FERC/NERC Compliance Self-Assessments and Preparing for an External Audit
“Simplicity means the achievement of maximum effect with minimum means.”—Albert Einstein
March 2, 2011
SCCE Utilities and Energy Compliance and Ethics Conference, Houston, TX
© 2011, All Rights Reserved
Introductions
• Deena King
  – Managing Director, Pure Knowledge Consulting
  – 30 Year Cross-trained Professional
  – 10 years Audit/Compliance
• Specialties
  – Compliance Program:
    • Design and Implementation
    • Evaluations and Gap Analysis
    • Continuous Improvement
  – Industries:
    • Higher Education
    • Utility
Agenda
• What needs to be “self-assessed”?
• Compliance as a Business Process
  – Core Process Components
• Compliance Program Self-Assessment
  – Risk Assessment
  – Self-Audits
• Review
What needs to be “self-assessed?”
“Self-Assessment”
• FERC “Internal Compliance Program”
  – FERC Policy Statement on Compliance (SOC) dated October 16, 2008
  – FERC Revised Policy Statement on Enforcement (SOE) dated May 15, 2008
• Two Types
  – Self-Audit
  – Review of Internal Compliance Program
“Self-Assessment”
• FERC on Self-Audits
  – Systematic internal auditing (SOC, P19)
  – The company has an ongoing process for auditing compliance with Commission regulations (SOE, P58)
  – The importance [of] good-faith self-reporting (SOE, P62)
  – The compliance plan can call for the company to hire an independent third party auditor to review its business practices in order to ensure compliance (SOE, P45)
• FERC on Internal Program Reviews
  – Periodic review and evaluation of the effectiveness of the program (SOC, P16)
  – The company frequently reviews and modifies its compliance program (SOE, P58)
Definitions
• Self-Audit
  – An internal review of compliance with specific regulations and/or requirements
    • Regulation
    • Current State (Evidence)
    • Compliant Y/N?
    • If No, Action Planning (and self-report if necessary)
Definitions
• Self-Assessment
  – An internal review and evaluation of the effectiveness of the internal compliance program
    • ICP – Internal Compliance Program
Internal Compliance Program Self-Assessment
Compliance as a Business Process
Business Process
• Example: Advertise an Open Position
  – Hiring Manager
    • 1) Go to HR website
    • 2) Complete Form CorpAd1
    • 3) Submit to Supervisor for Approval
  – Hiring Manager Supervisor
    • 4) Review CorpAd1; Approve
    • 5) Submit to HR for Processing
  – HR (etc.)
Business Process: Example
[Flowchart with swim lanes for Hiring Manager, Hiring Manager Supervisor, and HR. Hiring Manager: Go to HR Website; Fill in Form CorpAd1; Submit to Supervisor for Approval. Hiring Manager Supervisor: Review CorpAd1 and Approve; Submit CorpAd1 to HR. HR: Etc.]
Business Process
• Complex: [process map image]
Source: http://www.gerke.com/gerke2009/processmapping1.php, 1/10/11
Business Process
• Simplified: [process map image]
Source: http://www.gerke.com/gerke2009/processmapping1.php, 1/10/11
Where to begin?
• Federal Energy Regulatory Commission (FERC)
  – Policy Statement on Compliance (SOC) dated October 16, 2008
  – Revised Policy Statement on Enforcement (SOE) dated May 15, 2008
• North American Electric Reliability Corporation (NERC)
FERC Policy Statements
• Policy Statement on Compliance
  – 14 pages of legalese
  – 8 paragraphs dedicated to “vigorous compliance programs”
• Revised Policy Statement on Enforcement
  – 28 pages of legalese
  – 9 paragraphs dedicated to “compliance programs” or “compliance plans”
The Work PKC Did
• The “7 Elements” from the Federal Sentencing Guidelines
• “Best Practice” Frameworks (Appendix A)
  – COSO “Cube”
    • Sarbanes-Oxley Controls
  – CObIT
    • Technology Compliance
    • Process Controls
  – OCEG “Red Book”
    • Open Compliance and Ethics Group
  – Continuous Improvement Models
    • Deming’s “Plan, Do, Check, Act”
The Work PKC Did
• Using “best practice”, extract the elements of a “compliance process” from the FERC/NERC statements
• Result:
  – Elements of a “vigorous compliance program”
  – Framework for Assessment
    • Approach
    • Technique
  – “Compliance in One Page” ©2010
Compliance as a Business Process: One Page
[Diagram, labels recovered from the figure: Laws, Regulations, Regulators (inputs to the process); Continuous Improvement (surrounding the process); Assess Risk/Identify Requirements; Establish/Modify Compliance Organization; Document Standards, Policies, and Procedures; Communicate Standards, Policies, and Procedures; Implement, Promote, and Enforce; Monitor, Audit, and Report; Leadership/Corporate Culture]
The Compliance Process: FERC Statement on Compliance
