RESOLUTION NO. 2016-140

A RESOLUTION OF THE LODI CITY COUNCIL RESCINDING RESOLUTION NO. 2014-180 AND FURTHER APPROVING THE CITY OF LODI RISK MANAGEMENT AND COMPLIANCE PROGRAM VERSION 3.0

WHEREAS, the City Council established a Risk Oversight Committee (ROC) on January 18, 2006 to ensure compliance with the City's energy risk management policies; and

WHEREAS, in 2007, requirements imposed on Lodi's Electric Utility (LEU) by the North American Electric Reliability Corporation (NERC) and the Western Electricity Coordinating Council (WECC) also required an internal compliance program to ensure compliance with NERC reliability standards; as a result, the ROC's responsibilities expanded, resulting in an all-encompassing "City of Lodi Risk Management and Compliance Program" (RMCP) which was approved by the City Council on April 4, 2012; and

WHEREAS, as electric utility industry requirements change, the RMCP requires revision and changes and are brought before the ROC for consideration; and

WHEREAS, the City Council approved Version 2.0 on October 1, 2014, to reflect the de-activation of LEU's reliability registration with WECC for NERC reliability standards, resulting in the suspension of Attachment B in the RMCP; and

WHEREAS, the attached version of the RMCP addresses non-substantial changes to reflect current staffing levels, as well as improve consistency and flow throughout the document; and

WHEREAS, on June 27, 2016, the ROC approved these changes with a recommendation to seek City Council approval to rescind Resolution No. 2014-180 and approve Version 3.0 of the RMCP.

NOW, THEREFORE, BE IT RESOLVED that the Lodi City Council does hereby rescind Resolution No. 2014-180; and

BE IT FURTHER RESOLVED that the Lodi City Council does hereby approve the City of Lodi Risk Management and Compliance Program Version 3.0, as shown on Exhibit A attached hereto and made a part of this Resolution.
Dated: July 20, 2016

I hereby certify that Resolution No. 2016-140 was passed and adopted by the City Council of the City of Lodi in a regular meeting held July 20, 2016, by the following vote:

AYES: COUNCIL MEMBERS — Johnson, Kuehne, Mounce, and Mayor Chandler
NOES: COUNCIL MEMBERS — None
ABSENT: COUNCIL MEMBERS — Nakanishi
ABSTAIN: COUNCIL MEMBERS — None

FERRAIOLO, City Clerk

Exhibit A

City of Lodi Risk Management and Compliance Program
Version 3.0
Revised July 2016
Amended July 20, 2016

Table of Contents

1 Mission Statement/Statement of Commitment
2 Goal
3 Organizational Structure and Chart
4 Leadership Support
5 Lessons Learned
6 Compliance Communications Protection for Whistleblowers
7 Employee Incentives
8 Compliance Enforcement
9 Resources
10 Compliance Communications

Attachment A
1 Purpose
2 Scope
3 Energy Risk Management Policies ("ERMP")
4 Scope of the ERMP
4.1 ERMP Objectives
4.2 ERMP Implementation Process
4.3 Risk Inventory
5 Transaction Limits and Controls
5.1 Regulatory Compliance
5.2 Indirect Purchases (NCPA)
5.3 Direct Purchases
5.4 All Purchases:
5.5 Prohibited and Authorized Transaction Types
6 ROC Reports
6.1 ROC reports include but are not limited to:
7 Program Review/Evaluation/Modification/Distribution

Attachment B
1 Background
2 NERC/WECC Compliance Program Structure
3 Requirements identification
4 NERC/WECC Standards Requirements - tracked and current
5 Risk Assessment
6 NERC/WECC Compliance Program Oversight
7 Independent Access to Executives
8 Independent Management
9 Resources
10 Performance Targets
11 Compliance Training
12 Outreach
13 Employee Incentives
13.1 Incentives
14 Procedures and Other Documents
15 Controls and Program Monitoring
15.1 Compliance Monitoring
15.2 Self-Audit
15.3 Hard Controls
16 Self-Reporting
16.1 Discovery of Potential Regulatory Violations — Review Process
16.2 Responding to and Reporting Potential Violations
17 Remediating and Preventing Repeat Violations
18 Self-Certification
19 Document Retention Policy
20 Storage
21 Compliance System
22 References
23 Internal Compliance Program Review
24 Responsible Senior Manager or Delegate
25 Revision History
1 Mission Statement/Statement of Commitment

The City's compliance mission is to create a superior and effective program to manage risk and compliance which implements best electric utility practices and encourages a culture of compliance and control throughout the EU. The City implements all opportunities to build compliance and controls into every business practice and to continuously improve its program to be robust, rigorous and transparent. The City is committed to complying with all applicable laws and regulations. In addition, the City is committed to prudent risk management and compliance awareness and continuous improvement of processes and procedures. This commitment allows the City to develop and maintain an organizational culture that supports staff in meeting these concerns through education/training, ethical conduct, decision making, and a culture of transparency.

2 Goal

The goal of the Energy Risk Management and Internal Compliance Program ("the Program") contained herein is to create a culture of compliance and control within daily activities that is characterized by clear communication, consistent documentation and implementation of the following practices:

1. Creating a culture of accountability.
2. Adopting reporting procedures to the Risk Oversight Committee (ROC) and the City Council.
3. Identifying and communicating specific concerns and opportunities for improvement.
4. Reviewing and developing goals that ensure a strong corporate commitment to compliance and control.
5. Creating awareness through training and other communications.
6. Assessing the Programs for adequacy and providing recommendations to address planning, auditing and budgeting issues.
7. Identifying and assigning responsibilities to the key individuals, as appropriate, for applicable portions of the Programs.
8. Providing a documentation framework that supports compliance, and includes clear processes, policies, and procedures.
9. Creating a culture of continuous improvement through regular assessments and corrections. These assessments may be self-assessments, internal audits, and independent third-party assessments.
10. Adhering to approved regulatory requirements.
11. Cooperating with regulatory agencies.
12. Promptly assessing and reporting potential violations to regulatory agencies, if required.

