Internal Compliance Program Assessment

CONTACT INFORMATION

Entity Name: / Click here to enter text. /
NERC # Registry ID: / Click here to enter text. /
Primary Compliance Contact Name: / Click here to enter text. /
Primary Contact Title: / Click here to enter text. /
Office Phone: / Click here to enter text. /
Cell Phone: / Click here to enter text. /
Email: / Click here to enter text. /
Alternate Compliance Contact Name: / Click here to enter text. /
Alternate Compliance Contact Title: / Click here to enter text. /
Office Phone: / Click here to enter text. /
Cell Phone: / Click here to enter text. /
Email: / Click here to enter text. /
Authorizing Entity Officer Name: / Click here to enter text. /
Authorizing Entity Officer Title: / Click here to enter text. /
Mailing address (Not a P.O. Box): / Click here to enter text. /
Telephone: / Click here to enter text. /
Email: / Click here to enter text. /

WECC Compliance Monitoring and Enforcement Program

Internal Compliance Program Self-Assessment Version 2.0 12/3/12


TABLE OF CONTENTS

PURPOSE

INSTRUCTIONS

SURVEY QUESTIONS

1. Established Formal Internal Compliance Program

2. Well Documented and Widely Disseminated

3. Officers/Personnel

4. Independent Access to Executives

5. Independently Managed

6. Resources

7. Leadership Support

8. Program Evaluation and Modification

9. Compliance Training

10. Self-Audit

11. Enforcement

12. Internal Controls

13. Risk Assessment

AUTHORIZATION

APPENDIX A: Selected Example ICP Practices


PURPOSE

The WECC Internal Compliance Program Assessment (ICPA) is a tool to help entities assess their internal compliance programs. The ICPA will assist WECC in its review and understanding of the programs that entities have implemented to ensure compliance with the NERC Reliability Standards. The ICPA is:

  • Based on relevant FERC orders, FERC direction, and WECC and NERC experience related to robust internal compliance programs.
  • Composed of questions designed to focus on various aspects of an entity’s program.
  • Designed to prompt an entity to identify and gather specific, relevant information related to its internal compliance program.
  • Adaptable to allow for the unique constraints of smaller entities, as well as flexible enough to recognize distinct characteristics across the variety of programs.

INSTRUCTIONS

  1. For each question below, choose the statement that best describes the responsible entity’s current status.
  2. Please attach supporting documentation or provide associated page numbers and paragraph references within the ICP, and submit this completed package to WECC.

For example, this documentation package may include, but not be limited to:

  • Organizational charts
  • Internal plans, policies, processes and/or procedures
  • Emails
  • Training manuals
  • PowerPoint presentations with associated attendance rosters
  • ICP workshops; and/or
  • Computer Based Training modules.

Note: For the purposes of this document, “compliance program(s)” refers to programs concerned with compliance with NERC Reliability Standards.


SURVEY QUESTIONS

1. Established Formal Internal Compliance Program

Is the ICP an established, formal program? For example, does the ICP contain fully documented plans, policies, processes and/or procedures, internal controls, and other systematic preventive measures for the governance and management of compliance with NERC Reliability Standards?

Note: See Appendix A for example practices.

Choose the statement that best describes the ICP:

☐ / NO / The ICP does not have any documented plans, policies, processes and/or procedures, internal controls, and other systematic preventive measures.
☐ / PARTIAL / The ICP has some documented plans, policies, processes and/or procedures, internal controls, and other systematic preventive measures, but does not address all.
☐ / YES / The ICP has well documented plans, policies, processes and/or procedures, internal controls, and other systematic preventative measures.

Describe, in narrative form, how the entity documents its ICP:

Click here to enter text.

Please provide supporting evidence. Examples of supporting evidence may include one or more of the following or equivalent:

  • The entity’s ICP document(s)
  • Plans, policies, processes and/or procedures, internal controls, and other systematic preventive measures associated with the entity’s governance and management of compliance with NERC Reliability Standards
  • Other documented processes and/or procedures as applicable

Applicable Document(s), Page and Section / Date and/or Version
Click here to enter text. / Click here to enter text.

