PUBLIC DOCUMENT TRADE SECRET DATA EXCISED. Before the Minnesota Public Utilities Commission State of Minnesota. Docket No.

PUBLIC DOCUMENT TRADE SECRET DATA EXCISED

Direct Testimony and Schedules
David C. Harkness

Before the Minnesota Public Utilities Commission
State of Minnesota

In the Matter of the Application of Northern States Power Company for Authority to Increase Rates for Electric Service in Minnesota

Docket No. E00/GR-1-
Exhibit (DCH-1)

Business Systems

November, 01

TABLE OF CONTENTS

I. Introduction
II. Business Systems Investment Strategy
III. Business Systems Governance
IV. Business Systems Test Year Capital Investments
V. Business Systems Step Year Capital Investments
VI. Test Year O&M Budget
VII. Compliance Information
VIII. Conclusion

SCHEDULES

Statement of Qualifications: Schedule 1
Business Systems Capital Projects: Schedule
01 In-Service Projects with Emergent Demand Account Funding: Schedule
O&M Costs by General Ledger Account: Schedule
Software Contract Escalators by Major Vendor: Schedule
Excerpts from Direct and Rebuttal Testimony of Amy L. Stitt in Docket No. E00/GR-1-1: Schedule
Software Maintenance Contract Additions for 01: Schedule

I. INTRODUCTION

Q. PLEASE STATE YOUR NAME AND OCCUPATION.
A. My name is David C. Harkness. I am the Chief Information Officer (CIO) and Vice President of Xcel Energy Services Inc. (XES).

Q. PLEASE SUMMARIZE YOUR QUALIFICATIONS AND EXPERIENCE.
A. I have more than years of experience in the field of Information Technology (IT), with of those years in a management role. I joined Xcel Energy and Northern States Power Company in November 00, following six years at PNM Resources in Albuquerque, New Mexico, where I first served as Senior Director, Business Process Outsourcing, then as Senior Director of Business Transformation and, finally, as Vice President and CIO for more than three years. While in New Mexico, I was also appointed by Governor Richardson to New Mexico's Information Technology Commission, where I helped establish and direct the IT Strategy for the State of New Mexico. Prior to that experience, I held several IT Leadership roles for McLeod USA, MCI, and Rockwell International, where I began my career in 1.

In my current position, I am responsible for the XES Business Systems organization, which provides IT services to the Xcel Energy's shared services and the operating companies. In this role, I am responsible for the corporate Business Continuity function and IT disaster recovery. I report to the Chief Administrative Officer. My resume is attached as Exhibit (DCH-1), Schedule 1.

Q. WHAT ARE THE MAJOR FUNCTIONS AND RESPONSIBILITIES OF THE BUSINESS SYSTEMS ORGANIZATION?
A. The Business Systems organization is the centralized information technology organization, providing technology services across all operating companies including the Company. These services include support for the following business operations:

Foundational Technology Infrastructure. Business Systems is responsible for providing support for each employee's hardware and software needs. This includes maintaining and updating the operating system used on employee computers and providing sufficient data storage capabilities. Business Systems is also charged with protecting the security of the Company's data from cyber attacks.

Systems Controls. We provide technology support to our generation, transmission, and distribution units to help manage and operate the electric and gas system. This includes providing and supporting software applications such as Supervisory Control and Data Acquisition (SCADA) which is used to monitor the health of the transmission and distribution systems.

Customer Support. We provide support for infrastructure and software that facilitate interactions with our customers. This includes maintaining the Customer Resource System, which is the Company's customer information system of record, and which generates approximately million billing statements to Xcel Energy customers on a monthly basis. We also support the Interactive Voice Response (IVR) software that enables interaction with customers via telephone keypad or speech recognition. As discussed by Company witness Mr. Michael C. Gersack, this system, for which our customers consistently report high levels of customer satisfaction, has allowed nearly 0 percent of all Minnesota callers through August 01 this year to get the information they need, or transact with the Company without talking to a Customer Service Representative. Business Systems is also responsible for maintaining the Company's website that provides valuable information to customers about their account and Company operations.

Corporate Support. We also provide IT support for necessary corporate functions of the Company such as Human Resources and Financial Management. This includes providing and maintaining software applications that assist in the creation, tracking, reporting, and analysis of budget and forecast information.

Q. WHAT IS THE PURPOSE OF YOUR TESTIMONY IN THIS PROCEEDING?
A. I present and support the Northern States Power Company Capital and Operations and Maintenance (O&M) budgets for the Business Systems area, for purposes of determining test year electric revenue requirements and final rates in this proceeding.

Q. PLEASE SUMMARIZE YOUR TESTIMONY.
A. More than ever, dependence on technology is continuing to increase. As such, Business Systems provides a vital service to the Xcel Energy organization that enables the provision of efficient, effective, and safe electric and natural gas service to our customers. Technology is necessary to efficiently dispatch work to the field and operate our generating facilities, effectively purchase fuel for our customers, manage and monitor the electrical and natural gas systems, bill our customers for service, develop budgets and track expenditures, pay our employees, and offer programs to our customers and respond to their inquiries. We have used technology to improve our ability to forecast the wind, to efficiently take advantage of this renewable resource. We have implemented systems and connectivity that allow devices in the field to talk to each other and report their condition, facilitating proactive maintenance that avoids outages to customers, as well as faster restoration of electrical service when our customers are impacted by weather or other events on our system. We have deployed technology directly to our customers, allowing them to view and pay their bills online and very recently, assisted Customer Care to implement a redesigned billing statement for all of our retail customers.

In my testimony, I discuss the Business Systems organization and the information technology and business continuity services we provide to the Xcel Energy enterprise. I discuss how, for the last several years, we have held our capital and O&M costs relatively steady by maximizing the life of our systems and infrastructure. I also discuss several cost savings initiatives in which we have engaged, such as the renegotiation of our services agreement with IBM. These efforts have allowed us to delay significant investment in replacement of various systems, as well as redeploy cost savings to technology initiatives that provide the organization increased value.

We now, however, are entering a period where increased investment in our information technology infrastructure and assets is necessary to continue to meet our compliance obligations, and the needs of the organization and our customers. In total, we are proposing capital additions of $. million ($. million MN Electric Jurisdiction) and $.0 of O&M costs ($1.1 million NSPM Electric Jurisdiction) in the test year, and $.0 million of capital additions ($. million MN Electric Jurisdiction) in the 01 step of our Multi-Year Rate Plan. Our planned investments can be generally categorized as follows:

Cyber Security. Cyber security investments ensure the availability, integrity, and confidentiality of our information systems and are necessary to ensure we meet our legal and regulatory obligations and risk management objectives. These investments provide prevention, detection, containment, and corrective services to protect the Company from security incidents and breaches and assist in the recovery from adverse events.

Aging Technology. We apply a risk management approach to our information systems, meaning we seek to maximize our investments by maintaining our systems at the minimum level necessary to meet business area and organizational needs. This may mean that we do not perform upgrades at the same pace as provided by the software developer, for example. We call this harvesting our systems. There comes a point, however, when the business or compliance needs increase, or the risk of this approach outweighs its benefits, and we must upgrade or replace the system.

