The following is an excerpt from Ice Miller's Pathways to Success for Utilities Guide, which provides insights on a variety of topics potentially impacting utility service providers.
Under the risk-based compliance monitoring approach, an entity’s compliance program will be determined by the potential risks the entity poses to the reliability of the Bulk-Power System. Implementing this entity-specific, risk-assessment approach may change the Reliability Standards of compliance monitoring for entities. The two primary components of the risk-based enforcement program are the creation of a self-logging process and compliance exceptions. Registered entities can elect to “self-log” instances of minimal-risk noncompliance and record the mitigating activities. The new “compliance exceptions” process provides an alternative enforcement process for risk instances of noncompliance that do not warrant a penalty. NERC’s filing indicates that a significant percentage of compliance matters will be processed using this new compliance exception and logging program.
The Impact of Cybersecurity Risks
The risk-based strategy for compliance monitoring will also include a significant focus on cybersecurity and the CIP Version 5 Reliability Standards. NERC advocates that the concepts of Inherent Risk Assessment (IRA) and Internal Control Evaluation (ICE) will be essential to monitoring compliance with CIP Version 5.
- IRA: Conducted by a Regional Entity, an IRA will be a review of an individual Registered Entity’s potential risks to the reliability of the Bulk Electric System. An IRA will consider factors such as assets, systems, geography, interconnectivity and functions performed, which will allow the Regional Entity to tailor appropriate oversight. If a Registered Entity shows minimal risk in an IRA, a Regional Entity may choose to limit its monitoring scope.
- ICE: ICE is a voluntary process whereby a Registered Entity may provide information concerning the internal controls it uses to manage reliability risks, which in turn will help a Regional Entity focus its compliance oversight.