2017 ICPA Survey - wecc.org ICPA Survey V6.0.docx · Web viewThe WECC Internal Compliance Program Assessment (ICPA) is a tool to help entities assess their internal compliance programs

2017 ICPA Survey

CONTACT INFORMATION

Entity Name:

Click here to enter text.

NERC # Registry ID:


Primary Compliance Contact Name:


Primary Contact Title:


Office Phone:


Cell Phone:


Email:


Alternate Compliance Contact Name:


Alternate Compliance Contact Title:


Office Phone:


Cell Phone:


Email:


Authorizing Entity Officer Name:


Authorizing Entity Officer Title:


Mailing address (Not a P.O. Box):


Telephone:


Email:


2017 Internal Compliance Program Assessment ICPA

February 1, 2017

Internal Compliance Program Assessment

Western Electricity Coordinating Council

WECC Compliance Monitoring and Enforcement Program

Internal Compliance Program Self-Assessment Version 2.0 12/3/12

2

TABLE OF CONTENTS

PURPOSEi

INSTRUCTIONSi

SURVEY QUESTIONS1

1.Established Formal Internal Compliance Program1

2.Well Documented and Widely Disseminated2

3.Officers/Personnel3

4.Independent Access to Executives4

5.Independently Managed5

6.Resources6

7.Leadership Support7

8.Program Evaluation and Modification8

9. Compliance Training9

10.Self-Audit10

11.Enforcement11

12.Internal Controls13

13. Risk Assessment15

AUTHORIZATION16

APPENDIX A: Selected Example ICP Practices17


18

PURPOSE

The WECC Internal Compliance Program Assessment (ICPA) is a tool to help entities assess their internal compliance programs. The ICPA will assist WECC in its review and understanding of the programs that entities have implemented to ensure compliance with the NERC Reliability Standards. The ICPA is:

Based on relevant FERC orders, FERC direction, and WECC and NERC experience related to robust internal compliance programs.

Composed of questions designed to focus on various aspects of an entitys program.

Designed to prompt an entity to identify and gather specific, relevant information related to its internal compliance program.

Adaptable to allow for the unique constraints of smaller entities, as well as flexible enough to recognize distinct characteristics across the variety of programs.

INSTRUCTIONS

1. For each question below, choose the statement that best describes the responsible entitys current status.

2. Please attach supporting documentation or provide associated page numbers and paragraph references within the ICP, and submit this completed package to WECC.

For example, this documentation package may include, but not be limited to:

Organizational charts

Internal plans, policies, processes and/or procedures

Emails

Training manuals

PowerPoint presentations with associated attendance rosters

ICP workshops; and/or

Computer Based Training modules.

Note: For the purposes of this document, compliance program(s) refers to programs concerned with compliance with NERC Reliability Standards.


1

SURVEY QUESTIONSEstablished Formal Internal Compliance Program

Is the ICP an established, formal program? For example, does the ICP contain fully documented plans, policies, processes and/or procedures, internal controls, and other systematic preventive measures for the governance and management of compliance with NERC Reliability Standards?

Note: See Appendix A for example practices.

Choose the statement that best describes the ICP:

NO

The ICP does not have any documented plans, policies, processes and/or procedures, internal controls, and other systematic preventive measures.

PARTIAL

The ICP has some documented plans, policies, processes and/or procedures, internal controls, and other systematic preventive measures, but does not address all.

YES

The ICP has well documented plans, policies, processes and/or procedures, internal controls, and other systematic preventative measures.

Describe, in narrative form, how the entity documents its ICP:


Please provide supporting evidence. Examples of supporting evidence may include one or more of the following or equivalent:

The entitys ICP document(s)

Plans, policies, processes and/or procedures, internal controls, and other systematic preventive measures associated with the entitys governance and management of compliance with NERC Reliability Standards

Other documented processes and/or procedures as applicable

Applicable Document(s), Page and Section

Date and/or Version



Well Documented and Widely Disseminated

Does the ICP require communication to all employees, including contractors and vendors, etc.? Has the ICP, (i.e. all plans, policies, processes and/or procedures) been widely disseminated throughout the entity?


