The new Align system enables NERC registered entities to create and submit mitigation milestones as part of mitigating activities or a mitigation plan linked to a Potential Noncompliance (PNC). Mitigation milestones provide entities with the method to document relevant, measurable, and realistic tasks to mitigate a noncompliance.
Mitigation milestone tasks are categorized as one of the following types: Remediating Action, Corrective Control, Preventative Control, Detective Control, or Other Action. The purpose of characterizing the mitigation milestone types is to understand the intended function of each mitigating activity, and to implement controls to remediate, correct, prevent, and detect a noncompliance. Mitigations and controls reduce the risk and likelihood of noncompliance and improve reliability of the Bulk Electric System (BES).
MRO characterizes the Align mitigation milestone types as follows:
Remediating Actions are the specific activities that remediate the noncompliance and end the noncompliance with the Reliability Standard and Requirement.
Corrective Controls are the actions or controls implemented to correct a noncompliance after it has occurred. Corrective Controls typically fix or mitigate the cause of a noncompliance, and act to reduce the risk of reoccurrence. Corrective Controls should focus on both procedural and technical controls that may be available to help correct future instances of noncompliance. Corrective Controls should also consider any other Reliability Standards impacted by the noncompliance.
Preventative Controls are the actions or controls implemented to prevent a noncompliance or reduce the likelihood of reoccurrence. Preventative Controls should focus on both procedural and technical controls that may be available to help prevent future instances of noncompliance. Addressing the cause and any contributing factors with controls to prevent the likelihood of reoccurrence will lead to effective and sustainable mitigation.
Detective Controls are the actions or controls implemented to detect a noncompliance during or after it has occurred. Detective Controls should focus on both procedural and technical controls that may be available to help detect future instances of noncompliance. Detecting an instance of noncompliance can limit its duration by drawing attention to places where remediating actions and corrective controls can be applied to end the noncompliance.
If there are any other milestone actions that do not fit under remediating, corrective, preventive, or detective actions and controls, the entity should classify it as “Other Action.” These may include additional “above and beyond” steps the entity committed to take but may not necessarily fall directly under correcting or preventing the issue.
Mitigation milestone tasks should take into consideration the findings from the extent of conditions and root cause analysis of the potential noncompliance when they are designed. The facts and circumstances surrounding the noncompliance scenario are important when determining which types of activities and controls to implement to appropriately reduce the risk to reliability. MRO expects to see at least two mitigating activities; one ending the identified noncompliance and one reducing the risks of reoccurrence. Entities can reach out to MRO HEROs ([email protected]) to discuss mitigation.
Example Mitigations: (1) (2)
In the above example, returning the AVR to automatic mode and notifying the TOP (1) ended the R3 noncompliance, so it is the Remediating Action. The task of adding a message for an operator to acknowledge, check whether the AVR status changed, and notify the TOP if necessary (2) can be either a Preventative Control or a Corrective Control(3), because it attempts to identify if the AVR status changed and prevent a noncompliance by notifying the TOP within 30 minutes, and can also serve to correct the noncompliance and notify the TOP if the status it not restored within 30 minutes. Reviewing procedures and updating the narrative of alarms (3), conducting training on revised procedures with operators (4), and holding a mandatory lessons learned meeting to discuss this issue (6) all serve to reduce the likelihood of reoccurrence, so they are labelled as Preventative Controls. Reviewing all AVR alarm logs in the past year and comparing against TOP notification (5) is a Detective Control, because this task aims to detect additional instances of noncompliance.
(3) Only a single mitigation milestone type can be selected for each task in Align; the selected type is based on the entity’s intention and purpose for the task.
In the above example, performing the evaluation of missed security patches during the period (1) and installing applicable patches (2) are Remediating Actions because they ended the R2 noncompliance. Deploying additional systems to detect and alert on issues with the patch scanning tool (3), updating the patch management process to require personnel verify the patch scanning tool has identified applicable patches (4), and training personnel on the updated process (5) all act as Preventative Controls, because they attempt to reduce the likelihood of reoccurrence. Reviewing all security patches in the last year in search of missed deadlines (6) and deploying systems to notify personnel of overdue patch evaluations (7) are Detective Controls because they act to detect and find instances of noncompliance. Training personnel to prioritize overdue patch evaluations (8) is a Corrective Control because it addresses the noncompliance after reoccurrence.
- (1) Registered Entity Self-Report and Mitigation Plan User Guide, Appendix A: Examples of Description, Scope, Cause, Risk, and Mitigation of Noncompliance
- (2) Some of the mitigations have been altered for example use
– Andrew Wu, MRO Risk Assessment and Mitigation Engineer (CIP)