Agenda Report - October 1, 2014 C-17

AGENDA ITEM C-17
CITY OF LODI
COUNCIL COMMUNICATION

AGENDA TITLE: Adopt Resolution Rescinding Resolution No. 2012-34 and Adopt Resolution to Approve Version 3.0 of City of Lodi Risk Management and Compliance Program for the Electric Utility

MEETING DATE: October 1, 2014

PREPARED BY: Electric Utility Director

RECOMMENDED ACTION: Adopt a resolution rescinding Resolution No. 2012-34 and adopt a resolution to approve Version 3.0 of the City of Lodi Risk Management and Compliance Program for the Electric Utility.

BACKGROUND INFORMATION: The City Council established a Risk Oversight Committee (ROC) on January 18, 2006 to ensure compliance with the City's energy risk management policies. In 2007, requirements imposed on Lodi's Electric Utility (LEU) by the North American Electric Reliability Corporation (NERC) and the Western Electricity Coordinating Council (WECC) also required an internal compliance program to ensure compliance with NERC reliability standards. As a result, the ROC's responsibilities expanded, resulting in an all-encompassing "City of Lodi Risk Management and Compliance Program" (RMCP), which was approved by the City Council on April 4, 2012.

As electric utility industry requirements change, the RMCP requires revision and changes are brought before the ROC for consideration. The most recent change was the de-activation of LEU's reliability registration with WECC for NERC reliability standards, resulting in the suspension of Attachment B in the RMCP. In addition, non-substantial changes have been made to reflect current staffing levels as well as improve consistency and flow throughout the document.

On June 11, 2014 the ROC discussed changes to the RMCP and provided comments to LEU. Staff recommends rescinding Resolution No. 2012-34 and adopting the attached resolution to approve Version 3.0 of the RMCP.

FISCAL IMPACT: Not applicable

FUNDING AVAILABLE: Not applicable

Electric Utility Director

APPROVED: City Manager

City of Lodi
Risk Management And Compliance Program
Version 2.0
Revised July 2014
Amended October 1, 2014

Table of Contents

1 Mission Statement/Statement of Commitment
2 Goal
3 Organizational Structure and Chart
4 Leadership Support
5 Lessons Learned
6 Compliance Communications Protection for Whistleblowers
7 Employee Incentives
8 Compliance Enforcement
9 Resources
10 Compliance Communications

Attachment A
1 Purpose
2 Scope
3 Energy Risk Management Policies (“ERMP”)
4 Scope of the ERMP
  4.1 ERMP Objectives
  4.2 ERMP Implementation Process
  4.3 Risk Inventory
5 Transaction Limits and Controls
  5.1 Regulatory Compliance
  5.2 Indirect Purchases (NCPA)
  5.3 Direct Purchases
  5.4 All Purchases:
  5.5 Prohibited and Authorized Transaction Types
6 ROC Reports
  6.1 ROC reports include but are not limited to:
7 Program Review/Evaluation/Modification/Distribution

Attachment B
1 Background
2 NERC/WECC Compliance Program Structure
3 Requirements Identification
4 NERC/WECC Standards Requirements - tracked and current.
5 Risk Assessment
6 NERC/WECC Compliance Program Oversight
7 Independent Access to Executives
8 Independent Management
9 Resources
10 Performance Targets
11 Compliance Training
12 Outreach
13 Employee Incentives
  13.1 Incentives
14 Procedures and Other Documents
15 Controls and Program Monitoring
  15.1 Compliance Monitoring
  15.2 Self-Audit
  15.3 Hard Controls
16 Self-Reporting
  16.1 Discovery of Potential Regulatory Violations – Review Process
  16.2 Responding to and Reporting Potential Violations
17 Remediating and Preventing Repeat Violations
18 Self-Certification
19 Document Retention Policy
20 Storage
21 Compliance System
22 References
23 Internal Compliance Program Review
24 Responsible Senior Manager or Delegate
25 Revision History

1 Mission Statement/Statement of Commitment

The City’s compliance mission is to create a superior and effective program to manage risk and compliance which implements best electric utility practices and encourages a culture of compliance and control throughout the EUD.
The City implements all opportunities to build compliance and controls into every business practice and to continuously improve its program to be robust, rigorous and transparent.

The City is committed to complying with all applicable laws and regulations. In addition, the City is committed to prudent risk management and compliance awareness and continuous improvement of processes and procedures. This commitment allows the City to develop and maintain an organizational culture that supports staff in meeting these concerns through education/training, ethical conduct, decision making, and a culture of transparency.

2 Goal

The goal of the Energy Risk Management and Internal Compliance Program (“the Programs”) contained herein is to create a culture of compliance and control within daily activities that is characterized by clear communication, consistent documentation and implementation of the following practices:

Step  Description
1.  Creating a culture of accountability.
2.  Adopting reporting procedures to party’s manager, the Risk Oversight Committee (ROC) and the City Council.
3.  Identifying and communicating specific concerns and opportunities for improvement.
4.  Reviewing and developing goals that ensure a strong corporate commitment to compliance and control.
5.  Creating awareness through regular training and other communications.
6.  Assessing the Programs for adequacy and providing recommendations to address planning, auditing and budgeting issues.
7.  Identifying and assigning responsibilities to the key individuals, as appropriate, who are accountable for applicable portions of the Programs.
8.  Providing a documentation framework that supports compliance, and includes clear processes, policies, and procedures.
9.  Creating a culture of continuous improvement through regular assessments and corrections. These assessments may be self-assessments, internal audits, and independent third-party assessments.
10. Adhering to approved regulatory requirements.
11. Cooperating with regulatory agencies.
12. Promptly assessing and reporting of potential violations to regulatory agencies, if required.

3 Organizational Structure and Chart

The Programs are overseen by the Risk Oversight Committee (ROC), which is comprised of the City Council member who serves as a Northern California Power Agency (NCPA) commissioner or alternate, the City Manager, Deputy City Manager, City Attorney and the Electric Utility Director; or in the case of their absence, their designees. The City Manager shall appoint the chair of the ROC. Additional non-voting members may be invited to participate on the ROC based on supporting expertise required by the ROC. The ROC shall meet every three (3) to six (6) months, or as otherwise called to order by the City Manager or City Council or a ROC member. The ROC shall keep minutes of all meetings and business transacted and shall appoint one of its members, or that member’s designee, to perform this task.
A quorum for the ROC to do business shall consist of all members, or their designees. The ROC shall request attendance at its meetings by, and/or reports from, other persons as appropriate.

[Organizational chart: City Council; City Manager; Risk Oversight Committee; Compliance Officer / Electric Utility Director; City Attorney; Deputy City Manager]

City Council

The City Council is responsible for making high-level, broad policy and strategy decisions as contained in this document. The City Council sets the policy, adopts the Programs as developed and recommended by the ROC, and delegates the City Manager to execute them. The City Council will review the Programs every year. Additionally, the City Council will receive reports every three (3) to six (6) months from the City Manager regarding risk management activities. The City Council reviews the Program updates on a regular basis and provides direction and additional support, as needed.

