Risk-based Compliance Monitoring and Enforcement
The Reliability Assurance Initiative (RAI) program was the Electric Reliability Organization's (ERO) strategic initiative to transform the current compliance and enforcement program into one that is forward-looking, focuses on high reliability risk areas and reduces the administrative burden on Registered Entities. Since RAI was completed in 2014, the programs generated by RAI are now referred to as Risk-Based Compliance Monitoring and Enforcement or simply Risk-Based Compliance.
This page provides stakeholders with links to helpful information about Risk-Based Compliance and will be updated as additional materials become available.
Risk-Based Compliance shifts the regulatory paradigm. Please see these diagrams for graphical illustrations of the shift.
Note: The Inherent Risk Assessment (IRA) process may result in a reduced scope, but may, in some cases, result in an expanded scope.
Risk-Based Compliance Monitoring
Currently, SPP RE is performing an IRA for Registered Entities that have an upcoming audit. Over the next two years, SPP RE will perform an IRA for the remaining Registered Entities. The IRA process transitions away from a "one size fits all" approach to risk-based compliance oversight framework. See slide 8 for timing.
A Registered Entity should notify SPP RE if it has a material change in its assets and/or footprint. These changes could initiate a re-evaluation of the Registered Entity's IRA.
- Overview of the ERO Enterprise's Risk-Based Compliance Monitoring and Enforcement Program
- Visual Overview of the ERO Enterprise's Risk-Based CMEP
- NERC Risk Elements Guide for Development of the 2015 CMEP IP
- 2015 ERO Compliance Monitoring and Enforcement Implementation Plan (for SPP specific elements see Appendix A6, page 59)
- ERO Enterprise Inherent Risk Assessment Guide
- SPP RE's Inherent Risk Assessment Overview
- SPP RE Entity Risk Assessment Questionnaire
Internal Control Evaluation (ICE)
ICE is an optional process for Registered Entities – not mandatory. When the auditor has reasonable assurance that internal controls (including internal assessments) are functioning to protect reliability, the auditor may scale back testing of documentation for those individual standards. An ICE review may be tied to the audit schedule (slide 8), or may be requested outside of the audit schedule.
Self-Logging of Minimal Risk Issues
The NERC guidance document for self-logging, ERO Enterprise Self-Logging Program, was issued May 20, 2015.
The self-logging program allows Registered Entities that have demonstrated effective management practices to keep track of minimal risk noncompliance (and their mitigation) on a log that is periodically submitted to SPP RE.
To request participation in the self-logging program, or if you have any questions concerning self-logging, please email firstname.lastname@example.org.