Skip to content

Manitoba Hydro’s Compliance Oversight Review Initiative Contributes to Reliability Excellence

In 2021, staff in the compliance section at Manitoba Hydro began to look at ways to identify the NERC reliability standards that were at the highest risk and most frequently violated at the provincial utility.

The aim of the exercise was simple: Manitoba Hydro needed to correct and deter non-compliance of NERC reliability standards. From this goal, staff developed a targeted oversight strategy with the primary objective to plan and schedule smaller periodic compliance reviews for the applicable areas of Manitoba Hydro, and more specifically, to gain reasonable assurance that Manitoba Hydro has sustainable compliance processes and procedures.

Other key objectives included:

  • Identifying existing and future internal controls
  • Self-identifying and mitigating reliability risks and compliance issues
  • reducing the burden for audit preparation by identifying audit requests from MRO that may be difficult to fulfill and by having staff become familiar with audit requests
  • Implementing a continuous monitoring process that reinforces a culture of compliance as reliability standards are examined on a more frequent basis rather than every few years
  • Improving reliability, security and tracking
  • Implementing recommendations by MRO from an MRO audit, spot-check, guided self-certification, self-report, periodic data submittal, or as a random check in response to operating problems or system events
  • Informing the risk-based approach for developing registered entity oversight and monitoring
  • Building a knowledge base and trust both within the organization and with Manitoba Hydro’s regulators
  • Addressing new or new versions of reliability standards before they become effective
  • Improving communication with stakeholders and owners prior to audits by MRO

This oversight strategy became Manitoba Hydro’s standards compliance oversight plan and documented the methodology in selecting the NERC reliability standards that would be recommended for a quarterly review by the compliance department.

What were the performance considerations?

Manitoba Hydro’s standards compliance oversight plan evaluated applicable NERC reliability standards to assess which of these standards should be scheduled to be periodically reviewed. To make this determination, a review of standards and requirements identified in the following areas was made:

  1. Electric Reliability Organization (ERO) Enterprise High-Risk Standards. A specific listing of the current high-risk reliability standards at risk for non-compliance, the corresponding requirements, responsible entities, and asset types are identified for each high-risk element.
  2. High-Population Reliability Standards[1]. Reliability Standards which require entities to manage large populations of items and associated data. Standards identified here remain consistent unless a new Standard is developed.
  3. MRO Compliance Severity Index (CSI)[2]. Created by MRO to measure the risk of noncompliance to reliability over time. The CSI is calculated using the risk determination and discovery method for each potential noncompliance (PNC). CSI represents the total risk that all instances of non-compliance present to the reliability and/or security of the bulk power system in the MRO region.[3]
  4. ERO Compliance Monitoring and Enforcement Program (CMEP) Activities and Risk Analysis – Risks in Aggregate[4]. MRO’s evaluation of aggregated risk considered for oversight identifies any critical reliability standards that, when evaluated across multiple low inherent risk registered entities, rise to a level that supports active monitoring.
  5. Internal Self-logged Possible Violations.Manitoba Hydro’s self-log data from the last three years.
  6. Standards Identified by Reliability Compliance Team. Identification of standards or areas of risk resulting from internal discussions among the compliance team during regular program meetings and updates.

In addition, the following areas were examined, in part to avoid duplication of scope or similar review efforts by other groups. This data was not used as the main driver in the overall analysis of reliability standards selected for review, and included:

  1. MRO Spot-Check Requests. Manitoba Hydro’s scope for the last three engagements.
  2. Self-Certification Requests[5]. Manitoba Hydro’s scope for the last three engagements, including a review of the most current MRO self-certification schedule.
  3. MRO Direct Audit Requests. Manitoba Hydro’s MRO audit scope for the last three engagements.
  4. Internal Audit Requests (IAR). Manitoba Hydro’s scope for the last three engagements.
  5. NERC GridEx[6]. Data for years Manitoba Hydro participated in this grid security and resilience exercise.
  6. NERC Alerts[7]. Recent NERC Alerts that have been issued as either an industry advisory or a recommendation to industry or essential action because of a discovery, identification, or information that is critical to ensuring the reliability of the bulk power system in North America.

What was the review scope?

A comprehensive review of performance considerations 1-6 and a comparative review of performance considerations 7-12 for reliability standards with the highest prevalence, identified across multiple categories of high-risk, was completed. The reliability standards captured in this selection reflected areas of non-compliance for potential review by the compliance department. From this listing, the compliance team selected one Operations & Planning standard and one Critical Infrastructure Protection (CIP) cyber security standard and requirement to review together during each applicable calendar quarter. This approach was also done in part to prevent overtaxing stakeholders, as only a single standard in each category was reviewed at one time. A review frequency of three calendar quarters per calendar year was also selected to avoid possible overlap with audits by MRO and give stakeholders an opportunity to catch their breath! The plan was dynamic and changed as new information on standards or requirements became available.

What was the review process?

Stakeholders were sent detailed letters of engagement outlining the scope of the review, roles and responsibilities, structure of the data requests, and the evidence request and evidence review schedule prior to each review. The compliance team then determined and issued separate requests for information (RFIs) for both the Operations & Planning and the CIP cyber security standard/requirement under review.