3 Organizational Structure and Chart

The Programs are overseen by the Risk Oversight Committee (ROC) which is comprised of the City Council member who serves as a Northern California Power Agency (NCPA) commissioner or alternate, the City Manager, Deputy City Manager, City Attorney and the Electric Utility Director. In the event of absence or unavailability of the NCPA commissioner or alternate, City Manager, Deputy City Manager or City Attorney, the following alternates, in the order listed below based on availability, shall serve in their absence:

1. Business Development Manager
2. Deputy City Attorney
3. City Clerk

In the event of absence or unavailability of the Electric Utility Director, the Rates & Resources Manager, or other designee, may serve in his/her absence. The City Manager shall appoint the chair of the ROC. Additional non-voting members may be invited to participate on the ROC based on supporting expertise required by the ROC. Due to the confidential nature of the agenda items presented to the ROC, all ROC members and designees are required to sign and adhere to the terms of the NCPA Non-disclosure Agreement.

The ROC shall meet every three (3) to six (6) months, or as otherwise called to order by the City Council or ROC member. The ROC shall keep minutes of all meetings and business transacted, the responsibility for which shall be assigned to staff within the Electric Utility Department. A quorum for the ROC to do business shall consist of all members, or their designees. The ROC shall request attendance at its meetings by, and/or reports from, other persons as appropriate.
[Organizational chart]

City Council

The City Council is responsible for making high-level, broad policy decisions as contained in this document. The City Council sets the policy, and adopts the Programs as developed and recommended by the ROC and delegates the City Manager to execute them. The City Council will review the Programs every year. The City Council reviews the Program updates on a regular basis and provides direction and additional support, as needed.

Risk Oversight Committee

The ROC shall have the responsibility for ensuring that business is conducted in accordance with the Energy Risk Management Policies (ERMP) in Attachment A. The ROC shall adopt and bring current risk management business practices, defining in detail the internal controls, strategies and processes for managing risks associated with the adoption of those business practices; including but not limited to a Laddering Strategy. As used herein the term Laddering Strategy shall mean an objective and graduated program to secure varying percentages of the City's projected future power needs at any given point in time. Determination of regulatory non-compliance and direction to self-report such non-compliant activities shall be made by the ROC.

City Manager

The City Manager has overall responsibility for executing and ensuring compliance with policies adopted by the City Council. The City Manager shall make reports to the City Council every three (3) to six (6) months regarding business transacted by the ROC and upon such occasions as the City Council shall direct.

Electric Utility Director - Compliance Officer

The Electric Utility Director is the utility's Executive Officer, acts as the Compliance Officer for the EU, and is a voting member of the ROC. The Electric Utility Director has access to the City Council through the City Manager. This ensures communication of compliance concerns to the highest levels within the organization.
Records of communication and reporting between the City Council and the City Manager are stored as required by the City's Records Management Program.

Electric Utility Department

The EU shall participate on the ROC through the Electric Utility Director. The Electric Utility Director shall provide load forecast information and coordinate the receipt and dissemination of relevant market and transactional information undertaken on the City's behalf through NCPA.

Finance Department

The Finance Department shall participate on the ROC through the Deputy City Manager and provide accounting and cash flow information to the ROC.

Legal Department

The Legal Department shall participate on the ROC through the City Attorney, provide legal advice and representation, and ensure that business is carried out in compliance with all applicable laws, regulations, executive orders, and court orders.

4 Leadership Support

These Programs, as approved by the City Council, require the support and participation of all appropriate City staff. During ROC meetings, status updates are provided, any instances of potential non-compliance are discussed and support is provided. ROC meeting minutes and agendas are stored as required by the City's Records Management Program.

5 Lessons Learned

Any lessons learned from audits, violations, other similar entity violations, or near misses are encouraged to be shared with all staff. Lessons learned are shared regularly with staff and in employee training programs. This includes lessons learned provided by regulatory authorities, other industry members, and discovered within the City's business practices.

6 Compliance Communications Protection for Whistleblowers

The City staff is encouraged to come forward with evidence to their manager that the City may be violating a law or regulation. Communication of potential violations plays a pivotal role in the detection, investigation, and prevention of violations.
No employee will be subject to any type of retribution for speaking out on compliance issues of any type.

The City staff, contractors, and the public are encouraged to report evidence of possible compliance violations, unethical business conduct, questionable operations, problems with compliance controls, reporting or auditing concerns, and violations of laws or regulations. The City will promptly investigate all complaints and attempt to maintain the whistleblower's anonymity. Complaints may be made through the suggestion box, to the employee's supervisor, manager, or director.

7 Employee Incentives

Regulatory compliance is incorporated into applicable employee personal performance assessments. Employees are recognized by their management and among their peers for identifying opportunities for improving the Program.

8 Compliance Enforcement

Compliance exceptions are actions which violate the authority limits, requirements or directives set forth in the ERMP. All exceptions shall be reported to the ROC. Willful violations of the ERMP and Internal Compliance Program (ICP) will be subject to review and may be cause for discipline or dismissal. Such disciplinary action may include written notices to the individual involved that a violation has been determined, demotion or re-assignment of the individual involved, suspension with or without pay or benefits, or dismissal. Violations may also constitute violations of law and may result in criminal penalties and civil liabilities for the offending covered party and the City.

9 Resources

The City is dedicated to making the best use of all appropriate resources from all applicable entities as part of these Programs.
The City is committed to addressing all areas of high risk through the use of its own resources to improve its robust, rigorous, and transparent Program. The City Council has approved sufficient funding for the administration of the Program. The requirements of these Programs are budgeted and fully staffed on a year-round basis.

10 Compliance Communications

City employees have various means in which to report business conduct issues including potential violations of regulatory requirements. Break room posters provide contact information. Additionally, the City's Internal Compliance Program is distributed via email to all employees after completion of the annual review.

Attachment A
Energy Risk Management Policies

1 Purpose

The purpose of this Risk Management and Compliance Program ("Program") is to foster a culture of compliance and control for the City of Lodi ("City") Electric Utility ("EU"). The Program expects a high level of compliance to regulations, laws, and the City's agreements, policies and procedures while managing risks on a routine basis. The Program is laid out to control EU's activities so that controlling risk and compliance are part of the City's culture.

2 Scope

This Program outlines the City's internal control foundation, providing discipline and structure to guide compliance with regulations, laws, and the City's agreements, procedures and policies. It includes a cross-section of knowledgeable and skilled employees who are responsible to oversee, communicate, track, document, and monitor compliance and risk management and share the results with management and the City Council. The Program applies to all the City employees, contractors, and vendor personnel responsible for complying with regulations and the City's policies and procedures. It is made readily available to all employees.
3 Energy Risk Management Policies ("ERMP")

The purpose of the ERMP is to ensure that risks associated with the City's bulk power procurement are properly identified, measured and controlled. The ROC manages the ERMP.

