Pillars of Internal Controls - Part 1
Slides: 25

Harold G. Sherrill, Sr. Internal Controls Analyst, Risk Assessment and Mitigation
Western Electricity Coordinating Council (WECC)
2 Common Enterprise Risk Management (ERM) Objectives

Business objectives:
• Market share growth
• Client satisfaction
• Volume
• Cost containment
• Quality
• Innovation and technology
• Profitability

Governance objectives:
• Information reliability (i.e. accounting)
• Legal
• Social responsibility
• Reliability and security

3 Alignment of Program Objectives
[Diagram] Common ERM objectives are set from the top down; risk-based internal controls objectives are built from the bottom up. The two approaches must align.

4 What You Will Learn Today
Part 1
– Pillar 1: Risk Assessment
– Pillar 2: Design and Implementation
– Exercise: Change Management Risk Assessment
Part 2
– Pillar 3: Controls Monitoring
– Pillar 4: Controls Evaluation
– Panel: Controls Monitoring and Evaluation
5 Pillar 1 – Risk Assessment
Review the activities and processes in operation:
• Identify all practices.
• Document entity practices for use in the risk assessment process.

6 Pillar 1 – Risk Assessment
Identify potential failure scenarios of those practices that would prevent you from achieving the objective:
• Potential failure points.
• Potential causes of failure points; these are the risk targets.
• Align/map practices to risks, and address any gaps (a risk target with no practice mapped to it).
7 Risk Assessment Example: Insurance Scenario

8 Risk Assessment Example
How do I get a lower rate?
• Safety is a key factor.
• Research the associated risk.

9 Risk Assessment Example
Enterprise risk objective: cost containment via a reduced risk evaluation outcome (risk-based determination of insurance cost).
Risk assessment objective: identify the risk elements that may result in failure to achieve a favorable risk evaluation.
Internal control objective: achieve a favorable risk evaluation outcome based on designed and implemented controls.
10 Risk Assessment Example

Potential Failure | Potential Cause of Failure | Potential Effects of Failure
Poor driver experience or education | Failure to have education on safe driving practices to avoid collision | Ineffective skills to prevent collision
Inability to stop | Failure to have ability to stop to avoid collision | Collision due to inability to stop
Inability to detect hazards | Failure to have ability to rapidly detect hazards to avoid collision | Collision due to inability to rapidly detect hazards

(Controls for these rows: we will see these later in the presentation.)

11 The Essence of a Control
...activities and/or processes in operation that mitigate an identified risk.
12 Design and Implementation – Pillar 2: Design
• Level of coverage relevant to address specific business and governance needs, such as training, change management, compliance, etc.
• Controls are capable of mitigating the intended risk targets, e.g. reliability and security.

13 Design and Implementation – Pillar 2: Design
Control narratives adequately describe the 5 Ws + how:
• What is being performed
• Why it is being performed
• When it is being performed
• Who is performing the what
• How the who is performing the what
• Where the who is performing the what

14 Design and Implementation – Pillar 2: Implementation
Controls will operate to:
• Mitigate risk targets within the enterprise
• Address all identified requirement-level risk targets
15 Risk and CONTROL Assessment Example

Potential Failure | Potential Cause of Failure | Potential Effects of Failure | Controls
Poor driver experience or education | Failure to have education on safe driving practices to avoid collision | Ineffective skills to prevent collision | Taken safe driving course
Inability to stop | Failure to have ability to stop to avoid collision | Collision due to inability to stop | Purchased antilock brakes
Inability to detect hazards | Failure to have ability to rapidly detect hazards to avoid collision | Collision due to inability to rapidly detect hazards | Purchased collision detection

16 Exercise (20 minutes): Risk & Controls Assessment – Change Management

17 SCENARIO
Black Start Generating Facility, going into service in 2022.
WHAT CONTROLS ARE NEEDED TO ADDRESS CHANGE MANAGEMENT?
Consider:
• List of business units impacted
• NERC compliance
• System impact studies
• Physical security changes
• Documentation
• Cyber system changes
Change Management: Risk & Controls Assessment worksheet

Potential failures:
• Unmanaged change
• Lack of knowledge about change standards and procedures
• Uncoordinated change
• Unauthorized change

Potential Cause of Failure (failure point) | Control
Failure to have formalized change standards and procedures | Enterprise-wide change management policy, standards, and procedures
Failure to provide training on change standards and procedures | Mandatory training on the enterprise change management program via CBT during onboarding, with refreshers
Failure to develop entity-specific impact assessment criteria | Enterprise-wide procedure on development and documentation of assets, systems, and functional architecture
Failure to develop entity-specific prioritization process | Enterprise-wide documentation of the relationship of assets, systems, and functional architecture to business operations
Failure to develop entity-specific authorization process | Enterprise-wide documentation of asset, system, and functional ownership
Failure to develop entity-specific emergency change qualification criteria | Enterprise-wide documentation of criteria for emergency changes
Failure to develop entity-specific change status tracking | Enterprise-wide change process methodology and workflow
Failure to develop entity-specific reporting process | Enterprise-wide change process workflow and reporting requirements
Failure to develop entity-specific closure criteria | Policy requiring a procedural or technical task to close records

Potential effects of failure:
• Changes performed without the ability to detect, manage, or mitigate risk to the enterprise
• Changes performed without management of enterprise risk
• Change execution without knowledge of impacts to systems
• Change execution without awareness of business operational needs
• Needs of the operation hindered by the change process
• Change process unmanageability
• Changes performed that did not align with enterprise business operations
• Changes performed that did not inform enterprise risk owners
• Inability to support real-time business needs due to lack of resiliency in the change process
• System owner/business owner unaware of changes, or of the status of changes, that may impact operations
• Impact to mission-critical systems during a change
• Inability to see opportunity and risk in governance of the change process
• Inability to manage opportunity and risk in governance of the change process
• Incomplete changes and undocumented change performance metrics
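The two checks that Pillar 1 ("align/map practices to risk – address gaps") and Pillar 2 ("control narratives adequately describe the 5 Ws + how") ask for can be run mechanically once the register is captured as data. The following is an added example, not code from the deck or from WECC: it encodes the insurance rows from slides 10 and 15 as a small risk/control register and reports (a) every cause of failure that no control mitigates, (b) every control that is mapped to no known risk target, and (c) every control whose narrative omits one of the 5 Ws + how. The field names, the narrative text, and the deliberately unmapped "Collision detection" control are constructed for illustration; the deck maps all three insurance controls to a risk.

```python
"""Risk/control register checks for Pillars 1 and 2 (added example, not from the WECC deck)."""
from dataclasses import dataclass, field

# The elements a control narrative must state (slide 13).
FIVE_WS_PLUS_HOW = ("what", "why", "when", "who", "how", "where")


@dataclass(frozen=True)
class RiskTarget:
    """One row of the risk assessment: potential failure, its cause, its effect."""
    failure: str
    cause: str      # the 'failure point' a control must address (the risk target)
    effect: str


@dataclass
class Control:
    """A control and the risk targets (causes) it is designed to mitigate."""
    name: str
    mitigates: tuple                               # causes this control addresses
    narrative: dict = field(default_factory=dict)  # keys from FIVE_WS_PLUS_HOW


def coverage_gaps(targets, controls):
    """Pillar 1 check: return (causes no control mitigates, controls mapped to no known cause)."""
    mitigated = {cause for c in controls for cause in c.mitigates}
    known = {t.cause for t in targets}
    gaps = [t.cause for t in targets if t.cause not in mitigated]
    orphans = [c.name for c in controls if not set(c.mitigates) & known]
    return gaps, orphans


def narrative_gaps(control):
    """Pillar 2 check: return the 5 Ws + how elements the narrative leaves blank."""
    return [w for w in FIVE_WS_PLUS_HOW if not control.narrative.get(w, "").strip()]


# Register built from the deck's insurance example (slides 10 and 15); wording condensed.
INSURANCE_TARGETS = (
    RiskTarget("Poor driver experience or education",
               "No education on safe driving practices",
               "Ineffective skills to prevent collision"),
    RiskTarget("Inability to stop",
               "No ability to stop to avoid collision",
               "Collision due to inability to stop"),
    RiskTarget("Inability to detect hazards",
               "No ability to rapidly detect hazards",
               "Collision due to inability to rapidly detect hazards"),
)
INSURANCE_CONTROLS = (
    # Complete narrative: all 5 Ws + how are stated (narrative text is constructed).
    Control("Safe Driving course", ("No education on safe driving practices",),
            {"what": "Complete a certified safe driving course",
             "why": "Build collision-avoidance skills",
             "when": "Before policy renewal",
             "who": "Policy holder",
             "how": "Classroom session plus road test",
             "where": "Accredited driving school"}),
    # Incomplete narrative: 'how' and 'where' are missing, so design is not finished.
    Control("Antilock brakes", ("No ability to stop to avoid collision",),
            {"what": "ABS fitted to the vehicle",
             "why": "Retain steering control under hard braking",
             "when": "At vehicle purchase",
             "who": "Dealer"}),
    # Constructed for the example: this control was never mapped to its risk target,
    # so 'No ability to rapidly detect hazards' shows up as a Pillar 1 gap and the
    # control itself shows up as an orphan.
    Control("Collision detection", ()),
)


def insurance_report():
    """Run both checks over the constructed insurance register and return the findings."""
    gaps, orphans = coverage_gaps(INSURANCE_TARGETS, INSURANCE_CONTROLS)
    design = {c.name: narrative_gaps(c) for c in INSURANCE_CONTROLS}
    return {"unmitigated_causes": gaps,
            "orphan_controls": orphans,
            "narrative_gaps": design}


if __name__ == "__main__":
    for key, value in insurance_report().items():
        print(f"{key}: {value}")
```

Running it reports "No ability to rapidly detect hazards" as an unmitigated cause, "Collision detection" as an orphan control, and "how"/"where" as the missing narrative elements for the antilock-brakes control. The same structure carries over to the change-management worksheet: each entity-specific "Failure to develop ..." cause becomes a RiskTarget and each enterprise-wide policy, procedure or documentation item becomes a Control whose `mitigates` tuple names the causes it covers.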
Pillars of Internal Controls - Part 2
Harold G. Sherrill, Sr. Internal Controls Analyst, Risk Assessment and Mitigation (RAM)

20 What You Will Learn Today
Part 2
– Pillar 3: Controls Monitoring
– Pillar 4: Controls Evaluation
– Panel: Controls Monitoring and Evaluation

21 Pillar 3 – Controls Monitoring of Internal Controls
Ensure your controls are implemented as designed on a consistent basis. Define for each control its:
• Frequency
• Scope
• Placement

22 Pillar 4 – Controls Evaluation of Internal Controls
Confirm that designed and implemented controls continue to meet the overall objectives.
Possible triggers for a controls evaluation:
• Changes in operational responsibilities
• Changes impacting the entity, such as:
  – system events
  – compliance activities
23 Controls Monitoring and Evaluation Panel
Harold Sherrill, WECC
Joe Carluccio, BPA
Tina Kilgore-Goodwin, CAISO
Lisa Milanes, CAISO
Eric Olsen, SMUD

24 Ultimate Reliability & Security Approach
A proactive risk posture instinctively aids in compliance excellence!

25 Key Takeaway!
"...A truly effective and efficient internal control structure requires taking a deliberate and fundamental approach to the design, execution, and monitoring of the controls, rather than just creating them to address perceived outcomes."
- Kevin Hickey, Keynote Speaker, Signature Bank NY