Increase Efficiencies. Investments that leverage technology to increase productivity fall into the Increase Efficiencies category. These investments may involve an increase in data capacity to facilitate or keep pace with increased technology usage; they may take advantage of wireless or intelligent mobile devices to dispatch or collect completed work in the field; or they may be improved integration and data analytics tools that provide increased management information to enable improved management decisions.

We determine our information technology plan by working with each of the business areas and operating companies within Xcel Energy to identify short- and long-term technology needs. The needs are typically greater than the organization's ability to fund them, so we apply a rigorous process to assess and prioritize the organization's needs. The plan is then subjected to various management reviews, and finally an executive review before it is incorporated into the budgets.

Technology is always evolving and plays a vital role in providing our customers with efficient, effective, and safe electric and natural gas service. Therefore, Business Systems must remain agile to take advantage of opportunities, and to effectively respond to emergent data security threats, compliance requirements, and business needs. Similar to our rigorous planning process, I discuss our process to respond to these emergent demands.

Finally, I discuss the Business Systems O&M budget, which includes costs for software maintenance, network communications, application development, and distributed systems such as servers, data storage, and desktop computer and printer maintenance. Similar to the capital budget, we have maintained a relatively flat O&M budget over the recent past and now expect expenditures to increase. These increases result from strategic insourcing of functions such as cyber security, as well as the increased O&M that is necessary to support the increased information technology investment plan.

We have entered a phase of increased investment in our information technology systems, which is necessary to continue to meet our compliance requirements and provide our customers with safe, effective, and efficient electric and natural gas service. We have effectively managed our systems and level of expenditures, focusing on cost-efficiencies and harvesting maximum value from our existing systems and other assets. We now must increase our investment to ensure our systems continue to prevent threats to their security, replace aging technology, and deploy efficiency solutions that enable the organization to continue to provide our customers with high levels of service.

Q. HOW HAVE YOU ORGANIZED YOUR TESTIMONY?
A. My testimony is organized into the following sections:

Section I: Introduction
Section II: Business Systems Investment Strategy
Section III: Business Systems Governance
Section IV: Test Year Capital Investments
Section V: Step Year Capital Investments
Section VI: Test Year O&M Budget
Section VII: Compliance Information
Section VIII: Conclusion

II. BUSINESS SYSTEMS INVESTMENT STRATEGY

A. Key Strategic Drivers

Q. WHAT ISSUES ARE DRIVING THE BUSINESS SYSTEMS STRATEGIC PLANNING?
A. As previously noted, the three key areas driving information technology investment are addressing evolving cyber security threats and requirements, replacing aging technology, and increasing efficiency.

1. Cyber Security

Q. PLEASE SUMMARIZE THE CYBER SECURITY ISSUES FACING THE COMPANY.
A. There are four cyber security issues that must be addressed: (1) keeping hackers out of our systems; (2) detecting hackers if they gain access to our systems; (3) removing hackers that gain access to our systems; and (4) returning our systems to their original state if hackers gain access. As the number of cyber threats, attacks, and regulatory requirements continue to increase in volume and complexity, it is imperative that the Company establishes and maintains the proper tools to protect the integrity and confidentiality of our data and our systems. Given that these threats are constantly in flux, it is important that these tools and resources continue to change in response to new threats to our information systems.

I should clarify that cyber security is not simply a matter of implementing a standardized base of security controls and processes that cover all the regulatory and legal requirements. Effective cyber security also requires filling the security gaps that would exist if we focused solely on regulatory and legal compliance. Many large financial companies that have had their data hacked in recent years were compliant with regulatory and legal requirements.

Q. WHAT IS BUSINESS SYSTEMS DOING TO ADDRESS THOSE ISSUES?
A. In the past two years, the Company has taken great strides forward to address cyber security issues. This includes creating a new department within Business Systems to focus on these issues, implementing new technologies and new systems, partnering with federal agencies to learn about new threats and solutions, and in-sourcing the Company's disaster recovery services. I will address each of these initiatives in turn.

First, the IT Security & Risk Management department within Business Systems was created in 0 out of the need to increase our overall cyber security posture, implement preparations and plans to be able to quickly mitigate any adverse events, respond appropriately and effectively to large scale events that would otherwise cause significant harm to the bulk electric system and/or natural gas delivery systems, and ensure regulatory compliance.

Second, to meet the needs and demands of today's security requirements, our department has implemented and operates multiple security systems and technologies. We identified needs to enhance, replace, or create service processes and operational procedures to ensure both full effectiveness of these technologies and a productive environment for Xcel Energy while still meeting our ever growing regulatory, legal, and best practice-based security needs. The technologies implemented to date include: Vulnerability Management, Advanced Threat Protection, Security Forensic tools, Advance Firewalls, Intrusion Prevention Devices, Data Loss Prevention software, and a Security Incident and Event Management system to correlate all the data and bring visibility to what is happening on our infrastructure.

Third, we have enhanced our partnerships with both regulatory and state/federal agencies to ensure we are tapped into the stream of information available regarding impending threats and attacks. These agencies include Edison Electric Institute, National Infrastructure Advisory Council, American Gas Association, the Federal Bureau of Investigation, and Homeland Security.

Finally, we have in-sourced our disaster recovery services to improve these functions and increase our capabilities in this area. In particular, we have implemented an isolated infrastructure and computing platform to enable thorough testing of all recovery plans to ensure full recoverability. We have also rebuilt the recovery plans for critical systems and continue to expand into secondary systems. We have also begun aligning the technology recovery needs with identified critical business functions and processes to ensure we not only recover the technology, but also the functions required to keep the Company providing its services to its customers.

Q. WHAT ARE THE NEXT STEPS FOR THE COMPANY IN THE AREA OF CYBER SECURITY?
A. The next steps are to complete implementation of these new systems, ensure adequate resources to operate and maintain them over time, and to continually evaluate how our processes are functioning and new threats that may emerge.

2. Aging Technology

Q. WHAT ARE THE PRIMARY ISSUES FACING THE COMPANY WITH REGARD TO AGING TECHNOLOGY?
A. Business Systems supports the operations of the Company with a large and growing IT infrastructure. Information assets are no different from physical assets in that they are subject to aging, technological obsolescence, increasing maintenance costs, and they may no longer adequately meet the business needs for which they were developed. A reasonably up-to-date infrastructure is necessary for the Company to continue to meet increasingly demanding data security, reliability, and compliance requirements, as well as the service expectations of our customers. For example, aging technologies are not equipped with the most current data security measures, such that they are more vulnerable to attack. Also, the recovery of aging technologies after an outage can be compromised if those systems are no longer supported by their vendor.

Another area of IT that must keep pace with current needs is our Company's data storage capabilities. The increasing use of technology across the organization is resulting in the need to store, transmit, and manage ever larger amounts of data and our systems must be able to keep pace with these growing data storage needs. While solutions such as purge-archive and data warehousing can help reduce the impact of this data explosion, they are not sufficient to fully mitigate it. As a result, we need to increase our storage capacities, the speeds and flexibility of our networks, and improve our tools to cost effectively manage this essential resource.