4 Scope of the ERMP

The ERMP are applied to all aspects of the City's wholesale procurement and sales activities, long-term contracting associated with energy supplies, including generator fuel, capital projects and associated financing related to generation, transmission, transportation, storage, Renewable Energy Credits ("REC"), Green House Gas ("GHG") offsets, Resource Adequacy ("RA") capacity, ancillary services, participation in Joint Powers Agencies ("JPA"), and regulatory compliance as set forth in Exhibit B.

This Program does not address the following types of general business risk, which are treated separately in other official policies, ordinances, and regulations of the City: fire, accident and casualty, health, safety, workers compensation and other such typically insurable perils.

4.1 ERMP Objectives

1. Maintain a regularly updated inventory of risks that could impact rates and security of the City's bulk power procurement program.
2. Establish risk metrics and reporting mechanisms that provide both quantitative and qualitative assessments of potential impacts to rate stability.
3. Adopt business practices that encourage compliance, development of appropriate levels of EU operating reserve funds, contribute to retail rate stability, and maintain appropriate security for established EU funds.
4. Minimize costs to maintain control of the City's electric utility rates.

4.2 ERMP Implementation Process

1. Identify, measure, and control risks that could have an adverse effect on retail rate stability.
2. Assign risk management responsibilities to appropriately qualified individuals and committees for each of these risks.

4.3 Risk Inventory

The EU must inventory and address the following categories of risk as a component of the monitoring and reporting under the ERMP:

1. Price Risk
2. Volume Risk
3. Credit Risk
4. Operational Risk
5. Contingent Liabilities

Price Risk — the risk associated with the change of power costs; it can be segmented into two categories:

1. Wholesale prices may increase while positions are still open.
2. Wholesale prices may decrease after positions are closed.

Volume Risk — the risk that demand for power will either fall below or exceed the existing contracted power supplies.

Credit Risk — the risk associated with entering into any type of transaction with a counterparty; it can be segmented into the following five categories:

1. Counterparties fail to take delivery of, or pay for, energy sold to them.
2. Counterparties fail to deliver contracted energy.
3. Counterparties refuse to extend credit or charge a premium for credit risks.
4. Counterparty transactions are too concentrated among a limited number of suppliers.
5. Inability to finance capital projects or meet financial obligations incurred in the course of wholesale operations.

Operational Risk — the risk of failing to effectively plan, execute or control business activities, including the potential for:

1. Inadequate organizational infrastructure, i.e., the lack of sufficient authority to make and execute decisions, inadequate supervision, absence of internal checks and balances, incomplete and untimely planning, incomplete and untimely reporting, failure to separate incompatible functions, etc.
2. Absence, shortage or loss of key personnel.
3. Lack or failure of facilities, equipment, systems and tools such as computers, software, communications links, and data services.
4. Exposure to litigation, fines, or sanctions as a result of violating laws and regulations, not meeting contractual obligations, failure to address legal issues and/or receive competent legal advice, not drafting contracts effectively, etc. Exposure includes the fines and litigation associated with the Federal Energy Regulatory Commission ("FERC"), North American Electric Reliability Corporation ("NERC") and/or Western Electricity Coordinating Council ("WECC") and environmental compliance violations.
5. Errors or omissions in the conduct of business, including failure to execute transactions, violations of guidelines and directives, etc.

Contingent Liabilities — liabilities that the City could incur in the event of the failure of other parties to discharge their obligations. At present, these consist of three principal categories:

1. Guarantees and step up provisions in the enabling agreements for the JPAs of which the City is a member.
2. Project closure, decommissioning, environmental remediation, and other obligations which result from the City's own activities as well as JPA projects and activities.
3. Provisions for take or pay, termination payments, and/or margin calls in the City's long-term electric power supply agreements.

5 Transaction Limits and Controls

The EU utilizes transaction limits and controls to mitigate or prevent exposure to identified risks.
5.1 Regulatory Compliance

Regulatory compliance controls include both soft and hard controls. Soft controls include self-audits, policies, and procedures. Hard controls include automated due date calendar reminders, forms with mandatory fields for collecting evidence, and self-assessments.

5.2 Indirect Purchases (NCPA)

The City Manager and the Electric Utility Director are severally authorized to enter into contracts for the purchase through NCPA of electric energy, capacity, generator fuel, transmission, transportation, storage, RECs, GHG offsets, RA capacity, and ancillary services to meet the City's service obligations in amounts and for such quantities as are: 1) necessary to meet the minimum amounts called for in ROC's Laddering Strategy; 2) consistent with this ERMP; and 3) approved by the ROC.

Purchases outside the authority granted above may be authorized by specific City Council resolution. The resolution may specify the limits of the authority delegated, including the maximum dollar amount of the authority and the duration of the contracts and/or transactions that may be executed.
In addition, for purchases through NCPA, counterparty credit limits and minimum counterparty rating criteria shall be described in NCPA's then current "Energy Risk Management Policy", which is made a part of this document by reference, and the most recent policy is attached hereto and may also be found at: htto:llwww.ncoa.comlimaReslstories/`Finandals/`poll(; NCPA Energy Risk Managemen t Policy Version 1.3 Approved. 06-16-2011pdf.

Moreover, the City Manager and Electric Utility Director are authorized to purchase electric energy, capacity and fuel to meet the City's share of amounts called for under NCPA's then current Energy Risk Management Policy upon approval of the ROC.

5.3 Direct Purchases

The City Manager and the Electric Utility Director are severally authorized to enter into contracts for the direct purchase of electric energy, capacity, generator fuel, transmission, transportation, storage, RECs, GHG offsets, RA capacity, and Ancillary Services to meet the City's service obligations in amounts and for such quantities as are: 1) necessary to meet the minimum amounts called for in ROC's Laddering Strategy; 2) consistent with this ERMP; and 3) approved by the ROC.

