NERC and its eight regional entities continue to work on streamlining compliance and enforcement processes, with an audit checklist in field trial now, panelists told FERC at the commission’s July 9 regional technical conference.
Two compliance and enforcement trends include the continued high level of self-identified violations by industry, and the use of the Find, Fix, Track and Report (FFT) program, Mark Rossi, senior vice president and COO at NERC, said in his remarks. He added that self-identified violations historically represent 70% or more of the Electric Reliability Organization (ERO) enterprise caseload. Likewise, about 40% of all violations are processed through the FFT program throughout the enterprise.
The Reliability Assurance Initiative (RAI) program, which aims to build on the success of FFT, focuses on high reliability risk areas and reduces the administrative burden on registered entities.
“It appropriately gives credit to entities that demonstrate strong management practices and a culture of complying with the reliability standards,” he said.
The RAI work has been organized into a series of phases, and the priorities for the rest of this year include developing a common ERO auditor handbook to guide compliance auditors and to implement consistent compliance audit practices across the ERO footprint, he said.
FERC on June 20 accepted NERC’s FFT compliance filing, according to Rossi.
He noted that the natural evolution of the FFT process is to get to the point where an instance of noncompliance that presents a lower risk to reliability is not required to be formally identified as a possible violation and, therefore, trigger an enforcement action.
Under the RAI program, NERC and the regional entities are developing processes by conducting pilot programs by which the newly developed internal controls and risk assessment methods can be tested and modified based upon results from the field, firsthand experiences and lessons learned, he said.
Stacy Dochoda, president and CEO of the Florida Reliability Coordinating Council and the 2013 chair of the Regional Entity Management Group, noted in her remarks that the eight regional entities engaged a third-party consulting firm to review the regional entity audit practices. The final report included three major recommendations, namely, to develop a standardized audit checklist, publish a reference manual for audits or an “audit handbook,” and create an audit training program.
The audit checklist was finalized in April and is in field trial now, she said, adding that a team has begun working on the audit handbook.
Dochoda said the regional entities have made progress on eliminating older violations, adding that more than 21% of the pre-2012 violations were processed during 1Q13.
She also noted that about 40% of the possible violations processed during the last year were processed through the FFT.
Regarding the status of the RAI program, she said NERC and the regional entities are developing prototypes and pilots around risk and reviewing alternatives to enforcement mechanisms to resolve violations that do not pose a serious risk to the reliable operations of the bulk power system. The activities in the pilots involve, for instance, improving the focus of self-certifications.
Dochoda also said that the RAI is a multi-year, phased approach to implementation, and the risk-based processes and tools are expected to be consistently used across the eight regional entities in 2016.
Kelliher: OSHA model proves problematic
Joe Kelliher, executive vice president, federal regulatory affairs with NextEra Energy (NYSE:NEE), said in his written statement, representing the Edison Electric Institute, that the addition of the FFT report provides a good first step in streamlining and reducing inefficiency.
The ERO compliance and enforcement program needs to adopt several changes, he said, adding that as designed and practiced, the program does not provide incentives for companies to strongly manage and mitigate their reliability risks. Instead, the current reliability enforcement regime focuses registered entities on managing compliance risks, he said.
“That impedes the ability of registered entities to focus resources on assuring compliance with the reliability standards that have the greatest reliability consequence, as well as distracting from the important tasks of planning and operating the bulk power system and delivering reliability on a daily basis,” he said.
Compliance audits consume too much time and attention; issues of little or no consequence to reliability move slowly through the full enforcement process; minor matters require too much time and take too many people to resolve; companies like NextEra that do business in multiple regions face widely varying compliance processes and outcomes; FFT requires too much company time and expense; and companies have no efficient appeals method or recourse for actions or decisions viewed as unreasonable or unfair.
The core problem in that area, Kelliher added, is continued adherence to the “[Occupational Safety and Health Administration (OSHA)] model” as the foundation for the reliability enforcement and compliance, noting that under that approach, every reliability violation gets a “ticket,” and is subject to process and mitigation, although not necessarily to civil penalties.
The model is not working well, he said, noting that the administrative burden on companies consumes too many resources and the benefits are small.
“There is a need to conform reliability enforcement and regulation with how the commission enforces all other regulatory requirements,” he said. “We urge the ERO and the commission to amend rules governing reliability enforcement to that end.”
One path to move away from the OSHA model is the approach used by FERC, where the commission sets enforcement priorities and exercises prosecutorial discretion to focus its enforcement resources on those priorities. Noting that there are 10 enforcers of reliability requirements – the commission, ERO and eight regional entities – he said that exercise of prosecutorial discretion in reliability enforcement entails the commission trusting in the judgment of others.
Another path is the approach that could emerge from RAI, under which enforcement and compliance would focus on violations deemed to “significantly” impact reliability.