Risk Oversight Committee

The ROC shall have the responsibility for ensuring that business is conducted in accordance with the Energy Risk Management Policies (ERMP) in Attachment A, Energy Risk Management Policies (“ERMP”). The ROC shall adopt and bring current risk management business practices, defining in detail the internal controls, strategies and processes for managing risks associated with the adoption of those business practices, including but not limited to a Laddering Strategy.
As used herein the term Laddering Strategy shall mean an objective and graduated program to secure varying percentages of the City’s projected future power needs at any given point in time. Determination of regulatory non-compliance and direction to self-report such non-compliant activities shall be made by the ROC. The ROC shall recommend to the City Council the categories of transactions permitted and set risk limits for those transactions.

City Manager

The City Manager has overall responsibility for executing and ensuring compliance with policies adopted by the City Council. The City Manager shall make regular reports to the City Council every three (3) to six (6) months regarding business transacted by the ROC at such intervals and/or upon such occasions as the City Council shall direct. Reports shall be provided at least every three (3) to six (6) months to the City Council regarding energy risk management activities.

Electric Utility Director - Compliance Officer

The Electric Utility Director is the utility’s Executive Officer, acts as the Compliance Officer for the EU, and is a voting member of the ROC. The Electric Utility Director has access to the City Council through the City Manager. This ensures communication of compliance concerns to the highest levels within the organization. Records of communication and reporting between the City Council and the City Manager are stored as required by the City’s Records Management Program.

Electric Utility Department

The EU shall participate on the ROC through the Electric Utility Director. The Electric Utility Director shall provide load forecast information and coordinate the receipt and dissemination of relevant market and transactional information undertaken on the City’s behalf through NCPA.

Finance Department

The Finance Department shall participate on the ROC through the Deputy City Manager and provide accounting and cash flow information to the ROC.

Legal Department

The Legal Department shall participate on the ROC through the City Attorney, provide legal advice and representation, and ensure that business is carried out in compliance with all applicable laws, regulations, executive orders, and court orders.

Specific responsibilities for some positions are further described in Attachment A.

4 Leadership Support

These Programs, as approved by the City Council, require the support and participation of all appropriate City staff. Senior management reviews related reports, participates in meetings, and communicates to employees about their commitment to compliance formally and informally. During ROC meetings, status updates are provided, any instances of potential non-compliance are discussed and support is provided. ROC meeting minutes and agendas are stored as required by the City’s Records Management Program.

5 Lessons Learned

Any lessons learned from audits, violations, other similar entity violations, or near misses are encouraged to be shared with all staff. Lessons learned are shared regularly with staff and in employee training programs.
This includes lessons learned provided by regulatory authorities, other industry members, and discovered within the City’s business practices.

6 Compliance Communications Protection for Whistleblowers

The City staff is encouraged to come forward with evidence to their manager that the City may be violating a law or regulation. Communication of potential violations plays a pivotal role in the detection, investigation, and prevention of violations. No employee will be subject to any type of retribution for speaking out on compliance issues of any type. The City staff, contractors, and the public are encouraged to report evidence of possible compliance violations, unethical business conduct, questionable operations, problems with compliance controls, reporting or auditing concerns, and violations of laws or regulations. The City will promptly investigate all complaints and attempt to maintain the whistleblower’s anonymity. Complaints may be made through the suggestion box, or to the employee’s supervisor, manager, or director.

7 Employee Incentives

Regulatory compliance is incorporated into applicable employee personal performance assessments. Employees are recognized by their management and among their peers for identifying opportunities for improving the Program.

8 Compliance Enforcement

Compliance exceptions are actions that violate the authority limits, requirements or directives set forth in the ERMP. All exceptions shall be reported to the ROC.
Willful violations of the ERMP and Internal Compliance Program (ICP) will be subject to review and may be cause for discipline or dismissal. Such disciplinary action may include written notices to the individual involved that a violation has been determined, demotion or re-assignment of the individual involved, suspension with or without pay or benefits, or dismissal. Violations may also constitute violations of law and may result in criminal penalties and civil liabilities for the offending covered party and the City.

9 Resources

The City is dedicated to making the best use of all appropriate resources from all applicable entities as part of these Programs. The City is committed to addressing all areas of high risk through the use of its own resources to improve its robust, rigorous, and transparent Program. The City Council has approved sufficient funding for the administration of the Program. The requirements of these Programs are budgeted and fully staffed on a year-round basis.

10 Compliance Communications

City employees have various means by which to report business conduct issues, including potential violations of regulatory requirements. Break room posters provide contact information. Additionally, the City’s Internal Compliance Program is distributed via email to all employees after completion of the annual review.

Attachment A
Energy Risk Management Policies

1 Purpose

The purpose of this Risk Management and Compliance Program (“Program”) is to foster a culture of compliance and control for the City of Lodi (“City”) Electric Utility (“EU”). The Program expects a high level of compliance with regulations, laws, and the City’s agreements, policies and procedures while managing risks on a routine basis. The Program is laid out to control EU’s activities so that controlling risk and compliance are part of the City’s culture.

2 Scope

This Program outlines the City’s internal control foundation, providing discipline and structure to guide compliance with regulations, laws, and the City’s agreements, procedures and policies. It includes a cross-section of knowledgeable and skilled employees who are responsible to oversee, communicate, track, document, and monitor compliance and risk management and share the results with management and the City Council. The Program applies to all the City’s employees, contractors, and vendor personnel responsible for complying with regulations and the City’s policies and procedures. It is made readily available to all employees.
3 Energy Risk Management Policies (“ERMP”)

The purpose of the Program and ERMP is to ensure that risks associated with the City’s bulk power procurement are properly identified, measured and controlled.

The ROC manages the ERMP. The ROC meets every three (3) to six (6) months, or as otherwise called to order by the City Manager or City Council. The ROC keeps minutes of all meetings and transacted business and appoints one of its members, or that member’s designee, to perform this task. A quorum for the ROC to do business consists of all members or their designees. The ROC requests attendance at its meetings by, and/or reports from, other persons as appropriate. The City Manager makes regular reports to the City Council regarding business transacted by the ROC at such intervals and/or upon such occasions as the City Council directs.

4 Scope of the ERMP

The ERMP are applied to all aspects of the City’s wholesale procurement and sales activities, long-term contracting associated with energy supplies, including generator fuel, capital projects and associated financing related to generation, transmission, transportation, storage, Renewable Energy Credits (“REC”), Green House Gas (“GHG”) offsets, Resource Adequacy (“RA”) capacity, ancillary services, and participation in Joint Powers Agencies (“JPA”), and regulatory compliance as set forth in Exhibit B to this policy.

This Program does not address the following types of general business risk, which are treated separately in other official policies, ordinances, and regulations of the City: fire, accident and casualty, health, safety, workers’ compensation, and other such typically insurable perils.

4.1 ERMP Objectives

1. Maintain a regularly updated inventory of risks that could impact rates and security of the City’s bulk power procurement program.
2. Establish risk metrics and reporting mechanisms that provide both quantitative and qualitative assessments of potential impacts to rate stability.
3. Adopt business practices that encourage compliance, development of appropriate levels of EU operating reserve funds, contribute to retail rate stability, and maintain appropriate security for established EU funds.
4. Minimize costs to maintain control of the City’s electric utility rates.

4.2 ERMP Strategies Implementation Process

1. Identify, measure, and control risks that could have an adverse effect on retail rate stability.
2. Assign risk management responsibilities to appropriately qualified individuals and committees for each of these risks.