Purchases outside the authority granted above may be authorized by specific City Council resolution. The resolution may specify the limits of the authority delegated, including the maximum dollar amount of the authority and the duration of the contracts and/or transactions that may be executed.
For contracts executed directly by the City, the City uses standardized form contracts for such procurement, including, but not limited to, form contracts created and copyrighted by the Edison Electric Institute, the Western States Power Pool, the California Department of General Services, and the North American Energy Standards Board, unless waived by resolution of the City Council.

Counterparties shall obtain and maintain during the terms of the contract, the minimum credit rating established as of the date of award of the contract of not less than a BBB- investment grade credit rating or its equivalent as established by the rating agencies, such as Standard and Poor's, Moody's Investors Services, and/or Fitch, unless waived by resolution of the City Council.
5.4 All Purchases

Any City Council resolution or ROC recommendation authorizing the City Manager or Electric Utility Director to contract for electricity shall specify generally at least the following terms and conditions and the description of energy and energy services to be procured, including, but not limited to: 1) a fixed or formula price; 2) energy and ancillary services to be included; 3) term, specifying a not-to-exceed period of time; 4) period of delivery denoted in years or months and whether deliveries are on-peak or off-peak; and 5) the point of delivery on the locus on the interstate transmission system on which the delivery is made.

Any City Council resolution or ROC recommendation authorizing the City Manager or Electric Utility Director to contract for generator fuel shall specify generally at least the following terms and conditions: 1) quantity and the description of fuel services to be procured, including but not limited to scheduled fuel and fuel transportation services, specifying a not-to-exceed period of time; 2) period of delivery denoted in years or months or years and months; and 3) point of delivery of the locus on the interstate transportation system at which the transfer of title is made.

All procurement of electricity and generator fuel by contract shall conform to the requirements of the ERMP.

5.5 Prohibited and Authorized Transaction Types

5.5.1 Prohibited Transaction Types

Speculative buying and selling of energy products is prohibited. Speculation is defined as buying energy products that are not needed for meeting forecasted obligations, selling energy products that are not owned and/or selling energy products that are not surplus without simultaneously replacing that energy product at a lower cost. In no event shall transactions be entered into to speculate on the changes in market prices.

5.5.2 Authorized Transaction Types

1. Purchase capacity, RECs or REC types, or energy to meet the City's obligations.
2. Sell existing capacity, RECs or REC types, or energy that is expected to be in excess of the City's obligations.
3. Purchase generator fuel required to run the City's share of generating facilities.
4. Sell surplus generator fuel if more economic energy is available for purchase, becomes surplus due to load being lower than previously forecasted, or due to increased energy due to hydrological conditions.
5. Execute financial transactions to fix the price of variable commodity purchases or sales.
6. Purchase simple call options or collars to limit price exposure on short generator fuel or electricity positions.
7. Sell simple call options or tolling agreements on the City's share of generating facilities that are expected to be in excess of the City's obligations.
8. Purchase or sell emission allowances, including GHG offsets, deemed necessary to comply with regulations for the City's share of generating facilities.
9. Purchase or sell firm transmission rights or congestion revenue rights to manage congestion price risk.
10. Purchase or sell energy at the California Oregon Border and an offsetting sale/purchase of energy at North Path 15 ("NP15") to take advantage of the City's share of transmission capacity rights.
11. Simultaneously purchase generator fuel and sell energy when the transaction provides the City a financial advantage.
12. Sell generator fuel and purchase energy to take advantage of market heat rate.

6 ROC Reports

6.1 ROC reports include but are not limited to:

1. Load and resource balances as forecast and adopted in the current operating year's budget (including regulatory, state and federally mandated resource balances).
2. Load and resource balances as adjusted due to operating conditions or purchases occurring during the quarter.
3. An assessment of market exposure.
4. An assessment of the quarterly change in power supply cost from budget.
5. Credit exposure by counterparty.
6. A summary of any purchases made during the quarter.
7. An assessment of any counterparty credit problems.
8. NERC/WECC Compliance program status.

Other reports are provided to the City Council on request.
7 Program Review/Evaluation/Modification/Distribution

The review of the ERMP is designed to: 1) ensure that reporting parties report to their supervisors; 2) ensure that the Electric Utility Director promotes, maintains, and monitors compliance; 3) discuss the effectiveness of the Program; and 4) evaluate alignment of the Program with the City's organization.

Interim to the annual review, the Program will be reviewed and modified as necessary if:

1. An event analysis determines that a modification to this program would be beneficial.
2. The City experiences a regulation violation.
3. Lessons learned or changes have been identified in best practices.
4. Any significant changes to the Program are approved by the City Council. Minor changes are approved by the ROC.

New revisions of the Program are distributed to all parties involved and comments are solicited from the ROC. The City employees are informed of new significant revisions, including contractors and vendors as applicable, and they will all have access to the current Program.

Electric Utility — NERC / WECC Internal Compliance Program
Version 3.0, Revised July 2016, Amended July 20, 2016

Attachment B
Electric Utility NERC / WECC Internal Compliance Program

Attachment B is suspended effective February 10, 2014. On this date the City of Lodi was notified that WECC and NERC had accepted our request to deactivate our registration for Distribution Provider and Load Serving Entity and the City was removed from the NERC Compliance Registry.

A deactivation from the NERC Compliance Registry indicates that an entity is no longer subject to mandatory compliance with the applicable NERC Reliability Standards that have been approved by the FERC. Continued voluntary compliance with NERC Reliability Standards is considered good operating practice by the industry and is recommended by NERC. NERC retains the right to register the City for any function at any time, in accordance with NERC's Statement of Compliance Registry.

1 Background

The Federal Energy Policy Act of 2005 provides the FERC authority to approve and enforce rules and regulations to protect and improve the reliability of the nation's bulk power system.
Through this Act, all electric power entities that impact the Bulk Electric System must comply with FERC approved Regulatory Standards, and public utilities that sell electricity at market-based rates must comply with market rules of conduct and ongoing reporting and compliance requirements. The NERC Statement of Compliance Registry criteria describe which entities are required to register with NERC and comply with the Regulatory Standards. For those entities, mandatory compliance with the first set of Regulatory Standards approved by FERC came into effect on June 18, 2007. The Statement of Compliance Registry requires, among other things, utilities to register into the program as a participant of the region's Under Frequency Program. The City is registered as a Distribution Provider (DP) and Load Serving Entity (LSE) based on this sole criterion and does not meet any of the other registration criteria.

