
July 16, 2014, Mr. John A. Anderson, Chair, NERC Member Representatives Committee, c/o ... (PDF)

147 pages · 2014 · 3.57 MB · English

Fred W. Gorbet, Chair, Board of Trustees

July 16, 2014

Mr. John A. Anderson, Chair
NERC Member Representatives Committee
c/o Electricity Consumers Resource Council
1111 19th Street, NW, Suite 700
Washington, DC 20036

Re: August 2014 Policy Input to NERC Board of Trustees

Dear John:

I would like to invite the Member Representatives Committee (MRC) to provide policy input on four issues of particular interest to the Board of Trustees (Board) as it prepares for the meetings on August 13-14, 2014, in Vancouver, BC. Enclosed with this request is additional background information to help MRC members solicit inputs from their respective sectors. The four issues are:

Item 1: Reliability Assurance Initiative (RAI)

The goal of RAI is to fully implement a risk-based compliance monitoring and enforcement program. Partnering with industry, the ERO Enterprise executed a series of pilots to test and implement activities and approaches to support risk-based methods and evaluated the results of the pilots. Since the completion of the pilots, activities continue to document the processes and procedures as well as expand the use of select tools and techniques to additional Registered Entities. The ERO Enterprise is currently finalizing the documentation to complete a single design for the four modules outlined in the Compliance Oversight Framework (Framework): risk elements, inherent risk assessment (IRA), internal controls evaluation, and compliance monitoring and enforcement tools.

Following the Board meeting in May, the ERO Enterprise worked on developing the IRA Guide (see Attachment A). The IRA Guide describes the process used to assess inherent risk of Registered Entities by the Regions and serves as a guide for implementing and performing an IRA. The MRC is encouraged to provide feedback on the draft IRA Guide. Specifically, the Board requests input on the following questions:

1. Do you agree with the process design of the draft IRA Guide to appropriately scope oversight? Are there areas for enhancement in the draft IRA Guide that would address specific concerns (please provide examples)?
2. What additional information or examples would help demonstrate the processes outlined in the draft IRA Guide?
3. What types of training and information on the draft IRA Guide would be beneficial to support clear communication and expectations between the CEA and registered entity for gathering and assessing data pertinent to risk?
4. Are there any other considerations not identified in the draft IRA Guide that you believe need to be addressed?

3353 Peachtree Road NE, Suite 600, North Tower, Atlanta, GA 30326 | 404-446-2560 | www.nerc.com

Item 2: Risk-Based Registration Initiative

The July 16, 2014 MRC Informational Session agenda materials included an update on the Risk-Based Registration (RBR) Initiative launched in 2014 (see Agenda Item 4b), focused on reviewing the current registration criteria and practices to ensure the right entities are subject to the right set of applicable Reliability Standards, using a consistent and common approach to risk assessment and registration across the ERO Enterprise. NERC established a RBR Advisory Group (RBRAG) to provide input and advice for the RBR design and implementation plan. The RBRAG is comprised of representatives from NERC staff, Regional Entity staff, and Federal Energy Regulatory Commission staff, along with U.S. and Canadian industry representatives. An RBRAG technical task force has also been formed to provide technical support.

In June 2014, NERC posted drafts of the RBR design and implementation plan, NERC Rules of Procedure (ROP) Appendix 5B, and specific questions focused on key areas of the draft design for public comment. Approximately fifty sets of comments were received. These comments have been reviewed with the RBRAG technical task force and considered in the revisions of the draft design, implementation plan, and ROP Appendix 5B, which are included in this MRC policy input package.

The MRC is encouraged to provide feedback on these draft documents (see Attachments B and C), addressing the following questions:

1. Are there any additional issues that should be considered when completing the technical assessments needed to measure the potential risks to Bulk Electric System reliability from the proposed reforms?
2. Do you agree with the proposed design of the RBR program? Are there areas for enhancement that would address specific concerns?
3. Do the implementation plan and ROP revisions provide a clear and concise plan toward implementation of the proposed design?
4. Are there additional venues or mechanisms that NERC should consider to communicate the details of the proposed design and implementation plan?
5. Are there any other considerations not identified in the draft design framework that you believe need to be addressed in this initiative?

The RBR design, implementation plan, and ROP enhancements, which are part of the Phase 1 RBR effort, will be included in the MRC agenda for discussion at the August 2014 meeting. With the additional contributions provided by this policy input and discussions at the next MRC meeting, the refined version of these documents will subsequently be posted for an additional 45-day period for industry comment. The final drafts will be brought to the Board at its November 2014 meeting for approval. Separate efforts regarding sub-set lists of applicable Reliability Standards for Transmission Owners/Transmission Operators and Generator Owners/Generator Operators will be addressed in Phase 2. Functional registration categories that are not changing as part of Phase 1 of RBR also will be re-evaluated. Further information on Phase 2 will be provided at the November 2014 Board meeting.

