As a compliance manager in the electric utility industry, I have been involved with the North American Electric Reliability Corporation (NERC) compliance program since 2010, and in that time, I have seen NERC and the Regional Entities transition from a compliance-focused Electric Reliability Organization (ERO) Enterprise to a risk-based ERO.
I have been part of the ongoing discussions on internal controls (back when they were called management practices) since ERO inception. I have also seen the NERC Reliability Standards evolve, including the transition from CIP v3 to CIP v5. As part of the Minnkota team, I have been involved in maturing our internal compliance program from something very basic and new, to something that is well established and well known throughout the organization. I have also made a fair number of NERC compliance friends and am so grateful to have peers who also speak the same language of industry acronyms!
It has been an interesting journey that I am happy to have been a part of because I feel like I am doing something important to help ensure the ERO Enterprise vision of a reliable and secure North American bulk power system. A vision we all share.
I have seen the NERC compliance program mature and have naturally amassed information along the way. Much of what I know and take for granted is not so obvious to people who are new to the field. This became perfectly clear to me while training a new compliance analyst at Minnkota, when I did not have a clue where to begin! There is just SO MUCH to learn and so many resources available. How do we teach all of this in a way that will make sense to someone new to the topic? How about new to the industry? How do we teach new NERC compliance professionals that, in 2023, we are not only concerned with being compliant, but also about the management of risk? Well, I have bad news, and I have good news. The bad news is I still do not have the silver bullet answer to these questions. But the good news is I have compiled some tips and resources that I am eager to share.
Introduction to NERC
I think the first thing to teach someone new to NERC compliance is this: “What is NERC, and why do we care about it?” To answer this question, I start by directing new employees to the Federal Energy Regulatory Commission (FERC) Reliability Primer. Although this document is dated (for example, it shows the ERO Enterprise has eight Regional Entities when it currently has six), it is an easy-to-read guide that can either be read as a traditional text – front to back – or used as a reference guide. This publication provides an overview of all the important background facts that NERC professionals must know, including an overview and history of the electric power system, the Energy Policy Act of 2005, and the role of NERC as the ERO. It even covers the Reliability Standards development process, standards categories, and NERC compliance and enforcement. This primer is a must-read and an excellent resource for all new NERC compliance professionals. In addition to the FERC primer, the NERC Essentials video is a very useful, high-level introduction to NERC.
Phase two of onboarding a new compliance professional should involve a visit to the Midwest Reliability Organization website: MRO.net. The first task should be to subscribe to MRO’s monthly electronic newsletter. This will ensure the new NERC professional stays up to date on current regional news and information. Second, the employee should become familiar with MRO’s online library. MRO has some excellent materials posted in the online library. My personal recommendation is to search for “Internal Controls” or filter on “CMEP Advisory Council” and read some of the exceptional presentations and articles that have been published. In addition, employees should familiarize themselves with what it means to be a Highly Effective Reliability Organization (HERO), which is MRO’s gold standard for compliance programs. I wrote an article on this topic last year, and MRO also has a full page dedicated to this important topic.
It is also worth pointing out an excellent document authored by the former Performance and Risk Oversight Subcommittee (PROS) called the Governance Risk Program. This document supports the HERO concept. Another interesting page for employees to be aware of is the Standards Application Guides page. These guidance documents are intended to assist stakeholders in understanding the application of certain NERC reliability standards and requirements. Since I’m a member of the Compliance Monitoring and Enforcement Program Advisory Council (CMEPAC), I would be remiss if I didn’t put in a plug for the CMEPAC’s monthly calls and how these calls dive into a CMEP topic with other employees from registered entities!
Finally, I would send new NERC professionals to MRO’s Vimeo page and tell them to bookmark that link, so they have quick access to MRO training videos. Every presentation, since 2017, is posted here. This is an engaging way to learn about specific compliance topics.