RAI may not succeed in its goal of focusing enforcement and compliance on the reliability requirements with the greatest reliability significance if it must extend to all reliability requirements except those that pose minimal risk to the bulk electric system, he said.
Another core design issue in RAI is which entity determines whether particular violations pose minimal, moderate or significant issues to the bulk electric system, he said.
The ERO and regional entities can make some changes that will properly refocus the incentives on reliability risk management within the program. The commission can do so by endorsing as a policy principle that companies build and maintain strong internal risk management processes and controls, and allowing companies with strong controls and processes to earn appropriate credit for them, he added.
From the ERO perspective, such credit should be applied by adjustments in the scope, frequency and intensity of compliance audits and spot checks; relief in the disposition of matters with no reliability consequences by having matters dismissed without having to enter an enforcement process; and reduced self-reporting burdens.
Kelliher also said that the ERO and regional entities must develop a process for assessing company processes and controls to gauge determinations of credit to be applied in various compliance and enforcement matters affecting the company. However, they must avoid seeking to impose a top-down structure or design for risk management that would force companies to reconfigure existing control systems.
NRECA: FFT should be separate from RAI
Barry Lawson, associate director, power delivery and reliability, with the National Rural Electric Cooperative Association (NRECA), said that fully implementing FFT would provide for regional entities audit personnel to identify and finalize FFT determinations in the field at the time of audit or at the time a registered entity submits a self-report, eliminating the need to enter the enforcement pipeline and the months-long wait for the offer and confirmation of FFT treatment for a possible violation, he said.
The NRECA encourages NERC to keep the FFT process separate from the RAI initiative, adding that it should not be folded into the longer-term RAI process, which could delay implementation of key benefits.
He also noted that the NRECA supports the concepts behind the RAI, as focusing the NERC compliance and enforcement process on the risk, and mitigation of risks, to bulk electric system reliability and security would be an improvement over the current compliance-focused program.
However, the NRECA has several concerns with the RAI, including that if RAI is not developed and implemented carefully, it could result in additional compliance burdens over the current program. Also, the details and criteria used to complete registered entity assessments must be applied consistently across the regional entities to ensure equal treatment under the RAI.
Like Kelliher, he said the RAI must avoid a one-size-fits-all method for assessing a registered entity’s compliance program and internal controls.
RAI = revolution
William Gallagher, special projects chief, Vermont Public Power Supply Authority, said in his written statement on behalf of the Transmission Access Policy Study Group (TAPS) that as approved by the commission in June, FFT will be enhanced by, for instance, expansion to certain moderate risk violations as well as possible violations whose mitigation will be completed within 90 days of the FFT posting.
To date, FFT’s benefits have largely focused on enabling NERC and its regional entities to process possible violations more efficiently, and registered entities have, thus far, generally not experienced the hoped-for efficiency gains from FFT, he said.
When a possible violation is identified to a regional entity – whether by self-report, self-certification, or audit – the registered entity may not know for months whether it will be accorded FFT treatment.
He urged NERC to take more aggressive efforts to implement the second phase of FFT, as approved in a March order by the commission, in which compliance personnel would be authorized to make FFT decisions in the field, thereby further increasing the resource prioritization benefits of FFT for registered entities, as well as NERC and its regional entities.
He also noted that consistency of application, within and across the regions, is key in achieving the benefits of FFT. Gallagher said he supports NERC efforts to improve the consistency of FFT implementation through standardized instructions and templates, for example.
While FFT can be viewed as a continuing evolution from NERC’s initial enforcement approach of penalizing all violations and processing them the same way, RAI promises more of a revolution in the way NERC and its regional entities approach compliance and enforcement, he said.
RAI is intended to prioritize and customize compliance and enforcement resources based on risk, rather than continue a “one-size-fits-all” approach, he said.
The beauty of RAI is that it aligns compliance and enforcement efforts with registered entity management tools – internal controls – that are designed to improve reliability and reinforce a culture of reliability excellence, instead of just fostering compliance with NERC standards, he said.
“Where a registered entity’s internal controls are determined to be ‘strong,’ NERC and its regional entity can be more scalpel-like in their auditing efforts and deployment of other compliance tools, saving time and resources for all involved,” he said.
Gallagher also noted that he supports proceeding with some pilot programs in advance of developing criteria so that the pilots may provide useful “lessons learned” that can be applied to developing the criteria.
However, he said, criteria development is a crucial step that cannot be skipped, adding that NERC’s draft 2014 business plan “makes no express reference to developing and sharing the criteria that will be used by regional entities in assessing internal controls and entity risk.”
Among other things, he said that to make RAI a tool that promotes enhanced identification, correction and prevention of deficiencies, NERC, its regional entities and registered entities will need flexibility on self-reports, including allowing NERC and its regional entities to decline to treat a self-report as an enforcement matter.