Reminders for entities submitting self-reports and mitigation activities

By Joe Pilch, Senior Analyst, Risk Analysis & Mitigation

 

Are you interested in saving your company valuable time and resources? Here are some things to keep in mind the next time you must report a potential noncompliance of the NERC Reliability Standards to your Compliance Enforcement Authority (CEA). They can expedite the process and reduce delays.

The NERC Reliability Standards exist to ensure the stable and reliable operation of the Bulk Electric System (BES), where compliance is essential to maintaining the security of the grid and avoiding costly disruptions. However, even the most diligent organizations can occasionally fall short. When noncompliance occurs, entities should self-report the potential noncompliance to their regional CEA. One of the most important aspects of a case is the accompanying mitigation activities, which demonstrate that the noncompliance has been remediated and that sufficient internal controls have been established to prevent future occurrences of similar issues.

Provided below are several elements that should be included in every self-report and attributes of quality mitigation activity evidence submittals.

Self-Report Descriptions

Self-reports are submitted via the Align web application and should provide a clear and concise description of the violation, which includes but is not limited to:

• the specific NERC standard and requirement violated

• relevant facts, including the circumstances surrounding the event

• the root cause of the noncompliance

• potential impact on the BES

• any immediate mitigating actions taken

• applicable dates and times (e.g., discovery date, violation start/end dates)

Ambiguous or vague reporting can lead to extended delays in the assessment process by necessitating additional Requests for Information (RFIs), consuming additional resources for both the entity and the CEA.

Mitigation Activities and Associated Evidence

In addition to self-reporting potential violations, the entity must submit mitigating activities and retain evidence demonstrating the completion of said activities for potential upload and verification. Effective mitigation not only corrects the immediate issue (remediating act) but also ensures that similar instances do not occur in the future (preventive acts). It is critical to identify and address the root cause of the violation to prevent recurrence. Mitigation may also involve the creation of corrective or detective controls. When submitting mitigation activities and the associated evidence, consider the following:

  1. An explicit mitigation activity must be established in Align that captures the steps taken to correct the noncompliance and timeframe in which the activity will be completed, if not already completed.
    a. If a test was missed – a mitigation activity must demonstrate that the test was subsequently completed.
    b. If Protection System settings were incorrect – a mitigation activity must demonstrate that the settings were corrected.
  2. All mitigation activities must clearly identify when the associated actions will be or were performed.
    a. If training was provided – the training date can be shown via signed training rosters or learning management system (LMS) time stamp.
    b. If a procedure or policy was updated – a revision history block can be included showing the date on which the new procedure was released and the reason for its update.
  3. All provided evidence must clearly demonstrate how it supports the mitigation activity. Entity staff is most familiar with their evidence and how it relates to mitigation, and thus something readily apparent to entity SMEs may not be obvious to external SMEs (RF staff) on review. Pointing to or explaining certain evidence uploads and how they map to milestones is beneficial for both parties interested in resolving the case.
    a. It may be appropriate to create a cover sheet for evidence that provides additional context. This could include providing the business purpose of the document, explaining if the document is periodically updated or if it is event driven, identifying business units who created or use the document, describing which specific sections of the document are applicable to the mitigation activity, etc.
    b. It may be appropriate to annotate the evidence with boxes, arrows, highlights, or a combination thereof to direct the attention of the CEA to the pertinent section or part of the documentation and how it relates to a specific mitigation activity.

Self-reporting noncompliance is a critical part of maintaining reliability across the BES. By fulfilling these expectations, entities can not only effectively mitigate the impact of noncompliance but also enhance the overall resiliency of the grid.