Item 3: Critical Infrastructure Protection (CIP) Version 5 Transition

The July 16, 2014 MRC Informational Session agenda materials included an update on the CIP Version 5 transition (see Agenda Item 4c). In the context of CIP Version 5 transition activities, the Board would appreciate feedback from the MRC on issues or concerns regarding the transition to CIP Version 5. NERC, the Regional Entities, and the industry share a common vision of a smooth transition to CIP Version 5 in a manner that does not result in an unexpected, large volume of possible violations. NERC is currently assessing input from the Implementation Study and industry comments to the draft guidance documents. Further, a working group made up of NERC staff, Regional Entities, study participants, and other stakeholders has been created and will meet monthly to address emerging questions and issues regarding the transition to CIP Version 5. The background document included in the MRC Informational Session agenda identifies the ongoing activities that have been completed to date and provides an overview of proposed next steps in managing the transition, which may include development of supporting documents approved under section 11 of the Standard Processes Manual.

Specifically, the Board seeks input from the MRC on steps that NERC and the Regional Entities can take to enhance the effectiveness of their transition guidance and coordination efforts to provide stakeholders increased confidence that their CIP Version 5 transition efforts and activities are meeting implementation expectations. Similarly, please provide input on what activities and resources you view as most useful to achieving confidence in entities' transition efforts.

Item 4: Cybersecurity Risk Information Sharing Program (CRISP)

The July 16, 2014 MRC Informational Session agenda materials included an update on CRISP (see Agenda Item 4d), a voluntary program to facilitate the exchange of cybersecurity information between electric utilities and the Electricity Sector Information Sharing and Analysis Center (ES-ISAC) to enable electric power critical infrastructure operators to better protect their networks from sophisticated cyber threats. The Board seeks input from the MRC regarding the following:

1. Should NERC take on the risks and challenges associated with serving as the program lead for CRISP, as described in the MRC Informational Session background materials, and do you have any specific comments regarding the structure of the program?
2. On July 15, 2014, NERC posted the final draft of its 2015 business plan and budget and included detailed information regarding a proposed initial funding mechanism for NERC's participation in the CRISP program. Do you have any specific comments regarding the proposed initial funding mechanism?

As a reminder, the full agenda packages for the Board, Board committees and MRC meetings will be available on July 30, 2014. I encourage the MRC to review the agenda materials for the August meetings, once available, and offer any additional input that is meaningful and timely to industry and stakeholders. Written comments should be sent to Kristin Iwanechko, MRC Secretary ([email protected]) by August 6, 2014 for the Board to review in advance of the meetings scheduled for Vancouver.

Sincerely,

Fred W. Gorbet, Chair
NERC Board of Trustees

cc: NERC Board of Trustees
    Member Representatives Committee

Attachment A: Risk Elements and Inherent Risk Assessment Overview

Summary

The RAI Oversight Plan Framework (Framework) consists of four modules as shown in the diagram below: Risk Elements; Inherent Risk Assessment; Internal Control Evaluation; and CMEP Tools.

[Figure: RAI Oversight Plan Framework. Inputs (RE Functions, Characteristics, ERO/Regional, Events, RISC Input) feed the Risk Elements module, which yields Applicable Standards; the Inherent Risk Assessment sets the RAI Scope, the Internal Controls Evaluation sets the CEI Scope (with Controls Not Evaluated), and Oversight Scoping feeds the CMEP Tools and the Compliance Oversight Plan.]

The Inherent Risk Assessment (IRA) module, the second module of the Framework, defines the approach for assessing a Registered Entity's risks in order to appropriately determine the scope for a chosen oversight method. The IRA is dependent upon the outputs of the Risk Elements module (currently under development and expected in August 2014). The attached draft IRA Guide documents lessons learned through the compliance pilots and how to implement risk assessment methodologies across the ERO Enterprise during the second half of 2014.

The Risk Elements module will be used by the ERO, on an ongoing basis, to identify risks to the Bulk Electric System (BES) and evaluate where those risks correspond to registered functions and tasks, identifying those standards and requirements that address those risks. The Regional Entity will then conduct a more focused assessment on the Registered Entity's specific risk factors to more clearly understand how a Registered Entity's operations are exposed to those risks. The Risk Elements module provides the following inputs to the IRA model:

1. Specifically identified risks to the reliability of the BES ranked by considering significance, likelihood, vulnerability, and potential impact to the reliability of the BES;
2. Preliminary list of NERC Reliability Standards and requirements mapped to the reliability risks; and
3. Preliminary list of Registered Entities subject to the IRA process.

These inputs, and how they tie in to the IRA, are shown in the diagram below.