4.3 Risk Inventory

The EU must inventory and address the following categories of risk as a component of the monitoring and reporting under the ERMP:

1. Price Risk
2. Volume Risk
3. Credit Risk
4. Operational Risk
5. Contingent Liabilities

Price Risk – Price risk is the risk associated with the change of power costs and can be segmented into two categories:

1. Wholesale prices may increase while positions are still open.
2. Wholesale prices may decrease after positions are closed.

Volume Risk – Volume risk is the risk that demand for power will either fall below or exceed the existing contracted power supplies.

Credit Risk – Credit risk is the risk associated with entering into any type of transaction with a counterparty, and can be segmented into the following five categories:

1. Counterparties fail to take delivery of, or pay for, energy sold to them.
2. Counterparties fail to deliver contracted for energy.
3. Counterparties refuse to extend credit or charge a premium for credit risks.
4. Counterparty transactions are too concentrated among a limited number of suppliers.
5. Inability to finance capital projects or meet financial obligations incurred in the course of wholesale operations.

Operational Risk – Operational risk consists of the risk to effectively planned, executed or controlled business activities, including the potential for:

1. Inadequate organizational infrastructure, i.e., the lack of sufficient authority to make and execute decisions, inadequate supervision, absence of internal checks and balances, incomplete and untimely planning, incomplete and untimely reporting, failure to separate incompatible functions, etc.
2. Absence, shortage or loss of key personnel.
3. Lack or failure of facilities, equipment, systems and tools such as computers, software, communications links, and data services.
4. Exposure to litigation, fines, or sanctions as a result of violating laws and regulations, not meeting contractual obligations, failure to address legal issues and/or receive competent legal advice, not drafting contracts effectively, etc. Exposure includes the fines and litigation associated with the Federal Energy Regulatory Commission (“FERC”), North American Electric Reliability Corporation (“NERC”) and/or Western Electricity Coordinating Council (“WECC”) and environmental compliance violations.
5. Errors or omissions in the conduct of business, including failure to execute transactions, violations of guidelines and directives, etc.

Contingent Liabilities – Contingent liabilities consist of liabilities that the City could incur in the event of the failure of other parties to discharge their obligations. At present, these consist of three principal categories:

1. Guarantees and step up provisions in the enabling agreements for the JPAs of which the City is a member.
2. Project closure, decommissioning, environmental remediation, and other obligations which result from the City’s own activities and from JPA projects and activities.
3. Provisions for take or pay, termination payments, and/or margin calls in the City’s long-term electric power supply agreements.

5 Transaction Limits and Controls

The EU utilizes transaction limits and controls to mitigate or prevent exposure to identified risks.

5.1 Regulatory Compliance

Regulatory compliance controls include both soft and hard controls.
Soft controls include self-audits, policies, and procedures. Hard controls include automated due date calendar reminders, forms with mandatory fields for collecting evidence, and self-assessments.

5.2 Indirect Purchases (NCPA)

The City Manager and the Electric Utility Director are severally authorized to enter contracts for the purchase through NCPA of electric energy, capacity, and generator fuel, transmission, transportation, storage, RECs, GHG offsets, RA capacity, and ancillary services to meet the City’s service obligations in amounts and for such quantities as are: 1) necessary to meet the minimum amounts called for in ROC’s Laddering Strategy; 2) consistent with this ERMP; and 3) approved by the ROC.

Purchases outside the authority granted above may be authorized by specific City Council resolution. The resolution may specify the limits of the authority delegated, including the maximum dollar amount of the authority and the duration of the contracts and/or transactions that may be executed.

In addition, for purchases through NCPA, counterparty credit limits and minimum counterparty rating criteria shall be described in NCPA’s then current “Energy Risk Management Policy”, which is made a part of this document by reference, and the most recent policy is attached hereto and may also be found at: http://www.ncpa.com/images/stories/Financials/policies/NCPA_Energy_Risk_Management_Policy_Version_1.3_Approved_06-16-2011.pdf. http://www.ncpa.com/financial-information/5.html.

Moreover, the City Manager and Electric Utility Director are authorized to purchase electric energy, capacity and fuel to meet the City’s share of amounts called for under NCPA’s then current Energy Risk Management Policy upon approval of the ROC. Material changes to NCPA’s Energy Risk Management Policy are reported to the City Council as part of the quarterly reporting under the City’s ERMP.

5.3 Direct Purchases

The City Manager and the Electric Utility Director are severally authorized to enter into contracts for the direct purchase of electric energy, capacity, generator fuel, transmission, transportation, storage, RECs, GHG offsets, RA capacity, and Ancillary Services to meet the City’s service obligations in amounts and for such quantities as are: 1) necessary to meet the minimum amounts called for in ROC’s Laddering Strategy; 2) consistent with this ERMP; and 3) approved by the ROC.

Purchases outside the authority granted above may be authorized by specific City Council resolution. The resolution may specify the limits of the authority delegated, including the maximum dollar amount of the authority and the duration of the contracts and/or transactions that may be executed.

For contracts executed directly by the City, the City uses standardized form contracts for such procurement, including, but not limited to form contracts created and copyrighted by the Edison Electric Institute, the Western States Power Pool, the California Department of General Services, and the North American Energy Standards Board, unless waived by resolution of the City Council.
Counterparties shall obtain and maintain during the terms of the contract, the minimum credit rating established as of the date of award of the contract of not less than a BBB- investment grade credit rating or its equivalent as established by the rating agencies, such as established by Standard and Poor’s, and a Baa3 credit rating established by Moody’s Investors Services, and/or Fitch, unless waived by resolution of the City Council.

5.4 All Purchases:

Any City Council resolution or ROC recommendation authorizing the City Manager or Electric Utility Director to contract for electricity shall specify generally at least the following terms and conditions and the description of energy and energy services to be procured, including, but not limited to: 1) a fixed or formula price; 2) energy and ancillary services to be included; 3) term, specifying a not-to-exceed period of time; 4) period of delivery denoted in years or months and whether deliveries are on-peak or off-peak; and 5) the point of delivery on the locus on the interstate transmission system on which the delivery is made.

Any City Council resolution or ROC recommendation authorizing the City Manager or Electric Utility Director to contract for generator fuel shall specify generally at least the following terms and conditions: 1) quantity and the description of fuel services to be procured, including but not limited to scheduled fuel and fuel transportation services, specifying a not-to-exceed period of time; 2) period of delivery denoted in years or months or years and months; and 3) point of delivery of the locus on the interstate transportation system at which the transfer of title is made.

All procurement of electricity and generator fuel by contract shall conform to the requirements of the ERMP.

5.5 Prohibited and Authorized Transaction Types

5.5.1 Prohibited Transaction Types:

Speculative buying and selling of energy products is prohibited. Speculation is defined as buying energy products that are not needed for meeting forecasted obligations, selling energy products that are not owned and/or selling energy products that are not surplus without simultaneously replacing that energy product at a lower cost. In no event shall transactions be entered into to speculate on the changes in market prices.