NERC and Other Resources
The NERC website has a lot of great information on it! The current website is in the process of being replaced, so while I am suggesting you bookmark the following pages, those bookmarks may need to be replaced when the new site is rolled out. Because there are so many useful links, I am grouping them by category in bulleted format.
Compliance & Enforcement – this section of the website contains many of NERC’s core documents related to compliance, violations, and audits.
- The One-Stop Shop provides a list of all the pages under NERC’s Compliance Monitoring and Enforcement Program (CMEP). Theoretically, a person could just go here and not worry about any of the next links I point out. Personally, I find this page useful, but also frequently reference the following links.
- Align and the SEL provides information on how to access and use Align and the Secure Evidence Locker (SEL). I do not personally go to this page often, but it is worth pointing out that this page is available.
- Compliance Guidance includes Standards Implementation Guidance and CMEP Practice guides, which are both excellent sources of information.
- Enforcement and Mitigation is useful for getting a sense of how others have violated a particular requirement and what actions were taken to mitigate the risk of recurrence.
- RSAWs, or Reliability Standards Audit Worksheets, are prepared by NERC for audit teams, to guide assessment effort and to support consistent compliance evaluation of standards between regions. These worksheets provide insight into NERC’s interpretation of requirements. They can also assist when producing and maintaining compliance evidence, as a way to verify that the evidence addresses the compliance assessment approach checklist for each requirement.
- CIP CMEP FAQs is simply a list of CIP-related FAQs. Currently, only CIP-012 and CIP-013 are represented, but hopefully other standards will join this FAQ page at some point.
- Compliance Webinars lists both Enforcement and Operations webinars since 2019.
Standards – this section provides all the information related to currently enforceable standards as well as reliability standards under development.
- The One-Stop Shop (not to be confused with the One-Stop Shop under Compliance & Enforcement) is a spreadsheet that lists all of the NERC standards (effective, inactive, or future enforceable), links to the standard, implementation plans, Project Pages, RSAWs, and more.
- The Reliability Standards menu offers a few additional ways to access the NERC Reliability Standards. They can be accessed in a drop-down list format or through the Complete Set of Reliability Standards. Depending on the situation, both ways to access the standards can be useful.
- The Glossary of Terms used in NERC Reliability Standards is a must-read. Capitalized terms within the NERC Reliability Standards are defined within that document.
- The Balloting and Commenting page gives information on how to ballot and comment on NERC Projects, as well as upcoming ballots.
- The Reliability Standards Under Development page provides access to all NERC Projects. The archived NERC Projects pages can be useful even after a new standard is enforceable because it’s a place to go to review things like Technical Rationales, webinars, and balloting comments.
- The Webinars pages contain webinars pertaining to standards under development.
- The Standards Development Resources page contains a list of useful documents.
Other Resources – there are also a few miscellaneous links that are worth pointing out:
- NERC’s Currently Compliant podcast series on Vimeo.
- The guidelines/technical reference documents/white papers authored by the Reliability and Security Technical Committee (RSTC) subcommittees.
- The Reliability Issues Steering Committee (RISC), especially the Framework to Address Known and Emerging Reliability and Security Risks and the ERO Reliability Risk Priorities Report.
- NERC Rules of Procedure, but do not plan to read all 449 pages of it. Refer to the table of contents and become familiar with each section over the course of time as needed.
Your Own Company’s Internal Compliance Program
Your own company’s internal compliance program is going to give specific details on how NERC compliance is managed within your organization. Make sure new compliance staff know about and completely understand each of the items below. If this information is not currently documented, consider documenting it, both to better communicate with MRO on how compliance is managed at your organization and to make it easier to train newcomers on your company’s programs and processes.
- Standards Development and Readiness – How does your organization track the standards development process, and how do you ensure compliance prior to a standard’s enforcement date? Who are the subject matter experts for each standard and requirement? What does each standard’s implementation consist of?
- Policies and Procedures – How does your organization modify and store policies and procedures? Is there an automated workflow or is it a manual process?