The Operations & Planning request was sent to the standard owner of the applicable standard/requirement under review. The RFI was based on guidance from Reliability Standard Audit Worksheets (RSAWs) that are provided by NERC. The requested information focuses on processes, procedures, and internal controls and includes data sampling if deemed appropriate.

A similar process was followed for the CIP cyber security standard/requirement under review except the RFI was issued to applicable CIP Asset Owner(s). All CIP requests considered the newest NERC and MRO RFIs from the NERC Evidence Request Tool (ERT), where applicable and the sampling request involved requesting asset inventories applicable to the requirement being reviewed (cyber assets, sites, repositories, etc.).

Once stakeholder responses were completed and forwarded to the compliance team, the real work began to review evidence and establish recommendations. After reviewing the requested evidence and procedures, the compliance group identified two types of actions:

  • Required: These actions directly relate to compliance with the reviewed standard and requirement. They are required to ensure ongoing compliance with the standard, either to directly meet the standard requirements or to implement internal controls to protect against Possible Violations, including concerns to be actioned immediately.
  • Administrative: These actions include procedure updates or suggestions to improve evidence submissions. These actions enhance the overall quality of Manitoba Hydro’s procedures and evidence but are not required to meet the minimum level of compliance. A general procedure/controls review of all documentation provided as evidence was also evaluated for potential enhancement in addition to each sub-requirement.

Findings, recommendations, and area(s) of concern, as well as existing internal controls and those that could be developed in the future were documented in a final report issued by the compliance department to applicable stakeholders at the end of each quarter’s review.

Oversight review activities started and finished within each applicable calendar quarter.

How were recommendations tracked?

Following each review, an RFI was issued (using a Compliance Information Request (CIR) tool) to the standard owner or CIP Asset Owner(s) for resulting action items of significance documented in the final report. If a Possible Violation was discovered during the oversight review, it was addressed and tracked through the compliance department’s usual process.

When was the plan updated?

The internal standards compliance oversight plan review was intended to encompass the current calendar year. To ensure relevance and confirm the validity of the underlying assumptions and principles, the plan is revisited annually, or as new reliability and security risks are identified or if Manitoba Hydro experiences significant changes or assumes new compliance responsibilities. Prior to each applicable quarter review, a check with other CMEP activities (internal audit, self-cert, MRO audit) is initiated after the plan is finalized by the compliance department, and if duplicated scope is performed, the plan is modified accordingly. 

Final Comments

Since its inception in 2021, Manitoba Hydro has successfully completed multiple compliance oversight reviews. Various stakeholder groups throughout Manitoba Hydro are involved in the corporation’s efforts to manage its compliance obligations with the NERC reliability standards. These include standard and requirement owners, CIP Asset Owners, compliance contacts, and task owners, who are responsible for maintaining documentation and performing essential processes and procedures required to actively maintain compliance with the standards. Each of these groups ensure that compliance reviews are conducted efficiently and adhered to the proposed timelines in the plan. This assistance entails the provision of documentary information and responses to oversight inquiries as needed or if requested. The compliance team aspires to coordinate this work to minimize any disruption of work schedules, and the outcome of this coordination is valuable in identifying and addressing reliability gaps and improving compliance evidence quality for future external audit submissions.

This initiative could not have been possible, or successful, without the valuable contributions of the compliance team at Manitoba Hydro (Duane Franke, Nazra Gladu, Ray Armstrong, Jay Sethi), management (Dawn Nedohin-Macek, Daryl Maxwell, Tony Clark, Reliability Compliance Steering Committee Members) and the many standard and requirement owners, CIP Asset Owners, task owners and compliance contacts, whose day to day focus is ensuring reliable energy for all Manitoban’s. Thank you!

We must remember that compliance is the servant of reliability, which means that compliance should be a natural outcome of robust processes that deliver reliable energy to our customers. By identifying gaps and strengthening our internal controls, programs, processes and procedures, we all play a small part in ensuring the reliable operation of the electric system.

If you have questions, comments or suggestions for us, we would be happy to hear from you. Please contact me at [email protected] or by telephone at 204-360-5310. 

– Nazra Gladu, Manitoba Hydro 

MRO is committed to providing non-binding guidance to industry stakeholders on important industry topics. Subject matter experts from MRO’s organizational groups have authored some of the articles in this publication, and the opinion and views expressed in these articles are those of the author(s) and do not necessarily represent the opinions and views of MRO.

[1] Midwest Reliability Matters dated December 2019, “Managing High-Population Standards”, Flink, Adam, Senior Risk Assessment and Mitigation Engineer and Flanery, Mark, Risk Assessment and Mitigation Principal, pp.9-11

[2] Prior to 2023 referenced the MRO Regional Risk Assessment (RRA)

[3] After 2023 referenced the biannual publication of the Quarterly CMEP Summary Report

[4] MRO Regional Reliability Assessment, ERO CMEP Activities and Risk Analysis

[5] MRO Self-Certification Schedule and Timeline

[6] Biennial grid security and resilience exercise, hosted by NERC’s Electricity Information Sharing and Analysis Center (E-ISAC),

[7] NERC website, About Alerts; Alerts