Risk Assessment & Mitigation
FRCC Fall Compliance Workshop
November 10 – 12, 2015
Information Update
• IRA/COP Status Update
• 2016 CMEP Updates
IRA/COP Status Update
• FRCC is on track for the completion of baseline IRAs and draft COPs for all registered entities in the region by the end of 2015.
• FRCC plans to update the IRA and COP for each registered entity scheduled for an audit, a spot check, or a self-certification in 2016. For all other registered entities an IRA may be updated at any time. Trigger conditions for updating IRAs have been determined.
• When an IRA is updated, the corresponding COP will be reviewed and updated as necessary.
2016 Risk-Based Approach to CMEP Updates
Risk Assessment
• What is Risk?
• What is a Risk Assessment?
• How do we Perform a Risk Assessment?
• Risk Assessment Interactive Activity
• Myth Busters!
What Is Risk?
• True or False
• The IRA is a review of potential risks posed by an individual registered entity to the reliability of the bulk power system (BPS)
• An assessment of BPS reliability impact due to inherent risk requires identification and aggregation of individual risk factors related to each registered entity
• An IRA considers risk factors such as assets, systems, geography, interconnectivity, prior compliance history, and overall unique entity composition; these are used when determining the compliance oversight plan for a registered entity
What Is Risk? (cont’d)
*To quote David Tattam on Operational Risk: “Operational Risk simply comes from doing things, or operating”
* David Tattam 2011, A Short Guide To Operational Risk, Gower Publishing Limited
• All Higher Risk Requirements will be in my Audit Scope
• FRCC will only perform an ICE for High Risk Requirements
• There is an appeal process for IRA and ICE results
How Do We Perform A Risk Assessment?
• Prioritized list of known risks to the reliability of the BPS and associated Reliability Standards and Requirements (ERO CMEP Implementation Plan)
• Understanding of the registered entity and its operations
• Information Attributes Lists and their common sources
• Possible Risk Factor considerations
From the NERC IRA guide
Performing a Risk Assessment
Risk Assessment Interactive Activity
• Entity Information:
• XYZ is registered for the following functions: BA, DP, GO, GOP, LSE, RP, TO and TOP as of May 29, 2007; and TP as of August 28, 2008.
• XYZ owns 886 miles of 345kV, 486 miles of 230kV, 898 miles of 115kV and 3791 miles of 69kV transmission.
• Operates its own transmission system and is not the TOP for another Registered Entity.
Risk Assessment Interactive Activity (cont’d)
• XYZ has entered into a Coordinated Functional Registration (CFR) agreement with the RTO such that the RTO is responsible for the performance of selected XYZ TOP Requirements.
• XYZ owns 71 MWs of natural gas fired, 1152 MWs of coal fired and 153 MWs of other sources of Generation.
• Operates its own generating units and is not the GOP for another Registered Entity.
Risk Assessment Interactive Activity (cont’d)
• XYZ is an investor-owned utility that provides electricity for residential, commercial, and industrial customers with approximately 130,200 customers in a service area of 70,000 square miles.
• XYZ peak system load was 896 MWs on January 5, 2015. XYZ has entered into a CFR agreement with the RTO such that the RTO is responsible for the performance of selected XYZ LSE Requirements.
• XYZ is its own RP and TP.
Risk Assessment Interactive Activity (cont’d)
• XYZ has the following:
• twenty-seven 115kV,
• eleven 230kV, and
• twelve 345kV interconnections with other TOs:
• Lakes Public Utilities (1-115kV tie);
• River Energy (5-115kV ties and 1-345kV tie);
• Mini Power (2-230kV ties);
• Mini Power Cooperative, Inc. (10-115kV ties, 4-230kV ties and 1-345kV tie);
• Basin Municipal Power Agency (8-115kV and 2-230kV ties);
• Kota Utilities Company (1-230kV tie);
• NWE Energy (1-230kV tie);
• WAPower (1-115kV tie); and
• CELake Energy (2-115kV ties, 1-230kV tie, and 10-345kV ties).
Risk Assessment Interactive Activity (cont’d)
• XYZ does not provide RP or TP functions to another Registered Entity. XYZ’s PA is the RTO. XYZ has entered into a CFR agreement with the RTO such that the RTO is responsible for the performance of selected XYZ RP and TP Requirements.
• XYZ has identified Critical Cyber Assets essential to the operation of its Critical Asset(s). XYZ has not had an event that was classified as a reportable Cyber Security Incident. With the application of the criteria in CIP-002-5.1, XYZ will have Medium and High BES Cyber Systems on April 1, 2016.
Risk Assessment Interactive Activity (cont’d)
• Since its last on-site audit in 2013, XYZ has had two additional instances of non-compliance with approved NERC Reliability Standards.
• XYZ has completed all open Mitigation Plans and has no pending Settlement Agreements on or before January 1, 2016.
• XYZ has had no reportable events; no investigations; and no complaints.
Risk Assessment Interactive Activity (cont’d)
“When considering risk elements, REs will perform a Regional Risk Assessment, identifying risks specific to the region that could potentially impact the reliability of the BPS. After determining region-specific risks, REs will also identify the related Reliability Standards and Requirements associated with those risks”.
NERC 2015 ERO CMEP Version 1.2 | August 17, 2015
Risk Factor Criteria
Standard & Requirements
Regional Risk Focus Areas | Justification | Associated Standard & Requirement(s)
Compliance History Trends | FRCC has experienced a high number of violations with these Standards/Requirements | FAC-008-3 R2, R3 & R6
Appendix A1 - Florida Reliability Coordinating Council (FRCC) 2015 CMEP Implementation Plan
Inherent Risk Assessment Summary Report
Table 2: Moderate Risk Requirements
Standard & Requirement | Risk Element | Justification
FAC-008-3 R2 | Region Identified
illustration only
Moderate Risks Section Of IRA Summary
• An Entity is not allowed to ICE between Audit Cycles
• Only BAs and TOPs will receive an audit
• IRA and ICE results are negotiable
• FRCC RAM team has all the right answers
• ICE cannot be beneficial to a small Entity
• Entities only need to be compliant with the Standards and Requirements identified in their IRA
• Internal Controls Evaluation (ICE) is voluntary
Questions?