Internal Controls: Spring cleaning to ensure critical controls and compliance steps are in place in 2024
By Courtney Fasca, Senior Technical Auditor, Operations & Planning Compliance Monitoring
In this recurring column, we dive into the world of internal controls – covering risks, common root causes, and mitigation efforts as well as conversation starters to help you on your controls journey. Controls are to help create and maintain a sustainable plan that keeps entities compliant and ahead of evolving risks. Our goal is to help highlight opportunities for control conversations and improvement and offer our insight and aid in your internal controls journey toward a more reliable electric grid.
While it may seem late, happy new year and welcome to 2024! A lot happened in 2023 – from the Internal Controls Workshop to the on-site winterization visits, it was one busy year. We talked about controls in everyday life, how people are the foundation of any strong internal controls program, and how your winterization efforts (and contractors) feed into your controls. But how do we ensure we’re ready for the new year?
As shown in the 2024 ERO Enterprise Compliance Monitoring and Enforcement Program Implementation Plan (CMEP IP), the ERO Enterprise is focusing on many of the same risks as last year, while adding physical security as a new risk element and expanding from a focus on cold weather response to extreme weather response (which also encompasses hot weather and space weather events).
What does this mean for you?
This means the risks from last year are still on the top of our minds – and it’s an opportunity for you too. Have you brushed up on your controls mitigating these risks, such as considering adding walk-downs of equipment when working on facility ratings? Have you reviewed and improved procedures to monitor remote access and disable remote access, leaning on better and best practices of your peers? Maybe this is the year to implement time limits that will disconnect remote sessions? Monitoring, verifying, and testing your existing controls – and making improvements – should be in your 2024 plans.
But as the risk landscape keeps evolving, there are also new areas of focus this year and we must stay on top of them. Reading the Enforcement Explained: Physical Security Common Failure Points article from Q1 2023 is a good place to start focusing your physical security risk mitigation efforts. Plus, there is the annual GridSecCon, which is being held Oct. 22-25 in Minneapolis this year. Attendees will be able to learn from cyber and physical security professionals about the threat landscape, effective mitigation programs, best practices and more. Registration will open in May, so mark your calendars!
What else can you do today? It’s almost spring – consider doing some spring cleaning of your controls!
Is there a calendar reminder set up for a critical control or compliance step? If the person managing that control goes on vacation or wins the lottery, will that task still be completed or caught in time? All those controls you designed and implemented last year – why not schedule a review with the SMEs who perform them, get their feedback, and test them to ensure they’re still in good working order? Spring-clean your risk assessment and risk register – it may be time to take another look to see if any of your risks have changed priority or, like the CMEP IP, maybe you find some new risks to flag this year.
Start up a 2024 resolution! Run through the list below and ask yourself, ‘how do we ensure…’ and fill in the blank (that will be a new control to capture).
Remote connectivity: How do we ensure vendor access gets disabled?
➡️ What triggers the need to disable access?
➡️ How do we monitor the triggers that call for disabling access?
➡️ How do we ensure these triggers are performing as expected and required?
Inverter-based resources: How do we maintain and manage our frequency and voltage protection?
➡️ How do we ensure protection settings are being checked and coordinated after any applicable changes (e.g., emergency repairs, construction, updates) that occur?
➡️ Is there a process to verify that appropriate follow-up actions are triggered after a change?
➡️ How do we ensure the frequency and voltage protection is set to prevent trips and momentary cessations within the “no trip zone”?
➡️ If we use contractors, how do we follow up and verify their work?
Facility ratings: How do we ensure our facility ratings reflect the current assets?
➡️ Are physical walk-downs conducted periodically – comparing and updating prints and other relevant documentation?
➡️ How do we ensure the ratings are still accurate after events (e.g., emergency repairs, construction)?
➡️ Is a risk-based approach used to identify the most critical facilities when determining the frequency of walk-downs?
Extreme weather response: How do we ensure the System models and GIC (geomagnetically-induced currents) System models are accurate?
➡️ Is the person responsible for maintaining the GIS (geographic information system) model identified along with the associated tasks?
➡️ Is there a trigger to ensure the tasks are completed in a timely manner?
➡️ Is there a qualified back-up SME identified who can perform the tasks?
➡️ How frequently are the facilities updated in the model?
➡️ How frequently are personnel trained to perform planned performance assessments?
➡️ Is there a process to do a quality check once the tasks are completed?
This is not an exhaustive list, and not all of these may apply, but these questions promote a sustainability mindset beyond just “do we meet the standard and requirement as stated?”
While 2023 may be behind us, 2024 marches on – and the ever-evolving risk landscape with it. Take some time to review the CMEP IP, increase your knowledge and reach out to others for improvement ideas, take a moment to review your controls while looking forward, and resolve (think: ‘how do we ensure…’) to improve even more in 2024.
If you’re still feeling a little nostalgic for 2023, try your hand at this crossword puzzle based on the 2023 internal controls newsletter articles! If you need a refresher, here are the links to last year’s articles:
• Innovative approach to Internal Controls Workshop (Q1 2023)
• People play an important role in growing the maturity of your internal controls program (Q2 2023)
• Internal controls reminders for the winter season (Q4 2023)