Q. HOW DOES THE COMPANY DETERMINE WHEN AN EXISTING SYSTEM NEEDS TO BE REPLACED?
A. Business Systems strives to maximize our technology investments by maintaining existing systems until the risk and costs associated with keeping these aging technologies in place outweigh the benefit. For instance, new software systems are often necessary when the existing software is no longer supported by the vendor. The Company's migration to the Windows desktop operating system from its existing Windows XP system in 01 is a good example of this type of investment. In April 01, Microsoft will no longer support Windows XP. However, by using this operating system past the time when many companies have already moved to Windows, and by not upgrading to subsequent operating systems until absolutely necessary, the Company maximized its initial investment and value to customers. Overall, our Business Systems governance processes, described later in my testimony, ensure a rigorous process for evaluating current needs and proposed technology solutions.

3. Improve Efficiency

Q. HOW DOES BUSINESS SYSTEMS ASSIST IN IMPROVING EFFICIENCY FOR THE COMPANY?
A. Technology can offer the opportunity to improve productivity, improve communications between systems and between people, and allow the opportunity to use data more efficiently. A simple example that illustrates this point is the mobile phone. Mobile phones were not necessarily invented to solve a problem with land-based telephone lines or service. However, as they emerged, and as they become increasingly sophisticated, they have changed the culture and we have learned how much efficiency can be gained from what has become wireless mobile computing devices. Business Systems is constantly evaluating new technologies and helping the business areas examine ways to increase efficiencies and enhance communications between systems that benefit the Company, and ultimately, our customers.

Q. HOW DOES BUSINESS SYSTEMS DETERMINE WHICH EFFICIENCY-IMPROVING TECHNOLOGY TO IMPLEMENT?
A. The key is to identify these new technologies and to implement only those technologies that can offer efficiency benefits that outweigh their implementation costs. Business Systems works with various business units in the Xcel Energy organization to evaluate new technologies to determine whether they can be utilized to improve the efficiencies in the way tasks are completed, data is used, or in the way communications are conducted within the organization.

Q. CAN YOU PROVIDE A SPECIFIC EXAMPLE OF HOW IT INVESTMENTS SUPPORT THE COMPANY'S BUSINESS OBJECTIVES AND IMPROVE SERVICE TO CUSTOMERS?
A. One example is Business Systems support for increased data collection and data storage for distribution substation feeder load data. As noted in the testimony of Company witness Mr. Stephen R. Foss, Distribution is implementing a new Feed Load Monitoring system to track feeder load data for all three phases of power, as opposed to only one phase as is done currently. This new system will require Business Systems to provide additional data storage capabilities and also greater data bandwidth. By collecting and storing this data, Distribution will be able to manage the system more efficiently and improve the accuracy of its system planning and operation.

This new Feed Load Monitoring system is one of many so-called smart grid initiatives that are being employed by the Company to improve our efficiency, management capabilities, and value and service to our customers. The Company discusses its Smart Grid initiatives in its April 1, 01 Annual Smart Grid report in Docket No. E/CI-0-.

Another example is the outage maps that were added to the Xcel Energy website in 00. These maps allow customers to view current electric outages on a map along with estimated outage restoration times. This map is fed directly from information in the field and is updated every 0 minutes. These maps improve efficiency for our customers who are able to easily access valuable outage data.

B. Cost Allocation to the Company

Q. HOW DO CAPITAL PROJECTS EXECUTED BY BUSINESS SYSTEMS AFFECT THE MINNESOTA JURISDICTION?
A. Many of the Business Systems projects are planned and budgeted at the Xcel Energy Services or operating company level, and implemented throughout our system. Most projects benefit multiple jurisdictions as when we implement new software throughout the Xcel Energy organization and therefore must be allocated or assigned to the appropriate operating companies. Allocation of capital projects falls under the Company's capitalization policy, sponsored by Company witness Ms. Lisa H. Perkett. Company witness Ms. Amy L. Stitt explains the Company's cost allocation and assignment process for appropriately allocating Business Systems costs to the NSPM operating company.

In instances where a project is more fully-dedicated to the Minnesota jurisdiction, a greater portion of the project costs may be assigned to Minnesota. One key Minnesota-specific project in the 01 test year is the replacement and upgrade of the emergency radios used at the Prairie Island Nuclear Generating Plant. Because these radios are used solely at Prairie Island to ensure personnel safety and facilitate communications, the full cost of the project is assigned to the Minnesota electric jurisdiction. For Business Systems, this circumstance is less common, as most of our projects are implemented at the Xcel Energy level.

C. Looking Ahead

Q. HOW DO YOU PLAN FOR AND ANTICIPATE UPCOMING IT NEEDS?
A. We are constantly evaluating the Company's existing and emerging technology needs. Our evaluations consider not only current needs, but also upcoming needs that may evolve from aging technologies, emerging technologies, and potential changes to the way we do business. This process involves review of likely scenarios in future as well as current years, so we can develop a comprehensive albeit somewhat evolving strategy. Business Systems maintains a multi-year roadmap in coordination with business units that highlights business objectives and identifies possible future IT additions or modifications.

Q. WHAT ARE THE ANTICIPATED LONG-TERM TRENDS IN THE COMPANY'S INVESTMENT IN BUSINESS SYSTEMS?
A. We have had a relatively steady level of IT investment for the past several years. During this time, we have not incurred significant costs to update or replace our existing IT systems. We have largely focused our incremental investments on maintaining our existing IT assets, and taken steps to maintain service levels while managing or reducing costs associated with our systems. Due to the maturity of our current systems, we have been able to limit our investments in recent years while harvesting the value of these assets.

However, due to the age of these systems, and the ever-changing business and regulatory requirements, we are now entering a phase of replacement and upgrade of these systems. Figure 1 below depicts our capital additions trend over the last several years that we expect to continue through 01.

[Figure 1: Business Systems Actual and Budgeted Capital Additions 0-01 (NSPM). Vertical axis: Total Additions ($000s). Series: Actual, Budget.]

III. BUSINESS SYSTEMS GOVERNANCE

Q. DOES THE COMPANY ENGAGE IN A CAREFUL REVIEW AND APPROVAL PROCESS BEFORE UNDERTAKING A PARTICULAR IT INVESTMENT?
A. Yes. We have implemented a careful, methodical approach, called the IT Governance process, to evaluate any proposed Business Systems investment.

With each potential investment, our goal is first to assess the need for and benefit of a project compared to its estimated cost. We also assess whether the proposed timing of the project is indeed appropriate, or whether the cost of a particular project should be delayed or avoided. Finally, if a project satisfies these fundamental questions, we then assess the best way to maximize the value of the project for our Company and therefore our customers.

Q. WHAT IS IT GOVERNANCE?
A. IT Governance is Business Systems budget development, project prioritization, and project management process. Our IT capital investments are driven by the needs of Xcel Energy's business areas. IT works with each business area to determine its specific IT needs, and then these needs are prioritized based on a particular set of factors. The IT Governance process also monitors the end-to-end project lifecycle for each proposed project, from its conception to in service, to ensure that it meets budget and schedule, and performs as expected for the specified business objective. The IT Governance process also oversees and must approve any changes in project scope or budget.

Q. WHAT ARE THE OBJECTIVES OF THE IT GOVERNANCE FUNCTION?
A. The objectives of the IT Governance function are to ensure the ongoing health of our IT systems, to support business area strategies, to ensure that we are taking advantage of evolving technology and are positioned for the future, and to provide continuous oversight of budgeting, scheduling, and implementation of IT projects.