NO

The ICP has not been distributed.

PARTIAL

The ICP has been distributed only to the employees that are involved in the development and implementation of the ICP.

PARTIAL

The ICP has been distributed only to the employees that have a direct responsibility for compliance with the NERC Reliability Standards.

YES

The ICP has been distributed to all employees, and, if applicable, to contractors and vendors.

Describe, in narrative form, how the entity disseminates the ICP to all appropriate relevant employees, including contractors and vendors:



Compliance Training Program

Compliance Communications Program

Website samples

Sample e-mail memos, newsletters, etc.


Date and/or Version



Officers/Personnel

Has the entity named and staffed a Compliance Officer, FERC/NERC Director, or additional FERC/NERC personnel as required to support its ICP?

Smaller Entities: A smaller entity may not have sufficient staff to dedicate one employee as a full-time Compliance Officer or FERC/NERC Director. In such cases, has the entity assigned one person the responsibility to coordinate or monitor the entitys compliance responsibilities?


NO

The entity has not identified or assigned compliance responsibility and accountability to a Compliance Officer, FERC/NERC Director/Manager, or other high-ranking official.

PARTIAL

The entity has identified and assigned responsibility for some compliance activities to various employees throughout the organization.

YES

The entity has identified and assigned responsibility and accountability to a Compliance Officer or other high-ranking official, FERC/NERC Director/Manager, and additional personnel as required. For larger organizations, at least one position is fully dedicated to FERC/NERC compliance. For smaller organizations, at least one position is partially dedicated to FERC/NERC compliance. Below, provide the name(s) and title(s) of the employee(s) currently staffing this/these position(s).

Name(s):


Describe, in narrative form, how the entity has assigned compliance responsibility in the organization:



Compliance Organizational Chart

Defined Roles and Responsibilities assigned to entity personnel for each NERC Reliability Standard identified in Item 2 above


Date and/or Version



Independent Access to Executives

Does the assigned compliance official(s) have independent access to the CEO or equivalent and/or Board of Directors?

Note: If your entity does not currently have an assigned compliance official, please answer NO to this question.


NO

The entitys assigned compliance official does not have independent access to the CEO or equivalent and/or Board of Directors.

YES

The entitys assigned compliance official has independent access to the CEO and/or Board of Directors.

Describe, in narrative form, how the entity provides independent access to the CEO or equivalent and/or Board of Directors for its employee(s) responsible for compliance:



Organizational chart or plan showing independent access

Sample meeting minutes, notes, agendas, emails, etc., showing independent access to senior management


Date and/or Version



Independently Managed

Is the ICP operated and managed so it is independent of those responsible for compliance with the NERC Reliability Standards?

Smaller Entities: A smaller entity may not have the available personnel to manage its ICP separately from the work groups that are responsible for complying with NERC Reliability Standards. In such cases, those personnel responsible for compliance should at minimum have independent access to the companys assigned compliance official, the CEO or equivalent, and/or the Board of Directors (see item 5 above).


NO

The ICP is not managed or operated independently of the work groups that are responsible for complying with NERC Reliability Standards.

PARTIAL

The ICP is managed by the work groups that are responsible for complying with NERC Reliability Standards, but it is managed independently.

YES

The ICP is managed and operated independently of the work groups that are responsible for complying with NERC Reliability Standards.

Describe, in narrative form, how the entity independently manages its ICP:


Please provide supporting evidence. Examples of supporting evidence may include the following document or equivalent:

Organizational chart or plan which shows how the program is independently managed

For smaller entities, please provide applicable documentation


Date and/or Version



Resources

Has the entity dedicated resources (staff and budget) to support its ICP?


NO

The entitys budget does not provide for any staff resources to work on compliance with NERC Reliability Standards.