• Assess Risk/Identify Requirements: Each company has to determine the optimum investment to make in compliance measures in light of its resources and risks (see para 17)
• Establish/Modify Compliance Organization: The best program will not succeed unless senior management actively embraces the importance of compliance; Senior management may designate…compliance officials within the company (see paras 13 and 15)
• Document Standards, Policies, and Procedures: Companies [should] invest in systematic preventative measures to keep the company in compliance with the Commission’s orders (see para 16)
• Communicate Standards, Policies, and Procedures: Systematic and effective preventative measures such as…training; clear direction from the company (see para 16)
• Implement, Promote and Enforce: The company must…implement the program; companies will act expeditiously to end the wrongful conduct and will report it promptly; [correct] the problem; remediation of the misconduct (see paras 16, 19, and 21)
• Monitor, Audit, and Report: Effective accountability for compliance; periodic review and evaluation of the effectiveness of the [compliance] program; methods to detect violations; systematic internal auditing (see paras 16, 18-20)
• Leadership/Corporate Culture: The responsibility for a culture of compliance rests squarely on the shoulders of senior management (see paras 1 and 13)
• Continuous Improvement: The question of whether new or modified prospective controls are needed to prevent a recurrence (see para 21)
Inputs: Laws, etc.
Summary
• Compliance as a Business Process
  – Assess Risk/Identify Requirements
  – Establish/Modify Compliance Organization
  – Document Standards, Policies, and Procedures
  – Communicate Standards, Policies, and Procedures
  – Implement, Promote and Enforce
  – Monitor, Audit, and Report
  – Continuous Improvement
  – Leadership/Corporate Culture
Questions? Comments?
Internal Compliance Program Self-Assessment
Know the Process
Assess the Process
ICP Self Assessment Areas
• Assess Risk/Identify Requirements
• Establish/Modify Compliance Organization
• Leadership/Corporate Culture
• Document Standards, Policies, and Procedures
• Communicate Standards, Policies, and Procedures
• Implement, Promote and Enforce
• Monitor, Audit, and Report
• Continuous Improvement
ICP Self Assessment Areas
• What are we doing to accomplish the task?
• How have we documented:
  – The task itself?
    • Policies and Procedures
    • Desk Procedures (when necessary)
  – That we implemented the task?
    • “Proof of Performance”
    • Logs, Meeting Minutes, Emails, Newsletters, etc.
Risk Assessment/Identify Requirements
• FERC
  – Prepare an inventory of current compliance risks (SOE, P59)
    • (Note: This will result in a list of current program requirements)
  – Companies are in the best position to determine the risks their activities entail and how best to assure compliance (SOC, P9 and 17)
• Self Assess:
  – How are we keeping track of current compliance requirements?
  – How are we assessing compliance risk?
Risk Assessment Tool
[Image: penalty determinants tool from an MRO Board of Directors presentation]
Source: http://www.midwestreliability.org/01_about_mro/board_of_directors/presentations/Penalty%20tool%20determinants_MRO%20BOD.pdf
Violation Risk Factor
Source: http://www.nerc.com/page.php?cid=2%7C20
BAL-002-0 R1. Each Balancing Authority shall have access to and/or operate Contingency Reserve to respond to Disturbances. Contingency Reserve may be supplied from generation, controllable load resources, or coordinated adjustments to Interchange Schedules. (VRF: HIGH)
BAL-002-0 R1.1. A Balancing Authority may elect to fulfill its Contingency Reserve obligations by participating as a member of a Reserve Sharing Group. In such cases, the Reserve Sharing Group shall have the same responsibilities and obligations as each Balancing Authority with respect to monitoring and meeting the requirements of Standard BAL-002. (VRF: HIGH)
BAL-002-0 R2. Each Regional Reliability Organization, sub-Regional Reliability Organization or Reserve Sharing Group shall specify its Contingency Reserve policies, including: (VRF: MEDIUM)
BAL-002-0 R2.1. The minimum reserve requirement for the group. (VRF: HIGH)
BAL-002-0 R2.2. Its allocation among members. (VRF: LOWER)
BAL-002-0 R2.3. The permissible mix of Operating Reserve – Spinning and Operating Reserve – Supplemental that may be included in Contingency Reserve. (VRF: LOWER)
BAL-002-0 R2.4. The procedure for applying Contingency Reserve in practice. (VRF: LOWER)
BAL-002-0 R2.5. The limitations, if any, upon the amount of interruptible load that may be included. (VRF: LOWER)
