On February 19, 2015, the Commission approved the North American Electric Reliability Corporation’s (“NERC”) proposed implementation of the Reliability Assurance Initiative (“RAI”)—an initiative aimed at creating a “Risk-Based” approach for compliance monitoring and enforcement of mandatory Reliability Standards. Going forward, NERC believes that RAI will have Electric Reliability Organization (“ERO”) and industry resources more focused on higher-risk issues that significantly impact the reliability of the Bulk Electric System (“BES”).
On November 3, 2014, NERC submitted its proposed implementation of RAI to the Commission. In its filing, NERC described some of RAI’s major components and processes with respect to two primary ERO activities: 1) Risk-Based Compliance Monitoring; and 2) Risk-Based Enforcement. The various components of each include the following:
Risk-Based Compliance Monitoring Components
- Risk Elements Identification – a process that identifies and prioritizes ERO-wide risks based on significance, likelihood, vulnerability, and potential impact to the reliability of the BES. These identified risks will then be mapped to related Reliability Standards in order to develop the ERO’s annual Compliance Monitoring and Enforcement Program (“CMEP”) Implementation Plan, as well as Regional Entity Implementation Plans.
- Inherent Risk Assessment (“IRA”) – a specific and individualized review of the potential risks posed by a Registered Entity, conducted by a Regional Entity. The results of the review may alter the scope of compliance monitoring for a particular Registered Entity, including more, fewer, or different Reliability Standards than those contained in the ERO and Regional Entity annual CMEP Implementation Plans.
- Internal Controls Evaluation (“ICE”) – a voluntary evaluation by a Regional Entity of a Registered Entity’s internal controls that detect, correct, and mitigate the Registered Entity-specific risks identified in the IRA. The ICE may result in a refined scope of a Regional Entity compliance audit, including whether an audit is necessary, and may decrease the Registered Entity’s scope of compliance monitoring, if the Registered Entity demonstrates effective internal controls. If a Registered Entity does not demonstrate effective internal controls, the established IRA scope will not change.
- CMEP Tools – a Regional Entity will determine the type and frequency of application of ERO compliance monitoring tools (e.g., off-site or on-site audits, spot checks or self-certifications) appropriate for a particular Registered Entity, based on the Registered Entity’s specific reliability risks as evaluated through IRA and, if used, ICE.
Risk-Based Enforcement Components
- Compliance Exceptions – a process that identifies minimal risk instances of noncompliance with Reliability Standards that do not warrant a penalty, but are instead recorded and mitigated without triggering a formal enforcement action by NERC. A minimal risk determination will be based on the combination of the subject Reliability Standard requirement and the attendant facts and circumstances.
- Self-Logging Process – a process that allows Registered Entities with demonstrated effective management practices to self-identify, assess, and mitigate minimal risk instances of noncompliance and then record the issue in a log, in lieu of individually self-reporting each instance of possible noncompliance. A Regional Entity will periodically review and approve the log and, once approved, the logged issues will typically be resolved as compliance exceptions.
In its order, the Commission conditionally approved NERC’s proposed implementation of RAI, finding that NERC’s overall goal was reasonable. The Commission directed NERC to submit a compliance filing within 90 days to revise NERC’s Rules of Procedure in order to further articulate certain RAI concepts and programs, and provide additional details regarding programmatic oversight and how NERC intends to measure the programs’ overall success.
With regard to compliance exceptions, the Commission determined that NERC must publicly post such exceptions, and that NERC and the Regional Entities must: (i) consider a history of compliance exceptions where the failure to fully remediate the underlying compliance matter contributes to a subsequent serious and/or substantial noncompliance matter; and (ii) assess subsequent noncompliance to determine whether a Registered Entity should continue to qualify for compliance exception treatment. The Commission also determined that with respect to the self-logging process, NERC must: (i) require some level of formal review of a Registered Entity’s internal controls before granting the flexibility to self-log instances of noncompliance; and (ii) establish an appropriate level of standardization for the content and review of a Registered Entity’s compliance logs.
Finally, NERC will also need to submit an annual informational report on RAI to the Commission. A copy of the Commission’s order may be found here.