Ensuring Grid Security and Reliability

Copyright © 2012 by ScottMadden. All rights reserved. Ensuring Grid Security and Reliability A Generation and Transmission Cooperative Strategic Priority October 2012 Contact: Brad Kitchens ([email protected]) Marc Miller ([email protected]) Zach Milner ([email protected])

Upload: scottmadden-inc

Post on 11-May-2015


DESCRIPTION

In 2008, FERC gave NERC the power to establish mandatory Bulk Power System requirements for security and reliability, audit compliance and levy fines. Since then, NERC standards and requirements have grown, and are growing, especially Critical Infrastructure Protection (CIP) standards. How can cooperatives make sure their organizations meet these evolving demands and secure the grid while continuing to deliver reliable power? This ScottMadden insight is the third in a series on “Five Strategic Priorities for Generation and Transmission Cooperatives.” The report summary can be found here: http://www.scottmadden.com/insight/516/five-strategic-priorities-for-generation-and-transmission-cooperatives.html. For more information, please visit www.scottmadden.com.

TRANSCRIPT

Page 1: Ensuring Grid Security and Reliability

Ensuring Grid Security and Reliability

A Generation and Transmission Cooperative Strategic Priority

October 2012

Contact: Brad Kitchens ([email protected])

Marc Miller ([email protected])

Zach Milner ([email protected])

Page 2: Ensuring Grid Security and Reliability

Introduction

This ScottMadden insight is the third in a series on “Five Strategic Priorities for Generation and Transmission Cooperatives.”

Contents

Overview

Evolution of Rulemaking and Enforcement

Multiple Dimensions of Reliability

Effective Compliance Program Elements

Thinking Strategically

Contact Us

Managing Generation Assets

Ensuring Grid Security and Reliability

Gaining Access to Capital Markets

Improving the Effectiveness of Stakeholder Management

Fostering Economic Development

Page 3: Ensuring Grid Security and Reliability

Overview

In 2008, FERC gave NERC the power to establish mandatory bulk power system requirements for security and reliability and to audit compliance and levy fines. Since then, NERC standards and requirements have grown and are growing with Critical Infrastructure Protection (CIP) standards making up a significant part of that growth.

NERC Compliance Maturity Model (maturity level axis: High, Low)

Ongoing Compliance

• Continuous cycle (as standards evolve, procedures are updated and personnel are trained)

• Demonstrated culture of compliance

• Active regulatory relationships

Integration and Automation

• Requirements coordinated by all business units

• Documents managed electronically

• Workflow and metrics automated

Accountability

• Dedicated compliance organization established

• Individual standard owners assigned

Defined Processes

• Compliance requirements defined

• Mitigation activities established

CIP violations were eight of the top 10 from March 2010 to March 2011

Top companies are working to ensure that their organizations can evolve to meet changing NERC and FERC priorities

In 2012 and beyond, NERC will employ a risk-based approach to managing and improving reliability

— This risk-based approach will include a heavy focus on CIP standards

In addition to managing key reliability metrics, companies should also build a mature and effective compliance program

Compliance programs are most effective when they impact multiple dimensions of an organization, including:

— Standards Development

— Employee Training

— Risk Management

— Organizational Structure

— Compliance Processes

— Program Management

— Use of Technology

— Culture of Compliance

Rulemaking and Enforcement is Evolving

Page 4: Ensuring Grid Security and Reliability

Evolution of Rulemaking and Enforcement

Since 2008, the number of violations has increased, especially the number and proportion of violations related to CIP.

Rulemaking and Enforcement is Evolving: Cooperatives must work to ensure their organizations can meet evolving demands

An effective compliance program is a natural outcome of the process of increasing security and reliability

The CIP program coordinates NERC’s efforts to improve physical and cyber security for the bulk power system of North America

— Since 2007, CIP violations have increased in total number and as a percentage of total violations

— Non-CIP violations have also increased

Focus on Cooperatives

Since the beginning of mandatory enforcement, 47 reliability standards had possible violations by cooperatives, yet 47% of the total number of violations are concentrated in only four standards:

— PRC-005: System Protection Maintenance and Testing

— CIP-001: Sabotage Reporting

— CIP-007: Systems Security Management

— CIP-005: Electronic Security Perimeters

Cooperatives can prioritize activities by focusing resources on these standards

[Figure: Top 10 Violations by Cooperatives. Sources: NERC]

Page 5: Ensuring Grid Security and Reliability

Multiple Dimensions of Reliability

Cooperatives must work to ensure the reliability of the overall bulk power system along multiple dimensions, including regulatory and environmental uncertainties and the adequacy of generation resources to meet projected demand.