BAL-002-0 R2.6. The same portion of resource capacity (e.g., reserves from jointly owned generation) shall not be counted more than once as Contingency Reserve by multiple Balancing Authorities. (VRF: MEDIUM)
Violation Severity Level
Source: http://www.nerc.com/page.php?cid=2%7C20
BAL-002-0 R1. Each Balancing Authority shall have access to and/or operate Contingency Reserve to respond to Disturbances. Contingency Reserve may be supplied from generation, controllable load resources, or coordinated adjustments to Interchange Schedules.
  Lower VSL: N/A
  Moderate VSL: N/A
  High VSL: N/A
  Severe VSL: The Balancing Authority does not have access to and/or operate Contingency Reserve to respond to Disturbances.
BAL-002-0 R2. Each Regional Reliability Organization, sub-Regional Reliability Organization or Reserve Sharing Group shall specify its Contingency Reserve policies, including:
  Lower VSL: The Regional Reliability Organization, sub-Regional Reliability Organization, or Reserve Sharing Group has failed to specify 1 of the following sub-requirements.
  Moderate VSL: The Regional Reliability Organization, sub-Regional Reliability Organization, or Reserve Sharing Group has failed to specify 2 or 3 of the following sub-requirements.
  High VSL: The Regional Reliability Organization, sub-Regional Reliability Organization, or Reserve Sharing Group has failed to specify 4 or 5 of the following sub-requirements.
  Severe VSL: The Regional Reliability Organization, sub-Regional Reliability Organization, or Reserve Sharing Group has failed to specify all 6 of the following sub-requirements.
Risk Limits
• Found in violation of BAL-002-0, R1
  – What are the penalty Risk Limits?
• Found in violation of BAL-002-0, R2; specifically R2.2 and R2.3
  – What are the penalty Risk Limits?
• With limited resources, where would you focus compliance efforts?
Other Risks
• Potential Penalties (Obviously)
• Other Risks
  – Reputation
  – Health and Safety
  – Stock Price (for public companies)
  – Vendor Relations
  – Customer Relations
  – Etc.
Questions on Risk Assessment?
Organizational Structure
• FERC
  – Create an independent Compliance Officer who reports to the Chief Executive Officer and the Board, or to a committee thereof (SOE, P59)
  – The program is supervised by an officer or other high-ranking official; this official has independent access to the board and/or CEO (SOE, P58)
  – Senior management may designate compliance officials within the company; This may be a position devoted exclusively to compliance matters or may be an assigned duty of an employee (SOC, P13 and P15)
• Self Assess:
  – What does our organization look like?
  – Have we defined roles and responsibilities?
  – How can we show “engagement” by each person?
Leadership/Corporate Culture
• FERC
  – The responsibility for a culture of compliance rests squarely on the shoulders of senior management (SOC, P13)
  – Senior management actively involved in compliance efforts (SOE, P58)
  – Senior management provides adequate resources for the compliance program to operate adequately (SOC, P14 and SOE, P58)
  – These factors include the active support of senior management (SOC, P5)
  – Senior management should communicate to employees its commitment to compliance frequently, both formally and informally (SOC, P14)
• Self Assess:
  – How can we show “proof of performance” by senior management?
  – How do we show adequate resources and communication?
Documented P&P
• FERC
  – Company has in place rigorous procedures and processes (SOC, P4)
  – Companies should invest in systematic preventive measures to keep the company in compliance with the Commission’s statutes, regulations and orders (SOC, P16)
  – The company has an established, formal program (i.e. plans, policies, and procedures) for internal compliance. It is well documented (SOE, P58)
  – An inventory of compliance practices (SOE, P59)
  – Promote compliance by identifying measurable performance targets (SOE, P59)
• Self Assess:
  – Have we documented standards, policies, and procedures?
  – Do we include measurable targets?
Communication and Training
• FERC
  – The ICP is widely disseminated within the company (SOE, P58)
  – These factors include … the scope and depth of employee training (SOC, P5)
  – The importance [of] tools and training sufficient to enable employees to comply with Commission requirements (SOC, P6 and SOE, P59)
  – Systematic and effective preventive measures (such as careful hiring, training, accountability, and supervision), are fundamental to an effective compliance program (SOC, P16)