Q. CAN YOU PROVIDE AN OVERVIEW OF STEPS IN THE IT GOVERNANCE PROCESS?
A. Yes. Business Systems employs a gated approval process called the Governance Gates Process to oversee IT projects throughout their lifecycle. Projects move through specific gates or approvals from the IT Governance Board and other stakeholders as they move from project idea towards in service. This process ensures that projects comply with relevant IT portfolio and project management requirements. The Governance Gates Process also enables regular review of project metrics (schedule, budget, scope), and institutes corrective action plans or modification of the scope of a project as appropriate.

Q. WHO MAKES UP THE IT GOVERNANCE BOARD?
A. The IT Governance Board is comprised of myself, our Senior Director of IT Account Management, Senior Director of IT Governance and Portfolio Management, Director for Enterprise Architecture, Director of IT Security and Risk Management, Director of Infrastructure, and Senior Director of Enterprise Applications.

Q. PLEASE IDENTIFY THE DIFFERENT GATES OR APPROVALS THAT ARE PART OF THE IT GOVERNANCE PROCESS.
A. There are four different approvals that each capital project must garner before it is initiated and ultimately placed in service. These gates include: (1) Approval to Initiate; (2) Approval to Plan; (3) Approval to Proceed; and (4) Approval to Implement.

A. Approval to Initiate

Q. WHAT IS THE PURPOSE OF THE APPROVAL TO INITIATE GATE?
A. The purpose of this gate is to determine whether a project is sound, viable, and worthy of funding, support, and inclusion in the Company's IT portfolio. Generally speaking, this is the project idea phase of development. Each Business Systems account management team is responsible for partnering with a specific business unit within the organization to determine that area's long-term strategic objectives, and identify whether IT investments can enable achievement of those objectives. It is through this process of coordination with the business areas that the potential need for future IT projects is identified.

Q. WHAT IS THE NEXT STEP?
A. From idea stage, project ideas are grouped and evaluated, ranked, and selected based on a common set of filters and criteria. This categorization process allows IT to evaluate the benefits and risks associated with each project idea.

Q. PLEASE DISCUSS THE CONSIDERATIONS AND RESULT OF THE CATEGORIZATION PROCESS.
A. This process weighs a multitude of criteria including the financial and nonfinancial benefits of a project, the potential for other existing technologies to address the business need, and the degree to which the project is needed to meet regulatory requirements or to ensure system reliability and security. The result of this process is a list of ranked project ideas.

Q. WHAT IS THE NEXT STEP AFTER THE PROJECT IDEAS ARE RANKED?
A. The IT Governance Board reviews the ranked project ideas to determine which projects should be slated for implementation and included in the Business Systems budget. This process requires further refinement of the budget figures for each project, and prioritization of possible projects. This prioritization process exists to ensure that only those solutions that are essential to achievement of specific business objectives are implemented.

Q. WHAT HAPPENS ONCE AN IDEA HAS BEEN APPROVED TO INITIATE?
A. Once an idea is Approved to Initiate, a project is created and funding is made available to complete scoping, cost, and schedule estimate refinement and to determine the delivery path most applicable to the project.

B. Approval to Plan

Q. WHAT IS THE NEXT REQUIRED APPROVAL IN THE IT GOVERNANCE PROCESS?
A. The next gate is the Approval to Plan. This is the formal review process to obtain approval from the IT Governance Board that the initial budget and project schedule have been adequately documented, and that the project management strategy is appropriately developed to move the project forward to the next gate. In particular, the purpose of this approval is to ensure that the budget, schedule, and plan for development of a project are sound.

Q. WHAT HAPPENS WITH A PROJECT UPON APPROVAL OF THIS GATE?
A. Upon approval of this gate, the project profile, budget, and schedule are assessed and modified as appropriate. Approval at this gate also allows some or all of the funding from the capital budget to be released, to allow the project to begin detail requirements and design activities.

C. Approval to Proceed

Q. WHAT IS THE NEXT APPROVAL REQUIRED IN THE IT GOVERNANCE PROCESS?
A. The next gate is Approval to Proceed. This approval provides the final check of a project before production begins to ensure that the proposed design meets the identified needs and any technical problems are resolved.

Q. WHAT OCCURS AT THIS STEP IN THE PROCESS?
A. At this gate, the detailed design of a project is reviewed and validated by a Technical Review Board to ensure that the project satisfies its intended business objectives. Overall project status, technical solutions, software products, documentation, and definitive estimates are reviewed to ensure completeness and consistency with design standards and to resolve any technical issues with the project. After approval is obtained at this gate, the project will receive any remaining budget funds, and the project team will begin to build and deploy the project.

D. Approval to Implement

Q. DESCRIBE THE FINAL GATE, OR APPROVAL TO IMPLEMENT.
A. This is a formal inspection conducted by the IT Technical Review Board to determine whether the technology solution is ready for in service. The business unit sponsoring the solution must also approve the project at this stage, and confirm that it meets the business unit's objectives and needs, and that the operational procedures and tools (such as user training) are in place to ensure its successful and secure operation in the production environment.

Q. DO CHANGES IN PROJECT METRICS PRIOR TO IN-SERVICE REQUIRE APPROVAL FROM THE IT GOVERNANCE BOARD?
A. Yes. Any change to the budget, schedule, or scope of a project must be approved by the IT Governance Board to ensure that any change in these key components of a project is necessary and well-documented.

E. Ongoing Cost Control Measures

Q. ONCE A PROJECT MOVES TO IMPLEMENTATION, DOES BUSINESS SYSTEMS TAKE ANY FURTHER STEPS TO MONITOR VARIANCES BETWEEN ITS ACTUAL EXPENDITURES AND ITS BUDGET?
A. Yes. Management in each area of Business Systems monitors actual versus budget expenditures for both capital and O&M efforts on a monthly basis. Any deviations are then evaluated to determine whether costs are appropriate. In addition, action plans are developed to mitigate variations in actual to budgeted expenditures. These mitigation plans may either reduce or delay other expenditures to support the overall authorized budget. If authorized budget adjustments are required, they are identified and approved at an appropriate level of management.

Q. DO EMPLOYEES WITHIN THE BUSINESS SYSTEMS DEPARTMENT ANTICIPATE AND MANAGE DEVIATIONS FROM THE BUDGET?
A. Yes. Employees in the Business Systems department with budget responsibility have budgetary goals that are incorporated into their performance objectives. Performance is measured on a monthly basis to ensure adherence to the goals and provide for an action plan to address any variances.

Q. IN ADDITION TO THE IT GOVERNANCE PROCESS, DOES BUSINESS SYSTEMS UNDERTAKE OTHER ONGOING STEPS TO CONTROL ITS COSTS?
A. Yes. Business Systems is continuously taking steps to control its costs. These efforts may include: increasing or decreasing the scope of outsourced services; increasing or decreasing the use of consultants; and changing service providers. We also utilize competitive bidding practices and a multi-vendor sourcing strategy where possible, which enables us to utilize a combination of internal and external resources as appropriate to minimize costs and maximize efficiencies in running our systems.

In addition, Business Systems actively interacts with other utility IT organizations, as well as IT organizations in other industries to learn how they control costs. For instance, I am the chair of the Edison Electric Institute/American Gas Association Technical Advisory Council (TAC). The TAC is a group of utility CIOs that meet to discuss IT issues, including how to manage costs. Through our participation in such groups, we are able to monitor and implement industry best practices for managing technical projects and controlling costs.