Security for an increasingly “smart” grid

Increasing dependence on digital technology to reduce costs, increase efficiency, and maintain reliability means that the networks and computer environments which support this technology must be adequately protected from attacks

— The constant vigilance that is required to ensure security in this environment is challenging for cooperatives due to the costs and specialized expertise associated with attaining it

Other areas of reliability to consider*

Generation Reliability

The results of NERC’s recent analysis of generation reliability showed upward trends in forced outage hours, maintenance events and planned outage events

— Forced outage hours jumped from 266 to 310 hours per unit from 2009 to 2010

— Maintenance events increased by 24 hours per unit from 2009 to 2010

— Planned outage events increased slightly from 2008 to 2010

Further investigation is required, but an aging generating fleet may be a primary driver of degrading generation reliability

Transmission Reliability

From 2008 to 2011, nearly 20% of automatic sustained outages were initiated by either failed AC substation equipment or failed AC circuit equipment

These equipment failures should be considered significant focus points in reducing outages and maintaining reliability

*Sources: NERC, 2011 Risk Assessment of Reliability Performance

Page 6: Ensuring Grid Security and Reliability

Effective Compliance Program Elements

An organization can support increased security and reliability, and improve its ability to respond to evolving rulemaking, by working to ensure that the eight compliance elements described below are incorporated into its compliance program.

Organizational Structure

• Dedicated compliance organization; supervised by the “compliance officer”

• Identified compliance leaders and structure in each applicable organization

Employee Training

• Staff at all levels are trained; communications clear

• Methodology to ensure alignment between documentation compliance and training

Culture of Compliance

• Recognition of the importance of reliability/compliance

• Employees are encouraged to identify and self-report violations through the corporate process

• Key compliance indicators identified and monitored; “dashboard” status reporting

Standards Development

• Proactive involvement in standards development

• Process in place for rollout of new standards

Compliance Processes

• Established corporate-wide standards

• Ongoing audit readiness process to prepare for self-certification, self-reporting, compliance audits, spot checks, and readiness evaluations

Program Management

• A master schedule exists for all compliance-related activities; activities are managed as a program

• The compliance group assists the business units

Risk Management

• Enterprise-wide risk management assessment conducted to evaluate compliance risk

• Formal reviews of company reliability “incidents” and “near misses” are held in a timely manner

Use of Technology

• Computer-based tracking systems

• Central repository for auditable documents

• Appropriate tools selected to support NERC

Page 7: Ensuring Grid Security and Reliability

Effective Compliance Program Elements (Cont’d)

Some key questions to consider under each of the eight compliance elements are listed below.

The degree to which an organization has addressed these questions is indicative of program maturity and effectiveness

Organizational Structure

• Who is the NERC chief compliance officer? Why?

• Do they have access to the COO/CEO?

• To whom does the compliance manager report?

• How are responsibilities divided between compliance and the SMEs?

Employee Training

• Once procedures are complete, how are staff trained?

• How frequently are procedures reviewed?

• Who signs off on staff knowledge?

Culture of Compliance

• Does senior management consider NERC compliance a primary responsibility?

• What communications have been made to the staff and board regarding NERC compliance? Are these messages reinforced?

• How is performance managed?

Standards Development

• How does the enterprise stay apprised of standards under development?

• What is the internal process to comment and vote on standards?

• Who are the representatives on the RRO and NERC standards development committees?

Compliance Processes

• How are procedures vetted internally?

• How does the signing officer know they are correct and have been implemented?

• Are the procedures for self-certification, self-reporting, audit preparation, etc. followed?

• Who is responsible for compliance with those procedures?

Program Management

• Is there a master plan of compliance-related activities? How is it managed?

• Who is responsible for tracking activities and ensuring completion?

• How are procedures integrated within and across departments?

Risk Management

• Is NERC compliance included in the ERM process?

• How is potential compliance exposure communicated to management?

• Are compliance resources allocated consistent with potential risks?

Use of Technology

• Which tools are used for project management? Work management?

• How is procedure version control managed?

• How are tasks tracked and communicated?

Page 8: Ensuring Grid Security and Reliability

Thinking Strategically

In today’s dynamic and challenging environment, it is more important than ever to ask the right questions and understand the implication of the answers.

Practical Questions for Management

With which violations are we most at risk for non-compliance?

What components of an effective compliance program are priorities for my organization right now?

How do our compliance activities compare to other organizations?

What systems, tools, and training are available to help facilitate a culture of compliance?

Do we have well-defined processes that will keep us in compliance while improving security and reliability over time?

Does our organization structure support clear and undiluted accountabilities?

Possible Goals for the Organization

Identify standards where the organization may be at risk and perform an internal assessment

Review the most violated standards and largest penalties in the industry to identify those which could present the most risk

Assess the NERC compliance governance structure to ensure roles and responsibilities support the goal of corporate compliance

Ensure processes that touch CIP standards efficiently meet current and likely future business requirements

Develop a governance model that clarifies key accountabilities associated with ensuring grid security and reliability

Page 9: Ensuring Grid Security and Reliability

Contact Us

ScottMadden has undertaken numerous consulting projects for cooperatives across the country. If you are interested in learning more about ensuring grid security and reliability, please contact us.

Zach Milner

Senior Associate ScottMadden, Inc.

3495 Piedmont Rd, Bldg 10

Suite 805

Atlanta, GA 30305

Phone: 404-814-0020

[email protected]

Marc Miller

Director ScottMadden, Inc.

3495 Piedmont Rd, Bldg 10

Suite 805

Atlanta, GA 30305

Phone: 404-814-0020

[email protected]

Brad Kitchens

President and CEO ScottMadden, Inc.

3495 Piedmont Rd, Bldg 10

Suite 805

Atlanta, GA 30305

Phone: 404-814-0020

[email protected]