5.5.2 Authorized Transaction Types:

1. Purchase capacity, RECs or REC types, or energy to meet the City’s obligations above what is expected to be generated or purchased from owned generating facilities or contracts.
2. Sell existing capacity, RECs or REC types, or energy that is expected to be in excess of the City’s obligations.
3. Purchase generator fuel that is expected to be required to run the City’s share of owned generating facilities.
4. Sell surplus generator fuel if more economic energy is available for purchase, becomes surplus due to load being lower than previously forecasted, or due to increased energy due to hydrological conditions.
5. Execute financial transactions to fix the price of variable commodity purchases or sales.
6. Purchase simple call options or collars to limit price exposure on short generator fuel or electricity positions.
7. Sell simple call options or tolling agreements on the City’s share of generating facilities that are expected to be in excess of the City’s obligations.
8. Purchase or sell emission allowances, including GHG offsets, deemed necessary to comply with regulations for the City’s share of generating facilities.
9. Purchase or sell firm transmission rights or congestion revenue rights to manage congestion price risk.
10. Purchase or sell energy at the California Oregon Border and an offsetting sale/purchase of energy at North Path 15 (“NP15”) to take advantage of the City’s share of transmission capacity rights.
11. Simultaneously purchase generator fuel and sell energy when the transaction provides the City a financial advantage. A purchase of generator fuel and a sale of energy to take advantage of excess owned generating facilities.
12. Sell generator fuel and purchase energy to take advantage of market heat rate.
13. Exercise costless collars.

10 Resources

The City is dedicated to making the best use of all appropriate resources from all applicable entities as part of the Program. The City is committed to addressing all areas of high risk through the use of its own resources to improve its robust, rigorous, and transparent Program. The City Council has approved sufficient funding for the administration of the Program. The requirements of this Program are budgeted and fully staffed on a year-round basis.

11 Employee Incentives

11.1 Personal Performance

Regulatory compliance is incorporated into applicable employee personal performance assessments. Employees are recognized by their management and among their peers for identifying opportunities for improving the Program.

12 Compliance Enforcement

Compliance exceptions are actions that violate the authority limits, requirements or directives set forth in the ERMP. All exceptions shall be reported immediately to the ROC and quarterly to the City Council in the quarterly exception report. Willful violations of the ERMP will be subject to review and may be cause for discipline or dismissal. Such disciplinary action may include written notices to the individual involved that a violation has been determined, demotion or re-assignment of the individual involved and suspension with or without pay or benefits. Violations may also constitute violations of law and may result in criminal penalties and civil liabilities for the offending covered party and the City.

6 ROC Reports include but are not limited to:

1. Load and resource balances as forecast and adopted in the current operating year’s budget (including regulatory, state and federally mandated resource balances).
2. Load and resource balances as adjusted due to operating conditions or purchases occurring during the quarter.
3. An assessment of market exposure.
4. An assessment of the quarterly change in power supply cost from budget.
5. Credit exposure by counterparty.
6. A summary of any purchases made during the quarter.
7. An assessment of any counterparty credit problems.
8. NERC/WECC Compliance program status.

Other reports are provided to the City Council on request.

13 Compliance Communications

Company employees have various means by which to report business conduct issues, including potential violations of regulatory requirements. Break room posters provide contact information. Additionally, the City’s Internal Compliance Program is distributed via email to all employees after completion of the annual review.

14 Lessons Learned

Any lessons learned from audits, violations, other similar entity violations, or near misses are encouraged to be shared with all staff. Lessons learned are shared regularly with staff and in employee training programs. This includes lessons learned provided by regulatory authorities, other industry members, and discovered within the City’s business practices.

14.1 Compliance Communications Protection for Whistleblowers

The City staff is encouraged to come forward with evidence to their manager that the City may be violating a law or regulation. Communication of potential violations plays a pivotal role in the detection, investigation, and prevention of violations. No employee will receive any type of retribution for speaking out on compliance issues of any type.

The City staff, contractors, and the public are encouraged to report evidence of possible compliance violations, unethical business conduct, questionable operations, problems with compliance controls, reporting or auditing concerns, and violations of laws or regulations. The City will promptly investigate all complaints and attempt to maintain the whistleblower’s anonymity. Complaints may be made through the suggestion box, to the employee’s supervisor, to the employee’s manager, or director.
The City employs a hotline that allows for anonymous reporting.

7 Program Review/Evaluation/Modification/Distribution

The review of the ERMP is designed to: 1) ensure that reporting parties report to their supervisors; 2) ensure that the Electric Utility Director promotes, maintains, and monitors compliance; 3) discuss the effectiveness of the Program; and 4) evaluate alignment of the Program with the City’s organization.

Interim to the annual review, the Program will be reviewed and modified as necessary if:

1. An event analysis determines that a modification to this program would be beneficial.
2. The City experiences a regulation violation.
3. Lessons learned or changes have been identified in best practices.
4. Any significant changes to the Program are approved by the City Council. Minor changes are approved by the ROC.

New revisions of the Program are distributed to all parties involved and comments are solicited from the ROC. The City employees are informed of new significant revisions, including contractors and vendors as applicable, and they will all have access to the current Program.

Risk Management and Compliance Program - Responsibilities Version 2.0 Rev. Date: 7/8/2013 Document: Annual Approval: Attachment A Page 24 of 52

Attachment A
Risk Management and Compliance Program Responsibilities

1 Risk Oversight Committee

The ROC has the responsibility for the following:

1. Ensure that business is conducted in accordance with the Program and the ERMP.
2. Adopt and bring current risk management business practices, defining in detail the internal controls, strategies and processes for managing risks associated with the adoption of those business practices; including but not limited to a Laddering Strategy. As used herein, the term Laddering Strategy shall mean an objective and graduated method to secure varying percentages of the City’s projected power needs at least three years into the future at any given point in time. Recommend to the City Council the categories of transactions permitted and set risk limits for those transactions.
3. Regularly assess risk and monitor exposures.
4. Evaluate effectiveness of controls.
5. Determine if non-compliance has occurred and take proper actions.
6. Review and provide input to the NERC/WECC Compliance Program.
7. Address cross-functional planning, auditing and budgeting issues.
8. Notify the City Human Resources department and the Electric Utility Director of performance issues and individual actions pertaining to compliance with applicable laws and regulations.
9. Communicate Program updates/changes to all parties involved.
10. Manage compliance issues reported through the Internal Hotline.
11. Review status reports.
12. Provide status updates to the City Council.
13. Obtain City Council approval of Program modifications.

2 Electric Utility Director (NERC Compliance Officer)

1. Oversee the execution of the NERC Internal Compliance Program (ICP).
2. Serve as the Critical Infrastructure Standards (CIP) senior manager responsible for ensuring all CIP Standards (CIP-002 through CIP-009) are in compliance.
3. Approve all required procedures and assessments (i.e. critical infrastructure assessment, etc.).
4. Review status reports, industry updates, and compliance meeting notes (NERC, WECC, environmental).
5. Provide input to and approve the risk assessment and control plan.
6. Continually assess the effectiveness of the ICP.
7. Communicate operational and regulatory compliance issues to the ROC.
8. Prioritize and oversee corrective actions.
9. Make recommendations on any disciplinary action.
10. Identify Subject Matter Experts (“SME”) for various risk related projects, and assign responsibility and authority supported at the appropriate departmental level. Monitor compliance status by reviewing self-assessments and other reporting activities.
11. Manage and sign off on audits and the audit process, NERC self-certifications, and annual self-assessments.
12. Track, approve and oversee implementation of compliance mitigation plans to completion.
13. Create and manage NERC/WECC Reliability Standards working teams, as required.
14. Assign staff responsible for participating in and influencing the development and revision of NERC/WECC Reliability Standards.
15. Direct and review internal audits, self-assessments and third party assessments/audits and City Council reports.