PARTIAL

The entity has provided for staff resources within its budget but cannot demonstrate that staff resources were allocated to compliance with NERC Reliability Standards.

YES

The ICP is fully budgeted and fully or partially staffed (relative to the number of full time equivalent staff that implements the Reliability Standards) on a year-round basis.

Describe, in narrative form, the support the entity allocates to its ICP:


Please provide supporting evidence. Examples of supporting evidence may include the following document or equivalent:

Organizational chart or plan which shows compliance roles and responsibilities and how they are staffed


Date and/or Version



Leadership Support

Does the ICP have the support and participation of senior management (Officer Level)? This includes reviewing compliance reports, participating in compliance meetings, and communicating the importance of compliance to entity personnel on a regular basis.


NO

Senior management does not actively support or routinely participate in the ICP.

PARTIAL

Senior management reviews compliance reports, participates in compliance meetings, and communicates to employees their commitment to compliance at least semi-annually.

YES

Senior management is actively involved in compliance efforts, reviews compliance reports, participates in compliance meetings, and communicates to employees its commitment to compliance frequently, both formally and informally. Compliance activities occur at least quarterly.

Describe, in narrative form, the support the ICP receives from the entitys Officer Level leadership:



Samples of Senior Management Communications for the past 12 months

Samples of Compliance meeting agendas for the past 12 months

Samples of Compliance committee meeting minutes for the past 12 months

Samples of relevant e-mail memos, newsletters, etc. for the past 12 months

Description of management review/approval process and/or procedure


Date and/or Version



Program Evaluation and Modification

Does the entity regularly review and modify its ICP? This includes a process and/or procedure to trigger a review of the ICP either following a violation or following changes to NERC Reliability Standards, and modifying the ICP, if necessary. Does the ICP contain a process and/or procedure for identifying and updating its list of NERC Reliability Standards applicable to the entity?


NO

The ICP does not have an identified review cycle or a process and/or procedure to trigger a review. ICP does not have a list of NERC Reliability Standards applicable to the entity or a process and/or procedure to identify and update that list.

PARTIAL

The ICP does not specify a review cycle; however, the entity has a process and/or procedure to trigger a review, or has reviewed and modified its ICP since the entity was registered. The ICP has a list of NERC Reliability Standards applicable to the entity but it does not have a process and/or procedure for updating its list.

YES

The ICP is reviewed on at least an annual cycle. In addition, the entity has a process and/or procedure to trigger a review either following a violation or following changes to NERC Reliability Standards. The ICP is modified as necessary. The ICP contains a process and/or procedure for identifying and updating its list of NERC Reliability Standards applicable to the entity.

Describe, in narrative form, how the entity reviews and modifies its ICP:



ICP review and modification process and/or procedure

A sample of recent ICP reviews, including version control records

A plan or other document that lists NERC Reliability Standards that apply to the entity

A description of the process and/or procedure the entity follows to update this list when Standards change, as applicable

Version control records of the entitys Reliability Standards lists


Date and/or Version



9. Compliance Training

Does the ICP require compliance training for all entity staff, contractors and vendors who have direct responsibility for the implementation of the processes and/or procedures that demonstrate compliance with the NERC Reliability Standards? Relevant personnel may include but are not limited to: Subject Matter Experts (SMEs), Engineers, Technicians, Vegetation Management implementers and System Operators (as applicable). Does this training measure understanding through quizzes, exams, surveys, etc. consistent with a Registered Entitys collective bargaining agreements?



NO

The ICP does not require training for relevant personnel.

PARTIAL

The ICP requires training for personnel that have a direct responsibility for compliance with NERC Reliability Standards.

YES

The ICP includes detailed training for personnel, including contractors and vendors that have a direct responsibility for compliance with NERC Reliability Standards, including assisting personnel who must keep professional credentials up-to-date. Training also includes overview compliance awareness training for other employees that do not have a direct responsibility for compliance with NERC Reliability Standards. All training includes processes and/or procedures that measure the degree of understanding and comprehension of such Standards (quizzes, etc.), consistent with a Registered Entitys collective bargaining agreements.

