Risk Assessment & Mitigation - FRCC entity scheduled for an audit, a spot check, ... •XYZ is an...

Date post: 19-Apr-2018
Upload: phunghanh
Risk Assessment & Mitigation, FRCC Fall Compliance Workshop, November 10 – 12, 2015
Transcript
Risk Assessment & Mitigation

FRCC Fall Compliance Workshop

November 10 – 12, 2015

Information Update

• IRA/COP Status Update

• 2016 CMEP Updates

IRA/COP Status Update

• FRCC is on track for the completion of baseline IRAs and draft COPs for all registered entities in the region by the end of 2015.

• FRCC plans to update the IRA and COP for each registered entity scheduled for an audit, a spot check, or a self-certification in 2016. For all other registered entities an IRA may be updated at any time. Trigger conditions for updating IRAs have been determined.

• When an IRA is updated, the corresponding COP will be reviewed and updated as necessary.

2016 Risk-Based Approach to CMEP Updates

Risk Assessment

• What is Risk?

• What is a Risk Assessment?

• How do we Perform a Risk Assessment?

• Risk Assessment Interactive Activity

• Myth Busters!

What Is Risk?

• True or False

• The IRA is a review of potential risks posed by an individual registered entity to the reliability of the bulk power system (BPS)

• An assessment of BPS reliability impact due to inherent risk requires identification and aggregation of individual risk factors related to each registered entity

• An IRA considers risk factors such as assets, systems, geography, interconnectivity, prior compliance history, and overall unique entity composition, which are used when determining the compliance oversight plan for a registered entity

What Is Risk? (cont’d)

* To quote David Tattam on Operational Risk: “Operational Risk simply comes from doing things, or operating”

* David Tattam 2011, A Short Guide To Operational Risk, Gower Publishing Limited

• All Higher Risk Requirements will be in my Audit Scope

• FRCC will only perform an ICE for High Risk Requirements

• There is an appeal process for IRA and ICE results

How Do We Perform A Risk Assessment?

• Prioritized list of known risks to the reliability of the BPS and associated Reliability Standards and Requirements (ERO CMEP Implementation Plan)

• Understanding of the registered entity and its operations

• Information Attributes Lists and their common sources

• Possible Risk Factor considerations

From the NERC IRA guide

Performing a Risk Assessment

Risk Assessment Interactive Activity

• Entity Information:

• XYZ is registered for the following functions: BA, DP, GO, GOP, LSE, RP, TO and TOP as of May 29, 2007; and TP as of August 28, 2008.

• XYZ owns 886 miles of 345kV, 486 miles of 230kV, 898 miles of 115kV and 3791 miles of 69kV transmission.

• Operates its own transmission system and is not the TOP for another Registered Entity.

Risk Assessment Interactive Activity (cont’d)

• XYZ has entered into a Coordinated Functional Registration (CFR) agreement with the RTO such that the RTO is responsible for the performance of selected XYZ TOP Requirements.

• XYZ owns 71 MWs of natural gas-fired, 1152 MWs of coal-fired and 153 MWs of other sources of generation.

• Operates its own generating units and is not the GOP for another Registered Entity.

Risk Assessment Interactive Activity (cont’d)

• XYZ is an investor-owned utility that provides electricity for residential, commercial, and industrial customers with approximately 130,200 customers in a service area of 70,000 square miles.

• XYZ peak system load was 896 MWs on January 5, 2015. XYZ has entered into a CFR agreement with the RTO such that the RTO is responsible for the performance of selected XYZ LSE Requirements.

• XYZ is its own RP and TP.

Risk Assessment Interactive Activity (cont’d)

• XYZ has the following:

• twenty-seven 115kV,

• eleven 230kV, and

• twelve 345kV interconnections with other TOs:

• Lakes Public Utilities (1-115kV tie);

• River Energy (5-115kV ties and 1-345kV tie);

• Mini Power (2-230kV ties);

• Mini Power Cooperative, Inc. (10-115kV ties, 4-230kV ties and 1-345kV tie);

• Basin Municipal Power Agency (8-115kV and 2-230kV ties);

• Kota Utilities Company (1-230kV tie);

• NWE Energy (1-230kV tie);

• WAPower (1-115kV tie); and

• CELake Energy (2-115kV ties, 1-230kV tie, and 10-345kV ties).

Risk Assessment Interactive Activity (cont’d)

• XYZ does not provide RP or TP functions to another Registered Entity. XYZ’s PA is the RTO. XYZ has entered into a CFR agreement with the RTO such that the RTO is responsible for the performance of selected XYZ RP and TP Requirements.

• XYZ has identified Critical Cyber Assets essential to the operation of its Critical Asset(s). XYZ has not had an event that was classified as a reportable Cyber Security Incident. With the application of the criteria in CIP-002-5.1, XYZ will have Medium and High BES Cyber Systems on April 1, 2016.

Risk Assessment Interactive Activity (cont’d)

• Since its last on-site audit in 2013, XYZ has had two additional instances of non-compliance with approved NERC Reliability Standards.

• XYZ has completed all open Mitigation Plans and has no pending Settlement Agreements on or before January 1, 2016.

• XYZ has had no reportable events; no investigations; and no complaints.

Risk Assessment Interactive Activity (cont’d)

“When considering risk elements, REs will perform a Regional Risk Assessment, identifying risks specific to the region that could potentially impact the reliability of the BPS. After determining region-specific risks, REs will also identify the related Reliability Standards and Requirements associated with those risks”.

NERC 2015 ERO CMEP Version 1.2 | August 17, 2015

Risk Factor Criteria

Standard & Requirements

| Regional Risk Focus Areas | Justification | Associated Standard & Requirement(s) |
|---|---|---|
| Compliance History Trends | FRCC has experienced a high number of violations with these Standards/Requirements | FAC-008-3 R2, R3 & R6 |

Appendix A1 - Florida Reliability Coordinating Council (FRCC) 2015 CMEP Implementation Plan

Risk Factor Criteria (cont’d)

Inherent Risk Assessment Summary Report

Moderate Risks Section Of IRA Summary (illustration only)

Table 2: Moderate Risk Requirements

| Standard & Requirement | Risk Element | Justification |
|---|---|---|
| FAC-008-3 R2 | Region Identified | |

• An Entity is not allowed to ICE between Audit Cycles

• Only BAs and TOPs will receive an audit

• IRA and ICE results are negotiable

• FRCC RAM team has all the right answers

• ICE cannot be beneficial to a small Entity

• Entities only need to be compliant with the Standards and Requirements identified in their IRA

• Internal Controls Evaluation (ICE) is voluntary

Questions?