3 Engineering and Operations Manager (NERC Compliance Director)

1. Report to the Electric Utility Director.
2. Act as business partner to NERC/WECC Compliance Administrator to ensure compliance and accurate reporting.
3. Provide regular compliance updates to the Electric Utility Director.
4. Along with the Compliance Administrator, act as the liaison between the California Independent System Operator (“CAISO”) and PG&E for NERC and WECC regulatory compliance reporting requirements. Ensure that no reliability obligation is missed or overlooked, identify the responsible entity and assign the SMEs for each requirement of the NERC and WECC reliability standards.
5. Along with the Compliance Administrator, consolidate documentation to ensure that the reliability obligation is met.
6. Review and monitor progress and status of action plans, milestones, and deadlines provided by the NERC/WECC Compliance Administrator or responsible department managers.
7. Implement compliance mitigation plans to completion and report the status to the Electric Utility Director.
8. Assess adequacy and make recommendations to the Electric Utility Director to address cross-functional planning, auditing and budgeting issues.
9. Review compliance meeting notes, status reports, and industry updates.
10. Manage City actions and documents for participating in and influencing the development and revision of NERC/WECC Reliability Standards.

4 As assigned or contracted (NERC Compliance Administrator)
1. Assigned by the Compliance Officer.
2. Serve as the NERC/WECC Reliability Standards SMEs.
3. Attend, as determined by the Engineering and Operations Manager, Federal Energy Regulatory Commission (“FERC”), NERC and WECC conferences and workshops associated with Reliability Standards and prepare meeting notes for City review.
4. Share best practices with the Engineering and Operations Manager and Electric Utility Director to improve process efficiencies and effectiveness.
5. Monitor pending and approved changes to the NERC/WECC Reliability Standards and report those changes to the Engineering and Operations Manager.
6. Coordinate NERC/WECC Standards Authorization Request comments and seek the SMEs, Engineering and Operations Manager, and Electric Utility Director reviews and approvals prior to submitting.
7. Notify the SMEs of changes or additional information related to Standards in their areas of responsibility.
8. Develop and maintain a consistent framework for compliance to NERC/WECC Standards and ensure compliance processes are maintained.
9. Provide NERC/WECC compliance related internal training and awareness programs throughout the organization and notifications of external training opportunities related to Reliability Standards. Develop and provide notes to the Engineering and Operations Manager.
10. Develop and provide SMEs training for NERC/WECC standard compliance.
11. Assist with the evaluation of NERC Compliance risks and recommend controls.
12. Verify sufficient processes are in place to ensure NERC/WECC compliance with applicable Reliability Standards.
13. Coordinate and assist with the development and revisions to NERC/WECC compliance policies, processes, and procedures.
14. Recommend and assist oversight of NERC and regional Compliance Working Groups where cross-functional cooperation is required.
15. Monitor to assure NERC/WECC related policies, processes, and procedures for all applicable Reliability Standards are reviewed and updated in a timely manner.
16. Prepare the City for NERC/WECC audits and act as the lead contact for all NERC/WECC audits.
17. Monitor the status of SMEs, deadlines leading up to NERC/WECC self-certification, spot checks, audits and action plan milestone due dates and report the results to the Engineering and Operations Manager.
18. Immediately report NERC/WECC Standards vulnerabilities, potential non-compliance, or events approaching non-compliance to the Engineering and Operations Manager and the Risk Oversight Committee.
19. Assist the Engineering and Operations Manager and the Risk Oversight Committee to assess the root causes of potential NERC/WECC non-compliance activities and provide recommendations for addressing those causes.
20. Provide NERC/WECC self-reporting information to the Engineering and Operations Manager, Risk Oversight Committee, and WECC.
21. Develop and maintain a NERC/WECC incident response and reporting process.
22. Assist the Engineering and Operations Manager with implementing the NERC/WECC incident response and reporting process.
23. Perform, or cause to be performed, any actions related to mitigation plans submitted to WECC and provide sufficient documentation of mitigation actions to the Engineering and Operations Manager.
24. Track NERC/WECC compliance mitigation plans to completion.
25. Regularly report NERC/WECC compliance status to the Engineering and Operations Manager.
26. Monitor and administer the NERC Alert program.
27. Prepare quarterly NERC/WECC compliance status reports for the City Council that include updates on compliance and Standards development activities.
28. Monitor the implementation of the NERC/WECC Internal Compliance Program and report progress to the Engineering and Operations Manager.
29. Administer the centralized compliance management system for maintaining NERC/WECC compliance related information.

5 Subject Matter Experts (SMEs)
1. Understand NERC/WECC Reliability Standards applicable to them.
2. Assist the NERC/WECC Compliance Administrator with revising and updating compliance policies, processes, and procedures.
3. Attend all required compliance training.
4. Follow compliance policies, processes, and procedures.
5. Perform duties in a manner that complies with applicable regulations.
6. Monitor controls and perform and report self-audits of compliance activities.
7. Fully document all compliance activities.
8. Meet deadlines leading up to internal audits, self-certifications, spot checks, regulator audits, compliance activities, and action plans.
9. Cooperate with entities reviewing compliance records and documentation.
10. Immediately notify management of any potential non-compliant events.
11. Participate in work groups that review and comment on regulations or NERC/WECC standards relative to one’s technical expertise.
12. Cooperate with the Compliance Administrators and any authorized entities reviewing compliance and documentation, including providing access to documentation and evidence.

6 All Employees
1. Every employee at the City has an obligation and responsibility to help ensure that the City is complying with all applicable regulatory requirements. If any employee becomes aware of a potential compliance issue, the employee must notify a member of management immediately for further review.
2. Attend any annual (or more frequent) required training which includes regulatory compliance updates.

Electric Utility – NERC / WECC Internal Compliance Program Version 2.0 Revised July 2014 Amended October 1, 2014 Attachment B Page 30 of 52

Attachment B
Electric Utility NERC / WECC Internal Compliance Program

Attachment B is suspended effective February 10, 2014. On this date the City of Lodi was notified that WECC and NERC had accepted our request to deactivate our registration for Distribution Provider and Load Serving Entity and the City was removed from the NERC Compliance Registry.

A deactivation from the NERC Compliance Registry indicates that an entity is no longer subject to mandatory compliance with the applicable NERC Reliability Standards that have been approved by the FERC. Continued voluntary compliance with NERC Reliability Standards is considered good operating practice by the industry and is recommended by NERC.

NERC retains the right to register the City for any function at any time, in accordance with NERC’s Statement of Compliance Registry Criteria, as the criteria may be amended from time to time, if the facts and circumstances so warrant. Should NERC reactivate the City of Lodi’s registration, then the City shall reinstate Attachment B.

1 Background

The Federal Energy Policy Act of 2005 provides the FERC authority to approve and enforce rules and regulations to protect and improve the reliability of the nation’s bulk power system. Through this Act, all electric power entities that impact the Bulk Electric System must comply with FERC approved Regulatory Standards, and public utilities that sell electricity at market-based rates must comply with market rules of conduct and ongoing reporting and compliance requirements.

The NERC Statement of Compliance Registry criteria describe which entities are required to register with NERC and comply with the Regulatory Standards. For those entities, mandatory compliance with the first set of Regulatory Standards approved by FERC came into effect on June 18, 2007. The Statement of Compliance Registry requires, among other things, utilities to register into the program as a participant of the region’s Under Frequency Program. The City is registered as a Distribution Provider (DP) and Load Serving Entity (LSE) based on this sole criterion and does not meet any of the other registration criteria.