Q. CAN YOU IDENTIFY SPECIFIC COST CONTROL MEASURES THE COMPANY HAS UNDERTAKEN TO MANAGE COSTS IN RECENT YEARS?
A. Business Systems has employed several cost savings measures over the past several years. The primary cost saving measure in this period was a renegotiation of the Company's contract with IBM for application and infrastructure support. During this renegotiation, the Company was able to extend its contract with IBM from September 01 to June 01 and obtained expected cost savings of approximately $ million over the next four years for Xcel Energy. We have likewise renegotiated other large contracts in recent years to capture cost savings, including our consulting contract with Accenture and desktop services with Dell.

In addition, in 0, Business Systems brought in-house its cyber security and disaster recovery programs that had been provided by an outside vendor. Bringing these services in-house has allowed the organization to be more efficient and directly accountable to our security posture.

These cost saving measures have successfully reduced costs in some areas, allowing us to reinvest those savings to keep our overall investments at a relatively steady level. We are always looking for opportunities to further improve the cost effectiveness of the organization.

Q. YOU MENTIONED USING A MULTI-VENDOR SOURCING STRATEGY AS A COST CONTROL MEASURE. WHY IS HAVING MULTIPLE VENDORS BENEFICIAL?
A. Business Systems relies on approximately 0 different vendors for capital investments and for O&M support, with our top seven vendors comprising 0 percent of our total costs. By utilizing multiple vendors, we require these vendors to compete against each other for our business, and thus have an incentive to keep the price of their services competitive. Also, having multiple vendors available minimizes the risks associated with relying solely on one vendor.

IV. BUSINESS SYSTEMS TEST YEAR CAPITAL INVESTMENTS

A. Overview

Q. GENERALLY SPEAKING, WHAT TYPES OF CAPITAL ADDITIONS ARE PROVIDED BY BUSINESS SYSTEMS?
A. The Business Systems capital additions include hardware (computers, servers, radio systems, phone systems, and routers), software (implementation and upgrades) and related technology infrastructure investments, and cyber security solutions that support Xcel Energy's business operations. The major capital additions for both the test year and the 01 Step are described in more detail later in my testimony.

Q. WHAT CAPITAL ADDITIONS IS THE COMPANY PROPOSING TO MAKE IN 01?
A. The total NSPM Business Systems 01 capital additions are budgeted to be $. million ($. million MN Electric Jurisdiction).

Q. ARE THE BUSINESS SYSTEMS CAPITAL ADDITIONS REASONABLE AND NECESSARY?
A. Yes. These capital additions are reasonable and necessary to maintain stability and reliability of the IT systems used by employees to serve Minnesota customers, efficiently manage business operations, protect company data and information, and meet evolving regulatory and legal requirements.

Q. WHAT PROJECTS COMPRISE THE MAJOR CAPITAL ADDITIONS BUDGETED TO GO INTO SERVICE IN THE 01 TEST YEAR?
A. The Business Systems 01 capital additions budget contains numerous projects, including 1 projects that comprise nearly percent of the NSPM capital additions budget. These 1 projects are described in detail in Section V of my testimony. The remaining percent of the Business Systems capital additions budget consists of a number of smaller projects, which can be classified into the three key objectives of Business Systems as follows:

Table 1
Total NSPM Dollars 01 IT Investments

Cyber Security              $.1 million
Replace Aging Technology    $1. million
Increase Efficiency         $. million

A detailed list of all the Business Systems capital projects included in the test year budget, their cost, in-service date, and a project description is attached as Exhibit (DCH), Schedule. I will describe the 1 larger capital projects comprising nearly percent of the test year budget in terms of Business Systems' three key objectives.

Q. WHAT HAS BEEN THE COMPANY'S CAPITAL EXPENDITURE TREND FOR THE LAST THREE YEARS?
A. For the past three years, our capital expenditures have been steadily increasing as we have started to make significant capital additions to serve our three objectives of addressing cyber security, replacing aging technology, and increasing efficiencies. Specifically, a considerable increase in our capital expenditures can be seen in 01 as we began to make plans and start development for new capital additions that would be placed in service in the coming years. Table below shows our historical capital expenditures as well as projected capital expenditures through 01. We expect capital expenditures of approximately $1. in Business Systems from 01 through 01.

Table
0-01 Forecasted Capital Expenditures (Dollars in Millions)
NSPM Electric Utility

Business Unit
Business Systems    $.    $.    $.    $.0    $.

Q. WHAT HAS BEEN THE COMPANY'S CAPITAL ADDITIONS TREND FOR THE LAST THREE YEARS?
A. An increasing number of capital additions have been placed in service over the past three years to serve our three key objectives with the most pronounced increase shown 01. Table below shows both historical and projected capital additions for 0 to 01. While the 01 capital additions shown in Table are related solely to the two 01 Step projects, Business Systems anticipates that there will be a number of other capital projects that will also go into service in 01.

Table
0-01 Forecasted Capital Additions (Dollars in Millions)
NSPM Electric Utility

Business Unit
Business Systems    $.    $.    $.1    $0.    $.    $.0

Q. PLEASE PROVIDE AN OVERVIEW OF BUSINESS SYSTEM'S LONG-TERM CAPITAL INVESTMENT PLAN.
A. As I mentioned previously, after several years of moderate capital investments, Business Systems is entering a phase of increased investment in IT infrastructure. We anticipate that this phase will continue for the next several years as we make necessary improvements to address cyber security, replace aging technology, and increase efficiencies.

B. 01 Capital Additions Detail-Cyber Security

1. Identity & Access Management

Q. PLEASE DESCRIBE THIS PROJECT.
A. The purpose of the Identity & Access Management project is a convergence of business processes and technology that will facilitate the management of electronic identities. The Company has a large number of employees that each require access to different systems and data repositories, and each employee's access must also be limited to data within her or his purview. This project will provide security, trust, and privacy by identifying and authenticating users and authorizing access to identity-based IT systems, information resources, and applications. This project will also improve the accuracy and effectiveness of access control.

Q. WHY IS THIS PROJECT NECESSARY?
A. With the advent of web-enabled technologies, mobility, and federated networks for business units, Company technology is expanding to enable emerging platforms and solutions. This has resulted in complexity dealing with users and managing their access to our systems. There is also increased risk due to the need to manage user identities, establish trust, enable privacy, and comply with legal and regulatory requirements. The Identity & Access Management project mitigates these risks by further improving controls around access to our systems.

Q. PLEASE EXPLAIN WHY THE COMPANY IS CONFIDENT THAT THE IN-SERVICE DATE OF THIS PROJECT IS REASONABLY CERTAIN.
A. The scope and objectives of this project were identified during a comprehensive seven month requirements and design phase. Based on completion and certification of critical path events to date, this project will be placed in service in fourth quarter 01.

Q. PLEASE EXPLAIN WHY THE SPECIFIC COSTS OF THE PROJECT ARE REASONABLE.
A. All products and services within the Identity & Access Management project have been bid across a wide cross-section of vendors and solutions through a competitive RFP process. We selected vendors based in large part on the competitive nature of their pricing, and negotiated final agreements that we believe are reasonable in the current marketplace.

