The Compliance Model: A Framework for All Things Compliance. Director Corporate Compliance & Risk Management [email protected].

Transcription

1 The Compliance Model: A Framework for All Things Compliance Jana Utter Director Corporate Compliance & Risk Management [email protected] Disclaimer The information contained in this presentation is general in nature and applicable to the Midwest ISO s situation as a regional transmission organization and registered entity subject to certain NERC and RE reliability standards. Any information or examples provided herein should not be interpreted as repeatable or applicable validation of compliance by the auditing entities for other utilities. 1

2 What are we going to discuss? Brief Overview of Midwest ISO Governance, Risk, and Compliance GRC as a business function GRC as a system A Framework for All Things Compliance The Compliance Model The Compliance Platform 3 Midwest ISO Overview Supports the reliable delivery of electricity in 13 U.S. states and the Canadian Province of Manitoba Headquartered in Carmel, Indiana, with operations centers in Carmel and St. Paul, Minnesota Approximately $24 billion per year settled in energy markets 350 market participants serving 40+ million people Midwest ISO Reliability Coordination Area 2

3 Governance, Risk, Compliance A Set of Business Functions 5 Process-Driven Compliance Governance, Risk, Compliance A Set of Systems Supporting Compliance 6 3

4 A Framework for All Things Compliance THE COMPLIANCE MODEL Compliance Scope 8 4

5 The Compliance Model Compliance Model Implementation (CMI) provides additional assurance of compliance and systems to support efficient and effective management of compliance activities. The Compliance Model Database 10 5

6 The Compliance Model Interface with Business Processes A Framework for All Things Compliance MODEL IMPLEMENTATION 6

7 Compliance Model Implementation CMI Phase I CMI Phase II CMI Phase III CMI Phase IV Phased Implementation CM Phase I: Identify Requirements For example - NERC Standards applicable to Midwest ISO are identified CM Phase II: Validate and Assign Requirements Midwest ISO staff responsible for Requirement is verified CM Phase III: Document Compliance Processes & Records Processes to achieve compliance are identified and control activities and required Compliance Records determined CM Phase IV: Implement Processes within Compliance Platform Processes in Business Process Model tool and Records in Enterprise Content Management tool 13 Compliance Model - Phase I 14 7

8 Compliance Model - Phase II 15 Compliance Model - Phase III 16 8

9 Compliance Data Model Inputs Compliance Area Requirement Owner Requirement Identification # Text of Requirement Compliance Narrative (NERC) Internal Objective (NERC Element) Control Activity # Text of Control Activity Business Area Frequency Type Control Activity Owner Process Corroborating Evidence Supporting Department Category Risk Notes 17 CMI Phase III Activity Overview Tariff Requirements Matrix CMI Database (System of Record) Quality Assurance Review Process Identification Control Drafting NERC Requirements Matrix Evidence Production MATRIX CONTAINS - Unique Identifier Requirement Owner Requirement Text After Requirements have been passed to the CMI Database the focus shifts from documentation of requirements and identification of owners to Process Identification, Controls Documentation, Evidence Gathering and an independent Quality Assurance Review. 18 9

10 CMI Phase III Quality Assurance Process for Documenting Compliance Process /procedure, controls, and evidence documented for each Compliance Requirement and submitted for Quality Assurance Review Process / Controls Quality Assurance Reviewer reviews and Signs-off Technical Quality Assurance Reviewer reviews and Signs-off Requirements Owner and Compliance Area Owner reviews and Signs-off Process Documentation, Controls and Evidence for all Requirements Completed Quality Assurance Review Objective: Ensure effectiveness of processes, control activities, and evidence to demonstrate compliance Process/Controls Review: Ensure adequacy of controls Technical Review focus: Ensure sufficiency, appropriateness and reliability of evidence. 19 Compliance Model Database Example Requirement ID Requirement Text Associated Process Control Evidence TOA_A II.E - 3 No Midwest ISO Director, agent, Officer or employee shall directly own securities issued by any Owner, Member, or User of the Transmission System. Annual Standards of Conduct Recertification Process at Section [xx] The Human Resources Manager shall confirm that all Directors, agents, Officers and employees have signed the annual recertification form attesting that they do not directly own securities issued by any Owner, Member or User of the Transmission System. Signed Annual Recertification Form Spreadsheet tracking all signatures Unique Requirement Identifier Rate schedule language capturing obligation placed on Midwest ISO. Identification of a specific process Control language including language used in the requirement (where appropriate). Evidence showing a signed recertification form and method for tracking 20 10

11 Compliance Model Phase IV Business Process Management Readiness 21 Compliance Model Phase IV Business Process Management Implementation 22 11

12 A Framework for All Things Compliance THE COMPLIANCE PLATFORM A COLLECTION OF INTERFACING SYSTEMS Compliance Model Lifecycle Management 24 12

13 The Compliance Platform Compliance through integration of best-in-class software applications 25 The Compliance Platform Primary Activities related to Governance, Risk & Compliance (GRC) Monitoring and recording of business activity to ensure compliance with policies; providing corrective action when rules have been ignored or misconstrued. Identifying potential risks, prioritizing risk tolerance and implementing controls to manage and mitigate risk. Recording and monitoring policies, procedures and controls to enable compliance. Primary Activities related to Business Process Management (BPM) Process execution to accomplish defined business objectives related to compliance activities. Process performance measurement to ensure production and capture of compliance records. Efficient execution of processes with efficiency, improving human capital efficiency enabling support of an increasing number of compliance requirements. Primary Activities related to Enterprise Content Management (ECM) Preservation of compliance records in a structured, controlled environment. Implementation of records retention and management policies. Search and retrieval

14 Supporting Systems The Compliance Platform Process-Driven Compliance System Functions 27 Document-Driven Compliance Manual processes and unstructured data Process-Driven Compliance Manual Processes Burden Staff Reports Less Visibility Into Compliance Activities Apps Files Web Databases Evidence records may not be captured completely, or may even become lost

15 Process-Driven Compliance Process-Driven Compliance Process-Driven Compliance involves integration of three suites of applications to support risk management and compliance GRC Integration Point ECM Integration Point 29 Process Driven Compliance Process-Driven Compliance Process-Driven Compliance is Built-In Compliance providing control and visibility of compliance activities Sustainable Built-In Compliance Control of Compliance Activities Policies and standards establish expectation Procedures guide rules and responsibilities Workflows incorporate policies and procedures formalizing interactions Formalized workflows enforce rules, driving compliance activities Visibility of Compliance Activities Process models illustrate interactions and responsibilities Workflow adds rules policies, procedures and responsibilities to streamline process execution Workflow enables process automation and tracking enabling audit-ability and documented compliance 30 15

16 Governance, Risk Management & Compliance Building In-House, Java-Based Application Monitoring and recording of business activity to ensure compliance with policies; providing corrective action when rules have been ignored or misconstrued. Identifying potential risks, prioritizing risk tolerance and implementing controls to manage and mitigate risk Recording and monitoring policies, procedures and controls to enable compliance Business Process Management COR006: Corporate Attestations Process for NERC 16

17 Enterprise Content Management Find it Fast with ECMS Preservation of compliance records in a structured, controlled environment. Implementation of records retention and management policies. Search and retrieval Summary Process People Technology GRC is the integration of people, process and technology to support business functions of Governance, Risk Management, & Compliance 34 17