Describe, in narrative form, how the entity provides compliance training to all personnel, including contractors and vendors (see above):



Compliance Training Program

Compliance Communications Program

Samples of training modules

Attendance records


Date and/or Version



1. Self-Audit

Does the ICP include a formal, internal self-auditing process and/or procedure for compliance with all applicable NERC Reliability Standards on an annual basis? Are results reported internally?


NO

The ICP does not include an internal self-auditing and reporting process and/or procedure.

PARTIAL

Although the ICP includes a process and/or procedure for internal self-auditing and reporting, the entity does not self-audit and report on at least an annual basis.

YES

The ICP includes internal self-auditing and reporting for compliance on an annual basis for full compliance with all applicable NERC Reliability Standards. Audit results are reported and reviewed internally.

Describe, in narrative form, how the entity self-audits its ICP:


Please provide supporting evidence. Examples of supporting evidence may include one of more of the following or equivalent:

ICP self-audit program

Sample of the audit reports or other results (past 12-24 months) redacted if necessary


Date and/or Version



Enforcement

Does the ICP include processes and/or procedures for disciplinary action for employees involved in violations of the Reliability Standards? Are available Human Resources (HR) disciplinary programs utilized as necessary? Is Senior Leadership or the Board involved as necessary? Conversely, does the entitys ICP include employee compliance with NERC Reliability Standards as a performance factor on job descriptions and performance evaluations to encourage accountability?


NO

The entitys ICP does not include disciplinary action for employees who are responsible for violations of NERC Reliability Standards. The ICP does not include employee compliance with NERC Reliability Standards as a performance factor on job descriptions and performance evaluations.

PARTIAL

The entity takes disciplinary action for employees responsible for violations of NERC Reliability Standards; however, the entity does not have a formal documented disciplinary action process and/or procedure.

YES

The entitys ICP includes detailed disciplinary action processes and/or procedures for employees involved in NERC Reliability Standard violations, including involving HR, Senior Leadership, and/or the Board as necessary. The entity has administered disciplinary action when appropriate. The ICP includes compliance with NERC Reliability Standards as a performance factor on job descriptions and performance evaluations.

Describe, in narrative form, the entitys disciplinary action for employees that are responsible for violations of NERC Reliability Standards:


Describe, in narrative form, how the entity uses employee compliance with NERC Reliability Standards as a performance factor on job descriptions and performance evaluations to encourage accountability:


Please provide supporting evidence. Examples of supporting evidence may include:

Company policies relating to disciplinary actions for compliance violations

Samples of any recent disciplinary actions (past 12-24 months) redacted if necessary

Company programs relating to compensation, awards, employee recognition, or other monetary and/or non-monetary incentives relating to compliance

Samples of non-confidential information related to actual awards or other incentives

Job Descriptions

Other examples of programs or policies entity uses to promote a culture of compliance


Date and/or Version



Internal Controls

Does the ICP include a process and/or procedure to implement internal controls to prevent, detect and/or correct, and report possible violations of NERC Reliability Standards? This includes assessing the effectiveness of internal controls and specific processes and/or procedures to promote prompt detection and self-reporting of possible violations to the Regional Entity (WECC).

See Appendix A for internal controls description and generic examples of internal control activities.


NO

The ICP does not include a process and/or procedure to put into place and assess the effectiveness of internal controls. The entity has not implemented any internal controls. The ICP does not include processes and/or procedures for self-reporting possible violations of applicable NERC Reliability Standards.

PARTIAL

The ICP does not have a process and/or procedure to implement and assess the effectiveness of internal controls. However, the entity has implemented some internal controls. The ICP does not include processes and/or procedures for self-reporting possible violations of applicable NERC Reliability Standards, but the entity has self-reported violations to WECC since the entity was registered.