[Figure: Risk Elements feeding the IRA. Risk Elements steps: Identify and Assess Inherent Risk to the BES; Weight risks to functional tasks by impact, likelihood, and frequency; Link Reliability Standards and requirements to functional tasks; Map Risks to Registered Functions and Tasks. IRA inputs: BES Inherent Risk, Risk Sources, Reliability Standards and Requirements.]

ERO Inherent Risk Assessment Guide
Effective: TBD

NERC | IRA Guide | July 2014 | 1 of 22

Table of Contents

1.0 Introduction ... 3
2.0 IRA Module ... 4
2.1 IRA Role Within the Overall Risk-based Compliance Oversight Framework ... 4
Figure 1. Risk-based Compliance Oversight Framework ... 4
2.2 Major inputs into the IRA module ... 4
2.2.1 Inputs from the Risk Elements module ... 4
2.2.2 Understanding the Registered Entity ... 5
2.3 Objectives of IRA module ... 5
3.0 IRA Module Overview ... 6
3.1 Information Gathering ... 6
3.1.1 Information Gathering Process ... 7
3.1.2 Key Outputs ... 8
3.1.3 Timing ... 8
3.2 Decision Making ... 8
3.2.1 Decision Making Process ... 9
3.2.2 Key Outputs ... 12
3.2.3 Timing ... 12
3.3 IRA Outcomes ... 12
3.3.1 IRA Outcomes Process ... 12
3.3.2 Key Outputs ... 12
3.3.3 Timing ... 13
3.4 Revision of the Inherent Risk Assessment ... 13
4.0 Documentation ... 14
4.1 Results Documentation ... 14
4.2 Documentation Retention ... 14
5.0 Possible Tools, Templates, and Other Needs ... 15
6.0 References ... 16
Appendix A – Definitions ... 17
Appendix B – Information Attribute List ... 18
Appendix C – Risk Factor Examples ... 21

1.0 Introduction

This Inherent Risk Assessment (IRA) Guide ("Guide") describes the process used to assess inherent risk of registered entities by the Compliance Enforcement Authorities (CEAs) and serves as a standard for North American Electric Reliability Corporation (NERC) and the eight Regional Entities (REs) for implementing and performing an IRA process for the purpose of achieving its intended result. CEAs[1] perform an IRA of registered entities to identify areas of focus and the level of effort needed to monitor compliance with NERC Reliability Standards.

The IRA is a review of potential risks posed by an individual registered entity to the reliability of the bulk power system (BPS). An assessment of BPS reliability impact due to inherent risk requires identification and aggregation of individual risk factors related to each registered entity, and the consideration of the significance of BPS reliability impact for identified risks. An IRA considers risk factors such as assets, systems, geography, interconnectivity, prior compliance history, and overall unique entity composition when determining the Compliance Oversight Plan for a registered entity.

The IRA will be performed on a periodic basis. The frequency of the IRA may depend on the occurrence of significant changes or the emergence of new reliability risks.

Appendix A contains definitions of terms used within the IRA Guide.

Revision History: Date | Version Number | Comments

[1] NERC ROP, Section 401 (Scope of the NERC Compliance Monitoring and Enforcement Program): CEAs, which consist of NERC and the eight REs, carry out Compliance Monitoring and Enforcement Program (CMEP) activities in accordance with the NERC ROP and Appendix 4C CMEP, the respective Regional Delegation Agreements between NERC and each RE, and other agreements with the Canadian and Mexican regulatory authorities.

2.0 IRA Module

2.1 IRA Role Within the Overall Risk-based Compliance Oversight Framework

The IRA module is the second module within the Risk-based Compliance Oversight Framework and serves as an important part of the risk-based Compliance Oversight Framework. The IRA considers outputs from the Risk Elements module (see section 2.2.1 for more details). Outputs from the IRA module are key input sources to the Internal Controls Evaluation (ICE) module, the Compliance Monitoring and Enforcement Program (CMEP) Tools module, and the overall Compliance Oversight Plan. Figure 1 below illustrates the placement of the IRA module within the risk-based Compliance Oversight Framework.

[Figure 1. Risk-based Compliance Oversight Framework, with the IRA module highlighted.]

Where the Risk Elements module provides a process for identifying and prioritizing risks, the IRA module enables the CEAs to determine areas of focus for compliance oversight of a registered entity. Based on the risks formulated within the Risk Elements module, the IRA module is used to assist with the identification of Reliability Standards and Requirements that should be monitored.

2.2 Major inputs into the IRA module

2.2.1 Inputs from the Risk Elements module

The Risk Elements module outputs represent risks to the reliability of the BPS, as known by both NERC and the REs, which would be subject to the IRA process. The Risk Elements module should provide the following inputs into the IRA module:

Description (excerpt):
Develop Reliability Standard applicability sub-lists for certain limited situations, such as DPs that only own UFLS and do not meet sub-lists for low risk TOs/TOPs and GOs/GOPs. 5. Clarify key Registry NERC should have a single person leading the team(s) for the CIP V5 Transition. This individu