Regulatory Compliance Framework An Electric Utility Model. Abstract. Grier Consulting Group LLC



Similar documents
Enterprise Risk Management Process Improvement. Secure Banking Solutions, LLC

Sample Enterprise Risk Management Work Plan Fiscal Years 20XX and 20YY Revised June Internal Environment / Objectives Setting

A. Introduction. B. Requirements. Standard PER System Personnel Training

Regulatory Compliance Management for Energy and Utilities

RISK MANAGEMENT OVERVIEW 2011 RISK CONFERENCE SPONSORED BY THE FEDERAL RESERVE BANK OF CHICAGO AND DEPAUL UNIVERSITY

The New International Standard on the Practice of Risk Management A Comparison of ISO 31000:2009 and the COSO ERM Framework

UNITED STATES DEPARTMENT OF EDUCATION OFFICE OF INSPECTOR GENERAL

Developing an Effective Enterprise Risk Management Program

University Audit and Compliance. Internal Controls Enterprise-Wide Risk Assessment

Enterprise Risk Management & Information Technology

Enterprise Risk Management

MISO Annual Compliance Program Update

Fraud Prevention and Deterrence

CIP Cyber Security Security Management Controls

COMPLIANCE CHARTER 1

AMTRAK CORPORATE GOVERNANCE: Implementing a Risk Management Framework is Essential to Achieving Amtrak s Strategic Goals

RISK MANAGEMENT IN A FOR-

RISK MANAGEMENT AND COMPLIANCE

Matthew E. Breecher Breecher & Company PC November 12, 2008

Audit-Ready SharePoint Applications

Risk Management Services

Enterprise Risk Management in Compliance 360

Fraud Risk Management

Ethical Maturity Index: Questionnaire Authors: Elena Demidenko and Patrick McNutt

Administrative Guidelines on the Internal Control Framework and Internal Audit Standards

NERC CIP VERSION 5 COMPLIANCE

The College of New Jersey Enterprise Risk Management and Higher Education For Discussion Purposes Only January 2012

ENTERPRISE RISK MANAGEMENT POLICY

SAI GLOBAL LIMITED Risk Management Policy

THE ROLE OF FINANCE AND ACCOUNTING IN ENTERPRISE RISK MANAGEMENT

A Risk-Based Audit Strategy November 2006 Internal Audit Department

Enterprise Risk Management (ERM) & Compliance

S24 - Governance, Risk, and Compliance (GRC) Automation Siamak Razmazma

POLICY : CORPORATE RISK MANAGEMENT

Best Practices for Managing Bank Transaction Risk Using a Continuous Data Analytics Approach

How To Improve Your Business

Strategic Risk Management for School Board Trustees

Enterprise risk management: A pragmatic, four-phase implementation plan

JIRA RAID User Manual

Risk Management and Internal Audit Specialized Training Course Audit Risk Assessment Methodology

Improving Financial Performance, Governance and Compliance

[RELEASE NOS ; ; FR-77; File No. S ]

WHITE PAPER Third-Party Risk Management Lifecycle Guide

RSA ARCHER OPERATIONAL RISK MANAGEMENT

University of Windsor Board of Governors. That the Board of Governors approve of the Enterprise Risk Management Framework.

Risk Assessment & Enterprise Risk Management

Enterprise Risk Management

Implementing an Integrated City-wide Risk Management Framework

THE SOUTH AFRICAN HERITAGE RESOURCES AGENCY ENTERPRISE RISK MANAGEMENT FRAMEWORK

Infrastructure Ontario Enterprise Risk Management Program. National Executive Forum Yellowknife, NWT May 2013

Audit of the Test of Design of Entity-Level Controls

Policy : Enterprise Risk Management Policy

Process Improvement Plan

and Risk Tolerance in an Effective ERM Program

NERC Cyber Security. Compliance Consulting. Services. HCL Governance, Risk & Compliance Practice

RISK BASED AUDITING: A VALUE ADD PROPOSITION. Participant Guide

ERM Standards of Practice and Shared Risk Principles

Saldanha Bay Municipality. Risk Management Strategy. Inclusive of, framework, procedures and methodology

