Risk-based Compliance Monitoring and Enforcement Program

The Compliance Monitoring and Enforcement Program (CMEP) is implemented based on several considerations, including risk factors and registered entity management practices related to the detection, assessment, mitigation, and reporting of noncompliance. A risk-based approach is necessary to allocate resources correctly and to encourage registered entities to enhance internal controls, including those focused on the self-identification of noncompliance. Inherent Risk Assessments and Internal Controls Evaluations are key components in the risk-based approach to compliance monitoring.

Inherent Risk Assessments

The Inherent Risk Assessment (IRA) is a review of potential risks posed by an individual registered entity to the reliability of the bulk power system (BPS). To complete the IRA, SERC must identify and aggregate each registered entity’s risk factors and consider the risks’ potential impact to BPS reliability. The ERO Enterprise Inherent Risk Assessment Guide describes the process Compliance Enforcement Authorities (CEAs) use to assess inherent risk of registered entities and serves as a common approach for NERC and the eight Regional Entities (REs) for implementing and performing an IRA.

Internal Controls Evaluation

The Internal Controls Evaluation (ICE) is a voluntary process to determine the focus and selection of appropriate tools the Regional Entity should use under the CMEP. In an effective program, a registered entity’s internal control components work together to provide reasonable assurance of compliance with mandatory NERC Reliability Standards. The ERO Enterprise Internal Control Evaluation Guide describes the common ERO Enterprise process for evaluating internal controls. Many elements described in this Guide may be part of current compliance monitoring activities. The Guide will assist SERC in identifying and considering existing registered entity risk mitigation practices (commonly referred to as internal controls) in the development of the CEA’s oversight plan for that registered entity. The ICE process is part of the overall Risk-Based Compliance Oversight Framework.

Self-Logging

Self-logging was previously a pilot program under the Reliability Assurance Initiative (RAI). Self-logging is now open to all registered entities that qualify. If SERC approves a registered entity for self-logging, the entity may log self-identified minimal risk issues of noncompliance and submit the log to SERC periodically (initially every three months). Self-logged minimal risk issues are presumed to be appropriate for disposition as compliance exceptions.

To apply for the Self-Logging Program, interested registered entities should complete the Entity Request for Evaluation of Eligibility for Self-Logging Privileges application, and submit it to SERCComply@serc1.org. During the application process, the registered entity must provide detailed information regarding its ability to identify noncompliance and risks to reliability in general, assess the risk posed by identified issues, and implement and track corrective actions. SERC also considers other relevant factors that are explained in more detail in the application and SERC’s Procedure for Self-Logging Minimal Risk Instances of Noncompliance.

After evaluating a registered entity’s application, SERC provides the registered entity with a report detailing the basis for granting or denying self-logging privileges. SERC may grant self-logging privileges on a requirement-by-requirement basis, or by program (i.e., Critical Infrastructure and Protection or Operations and Planning). The SERC report also provides feedback on how the registered entity can earn or expand the scope of self-logging privileges in the future.

If SERC grants self-logging privileges, SERC provides training in risk assessment to the registered entity. In addition, a registered entity granted self-logging privileges is required to create and maintain an internal self-logging procedure that governs the creation, maintenance, and submittal of logs to SERC.

Compliance Exception

Minimal risk noncompliance is eligible for processing as a Compliance Exception regardless of the discovery method. In determining that a minimal risk issue is eligible, SERC considers whether the mitigation activity performed or planned is appropriate to resolve the noncompliance and prevent recurrence. When SERC determines that an issue will be treated as a Compliance Exception, SERC provides information regarding the issue to NERC and FERC.

Find, Fix and Track (FFT)

The Find, Fix, and Track (FFT) program is a processing mechanism that the REs can use to resolve lower-risk issues efficiently. SERC evaluates moderate risk issues, especially noncompliance that registered entities self-identify using internal controls, as candidates for FFT treatment. The FFT program encourages registered entities to continuously self-monitor their compliance with NERC Reliability Standards, and to self-report Possible Violations.