Under this statutory framework, standards are proposed by electric reliability organizations and approved by FERC. The NERC has been delegated authority as the electric reliability organization for the four interconnections in North America that include Quebec, Electric Reliability Council of Texas (“ERCOT”), Eastern, and Western interconnections. Within the NERC interconnection, NERC has further delegated regional reliability organization functionality to eight (8) regional entities. The City is located within the WECC region.

The City’s EU is required to comply with all FERC approved Reliability Standards applicable to its registered functions as a Load Serving Entity (“LSE”) and Distribution Provider (“DP”).
The EUD’s NERC Internal Compliance Program (ICP) is supported by the City’s Risk Management and Compliance Program (the Program). The ICP supports the four-pillars-of-compliance framework presented in the FERC’s October 2008 Policy Statement on Compliance:
• Role of senior management in fostering compliance;
• Effective preventive measures to ensure compliance;
• Prompt detection, cessation, and reporting of violations; and
• Remediation efforts

This ICP provides the framework to support compliance with the FERC reporting requirements and NERC and WECC Reliability Standards.

2 NERC/WECC Compliance Program Structure

The EUD’s ICP is a rigorous, established and formal program. The EU strives to achieve a high level of business and personal ethical standards, as well as compliance with the laws and regulations that apply to its business. The EU ICP is managed at a high level and programs and systems are in place to continuously monitor, evaluate, update, and implement the program.

To effectively and efficiently manage the compliance program, the EU has implemented a centralized compliance management system utilizing Microsoft SharePoint. Within the system, the EU has identified and documented all processes used to comply with each requirement. In order to continuously be audit ready, all processes, procedures, evidence, and supporting documentation have been identified and are continuously logged. Forms that incorporate controls to ensure completeness, accuracy and timeliness are used in the compliance system.
The NERC Compliance Administrator continuously monitors NERC and WECC for updates and guidance, including WECC Bulletins, NERC Compliance Application Notices, and best practice guidance documents. The ICP is continuously evaluated by the NERC Compliance Director and the NERC Compliance Administrator.

3 Requirements Identification

The City is registered with NERC as an LSE and DP. It is interconnected to the transmission system of PG&E, who is the Transmission Owner and Transmission Planner. The City is within the CAISO Balancing Authority and Planning Authority. PG&E and the CAISO share responsibilities through a Coordinated Function Registration Agreement as the Transmission Operator of the facilities that interconnect the City. The Regional Reliability Organization over the City is the WECC Regional Reliability Organization. The City develops its processes to comply with all agreements or related procedures of these organizations as they relate to compliance with the NERC Standards.

The NERC Standards Requirements that are applicable to the City are listed on the City compliance website under the “Standards and Processes - FERC Approved Standards” folder: https://lodieud.sharepoint.com/

4 NERC/WECC Standards Requirements - tracked and current.

The City maintains a list of applicable NERC/WECC Standard requirements and updates this list as the standards change. New updates to the list are tracked to ensure that all changes to the list are in compliance within 30 days of the requirement becoming effective. Any significant changes are automatically forwarded to the applicable supervisor for inclusion in annual training and/or email notifications if necessary.

The City’s NERC Compliance Administrator performs the process of updating all versions of the FERC Approved Reliability Standards as new Standards are revised. The procedure for this process is maintained by the NERC Compliance Administrator and is called “Updating the FERC Approved Reliability Standards List.”

5 Risk Assessment

A risk assessment is conducted annually to identify and quantify internal and external risks of non-compliance to the Regulatory Standards. The risk inventory is identified through employee surveys, past experience within the EUD, industry announcements and forums, and other agencies’ shared experiences. Resource decisions for addressing risks are determined based on the score. High risk items are added to the City’s overall risk inventory. The following describes the organization’s method for conducting a risk assessment.

Step: Method for Applying Risk Assessment
1. A NERC/WECC risk assessment is conducted annually or as-needed.
2. The electric department surveys its staff each year to identify areas for improvement in the procedures and processes. In addition, staff is encouraged to make suggestions to all policies, procedures and processes at any time during the year.
3. The NERC Compliance Director and the NERC Compliance Administrator conduct risk assessment meetings as necessary and maintain the minutes/agendas.
4. The following are identified as part of the risk assessment:
• Prior violations
• High violation risk factors
• Violation Severity Levels
• Periodic performance related Requirements that have a higher probability of occurrence.
• Weaknesses where additional self-audits or controls should be added
5. The Compliance Administrator calculates a risk score after applying the assessment and utilizes it to evaluate areas for additional controls. Several high risk processes have automated controls in place to ensure completeness, accuracy and timeliness.

6 NERC/WECC Compliance Program Oversight

The EUD’s ICP operates under the overall City Risk Management and Compliance Program, which is overseen by the ROC and is directed by the Compliance Officer.

[Organization chart: NERC/WECC Compliance Program Oversight Structure. Chart labels: City Council; City Manager; Risk Oversight Committee; Compliance Officer; Electric Utility Director; City Attorney; Deputy City Manager; NERC Compliance Director; Engineering and Operations Manager; Compliance Administrator]

The NERC Compliance Administrator oversees the ICP and works directly with the Engineering and Operations Manager, who has the direct responsibility for performing reliability functions. The Compliance Administrator also reports to the Compliance Officer.

The NERC Compliance Director is responsible for performance of the NERC compliance program including CIP programs and assigns responsibility to address compliance concerns as well as monitoring the process to address those concerns. They act as a business partner to the NERC Compliance Administrator.
They also attend annual cross departmental team meetings to provide updates on compliance and standards developmental activities.

The NERC Compliance Officer, supported by the NERC Compliance Director and Subject Matter Experts (SMEs), shares the effort to ensure that all Reliability Standards, requirements, sub-requirements and the appropriate controls are clearly reflected in operational and business processes.

SMEs work directly with the NERC Compliance Director and have direct responsibilities for performing reliability functions. The NERC Compliance Administrator assists directly with the SMEs to provide compliance expertise.

The NERC Compliance Officer is the Electric Utility Director, Elizabeth Kirkely.

7 Independent Access to Executives

The NERC Compliance Administrator monitors and reports the department’s compliance status with the NERC and WECC Reliability Standards to the Compliance Officer and the ROC. The NERC Compliance Administrator has access to the Compliance Officer to provide input and ask questions regarding any concerns with the compliance program. The Compliance Officer has direct access to the City Manager and City Council.

8 Independent Management

It is crucial that the Compliance Administrator provide meaningful results and that no conflict of interest or other impairment exist that would prevent unbiased findings. The Compliance Administrator is not responsible for the management of the work groups responsible for compliance.

9 Resources

The EU is dedicated to making the best use of all appropriate resources from PG&E, WECC, NERC, FERC and others as part of the compliance program effort. The Compliance Officer is committed to use any and all of its resources to improve its robust, rigorous, and transparent NERC compliance program supported by the ICP. The City Council has approved sufficient funding for the administration of the ICP. The requirements of this compliance program are budgeted and fully staffed on a year-round basis.
Leadership Support

The ICP is supported at the highest level. Meetings are held at least quarterly with City management and the City Council to ensure that compliance related objectives are being met and any possible compliance issues are properly resolved.