YES

The ICP contains a process and/or procedure to implement and assess the effectiveness of internal controls. The entity has also implemented robust internal controls to prevent, detect and/or correct possible violations of NERC Reliability Standards. The ICP also includes processes and/or procedures for self-reporting possible violations of applicable NERC Reliability Standards. In addition, entity has followed these processes and/or procedures and, if a violation was found, promptly self-reported the violation to WECC.

Describe, in narrative form, how the entity uses internal controls to prevent, detect and/or correct, and report the possible violation of NERC Reliability Standards, and how the entity assesses the effectiveness of those controls:



Process and/or procedure for establishing and assessing internal controls

Examples of internal controls implemented (See Appendix A for generic examples of internal control activities)

Assessments and/or reviews completed by the entity to determine the effectiveness of internal controls (i.e. in terms of high-risk Reliability Standards; in terms of preventative, detective, or corrective; etc.)

Processes and/or procedure for self-reporting

A sample of recent self-reports

A list of the entitys self-reports for the past 12 months


Date and/or Version



13. Risk Assessment

Does the ICP include processes and/or procedures to assess compliance and reliability risks related to the NERC Reliability Standards on an annual basis. Does the ICP also include processes and/or procedures to assess risk to reliability posed by a particular noncompliance?



NO

The ICP does not document how compliance and reliability risk is assessed.

PARTIAL

Although the ICP includes processes and/or procedures to assess compliance and reliability risks, the entity does not assess risk on an annual basis or for specific issues of noncompliance.

YES

The entity assesses its compliance and reliability risks, and the ICP includes processes and/or procedures to assess compliance and reliability risks at least annually and for specific issues of noncompliance.

Describe, in narrative form, how the entity assesses compliance and reliability risks:



The entitys compliance and reliability risk assessment processes and/or procedures

Final risk assessment reports


Date and/or Version



AUTHORIZATION

An authorized individual must sign and date this Internal Compliance Program Assessment. By doing so, this individual, on behalf of the entitys organization, certifies that the information submitted herein is accurate.

1. This certifies that I am of .

2. I am an officer, employee, attorney or other person authorized to sign this Internal Compliance Program Assessment on behalf of .

3. I have read and am familiar with the contents of the Internal Compliance Program Assessment and related documents submitted herein.

4. I understand that based on the answers herein, WECC may request more information specific to (RE) s ICP.

5. To the best of my knowledge, the information provided in this response is correct.

Authorized Signature:

Name (Print):


Title:


Date:


APPENDIX A: Selected Example ICP Practices

Internal Compliance Program

1. Outline and describe the elements of the ICP in an overview document that includes the following sections:

a. Purpose, Background, and Program Overview

Senior Management, Compliance Officer and Internal Compliance Program Core Members (including roles and responsibilities)

b. Risk Assessment

c. Internal Controls

d. Measurable Compliance Performance Targets

e. Compliance Communication and Training

f. Self-Audit and Self-Certification

g. Self-Reporting

h. Documentation and Record Keeping

i. Version History

j. Attachments/Links

i. Applicable Reliability Standards

ii. Organizational Chart

iii. Terms and Definitions

2. Outline and describe the elements of ICP in an overview document that includes the following:

a. Compliance Culture including organization, senior management commitment, funding, staffing, communication and ICP dissemination.

b. Control Environment including monitoring, tracking, control, documentation, data retention, reporting, remediation, risk assessment.

c. Continual Improvement including internal auditing, education and training.

3. Along with the ICP overview document, develop an ICP Handbook companion document that includes specific ICP plans associated with the ICP. These plans are detailed processes and/or procedures, which also include the purpose, objective, responsibilities, reference documents and revision history for each plan.

Identify and Update Requirements

1. Create a list (in a database, in spreadsheet form, or as a word document) which clearly identifies all applicable NERC and WECC Reliability Standards. The list should:

a. Be updated on at least an annual basis, but more frequently as appropriate.

b. Contain information as to where NERC and WECC Reliability Standards may be found.