2. Well Documented and Widely Disseminated

Does the ICP require communication to all employees, including contractors and vendors, etc.? Has the ICP (i.e., all plans, policies, processes and/or procedures) been widely disseminated throughout the entity?

Choose the statement that best describes the ICP:

☐ / NO / The ICP has not been distributed.
☐ / PARTIAL / The ICP has been distributed only to the employees that are involved in the development and implementation of the ICP.
☐ / PARTIAL / The ICP has been distributed only to the employees that have a direct responsibility for compliance with the NERC Reliability Standards.
☐ / YES / The ICP has been distributed to all employees, and, if applicable, to contractors and vendors.

Describe, in narrative form, how the entity disseminates the ICP to all appropriate relevant employees, including contractors and vendors:

Click here to enter text.

Please provide supporting evidence. Examples of supporting evidence may include one or more of the following or equivalent:

  • Compliance Training Program
  • Compliance Communications Program
  • Website samples
  • Sample e-mail memos, newsletters, etc.

Applicable Document(s), Page and Section / Date and/or Version
Click here to enter text. / Click here to enter text.

3. Officers/Personnel

Has the entity named and staffed a Compliance Officer, FERC/NERC Director, or additional FERC/NERC personnel as required to support its ICP?

Smaller Entities: A smaller entity may not have sufficient staff to dedicate one employee as a full-time Compliance Officer or FERC/NERC Director. In such cases, has the entity assigned one person the responsibility to coordinate or monitor the entity’s compliance responsibilities?

Choose the statement that best describes the ICP:

☐ / NO / The entity has not identified or assigned compliance responsibility and accountability to a Compliance Officer, FERC/NERC Director/Manager, or other high-ranking official.
☐ / PARTIAL / The entity has identified and assigned responsibility for some compliance activities to various employees throughout the organization.
☐ / YES / The entity has identified and assigned responsibility and accountability to a Compliance Officer or other high-ranking official, FERC/NERC Director/Manager, and additional personnel as required. For larger organizations, at least one position is fully dedicated to FERC/NERC compliance. For smaller organizations, at least one position is partially dedicated to FERC/NERC compliance. Below, provide the name(s) and title(s) of the employee(s) currently staffing this/these position(s).
Name(s): / Click here to enter text.

Describe, in narrative form, how the entity has assigned compliance responsibility in the organization:

Click here to enter text.

Please provide supporting evidence. Examples of supporting evidence may include one or more of the following or equivalent:

  • Compliance Organizational Chart
  • Defined Roles and Responsibilities assigned to entity personnel for each NERC Reliability Standard identified in Item 2 above

Applicable Document(s), Page and Section / Date and/or Version
Click here to enter text. / Click here to enter text.

4. Independent Access to Executives

Does the assigned compliance official(s) have independent access to the CEO or equivalent and/or Board of Directors?

Note: If your entity does not currently have an assigned compliance official, please answer “NO” to this question.

Choose the statement that best describes the ICP:

☐ / NO / The entity’s assigned compliance official does not have independent access to the CEO or equivalent and/or Board of Directors.
☐ / YES / The entity’s assigned compliance official has independent access to the CEO and/or Board of Directors.

Describe, in narrative form, how the entity provides independent access to the CEO or equivalent and/or Board of Directors for its employee(s) responsible for compliance:

Click here to enter text.

Please provide supporting evidence. Examples of supporting evidence may include one or more of the following or equivalent:

  • Organizational chart or plan showing independent access
  • Sample meeting minutes, notes, agendas, emails, etc., showing independent access to senior management

Applicable Document(s), Page and Section / Date and/or Version
Click here to enter text. / Click here to enter text.

5. Independently Managed

Is the ICP operated and managed so it is independent of those responsible for compliance with the NERC Reliability Standards?