2. Risk and Compliance

Q. PLEASE EXPLAIN THIS PROJECT AND WHY THIS PROJECT IS NECESSARY.
A. This project installs new software that enables Company compliance with North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) requirements, and also enables continuous security and compliance monitoring capabilities for NERC and other regulatory requirements. Ensuring compliance with these NERC CIP standards is important because fines for compliance violations can be up to $1 million per day. This new software also enables automation of compliance tasks that would otherwise need to be completed manually.

As the organization adds new cyber security controls and processes to meet the ever-changing regulatory and data protection requirements, it is imperative to have the ability to track the effectiveness of these controls against each individual requirement across each regulation and law. An organization like Xcel Energy can have thousands of changing requirements that need to be tracked against thousands of controls and processes; manual management without a toolset like that provided in this project would be extremely difficult if not impossible.

Q. HOW HAS THE COMPANY VERIFIED THAT THE COSTS AND IN-SERVICE DATE OF THE PROJECT ARE REASONABLY CERTAIN?
A. We have completed our software selection process and ordered the necessary software. We have hired the project implementation vendor, and the contract with the vendor includes penalties for failing to meet the scheduled tasks. We are currently on schedule for a 01 in-service date.

Q. PLEASE EXPLAIN WHY THE SPECIFIC COSTS OF THE PROJECT ARE REASONABLE.
A. Both the software and the vendor were selected via a competitive bidding process. We had a number of applicants to these processes, and selected a reasonably priced software and vendor that was able to meet our specifications.

C. 01 Capital Additions Detail-Replace Aging Technology

1. Windows Upgrade

Q. PLEASE EXPLAIN THIS PROJECT AND WHY IT IS NECESSARY.
A. Xcel Energy is currently running Microsoft Windows XP on all computing workstations. Microsoft XP was initially released in 001, and Microsoft support for this operating system will expire in April 01. It is necessary to upgrade to a more current operating system to ensure Company assets are protected with up-to-date security measures supported by Microsoft. Failure to upgrade would expose the Company's computing environment to potential cyber security risks and vulnerabilities.

Q. HOW HAS THE COMPANY VERIFIED THAT THE COSTS AND IN-SERVICE DATE OF THE PROJECT ARE REASONABLY CERTAIN?
A. The project team has been working steadily on this upgrade for 1 months. Prior to implementation, it is necessary to thoroughly test it to ensure it is compatible with all other Xcel Energy applications. As this project has progressed in the application testing phase, we identified compatibility issues between Xcel Energy's application suite and Microsoft's upgraded Office Suite that required adoption of additional technical resources to mitigate. Due to the need to address these compatibility issues, additional dollars (totaling approximately $0,000 for the Minnesota jurisdiction) were utilized from the Emergent Demand Account (which I discuss in part E of this section of my testimony). Currently, approximately 0 percent of the Xcel Energy workforce has been migrated to Windows with very few post-upgrade problems. As a result, we are confident of the 01 in-service date.

Q. PLEASE EXPLAIN WHY THE SPECIFIC COSTS OF THE PROJECT ARE REASONABLE.
A. The initial budget was approved through the IT Governance process that I previously described. In addition, preparation and migration services were established through a competitive market bidding process, which we believe ensures that the price of these services is fair and reasonable.

2. Annual PC Refresh

Q. PLEASE DESCRIBE THIS PROJECT AND EXPLAIN WHY IT IS NECESSARY.
A. Xcel Energy uses a rolling PC lifecycle refresh approach, which upgrades approximately 0 percent of desktop computing devices annually based on a first in first out basis. The average lifespan of an Xcel Energy desktop computing device is five years. This lifecycle program was established in 00, and our experience indicates this process and lifespan ensures that the personal computers maintain their functionality and are compatible with existing software and other systems.

Q. HOW HAS THE COMPANY VERIFIED THAT THE COSTS AND IN-SERVICE DATE OF THE PROJECT ARE REASONABLY CERTAIN?
A. Replacing existing desktops is an annual project for Business Systems, and therefore, we have developed a very systematic approach to implementation. This program has consistently completed the annual PC refresh on-time and on budget over the past six years.

Q. WHY ARE THE SPECIFIC COSTS OF THE PROJECT REASONABLE?
A. Computing device and deployment services for this project were awarded to


More information

Top 10 Compliance Issues for Implementing Security Programs

Top 10 Compliance Issues for Implementing Security Programs www.dyonyx.com Top 10 Compliance Issues for Implementing Security Programs This White Paper articulates the top ten issues that we have encountered in the design and implementation of comprehensive Security

More information

Federal Bureau of Investigation s Integrity and Compliance Program

Federal Bureau of Investigation s Integrity and Compliance Program Evaluation and Inspection Division Federal Bureau of Investigation s Integrity and Compliance Program November 2011 I-2012-001 EXECUTIVE DIGEST In June 2007, the Federal Bureau of Investigation (FBI) established

More information

How Much Cyber Security is Enough?

How Much Cyber Security is Enough? How Much Cyber Security is Enough? Business Drivers of Cyber Security Common Challenges and Vulnerabilities Cyber Security Maturity Model Cyber Security Assessments September 30, 2010 Business in the Right

More information

AL RAFEE ENTERPRISES Solutions & Expertise.

AL RAFEE ENTERPRISES Solutions & Expertise. AL RAFEE ENTERPRISES Solutions & Expertise. Virtualization Al Rafee has strategically made substantial investment in building up a large end to end portfolio of Virtualization across the entire IT infrastructure

More information

future data and infrastructure

future data and infrastructure White Paper Smart Grid Security: Preparing for the Standards-Based Future without Neglecting the Needs of Today Are you prepared for future data and infrastructure security challenges? Steve Chasko Principal

More information

Prevent cyber attacks. SEE. what you are missing. Netw rk Infrastructure Security Management

Prevent cyber attacks. SEE. what you are missing. Netw rk Infrastructure Security Management Prevent cyber attacks. SEE what you are missing. See Your Network MAP. Prevent Cyber Attacks. Driven by the need to support evolving business objectives, enterprise IT infrastructures have grown increasingly

More information

COMMON CORPORATE COSTS CAPITAL - INFORMATION TECHNOLOGY

COMMON CORPORATE COSTS CAPITAL - INFORMATION TECHNOLOGY Updated: 0-0-0 EB-0-0 Tab Page of COMMON CORPORATE COSTS CAPITAL - INFORMATION TECHNOLOGY.0 OVERVIEW 0 Information Technology ( IT ) refers to computer systems (hardware, software and applications) that

More information

The Advantages of an Integrated Factory Acceptance Test in an ICS Environment

The Advantages of an Integrated Factory Acceptance Test in an ICS Environment The Advantages of an Integrated Factory Acceptance Test in an ICS Environment By Jerome Farquharson, Critical Infrastructure and Compliance Practice Manager, and Alexandra Wiesehan, Cyber Security Analyst,

More information

Compliance. Review. Our Compliance Review is based on an in-depth analysis and evaluation of your organization's:

Compliance. Review. Our Compliance Review is based on an in-depth analysis and evaluation of your organization's: Security.01 Penetration Testing.02 Compliance Review.03 Application Security Audit.04 Social Engineering.05 Security Outsourcing.06 Security Consulting.07 Security Policy and Program.08 Training Services