2. On the list of applicable NERC and WECC Reliability Standards, assign specific Standard Requirements to certain employees, e.g. Subject Matter Experts (SMEs) or Reliability Standard Owners.

a. The employees would be obligated to continuously monitor and track compliance with assigned NERC Reliability Standards.

i. List any specific tasks required for compliance

ii. List any measureable compliance performance targets associated with tasks required for compliance

3. Ensure new or modified Reliability Standards are promptly identified and communicated to those required to comply with the standards.

a. Conduct regular (e.g. quarterly) reviews of applicable NERC and WECC Reliability Standards to ensure that:

i. All applicable Standards are being addressed;

ii. Any changes to Standards are being incorporated into the entitys ICP; and

iii. Entity personnel remain aware of any updates, additions, or modifications to the Standards.

b. Review ICP following NERC or WECC information release, e.g., Compliance Application Notices, Updates on Audit Approach (presentations at the CUG meetings), Reliability Standard Interpretations, et cetera.

4. Develop or implement a comprehensive compliance tracking solution, beyond a spreadsheet, (e.g. specialized third-party software) which includes all applicable NERC and WECC Reliability Standards and Requirements down to the sub-requirement level.

a. Document a process for updating all reliability standards on a frequent basis while allowing multiple groups to track their compliance activities.

b. Leverage the compliance tracking solution as a depository for documenting evidence, gap analysis records and other data related to entitys compliance with the Reliability Standards.

5. Convert the text of the individual Reliability Standards into hyperlinks which point to the respective standards on the NERC website. Users of the lists can then easily access the details of the Reliability Standards at the source.

Risk Assessment

1. At a high level, adopt a strategic risk management approach, which incorporates the following:

a. Anticipate the Risk

i. Assume the worst can happen at any time.

ii. Anticipate the next happening.

iii. Play it out. Think it through.

iv. Figure out what you do not know.

b. Assess the Risk

i. What is the likelihood of the event?

ii. What is the magnitude?

c. Act Against the Risk

i. Establish a strategy to mitigate the risk.

ii. Maintain a holistic view of the risk and solution.

d. Adopt a Plan

i. Develop processes and procedures (specific to risk management).

ii. Identify roles and responsibilities.

2. At a high level, and with a focus on compliance and reliability risk, adopt an Enterprise Risk Management (ERM) approach, which incorporates the following:

a. Identify Risks

b. Assess and Evaluate Risks

c. Integrate Risks

d. Respond to Risks

e. Design, Implement and Test Controls

f. Monitor, Assure and Escalate

3. At a high level, and with a focus on compliance and reliability risk, adopt a strategic risk management approach, which incorporates the following:

a. Anticipate the Risk

i. Assume the worst can happen at any time.

ii. Anticipate the next happening.

iii. Play it out. Think it through.

iv. Figure out what you do not know.

b. Assess the Risk

i. What is the likelihood of the event?

ii. What is the magnitude?

c. Act Against the Risk

i. Establish a strategy to mitigate the risk.

ii. Maintain a holistic view of the risk and solution.

d. Adopt a Plan

i. Develop processes and procedures (specific to risk management).

ii. Identify roles and responsibilities.

4. Uses a point system to compile a compliance and reliability risk index score for all entity applicable Reliability Standard Requirements and sub-requirements.

a. The score could incorporate several risk factors, including:

i. Violation Risk Factor (VRF)

ii. Actively Monitored List (AML) or equivalent list

iii. Entity violation history, (taking into account Standard Requirements violated, Violation Impact, Violation Severity Level (VSL), and mitigation status)

iv. WECC/NERC Most Violated Reliability Standards Reports

v. Requirements that have annual, event driven or periodic activity, likelihood of occurrence

vi. New versions of Reliability Standards

vii. Changes in key personnel (e.g. SMEs)

b. Quantify and score the risk for each applicable Reliability Standard Requirement.

i. Develop a method to quantify and evaluate the risk for each risk factor and each applicable Reliability Standard Requirement, e.g. create a risk assessment matrix listing each applicable Reliability Standard Requirement and each risk factor.

