases present macro-level observations made across functional areas or within
functional areas across multiple criteria.
The next section of the document, Section 3, Cross-Functional Areas Evaluation, contains the
observations and recommendations as they relate to the four cross-functional areas.
Finally, Section 4, Functional Area Evaluation, contains the observations and recommendations
as they relate to the ten functional areas evaluated. Especially relevant to the functional area
evaluations are appendices I and II. Appendix I contains a crosswalk of the functional areas back
to the actual CERCP processes and procedures as defined by the NERC CMEP Processes and
Procedures manual. As most analysis will be documented at the functional area level, it is
important to note which processes and procedures comprise each functional area.
Appendix II contains the criteria used to evaluate each functional area. Appendix III contains
detailed observations and recommendations regarding changes to the ROP. These observations
and recommendations were developed by Crowe as part of its development of the Agreed-Upon
Procedures. Appendix IV contains an excerpt from the Management Letter to NERC from the
results of a recently completed Agreed-Upon Procedures project for a regional entity. The
excerpt contains key recommendations regarding the ROP and the CMEP Processes and
Procedures.
Disclaimer of Confidentiality
Introduction
During our data gathering process, we used a Process Questionnaire (Appendix II) and other
methods to identify observations in different functional areas and cross-functional areas within
the Compliance Department. This section presents a summary of our analysis conducted across
the functional and cross-functional areas.
Background
In the pre-ERO era of NERC as a “Council”, the predecessor department to NERC’s Compliance
Department could be characterized generally as a service provider organization that responded
predominantly to unique, frequently “one-off”, situations or requests by a constituency of
voluntary stakeholders, or to the Regions (now NERC’s delegated authorities the Regional
Entities) who themselves were also and similarly service providers to those same stakeholders.
However, beginning before and certainly since certification of NERC as the ERO in 2006, NERC
CMEP has been transformed into a regulatory and regulated organization that is significantly
dependent upon development and implementation of thorough and complete processes to
succeed in its primary task/goal, which is consistent monitoring and fair enforcement. NERC’s
CMEP implementation must do this in a significantly prescribed, uniform manner, which is to
say the basis for NERC’s CMEP implementation has become significantly more process-driven.
Basis for Observations
Before we summarize the observations made across the various functional areas it is worthwhile
to understand the basis for the observations. In observing the process areas within NERC
Compliance we apply concepts from process engineering and classical process
improvement/process optimization techniques and theories such as Lean, Six Sigma, TQM, etc.
We assessed NERC Compliance processes and procedures across three “tiers” or “layers”
comprising the elements critical for organizations to be successful with their processes:
Process Governance: Organizational success with process starts at the top. Management must
create and instill an environment whereby the organization will operate and guide its decisions
within the policies and processes set by management or dictated externally by laws or regulations.
The Process Foundation: In order for policies to be followed and processes to be successful in an
organization, management must, through whatever means available to it, provide foundational
elements that enable the organization to carry out its mission and operate within the policies and
processes. Organizations frequently fail to achieve process efficiency and/or control process
exceptions (that is, process results outside of the results desired and/or considered within
tolerances set by policy) when they lack one or more foundational elements that are required to
enable processes. Such items include, but are
Before we summarize the observations made across the various NERC CERCP functional process
areas it is worthwhile to note our observations regarding the governance and foundational
layers of the NERC process environment.
▪ As a regulatory entity, NERC by its very nature is compelled to maintain an environment
focused on the creation, compliance, and enforcement of its standards and rules. We
observe that the NERC CERCP program generally has the governance and “tone at the top”
to be successful with its processes. Our assessment of individual functional areas indicates
that process objectives are typically well known and well understood and that there is
clearly a culture of policy and process adherence.
▪ As part of our analysis we placed NERC’s CERCP into appropriate context from the standpoint
that NERC’s Compliance organization and the purpose, roles, and scope of responsibilities
for that organization have existed in their current state only for a relatively very short period
of time. The relative immaturity of the organization certainly has a bearing on the
expectations for its level of process maturity. For example:
o We observed in our analysis that the organizational structure, and the resulting roles
and responsibilities within that structure, continue to mature and change fairly
frequently as the Compliance area has undergone numerous structural changes within
the past two to four years. Three years ago the Compliance organization shifted from a
“Service Organization” whose purpose was to provide technical assistance to a
“Regulatory Organization” whose purpose was to regulate (i.e. compliance
enforcement, in addition to the role of registration and certification). The changes in
scope of responsibilities and assignment of responsibilities within an organization
certainly create challenges when attempting to get to a level of process maturity.
o We observed that the NERC Compliance Director/Manager-level positions are staffed, in
most cases, by personnel that are relatively new to the NERC Compliance organization.
Of the six (6) Director/Manager-level positions reporting up through the Vice President
of Compliance the average length of tenure for the personnel is less than 40 months. If
you filter out the one Manager with significant tenure (i.e. greater than five years), we
find that the average Director/Manager in Compliance has been with the organization
just over two years (i.e. approximately 25 months).
o The newness of staff to their respective positions certainly impacts expectations with
respect to process documentation. Organizational and process problems and
inefficiencies are being addressed by NERC compliance personnel (e.g. Compliance has
stood up 35+ processes in the past two years), but organizational and process best
practices emerge typically once some degree of longevity and critical mass has been
achieved. Procedurally, NERC’s Compliance area has achieved a great deal despite their
relatively short existence as an organization.
▪ We observe a number of areas (explained further in subsequent sections of this report)
where the NERC CERCP can improve its “process foundation”. It is our observation that a
number of these areas are a result of the NERC Compliance area’s relatively short duration
of existence and immature organizational infrastructure and, therefore, process
infrastructure. For example:
o Both the Rules of Procedures (ROP) and the NERC CMEP Processes and Procedures
Manual can be significantly upgraded to provide a more solid operational foundation. A
number of enhancements and changes to the ROP are recommended and we outline
those in this report. We also find that the internal CMEP Processes and Procedures are
substantially less mature than the ROP and will require a great deal of attention to reach
a point where they are documented in a manner where the tieback to the ROP is more
obvious, consistent across the Processes and Procedures themselves, and adequate to
provide the ultimate level of management control needed. Generally, the CMEP
Processes and Procedures Manual needs better defined roles and responsibilities,
timelines, and outcome-based measurements.
o While existing systems/processes measure some results and provide statistics, it is
our observation that tools, systems, and technologies can be leveraged to provide
greater degrees of control and security over both public and private/confidential assets,
to enhance process efficiency and effectiveness, and to assist with the creation of a
continuous process improvement environment. For example, we observe that the
CERCP program generally requires a great deal of monitoring, in large part because
there are a number of reporting requirements that must be met and, therefore, requires
significant levels of rigor in terms of tracking and measuring process execution.
However, with that said, we also observe that the systems and technologies available to
Compliance personnel are largely a collection of non-enterprise level solutions created
by various means (e.g. “grassroots”) to support the needs of the departments.
Generally speaking, some of these critical monitoring, measuring, and reporting systems are
currently not structured as long-term solutions built on enterprise-level platforms with
the foundation of IT controls required of such systems.
Introduction
During our data gathering process, we used a Process Questionnaire (Appendix II) and other
methods to identify observations in different functional areas and cross-functional areas within
the Compliance Department. In doing so, seven themes emerged that impact the Compliance
Department as a whole, as opposed to a specific team, process, or functional area. These seven
themes are important to the NERC Compliance Department’s maturity as a process-driven
organization. We provide an overview of these themes below and address each in further detail
in subsequent sub-sections:
1. We recommend to NERC a number of changes to the ROP (including its related
appendices). These changes should be implemented to ensure a solid foundation for NERC’s
compliance program. We observed a number of issues with the ROP whereby it could be
strengthened by adding to it (address areas of Regional Entity accountability – e.g.
Compliance Inquiry process), changing it (address areas where Regional Entities differ in
practice from the ROP as documented – e.g. terminology such as “guidelines” and notices of
violation), or deleting from it (removing redundancies).
2. CMEP Process and Procedures documents should be completed, reviewed, and approved,
including incorporating more defined roles, responsibilities, timelines, and outcomes where
these were found to be lacking. We observed that process documents lacked consistency
and at times did not contain obvious tie-backs to the ROP by virtue of the process used to
develop them. The individual documents requiring completion, review, and approval are
captured within the detailed recommendations of this report.
3. We observed that the Compliance Department was not consistently meeting a number of its
internal process goals for timeliness. NERC Compliance indicated to us that, with their
current staff resources, they often had to adjust timelines in order to ensure the quality of
their work. It is our observation, therefore, that staffing levels may not be appropriately
aligned for the workload required. However, it is also our observation that there are other
contributing factors (process inefficiency issues, deficiencies in the “process infrastructure,”
effort-based metrics) which may also contribute heavily towards NERC’s ability to meet its
goals in certain compliance enforcement, registration and certification process areas. The
lack of activity level, effort-based metrics impedes the ability to fully assess whether staffing
levels are adequate relative to workload and/or to assess the degree to which staff levels
are required to meet certain levels of desired timeliness and quality.
4. We observed that problems with the consistency of outputs from Regional Entities (in terms
of the level of quality of outputs and the timeliness of those outputs) and differences in
professional opinion between NERC, the Regional Entities, and FERC impacted the timelines
for the Compliance Department’s work and the quantity of work that could be accomplished
(i.e. as measured by the number of enforcement actions processed within established time
frames). For example, one manager noted that Regional Entities often submitted Notices of
Confirmed Violations that contained errors in dates and judgments that NERC did not find
appropriate, such as classifying an issue as a documentation error rather than a failure to
perform, when the standard required documentation of performance. Another manager
stated that NERC and FERC periodically had different opinions on application of reliability
standards on Compliance Violations Investigations.
5. We observed that processes within some functional areas were not adequately monitored
because there were few interim checkpoints being taken during the overall duration of the
process. For example, the functional areas Analyzing and Reporting Compliance Violation
Information and NERC Compliance Enforcement Authority Responsibilities had no
monitoring in place or planned. We also observed that for those functional areas that were
monitored, there was often not adequate follow up when process deviations were found.
In the functional area Overseeing Compliance Activities of Regional Entities, for example, we
observed that staff was given reminders of the need to meet timeliness goals, but no other
actions were taken when these goals were not met.
6. We observed several processes that involved handling large amounts of information and
documentation. NERC had begun to address these issues through the development of new
technologies, but it was our observation that until these are fully implemented, the volume
of data and documentation will continue to be an impediment to accomplishing the
Compliance Department’s goals in a timely manner.
7. We identified some issues with the level of controls over data security, confidentiality and
physical security. Confidential information has been removed from this public version and
has been provided under separate cover to NERC management.
Underlying each of these themes are several overarching observations that we made during our
data gathering and analysis process. As appropriate, we also made recommendations to
address these observations. The following sub-sections provide our observations for each of the
seven key areas followed by our recommendations for each area.
1 In this report, where we refer to the ROP, we are also referring to its appendices, including Appendix 4C (the Compliance
Management Enforcement Program or CMEP).
During this project, we recommended several other changes to the ROP, which are
described below. See Overarching Recommendation ROP-01.
o A section should be added to the CMEP to describe the rules governing the
Compliance Inquiry process. We observed that there was no reference to this
process in the ROP, although NERC expected Regional Entities to follow it. See
Recommendation CVI-01 in the Functional Area Evaluation “NERC Involvement in
Compliance Inquiries and Compliance Violation Investigations.”
o References to “Transitional Certification” in ROP Appendix 5 should be deleted,
because this process has never been implemented. It should be replaced with the
“Provisional Certification” process. Note at the time of our observations, a revision
of Appendix 5 was pending that would incorporate these changes, but it was not yet
approved. See Recommendation CER-01 in the Functional Area Evaluation
“Overseeing Certification of Owners, Operators, and Users of the Bulk Power
System.”
o NERC Compliance Staff have identified a gap in the ROP and CMEP concerning
violation dismissals. In order to exercise appropriate and expected oversight, both an
internal process for the review of dismissals prior to approval and appropriate changes
to the ROP and CMEP need to be developed to ensure due process for the industry,
Regional Entities and NERC. We observed that NERC must review Notices
of Confirmed Violations prior to filing a Notice of Penalty with FERC, but not before
this stage. As a result, NERC has spent a great deal of time working with Regional
Entities at this end phase after the Regional Entities had already presented their
findings and had significant points of contact with the violating Registered Entities.
See Recommendation ENF-03 in the Functional Area Evaluation “Overseeing
Enforcement Activities of Regional Entities.”
When revisions to the ROP are made, other documents, such as implementation plans,
delegation agreements, report templates, documents in the Compliance Department’s
Processes and Procedures Manual, training materials, and systems may need to be revised
as well. Once the ROP changes are implemented, NERC should undergo a process to ensure
that other updates are made to related documents and systems as well. See
Recommendation ROP-02.
Recommendations
ROP-01 Perform an assessment of ROP changes recommended as part of this evaluation
(along with changes that may be otherwise queued up within NERC’s own
assessment of the ROP) and then develop and implement a plan to incorporate the
following into the Rules of Procedure and related appendices (that is, where there
is concurrence on the need for the change):
o Observations on the ROP that Crowe made while developing the Regional
Entity AUPs,
o Observations on the ROP that Crowe made while performing the Regional
Entity AUPs,
o Required Compliance Directives that are meant to be followed on an
ongoing basis and that have not already been incorporated into the ROP,
and
o Recommended changes to the ROP that Crowe identified during the
process evaluation project.
As part of the plan, include a schedule for reviewing the ROP revisions internally,
drafting the revised ROP, obtaining necessary input from outside parties, obtaining
BOTCC approval, and issuing the revised ROP.
ROP-02 Based on the ROP changes that are made, determine what changes need to be
made to other documents, including implementation plans, templates used by
NERC and Regional Entities, the Compliance Department’s Policy and Procedure
Manual, and any internal systems (tracking, reporting, etc.) if applicable. We
recommend that NERC Compliance develop and implement a plan to incorporate
necessary changes.
ROP-03 Based upon observations made while executing recommendations ROP-01 and
ROP-02, we recommend that NERC Compliance should establish and implement a
formal “internal change control” process whereby changes to the ROP, delegation
agreements, implementation plans, templates, the Compliance Department’s
Policy and Procedure Manual, training materials, and any internal systems can be
fully managed, coordinated, and tracked to completion in a consistent manner.
Managing internal change in a consistent, methodical manner is critical towards
assuring consistency between all of these pieces that are ultimately critical
towards the effective implementation of the CERCP. The internal change process
would accommodate externally-driven changes (e.g. changes to the ROP and FERC
orders) and ensure that these changes appropriately permeate throughout the
organization and would also accommodate internal changes to ensure consistency
between the process assets (process documentation, training assets, templates,
etc.).
Compliance had a fairly substantial amount of progress to make before its process documents
could be considered mature and reflective of a process-driven organization.
Certain compliance-related internal processes that NERC performs had not yet been
documented. Specifically:
o No document had been drafted of the CMEP Development and Maintenance
Process, meaning that NERC Compliance did not have a documented tool to guide
the development, coordination, or management of changes to the ROP. (See the
Functional Area Evaluation “Compliance Program Planning,” Criterion 1.)
o No document had been drafted for Penalty Guidance beyond the Sanction
Guidelines contained in the ROP. As a result, NERC Compliance had no documented
practice for the review of penalties assessed by Regional Entities. In particular,
there was no formal process for ensuring consistent application of penalties across
Regional Entities. This is a key NERC responsibility under the CMEP and Appendix 4B
to the ROP. (See the Functional Area Evaluation “Overseeing the Enforcement
Activities of Regional Entities,” Criterion 1.)
Because the ROP did not specify how to carry out these processes, documented internal
processes are essential to assure consistent achievement of NERC’s compliance goals. See
Recommendation PPM-01.
Of the Processes and Procedures Manual documents that have been drafted, only five —
NPP-CME-301 (Complaint Process); NPP-CME-303 (Evidence Handling Process);
NPP-CME-400 (Observation of RE-led Compliance Audits); NPP-CME-403 (RE Spot Check Process);
NPP-CME-404 (NERC Audit of RE Adherence to the CMEP) — have been finalized and reviewed by
the Vice President and Director of Compliance or his designee. We observed that several of
the documents were still in very early draft form, with unresolved details “blanked out” or
unanswered comments and questions. These included the “CMEP Implementation Plan
Process” (NPP-CME-201) in the functional area Compliance Program Planning; the “Training
Process” (NPP-CME-202) in the cross-functional area Developing and Overseeing the
Compliance Training Program; and several processes within the functional area Overseeing
Regional Entity Enforcement Programs. As a result, the Compliance Department may not
have been executing the processes in a manner consistent with management’s goals. See
Recommendation PPM-02.
We observed that the documents in the Processes and Procedures Manual did not clearly
distinguish between policies, processes, and procedures. Often the terms were used
interchangeably. For example, documents such as the “Auditor Training Process,” “Data
Management, Evaluation, and Analysis Process” and the “Evidence Handling Process” did
not really have a process flow, but were more like policy documents. As noted above,
policies form the underlying rules and principles of an organization, while processes provide
a general framework for implementing those policies (what is to be done), and procedures
provide the specific steps for executing the processes (how it is to be done). As a best
practice, NERC Compliance should ensure that its Processes and Procedures Manual follows
the appropriate hierarchy of policies, processes, and procedures. See Recommendation
PPM-03.
Several of the processes did not document well-defined roles and responsibilities (these are
detailed throughout the report). We observed that they often noted that steps were to be
performed by “NERC,” or they may have assigned general responsibility for a process to a
certain manager, without identifying what team members are responsible for what parts of
the process. Examples of processes where these types of issues were identified included the
“Regional Entity-led Compliance Audit Process” (NPP-CME-401), within the functional area
Overseeing Regional Entity Compliance Programs, and the “Data Management Evaluation
and Analysis Process” within the functional area Analyzing and Reporting Compliance
Information. (See Criterion 3 in the functional area evaluations.) Organizational flexibility is
critical, and generally it is not necessary to assign a specific individual to be responsible for a
specific process step. For example, a process could refer to “a designated member of the
Enforcement and Mitigation team,” or “a Regional Entity Compliance Auditor,” or “the
Manager of Organization Registration and Certification or his designee.” Essentially,
Compliance staff should be aware of what roles they have, or might have, within certain
processes. This is especially important as new staff are hired who would not be as familiar
with NERC’s policies, processes, and procedures as the current Compliance Department
staff, many of whom were involved in the actual development of these documents. See
Recommendation PPM-04.
We observed that some processes lacked adequate information on how they were to be
carried out. We found this to be especially true when the process involved reviewing or
observing the work of Regional Entities. For example, we observed that NERC’s role while
observing Regional Entity compliance audits and NERC’s role in reviewing compliance
violation investigations led by Regional Entities were not well defined. (See Criterion 3 in
the functional area evaluations Overseeing Compliance Activities of Regional Entities and
NERC Involvement in Compliance Inquiries and Compliance Violation Investigations.) In
addition, the enforcement process for when NERC is acting as the Compliance Enforcement
Authority was not fully documented. (See Criterion 1 in the functional area evaluation NERC
Compliance Enforcement Authority Responsibilities.) See Recommendation PPM-05.
We observed that a number of processes—such as the “Organization Registration Process”
(NPP-CME-100) and the “Compliance Violation and Penalty Process” (NPP-CME-501)—did
not include adequate timelines or other measurable outcomes, other than those required
by the ROP. (See Criterion 6 within the functional area evaluations.) Admittedly, these
timelines are often dependent on receiving information from outside parties who cannot be
held to deadlines not specified in the ROP or other policy directives. However, for purposes
of better measuring and monitoring of the processes, and for communicating process norms
to staff, key measurements should be built into the process documents. See
Recommendation PPM-06.
We observed that many of the processes that we reviewed were not developed with the
ROP as a starting point. Instead, Compliance staff related to us that they developed the
processes based on how they carried out their functions at the time or how the processes
had been historically executed. Staff noted that they kept the ROP requirements in mind
while drafting the documents. However, in some instances we observed process documents that
were not based on ROP requirements, such as the process documents related to
Compliance Inquiries, and ROP requirements that did not have an associated process
document prepared, such as NERC’s reviews of penalties and sanctions. We did not observe
any obvious or direct conflicts between the process document contents and the ROP
requirements, largely because the ROP was generally non-specific on the way many of
NERC’s compliance duties are to be carried out. See Recommendation PPM-07.
As part of the review cycle of this process evaluation report it was noted that there were
inconsistent uses of the term CMEP (i.e. Compliance Monitoring and Enforcement Program).
It was NERC’s observation of our initial report draft that the scope of the processes
contained within this report, and likewise within NERC’s Compliance Department, was
broader than CMEP, using the ROP's definition of CMEP (which is identified and defined by
Appendix 4C of the ROP). As an example, NERC’s Compliance Department refers to its
processes and procedures as the CMEP Processes and Procedures Manual, when this
document contains items that map back to other sections of the ROP (e.g. registration,
certification, confidentiality). Similarly, the use of the term “RE” was noted to be ambiguous
to the extent that this can refer to both regional entities and registered entities. See
Recommendation PPM-08.
In this report, we made other recommendations to improve the quality of the process
documents themselves. These are specific to certain cross-functional and functional areas, and
for purposes of providing an easy cross reference to these related recommendations, these
consist of the following recommendations within the sections listed:
o Recommendations TRA-01 and TRA-02 within the Cross-Functional Area Evaluation
“Developing and Overseeing the Compliance Training Program,”
o Recommendation PRO-01 within the Cross-Functional Area Evaluation “Processing
Reliability Standards Violations,”
o Recommendations IMP-01 and IMP-02 in the Functional Area Evaluation
“Compliance Program Planning,”
o Recommendations REG-01 and REG-02 in the Functional Area Evaluation
“Overseeing Registration of Users, Owners, and Operators of the Bulk Power
System,”
o Recommendations CER-02, CER-04, and CER-05 in the Functional Area Evaluation
“Overseeing Certification of Users, Owners, and Operators of the Bulk Power
System,”
o Recommendations COM-01, COM-03, COM-04, COM-05, and COM-06 in the
Functional Area Evaluation “Overseeing Compliance Activities of Regional Entities,”
o Recommendations ENF-01 and ENF-02 in the Functional Area Evaluation
“Overseeing Enforcement Activities of Regional Entities,”
o Recommendation REP-03 in the Functional Area Evaluation “Analyzing and
Reporting Compliance Information,”
o Recommendations REV-01 and REV-03 in the Functional Area Evaluation
“Conducting Reviews of Regional Entities’ Compliance and Enforcement Programs,”
o Recommendations CVI-02 and CVI-03 in the Functional Area Evaluation “NERC
Involvement in Compliance Inquiries and Compliance Violation Investigations,” and
o Recommendations CEA-01, CEA-02, and CEA-04 in the Functional Area Evaluation
“NERC Compliance Enforcement Authority Responsibilities.”
Recommendations
PPM-01 Develop internal process documents for the CMEP Development and Maintenance
Process and the Penalty Guidance Process. Include procedures for cross-regional
comparisons in the Penalty Guidance Process. Develop a due date for completion
of these drafts.
PPM-02 Finalize all internal process documents and have them reviewed by the
appropriate Compliance team manager and by the Vice President and Director of
Compliance or a designee. Reviewers of the process documents should ensure
that the Recommendations PPM-04, PPM-05, PPM-06, and all functional area-
specific recommendations made in this report to improve the quality of the
process documentation are incorporated. All processes should be finalized and
reviewed before FERC begins requesting information for its audit of NERC.
PPM-03 In the internal Processes and Procedures Manual documents, classify the policies,
processes, and procedures into a hierarchy. Note that for some purposes, policies
- and sometimes even processes - may be the underlying ROP or FERC orders,
which would not need to be repeated in their entirety within the documents.
PPM-05 Where processes were found not to be clear or well-defined (see references to this
recommendation, that is, Recommendation Id PPM-05 in the functional area
evaluations), we recommend that NERC Compliance specify in greater detail what
steps are to be followed within the processes. In keeping with Recommendation
PPM-04, designate who (by role) is responsible for these process steps.
PPM-06 Where noted as an issue in the functional area evaluations (see references to this
Recommendation, i.e. PPM-06), we recommend that NERC Compliance consider
identifying key milestones (perhaps in many cases, more detailed milestones)
within the process documents and specifying a goal or outcome to be measured,
such as a due date, for each of those key milestones beyond those used in
reporting timeliness in Corporate Goal #1.
PPM-07 We recommend that NERC Compliance more closely align its CMEP Process and
Procedure documents with the applicable ROP sections pertinent to the individual
process being documented. In a number of cases the ROP contains a “swim lane”
diagram indicating NERC's role in executing a process. It is our observation that the
“NERC swim lane” can be utilized in many cases as the basic framework for the
CERCP process. For example, arrows on the ROP diagram flowing into the NERC
swim lane become process input requirements, arrows flowing out of the NERC
swim lane become process output requirements, etc.
We generally observed across most processes that time/effort metrics were not captured,
reported, or analyzed. The lack of effort-based metrics impeded the ability to fully assess
whether staffing levels are adequate relative to workload and/or to assess the degree to
which staff levels were required to meet certain levels of desired timeliness and quality.
See Recommendations STA-01 and STA-02.
We observed that because of increasing requirements, Technical Feasibility Exception
reporting, Critical Infrastructure Protection and coordination between the Nuclear
Regulatory Commission and NERC, all with an undetermined impact and potentially
significant resource requirement, NERC’s Compliance Department requires a high degree of
flexibility in assigning staff. These programs will also undoubtedly evolve and mature over
the next couple of years. For example, we observed that several staff on the Regional
Operations team were occupied with the Regional Entity audits, which are performed every
three years. Once this process is completed, that team may have more time to devote to
other responsibilities. In addition, an unexpected large disturbance in the bulk power
system (BPS) could require a sudden surge in the need for Compliance Violation
Investigation team resources.
We noted some sharing of staff among different teams; however, we also noted a trend
towards specializing staff (as opposed to cross-training and/or cross-utilization). For
example, we observed that NERC Compliance developed plans for members of the
Organization Registration team to help perform the Regional Entity audits; however, most teams
were in the process of becoming highly specialized. NERC Compliance should consider
organizational alignment that encourages a certain amount of flexibility to react to sudden
major workload needs across functional areas. See Recommendations STA-02 and STA-03.
Recommendations
STA-01 We recommend that NERC Compliance consider enhancing its time tracking system
currently in place for tracking staff hours. The time tracking system could capture
more granular detail than it currently captures to track time needed to complete
individual processes in all functional areas and, in particular, steps or activities
within the processes. This would require staff to document time spent on
processes and activities within processes, including in some cases additional details
such as the violation or audit (for example) being worked on. This may be done on
a sample basis, especially for tasks that repeat often, such as reviewing mitigation
plans from Regional Entities. When a large internal process change occurs, such as
the implementation of CRATS, NERC can collect new hourly data on the process and
use that as a basis for measuring the organizational impact of change.
STA-02 Based on the data collected on project staff hours (recommendation STA-01), we
recommend that NERC Compliance consider development of benchmarks for the
completion of major processes and estimates for the total number of staff hours
spent on those projects within a given time period (monthly, quarterly, yearly).
NERC Compliance could re-run estimates periodically to account for “spikes” or
“lulls” in certain processes. NERC Compliance could then use this analysis to
determine if current staffing levels on each team are sufficient to meet the team’s
process needs, or if resources need to be re-aligned.
ENT-03 We recommend that NERC Compliance consider a review of the compliance and
enforcement staff structure of Regional Entities to ensure that they have the proper
mix of talent for carrying out all compliance and enforcement duties. For example,
NERC Compliance could ensure that they have adequate staff with a legal or
regulatory background. NERC Compliance could then direct Regional Entities that
are lacking in certain key skills to acquire those skills through added hiring, changes
in staff roles, or other means.
ENT-04 Identify key areas of differences with FERC in professional judgments. Work with
FERC to establish clear guidelines for handling these items, or make adjustments as
necessary (proposing to change a reliability standard, for example). We further
recommend that NERC track these agreements with NERC in a database for easy
query across NERC teams.
ENT-05 When implementing a process that requires obtaining multiple reviews from
different parties, we recommend that NERC Compliance consider establishing and
enforcing/reinforcing clear goals for obtaining comments, for entities with which this
can be done (Regional Entities and other NERC departments, primarily).
referenced as the only method of monitoring and measuring underlying processes, which is
to say that other monitoring and measuring is not abundant (such as quality measurements,
interim process measurements, time/effort /productivity/efficiency measurements, process
exceptions or exception root causes, etc.) See Recommendation MON-01.
We observed that certain metrics that were monitored and measured, such as those in the
monthly Goal 1 Update Report, were measured as “yes/no” responses only. In other words,
there was no determination or measuring of control limits. For example, the Goal 1 Update
Report measured whether audit observation reports were completed on time, but it did not
measure by how many days a report was late. This made it difficult to get a complete
picture of how well process goals were or were not being met. It also made the tracking of
process improvement (or conversely, process degradation) over time more difficult. For
example, a team may have progressed from being several weeks late on average with a
report to being several days late on average, but this was not being captured. While in
some cases, such as deadlines required by the ROP, there would be no acceptable outer
control limit, in most other cases, upper and lower control limits should be established for
measuring process milestones and outcomes. See Recommendation MON-02.
We observed that within the Goal 1 Update report, most of the metrics were tracked
cumulatively over the year. As a result, those metrics did not show progress or decline from
month to month. Managers indicated to Crowe that this is typically because the level of
acceptability of a process deviation was determined based on the number of times that
deviation occurred within a given year. However, by focusing on measuring control limits,
as noted above, rather than the number of deviations, this cumulative tracking would not be
necessary, and NERC management would get a more complete picture of progress over
time. See Recommendation MON-02.
We observed that nearly all the processes that were monitored identified deviations from
the Processes and Procedures Manual. However, for certain processes in the functional
areas of Overseeing Regional Entity Compliance Programs and Overseeing Regional Entity
Enforcement Programs, there were not sufficient follow-up or corrective actions undertaken
when deviations were identified. For example, we observed that observation reports on
Regional Entity compliance audits were often not completed on time (see the Functional
Area Evaluation section Overseeing Compliance Activities of Regional Entities). However,
the only follow-up was to remind staff of the need to be timely. See Recommendation
MON-03.
Recommendations
MON-01 A number of the Functional Area Evaluations in this report will reference this
recommendation (that is, Recommendation Id MON-01). Our general, summary-
level recommendation referenced within the functional areas is that we
recommend that NERC Compliance consider the identification and documentation
of milestones and other goals (i.e. key performance indicators) to track and
monitor the progress of processes beyond those used for Corporate Goal #1.
Furthermore, we then recommend that NERC Compliance consider developing and
implementing a system for monitoring, measuring, and reporting on those key
performance indicators. NERC will need to allot the resources and infrastructure
necessary to implement the system.
MON-02 For all key goals that are established, and for those already being measured, we
recommend that NERC Compliance develop and implement a means for capturing
the level of deviation of each goal from its established norm (i.e. track exceptions).
For each performance metric NERC Compliance should determine how much
deviation is acceptable (in process terms this is typically referred to as “within
tolerance”) and capture those actual process results falling outside of tolerance.
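The measurement approach described in the observations above and in Recommendation MON-02 (capture how far each milestone deviates from its norm rather than a yes/no result, compare it against a tolerance that is zero for ROP-fixed deadlines, and view it per month rather than cumulatively) as an added worked example. This is illustrative code, not NERC's; the report ids, dates and the seven-day tolerance are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import mean


@dataclass(frozen=True)
class Milestone:
    """One tracked process outcome, e.g. an audit observation report (constructed)."""
    item: str
    due: date
    completed: date
    rop_deadline: bool = False  # deadlines fixed by the ROP get no tolerance at all


def days_late(m: Milestone) -> int:
    """Signed deviation from the due date in days; negative means early."""
    return (m.completed - m.due).days


def tolerance_for(m: Milestone, default_tolerance: int) -> int:
    """Upper control limit in days: zero for ROP deadlines, otherwise the agreed norm."""
    return 0 if m.rop_deadline else default_tolerance


def evaluate_by_month(milestones, default_tolerance: int):
    """Per due-month view (not cumulative): how late each item was, not just whether late."""
    by_month = defaultdict(list)
    for m in milestones:
        by_month[(m.due.year, m.due.month)].append(m)
    stats = {}
    for month in sorted(by_month):
        items = by_month[month]
        lateness = [days_late(m) for m in items]
        stats[month] = {
            "count": len(items),
            # the yes/no view the report criticises: late or not late
            "late_count": sum(1 for d in lateness if d > 0),
            # the control-limit view: how far past the due date, on average
            "mean_days_late": mean(max(d, 0) for d in lateness),
            # exceptions: results outside tolerance, to be captured and followed up
            "exceptions": [m.item for m in items
                           if days_late(m) > tolerance_for(m, default_tolerance)],
        }
    return stats


def trend(stats):
    """Month-to-month change in mean lateness; a negative value shows improvement."""
    months = sorted(stats)
    return [(months[i],
             stats[months[i]]["mean_days_late"] - stats[months[i - 1]]["mean_days_late"])
            for i in range(1, len(months))]


# Constructed sample: observation reports due in March and April; dates are illustrative only
SAMPLE = [
    Milestone("OBS-2009-01", date(2009, 3, 2), date(2009, 3, 23)),   # 21 days late
    Milestone("OBS-2009-02", date(2009, 3, 9), date(2009, 3, 23)),   # 14 days late
    Milestone("OBS-2009-03", date(2009, 3, 16), date(2009, 4, 13)),  # 28 days late
    Milestone("OBS-2009-04", date(2009, 4, 6), date(2009, 4, 9)),    # 3 days late
    Milestone("OBS-2009-05", date(2009, 4, 13), date(2009, 4, 13)),  # on time
    Milestone("OBS-2009-06", date(2009, 4, 20), date(2009, 4, 25)),  # 5 days late
    Milestone("NOP-2009-01", date(2009, 4, 27), date(2009, 4, 28),   # 1 day late, ROP deadline
              rop_deadline=True),
]

if __name__ == "__main__":
    monthly = evaluate_by_month(SAMPLE, default_tolerance=7)
    for month, s in monthly.items():
        print(month, s)
    print(trend(monthly))
```

In the sample, the yes/no view reports April as three late out of four, while the control-limit view shows only the ROP-deadline item outside tolerance and a mean lateness that fell from 21 days in March to 2.25 days in April.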
Categorization of Recommendations
Introduction
Throughout this report we have made a number of recommendations that we believe will
strengthen NERC’s execution of its compliance processes and decrease future risks of violating
the ROP, FERC Orders, and internal policies. To assist NERC Compliance in prioritizing these
recommendations, we have grouped them into five categories:
Classification of Recommendations
All recommendations in this report have been summarized and classified into the
aforementioned “recommendation categories” (i.e. categories 1 through 5) as documented in
the tables below. Each specific recommendation is referenced by its recommendation identifier
(or ID) and each category is referenced solely by its category number.
Report Section               Topic or Functional Area                    ID       Category
Overarching Observations     Recommended Changes to the Rules of         ROP-01   5
and Recommendations          Procedure                                   ROP-02   4
                                                                         ROP-03   4
                             Process Documentation Development           PPM-01   3
                                                                         PPM-02   3
                                                                         PPM-03   3
                                                                         PPM-04   4
                                                                         PPM-05   4
                                                                         PPM-06   4
                                                                         PPM-07   3
                                                                         PPM-08   4
                             Compliance Department Staffing Levels       STA-01   4
                                                                         STA-02   4
                                                                         STA-03   4
                             Resolving Issues with Other Entities        ENT-01   4
                                                                         ENT-02   4
                                                                         ENT-03   4
                                                                         ENT-04   4
                                                                         ENT-05   4
                             Monitoring and Measuring Compliance         MON-01   4
                             Processes                                   MON-02   4
                                                                         MON-03   4
                             Handling Compliance Information             INF-01   5
Because there are numerous recommendations made by this report (as evidenced by the
preceding table) spread across multiple sections or “types” (overarching, cross-functional and
functional) with multiple classifications, we provide another table below that captures all
recommendations in this report by topic (or functional area), by section and by category with a
count of the recommendations found.
* Confidential information has been removed from this public version and has been provided under separate cover to NERC management.
Introduction
NERC Compliance personnel have a number of responsibilities that are shared throughout the
Compliance Department, and in certain cases, with other departments as well. These cross-
functional areas have underlying policies or processes that are required to be followed in
performing the procedures underlying many, and in some cases, all, of the Compliance
functional areas. Through reviews of NERC Compliance’s process documentation and
discussions with management in NERC’s Compliance Department, we identified four such areas
that are cross-functional in nature:
▪ Compliance Program Confidentiality Requirements,
▪ Developing and Overseeing the Compliance Training Program,
▪ Developing and Disseminating Compliance Process Directives and Bulletins, and
▪ Processing Reliability Standards Violations.
Because these cross-functional areas are not necessarily processes, but often sets of
requirements and policies with responsibilities spread throughout the organization, we did not
evaluate them using the Process Questionnaire in Appendix II. Rather, we performed our
evaluations based on reviews of underlying policy documentation and from information
obtained during interviews with and observations of managers and staff throughout the
Compliance Department.
As noted in Appendix I, the following process makes up the Compliance Program Confidentiality
cross-functional area: “Document Management and Control” (NPP-CME-800).
As noted in Appendix I, the following process makes up the cross-functional area Developing
and Overseeing the Compliance Training Program: “Training Process” (NPP-CME-202).
Observations
While performing the agreed-upon procedures at one of the Regional Entities, we
discovered two issues with training on NERC’s end. Specifically, we found that NERC
Compliance did not ensure training had been provided to Certification Review Team
members by Regional Entities. We also found that NERC Compliance had not recorded (in a
system, a tracking sheet, or otherwise) the training that compliance auditors had taken
beyond what was recorded by the Training Department. Specifically, while performing
agreed-upon procedures at one Regional Entity, neither the NERC Training Department nor
the NERC Compliance Department could provide us with lead auditor training records for
certain auditors, although these auditors held training certifications on file at the Regional
Entity’s office. We made recommendations in those reports to provide direction regarding
corrections for these issues.
We observed that NERC’s compliance training process document (“Training Process,”
NPP-CME-202.R0) was in draft form and had not been reviewed by management. See
Overarching Recommendation PPM-02.
We observed that NERC’s compliance training process document did not fully spell out the
requirements of the training program, such as who is required to be trained and when, or
how training is to be recorded and monitored to assure that appropriate individuals have
completed their required training courses. See Recommendation TRA-01 below.
We observed that the roles as spelled out in the compliance training process document did
not always accurately reflect the division of responsibilities in practice. For example, the
document stated that the Director of Training maintains the compliance training records,
but in actuality certain records were maintained by the Compliance Department. In
addition, the document stated that the Director of Training was responsible for providing
the Compliance training. However, we have observed that some training presentations are
delivered by Compliance staff. See Recommendation TRA-02 below.
Recommendations
TRA-01 We recommend that NERC Compliance revise the “Training Process” document
to fully identify the requirements of NERC’s compliance training program,
including the basic requirements outlined in the ROP and the specific courses
that NERC has developed to satisfy those requirements. The document should
also identify who is required to be trained and when. It should also specify how
training is to be recorded and monitored to assure that appropriate individuals
have completed their required training courses.
TRA-02 With input from the Director of Training and all NERC Compliance teams that
have a stake in the training process, revise the current draft “Training Process”
document to accurately identify the roles and responsibilities for the different
aspects of the functional area, such as training development, training delivery,
and training records monitoring and maintenance. The changes should be
reviewed and approved along with the rest of the draft process document.
As noted in Appendix I, the following process makes up the cross-functional area Developing
and Disseminating Compliance Process Directives and Bulletins: “Compliance Process
Bulletins/Directives” (NPP-CME-205).
Observations
As documented in Crowe’s management letter to NERC following one of the Regional Entity
agreed-upon procedures (AUPs), Regional Entities did not have a clear understanding on
whether bulletins, letters, and other directives issued by NERC outside of the ROP were
binding on them. Therefore, we recommended that NERC Compliance develop a hierarchy
of documentation to clearly indicate required actions on the part of Regional Entities.
We observed that the roles within the “Compliance Process Bulletins/Directives” process
document were not clearly defined. For example, the document mentioned the role of the
Compliance Department in general, but it did not provide information on who was
responsible for the process. NERC Compliance staff personnel informed us that any teams
within Compliance have the authority to develop Compliance Directives and Bulletins. In
addition, under the actual process, NERC Compliance told us that an Administrative
Assistant routinely tracked Directives and Bulletins by sequential number, and assigned a
new sequential number to any new Directive or Bulletin. However, we observed that this
procedure and responsibility was not fully documented. We recommend (as we generally
have in Overarching Recommendation PPM-04) that NERC Compliance more fully
document roles and responsibilities within compliance process documentation.
Recommendations
There are no recommendations specific to this cross-functional area. As noted above,
recommendations for this area are fully covered within the overarching sections of this report and
within observations identified in previous reports to NERC Compliance.
As noted in Appendix I, the following processes make up the cross-functional area Processing
Reliability Standards Violations:
These process documents were evaluated in the Functional Area Evaluations Overseeing
Enforcement Activities of Regional Entities and Analyzing and Reporting Compliance
Information.
Observations
We observed that each Compliance team responsible for this cross functional area has
drafted its own process document covering the processing of reliability standards violations.
The Compliance Analysis, Reporting, and Tracking team documented this within the
“Compliance Data Reporting Process,” and the Enforcement and Mitigation team
documented this within its “Compliance Violations and Penalty Process.” While the
documents did not appear to have any conflicts per our observations, they did overlap and
go into varying levels of detail. To avoid potential conflicts in future iterations of the
documents, we recommend that the teams should merge the processes into one document
on which they reach mutual agreement. See Recommendation PRO-01.
The implementation of the new Compliance Reporting and Tracking System (CRATS) will
greatly affect how reliability standards violations are received, processed, and tracked. The
process documents related to this functional area should be re-examined and updated for
changes that will occur with the new system. See Overarching Recommendation INF-01.
Recommendations
PRO-01 To eliminate confusion and future conflicts, we recommend that NERC Compliance
consolidate the processes related to the processing of reliability standards
violations into a single process document. The Manager of Enforcement and
Mitigation and the Manager of Compliance Analysis, Reporting, and Tracking
should coordinate the development of this document to ensure that each team’s
processes and requirements are accurately documented, and that the teams have
a mutual understanding of how the overall process should function. The
document needs to clearly delineate the roles and responsibilities of the
respective functions.
Introduction
In addition to the four cross-functional areas, we have identified ten functional areas that are
more limited in scope, in that they each fall under the direction of one manager within the
Compliance Department. However, these functional areas encompass most of the core
processes that NERC Compliance must carry out in order to accomplish its objectives of
achieving compliance with and enforcing the reliability standards. These ten functional areas
are:
In the following ten evaluation sections we will briefly explain each of these functional areas and
we will provide observations on the execution and documentation of the processes underlying
each area. Where appropriate, we provide recommendations for improving the execution or
documentation of the processes, including any warranted changes to the Rules of Procedure
(ROP).
Our evaluations were based on our review of NERC’s process documentation and on interviews
with NERC personnel. Primarily, we posed a list of questions to the managers in charge of each
functional area, and at least one staff person on each manager’s team. The complete set of
questions asked in each interview is captured in Appendix II – Process Questionnaire.
Our observations for each functional area in many cases provide an indication of whether we
observed the criteria generally to be met, partially met, not met, or not applicable. As we
noted in the Composite Evaluation section of this report, the meaning of these relative
indicators is as follows:
Met The criterion assessed for the functional area was generally observed to
meet the expectations with respect to sufficiency, quality, and
completeness. Flaws or shortcomings that may exist do not significantly
impact the processes within the functional area to the extent that the
processes would generally fail to operate per their objective or
performance requirements.
Partially Met The criterion assessed for the functional area was generally observed to
not fully meet the expectations with respect to sufficiency, quality, and
completeness. Flaws or shortcomings that exist may impact the processes
within the functional area to the extent that the processes could fail to
fully or consistently achieve their objective or operate within performance
requirements.
Not Met The criterion assessed for the functional area was observed to not meet
expectations with respect to sufficiency, quality, and completeness.
Significant flaws or shortcomings exist which we believe impact the
processes within the functional area to the extent that the processes have
a significant likelihood of failing to fully and consistently achieve their
objective, operate within performance requirements, or operate
efficiently. With that said, it is worthwhile to note that a “not met” rating
does not mean the process or procedure is in conflict with the rules of
procedure and this rating should not be interpreted as such. The rating is
an indication that there is a higher likelihood of potential problems or
inefficiencies, not an absolute indicator that there were observations of
non-compliance.
Not Applicable The criteria for the functional area were not observed or not applicable
and therefore not assessed.
input on the annual compliance implementation plan from other people within NERC and the
Regional Entities.
As noted in Appendix I, the following processes make up the Compliance Program Planning
functional area:
We observed that the “CMEP Implementation Plan Process” document did not specify
the need for an internal review of NERC’s draft implementation plan by a manager
before submittal to outside parties for comment. Although in practice the
implementation plans were drafted with input from a number of individuals within
NERC, an overall review of the implementation plan by a manager prior to submittal to
FERC for approval will help to assure the overall quality of the draft and avoid
unnecessary errors or misunderstandings. See Recommendation IMP-01.
The “CMEP Implementation Plan Process” document did not specify any minimum
criteria that Regional Entities’ compliance implementation plans must meet in order to
receive NERC approval. Such developed criteria would provide a guide to NERC
Compliance personnel and help achieve uniformity across the regions. See Overarching
Recommendation PPM-05.
The “CMEP Implementation Plan Process” document also did not address updating
implementation plans for significant changes to the compliance program that may occur
during the year. For example, if a new standard is approved by FERC during the year,
NERC Compliance must decide whether or not the standard should be actively
monitored during the year, and whether that in turn warrants a modification to the
NERC and regional implementation plans. We observed that NERC Compliance had no
formal documented process for implementing such changes. See Recommendation
IMP-02.
Recommendations
Rec Id Recommendation
IMP-01 Modify the “CMEP Implementation Plan Process” document (NPP-CME-201.R0) to
include a requirement for management review of NERC’s implementation plan draft
prior to submitting the plan to outside entities for review.
IMP-02 Develop, document, and approve a formal process for addressing significant changes
to the compliance program that occur during the year. Include roles and
responsibilities for deciding what modifications need to be made to implementation
plans, Reliability Standard Audit Worksheets, and other impacted NERC Compliance
documents and templates, and for actually making those modifications. Include
provisions for internal management review and obtaining input from FERC, Regional
Entities, and other stakeholders.
As noted in Appendix I, the following processes make up the functional area for Overseeing
Registration of Users, Owners, and Operators of the Bulk Power System:
At the time of our data gathering, the process for registering entities was observed to be
in a state of flux. The registration process document reflected the requirements for
updating information in the manual registration system. However, NERC Compliance
was in the process of implementing the new Compliance Reporting and Tracking System
(CRATS) that will automate the process and allow regional entities to update their
information directly into the system. Once the new system is implemented, it will be
crucial that the process document is updated in order to assure that personnel are
performing the proper steps to register entities in an accurate, timely manner. See
overarching Recommendation INF-01.
Once the Registration process becomes more automated, process monitoring will be
especially critical. On one hand, the capability for running system reports will enhance
the monitoring process and make it easier to determine when key milestones have been
met. However, NERC Compliance will need to institute controls within the system to
assure that updates are accurately and completely recorded and that proper
justifications are made for significant registration changes. NERC Compliance told us
they were considering such process controls in the system, but had not yet decided
what controls will be implemented. For example, the new system will include a
comment field in which entities will record justifications for any significant changes to
their compliance status, such as changing the functions for which they are registered or
removing themselves from the compliance registry. NERC Compliance stated that they were intending
to either 1) block the submission of such changes until these justifications can be
reviewed by NERC Compliance, or 2) produce a daily report to NERC showing what
changes have been made. Because the new process will give significant control to
registered entities for directly changing their compliance status, we strongly
recommend that NERC Compliance implement the first option. See Recommendation
REG-03.
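The choice the report makes here, between a preventive control (hold the change until NERC has reviewed and approved it in the system) and a detective one (apply the change, then list it in a daily report), is a maker-checker design decision. The following is an added illustration, not code from the report or from NERC's CRATS: it models a registry that supports both designs, requires a justification for the significant changes the report names, enforces that the submitter cannot approve their own change, and records the reviewer's decision in the same audit trail. Entity names, field names, status values and the `demo()` inputs are assumptions for the example.

```python
"""Maker-checker gate for compliance-registry changes (added example).

Models the two designs contrasted in the report: preventive=True holds every
change as PENDING until a reviewer records approval in the system; preventive=False
applies the change at once and leaves it for an after-the-fact report.
"""
from dataclasses import dataclass
from itertools import count
from typing import Any, Dict, List, Optional, Set

# Fields whose change alters compliance status and therefore needs a recorded
# justification (assumption modelled on the report's examples: changing the
# registered functions, or removing the entity from the registry).
SIGNIFICANT_FIELDS = {"functions", "registered"}


class GateError(Exception):
    """Raised when a change would bypass the review control."""


@dataclass
class ChangeRequest:
    id: int
    entity: str
    field: str
    old: Any
    new: Any
    submitted_by: str
    justification: str
    status: str = "PENDING"   # PENDING | APPROVED | REJECTED | APPLIED_UNREVIEWED
    reviewed_by: Optional[str] = None


class Registry:
    def __init__(self, preventive: bool = True):
        self.preventive = preventive                   # True = block until review
        self.records: Dict[str, Dict[str, Any]] = {}   # entity -> registration fields
        self.pending: Dict[int, ChangeRequest] = {}    # changes awaiting review
        self.audit: List[ChangeRequest] = []           # append-only record of all requests
        self._ids = count(1)

    def register(self, entity: str, functions: Set[str]) -> None:
        self.records[entity] = {"functions": set(functions), "registered": True}

    def submit(self, entity: str, field: str, new: Any,
               submitted_by: str, justification: str = "") -> ChangeRequest:
        """Entity-side submission. Significant changes must carry a justification;
        under the preventive design nothing is written to the registry here."""
        record = self.records[entity]
        if field in SIGNIFICANT_FIELDS and not justification.strip():
            raise GateError(f"{field!r} change requires a justification")
        req = ChangeRequest(next(self._ids), entity, field, record[field], new,
                            submitted_by, justification)
        self.audit.append(req)
        if self.preventive:
            self.pending[req.id] = req     # held until review() records a decision
        else:
            self._apply(req)               # live immediately; only the report sees it
            req.status = "APPLIED_UNREVIEWED"
        return req

    def review(self, req_id: int, reviewer: str, approve: bool) -> ChangeRequest:
        """NERC-side decision. Separation of duties: the submitter may not review
        their own change. The reviewer and outcome are recorded in the system."""
        req = self.pending.get(req_id)
        if req is None:
            raise GateError(f"no pending request {req_id}")
        if reviewer == req.submitted_by:
            raise GateError("submitter cannot review their own change")
        del self.pending[req_id]
        req.reviewed_by = reviewer
        if approve:
            self._apply(req)
            req.status = "APPROVED"
        else:
            req.status = "REJECTED"
        return req

    def unreviewed_report(self) -> List[ChangeRequest]:
        """The after-the-fact report of the detective design: changes already live
        that nobody has reviewed."""
        return [r for r in self.audit if r.status == "APPLIED_UNREVIEWED"]

    def _apply(self, req: ChangeRequest) -> None:
        self.records[req.entity][req.field] = req.new


def demo():
    """Same two submissions under both designs; returns (gated, ungated) registries."""
    gated, ungated = Registry(preventive=True), Registry(preventive=False)
    for reg in (gated, ungated):
        reg.register("Entity A", {"BA", "TOP"})            # constructed sample entity
        # Drop a registered function, with the justification the comment field requires.
        reg.submit("Entity A", "functions", {"BA"}, "entity-a-user",
                   "TOP function transferred to Entity B on 2009-06-01")
        # Attempt to leave the registry with no justification: refused in both designs.
        try:
            reg.submit("Entity A", "registered", False, "entity-a-user")
        except GateError:
            pass
    # Only the gated registry still shows the old functions until NERC approves.
    gated.review(1, "nerc-reviewer", approve=True)
    return gated, ungated
```

In the ungated registry the function change is live the moment it is submitted, and the only trace that it was never reviewed is the entry returned by `unreviewed_report()`, which is exactly the report the recommendation warns may go unread.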
Compliance Enforcement, Registration and Certification 60
Process Evaluation Report
Recommendations
Rec Id Recommendation
REG-01 In creating a new registration process document, we recommend that NERC
Compliance includes a Purpose or Objective section that describes not only the
purpose of the document itself but also the purpose of the registration process.
REG-02 We recommend that NERC Compliance include its procedures for assuring that
compliance registry changes are properly reviewed and justified within the new
registration process document.
REG-03 In implementing the new registration software system, we recommend that NERC
Compliance include functionality for blocking submission of changes to the
compliance registry until NERC has reviewed each change and recorded its approval
within the system. This option is preferable to producing a daily report after the fact,
because a risk exists that this report may not be reviewed thoroughly enough or at all.
As noted in Appendix I, the following processes make up the functional area for Overseeing
Certification of Users, Owners, and Operators of the Bulk Power System:
We observed that the process diagram within the Certification process document
showed that Regional Entities send schedule and information requests to an entity
being certified, but the document text stated this is the NERC Certification Team Lead
responsibility. NERC Compliance confirmed that the document text was correct. See
Recommendation CER-04.
The Certification process diagram implied that all parties must agree on a
recommendation to certify an entity, but the document text implied that only a majority
opinion is needed. NERC Compliance confirmed that the text is correct, but noted that if
a Certification review involves multiple regions, the regions must agree unanimously.
See Recommendation CER-05.
Recommendations
Rec Id Recommendation
CER-01 Expedite the revision of Appendix 5 of the ROP to reflect the deletion of “Transitional
Certification” and the implementation of “Provisional Certification.”
CER-02 Document the Legal Department’s role in the “Organization Certification Appeals
Procedure” (NPP-CME-103.R0). Although for purposes of a Compliance Department
document, it is not necessary to include all the steps in the Legal Department’s own
procedure, it would be helpful for staff to have a resource for understanding Legal’s
role in the certification appeals process.
CER-03 Develop a more comprehensive training program for the Certification review process.
Topics to cover should include: the Certification policies and processes as spelled out
in the ROP and the Certification process document (NPP-ORC-002); confidentiality
and conflict of interest rules; evidence reviewed during the Certification process; the
Certification feedback process; and, lessons learned and best practices identified
during prior Certification reviews.
CER-04 Revise the diagram in the Certification process document to show that sending
schedule and information requests to an entity being certified is the responsibility of
the NERC Certification Team Lead.
CER-05 Revise the diagram and text of the Certification process document to show that only a
majority opinion is needed to certify an entity, but that if a Certification review involves
multiple regions, the regions must agree unanimously.
Entities on audits that NERC did not directly observe, and reviews of information provided by
Regional Entities pursuant to their performance of compliance audits.
As noted in Appendix I, the following processes make up the functional area for Overseeing
Compliance Activities of Regional Entities (excluding CVIs):
NERC’s ROP required that Regional Entities notify NERC about their performance of five of
the eight monitoring methods (self-certifications, self-reports, periodic data submittals,
exception reports, and spot checks) only if the Regional Entity has identified a possible
violation. At that point the process would be in the enforcement phase.[2] We observed that
the Director of Regional Operations had the ability to review Regional Entities’ performance
of their responsibilities related to these methods “after the fact” (discussed in the functional
area evaluation “Review Of RE Compliance And Enforcement Programs”), but NERC
Compliance had no process for directly overseeing these methods prior to the enforcement
phase and lacked real-time visibility of the Regional Entities’ performance in these areas. In
a prior consulting report, we recommended that NERC Compliance revise the ROP to allow
for more direct oversight in these areas. See Overarching Recommendation ROP-01. If
NERC Compliance changes its ROP to reflect this, it will also need to establish processes and
responsibilities for accomplishing these oversight objectives. See Recommendation COM-
03.
[2] NERC had been heavily involved in monitoring self certifications and spot checks related to the critical
infrastructure protection (CIP) standards. However, NERC management was not sure how long this would be a
continuing effort on NERC’s part, because the process had not been fully negotiated between NERC and the
Regional Entities.
We observed that NERC Compliance only reviewed the compliance audit reports for
conformance to the Audit Report Template, which we observed to be primarily a document
indicating what types of information need to be in an audit report. Unless the audit was
one that NERC Compliance was directly observing, or one of the eight audits that
NERC Compliance was reviewing as part of its three-year assessment, NERC Compliance
stated that they did not evaluate whether the evidence presented in the audit report supported
the validity of the Regional Entity’s findings. See Recommendation COM-04.
We observed no method for tracking the status of Regional Entity compliance audits; as a
result, NERC Compliance did not know where Regional Entities were in their auditing
process until NERC Compliance received a final audit report. In addition,
NERC Compliance did not track whether scheduled audits took place or whether the
Regional Entity’s audit schedules met the requirements of the ROP that Balancing
Authorities, Transmission Operators, and Reliability Coordinators receive an audit at least
every three years. See Recommendation COM-05.
We observed that NERC Compliance had no formalized process for implementing changes to
reliability standards or other NERC Compliance directives within the Reliability Standard
Audit Worksheets (RSAWs), the standard working papers that were being used to record
findings and determinations of compliance with reliability standards on an audit.
Stakeholders have addressed with NERC Compliance the need to update the RSAWs in a
timely manner. See Recommendation COM-06.
NERC Compliance noted that their view of the audit observer role differed somewhat from
FERC’s. This was because NERC Compliance believed the observer should be watching and
recording how Regional Entities conduct an audit, and should not participate in the auditing
process or provide real-time advice to the Regional Entity. FERC audit observers, however,
tended to take a more active role in the process. This has led to some potentially confusing
situations for Regional Entities, especially when both NERC and FERC were observing an
audit. NERC Compliance stated that they were working with FERC to provide better
explanations of the roles of NERC and FERC observers on a Regional Entity’s audit.
Recommendations
Rec Id Recommendation
COM-01 Document the role of a NERC observer on a Regional Entity audit. Specify what
activities the observer must perform while onsite and what activities must not be
performed onsite. Document this role within the process document “Observation of
Regional Entity-led Compliance Audits” (NPP-CME-400.R0).
COM-02 Decrease the reliance on direct observations as the primary method for monitoring
Regional Entity compliance audits. Develop a risk-based approach for assessing which
audits should be monitored by observation and which should be monitored by other
methods, such as spot checking, self certifications, or more in-depth reviews of
compliance audit reports and the evidence presented within them.
COM-03 Implement and document processes to allow for more direct oversight of the
following Regional Entity monitoring methods: spot checks, self certifications,
periodic data submittals, self reports, and exception reports. Include as part of the
process a requirement for Regional Entities to periodically report the status of these
methods even when no violation has been identified. In addition, include monitoring
procedures, such as spot checks, for NERC Compliance to perform to assess Regional
Entity compliance with the ROP in these areas.
COM-04 Develop and implement procedures for reviews of compliance audit reports that
include an evaluation of the evidence and conclusions within the report as well as
conformance to the Audit Report template. Include a risk-based process for
determining which audit reports will undergo this more in-depth review and how
often a Regional Entity’s reports will undergo such a review (e.g., yearly spot checks
plus one major review every three years during the Regional Entity audit). In keeping
with Recommendation COM-03, consider substituting some audit observations with
this review.
COM-05 Develop and implement a process to monitor the status of planned and ongoing
Regional Entity compliance audits, through the point that a final non-public audit
report is issued. Include requirements for Regional Entities to periodically report the
status of their compliance audits to NERC and to certify that audits were scheduled
according to the requirements of the ROP.
COM-06 Develop a formal process for implementing changes to reliability standards and new
NERC directives within the Reliability Standard Audit Worksheets (RSAWs). Include
timelines within this process that will be monitored to ensure that Regional Entities
are using the most up-to-date information to perform their compliance audits.
When Regional Entities identify possible violations of reliability standards through their eight
compliance monitoring methods, they must notify NERC of this and keep NERC informed of the
progress of the enforcement and mitigation of the violation. NERC in turn is delegated various
oversight responsibilities during this process. For example, NERC is responsible for reviewing
and approving mitigation plans, enforcement actions and settlement agreements from Regional
Entities. The Manager of Enforcement and Mitigation at NERC and his staff have primary
responsibility for carrying out these functions.
As noted in Appendix I, the following processes make up the functional area for Overseeing
Enforcement Activities of Regional Entities:
We observed that the process documents that had been developed for this functional area
were in draft form and had not been reviewed by management. See Overarching
Recommendation PPM-02.
Although the ROP required that NERC be provided with copies of Notices of Alleged
Violation and Penalty and Sanction (NAVAPS), the ROP did not require that NERC review the
NAVAPS. The ROP also did not give NERC sign-off authority at this stage. We further
observed that the ROP did not require NERC review of alleged violations and penalties until
the violation has gone through the Regional Entity’s full due process and the violation has
either been confirmed or settled on. We observed that this was often months after a
violation was first identified and came after considerable negotiations and information
exchanges had already occurred between the Regional Entity and the Registered Entity that
violated the standard. Often, once they received a Notice of Confirmed Violation (NOCV) or
settlement agreement, NERC would find significant issues with the documents that must be
resolved before they can approve them and file a Notice of Penalty with FERC. Many of the
same issues, such as inconsistent dates and improper categorization of a violation as a
documentation issue rather than a failure to perform, recurred across the Regional
Entities. Resolving them then involved considerable back and forth between NERC and the
Regional Entity. Much of this could be prevented if the ROP allowed for NERC involvement
earlier in the process. See Recommendation ENF-03.
Recommendations
Rec Id Recommendation
ENF-01 Revise the process documents related to NERC’s oversight of Regional Entities’
enforcement programs to specify the objectives of the processes themselves.
ENF-02 Consolidate the review and approval of settlements process noted in the documents
“Compliance Violation and Penalty Process” (NPP-CME-501.R0) and “Review and
Approval of Settlements” (NPP-CME-502.R0) into one document. Ensure that the
document accurately and fully reflects the settlement review process, including the
role of the NERC BOTCC.
ENF-03 Revise the ROP to allow for NERC involvement in reviewing violations, penalties, and
sanctions prior to the Notice of Penalty stage.
ENF-04 Provide a copy of the “Compliance Violation and Penalty Process” (NPP-CME-501)
document to the Compliance Analysis, Reporting, and Tracking team for review, to
ensure that their role in the process is captured accurately and clearly.
As noted in Appendix I, the following processes make up the functional area for Analyzing and
Reporting Compliance Information:
Analyzing and Reporting Compliance Information – Functional Area Criteria and Observations
Recommendations
Rec Id Recommendation
REP-01 Provide Compliance Reporting, Analysis, and Tracking staff with copies of the process
documents related to Analyzing and Reporting Compliance Information. Obtain input
from staff members on the processes as documented.
REP-02 Identify key milestones and deadlines within the processes related to Analyzing and
Reporting Compliance Information. Develop a mechanism for measuring and tracking
these key milestones and deadlines, and develop goals and acceptable ranges for
meeting them. Report results to NERC management. In addition, develop a plan for
addressing goals that are not met within the acceptable range.
REP-03 Revise the “Data Management, Evaluation, and Analysis Process” (NPP-CME-700.R0)
to be more process-oriented. Establish specific roles and responsibilities and key
milestones, such as deadlines, within the process to help track progress and ensure
that the process is followed.
As noted in Appendix I, the following processes make up the functional area for Conducting
Reviews of Regional Entities Compliance and Enforcement Programs:
Registered Entities’ mitigation plans that were approved by Regional Entities. Because of
how these procedures were written, they appeared to overlap with the normal duties of the
Enforcement and Mitigation team, which NERC Compliance has charged with reviewing
mitigation plans for conformance to the CMEP, including determining whether the actions
specified in those plans would actually mitigate the alleged violation. However, the spot
check process was not designed to review the mitigation plans for adequacy, but rather it
was designed to examine whether the Registered Entity actually followed through on the
actions in its mitigation plan. To provide a more accurate guide to staff performing spot
checks, NERC Compliance should revise Attachment 1 of the “RE Spot Check Process.” See
Recommendation REV-03.
Recommendations
Rec Id Recommendation
REV-01 Revise the document “NERC Audit of Regional Entity Adherence to the CMEP” (NPP-
CME-404) to accurately reflect how the process is performed in practice, including:
Specify that some of the agreed-upon procedures may be performed by NERC
Compliance staff as agreed to with the BOTCC and FERC.
Include a provision to allow for changes to the external auditor team, as long
as NERC and the Regional Entity approve the change and the auditors have
submitted the requisite non-disclosure agreements, work histories, and
conflict of interest statements prior to working on the engagement.
Include a provision for the external audit team to prepare management
letters to the Regional Entity and NERC, when items are identified that are
not exceptions to the agreed-upon procedures, but should be changed in
either entity’s compliance program.
Delete the requirement for a formal team meeting fourteen days prior to the
performing the agreed-upon procedures to discuss the completeness of
information provided by the Regional Entity. Instead, specify that NERC and
the external auditor will review the items requested pursuant to the sampling
procedures for completeness within a certain time after the information is
provided by the Regional Entity.
REV-02 Develop a training program on NERC’s process for auditing Regional Entities. Include
details on how the process is carried out, such as the definition of agreed-upon
procedures, and which agreed-upon procedures are typically performed at Regional
Entities. Also, include any best practices and lessons learned from the first round of
Regional Entity audits.
REV-03 Revise the procedures from Attachment 1 of the “RE Spot Check Process” that
requires the spot check team to “review Mitigation Plans for appropriate content as
required by the CMEP” to more accurately reflect how the Compliance Audit Group
reviews completed mitigation plans as part of a spot check.
Before initiating a CVI, NERC or a Regional Entity may perform a Compliance Inquiry, which is a
smaller scale review to determine if enough evidence exists to warrant a full CVI.
As noted in Appendix I, the following processes make up the functional area for NERC
Involvement in Compliance Inquiries and Compliance Violation Investigations:
In addition to the observations noted in the evaluations above, we observed the following:
Except for the document “Evidence Handling,” the process documents that had been
developed for this functional area were in draft form and had not been reviewed by
management. See Overarching Recommendation PPM-02.
NERC noted significant concerns with the quality of CVIs performed by Regional Entities,
stating that they have found a majority of Regional Entity-led CVIs to be deficient in some
way. NERC noted that the Regional Entities do have in place regional level processes
and methodology for conducting CVIs, but the Regional Entities are not consistent in
their method for performing CVIs. It is NERC’s observation that the Regional Entities
often assign investigations lower priority than other items such as compliance audits
and spot checks. They also noted that the Regional Entities’ staff lack experience in
investigation methodology and project management and they do not have the legal
resources to support CVIs. NERC provided CVI training to the Regional Entities, but the
Manager of Compliance Violation Investigations has noted that the Regional Entities are
so far from having a solid CVI program that he has recommended that all CVIs be
centralized under NERC. See Overarching Recommendations ENT-01, ENT-02, and ENT-
03.
Recommendations
Rec Id Recommendation
CVI-01 Add a section on Compliance Inquiries to the ROP / CMEP. Ensure that the
Compliance Inquiry Rules of Procedure align with the approved “Compliance Inquiry
Process” document (NPP-CME-300).
CVI-02 Add language to the “Compliance Violation Investigation Process” document (NPP-
CME-302) to more specifically describe a new role for a NERC single point of contact
when a Regional Entity-led CVI is in progress. Specify what the NERC staff’s duties are
(such as obtaining weekly updates from the Regional Entity, and reviewing all
Regional Entity correspondence) and what NERC is not required to do (attend site
visits, e.g.). Also, specify what obligations the Regional Entities have for providing
documentation and other materials to the NERC single point of contact.
CVI-03 Delete language in the “Compliance Violation Investigation Process” document (NPP-
CME-302) and the “Compliance Inquiry Process” document (NPP-CME-300) which
refers to the processes as “suggested guidelines” or “guidelines.” Replace this
language with “process requirements” or similar phrasing.
NERC maintains a telephone hotline and a website for receiving complaints from the public
related to the reliability of the bulk power system. Regional Entities may also forward
complaints that they have received to NERC for processing. The telephone hotline (and
corresponding voice mail box) is monitored at least daily by an Administrative staff member,
and the website is monitored at least daily for complaints by the Manager of Compliance
Violation Investigations or his designee. NERC, at its discretion, will forward a complaint to the
appropriate Regional Entity for review, unless the complaint is related to a Regional Entity or its
affiliates, the Regional Entity determines it cannot conduct the review, or the complainant
requests anonymity or specifically requests NERC to conduct the review of the complaint. In
such cases, NERC’s Manager of Compliance Violation Investigations is responsible for ensuring
that the complaint is reviewed by NERC.
As noted in Appendix I, the following process makes up the functional area for Handling
Complaints: “Complaint Process” (NPP-CME-301)
In addition, we made the following observation about the complaint handling process:
Recommendations
At the time of our information gathering, NERC had not fully assumed its CEA responsibilities. At
that time, only one of the three registered Regional Entities had signed an agreement for NERC
to perform the applicable CEA functions. For the other two Regional Entities, no agreement had
been signed, so it was not yet clear which of the monitoring methods NERC would be obligated
to perform at those entities. However, NERC was moving forward with the CEA function, and
had begun processing some self-reported violations, had sent requests for self-certifications,
and was planning to perform its first reliability standard compliance audit of a registered
function of a Regional Entity in October 2009.
As noted in Appendix I, the following processes make up the functional area for NERC
Compliance Enforcement Authority Responsibilities:
We observed that the process documents that had been developed for this functional
area were currently in draft form and had not been reviewed by management. See
Overarching Recommendation PPM-02.
Recommendations
Rec Id Recommendation
CEA-01 Revise or create process documents to fully record the processes, roles, and
responsibilities for handling the enforcement of violations identified by NERC in the
course of its role as a CEA. Because both the Organization Registration and
Certification and Enforcement and Mitigation teams have roles in this process, the
Manager of Organization Registration and Certification and the Manager of
Enforcement and Mitigation should coordinate the drafting of these processes to
ensure agreement among the assignment of roles and responsibilities between the
teams.
CEA-02 Revise the following errors that were identified in the process documents in the
functional area NERC CEA Responsibilities:
In the “Registered Entity Audit Process Procedure” (NPP-CME-602),
step 4.3.a stated: “The MORC will forward the Public Audit Report to
the MORC for final processing.” The step should state: “The MORC
will forward the Public Audit Report to the Vice President and
Director of Compliance for final processing.”
In the “Registered Entity Audit Process Procedure” (NPP-CME-602),
step 4.3.h stated: “The AA [Administrative Assistant] will process the
Non-Public Audit Report to ... Redact all confidential, privileged,
and/or critical energy infrastructure information...” The step should
state: “The MORC, or his designee, will process the Non-Public Audit
Report to...and will forward the report to the AA.”
In the “Registered Entity Audit Process Procedure” (NPP-CME-602),
step 4.3.j stated: “The MORC will endorse the report as being the
approved Public Audit Report and will forward the approved report to
the MORC.” The step should state: “The MORC will endorse the
report as being the approved Public Audit Report and will forward the
approved report to the Vice President and Director of Compliance.”
In the “Mitigation Plan Procedure” (NPP-CME-605), step 4.1.a stated:
“A registered entity found to be in violation of a reliability standard
shall file a mitigation plan with NERC.” The step should state: “A
registered entity that NERC found to be in violation of a reliability
standard shall file a mitigation plan with NERC.”
In the “Mitigation Plan Procedure” (NPP-CME-605), the Note on page
8 stated: “If the mitigation plan was submitted via the portal, the
SPOC will contact the SPOC and request them to unlock the form to
allow editing by the entity.” This should state: “If the mitigation plan
was submitted via the portal, the NERC SPOC will contact the
Registered Entity’s SPOC and request them to unlock the form to
allow editing by the entity.”
CEA-03 Develop a comprehensive plan for monitoring NERC’s performance of its CEA duties in
compliance, enforcement, and mitigation. Establish key milestones to track and
report. Include oversight involvement by the Regional Operations team.
CEA-04 Consolidate the documents “Mitigation Plan Procedure” (NPP-CME-605) and
“Mitigation Process – NERC CEA” (NPP-CME-504) into one process document with
roles and responsibilities split appropriately between the Organization Registration
and Certification team and the Enforcement and Mitigation team. Assign the primary
role for interaction with the Regional Entity to the Organization Registration and
Certification team with oversight by the Enforcement and Mitigation team. Also,
assign interactions with FERC to the Enforcement and Mitigation team.
CEA-05 Consolidate the NERC Compliance Enforcement Authority functions noted in the
documents “Remedial Action Process” (NPP-CME-500) and “Remedial Action Directive
Procedure - CEA (NPP-CME-611) into one process document with roles and
responsibilities split appropriately between the Organization Registration and
Certification team and the Enforcement and Mitigation team. Assign the primary role
for interaction with the Regional Entity to the Organization Registration and
Certification team with oversight by the Enforcement and Mitigation team. Also,
assign interactions with FERC to the Enforcement and Mitigation team.
CMEP Process Evaluation Report 114
Area | Process document | Responsible staff | ROP / CMEP reference
1 - Following compliance program confidentiality requirements | NPP-CME-800 Document Management and Control | Mike DeLaura (and Kate Calla) | ROP 402.8; ROP 404.3; ROP 1500; CMEP 9.0
2 - Developing and overseeing the compliance training program | NPP-CME-202 Training Process | Joel deJesus | ROP 402.9
3 - Developing and Disseminating Compliance Process Directives and Bulletins | NPP-CME-205 Compliance Process Bulletins/Directives | Joel deJesus | None
FUNCTIONAL AREAS:
1 - Compliance Program Planning | NPP-CME-200 CMEP Development and Maintenance Process | Dave Hilt | ROP 401.1
  | NPP-CME-201 CMEP Implementation Plan Process | Joel deJesus | ROP 402.1.1; CMEP 4.0
  | NPP-CME-204 Monitoring and Facilitating Effectiveness of the CMEP | Dave Hilt | ROP 402; ROP 404
2 - Overseeing registration of users, owners, and operators of the BPS | NPP-CME-100 Organization Registration Process | Craig Lawrence | ROP 500; ROP Appx 5
  | NPP-CME-102 Organization Registration Appeals Procedure | Craig Lawrence | ROP 500; ROP Appx 5
3 - Overseeing certification of users, owners, and operators of the BPS | NPP-CME-101 Organization Certification Process Procedure | Craig Lawrence | ROP 500; ROP Appx 5
  | NPP-CME-103 Organization Certification Appeals Procedure | Craig Lawrence | ROP 500; ROP Appx 5
4 - Overseeing the compliance activities of Regional Entities (excluding CVIs) | NPP-CME-400 Observation of Regional Entity-led Compliance Audits | Joel deJesus | CMEP 3.1.5
  | NPP-CME-401 Regional Entity-led Compliance Audit Process | Joel deJesus | CMEP 3.1.6
www.crowehorwath.com
10 - NERC Compliance Enforcement Authority responsibilities (excluding conducting CVIs) | NPP-CME-602 Registered Entity Audit Process Procedure | Craig Lawrence | CMEP 3.1
  | NPP-CME-603 Self-Report Procedure | Craig Lawrence | CMEP 3.5
  | NPP-CME-604 Spot Check Procedure | Craig Lawrence | CMEP 3.3
  | NPP-CME-605 Mitigation Plan Procedure | Craig Lawrence | CMEP 6.0
  | NPP-CME-606 Self-Certification Procedure | Craig Lawrence | CMEP 3.2
  | NPP-CME-607 Data Reporting and Disclosure Procedure | Craig Lawrence | CMEP 8.0
  | NPP-CME-608 Exception Reporting Procedure | Craig Lawrence | CMEP 3.7
  | NPP-CME-609 Periodic Data Submittal Procedure | Craig Lawrence | CMEP 3.6
  | NPP-CME-610 Implementation and Tracking Procedure | Craig Lawrence | CMEP 5.1; CMEP 6.0; CMEP 7.0
  | NPP-CME-611 Remedial Action Directive Procedure - CEA | Craig Lawrence | CMEP 7.0
In developing the agreed-upon procedures, we identified several key areas in which NERC’s
policies and processes for monitoring Regional Entity compliance could be improved. We
developed recommendations to address these areas of improvement. The details of each
condition identified and related recommendations are listed below.
A. Condition: The NERC Rules of Procedure and related appendices lack policies to
address certain key objectives.
o Data Security - NERC has not provided the Regional Entities any specific minimum
standards for maintaining data security.
o Timelines for Notifying NERC - Although the Rules of Procedure specify that
Regional Entities must notify NERC of the following situations, the Rules of
Procedure and related appendices do not specify time requirements for doing so:
The initiation and outcome of a hearing
Conclusion of a settlement proceeding
Receipt of certification applications
Initiation of an unscheduled compliance audit
Results of a compliance violation investigation, if the investigation did not
substantiate an alleged violation
Results of complaints to Regional Entities from third parties, if the Regional
Entity did not initiate a compliance violation investigation as a result
Receipt of anonymous complaints
Verification that a registered entity completed its mitigation plan
o Use of Terms Such as “Guidelines” - The Rules of Procedure contain several references to NERC “guidance,” “guidelines,” or “procedures,” implying that these are not required actions. However, in practice, these are policies that NERC requires
Regional Entities to follow. For example, Rule of Procedure 403.10.2 states that
“When requested, the RE shall report promptly to NERC in accordance with NERC
procedures.” Also, Appendix 4B to the Rules of Procedure is titled “ERO Sanctions
Guidelines.” Further, Section 3.1.1 of Appendix 4C to the Rules of Procedure states,
“The audit team follows NERC audit guidelines in the implementation of the
Compliance Audit.”
o COI Statements - The Rules of Procedure and associated appendices do not specify a
requirement for compliance program participants to sign conflict of interest
statements, but NERC does require this in practice (ROP 400 line 52).
o 48 Hour Reporting - Section 408.1.1 of the Rules of Procedure and Section 8.0 of
Appendix 4C to the Rules of Procedure specify that Regional Entities must report
violations of certain specifically identified reliability standards within 48 hours.
However, NERC’s 2008 practice allowed for reporting of such violations within 2
business days. Per its implementation plan, in 2009 NERC decided not to specify any
standards that require 48 hour reporting.
o Notices of Violation – NERC’s use of terms regarding notices of violation in its policies is not consistent with its use of those terms in practice. For example, NERC’s definition of an “initial notice of violation” differs between its policy and its practice.
Section 5.1 of Appendix 4C to the Rules of Procedure describes an “initial notice of
Alleged Violation” as an optional notice that NERC or the Regional Entities can send
to Registered Entities informing them that they may have committed a violation.
However, in NERC’s actual practice, an “initial notice of Alleged Violation” (also
o Use of Term “Appeals” - Regarding the entity registration and certification processes,
Section 504 of the Rules of Procedure states, “Each regional entity with delegated
responsibilities shall establish and maintain a fair, independent, and
nondiscriminatory appeals process.” In addition, Section 7.0 of Appendix 4C to the
Rules of Procedure states: “Notice to contest the Remedial Action Directive and
participation in the hearing process set forth in Section 1.9 of Attachment 2, Hearing
Process shall constitute the Registered Entity’s right to appeal the Remedial Action
Directive.” However, NERC only intends to use the term “appeal” to refer to a
challenge brought before NERC. The term NERC uses to refer to a challenge
brought before a Regional Entity is a “hearing.”
o Monthly and Quarterly Registered Entity Reporting - The regional entity compliance
schedule in NERC’s implementation plan requires regional entities to review monthly
and quarterly reports from registered entities. These types of reports are separate
from and not included with the data required to be submitted by registered entities
and reviewed by regional entities under Section 3.0 of Appendix 4C to the Rules of
Procedure.
NERC, to FERC. However, in practice, regional entities first review and approve a
mitigation plan, then submit it to NERC for further review.
o Difference in NERC Tool and Appendix to the ROP - Confidential information has
been removed from this public version and has been provided under separate cover to
NERC management.
The NERC Rules of Procedure and its associated appendices contain several instances of
information that is repeated in different sections of the document. Having redundant
information within the Rules of Procedure is not necessarily a shortcoming of the
document. For example, certain policies, such as the requirement for Regional Entities to
notify NERC of alleged violations, apply in various compliance situations, and it may be
easier for a reader to have that policy within the section of interest to him or her, rather
than having to follow a reference to a different part of the document. However, an excess
of repeated information can make the document difficult for NERC to manage. In
particular, if NERC chooses to amend a certain policy, it will have to ensure that all
references to that policy within the Rules of Procedure and its associated appendices are
updated.
o Data Confidentiality - The following sections in the Rules of Procedure all specify policies for maintaining the confidentiality of information, such as requirements for compliance program participants to have confidentiality agreements and policies for redacting critical infrastructure information: Sections 402.3, 402.8, 403.6.4, 403.7.4, 403.14 (which is specific to compliance audits and compliance violation investigations), 403.16, 408.3 (which is specific to NERC), 408.6.2, and 1500. In addition, Sections 3.1.5 and 3.1.6 of Appendix 4C to the Rules of Procedure specify requirements in the area of confidentiality related to the performance of compliance audits. Section 9.0 of Appendix 4C to the Rules of Procedure also encompasses data confidentiality requirements.
o Audit Training - Requirements for the completion of compliance audit training are addressed in Section 402.9 of the Rules of Procedure and in Section 3.1.5 of Appendix 4C to the Rules of Procedure. Further requirements for industry experts and Regional Entity members to attend compliance audit training are noted in Section 403.7.5 of the Rules of Procedure.
o Mitigation Plans - Rules of Procedure Sections 403.10.4 and 403.18, and Section 6.0 of Appendix 4C to the Rules of Procedure, list policies for the submission and review of mitigation plans.
o Settlements - Section 403.19 of the Rules of Procedure, Sections 3.2 through 3.4 of Appendix 4B to the Rules of Procedure, and Section 5.4 of Appendix 4C to the Rules of Procedure all provide policies related to the conduct of settlements.
o Hearings - Sections 403.4, 403.20, and 407.3 of the Rules of Procedure, along with Sections 5.2 and 5.3 of, and Attachment 2 to, Appendix 4C to the Rules of Procedure, provide policies related to the hearing process.
o Registration and Certification - Section 500 of the Rules of Procedure, Section 2.0 of Appendix 4C to the Rules of Procedure, and Appendix 5 to the Rules of Procedure all provide policies for the registration and certification of bulk power system entities.
o The “CMEP goals,” which the ROP states Regional Entities are required to meet, are
not specified or described. (ROP 401.4)
o There are no standards on how to assess whether bulk power system owners,
operators, and users are given a “reasonable opportunity” to demonstrate that
information is confidential before a report becomes public. (ROP 408.3.1)
o What constitutes the “entire record” surrounding a notice of appeal is not defined.
(ROP 410.3)
o The specific “NERC requirements” for maintaining work papers and other
documentation associated with a compliance audit are not identified. (ROP Appendix
4C, section 3.1.6)
We identified two instances of inconsistent wording within the Rules of Procedure and
related appendices themselves. The inconsistent wording could complicate NERC’s
ability to hold Regional Entities accountable to the required policy. These instances also
illustrate the potential pitfalls that could occur when a policy is included in more than one
section of the Rules of Procedure.
stricter, specifying that compliance program records must be retained for the longer
of 5 years or the requirements of the Reliability Standard or Applicable Governmental
Authority.
o Implementation Plan Deadline - Section 403.21 of the Rules of Procedure requires the
Regional Entities to submit an annual compliance enforcement implementation plan
“generally on or about November 1 of the preceding year.” However, Section 4.2 of
Appendix 4C to the Rules of Procedure requires submission of the annual
implementation plan, “By November 1 of each year.”
The following excerpt includes those observations and recommendations made to NERC to
revise the Rules of Procedure from a recently completed Agreed-Upon Procedures project for
one of the regional entities.
Note: The following excerpt includes only those observations and recommendations made to
NERC to revise the Rules of Procedure. Recommendations to NERC also resulted from the
agreed-upon procedures performed at other regional entities; however, none of these
recommendations involved changes to the ROP.
VIOLATIONS LANGUAGE
Observation: Language related to "violations" in the ROP and CMEP is not clear and often not consistent. For example, throughout the ROP, NERC uses the term "alleged" violation to refer to potential violations regardless of whether a Notice of Alleged Violation and Penalty and Sanction has been issued.
Recommendation: We recommend that NERC review the ROP and CMEP to ensure that language related to violations is applied consistently and refers distinctly to the levels of violations (e.g., possible, alleged, confirmed) that NERC has recognized.
DATA RETENTION
Recommendation: We recommend that NERC change the reference from 400.7.5 to 403.7.5.
Currently, the CMEP uses the term “may,” which may imply that these steps are optional.
Observation: NERC’s policies do not specify the means by which Regional Entities are to report information to NERC and other entities. For example, NERC’s policies do not require that Regional Entities use the NERC Workbook for reporting violations, or even require Regional Entities to report all the information that is captured in the Workbook. In addition, NERC uses the term “Initial Notice of Alleged Violation” to refer to the notice it sends to FERC when a determination of an alleged violation is made. NERC’s policies do not reference the INAV letter that Regional Entities send to Registered Entities when a violation is identified.
Recommendation: We recommend that NERC clarify in its policies whether and when specific reporting templates are required to be followed.