More information

7 Homeland. ty Grant Program HOMELAND SECURITY GRANT PROGRAM. Fiscal Year 2008

7 Homeland. ty Grant Program HOMELAND SECURITY GRANT PROGRAM. Fiscal Year 2008 U.S. D EPARTMENT OF H OMELAND S ECURITY 7 Homeland Fiscal Year 2008 HOMELAND SECURITY GRANT PROGRAM ty Grant Program SUPPLEMENTAL RESOURCE: CYBER SECURITY GUIDANCE uidelines and Application Kit (October

More information

E nable the service delivery of our customers

E nable the service delivery of our customers Information Technology Department Vijay Sammeta, Acting Chief Information Officer M I S S I 0 N E nable the service delivery of our customers through the integration of city-wide technology r~soiirc~s

More information

Improving the Customer Experience for Utilities Consumers Lowering Costs for a Strategic Imperative

Improving the Customer Experience for Utilities Consumers Lowering Costs for a Strategic Imperative Improving the Customer Experience for Utilities Consumers Lowering Costs for a Strategic Imperative INTRODUCTION Across the utilities industry, several factors are making customer service a strategic priority

More information

ITSM Maturity Model. 1- Ad Hoc 2 - Repeatable 3 - Defined 4 - Managed 5 - Optimizing No standardized incident management process exists

ITSM Maturity Model. 1- Ad Hoc 2 - Repeatable 3 - Defined 4 - Managed 5 - Optimizing No standardized incident management process exists Incident ITSM Maturity Model 1- Ad Hoc 2 - Repeatable 3 - Defined 4 - Managed 5 - Optimizing No standardized incident process exists Incident policies governing incident Incident urgency, impact and priority

More information

Information & Asset Protection with SIEM and DLP

Information & Asset Protection with SIEM and DLP Information & Asset Protection with SIEM and DLP Keeping the Good Stuff in and the Bad Stuff Out Professional Services: Doug Crich Practice Leader Infrastructure Protection Solutions What s driving the

More information

FERC, NERC and Emerging CIP Standards

FERC, NERC and Emerging CIP Standards Protecting Critical Infrastructure and Cyber Assets in Power Generation and Distribution Embracing standards helps prevent costly fines and improves operational efficiency Bradford Hegrat, CISSP, Principal

More information

Vulnerability Management. Information Technology Audit. For the Period July 2010 to July 2011

Vulnerability Management. Information Technology Audit. For the Period July 2010 to July 2011 O L A OFFICE OF THE LEGISLATIVE AUDITOR STATE OF MINNESOTA FINANCIAL AUDIT DIVISION REPORT Vulnerability Management Information Technology Audit For the Period July 2010 to July 2011 May 22, 2012 Report

More information

NERC Cyber Security. Compliance Consulting. Services. HCL Governance, Risk & Compliance Practice

NERC Cyber Security. Compliance Consulting. Services. HCL Governance, Risk & Compliance Practice NERC Cyber Security Compliance Consulting Services HCL Governance, Risk & Compliance Practice Overview The North American Electric Reliability Corporation (NERC) is a nonprofit corporation designed to

More information

U.S. Nuclear Regulatory Commission

U.S. Nuclear Regulatory Commission U.S. Nuclear Regulatory Commission 2011 Data Center Consolidation Plan and Progress Report Version 2.0 September 30, 2011 Enclosure Contents 1 Introduction... 2 2 Agency Goals for Data Center Consolidation...

More information

Attachment 16.1 SA Power Networks: Customer Data Quality Plan 2015-2020 September 2014

Attachment 16.1 SA Power Networks: Customer Data Quality Plan 2015-2020 September 2014 Attachment 16.1 SA Power Networks: Customer Data Quality Plan 2015-2020 September 2014 Customer Data Quality Plan 2015-2020 V1.1 Executive Summary The commencement of Full Retail Contestability in 2004

More information

Managed Security Services for Data

Managed Security Services for Data A v a y a G l o b a l S e r v i c e s Managed Security Services for Data P r o a c t i v e l y M a n a g i n g Y o u r N e t w o r k S e c u r i t y 2 4 x 7 x 3 6 5 IP Telephony Contact Centers Unified

More information

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/ 287-1808

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/ 287-1808 cover_comp_01 9/9/02 5:01 PM Page 1 For further information, please contact: The President s Critical Infrastructure Protection Board Office of Energy Assurance U.S. Department of Energy 202/ 287-1808

More information

Audit of NRC s Network Security Operations Center

Audit of NRC s Network Security Operations Center Audit of NRC s Network Security Operations Center OIG-16-A-07 January 11, 2016 All publicly available OIG reports (including this report) are accessible through NRC s Web site at http://www.nrc.gov/reading-rm/doc-collections/insp-gen

More information

Decrease your HMI/SCADA risk

Decrease your HMI/SCADA risk Decrease your HMI/SCADA risk Key steps to minimize unplanned downtime and protect your organization. Are you running your plant operations with serious risk? Most industrial applications lack recommended

More information

N.K. Srivastava GM-R&M-Engg.Services NTPC- CC/Noida nksrivastava@ntpceoc.co.in

N.K. Srivastava GM-R&M-Engg.Services NTPC- CC/Noida nksrivastava@ntpceoc.co.in N.K. Srivastava GM-R&M-Engg.Services NTPC- CC/Noida nksrivastava@ntpceoc.co.in JULY 2012 ARC- Transforming Industry and Infrastructure through New Processes and Technologies Presentation Road Map Introduction

More information

INFORMATION TECHNOLOGY ENGINEER V

INFORMATION TECHNOLOGY ENGINEER V 1464 INFORMATION TECHNOLOGY ENGINEER V NATURE AND VARIETY OF WORK This is senior level lead administrative, professional and technical engineering work creating, implementing, and maintaining the County

More information

SACM and CMDB Strategy and Roadmap. David Lowe ActionableITSM.com March 20, 2012

SACM and CMDB Strategy and Roadmap. David Lowe ActionableITSM.com March 20, 2012 SACM and CMDB Strategy and Roadmap David Lowe ActionableITSM.com March 20, 2012 Disclaimer The strategy and roadmap information presented here is generic by nature and based on a highly hypothetical use

More information

DATA MANAGEMENT & ANALYTICS FOR UTILITIES 2014

DATA MANAGEMENT & ANALYTICS FOR UTILITIES 2014 DATA MANAGEMENT & ANALYTICS FOR UTILITIES 2014 In-depth briefing Author Stephen Witt DATA MANAGEMENT FOR UTILITIES DATA MANAGEMENT & ANALYTICS FOR UTILITIES 2014 In-depth briefing About Smart Grid Update

More information

END TO END DATA CENTRE SOLUTIONS COMPANY PROFILE

END TO END DATA CENTRE SOLUTIONS COMPANY PROFILE END TO END DATA CENTRE SOLUTIONS COMPANY PROFILE About M 2 TD M2 TD is a wholly black Owned IT Consulting Business. M 2 TD is a provider of data center consulting and managed services. In a rapidly changing

More information

Agency for State Technology

Agency for State Technology Agency for State Technology 2015-2018 Statewide Information Technology Security Plan The Way Forward Rick Scott, Governor Jason M. Allison, State CIO Table of Contents From the Desk of the State Chief