  – The company frequently provides training to all relevant employees; the training is sufficiently detailed and thorough to instill an understanding of relevant rules and the importance of compliance (SOE, P58)
• Self Assess:
  – How are we communicating compliance policies and procedures?
  – How are we training on compliance policies and procedures?
Implement, Promote, Enforce
• FERC
  – It is not enough to create a good compliance program on paper; the company must carry through to implement the program (SOC, P16)
  – A company has rigorous procedures and processes that provide effective accountability for compliance (SOC, P4 and SOE, P58)
  – The company responds to wrongdoing (SOE, P58)
  – Steps taken by a company to end violations and remedy the misconduct (SOC, P21)
• Self Assess:
  – Have we implemented the program?
  – Can we document accountability and enforcement?
Questions?
Monitor, Audit, and Report
• FERC
  – ICP Review
    • Periodic review and evaluation of the effectiveness of the program (SOC, P16)
  – Auditing and Reporting
    • Systematic internal auditing (SOC, P19)
    • The company has an ongoing process for auditing compliance with Commission regulations (SOE, P58)
    • The importance [of] good-faith self-reporting (SOE, P62)
Monitor, Audit, and Report
• FERC
  – ICP Review
    • Periodic review and evaluation of the effectiveness of the program (SOC, P16)
    • The company frequently reviews and modifies its compliance program (SOE, P58)
• Self Assess:
  – How do we review and evaluate the effectiveness of our program?
  – How do we modify the program after a violation?
Monitor, Audit, and Report
• FERC
  – Auditing and Reporting
    • Systematic internal auditing (SOC, P19)
    • The company has an ongoing process for auditing compliance with Commission regulations (SOE, P58)
    • The importance [of] good-faith self-reporting (SOE, P62)
    • The compliance plan can call for the company to hire an independent third party auditor to review its business practices in order to ensure compliance (SOE, P45)
• Self Assess:
  – Can we show that we audit, internal & external?
  – Can we show self-reporting (when necessary)?
The Audit Process
Types of Auditors
• Internal
• External
• Regulatory
  – FERC
  – NERC
  – Regional Entity
    • FRCC
    • MRO
    • NPCC
    • RFC
    • SERC
    • SPP
    • TRE
    • WECC
General Process
• Notification
• Opening Conference
• “Walkthrough”
• Field Work
  – Data Requests
  – Interviews
• Preliminary Findings
• Final Findings
• Audit Report
Preparing for Regulators
• Leverage Internal Audit Department
• “Peer” Audit
• Engage External Audit Specialists
  – “Big 4”
  – Mid-Tier
    • Grant Thornton
    • Jefferson Wells
    • Resources Global
    • SAIC
    • etc.
  – Specialty
    • Encari
    • ICF
    • Industrial Defender
    • etc.
Questions?
Continuous Improvement
• FERC
  – Are new or modified prospective controls needed to prevent a recurrence? (SOC, P21)
  – Ensure that steps are taken within the company to improve compliance practices (SOE, P44)
  – Describe measures taken by the company to end the practices that led to the violations (SOE, P45)
  – Work with industry associations to develop compliance best practices (SOC, P7)
  – Encourage the continuing exchange of ideas and best practices among regulated companies (SOC, P7)
• Self Assess:
  – How do we improve compliance programs?
  – How are we leveraging “best practice”?
The Really Good News
• WECC
  – Internal Compliance Program Self Assessment
  – Purpose is to measure how well entities:
    • Assess Risk/Identify Requirements
    • Establish/Modify our Compliance Organization
    • Document our Standards, Policies, and Procedures
    • Communicate our Standards, Policies, and Procedures
    • Implement, Promote, and Enforce
    • Monitor, Audit, and Report
    • Continuously Improve
    • Leadership/Corporate Culture
The Really Good News
• Internal Compliance Program Self Assessment
  – Will be published imminently by WECC
  – Cover all 8 Areas Discussed Above
  – 20 Questions
  – To get a copy:
    • E-mail: Taud Olsen, Managing Director of Compliance, WECC, [email protected]
The Really Good News
• Pure Knowledge Consulting
  – Generic Compliance Program Assessment Tool
  – Standards, Best-Practice Based
  – Federal Sentencing Guidelines
  – FERC Policy Compatible
  – Available in May 2011
Questions? Comments?
Review
Compliance as a Business Process: One Page
[Diagram repeated from the “Compliance as a Business Process” section: Laws, Regulations, Regulators as inputs; Continuous Improvement surrounding the eight process elements listed on the next slide]