- Evidence – Where is evidence stored and how long is it kept? Who oversees collecting it?
- Controls – Is there an internal controls program? Are controls tested?
- Training – What level of NERC training is offered to subject matter experts and all employees? How is it administered and maintained? What other forms of communication are used, and how frequently are they utilized? How does the Compliance Department communicate industry news to the correct personnel?
- Regulatory Oversight – Who is the Primary Compliance Contact (PCC) and Secondary Compliance Contact (SCC)? How are audits, self-certifications, and NERC Alerts managed within your organization? How are RSAWs maintained?
- Monitoring – How are potential violations and self-logs/self-reports managed? Is there a formal inquiry and investigation process? Does the compliance program implement any form of compliance assurance monitoring?
- Risk – Is there a process to rank the risk of violating the NERC standards? How does the assessment of that risk impact the rest of the compliance program?
Other Helpful Tips
Every NERC registered entity is assigned to one Regional Entity, or may be registered in more than one region if the criteria warrant. Some compliance oversight activities are implemented or interpreted a little differently in each region. The Reliability Standards, however, are the same across all regions. Information acquired from neighboring Regional Entities is credible and useful to organizations that are registered in multiple regions. Even if this scenario does not apply to your organization, I encourage you to review other Regional Entities’ websites (ReliabilityFirst, SERC Reliability Corporation, Texas RE, Western Electricity Coordinating Council, and Northeast Power Coordinating Council) for training offerings, to subscribe to their newsletters, and to explore what else they have to offer. In addition, I recommend the following:
- Have a question? Ask your compliance peers from outside your organization, ask MRO at [email protected], or ask the CMEPAC at [email protected].
- At a minimum, read the ERO Enterprise Informational Package.
- Get involved! Join industry committees, working groups, mailing lists, etc. For example, the Mid-Continent Compliance Forum (MCCF) hosts compliance information and presentations from past forums. Also, MRO’s NERC Standards Review Forum (NSRF) is highly engaged in the development of NERC Reliability Standards. The NSRF holds discussions on Wednesday mornings, and anyone can participate.
- Participate in education and training opportunities, either in person or online. NERC and the MRO, as well as the other Regions, offer lots of free webinars.
- Read, read, read!
- Take plenty of notes. OneNote is an excellent and readily available tool for notetaking.
- Be patient! Becoming a fully functioning NERC compliance professional takes time and experience.
As you can see, there is no shortage of things to learn about in the world of NERC compliance. In fact, even after over 10 years in a compliance role, I am still learning something new every day. Hopefully, this article serves as a starting point for those individuals that are new to NERC compliance or those responsible for onboarding a new NERC professional. This is not a comprehensive list; it is simply an effort to organize some of the many resources that are available for compliance professionals.
– Theresa Allard, Compliance Manager at Minnkota Power Cooperative and MRO CMEP Advisory Council member
ABOUT THE AUTHOR
Theresa Allard is the NERC Compliance Manager at Minnkota Power Cooperative (MPC), a generation and transmission cooperative that serves eastern North Dakota and northwestern Minnesota. Allard became involved in NERC Compliance in 2010 as a Compliance Coordinator and has been the Compliance Manager since 2015. She is responsible for implementing MPC’s NERC Compliance Program, which includes oversight of both the Critical Infrastructure Protection (CIP) program and Operations and Planning standards. Allard is currently a member of the MRO CMEPAC. She earned a Bachelor of Science in Industrial Technology from the University of North Dakota and has been a member of the Minnkota team since 2007. In her free time, Allard enjoys traveling, hanging out with friends and family, and outdoor activities such as running, golfing, kayaking, and camping.
MRO is committed to providing non-binding guidance to industry stakeholders on important industry topics. Subject matter experts from MRO’s organizational groups have authored some of the articles in this publication, and the opinion and views expressed in these articles are those of the author(s) and do not necessarily represent the opinions and views of MRO.