Under this statutory framework, standards are proposed by electric reliability organizations and approved by FERC. The NERC has been delegated authority as the electric reliability organization for the four interconnections in North America that include Quebec, Electric Reliability Council of Texas ("ERCOT"), Eastern, and Western interconnections. Within the NERC interconnection, NERC has further delegated regional reliability organization functionality to eight (8) regional entities. The City is located within the WECC region.

The City's EU is required to comply with all FERC approved Reliability Standards applicable to its registered functions as a Load Serving Entity ("LSE") and Distribution Provider ("DP"). The EU's NERC Internal Compliance Program (ICP) is supported by the City's Risk Management and Compliance Program. The ICP supports the four-pillars-of-compliance framework presented in the FERC's October 2008 Policy Statement on Compliance:
• Role of senior management in fostering compliance;
• Effective preventive measures to ensure compliance;
• Prompt detection, cessation, and reporting of violations; and
• Remediation efforts

This ICP provides the framework to support compliance with the FERC reporting requirements and NERC and WECC Reliability Standards.

2 NERC/WECC Internal Compliance Program Structure

The EU's ICP is a rigorous, established and formal program. The EU strives to achieve a high level of business and personal ethical standards, as well as compliance with the laws and regulations that apply to its business. The EU ICP is managed at a high level and programs and systems are in place to continuously monitor, evaluate, update, and implement the program.

To effectively and efficiently manage the compliance program, the EU has implemented a centralized compliance management system utilizing Microsoft SharePoint. Within the system, the EU has identified and documented all processes used to comply with each requirement. In order to continuously be audit ready, all processes, procedures, evidence, and supporting documentation have been identified and are continuously logged. Forms are used in the compliance system that incorporate controls to ensure completeness, accuracy and timeliness.

The NERC Compliance Administrator continuously monitors NERC and WECC for updates and guidance, including WECC Bulletins, NERC Compliance Application Notices, and best practice guidance documents. The ICP is continuously evaluated by the NERC Compliance Director and the NERC Compliance Administrator.

3 Requirements Identification

The City is registered with NERC as an LSE and DP. It is interconnected to the PG&E transmission system; PG&E is the Transmission Owner and Transmission Planner. The City is within the CAISO Balancing Authority and Planning Authority.
PG&E and the CAISO share responsibilities through a Coordinated Function Registration Agreement as the Transmission Operator and Transmission Service Provider of the facilities that interconnect the City. The Regional Reliability Organization over the City is the WECC Regional Reliability Organization. The City develops its processes to comply with all agreements or related procedures of these organizations as they relate to compliance with the NERC Standards. The NERC Standards Requirements that are applicable to the City are listed on the City compliance website under the "Standards and Processes - FERC Approved Standards" folder: https://lodieud.sharepoint.com/

4 NERC/WECC Standards Requirements - tracked and current

The City maintains a list of applicable NERC/WECC Standard requirements and updates this list as the standards change. New updates to the list are tracked to ensure that all changes to the list are in compliance within 30 days of the requirement becoming effective. Any significant changes are automatically forwarded to the applicable supervisor for inclusion in annual training and/or email notifications if necessary.
The City's NERC Compliance Administrator performs the process of updating all versions of the FERC Approved Reliability Standards as new Standards are revised. The procedure for this process is maintained by the NERC Compliance Administrator and is called "Updating the FERC Approved Reliability Standards List."

5 Risk Assessment

A risk assessment is conducted annually to identify and quantify internal and external risks of non-compliance to the Regulatory Standards. The risk inventory is identified through employee surveys, past experience within the EU, industry announcements and forums, and other agencies' shared experiences. Resource decisions for addressing risks are determined based on the score. High risk items are added to the City's overall risk inventory. The following describes the organization's method for conducting a risk assessment.
Method for Applying

1. A NERC/WECC risk assessment is conducted annually or as needed.
2. The electric department surveys its staff each year to identify areas for improvement in its procedures and processes. In addition, staff is encouraged to make suggestions to all policies, procedures and processes at any time during the year.
3. The NERC Compliance Director and the NERC Compliance Administrator conduct risk assessment meetings as necessary and maintain the minutes/agendas.
4. The following are identified as part of the risk assessment:
   • Prior violations
   • High violation risk factors
   • Violation Severity Levels
   • Periodic performance related Requirements that have a higher probability of occurrence
   • Weaknesses where additional self-audits or controls should be added
5. The Compliance Administrator calculates a risk score after applying the assessment and utilizes it to evaluate areas for additional controls. Several high risk processes have automated controls in place to ensure completeness, accuracy and timeliness.

6 NERC/WECC Compliance Program Oversight

The EU's ICP operates under the overall City Risk Management and Compliance Program, which is overseen by the ROC and is directed by the Compliance Officer.

[Figure: NERC/WECC Compliance Program Oversight Structure. Organization chart; legible labels: Compliance Officer, Electric Utility Director, Compliance Administrator.]

The NERC Compliance Administrator oversees the ICP and works directly with the Engineering and Operations Manager, who has the direct responsibility for performing reliability functions. The Compliance Administrator also reports to the Compliance Officer.

The NERC Compliance Director is responsible for performance of the NERC compliance program including CIP programs and assigns responsibility to address compliance concerns as well as monitoring the process to address those concerns.
They act as a business partner to the NERC Compliance Administrator. They also attend annual cross departmental team meetings to provide updates on compliance and standards developmental activities.

The NERC Compliance Officer, supported by the NERC Compliance Director and Subject Matter Experts (SMEs), shares the effort to ensure that all Reliability Standards, requirements, sub-requirements and the appropriate controls are clearly reflected in operational and business processes. SMEs work directly with the NERC Compliance Director and have direct responsibilities for performing reliability functions.
The NERC Compliance Administrator assists directly with the SMEs to provide compliance expertise. The NERC Compliance Officer is the Electric Utility Director.

7 Independent Access to Executives

The NERC Compliance Administrator monitors and reports the department's compliance status with the NERC and WECC Reliability Standards to the Compliance Officer and the ROC. The NERC Compliance Administrator has access to the Compliance Officer to provide input and ask questions regarding any concerns with the compliance program. The Compliance Officer has direct access to the City Manager and City Council.

8 Independent Management

It is crucial that the Compliance Administrator provide meaningful results and that no conflict of interest or other impairment exist, so that findings are unbiased. The Compliance Administrator is not responsible for the management of the work groups responsible for compliance.