Compliance in One Page
• Assess Risk/Identify Requirements
• Establish/Modify our Compliance Organization
• Leadership/Corporate Culture
• Document our Standards, Policies, and Procedures
• Communicate our Standards, Policies, and Procedures
• Implement, Promote, and Enforce
• Monitor, Audit, and Report
• Continuously Improve
Achieving Excellence Through Best Practices
Compliance, IT, Leadership, Audit
For additional information on products and services, please contact:
Deena King, CCEP, CISA*
Managing Director
www.pureknowledgeconsulting.com
Cell: (702) 994-7085
1930 Village Center Circle #3-20
Las Vegas, NV
[email protected]
Appendix A
Additional Information on Using “Best Practice” Frameworks in Compliance
The Compliance Process and the FERC Policy Statement on Compliance*+
• Assess Risk/Identify Requirements: Each company has to determine the optimum investment to make in compliance measures in light of its resources and risks (see para 17)
• Establish/Modify Compliance Organization: The best program will not succeed unless senior management actively embraces the importance of compliance; Senior management may designate…compliance officials within the company (see paras 13 and 15)
• Document Standards, Policies, and Procedures: Companies [should] invest in systematic preventative measures to keep the company in compliance with the Commission’s orders (see para 16)
• Communicate Standards, Policies, and Procedures: Systematic and effective preventative measures such as…training; clear direction from the company (see para 16)
• Promotion and Enforcement: The company must…implement the program; companies will act expeditiously to end the wrongful conduct and will report it promptly; [correct] the problem; remediation of the misconduct (see paras 16, 19, and 21)
• Monitor Compliance: Effective accountability for compliance; periodic review and evaluation of the effectiveness of the [compliance] program; methods to detect violations; systematic internal auditing (see paras 16, 18-20)
• Leadership/Corporate Culture: The responsibility for a culture of compliance rests squarely on the shoulders of senior management (see paras 1 and 13)
• Continuous Improvement: The question of whether new or modified prospective controls are needed to prevent a recurrence (see para 21)
*FERC Compliance with Statutes, Regulations, and Orders, Docket No. PL09-1-000.
+Also note that paras 23 and 25 and footnotes 23, 28, 29 and 30 reference the Federal Sentencing Guidelines.
The Compliance Process Mapped to the FERC Policy Statement on Enforcement*
• Assess Risk/Identify Requirements: An inventory of current compliance risks (see paragraph 59)
• Establish/Modify Compliance Organization: An independent Compliance Officer or other high-ranking official who reports to the Chief Executive Officer, the Board, or a committee; Tie regulatory compliance to personnel assessments and compensation, including compensation of management (see paragraphs 58 and 59)
• Leadership/Corporate Culture: Compliance is fully supported by senior management and they are actively involved in compliance efforts; company policies on compensation and promotion take into consideration employee compliance; sufficient funding is provided for the administration of compliance programs (see paragraphs 58 and 59)
• Document Standards, Policies, and Procedures: An established, formal, well documented program for internal compliance; an inventory of current compliance practices (see paragraphs 58 and 59)
• Communicate Standards, Policies, and Procedures: Training on rules and regulations that is sufficiently detailed and thorough is provided to all relevant employees; frequent mandatory training programs that include “real world” examples (see paragraphs 58 and 59)
• Implement, Promote, and Enforce: There are identifiable, measurable performance targets; there are disciplinary consequences in place for infractions of Commission requirements; the company looks for repeat offenses (see paragraph 59)
• Monitor, Audit, and Report: The company frequently reviews the compliance program; the company audits internal compliance with regulations and tracks and reports results; the company reports violations to management and self-reports; the company has an internal hotline (see paragraphs 58, 59, and 61)
• Continuous Improvement: The company frequently modifies the compliance program; the company implements more effective internal controls and procedures to prevent recurrence of misconduct (see paragraph 58)
*FERC Enforcement of Statutes, Regulations, and Orders, Docket No. PL08-3-000, May 2008.
Compliance as a Process: Mapped to the “7 Elements”