Smaller Entities: A smaller entity may not have the available personnel to manage its ICP separately from the work groups that are responsible for complying with NERC Reliability Standards. In such cases, those personnel responsible for compliance should at minimum have independent access to the company’s assigned compliance official, the CEO or equivalent, and/or the Board of Directors (see item 5 above).

Choose the statement that best describes the ICP:

☐ / NO / The ICP is not managed or operated independently of the work groups that are responsible for complying with NERC Reliability Standards.
☐ / PARTIAL / The ICP is managed by the work groups that are responsible for complying with NERC Reliability Standards, but it is managed independently.
☐ / YES / The ICP is managed and operated independently of the work groups that are responsible for complying with NERC Reliability Standards.

Describe, in narrative form, how the entity independently manages its ICP:

Click here to enter text.

Please provide supporting evidence. Examples of supporting evidence may include the following document or equivalent:

  • Organizational chart or plan which shows how the program is independently managed
  • For smaller entities, please provide applicable documentation

Applicable Document(s), Page and Section / Date and/or Version
Click here to enter text. / Click here to enter text.

6. Resources

Has the entity dedicated resources (staff and budget) to support its ICP?

Choose the statement that best describes the ICP:

☐ / NO / The entity’s budget does not provide for any staff resources to work on compliance with NERC Reliability Standards.
☐ / PARTIAL / The entity has provided for staff resources within its budget but cannot demonstrate that staff resources were allocated to compliance with NERC Reliability Standards.
☐ / YES / The ICP is fully budgeted and fully or partially staffed (relative to the number of full time equivalent staff that implements the Reliability Standards) on a year-round basis.

Describe, in narrative form, the support the entity allocates to its ICP:

Click here to enter text.

Please provide supporting evidence. Examples of supporting evidence may include the following document or equivalent:

  • Organizational chart or plan which shows compliance roles and responsibilities and how they are staffed

Applicable Document(s), Page and Section / Date and/or Version
Click here to enter text. / Click here to enter text.

7. Leadership Support

Does the ICP have the support and participation of senior management (Officer Level)? This includes reviewing compliance reports, participating in compliance meetings, and communicating the importance of compliance to entity personnel on a regular basis.

Choose the statement that best describes the ICP:

☐ / NO / Senior management does not actively support or routinely participate in the ICP.
☐ / PARTIAL / Senior management reviews compliance reports, participates in compliance meetings, and communicates to employees their commitment to compliance at least semi-annually.
☐ / YES / Senior management is actively involved in compliance efforts, reviews compliance reports, participates in compliance meetings, and communicates to employees its commitment to compliance frequently, both formally and informally. Compliance activities occur at least quarterly.

Describe, in narrative form, the support the ICP receives from the entity’s Officer Level leadership:

Click here to enter text.

Please provide supporting evidence. Examples of supporting evidence may include one or more of the following or equivalent:

  • Samples of Senior Management Communications for the past 12 months
  • Samples of Compliance meeting agendas for the past 12 months
  • Samples of Compliance committee meeting minutes for the past 12 months
  • Samples of relevant e-mail memos, newsletters, etc. for the past 12 months
  • Description of management review/approval process and/or procedure

Applicable Document(s), Page and Section / Date and/or Version
Click here to enter text. / Click here to enter text.

8. Program Evaluation and Modification

Does the entity regularly review and modify its ICP? This includes a process and/or procedure to trigger a review of the ICP either following a violation or following changes to NERC Reliability Standards, and modifying the ICP, if necessary. Does the ICP contain a process and/or procedure for identifying and updating its list of NERC Reliability Standards applicable to the entity?

Choose the statement that best describes the ICP:

☐ / NO / The ICP does not have an identified review cycle or a process and/or procedure to trigger a review. The ICP does not have a list of NERC Reliability Standards applicable to the entity or a process and/or procedure to identify and update that list.
☐ / PARTIAL / The ICP does not specify a review cycle; however, the entity has a process and/or procedure to trigger a review, or has reviewed and modified its ICP since the entity was registered. The ICP has a list of NERC Reliability Standards applicable to the entity but it does not have a process and/or procedure for updating its list.
☐ / YES / The ICP is reviewed on at least an annual cycle. In addition, the entity has a process and/or procedure to trigger a review either following a violation or following changes to NERC Reliability Standards. The ICP is modified as necessary. The ICP contains a process and/or procedure for identifying and updating its list of NERC Reliability Standards applicable to the entity.