9 Resources

The EU is dedicated to making the best use of all appropriate resources from PG&E, WECC, NERC, FERC and others as part of the compliance program effort. The Compliance Officer is committed to use any and all of its resources to improve its robust, rigorous, and transparent NERC compliance program supported by the ICP. The City Council has approved sufficient funding for the administration of the ICP. The requirements of this compliance program are budgeted and fully staffed on a year-round basis.

10 Performance Targets

The EU promotes compliance by identifying measurable performance targets.
Key performance indicators help the EU understand performance in relation to strategic goals and objectives. The following key performance indicators are the 2013 year's NERC/WECC compliance goals:

• Regulatory Requirements - tracked and current. The EU maintains a list of regulatory requirements that are applicable to the City and updates this list as the regulations change. Any significant changes to the list are forwarded to the applicable supervisor for inclusion in annual training and/or email notifications if necessary.
• Recommended improvements are acted on. Following a mock audit or through other means, the EU considers and acts on recommendations for improvement within ninety (90) days of any accepted recommendations.
• Mitigation plans are timely. The EU determines appropriate mitigation plans for applicable violations. The EU has a goal to submit all mitigation plans within thirty (30) days of submitting a Self-Report of a potential violation.
• Operates with no NERC regulatory violations. The EU strives for full compliance with no violations occurring. If a possible violation is discovered, the EU has established a goal to submit all possible violations to NERC/WECC within thirty (30) days of discovery.
• Respond to all NERC Alerts timely. The EU reviews, determines response and logs all NERC Alerts. The EU will take timely action on alerts that are determined to require a response by the City.
• Provide timely training.

11 Compliance Training

The City continually develops processes, procedures, and controls to help prevent the occurrence of regulatory violations.
In addition, it encourages staff to participate in compliance related training and educational opportunities.

• New Orientation: All new employees, including affected contractors and vendors, are sufficiently trained to perform compliance related activity prior to performing any compliance related duties. This training incorporates basic elements pertaining to NERC compliance and the EU's Internal Compliance Program.
• Annual Training: Annual training is provided to all applicable employees as described in the table below. Documentation of the training (sign-in sheets, training materials, completion certificates, and other reference materials) will be maintained in the Training log for each employee. Controls are in place to automate reminders for upcoming training refreshers by employee.

Overview Awareness
Training description: This training provides general information on NERC, FERC, and WECC requirements, recent and expected changes, and internal compliance program changes.
Applicability: EU employees and long-term contractors who are responsible for NERC Compliance or could be an interface to NERC or WECC.

Sabotage Recognition and Incident Response
Training description: This training describes methodologies for identifying sabotage, responding to sabotage, and maintaining records. It supports the Sabotage Recognition and Incident Response procedure.
Applicability: All EU employees and long-term contractors. Note: Any EU employee or long-term contractor who does not receive this training shall be made aware of trained employees that can be contacted in order to report a potential sabotage event.

Event Analysis
Training description: This training describes the analysis, actions, and reporting requirements for all events. The training describes Bulk Electric System Disturbances, Protection System Misoperations, and Vegetation interruptions.
Applicability: SMEs responsible for maintenance and incident reporting.

Communication and Emergency Response
Training description: This training describes required protocol for verbal communications when receiving directives or when providing emergency assistance.
Applicability: SMEs responsible for receiving verbal communications from the Transmission Operator, Balancing Authority, or Reliability Coordinator.

• Training Comprehension: As part of each training, the EU conducts comprehension tests to ensure that trainings are effective. Additionally, the NERC Compliance Administrator annually reviews the trainings to ensure that proper information is included within the individual training programs.

12 Outreach

The EU's outreach focuses on a commitment to improve reliability. The City maintains a good relationship with PG&E, WECC, NERC, and FERC by promoting meaningful training/education opportunities, and providing compliance assistance. The following describes the methods for meeting the outreach program:

• Communications — Operations staff are trained annually on NERC related activities in order to promote continual awareness of the importance of compliance with regulatory requirements. The Electric Utility Director, Engineering and Operations Manager and the NERC Compliance Administrator send out compliance emails with compliance updates, compliance clarifications, and compliance notices, and provide periodic City Council reports. The Internal Compliance Program is distributed to all employees at least annually and is available on the City's SharePoint site.
• Training and Education — Training is provided as described in Section 11.
• NERC Alerts — NERC Alerts are communicated to all appropriate staff.
• Participation in the Standards, Policy, and WECC Criteria Development Drafting Process — The City is committed to improving reliability of the electric system.
We participate in the drafting process of Standards, policies and WECC Criteria by providing comments, assisting drafting teams, and voting.
• Users Groups/Conferences/Webinars — The NERC Compliance Administrator and other City staff attend and participate in regional and national events, conferences, and trainings to help ensure the City maintains awareness of emerging or changing regulations and to learn and share best compliance practices. The City is able to stay up-to-date on new and pending developments as they relate to the Reliability Standards by attending industry related seminars, as well as regional sponsored training. Meeting topics are summarized and reviewed by the Electric Utility Director, Engineering and Operations Manager, Departmental Management, SMEs and other key individuals. Examples of such conferences, meetings, and trainings include:
  o WECC compliance user groups
  o WECC monthly call
  o Critical Infrastructure Protection ("CIP") Standards user groups
  o Western Interconnection Compliance Forum (WICF) meetings
  o NERC and FERC Sponsored Conferences and Training Programs
  o Rule Making Proceedings
  o Committees and Work Groups

The City employs the NERC Compliance Administrator to monitor WECC, NERC, and FERC committee activities as well as various standards drafting committees. The City assigns SMEs to provide input to various standards drafting committees through the NERC Compliance Administrator. Any personnel involved in these activities provide information to the appropriate NERC Compliance Administrator and the NERC Compliance Director. Once aware of a new or changing regulatory requirement, the NERC Compliance Director coordinates with the affected personnel to ensure that: 1) the new regulatory requirements are understood and 2) processes and procedures are developed to help ensure compliance with the requirements.
13 Employee Incentives

13.1 Incentives

Employee incentives related to the ICP may include, but are not limited to, any of the following:
• Certificate of acknowledgement
• Gift Certificate