APPLICATION OF KING III CORPORATE GOVERNANCE PRINCIPLES 2014

APPLICATION OF THE KING III REPORT ON CORPORATE GOVERNANCE PRINCIPLES

Quality Management in Clinical Trials

ENTERPRISE RISK MANAGEMENT. J. Joseph Hoey, Ed.D. Bridgepoint Education CAIR 2015

Enterprise Risk Management

Compliance Policy AGL Energy Limited

North American Electric Reliability Corporation. Compliance Monitoring and Enforcement Program. December 19, 2008

Analyzing Risks in Healthcare. February 12, 2014

Supply Chain Shared Services (SCSS)

The Upside of Risk: Enterprise Risk Management and Public Real Estate Companies

APPENDIX 50. Enterprise risk management - Risk management overview

Sempra Energy Utilities response Department of Commerce Inquiry on Cyber Security Incentives APR

Global Compliance Audit

EnergySec Partnered Webinar with MetricStream Transitioning to NERC CIP Version 5: What Does it Mean for Electric Utilities JANUARY 28, 2015

WFP ENTERPRISE RISK MANAGEMENT POLICY

Sarbanes-Oxley Control Transformation Through Automation

Using COBiT For Sarbanes Oxley. Japan November 18 th 2006 Gary A Bannister

The Changing Landscape for Trade Compliance Enterprise Risk (and Opportunity) Management

ERM Program. Enterprise Risk Management Guideline

Moving Forward with IT Governance and COBIT

Enterprise Risk Management Integrated Framework. Executive Summary

STANDARDS OF SOUND BUSINESS AND FINANCIAL PRACTICES. ENTERPRISE RISK MANAGEMENT Framework

Risk Management - Board & Management Responsibilities Murray Short, MBA, CPA CA Not-for-Profit Partner RLB LLP

Audit of the Policy on Internal Control Implementation

The Role of the Board in Enterprise Risk Management

SHARED SERVICES. An Enabler for Managing Risk. Steve Tracy, Principal Consultant, ISG.

White Paper Achieving GLBA Compliance through Security Information Management. White Paper / GLBA

Appendix 1e. DIRECTORATE OF AUDIT, RISK AND ASSURANCE Internal Audit Service to the GLA. Performance Management Framework

Framework for Enterprise Risk Management

Innovation in Work Health and Safety Solutions

Information Security and Governance in ERP Implementation (JD Edwards)

Paisley Enterprise GRC Audit Profile. Linda Bergs

Re: NERC Notice of Penalty regarding Pacific Gas and Electric Company FERC Docket No. NP10-_-000

Transcription:

Regulatory Compliance Framework An Electric Utility Model Abstract This presentation will describe the development of a regulatory compliance framework and toolset for use by a utility regulatory services department. The framework was developed to help the utility to identify, risk assess, manage and control the variety of policies, standards, orders and requirements of federal, regional, and state regulatory commissions and agencies. The compliance framework was based on selected segments of the Committee of Sponsoring Organizations ("COSO") framework standard. These include: 1. Requirement Identification - The catalog of specific external compliance requirement elements against the applicable FERC, NERC, Regional ERO, state public utility, and CFTC standards, orders, rules, and other requirements; 2. Risk Assessment - How to define the inherent and residual risks associated with each compliance requirement and how these risks are analyzed; 3. Control Activities - An approach to the policies and procedures which are necessary to implement the framework and to ensure that risk mitigations (commitments) are effectively carried out; 4. Information and Communication - How to identify, capture, and communicate appropriate information to internal personnel in a timeframe that enables people to carry out their compliance responsibilities; and 5. Monitoring - Plans for ongoing monitoring of the compliance framework. In addition, the presentation will describe a risk ranking approach and directional scale to allow an assessment of compliance maturity, as well as the expected likelihood and impact of non-compliance across all in-scope compliance areas. 2008. Not to be reproduced without permission. 2

Outline The US Electric Utility Industry A Snapshot Electric Utility Compliance The Scope and Scale of the Challenge COSO The Basis of a Compliance Framework Model A Simple Compliance Process (KISS) A Role for Technology Conclusions 2008. Not to be reproduced without permission. 3 Electric Utility Industry A Snapshot 2008. Not to be reproduced without permission. 4