Process steps: Assess Risk/Identify Requirements; Establish/Modify Compliance Organization; Document Standards, Policies, and Procedures; Communicate Standards, Policies, and Procedures; Implement, Promote and Enforce; Monitor, Audit, and Report; Leadership/Corporate Culture; with Continuous Improvement at the center of the cycle.

“7 Elements” mapped onto the process:
• High-level Oversight
• Screening
• Standards and Procedures
• Training and Education
• Promotion and Enforcement
• Monitoring, Auditing, and Reporting
• Response and Correction
The Compliance Process: Federal Sentencing Guidelines

Assess Risk/Identify Requirements (inputs: Laws, etc.): The organization shall periodically assess the risk of criminal conduct and shall take appropriate steps to design, implement, or modify each requirement (§8B2.1.c). Deliverables: Annual/Quarterly Risk Assessments; Compliance Inventories
Establish/Modify Compliance Organization: Governing authority shall be knowledgeable and exercise reasonable oversight; High-level personnel shall ensure the organization has an effective compliance program; Specific individuals shall be delegated day-to-day operational responsibility; Exercise due diligence (§8B2.1.b.2.A-C & 3). Deliverables: Org Chart; Job Descriptions; Background Checks
Document Standards, Policies, and Procedures: The organization shall establish standards and procedures to prevent and detect criminal conduct (§8B2.1.b.1). Deliverables: Documentation
Communicate Standards, Policies, and Procedures: Communicate periodically standards and procedures, and other aspects to employees by conducting effective training programs and otherwise disseminating information (§8B2.1.b.4). Deliverables: Communication and Training Plans
Implement, Promote and Enforce: The organization’s compliance and ethics program shall be reasonably implemented, promoted and enforced consistently throughout the organization (§8B2.1.a.2 & b.6). Deliverable: An Implemented Program
Monitor, Audit, and Report: Monitoring and auditing to detect criminal conduct; Periodically evaluate the effectiveness of the organization’s compliance program; Publicize a reporting system (§8B2.1.b.5.A-C). Deliverables: Audit Program; Program Evaluation; Hotline; Audit Reports
Leadership/Corporate Culture: Promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law (§8B2.1.a.2 and b). Deliverable: Leadership
Continuous Improvement*: After criminal conduct has been detected, the organization shall take steps to respond appropriately including making modifications to the program (§8B2.1.b.7). Deliverables: Enforcement; Modifications to any or all noted deliverables
Using the Compliance Process To Design/Enhance Compliance Programs