14 Procedures and Other Documents

The City maintains the following compliance related procedures that are available to all staff at https://lodieud.sharepoint.com:
• Communication and Emergency Response
• Event Analysis
• Facility Coordination
• Model Data Submittal
• Protection System Testing Maintenance and Validation
• Risk Based Assessment Methodology
• Sabotage Recognition and Reporting
• NERC Alert Response Instruction Guide
• Under Frequency Load Shedding Program Validation
• Updating the FERC Approved Reliability Standards List

The following compliance related reporting forms, lists, documents, and logs are available on https://lodieud.sharepoint.com:
• Risk Management and Compliance Program
  o Attachment B: ICP
• FERC Approved Standards
• Risk Based Assessment Methodology Form
• Processes
• Evidence Documents
• Compliance Task
• Training Log
• Call Log
• Substation Maintenance Log
• Sabotage Reporting Log
• UFLS Validation Form
• Misoperation Log
• Data Submittal Communications
• Facility Modifications Documents

15 Controls and Program Monitoring

The electric department continuously manages regulatory compliance risk through (1) monitoring programs and continuously updating policies and procedures, (2) annual self-assessments and audits, and (3) Internal Controls including hard and soft controls. Hard controls include automated due date calendar reminders and forms with mandatory fields for collecting evidence. These hard and soft controls are part of a control environment that will help prevent the occurrence and, especially, the reoccurrence of violations.
15.1 Compliance Monitoring

The NERC Compliance Administrator, who may be a contracted consultant, will monitor industry changes that impact the Program. The EU has documented processes that address each regulatory requirement. The process statements, policies, procedures, and on-line forms are regularly modified when impacted by industry changes or identified internal opportunities for efficiency and effectiveness. Controls are identified and documented for each regulatory standard in the online compliance tool used to control the program. In addition, the City encourages its staff to participate in training and educational opportunities.

Each NERC and WECC Reliability Standard applicable to the City will be monitored on an ongoing basis. This monitoring process includes maintaining a thorough knowledge of standard requirements, performing periodic reviews to confirm compliance, performing an annual internal audit (self-audit), and informing management of any instances of potential non-compliance. The City will consider or implement changes based on recommendations that come out of this monitoring process.

15.2 Self-Audit

An annual formal internal compliance self-audit is conducted for compliance with all applicable Reliability Standards. The following areas of concern are addressed in the self-audit:

1. The NERC Compliance Administrator takes the role of the enforcement official and conducts the level of investigation that is anticipated from the regulator.
2. The self-audit is conducted at least annually. Audit results are reported and reviewed internally after each self-audit. Reports are retained in the SharePoint site with the Self-Certification program.
3. Spot checks are performed prior to each self-certification. A self-report is provided to the Compliance Officer with a recommendation for approval.
4. A self-audit allows the City to find potential red-flag issues and allows time to understand the issue prior to review with the regulator.
5. The self-audit provides a focus on areas of high risk.
6. Prompt self-reporting is initiated. Self-reporting may result in lower fines and indicate a mature compliance program that could mitigate future penalties.

All audits are shared with the applicable City staff and any other staff requesting it. Areas identified as high risk through the risk assessment may undergo a self-audit procedure on a more frequent basis.

15.3 Hard Controls

Hard controls include mandatory fields used to collect maintenance information, automatic reminders, automatic escalation reminders, self-reviews, and NERC Compliance Administrator reviews. Automated controls are in place to ensure completeness and timeliness.
SharePoint logs have required fields to ensure completeness. To help ensure that compliance -related deadlines and deliverables are met on a proactive basis, the City utilizes automated reminders also, associated with Microsoft Outlook. Through the use of this system, tasks and related deadlines are created for specific deliverables and assigned to a responsible party. The Compliance Administrator is able to monitor task status and take action, if needed. Examples of hard coded controls include: Protection System Electric Utility — NERC / WECC LODI Compliance Program Version Revised Amended 3.0 July 2016 Model Data July 20, 2016 15.3 Hard Controls Hard controls include mandatory fields used to collect maintenance information, automatic reminders, automatic escalation reminders, self -reviews, and NERC Compliance Administrator reviews. Automated controls are in place to ensure completeness and timeliness. SharePoint logs have required fields to ensure completeness. To help ensure that compliance -related deadlines and deliverables are met on a proactive basis, the City utilizes automated reminders also, associated with Microsoft Outlook. Through the use of this system, tasks and related deadlines are created for specific deliverables and assigned to a responsible party. The Compliance Administrator is able to monitor task status and take action, if needed. Examples of hard coded controls include: Protection System To ensure completeness, the maintenance system forms have Maintenance required fields that do not allow the maintenance personnel to Tracking System submit the form until complete. To ensure timeliness, workflows send reminder messages to maintenance staff and escalation messages to management. Model Data To ensure timeliness, workflows send reminder messages to Submittals maintenance staff and escalation messages to management, Event Analysis All events are logged. 
To ensure proper reporting, controls are in place to identify when an under frequency load shedding (UFLS) event, equipment misoperation, or a Bulk Electric System Disturbance occurs. The controls provide instructions for proper reporting. Automatic email reporting is sent. To ensure timely reporting, controls are in place to send reminders for timely investigation and reporting of UFLS Events, misoperation, and Bulk Electric System Disturbances.
Procedure Approvals: To ensure timely review and approval, controls are in place to ensure reminders are sent. Reminders are escalated if reviews and approvals are not timely.
Training: To ensure timely reporting, controls are in place to monitor training and retraining dates, as well as to send reminders and escalation reminders.
Critical Infrastructure Protection Review: To ensure timely review, controls are in place to send automatic reminders when the review of the City's electric assets is due.

