
FERC/NERC Compliance Self-Assessments and Preparing for an External Audit

"Simplicity means the achievement of maximum effect with minimum means." (Albert Einstein)

SCCE Utilities and Energy Compliance and Ethics Conference, Houston, TX
March 2, 2011
© 2011, All Rights Reserved

Introductions

• Deena King
  – Managing Director, Pure Knowledge Consulting
  – 30-year cross-trained professional
  – 10 years audit/compliance
• Specialties
  – Compliance Program:
    • Design and Implementation
    • Evaluations and Gap Analysis
    • Continuous Improvement
• Industries:
  – Higher Education
  – Utility

Agenda

• What needs to be "self-assessed"?
• Compliance as a Business Process
  – Core Process Components
• Compliance Program Self-Assessment
  – Risk Assessment
  – Self-Audits
• Review

What needs to be "self-assessed"?

"Self-Assessment"

• FERC "Internal Compliance Program"
  – FERC Policy Statement on Compliance (SOC) dated October 16, 2008
  – FERC Revised Policy Statement on Enforcement (SOE) dated May 15, 2008
• Two Types
  – Self-Audit
  – Review of Internal Compliance Program

"Self-Assessment"

• FERC on Self-Audits
  – Systematic internal auditing (SOC, P19)
  – The company has an ongoing process for auditing compliance with Commission regulations (SOE, P58)
  – The importance of good-faith self-reporting (SOE, P62)
  – The compliance plan can call for the company to hire an independent third-party auditor to review its business practices in order to ensure compliance (SOE, P45)
• FERC on Internal Program Reviews
  – Periodic review and evaluation of the effectiveness of the program (SOC, P16)
  – The company frequently reviews and modifies its compliance program (SOE, P58)

Definitions

• Self-Audit
  – An internal review of compliance with specific regulations and/or requirements
    • Regulation
    • Current State (Evidence)
    • Compliant Y/N?
    • If No, Action Planning (and self-report if necessary)

Definitions

• Self-Assessment
  – An internal review and evaluation of the effectiveness of the internal compliance program
• ICP
  – Internal Compliance Program

Internal Compliance Program Self-Assessment

Compliance as a Business Process

Business Process

• Example: Advertise an Open Position
  – Hiring Manager
    • 1) Go to HR website
    • 2) Complete Form CorpAd1
    • 3) Submit to Supervisor for Approval
  – Hiring Manager Supervisor
    • 4) Review CorpAd1; Approve
    • 5) Submit to HR for Processing
  – HR (etc.)

Business Process: Example

[Swimlane flow diagram. Hiring Manager: Go to HR Website → Fill in Form CorpAd1 → Submit to Supervisor for Approval. Hiring Manager Supervisor: Review CorpAd1 and Approve → Submit CorpAd1 to HR. HR: Etc.]

Business Process

• Complex: [process map image; source: http://www.gerke.com/gerke2009/processmapping1.php, accessed 1/10/11]

Business Process

• Simplified: [process map image; source: http://www.gerke.com/gerke2009/processmapping1.php, accessed 1/10/11]

Where to begin?

• Federal Energy Regulatory Commission (FERC)
  – Policy Statement on Compliance (SOC) dated October 16, 2008
  – Revised Policy Statement on Enforcement (SOE) dated May 15, 2008
• North American Electric Reliability Corporation (NERC)

FERC Policy Statements

• Policy Statement on Compliance
  – 14 pages of legalese
  – 8 paragraphs dedicated to "vigorous compliance programs"
• Revised Policy Statement on Enforcement
  – 28 pages of legalese
  – 9 paragraphs dedicated to "compliance programs" or "compliance plans"


The Work PKC Did

• The "7 Elements" from the Federal Sentencing Guidelines
• "Best Practice" Frameworks (Appendix A)
  – COSO "Cube"
    • Sarbanes-Oxley Controls
  – COBIT
    • Technology Compliance
    • Process Controls
  – OCEG "Red Book"
    • Open Compliance and Ethics Group
  – Continuous Improvement Models
    • Deming's "Plan, Do, Check, Act"

The Work PKC Did

• Using "best practice", extract the elements of a "compliance process" from the FERC/NERC statements
• Result:
  – Elements of a "vigorous compliance program"
  – Framework for Assessment
    • Approach
    • Technique
  – "Compliance in One Page" ©2010

Compliance as a Business Process: One Page

[Process diagram. Inputs: Laws, Regulations, Regulators. Cycle: Assess Risk/Identify Requirements → Establish/Modify Compliance Organization → Document Standards, Policies, and Procedures → Communicate Standards, Policies, and Procedures → Implement, Promote, and Enforce → Monitor, Audit, and Report, with Continuous Improvement feeding back into the cycle and Leadership/Corporate Culture as the surrounding element.]

The Compliance Process: FERC Statement on Compliance

• Assess Risk/Identify Requirements: Each company has to determine the optimum investment to make in compliance measures in light of its resources and risks (see para 17)
• Establish/Modify Compliance Organization: The best program will not succeed unless senior management actively embraces the importance of compliance; senior management may designate…compliance officials within the company (see paras 13 and 15)
• Document Standards, Policies, and Procedures: Companies [should] invest in systematic preventative measures to keep the company in compliance with the Commission's orders (see para 16)
• Communicate Standards, Policies, and Procedures: Systematic and effective preventative measures such as…training; clear direction from the company (see para 16)
• Implement, Promote and Enforce: The company must…implement the program; companies will act expeditiously to end the wrongful conduct and will report it promptly; [correct] the problem; remediation of the misconduct (see paras 16, 19, and 21)
• Monitor, Audit, and Report: Effective accountability for compliance; periodic review and evaluation of the effectiveness of the [compliance] program; methods to detect violations; systematic internal auditing (see paras 16, 18-20)
• Continuous Improvement: The question of whether new or modified prospective controls are needed to prevent a recurrence (see para 21)
• Leadership/Corporate Culture: The responsibility for a culture of compliance rests squarely on the shoulders of senior management (see paras 1 and 13)

Summary

• Compliance as a Business Process
  – Assess Risk/Identify Requirements
  – Establish/Modify Compliance Organization
  – Document Standards, Policies, and Procedures
  – Communicate Standards, Policies, and Procedures
  – Implement, Promote and Enforce
  – Monitor, Audit, and Report
  – Continuous Improvement
  – Leadership/Corporate Culture

Questions? Comments?

Internal Compliance Program Self-Assessment

Know the Process
Assess the Process

ICP Self Assessment Areas

• Assess Risk/Identify Requirements
• Establish/Modify Compliance Organization
• Leadership/Corporate Culture
• Document Standards, Policies, and Procedures
• Communicate Standards, Policies, and Procedures
• Implement, Promote and Enforce
• Monitor, Audit, and Report
• Continuous Improvement

ICP Self Assessment Areas

• What are we doing to accomplish the task?
• How have we documented:
  – The task itself?
    • Policies and Procedures
    • Desk Procedures (when necessary)
  – That we implemented the task?
    • "Proof of Performance"
    • Logs, Meeting Minutes, Emails, Newsletters, etc.


Risk Assessment/Identify Requirements

• FERC
  – Prepare an inventory of current compliance risks (SOE, P59)
    • (Note: This will result in a list of current program requirements)
  – Companies are in the best position to determine the risks their activities entail and how best to assure compliance (SOC, P9 and 17)
• Self Assess:
  – How are we keeping track of current compliance requirements?
  – How are we assessing compliance risk?

Risk Assessment Tool

[Image: penalty tool determinants; source: http://www.midwestreliability.org/01_about_mro/board_of_directors/presentations/Penalty%20tool%20determinants_MRO%20BOD.pdf]

Violation Risk Factor

BAL-002-0 R1 [VRF: HIGH]. Each Balancing Authority shall have access to and/or operate Contingency Reserve to respond to Disturbances. Contingency Reserve may be supplied from generation, controllable load resources, or coordinated adjustments to Interchange Schedules.
BAL-002-0 R1.1 [VRF: HIGH]. A Balancing Authority may elect to fulfill its Contingency Reserve obligations by participating as a member of a Reserve Sharing Group. In such cases, the Reserve Sharing Group shall have the same responsibilities and obligations as each Balancing Authority with respect to monitoring and meeting the requirements of Standard BAL-002.
BAL-002-0 R2 [VRF: MEDIUM]. Each Regional Reliability Organization, sub-Regional Reliability Organization or Reserve Sharing Group shall specify its Contingency Reserve policies, including:
BAL-002-0 R2.1 [VRF: HIGH]. The minimum reserve requirement for the group.
BAL-002-0 R2.2 [VRF: LOWER]. Its allocation among members.
BAL-002-0 R2.3 [VRF: LOWER]. The permissible mix of Operating Reserve – Spinning and Operating Reserve – Supplemental that may be included in Contingency Reserve.
BAL-002-0 R2.4 [VRF: LOWER]. The procedure for applying Contingency Reserve in practice.
BAL-002-0 R2.5 [VRF: LOWER]. The limitations, if any, upon the amount of interruptible load that may be included.
BAL-002-0 R2.6 [VRF: MEDIUM]. The same portion of resource capacity (e.g., reserves from jointly owned generation) shall not be counted more than once as Contingency Reserve by multiple Balancing Authorities.

Source: http://www.nerc.com/page.php?cid=2%7C20

Violation Severity Level

BAL-002-0 R1. Each Balancing Authority shall have access to and/or operate Contingency Reserve to respond to Disturbances. Contingency Reserve may be supplied from generation, controllable load resources, or coordinated adjustments to Interchange Schedules.
  – Lower VSL: N/A
  – Moderate VSL: N/A
  – High VSL: N/A
  – Severe VSL: The Balancing Authority does not have access to and/or operate Contingency Reserve to respond to Disturbances.

BAL-002-0 R2. Each Regional Reliability Organization, sub-Regional Reliability Organization or Reserve Sharing Group shall specify its Contingency Reserve policies, including:
  – Lower VSL: The Regional Reliability Organization, sub-Regional Reliability Organization, or Reserve Sharing Group has failed to specify 1 of the following sub-requirements.
  – Moderate VSL: The Regional Reliability Organization, sub-Regional Reliability Organization, or Reserve Sharing Group has failed to specify 2 or 3 of the following sub-requirements.
  – High VSL: The Regional Reliability Organization, sub-Regional Reliability Organization, or Reserve Sharing Group has failed to specify 4 or 5 of the following sub-requirements.
  – Severe VSL: The Regional Reliability Organization, sub-Regional Reliability Organization, or Reserve Sharing Group has failed to specify all 6 of the following sub-requirements.

Source: http://www.nerc.com/page.php?cid=2%7C20

Risk Limits

• Found in violation of BAL-002-0, R1
  – What are the penalty Risk Limits?
• Found in violation of BAL-002-0, R2; specifically R2.2 and R2.3
  – What are the penalty Risk Limits?
• With limited resources, where would you focus compliance efforts?
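The two Risk Limits questions above can be worked mechanically from the VRF and VSL tables on the preceding slides. The block below is an added example written for this page; it is not code from the deck, from NERC, or from Pure Knowledge Consulting. It encodes only the BAL-002-0 Violation Risk Factors and the R1/R2 Violation Severity Level rules shown above. NERC's Sanction Guidelines turn a (VRF, VSL) pair into a base penalty range, but those dollar figures are not on this page and are left out, so the example stops at the (VRF, VSL) lookup and an ordinal ranking. Two choices are assumptions of the example, not statements from the deck: an R2 finding is scored against R2's own VRF (MEDIUM) because the slide's VSL table is written at the R2 level, and VRF outranks VSL when ordering findings.

```python
"""Worked example for the VRF/VSL exercise on the preceding slides.

Added for this page; not code from the original deck, from NERC, or from
Pure Knowledge Consulting. Only the BAL-002-0 VRFs and the R1/R2 VSL rules
shown on the slides are encoded. Penalty dollar ranges are deliberately
omitted (they are not on the page), so the result is a (VRF, VSL) pair and
an ordinal ranking for deciding where to focus limited compliance effort.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Violation Risk Factors, transcribed from the "Violation Risk Factor" slide.
VRF: Dict[str, str] = {
    "R1": "HIGH", "R1.1": "HIGH",
    "R2": "MEDIUM", "R2.1": "HIGH", "R2.2": "LOWER", "R2.3": "LOWER",
    "R2.4": "LOWER", "R2.5": "LOWER", "R2.6": "MEDIUM",
}
R2_SUBREQUIREMENTS = ("R2.1", "R2.2", "R2.3", "R2.4", "R2.5", "R2.6")

# Ordinal scales, lowest first. Used only to sort findings.
VRF_ORDER = ("LOWER", "MEDIUM", "HIGH")
VSL_ORDER = ("Lower", "Moderate", "High", "Severe")


def vsl_r1(has_contingency_reserve: bool) -> Optional[str]:
    """R1 has no Lower/Moderate/High level on the slide: a Balancing Authority
    either has access to / operates Contingency Reserve (no violation) or it
    does not (Severe)."""
    return None if has_contingency_reserve else "Severe"


def vsl_r2(missing: Set[str]) -> Optional[str]:
    """Map how many of the six R2 sub-requirements were NOT specified to the
    VSL column on the "Violation Severity Level" slide."""
    unknown = missing - set(R2_SUBREQUIREMENTS)
    if unknown:
        raise ValueError(f"not BAL-002-0 R2 sub-requirements: {sorted(unknown)}")
    n = len(missing)
    if n == 0:
        return None          # all six specified: no violation
    if n == 1:
        return "Lower"       # failed to specify 1
    if n <= 3:
        return "Moderate"    # failed to specify 2 or 3
    if n <= 5:
        return "High"        # failed to specify 4 or 5
    return "Severe"          # failed to specify all 6


@dataclass(frozen=True)
class Finding:
    requirement: str
    vrf: str
    vsl: str

    def rank(self):
        """Higher tuple == more serious. Assumption of this example: VRF
        outranks VSL when ordering findings."""
        return (VRF_ORDER.index(self.vrf), VSL_ORDER.index(self.vsl))


def assess(violations: Dict[str, object]) -> List[Finding]:
    """violations maps "R1" -> bool (has Contingency Reserve?) and/or
    "R2" -> set of sub-requirement ids that were NOT specified.
    Returns findings most serious first. Assumption of this example: an R2
    finding is scored against R2's own VRF (MEDIUM), because the slide's VSL
    table is written at the R2 level rather than per sub-requirement."""
    findings: List[Finding] = []
    if "R1" in violations:
        vsl = vsl_r1(bool(violations["R1"]))
        if vsl:
            findings.append(Finding("BAL-002-0 R1", VRF["R1"], vsl))
    if "R2" in violations:
        vsl = vsl_r2(set(violations["R2"]))
        if vsl:
            findings.append(Finding("BAL-002-0 R2", VRF["R2"], vsl))
    return sorted(findings, key=Finding.rank, reverse=True)


if __name__ == "__main__":
    # The two scenarios posed on the "Risk Limits" slide.
    for f in assess({"R1": False, "R2": {"R2.2", "R2.3"}}):
        print(f"{f.requirement}: VRF={f.vrf}, VSL={f.vsl}")
```

Run as written, the R1 scenario comes out as VRF HIGH with the only available VSL, Severe, and the R2 scenario with R2.2 and R2.3 unspecified comes out as VRF MEDIUM with a Moderate VSL (two of six sub-requirements missing). That ordering is the answer to the slide's third question: with limited resources, the R1 obligation is where the effort goes first.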


Other Risks

• Potential Penalties (Obviously)
• Other Risks
  – Reputation
  – Health and Safety
  – Stock Price (for public companies)
  – Vendor Relations
  – Customer Relations
  – Etc.

Questions on Risk Assessment?


Organizational Structure

• FERC
  – Create an independent Compliance Officer who reports to the Chief Executive Officer and the Board, or to a committee thereof (SOE, P59)
  – The program is supervised by an officer or other high-ranking official; this official has independent access to the board and/or CEO (SOE, P58)
  – Senior management may designate compliance officials within the company; this may be a position devoted exclusively to compliance matters or may be an assigned duty of an employee (SOC, P13 and P15)
• Self Assess:
  – What does our organization look like?
  – Have we defined roles and responsibilities?
  – How can we show "engagement" by each person?

Leadership/Corporate Culture

• FERC
  – The responsibility for a culture of compliance rests squarely on the shoulders of senior management (SOC, P13)
  – Senior management actively involved in compliance efforts (SOE, P58)
  – Senior management provides adequate resources for the compliance program to operate adequately (SOC, P14 and SOE, P58)
  – These factors include the active support of senior management (SOC, P5)
  – Senior management should communicate to employees its commitment to compliance frequently, both formally and informally (SOC, P14)
• Self Assess:
  – How can we show "proof of performance" by senior management?
  – How do we show adequate resources and communication?

Documented P&P

• FERC
  – Company has in place rigorous procedures and processes (SOC, P4)
  – Companies should invest in systematic preventive measures to keep the company in compliance with the Commission's statutes, regulations and orders (SOC, P16)
  – The company has an established, formal program (i.e. plans, policies, and procedures) for internal compliance. It is well documented (SOE, P58)
  – An inventory of compliance practices (SOE, P59)
  – Promote compliance by identifying measurable performance targets (SOE, P59)
• Self Assess:
  – Have we documented standards, policies, and procedures?
  – Do we include measurable targets?

Communication and Training

• FERC
  – The ICP is widely disseminated within the company (SOE, P58)
  – These factors include … the scope and depth of employee training (SOC, P5)
  – The importance [of] tools and training sufficient to enable employees to comply with Commission requirements (SOC, P6 and SOE, P59)
  – Systematic and effective preventive measures (such as careful hiring, training, accountability, and supervision) are fundamental to an effective compliance program (SOC, P16)
  – The company frequently provides training to all relevant employees; the training is sufficiently detailed and thorough to instill an understanding of relevant rules and the importance of compliance (SOE, P58)
• Self Assess:
  – How are we communicating compliance policies and procedures?
  – How are we training on compliance policies and procedures?

Implement, Promote, Enforce

• FERC
  – It is not enough to create a good compliance program on paper; the company must carry through to implement the program (SOC, P16)
  – A company has rigorous procedures and processes that provide effective accountability for compliance (SOC, P4 and SOE, P58)
  – The company responds to wrongdoing (SOE, P58)
  – Steps taken by a company to end violations and remedy the misconduct (SOC, P21)
• Self Assess:
  – Have we implemented the program?
  – Can we document accountability and enforcement?

Questions?


Monitor, Audit, and Report

• FERC
  – ICP Review
    • Periodic review and evaluation of the effectiveness of the program (SOC, P16)
  – Auditing and Reporting
    • Systematic internal auditing (SOC, P19)
    • The company has an ongoing process for auditing compliance with Commission regulations (SOE, P58)
    • The importance of good-faith self-reporting (SOE, P62)

Monitor, Audit, and Report

• FERC
  – ICP Review
    • Periodic review and evaluation of the effectiveness of the program (SOC, P16)
    • The company frequently reviews and modifies its compliance program (SOE, P58)
• Self Assess:
  – How do we review and evaluate the effectiveness of our program?
  – How do we modify the program after a violation?

Monitor, Audit, and Report

• FERC
  – Auditing and Reporting
    • Systematic internal auditing (SOC, P19)
    • The company has an ongoing process for auditing compliance with Commission regulations (SOE, P58)
    • The importance of good-faith self-reporting (SOE, P62)
    • The compliance plan can call for the company to hire an independent third-party auditor to review its business practices in order to ensure compliance (SOE, P45)
• Self Assess:
  – Can we show that we audit, internal & external?
  – Can we show self-reporting (when necessary)?

The Audit Process

Types of Auditors
• Internal
• External
• Regulatory
  – FERC
  – NERC
  – Regional Entity
    • FRCC
    • MRO
    • NPCC
    • RFC
    • SERC
    • SPP
    • TRE
    • WECC

General Process
• Notification
• Opening Conference
• "Walkthrough"
• Field Work
  – Data Requests
  – Interviews
• Preliminary Findings
• Final Findings
• Audit Report

Preparing for Regulators

• Leverage Internal Audit Department
• "Peer" Audit
• Engage External Audit Specialists
  – "Big 4"
  – Mid-Tier
    • Grant Thornton
    • Jefferson Wells
    • Resources Global
    • SAIC
    • etc.
  – Specialty
    • Encari
    • ICF
    • Industrial Defender
    • etc.

Questions?


Continuous Improvement

• FERC
  – Are new or modified prospective controls needed to prevent a recurrence? (SOC, P21)
  – Ensure that steps are taken within the company to improve compliance practices (SOE, P44)
  – Describe measures taken by the company to end the practices that led to the violations (SOE, P45)
  – Work with industry associations to develop compliance best practices (SOC, P7)
  – Encourage the continuing exchange of ideas and best practices among regulated companies (SOC, P7)
• Self Assess:
  – How do we improve compliance programs?
  – How are we leveraging "best practice"?

The Really Good News

• WECC
  – Internal Compliance Program Self Assessment
  – Purpose is to measure how well entities:
    • Assess Risk/Identify Requirements
    • Establish/Modify our Compliance Organization
    • Document our Standards, Policies, and Procedures
    • Communicate our Standards, Policies, and Procedures
    • Implement, Promote, and Enforce
    • Monitor, Audit, and Report
    • Continuously Improve
    • Leadership/Corporate Culture

The Really Good News

• Internal Compliance Program Self Assessment
  – Will be published imminently by WECC
  – Covers all 8 Areas Discussed Above
  – 20 Questions
  – To get a copy, e-mail:
    • Taud Olsen, Managing Director of Compliance, WECC, [email protected]

The Really Good News

• Pure Knowledge Consulting
  – Generic Compliance Program Assessment Tool
  – Standards, Best-Practice Based
  – Federal Sentencing Guidelines
  – FERC Policy Compatible
  – Available in May 2011

Questions? Comments?

Review

Compliance as a Business Process: One Page

[Diagram repeated from the "Compliance as a Business Process: One Page" slide earlier in the deck: Laws, Regulations and Regulators feeding the cycle Assess Risk/Identify Requirements → Establish/Modify Compliance Organization → Document Standards, Policies, and Procedures → Communicate Standards, Policies, and Procedures → Implement, Promote, and Enforce → Monitor, Audit, and Report, with Continuous Improvement and Leadership/Corporate Culture.]

Compliance in One Page

• Assess Risk/Identify Requirements
• Establish/Modify our Compliance Organization
• Leadership/Corporate Culture
• Document our Standards, Policies, and Procedures
• Communicate our Standards, Policies, and Procedures
• Implement, Promote, and Enforce
• Monitor, Audit, and Report
• Continuously Improve

Achieving Excellence Through Best Practices: Compliance, IT, Leadership, Audit

For additional information on products and services, please contact:

Deena King, CCEP, CISA, Managing Director
Pure Knowledge Consulting
www.pureknowledgeconsulting.com
1930 Village Center Circle #3-20, Las Vegas, NV
Cell: (702) 994-7085
[email protected]

Appendix A

Additional Information on Using "Best Practice" Frameworks in Compliance

The Compliance Process and the FERC Policy Statement on Compliance*+

• Assess Risk/Identify Requirements: Each company has to determine the optimum investment to make in compliance measures in light of its resources and risks (see para 17)
• Establish/Modify Compliance Organization: The best program will not succeed unless senior management actively embraces the importance of compliance; senior management may designate…compliance officials within the company (see paras 13 and 15)
• Document Standards, Policies, and Procedures: Companies [should] invest in systematic preventative measures to keep the company in compliance with the Commission's orders (see para 16)
• Communicate Standards, Policies and Procedures: Systematic and effective preventative measures such as…training; clear direction from the company (see para 16)
• Promotion and Enforcement: The company must…implement the program; companies will act expeditiously to end the wrongful conduct and will report it promptly; [correct] the problem; remediation of the misconduct (see paras 16, 19, and 21)
• Monitor Compliance: Effective accountability for compliance; periodic review and evaluation of the effectiveness of the [compliance] program; methods to detect violations; systematic internal auditing (see paras 16, 18-20)
• Continuous Improvement: The question of whether new or modified prospective controls are needed to prevent a recurrence (see para 21)
• Leadership/Corporate Culture: The responsibility for a culture of compliance rests squarely on the shoulders of senior management (see paras 1 and 13)

*FERC Compliance with Statutes, Regulations, and Orders, Docket No. PL09-1-000.
+Also note that paras 23 and 25 and footnotes 23, 28, 29 and 30 reference the Federal Sentencing Guidelines.

    The Compliance Process Mapped to the FERC Policy Statement on Enforcement*

    • Assess Risk/Identify Requirements: An inventory of current compliance risks (see paragraph 59)
    • Establish/Modify Compliance Organization: An independent Compliance Officer or other high-ranking official who reports to the Chief Executive Officer, the Board, or a committee; Tie regulatory compliance to personnel assessments and compensation, including compensation of management (see paragraphs 58 and 59)
    • Leadership/Corporate Culture: Compliance is fully supported by senior management and they are actively involved in compliance efforts; company policies on compensation and promotion take into consideration employee compliance; sufficient funding is provided for the administration of compliance programs (see paragraphs 58 and 59)
    • Document Standards, Policies, and Procedures: An established, formal, well documented program for internal compliance; an inventory of current compliance practices (see paragraphs 58 and 59)
    • Communicate Standards, Policies, and Procedures: Training on rules and regulations that is sufficiently detailed and thorough is provided to all relevant employees; frequent mandatory training programs that include “real world” examples (see paragraphs 58 and 59)
    • Implement, Promote, and Enforce: There are identifiable, measurable performance targets; there are disciplinary consequences in place for infractions of Commission requirements; the company looks for repeat offenses (see paragraph 59)
    • Monitor, Audit, and Report: The company frequently reviews the compliance program; the company audits internal compliance with regulations and tracks and reports results; the company reports violations to management and self-reports; the company has an internal hotline (see paragraphs 58, 59, and 61)
    • Continuous Improvement: The company frequently modifies the compliance program; the company implements more effective internal controls and procedures to prevent recurrence of misconduct (see paragraph 58)

    *FERC Enforcement of Statutes, Regulations, and Orders, Docket No. PL08-3-000, May 2008.

    Compliance as a Process: Mapped to the “7 Elements”

    [Diagram: the compliance process ring (Assess Risk/Identify Requirements; Establish/Modify Compliance Organization; Leadership/Corporate Culture; Document Standards, Policies, and Procedures; Communicate Standards, Policies, and Procedures; Implement, Promote and Enforce; Monitor, Audit, and Report; Continuous Improvement), with the “7 Elements” placed against the steps:]
    • High-level Oversight
    • Screening
    • Standards and Procedures
    • Training and Education
    • Promotion and Enforcement
    • Monitoring, Auditing, and Reporting
    • Response and Correction

    The Compliance Process: Federal Sentencing Guidelines

    [Diagram: the compliance process ring, with “Laws, etc” as input and Continuous Improvement around it; each step is annotated with the Guidelines requirement and the program deliverables:]
    • Assess Risk/Identify Requirements: The organization shall periodically assess the risk of criminal conduct and shall take appropriate steps to design, implement, or modify each requirement (§8B2.1.c). Deliverables: Annual/Quarterly Risk Assessments; Compliance Inventories
    • Establish/Modify Compliance Organization: Governing authority shall be knowledgeable and exercise reasonable oversight; High-level personnel shall ensure the organization has an effective compliance program; Specific individuals shall be delegated day-to-day operational responsibility; Exercise due diligence (§8B2.1.b.2.A-C & 3). Deliverables: Org Chart; Job Descriptions; Background Checks
    • Leadership/Corporate Culture: Promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law (§8B2.1.a.2 and b). Deliverable: Leadership
    • Document Standards, Policies, and Procedures: The organization shall establish standards and procedures to prevent and detect criminal conduct (§8B2.1.b.1). Deliverables: Documentation
    • Communicate Standards, Policies, and Procedures: Communicate periodically standards and procedures, and other aspects to employees by conducting effective training programs and otherwise disseminating information (§8B2.1.b.4). Deliverables: Communication and Training Plans
    • Implement, Promote and Enforce: The organization’s compliance and ethics program shall be reasonably implemented, promoted and enforced consistently throughout the organization (§8B2.1.a.2 & b.6). Deliverable: An Implemented Program
    • Monitor, Audit, and Report: Monitoring and auditing to detect criminal conduct; Periodically evaluate the effectiveness of the organization’s compliance program; Publicize a reporting system (§8B2.1.b.5.A-C). Deliverables: Audit Program; Program Evaluation; Hotline; Audit Reports
    • Continuous Improvement: After criminal conduct has been detected, the organization shall take steps to respond appropriately, including making modifications to the program (§8B2.1.b.7). Deliverables: Enforcement; Modifications to any or all noted deliverables

    Using the Compliance Process To Design/Enhance Compliance Programs

    • Assess Risk/Identify Requirements
      Deliverables:
      – Annual/Quarterly Risk Assessments
      – Compliance Inventories
    • Leadership/Corporate Culture
      Deliverables:
      – Leadership
    • Establish/Modify Compliance Organization
      Deliverables:
      – Org Chart
      – Job Descriptions
      – Background Checks
    • Document Standards, Policies, and Procedures
      Deliverables:
      – Documentation
    • Communicate Standards, Policies and Procedures
      Deliverables:
      – Communication and Training Plans
    • Implement, Promote and Enforce
      Deliverable:
      – An Implemented Program
    • Monitor, Audit, and Report
      Deliverables:
      – Audit Program
      – Program Evaluation
      – Hotline
      – Audit Reports
    • Continuous Improvement
      Deliverables:
      – Enforcement
      – Modifications to any or all noted deliverables

    COSO Management Controls

    • At multiple levels across multiple functions:
      – Internal Environment
      – Objective Setting
      – Event Identification
      – Risk Assessment
      – Risk Response
      – Control Activities
      – Communication
      – Monitoring

    Compliance as a Process: Map to COSO

    [Diagram: the compliance process ring (Assess Risk/Identify Requirements; Establish/Modify Compliance Organization; Leadership/Corporate Culture, annotated “Promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law (§8B2.1.a.2 and b)”; Document Standards, Policies, and Procedures; Communicate Standards, Policies, and Procedures; Implement, Promote and Enforce; Monitor, Audit, and Report; Continuous Improvement), with COSO components placed against the steps:]
    • Internal Environment
    • Objective Setting
    • Risk Assessment
    • Risk Response
    • Control Activities
    • Communication
    • Monitoring
    • Reporting
    • Entity-level; Division, Business Unit; Subdivision
    • Strategic; Operations; Compliance

    CObIT “Process Controls”

    [Diagram only; no text captured.]

    Compliance as a Process: Map to CObIT Processes

    [Diagram: the compliance process ring (Assess Risk/Identify Requirements; Establish/Modify Compliance Organization; Leadership/Corporate Culture, annotated “Promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law (§8B2.1.a.2 and b)”; Document Standards, Policies, and Procedures; Communicate Standards, Policies, and Procedures; Implement, Promote and Enforce; Monitor, Audit, and Report; Continuous Improvement), with CObIT process controls placed against the steps:]
    • Ownership
    • Goals and Objectives
    • Roles and Responsibilities
    • Repeatability
    • Define Policies, Plans, Procedures
    • Communicate Policies, Plans, Procedures
    • Performance Metrics (Performance Improvement)
    • Compare Measurements (Performance Improvement)
    • Performance Improvement
    • High-level Oversight

    OCEG Foundation-level Guidelines

    • Culture
      – Ethics
      – Risk
      – Governance
      – Workforce
    • Organization/Personnel
      – Leadership: Oversight, Strategy, Operations
    • Process
      – Plan/Organize
      – Prevent/Protect/Prepare
      – Monitor/Evaluate
      – Respond/Improve
    • Technology

    Compliance as a Process: Map to OCEG Foundation

    [Diagram: the compliance process ring (Assess Risk/Identify Requirements; Establish/Modify Compliance Organization; Leadership/Corporate Culture, annotated “Promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law (§8B2.1.a.2 and b)”; Document Standards, Policies, and Procedures; Communicate Standards, Policies, and Procedures; Implement, Promote and Enforce; Monitor, Audit, and Report; Continuous Improvement), with OCEG Foundation elements placed against the steps:]
    • Leadership: Oversight, Operations
    • Leadership: Strategy
    • Organization: Leadership
    • Culture: Risk
    • Culture: Ethics, Governance, Workforce
    • Process: Plan, Organize
    • Process: Prepare
    • Process: Prevent, Protect
    • Process: Monitor, Evaluate
    • Process: Respond, Improve

    Compliance Action Plan: One Possible Configuration

    • Risk Assessment Program
      – Identifying Requirements
      – Compliance Inventories
    • Compliance Plan
      – Org Chart
      – Roles and Responsibilities
      – Annual Plan Evaluation
    • Monitoring Program
      – Hotline
      – Background Checks
    • Compliance Audit Program
    • Communications Plan
    • Training Plan
    • Annual Action Plan
      – Implementation Program
        • New or Improved Policies and Procedures
        • Lots and Lots
    • Leverage Corporate Leadership Training

    The Compliance Process: Organizational Levels

    • Governance
    • Management
      – Risk: Mid-level
      – Org: Management
      – Document and Communicate: Departmental Compliance Programs; Policies and Procedures
      – Promote and Enforce: Departmental Policies and Procedures
      – Monitor: Effectiveness of departmental programs; Departmental Policies and Procedures
    • Performance/Operational
      – Risk: Operational
      – Org: Front-line Professionals
      – Document and Communicate: Operational Procedures
      – Promote and Enforce: Operational Procedures
      – Monitor: Operational Procedures

    *Companies subject to the FERC Standards of Conduct must designate a Chief Compliance Officer