The US Electric Utility Industry A Snapshot Revenue from Ultimate Sales (2005) $342 B 1 Employment 400,000 1 U.S. Electric Utility Market Structure 1 Investor Owned Electric Utility Market Capitalization 72% -Investor Owned 12% -Cooperatives 11% -Municipal Systems 5% -Other + $562 B 2 Sources: 1. Edison Electric Institute 2. Yahoo Finance (February 10, 2009) 2008. Not to be reproduced without permission. 5 Electric Utility Compliance The Scope and Scale of the Challenge 2008. Not to be reproduced without permission. 6

An Electric Utility May Be Under Compliance Requirements from a Large Variety of Federal, Regional, and State Regulatory Agencies Western Electricity Coordinating Council 2008. Not to be reproduced without permission. 7 For Example, The Federal Electric Reliability Standards Demonstrate the Scope and Scale for a Single Set of Compliance Requirements FERC Regulates Electric Reliability under US 18 CFR Part 40 Penalties for Non-Compliance to Electric Reliability Standards May Be $1M per day Per Occurrence The North American Electric Reliability Corporation oversees the reliability of the bulk power system in North America Currently 110 Standards representing over 1,800 specific requirements Western Electricity Coordinating Council Regional Reliability Organizations are Charged With Monitoring Utilities in Meeting the Standard s Requirements Electric Utility Must Be Auditably Compliant to 100 s of Applicable Requirements 24-7, 365 Days Per Year 2008. Not to be reproduced without permission. 8

COSO The Basis of a Compliance Framework Model 2008. Not to be reproduced without permission. 9 COSO ERM The Basis for A Compliance Framework Model Assess Operating Environment setting the basis for how the organization views compliance. Set Compliance Objectives defining appropriate compliance objectives. Identify Compliance Obligations internal and external compliance events. Assess Noncompliance Risk on an inherent and a residual basis. Develop Risk Response management s set of actions. Perform Control Activities ensure responses are effectively carried out. 1. Grier Consulting Group analysis of Enterprise Risk Management Integrated Framework, Committee of Sponsoring Organizations (COSO) of the Treadway Commission, 2004. Communicate Performance appropriate form and timeframe. Monitor and Improve Performance the compliance management process is monitored and modifications 10 made as necessary. 2008. Not to be reproduced without permission. 10

Model Compliance Framework Assessing the Operating Environment Assess Operating Environment Understand how compliance might be viewed by the organization and provide the appropriate communication and guidance to ensure the organization meets the expectations of management. Determine and establish the appropriate governance structures. Identify the appropriate risk management philosophy associated with the compliance (may or may not be well defined by the regulator). 2008. Not to be reproduced without permission. 11 Model Compliance Framework Set Compliance Objectives Set Compliance Objectives Management s clearly state compliance objectives. The processes developed to support and align management s compliance objectives. The set of workflows which represent appropriate processes to support the compliance process. 2008. Not to be reproduced without permission. 12

Model Compliance Framework Identify Compliance Obligations Identify Compliance Obligations Each requirement set out in federal and state law and regulation are assessed for their potential for the risk of non-compliance (each potential non-compliance is an event). Determine the impacted organization (is it across the enterprise, multiple, or single business unit?) 2008. Not to be reproduced without permission. 13 Model Compliance Framework Assess Non-Compliance Risk Assess Non-Compliance Risk Risk The detrimental effect a violation of the requirement could have on the organization (typically measured as, High Medium, and Lower). Overall Red, Amber, Green (RAG) Status in $ per Day Impact Very Low $0 $50K Estimated Impact of Non-Compliance (Total $) Low $50K $500K Medium $500K $1M High $1M $10M Very High $10M $100M Inherent Risk Defined as the product of likelihood and impact to a negative event on the organization without any use of appropriate risk management techniques. Likelihood of Non-Compliance Very High 1 Day 1 1 Mo High 1 Mo 1 1 Yr Medium 1 Yr 5 5 Yrs Long 5 Yrs 20 Yrs Very Long 20 Yrs 100 Yrs $208 $833 $3,123 $10,411 $208,219 $14 $55 $205 $685 $13,699 $7 $28 $104 $347 $6,944 $2 $7 $25 $83 $1,667 $0 $1 $5 $17 $347 2008. Not to be reproduced without permission. 14

