The North American Electric Reliability Corporation (NERC) regional entity audit teams will be implementing a risk-based audit program, the Reliability Assurance Initiative (RAI), in 2015. Registered Entities need to be prepared for upcoming changes in compliance standards.
NERC’s plan is to transform the current compliance and enforcement program into one that focuses on high reliability risk areas and reduces administrative burden on NERC Registered Entities. NERC’s stated program goals are:
- Develop enforcement incentives to distinguish between poor performance that must be discouraged and positive behaviors that contribute to higher accountability and improved performance;
- Design a compliance program that recognizes an entity’s risk to reliability along with its management controls and corrective action programs used to meet the reliability standards; and
- Reduce the administrative burdens of the compliance and enforcement program on industry while gaining efficiencies.
The implementation of the RAI Standards for audits will begin in 2015. Registered Entities should be in the process of evaluating their current control environment for compliance to close any gaps in performance.
What are the requirements of the RAI?
NERC is currently running a pilot program to evaluate the RAI through the regional Electric Reliability Organization (ERO) audit teams. The pilot program, applied to a selection of utilities, uses five criteria to evaluate a risk-based audit approach:
1. Transparency for oversight purposes
2. Program design elements effectiveness
3. Alignment to the Reliability Standards
4. Implementation requirements
5. Impact on Registered Entities
NERC’s timeline for this pilot program is as follows:
Benefits gained through the RAI program
NERC has stated that the end goal is more effective audits and encouraging an overall compliance environment that provides more reliability to the Bulk Electric System (BES) while cutting down on some of the “one and done” aspects of the current audit and enforcement structure – i.e. focusing on smaller audit areas vs. the bigger picture.
Some NERC stated benefits from this process include:
- Improved self-violation reporting mechanisms by Registered Entities
- The NERC audit scope incorporates risk criteria instead of blind enforcement
- Lesser risk violations do not result in enforcement actions
- Audit scope is based on a common ERO risk-based methodology
Based on this approach, the compliance regime shifts to a standard, risk-based audit practice, similar to other entities that use a common audit approach to assess risk to reliability. The compliance approach will be to assess the strength of management controls relative to meeting compliance standards.
What should Registered Entities do to be ready for their next audit under the RAI?
NERC auditors will focus mainly on noncompliance that poses a serious risk to the reliability of the Bulk Electric System. They will structure their engagements to recognize existing processes and encourage Registered Entities to continue to self-identify, mitigate and record noncompliance. Their focus will be on reliability and effective controls in the organization under audit.
For organizations that utilize approaches such as the COSO 2013 Framework, this application is built to be used for RAI readiness. Much like with the Reliability Standards Auditors Worksheets (RSAWs), NERC has given Registered Entities the playbook for compliance.
Registered Entities should be evaluating the components of the Framework that address NERC compliance, including:
- Control environment
- Risk assessment
- Control activities
- Information and communication
Example RAI readiness plan:
For more information on this topic, or to learn how Baker Tilly energy and utility specialists can help, contact our team.