More information

COMMUNIQUE. Information Technology (IT) Governance Guidance

COMMUNIQUE. Information Technology (IT) Governance Guidance COMMUNIQUE 14-COM-002 July 14, 2014 Information Technology (IT) Governance Guidance The Credit Union Prudential Supervisors Association (CUPSA) has established an IT Risk Working Group to focus on IT governance

More information

Cisco Network Optimization Service

Cisco Network Optimization Service Service Data Sheet Cisco Network Optimization Service Optimize your network for borderless business evolution and innovation using Cisco expertise and leading practices. New Expanded Smart Analytics Offerings

More information

State of Minnesota. Enterprise Security Strategic Plan. Fiscal Years 2009 2013

State of Minnesota. Enterprise Security Strategic Plan. Fiscal Years 2009 2013 State of Minnesota Enterprise Security Strategic Plan Fiscal Years 2009 2013 Jointly Prepared By: Office of Enterprise Technology - Enterprise Security Office Members of the Information Security Council

More information

Managed Services. Business Intelligence Solutions

Managed Services. Business Intelligence Solutions Managed Services Business Intelligence Solutions Business Intelligence Solutions provides an array of strategic technology services for life science companies and healthcare providers. Our Managed Services

More information

WhitePaper. Private Cloud Computing Essentials

WhitePaper. Private Cloud Computing Essentials Private Cloud Computing Essentials The 2X Private Cloud Computing Essentials This white paper contains a brief guide to Private Cloud Computing. Contents Introduction.... 3 About Private Cloud Computing....

More information

Update On Smart Grid Cyber Security

Update On Smart Grid Cyber Security Update On Smart Grid Cyber Security Kshamit Dixit Manager IT Security, Toronto Hydro, Ontario, Canada 1 Agenda Cyber Security Overview Security Framework Securing Smart Grid 2 Smart Grid Attack Threats

More information

Accenture Technology Consulting. Clearing the Path for Business Growth

Accenture Technology Consulting. Clearing the Path for Business Growth Accenture Technology Consulting Clearing the Path for Business Growth Mega technology waves are impacting and shaping organizations in a profound way When a company s executive management team considers

More information

Effective Enterprise Performance Management

Effective Enterprise Performance Management Seattle Office: 2211 Elliott Avenue Suite 200 Seattle, Washington, 98121 seattle@avanade.com www.avanade.com Avanade is a global IT consultancy dedicated to using the Microsoft platform to help enterprises

More information

Office of Inspector General

Office of Inspector General DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Security Weaknesses Increase Risks to Critical United States Secret Service Database (Redacted) Notice: The Department of Homeland Security,

More information

The IBM Solution Architecture for Energy and Utilities Framework

The IBM Solution Architecture for Energy and Utilities Framework IBM Solution Architecture for Energy and Utilities Framework Accelerating Solutions for Smarter Utilities The IBM Solution Architecture for Energy and Utilities Framework Providing a foundation for solutions

More information

Bridging the HIPAA/HITECH Compliance Gap

Bridging the HIPAA/HITECH Compliance Gap CyberSheath Healthcare Compliance Paper www.cybersheath.com -65 Bridging the HIPAA/HITECH Compliance Gap Security insights that help covered entities and business associates achieve compliance According

More information

OFFICE OF ENTERPRISE TECHNOLOGY SERVICES QUARTERLY REPORT ON

OFFICE OF ENTERPRISE TECHNOLOGY SERVICES QUARTERLY REPORT ON OFFICE OF ENTERPRISE TECHNOLOGY SERVICES QUARTERLY REPORT ON PERIODIC INFORMATION SECURITY AND PENETRATION AUDITS OF THE EXECUTIVE BRANCH INFORMATION TECHNOLOGY SYSTEMS APRIL 1, 2016 SUBMITTED TO THE TWENTY-EIGHTH

More information

Software License Asset Management (SLAM) Part III

Software License Asset Management (SLAM) Part III LANDesk White Paper Software License Asset Management (SLAM) Part III Structuring SLAM to Solve Business Challenges Contents The Third Step in SLAM: Optimizing Your Operations.... 3 Benefiting from Step

More information

The Government Cloud Protection Program: Disaster Recovery Services Transformed for the Perfect Storm

The Government Cloud Protection Program: Disaster Recovery Services Transformed for the Perfect Storm 2010 NASCIO RECOGNITION AWARD NOMINATION The Government Cloud Protection Program: Disaster Recovery Services Transformed for the Perfect Storm Nomination Category: Risk Management Initiatives Name of State

More information

End of Support Should Not End Your Business. Challenge of Legacy Systems

End of Support Should Not End Your Business. Challenge of Legacy Systems End of Support Should Not End Your Business When software vendors announce a product end-of-life (EOL), customers typically have 24 to 30 months to plan and execute their migration strategies. This period

More information

NERC CIP VERSION 5 COMPLIANCE

NERC CIP VERSION 5 COMPLIANCE BACKGROUND The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards define a comprehensive set of requirements that are the basis for maintaining

More information

SENIOR INFORMATION SYSTEMS MANAGER

SENIOR INFORMATION SYSTEMS MANAGER CITY OF PORTLAND Multiple SENIOR INFORMATION SYSTEMS MANAGER FLSA Status: Union Representation: Exempt Nonrepresented DEFINITION To plan, manage, supervise and coordinate information systems activities

More information

Commonwealth IT Threat Management: Keeping Out the Cyber Villains Category: Cyber Security Initiatives. Initiation date: January 2012

Commonwealth IT Threat Management: Keeping Out the Cyber Villains Category: Cyber Security Initiatives. Initiation date: January 2012 Commonwealth IT Threat Management: Keeping Out the Cyber Villains Category: Cyber Security Initiatives Initiation date: January 2012 Completion date: June 2012 Nomination submitted by: Samuel A. Nixon

More information

www.pwc.com The data breach lifecycle: From prevention to response IAPP global privacy summit March 6, 2014 (4:30-5:30) Draft v8 2-25-14

www.pwc.com The data breach lifecycle: From prevention to response IAPP global privacy summit March 6, 2014 (4:30-5:30) Draft v8 2-25-14 www.pwc.com The data breach lifecycle: From prevention to response IAPP global privacy summit (4:30-5:30) Draft v8 2-25-14 Common Myths 1. You have not been hacked. 2. Cyber security is about keeping the

More information

Contact Center TotalCare Enhanced Services

Contact Center TotalCare Enhanced Services ASSESS. PLAN. OPTIMIZE. Contact Center TotalCare Enhanced Services The Exceptional Customer Experience Customers have more options than ever and retaining or losing valued business is often a click away.

More information

Preparing for Distributed Energy Resources

Preparing for Distributed Energy Resources Preparing for Distributed Energy Resources Executive summary Many utilities are turning to Smart Grid solutions such as distributed energy resources (DERs) small-scale renewable energy sources and energy

More information

Datacenter Migration Think, Plan, Execute

Datacenter Migration Think, Plan, Execute Datacenter Migration Think, Plan, Execute Datacenter migration is often regarded as a purely technical, almost trivial side-project, to be delivered by existing IT staff alongside their day jobs. With

More information

Cloud Computing Services Strategy & Roadmap

Cloud Computing Services Strategy & Roadmap Cloud Computing Services Produced by Oakland County Information Technology Table of Contents Background... 3 What is Cloud Computing?... 3 Who Uses Cloud Computing?... 3 Benefits of Cloud Computing...

More information