by Lisa Meiman
Rocky Mountain employees should be blushing with praise after
successfully completing an intensive North American Electric Reliability
Corporation reliability compliance audit, Aug. 27-Sept. 4, with kudos from
auditors, senior leadership and other regions alike.
“It was one of the best executed audits we have ever had,” said Rocky
Mountain Reliability Compliance Manager Brent
Sessions. “The auditors have a high opinion of Western. They commented on
our professionalism and felt we demonstrated a culture of compliance.”
About 50 employees were involved in the audit, including the regional
reliability compliance managers, a data request team and subject matter
experts from power operations, maintenance, information technology, supervisory
control and data acquisition (SCADA), transmission planning and the office of
security and emergency management.
“The outcome is a reflection of the tremendous dedication and
professionalism employees bring to the job every day,” said Administrator and
CEO Mark Gabriel. “Thank you for all
your hard work.”
The two-week audit actually began May 26 with the official notification
of the upcoming dates for the audit as well as the initial data request, which
is so enormous it is dubbed the “Big Bubba.” For one of the 50 requirements under
review, RM gave auditors a list of all the cyber assets subject to compliance.
Auditors picked a random sample of those cyber assets, and then asked for
everything related to each component’s compliance documentation for the last
“It’s a huge, huge data request. It takes weeks to compile the
evidence, more than 100 megabytes,” said Desert Southwest Reliability
Compliance Manager Matt Schmehl.
In total, RM provided more than 1,000 documents to the auditors to
review by the end of July. The bulk of the document review is completed in the
first week of the audit and can indicate how the audit is going.
“A measure we go by is how many data requests we received in the first
week,” said Schmehl. “If we did a good job with the reliability standard audit worksheets,
we see fewer requests. If we get a bunch of data requests, we didn’t do a good
job presenting the story.”
RM completed, on time, 57 data requests to clarify the evidence and
other documentation through interviews, tours or written responses. Previous
audits exceeded 100 requests. “The auditors were complimentary of how we
formatted the big data request and arranged evidence for them,” said Schmehl.
Audits are primarily about evaluating Western procedures and
documentation for compliance and not spot checks and observations of these
practices in action, although auditors do visit facilities and a small number
of substations during the second week, which also went well.
“Tours are surprisingly tough to manage,” said Sessions. “This time, we
had one person responsible for coordinating all the tours, and that really
helped. We also better structured the tours and provided training to Western
employees who would be involved.”
On Sept. 4, the auditors presented an informal out brief, identifying
only two potential violations as a result of the audit. Both were minor
infractions that stemmed from compliance documentation of the standard in
question. “Potential violations are not a failure of the audit. They are rather
a statement by the auditors that they believe we were not able to demonstrate
compliance with respect to a specific requirement of a standard,” said Schmehl.
“On behalf of the reliability compliance managers, we are thankful for
work people put into this,” said Sessions. “It is a lot of work and not a lot
of fun. Through all the difficulties getting it ready, it all came together for
the audit. Everyone should be very happy with their performance as should their
Learning cycle lessens stress
Reliability audits, conducted every three years by NERC’s regional
reliability organizations, are a comprehensive review of each region’s evidence
and procedures to comply with more than 50 requirements listed in about 30
reliability standards. With four NERC-registered regions, Western experiences
an almost constant cycle of preparing for, completing and learning from audits.
“The standards cover all areas of reliability, from bulk power system
operations, the training of the dispatchers, engineering and modeling of the
bulk power system to vegetation management, coordination of operations and
outages with neighboring utilities, maintenance of the protection systems and
responses to system emergencies,” said Schmehl.
RM began preparing for the audit in summer 2014, collecting and
organizing three years’ worth of documentation for the upcoming data requests,
a daunting task. RM built their effort around lessons learned from other
regions’ recent audits including DSW’s in 2014 and Sierra Nevada’s earlier this
year—an effective use of time that has lessened employees’ stress about audits.
“Last year, DSW set up a Critical Infrastructure Protection, or CIP,
War Room,” said Sessions. “Everyone who had a role in CIP met in a big room and
answered the CIP data request questions together. It was much more efficient so
we used it in SN and RM. RM developed a SharePoint site to share information, a
practice first used in SN, so everyone could see the data request log, contact
numbers and key information.”
Preparation also included a mock audit in February, essentially a dress
rehearsal of the real thing that included data requests, tours and interviews
with the subject matter experts. “The real audits are less stressful than the
mock audits have been, which is a good thing,” said Schmehl. “The mock audits
are when we are supposed to shake out the machinery and find the bugs.”
2016: UGP up next
During its audit in early 2016, UGP will benefit again from DSW’s and
SN’s lessons, as well as early improvements from RM, such as the single tour
coordinator and how to organize responses to data requests. “We also plan to
have subteams during tours so auditors can get more done at once,” said
Sessions. UGP’s audit will give clues on how NERC’s transition to risk-based enforcement
and monitoring will affect audits, which will better prepare DSW in 2017.
In the meantime, the Reliability Compliance Standards Team is
encouraging people to continue compliance-friendly documenting practices between
audits to prepare for future reviews. “There is now a standing team at DSW who
will make sure evidence is being accumulated and stored correctly in real
time,” said Schmehl.
Sessions added, “We have figured out a lot of
things to make the audit process smoother, and we will continue to improve each
time we are audited. If people do compliance every day, when it comes time for
the audit, the amount of effort to prepare will not be as much as it used to