Risk-based Compliance Monitoring and Enforcement Program

The Compliance Monitoring and Enforcement Program (CMEP) is implemented based on several considerations, including risk factors and registered entity management practices related to the detection, assessment, mitigation, and reporting of noncompliance. A risk-based approach is necessary to allocate resources correctly and to encourage registered entities to enhance internal controls, including those focused on the self-identification of noncompliance. Inherent Risk Assessments and Internal Controls Evaluations are key components in the risk-based approach to compliance monitoring.

Inherent Risk Assessments

The Inherent Risk Assessment (IRA) is a review of potential risks posed by an individual registered entity to the reliability of the bulk power system (BPS). To complete the IRA, SERC must identify and aggregate each registered entity’s risk factors and consider the risks’ potential impact to BPS reliability. The ERO Enterprise Guide for Compliance Monitoring describes the process Compliance Enforcement Authorities (CEAs) use to assess inherent risk of registered entities and serves as a common approach for NERC and the six Regional Entities (REs) for implementing and performing an IRA.



Self-logging is open to all registered entities that qualify. If SERC approves a registered entity for self-logging, the entity may log self-identified minimal risk issues of noncompliance and submit the log to SERC (every three months.) Self-logged minimal risk issues are presumed to be appropriate for disposition as compliance exceptions.

To apply for the Self-Logging Program, interested registered entities should complete the Entity Request for Evaluation of Eligibility for Self-Logging Privileges application, and submit it to SERCComply@serc1.org. During the application process, the registered entity must provide detailed information regarding its ability to identify noncompliance and risks to reliability in general, assess the risk posed by identified issues, and implement and track corrective actions. SERC also considers other relevant factors that are explained in more detail in the application and SERC’s Procedure for Self-Logging Minimal Risk Instances of Noncompliance.

After evaluating a registered entity’s application, SERC provides the registered entity with a report detailing the basis for granting or denying self-logging privileges. SERC may grant self-logging privileges on a requirement-by-requirement basis, or by program (i.e., Critical Infrastructure Protection or Operations and Planning). The SERC report also provides feedback on how the registered entity can gain the ability to Self-Log, if initially denied, including the considerations that led to denial.

If SERC grants self-logging privileges, SERC provides training in risk assessment to the registered entity. In addition, a registered entity granted self-logging privileges is required to create, train appropriate staff on, and maintain an internal self-logging procedure that governs the creation, maintenance, and submittal of logs to SERC.

Compliance Exception

Minimal risk noncompliance is eligible for processing as a Compliance Exception regardless of the discovery method.  In determining that a minimal risk issue is eligible, SERC considers whether the mitigation activity performed or planned is appropriate to resolve the noncompliance and prevent recurrence.  When SERC determines that an issue will be treated as a Compliance Exception, SERC provides information regarding the issue to NERC and FERC. 

Find, Fix and Track (FFT)

The Find, Fix, and Track (FFT) program is a processing mechanism that the REs can use to resolve lower-risk issues efficiently. SERC evaluates moderate risk issues, especially noncompliance that registered entities self-identify using internal controls, as candidates for FFT treatment. The FFT program encourages registered entities to continuously self-monitor their compliance with NERC Reliability Standards, and to self-report Possible Violations.

Quick Links