Describe, in narrative form, how the entity reviews and modifies its ICP:

Click here to enter text.

Please provide supporting evidence. Examples of supporting evidence may include one or more of the following or equivalent:

  • ICP review and modification process and/or procedure
  • A sample of recent ICP reviews, including version control records
  • A plan or other document that lists NERC Reliability Standards that apply to the entity
  • A description of the process and/or procedure the entity follows to update this list when Standards change, as applicable
  • Version control records of the entity’s Reliability Standards lists

Applicable Document(s), Page and Section / Date and/or Version
Click here to enter text. / Click here to enter text.

9. Compliance Training

Does the ICP require compliance training for all entity staff, contractors and vendors who have direct responsibility for the implementation of the processes and/or procedures that demonstrate compliance with the NERC Reliability Standards? Relevant personnel may include but are not limited to: Subject Matter Experts (SMEs), Engineers, Technicians, Vegetation Management implementers and System Operators (as applicable). Does this training measure understanding through quizzes, exams, surveys, etc. consistent with a Registered Entity’s collective bargaining agreements?

Note: See Appendix A for example practices.

Choose the statement that best describes the ICP:

☐ / NO / The ICP does not require training for relevant personnel.
☐ / PARTIAL / The ICP requires training for personnel that have a direct responsibility for compliance with NERC Reliability Standards.
☐ / YES / The ICP includes detailed training for personnel, including contractors and vendors that have a direct responsibility for compliance with NERC Reliability Standards, including assisting personnel who must keep professional credentials up-to-date. Training also includes overview compliance awareness training for other employees that do not have a direct responsibility for compliance with NERC Reliability Standards. All training includes processes and/or procedures that measure the degree of understanding and comprehension of such Standards (quizzes, etc.), consistent with a Registered Entity’s collective bargaining agreements.

Describe, in narrative form, how the entity provides compliance training to all personnel, including contractors and vendors (see above):

Click here to enter text.

Please provide supporting evidence. Examples of supporting evidence may include one or more of the following or equivalent:

  • Compliance Training Program
  • Compliance Communications Program
  • Samples of training modules
  • Attendance records

Applicable Document(s), Page and Section / Date and/or Version
Click here to enter text. / Click here to enter text.

10. Self-Audit

Does the ICP include a formal, internal self-auditing process and/or procedure for compliance with all applicable NERC Reliability Standards on an annual basis? Are results reported internally?

Choose the statement that best describes the ICP:

☐ / NO / The ICP does not include an internal self-auditing and reporting process and/or procedure.
☐ / PARTIAL / Although the ICP includes a process and/or procedure for internal self-auditing and reporting, the entity does not self-audit and report on at least an annual basis.
☐ / YES / The ICP includes internal self-auditing and reporting for compliance on an annual basis for full compliance with all applicable NERC Reliability Standards. Audit results are reported and reviewed internally.

Describe, in narrative form, how the entity self-audits its ICP:

Click here to enter text.

Please provide supporting evidence. Examples of supporting evidence may include one or more of the following or equivalent:

  • ICP self-audit program
  • Sample of the audit reports or other results (past 12-24 months) – redacted if necessary

Applicable Document(s), Page and Section / Date and/or Version
Click here to enter text. / Click here to enter text.

11. Enforcement

Does the ICP include processes and/or procedures for disciplinary action for employees involved in violations of the Reliability Standards? Are available Human Resources (HR) disciplinary programs utilized as necessary? Is Senior Leadership or the Board involved as necessary? Conversely, does the entity’s ICP include employee compliance with NERC Reliability Standards as a performance factor on job descriptions and performance evaluations to encourage accountability?