Model Compliance Framework Develop Risk Response Develop Risk Response Performed as a result of the risk assessment and, when complete, provides a new condition to be assessed relative to compliance requirements. Maintain a process for determining appropriate mitigation responses to any level of event non-compliance. Manage all commitments made to remediate identified non-compliance items. 2008. Not to be reproduced without permission. 15 Model Compliance Framework Control Activities Perform Control Activities Policies and procedures established and implemented to help ensure the risk responses are effectively carried out. The organization (e.g., Internal Audit) should provide appropriate control testing of the compliance management program. 2008. Not to be reproduced without permission. 16

Model Compliance Framework Communicate Performance Communicate Performance Use of a compliance management tool (CMT) and related processes provide a vehicle for the identification, capture and communication of important information relative to compliance. The CMT allows large volumes of compliance items to be assessed and managed. Those who are responsible for managing the governing rules, regulations, requirements, risk controls and risk mitigation can use the CMT to identify at a glance which risks require additional mitigation and control. 2008. Not to be reproduced without permission. 17 Model Compliance Framework Monitor and Improve Performance Monitor and Improve Performance The entirety of the compliance management program is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both. 2008. Not to be reproduced without permission. 18

A Simple Compliance Process (KISS) 2008. Not to be reproduced without permission. 19 A Simple Compliance Process Two Steps Do we have sufficient evidence to demonstrate compliance to each Compliance Element? Compliance Element Owners Monitor Type & Quality of Evidence of Compliance Set Compliance Sufficiency Report Ongoing Performance Step 2 Set Performance Expectations Step 1 Evidence Gatherers Add / Modify Evidence of Compliance Monitor Good Thru Date Regulatory Compliance We are compliant and have captured appropriate Evidence to Demonstrate Compliance. Are we auditably compliant? 2008. Not to be reproduced without permission. 20

Compliance Framework Process Roles and Responsibilities Compliance Element Owners Evidence Gatherers Regulatory Compliance Monitor Standards Compliance (Are we doing the Right Things?) Review Evidence of Compliance (Are we able to show we are Doing the Right Things?) Set Compliance Sufficiency (Are we ready for an Audit?) Effectively Support Regulatory Compliance Efforts (Reviews and Audits) Understand the Requirements (What does Doing the Right Thing mean?) Execute to the Requirements (Doing the Right Thing.) Capture Evidence (Demonstrate we are Doing the Right Thing.) Maintain Compliance Diligence (Does evidence still provide appropriate substantiation?) Primary Compliance Interface (To the regulator) Provide Compliance Support (Governance, Process, Tools) Monitor Performance (Heads-Up Reports, Aging Reports, etc.) Report to Management (Are we prepared to show that we are in Auditably Compliant?) 2008. Not to be reproduced without permission. 21 A Role for Technology 2008. Not to be reproduced without permission. 22

Thoughts on Technology Solution Familiar technology platform friendly to large number of users Processes and workflows established and facilitated by experts to drive consistency Intuitive user interface simplifying training Extensive use of pull-down menus or radio buttons to support consistency of assessment input Utilization of dashboards to monitoring and review performance 2008. Not to be reproduced without permission. 23 Conclusions 2008. Not to be reproduced without permission. 24

Conclusions The public s desire for more transparency has led the regulator to promulgate more compliance requirements Scope and Scale are becoming so complex that ad-hoc monitoring of compliance is no longer realistic COSO can provide a recognized compliance framework model The compliance entity (utility) must: Define what a Compliance Event means to them Depend on a simple process to address each Compliance Event Provide overall monitoring of the Compliance Framework for effectiveness and be able to modify when it is not working Technology can play an important role in managing large, diverse, systems of compliance requirements 2008. Not to be reproduced without permission. 25 Contact details: APS Linda Thompson Arizona Public Service Co. Director Ethics and Compliance 602-250-2366 Linda.Thompson@aps.com Chris Grier President 480-282-0150 chris.grier@grierconsulting.com 2008. Not to be reproduced without permission. 26

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information