Assess Risk/Identify Requirements. Deliverables: Annual/Quarterly Risk Assessments; Compliance Inventories
Leadership/Corporate Culture. Deliverables: Leadership
Establish/Modify Compliance Organization. Deliverables: Org Chart; Job Descriptions; Background Checks
Document Standards, Policies, and Procedures. Deliverables: Documentation
Communicate Standards, Policies and Procedures. Deliverables: Communication Plans; Training Plans
Implement, Promote and Enforce. Deliverable: An Implemented Program
Monitor, Audit, and Report. Deliverables: Audit Program; Program Evaluation; Hotline; Audit Reports
Continuous Improvement. Deliverables: Enforcement; Modifications to any or all noted deliverables
COSO Management Controls

• At multiple levels across multiple functions:
– Internal Environment
– Objective Setting
– Event Identification
– Risk Assessment
– Risk Response
– Control Activities
– Communication
– Monitoring
Compliance as a Process: Map to COSO

Process steps: Assess Risk/Identify Requirements; Establish/Modify Compliance Organization; Document Standards, Policies, and Procedures; Communicate Standards, Policies, and Procedures; Implement, Promote and Enforce; Monitor, Audit, and Report; Leadership/Corporate Culture; with Continuous Improvement at the center of the cycle.

COSO components mapped onto the process:
• Internal Environment
• Objective Setting
• Risk Assessment
• Risk Response
• Control Activities
• Communication
• Monitoring
• Reporting

Applied across organizational levels (Entity-level; Division; Business Unit; Subdivision) and objective categories (Strategic; Operations; Compliance).

Leadership/Corporate Culture: Promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law (§8B2.1.a.2 and b)
CObIT “Process Controls”
Compliance as a Process: Map to CObIT Processes

Process steps: Assess Risk/Identify Requirements; Establish/Modify Compliance Organization; Document Standards, Policies, and Procedures; Communicate Standards, Policies, and Procedures; Implement, Promote and Enforce; Monitor, Audit, and Report; Leadership/Corporate Culture; with Continuous Improvement at the center of the cycle.

CObIT process controls mapped onto the process:
• Ownership
• Goals and Objectives
• Roles and Responsibilities
• Define Policies, Plans, Procedures
• Communicate Policies, Plans, Procedures
• Repeatability
• Performance Metrics (Performance Improvement)
• Compare Measurements (Performance Improvement)
• Performance Improvement
• High-level Oversight

Leadership/Corporate Culture: Promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law (§8B2.1.a.2 and b)
OCEG Foundation-level Guidelines

• Culture
– Ethics
– Risk
– Governance
– Workforce
• Organization/Personnel
– Leadership
• Oversight
• Strategy
• Operations
• Process
– Plan/Organize
– Prevent/Protect/Prepare
– Monitor/Evaluate
– Respond/Improve
• Technology
Compliance as a Process: Map to OCEG Foundation

Process steps: Assess Risk/Identify Requirements; Establish/Modify Compliance Organization; Document Standards, Policies, and Procedures; Communicate Standards, Policies, and Procedures; Implement, Promote and Enforce; Monitor, Audit, and Report; Leadership/Corporate Culture; with Continuous Improvement at the center of the cycle.

OCEG Foundation elements mapped onto the process:
• Leadership: Oversight, Operations
• Leadership: Strategy
• Organization: Leadership
• Culture: Risk
• Culture: Ethics, Governance, Workforce
• Process: Plan, Organize
• Process: Prepare
• Process: Prevent, Protect
• Process: Monitor, Evaluate
• Process: Respond, Improve

Leadership/Corporate Culture: Promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law (§8B2.1.a.2 and b)
Compliance Action Plan: One Possible Configuration

• Risk Assessment Program
– Identifying Requirements
– Compliance Inventories
• Compliance Plan
– Org Chart
– Roles and Responsibilities
– Annual Plan Evaluation
• Monitoring Program
– Hotline
– Background Checks
• Compliance Audit Program
• Communications Plan
• Training Plan
• Annual Action Plan
– Implementation Program
• New or Improved Policies and Procedures
• Lots and Lots
• Leverage Corporate Leadership Training
The Compliance Process: Organizational Levels

Governance
Management: Risk: Mid-level; Org: Management; Document and Communicate: Departmental Compliance Programs; Policies and Procedures; Promote and Enforce: Departmental Policies and Procedures; Monitor: Effectiveness of departmental programs; Departmental Policies and Procedures
Performance/Operational: Risk: Operational; Org: Front-line Professionals; Document and Communicate: Operational Procedures; Promote and Enforce: Operational Procedures; Monitor: Operational Procedures

*Companies subject to the FERC Standards of Conduct must designate a Chief Compliance Officer