ii. Develop a scale, e.g. a numeric scale from 1 to 5, or scale of High/Medium/Low, and quantify the level of risk for each risk factor for each Reliability Standard Requirement. Includes the weighting of risk based on likelihood and magnitude factors.

iii. Aggregate the risk factor valuations into a risk index score for each Reliability Standard Requirement.

c. Use the point system above to determine, based on criteria established by the entity, which Standard Requirements pose the greatest compliance and reliability risk.

d. Based on the risk-assessment results, the entity may choose to focus more attention on the higher-risk Standard Requirements.

e. Clearly document the risk assessment results by Reliability Standard Requirement:

i. Create a spreadsheet or word document with a list of applicable Reliability Standard Requirements.

ii. Flag or otherwise identify higher-risk Requirements.

iii. List the key control(s) for each identified risk.

5. Use a more basic risk-assessment approach which assesses all entity applicable Reliability Standard Requirements and sub-requirements and simply flags or highlights Requirements based on risk factors. (See risk factors listed under 1.a. above.)

6. Conduct risk assessments on a regular basis, i.e., annually, or more frequently based on the level of risk.

7. Group or categorize related risks together to reduce management and resource needs for mitigation activities and controls.

8. Integrate internal controls with the risk assessment, i.e., each identified risk should have at least one key control. These key controls should be reassessed periodically and could fall under one or more of the following general categories:

a. Preventative Controls

b. Detective Controls

c. Corrective Controls

9. Annually distribute a risk-assessment questionnaire to managers who have compliance oversight responsibilities and employees who have direct responsibility for compliance with Reliability Standards to help evaluate any changes in known risks and help detect any new risks that might otherwise go unidentified. Incorporate review of the questionnaire results into the risk-assessment process.

10. Incorporate the assessment of risk associated with significant change by anticipating and monitoring change in the following areas:

a. External Environment (regulatory/compliance, social, political, technological, etc.)

b. Strategic Planning (business model, regulatory/compliance, services, neighboring entities, etc.)

c. Succession Planning (executives, key employees, etc.)

Compliance Training

1. Ensure all employees and contractors receive an appropriate level training on the ICP and NERC Reliability Standards each year or at the initiation of the business relationship.

2. Incorporate in the training, and/or follow-up the training with a survey or examination to measure understanding of the training material.

a. Based on the survey or examination results, make changes to the training program as necessary.

Promoting Compliance through Employee Incentives

1. Non-Monetary Ideas

a. Certificates of exceptional performance

b. Letters acknowledging an employees activities

c. Recognition at staff meetings

d. Congratulatory communications copied to all employees

e. Reserve a premium parking space for an employee of the month

f. Adopt an annual compliance and reliability award, and give it to the individual that has exhibited the strongest commitment to compliance and reliability

Internal Controls

1. Preventive Control Activities

a. Automated compliance work management system

b. Documented NERC compliance responsibilities

c. Training regarding the policies and procedures used to ensure compliance with the Reliability Standards

d. Use of colored lanyards or other overt identification methods to identify escorted visitors in NERC CIP Physical Security Perimeters

e. Restricting access to assets

f. Documented configuration management program

g. Documented change management program

h. Records management system

2. Detective Control Activities

a. Automated systems that check and identify compliance discrepancies

b. Periodic review of control center communications, e.g., listening to a prescribed number of voice recordings for each period

c. Quarterly self-assessments used to identify individual who gained access to CIP cyber areas without the proper training or background investigations

d. Review by responsible management of compliance documentation

e. Reviews of performance against defined criteria

3. Corrective Control Activities

a. Root Cause Analysis Program

b. Event Analysis

c. Business Continuity and Recovery Plans returns an operation to a normal operating state after a failure or interruption

Documents

2017 ICPA Survey - wecc.org ICPA Survey V6.0.docx · Web viewThe WECC Internal Compliance Program Assessment (ICPA) is a tool to help entities assess their internal compliance programs