10 Performance Targets

The EU promotes compliance by identifying measurable performance targets. Key performance indicators help the EU understand performance in relation to strategic goals and objectives. The following key performance indicators are the NERC/WECC compliance goals for the 2013 year:
• Regulatory Requirements - tracked and current. The EU maintains a list of regulatory requirements that are applicable to the City and updates this list as the regulations change. Any significant changes to the list are forwarded to the applicable supervisor for inclusion in annual training and/or email notifications if necessary.
• Recommended improvements are acted on. Following a mock audit or through other means, the EU considers and acts on recommendations for improvement within ninety (90) days of any accepted recommendations.
• Mitigation plans are timely. The EU determines appropriate mitigation plans for applicable violations. The EU has a goal to submit all mitigation plans within thirty (30) days of submitting a Self-Report of a potential violation.
• Operates with no NERC regulatory violations. The EU strives for full compliance with no violations occurring.
If a possible violation is discovered, the EU has established a goal to submit all possible violations to NERC/WECC within thirty (30) days of discovery.
• Respond to all NERC Alerts timely. The EU reviews, determines response and logs all NERC Alerts. The EU will take timely action on alerts that are determined to require a response by the City.
• Provide timely training.

11 Compliance Training

The City continually develops processes, procedures, and controls to help prevent the occurrence of regulatory violations. In addition, the City encourages staff to participate in compliance related training and educational opportunities.

• New Orientation
All new employees, including affected contractors and vendors, are sufficiently trained to perform compliance related activity prior to performing any compliance related duties. This training incorporates basic elements pertaining to NERC compliance and the EUD’s Internal Compliance Program.

• Annual Training
Annual training is provided to all applicable employees as described in the table below. Documentation of the training (sign-in sheets, training materials, completion certificates, and other reference materials) will be maintained in the Training log for each employee. Controls are in place to automate reminders for upcoming training refreshers by employee.

Training: Overview Awareness
Description: This training provides general information on NERC, FERC, and WECC requirements, recent and expected changes, and internal compliance program changes.
Applicability: EUD employees and long-term contractors who are responsible for NERC Compliance or could be an interface to NERC or WECC.

Training: Sabotage Recognition and Incident Response
Description: This training describes methodologies for identifying sabotage, responding to sabotage, and maintaining records. It supports the Sabotage Recognition and Incident Response procedure.
Applicability: All EU employees and long-term contractors. Note: Any EU employee or long-term contractor who does not receive this training shall be made aware of trained employees that can be contacted in order to report a potential sabotage event.

Training: Event Analysis
Description: This training describes the analysis, actions, and reporting requirements for all events. The training describes Bulk Electric System Disturbances, Protection System Misoperations, and Vegetation interruptions.
Applicability: SMEs responsible for maintenance and incident reporting.

Training: Communication and Emergency Response
Description: This training describes required protocol for verbal communications when receiving directives or when providing emergency assistance.
Applicability: SMEs responsible for receiving verbal communications from the Transmission Operator, Balancing Authority, or Reliability Coordinator.

• Training Comprehension
As part of each training, the EU conducts comprehension tests to ensure that trainings are effective. Additionally, the NERC Compliance Administrator annually reviews the trainings to ensure that proper information is included within the individual training programs.

12 Outreach

The EUD’s outreach focuses on a commitment to improve reliability. The City maintains a good relationship with PG&E, WECC, NERC, and FERC by promoting meaningful training/education opportunities, and providing compliance assistance.

The following describes the methods for meeting the outreach program:
• Communications – Operations staff are trained annually on NERC related activities in order to promote continual awareness of the importance of compliance with regulatory requirements. The Electric Utility Director, Engineering and Operations Manager and the NERC Compliance Administrator send out compliance emails with compliance updates, compliance clarifications and compliance notices, and provide periodic City Council reports. The Internal Compliance Program is distributed to all employees at least annually and is available on the City’s SharePoint site.
• Training and Education – Training is provided as described in Section 11.
• NERC Alerts – NERC Alerts are communicated to all appropriate staff.
• Participation in the Standards, Policy, and WECC Criteria Development Drafting Process – The City is committed to improving reliability of the electric system. We participate in the drafting process of Standards, policies and WECC Criteria by providing comments, assisting drafting teams, and voting.
• Users Groups/Conferences/Webinars – The NERC Compliance Administrator and other City staff attend and participate in regional and national events, conferences, and trainings to help ensure the City maintains awareness of emerging or changing regulations and to learn and share best compliance practices. The City is able to stay up-to-date on new and pending developments as they relate to the Reliability Standards by attending industry related seminars, as well as regional sponsored training.
Meeting topics are summarized and reviewed by the Electric Utility Director, Engineering and Operations Manager, Departmental Management, SMEs and other key individuals. Examples of such conferences, meetings, and trainings include:
o WECC compliance user groups
o WECC monthly call
o Critical Infrastructure Protection (“CIP”) Standards user groups
o Western Interconnection Compliance Forum (WICF) meetings
o NERC and FERC Sponsored Conferences and Training Programs
o Rule Making Proceedings
o Committees and Work Groups

The City employs the NERC Compliance Administrator to monitor WECC, NERC, and FERC committee activities as well as various standards drafting committees. The City assigns SMEs to provide input to various standards drafting committees through the NERC Compliance Administrator. Any personnel involved in these activities provide information to the appropriate NERC Compliance Administrator and the NERC Compliance Director. Once aware of a new or changing regulatory requirement, the NERC Compliance Director coordinates with the affected personnel to ensure that: 1) the new regulatory requirements are understood and 2) processes and procedures are developed to help ensure compliance with the requirements.

13 Employee Incentives

Personal Performance

Regulatory compliance is incorporated into applicable employee personal performance assessments. Employees are recognized by their management and among their peers for identifying opportunities for improving the Program.
13.1 Incentives

Employee incentives related to the ICP are not limited to but may include any of the following:
• Recognition in a compliance newsletter;
• Certificate of acknowledgement;
• Improved parking spot.
• Gift Certificate.

Enforcement

Willful violations of the ICP will be subject to review and may be cause for discipline or dismissal. Such disciplinary action may include written notices to the individual involved that a violation has been determined, demotion or re-assignment of the individual involved and suspension with or without pay or benefits. Violations may also constitute violations of law and may result in criminal penalties and civil liabilities for the offending covered party and the City.

14 Procedures and Other Documents

The City maintains the following compliance related procedures that are available to all staff at https://lodieud.sharepoint.com
• Communication and Emergency Response
• Event Analysis
• Facility Coordination
• Model Data Submittal
• Protection System Testing Maintenance and Validation
• Risk Based Assessment Methodology
• Sabotage Recognition and Reporting
• NERC Alert Response Instruction Guide
• Under Frequency Load Shedding Program Validation
• Updating the FERC Approved Reliability Standards List

The following compliance related reporting forms, lists, documents, and logs are available on https://lodieud.sharepoint.com:
• Risk Management and Compliance Program
o Attachment B: ICP
• FERC Approved Standards
• Risk Based Assessment Methodology Form
• Processes
• Evidence Documents
• Compliance Task
• Training Log
• Call Log
• Substation Maintenance Log
• Sabotage Reporting Log
• UFLS Validation Form
• Misoperation Log
• Data Submittal Communications
• Facility Modifications Documents

15 Controls and Program Monitoring

The electric department continuously manages regulatory compliance risk through (1) monitoring programs and continuously updating policies and procedures, (2) annual self-assessments and audits, and (3) Internal Controls including hard and soft controls. Hard controls include automated due date calendar reminders and forms with mandatory fields for collecting evidence.
These hard and soft controls are part of a control environment that will help prevent the occurrence and, especially, the reoccurrence of violations.

