WAPA » Newsroom » News features » 2015

Rocky Mountain impresses compliance auditors

​by Lisa Meiman

Rocky Mountain employees should be blushing with praise after successfully completing an intensive North American Electric Reliability Corporation reliability compliance audit, Aug. 27-Sept. 4, with kudos from auditors, senior leadership and other regions alike.

“It was one of the best executed audits we have ever had,” said Rocky Mountain Reliability Compliance Manager Brent Sessions. “The auditors have a high opinion of Western. They commented on our professionalism and felt we demonstrated a culture of compliance.”

About 50 employees were involved in the audit, including the regional reliability compliance managers, a data request team and subject matters experts from power operations, maintenance, information technology, supervisory control and data acquisition, or SCADA, transmission planning and office of security and emergency management. 

“The outcome is a reflection of the tremendous dedication and professionalism employees bring to the job every day,” said Administrator and CEO Mark Gabriel. “Thank you for all your hard work.”

The two-week audit actually began May 26 with the official notification of the upcoming dates for the audit as well as the initial data request, which is so enormous it is dubbed the “Big Bubba.” For one of the 50 requirements under review, RM gave auditors a list of all the cyber assets subject to compliance. Auditors pick a random sample of those cyber assets, and then asked for everything related to each component’s compliance documentation for the last three years.

“It’s a huge, huge data request. It takes weeks to compile the evidence, more than 100 megabytes,” said Desert Southwest Reliability Compliance Manager Matt Schmehl. 

In total, RM provided more than 1,000 documents to the auditors to review by the end of July. The bulk of the document review is completed in the first week of the audit and can indicate how the audit is going.

“A measure we go by is how many data requests we received in the first week,” said Schmehl. “If we did a good job with the reliability standard audit worksheets, we see fewer requests. If we get a bunch of data requests, we didn’t do a good job presenting the story.”

RM completed, on time, 57 data requests to clarify the evidence and other documentation through interviews, tours or written responses. Previous audits exceeded 100 requests. “The auditors were complimentary of how we formatted the big data request and arranged evidence for them,” said Schmehl. 

Audits are primarily about evaluating Western procedures and documentation for compliance and not spot checks and observations of these practices in action, although auditors do visit facilities and a small number of substations during the second week, which also went well.

“Tours are surprisingly tough to manage,” said Sessions. “This time, we had one person responsible for coordinating all the tours, and that really helped. We also better structured the tours and provided training to Western employees who would be involved.”  

On Sept. 4, the auditors presented an informal out brief, identifying only two potential violations as a result of the audit. Both were minor infractions that stemmed from compliance documentation of the standard in question. “Potential violations are not a failure of the audit. They are rather a statement by the auditors that they believe we were not able to demonstrate compliance with respect to a specific requirement of a standard,” said Schmehl.

“On behalf of the reliability compliance managers, we are thankful for work people put into this,” said Sessions. “It is a lot of work and not a lot of fun. Through all the difficulties getting it ready, it all came together for the audit. Everyone should be very happy with their performance as should their managers.”

Learning cycle lessens stress 

Reliability audits, conducted every three years by NERC’s regional reliability organizations, are a comprehensive review of each region’s evidence and procedures to comply with more than 50 requirements listed in about 30 reliability standards. With four NERC-registered regions, Western experiences an almost constant cycle of preparing for, completing and learning from audits. 

“The standards cover all areas of reliability, from bulk power system operations, the training of the dispatchers, engineering and modeling of the bulk power system to vegetation management, coordination of operations and outages with neighboring utilities, maintenance of the protection systems and responses to system emergencies,” said Schmehl.  

RM began preparing for the audit in summer 2014, collecting and organizing three years’ worth of documentation for the upcoming data requests, a daunting task. RM built their effort around lessons learned from other regions’ recent audits including DSW’s in 2014 and Sierra Nevada’s earlier this year—an effective use of time that has lessened employees’ stress about audits. 

“Last year, DSW set up a Critical Infrastructure Protection, or CIP, War Room,” said Sessions. “Everyone who had a role in CIP met in a big room and answered the CIP data request questions together. It was much more efficient so we used it in SN and RM. RM developed a SharePoint site to share information, a practice first used in SN, so everyone could see the data request log, contact numbers and key information.” 

Preparation also included a mock audit in February, essentially a dress rehearsal of the real thing that included data requests, tours and interviews with the subject matter experts. “The real audits are less stressful than the mock audits have been, which is a good thing,” said Schmehl. “The mock audits are when we are supposed to shake out the machinery and find the bugs.” 

2016: UGP up next

During its audit in early 2016, UGP will benefit again from DSW’s and SN’s lessons, as well as early improvements from RM, such as the single tour coordinator and how to organize responses to data requests. “We also plan to have subteams during tours so auditors can get more done at once,” said Sessions. UGP’s audit will give clues on how NERC’s transition to risk-based enforcement and monitoring will affect audits to better prepare DSW in 2017.  

In the meantime, the Reliability Compliance Standards Team is encouraging people to continue compliance-friendly documenting practices between audits to prepare for future reviews. “There is now a standing team at DSW who will make sure evidence is being accumulated and stored correctly in real time,” said Schmehl. 

Sessions added, “We have figured out a lot of things to make the audit process smoother, and we will continue to improve each time we are audited. If people do compliance every day, when it comes time for the audit, the amount of effort to prepare will not be as much as it used to be.”

Page Last Updated: 9/22/2015 12:27 PM