16 Self-Reporting

16.1 Discovery of Potential Regulatory Violations — Review Process

The City is committed to continuous improvement in order to design the ICP to prevent non-compliant activities from occurring or to detect non-compliance immediately. To ensure that potential violations are detected, mitigated, and reported in a timely manner, the City has implemented the following measures:

• Periodic review of the ICP Detecting and Mitigating Potential Violations
• Periodic Compliance Reviews
• City Personnel
• Annual Internal Audits

16.2 Responding to and Reporting Potential Violations

Once potential non-compliance is discovered, the issue is reviewed and investigated with the assistance of applicable parties and a final determination as to whether a violation exists is made by the ROC. Once determined, appropriate action is taken, including self-reporting or other remedial actions.
The City's process for responding to, investigating and reporting potential violations includes the following steps:

1. Potential violations of regulatory requirements are communicated and discussed with the Compliance Officer and the NERC Compliance Director.
2. The NERC Compliance Director and the NERC Compliance Administrator lead an investigation with the SMEs and owners. The NERC Compliance Administrator will provide a report to the Compliance Officer with recommendations.
3. The Compliance Officer will submit the report to the ROC for determining if a violation has occurred and requires self-reporting to the applicable regulatory agencies.
4. For instances where the NERC Compliance Administrator and NERC Compliance Director believe a potential violation exists or where process enhancements are needed, the office leads the investigation to (1) document a description of the potential violation, (2) determine the root cause, (3) determine steps being taken to prevent similar incidents from reoccurring, and (4) document a mitigation plan.
5. The NERC Compliance Administrator initiates the reporting of the potential violation to the applicable regulatory agencies, as necessary. The Self-Report form can be found on the WECC Compliance Web Portal at: https://portal.wecc.biz and is reported through WebCDMS. The submitted self-report and mitigation plan are also stored on the compliance system for internal tracking.
6. It is the WECC compliance staff's obligation to submit all alleged non-compliance information to NERC in accordance with the NERC Compliance Monitoring and Enforcement Program (CMEP) and WECC internal enforcement guidelines.

17 Remediating and Preventing Repeat Violations

To ensure that violations are remediated and prevented from recurring, the City EU implements the following measures:

1. The risk assessment is updated and reviewed to determine any other potential risks associated with the identified activity.
2. All related processes, procedures, controls, and training programs are reviewed to ensure clarity. Updates to the ICP are provided where necessary.
3. The mitigation plan is logged, tracked and verified to ensure remediation items are completed timely.
4. The NERC Compliance Administrator will provide additional data or information requested by the regulatory authority and will provide timely updates on the status of the remediation plan to the regulatory authority (WECC, NERC, or FERC).

18 Self-Certification

1. WECC will post Self-Certification or periodic data collection forms on the OATI WECC webCDMS at least sixty (60) days prior to the submittal period, but the City cannot submit forms until the submittal period has begun. Section 6 of the WECC Web Portal User Guide provides information concerning the Self-Certification submittal process.
2. The NERC Compliance Administrator will perform a formal review of all actively monitored Standards prior to each annual self-certification to ensure compliance. A formal report will be provided to the Compliance Officer for review and approval.
3. During the annual self-certification time line and after receiving approval from the Compliance Officer, the NERC Compliance Administrator will self-certify compliance with the Reliability Standards.
4. WECC will accept Self-Certification forms only during the submittal period. Failure to submit the forms prior to the end of the submittal period will result in non-compliance. The WECC Compliance Staff are to review Self-Certification submittals to determine acceptability, and may request additional information if necessary.
5. Semi-annual Self-Certifications are required for the CIP-002 through CIP-009 NERC Reliability Standards, and are not part of the annual Self-Certification process for all other Reliability Standards.
Semi-annual Self-Certification forms will be posted on the WECC Compliance Web Portal at least thirty (30) days prior to the submittal period. Semi-annual Self-Certifications must be received by WECC from the City on January 15th and July 15th according to the CIP implementation schedule. The "Guidance for Enforcement of CIP Standards" document can be found on the NERC Website at: http://www.nerc.com/files/Guidance_on_CIP_Standards.pdf. The "(Revised) Implementation Plan for Cyber Security Standards for CIP-002-1 — CIP-009-1" can also be found on the NERC Website at: http://www.nerc.com/fileUploads/File/Standards/Revised_Implementation_Plan_CIP-002-009.pdf.

19 Document Retention Policy

Unless otherwise specified, all major revisions of this ICP and evidence demonstrating implementation of the ICP should be maintained for six (6) years or for one (1) year after a NERC/WECC off-site audit, whichever is greater. The maximum required data retention period is seven (7) years. Requests by WECC or NERC for such documentation will be provided within thirty (30) calendar days.

20 Storage

All documents are stored in the compliance system at https://lodieud.sharepoint.com.

21 Compliance System

The compliance system is used to monitor and track the NERC Compliance Program and for tracking the ICP and evidence that it is implemented. Instructions to access this information are as follows.

1. Log on to the compliance system at: https://lodieud.sharepoint.com. Enter your user name and password. Contact the Engineering and Operations Manager if you do not have access.
2. Select Internal Compliance Program.
[Screenshot: City of Lodi Electric Utility Department Compliance Program team site]
3. Add additional information to the ICP evidence files by clicking the "new document" link and then choosing "Upload Existing File."

22 References

FERC Revised Policy Statement on Enforcement (May 15, 2008)
NERC Compliance Monitoring and Enforcement Program, WECC (2010)
WECC CMEP — Self-Reporting Form (April 13, 2009, Version 1)
WECC Internal Compliance Program Self-Assessment and Survey Update (Feb. 9, 2011)

23 Internal Compliance Program Review

The ICP is reviewed on an annual basis. However, more frequent reviews may be conducted following any possible instances of noncompliance. Appropriate adjustments to the ICP will be made in order to prevent recurrence of possible violations.

24 Responsible Senior Manager or Delegate

This NERC/WECC Internal Compliance Program is approved by the Risk Oversight Committee prior to approval by the NERC Compliance Officer. Major modifications are approved by City Council resolution.

1. I, Elizabeth Kirkley, Electric Utility Director, serving as the Compliance Officer certify that I have read and am familiar with the contents of the ICP and any related documents submitted herein.
2. I understand that based on the answers herein, WECC may request more information specific to the City of Lodi's ICP.
3. To the best of my knowledge, the information provided in this document is correct.

Elizabeth A. Kirkley
Electric Utility Director
Revision 3.0

25 Revision History

Version | Author | Description of Changes | Date
1.0 | MJCooper | First version | 11/28/2011
2.0 | MJCooper | Revised to identify personnel changes within the compliance program. Other grammatical corrections are made. Attachment B suspended effective February 10, 2014. | October 1, 2014
3.0 | EAKirkley | Revised to identify personnel changes within the compliance program. Other grammatical and formatting corrections are made. Added NCPA Non-disclosure Agreement requirement for ROC members. Non-substantial edits for consistency and clarification. | July 20, 2016