15.1 Compliance Monitoring

The NERC Compliance Administrator, who may be a contracted consultant, will monitor industry changes that impact the Program. The EU has documented processes that address each regulatory requirement. The process statements, policies, procedures, and on-line forms are regularly modified when impacted by industry changes or identified internal opportunities for efficiency and effectiveness. Controls are identified and documented for each regulatory standard in the online compliance tool used to control the program. In addition, the City encourages its staff to participate in training and educational opportunities.

Each NERC and WECC Reliability Standard applicable to the City will be monitored on an ongoing basis. This monitoring process includes maintaining a thorough knowledge of standard requirements, performing periodic reviews to confirm compliance, performing an annual internal audit (self-audit), and informing management of any instances of potential non-compliance. The City will consider or implement changes based on recommendations that come out of this monitoring process.

15.2 Self-Audit

An annual formal internal compliance self-audit is conducted for compliance with all applicable Reliability Standards. The following areas of concern are addressed in the self-audit:

Step: Description
1. The NERC Compliance Administrator takes the role of the enforcement official and conducts the level of investigation that is anticipated from the regulator.
2. The self-audit is conducted at least annually. Audit results are reported and reviewed internally after each self-audit. Reports are retained in the SharePoint site with the Self-Certification program.
3. Spot checks are performed prior to each self-certification. A self-report is provided to the Compliance Officer with a recommendation for approval.
4. A self-audit allows the City to find potential red-flag issues and allows time to understand the issue prior to review with the regulator.
5. The self-audit provides a focus on areas of high risk.
6. Prompt self-reporting is initiated. Self-reporting may result in lower fines and indicate a mature compliance program that could mitigate future penalties.

All audits are shared with the applicable City staff and any other staff requesting it. Areas identified as high risk through the risk assessment may undergo a self-audit procedure on a more frequent basis.

15.3 Hard Controls

Hard controls include mandatory fields used to collect maintenance information, automatic reminders, automatic escalation reminders, self-reviews, and NERC Compliance Administrator reviews. Automated controls are in place to ensure completeness and timeliness. SharePoint logs have required fields to ensure completeness.

To help ensure that compliance-related deadlines and deliverables are met on a proactive basis, the City also utilizes automated reminders associated with Microsoft Outlook. Through the use of this system, tasks and related deadlines are created for specific deliverables and assigned to a responsible party. The Compliance Administrator is able to monitor task status and take action, if needed.

Examples of hard coded controls include:

Protection System Maintenance Tracking System
To ensure completeness, the maintenance system forms have required fields that do not allow the maintenance personnel to submit the form until complete.
To ensure timeliness, workflows send reminder messages to maintenance staff and escalation messages to management.

Model Data Submittals
To ensure timeliness, workflows send reminder messages to maintenance staff and escalation messages to management.

Event Analysis
All events are logged. To ensure proper reporting, controls are in place to identify when an under frequency load shedding (UFLS) event, equipment misoperation, or a Bulk Electric System Disturbance occurs. The controls provide instructions for proper reporting. Automatic email reporting is sent. To ensure timely reporting, controls are in place to send reminders for timely investigation and reporting of UFLS Events, misoperation, and Bulk Electric System Disturbances.

Procedure Approvals
To ensure timely review and approval, controls are in place to ensure reminders are sent. Reminders are escalated if reviews and approvals are not timely.

Training
To ensure timely reporting, controls are in place to monitor training and retraining dates, as well as to send reminders and escalation reminders.

Critical Infrastructure Protection Review
To ensure timely review, controls are in place to send automatic reminders when the review of the City’s electric assets is due.

16 Self-Reporting

16.1 Discovery of Potential Regulatory Violations – Review Process

The City is committed to continuous improvement in order to design the ICP to prevent non-compliant activities from occurring or to detect non-compliance immediately.
To ensure that potential violations are detected, mitigated, and reported in a timely manner, the City has implemented the following measures:
• Periodic review of the ICP
• Detecting and Mitigating Potential Violations
• Periodic Compliance Reviews
• City Personnel
• Annual Internal Audits

16.2 Responding to and Reporting Potential Violations

Once potential non-compliance is discovered, the issue is reviewed and investigated with the assistance of applicable parties and a final determination as to whether a violation exists is made by the ROC. Once determined, appropriate action is taken, including self-reporting or other remedial actions.

The City’s process for responding to, investigating and reporting potential violations includes the following steps:

Step Description
1. Potential violations of regulatory requirements are communicated and discussed with the Compliance Officer and the NERC Compliance Director.
2. The NERC Compliance Director and the NERC Compliance Administrator lead an investigation with the SMEs and owners. The NERC Compliance Administrator will provide a report to the Compliance Officer with recommendations.
3. The Compliance Officer will submit the report to the ROC for determining if a violation has occurred and requires self-reporting to the applicable regulatory agencies.
4. For instances where the NERC Compliance Administrator and NERC Compliance Director believe a potential violation exists or where process enhancements are needed, the office leads the investigation to (1) document a description of the potential violation, (2) determine the root cause, (3) determine steps being taken to prevent similar incidents from reoccurring, and (4) document a mitigation plan.
5. The NERC Compliance Administrator initiates the reporting of the potential violation to the applicable regulatory agencies, as necessary. The Self-Report form can be found on the WECC Compliance Web Portal at: https://portal.wecc.biz and is reported through WebCDMS. The submitted self-report and mitigation plan are also stored on the compliance system for internal tracking.
6. It is the WECC compliance staff’s obligation to submit all alleged non-compliance information to NERC in accordance with the NERC Compliance Monitoring and Enforcement Program (CMEP) and WECC internal enforcement guidelines.

17 Remediating and Preventing Repeat Violations

To ensure that violations are remediated and prevented from recurring, the City EU implements the following measures:

Step Description
1. The risk assessment is updated and reviewed to determine any other potential risks associated with the identified activity.
2. All related processes, procedures, controls, and training programs are reviewed to ensure clarity. Updates to the ICP are provided where necessary.
3. The mitigation plan is logged, tracked and verified to ensure remediation items are completed timely.
4. The NERC Compliance Administrator will provide additional data or information requested by the regulatory authority and will provide timely updates on the status of the remediation plan to the regulatory authority (WECC, NERC, or FERC).

18 Self-Certification

Step Description
1. WECC will post Self-Certification or periodic data collection forms on the OATI WECC webCDMS at least sixty (60) days prior to the submittal period, but the City cannot submit forms until the submittal period has begun. Section 6 of the WECC Web Portal User Guide provides information concerning the Self-Certification submittal process.
2. The NERC Compliance Administrator will perform a formal review of all actively monitored Standards prior to each annual self-certification to ensure compliance. A formal report will be provided to the Compliance Officer for review and approval.
3. During the annual self-certification time line and after receiving approval from the Compliance Officer, the NERC Compliance Administrator will self-certify compliance with the Reliability Standards.
4. WECC will accept Self-Certification forms only during the submittal period. Failure to submit the forms prior to the end of the submittal period will result in non-compliance. The WECC Compliance Staff are to review Self-Certification submittals to determine acceptability, and may request additional information if necessary.
5. Semi-annual Self-Certifications are required for the CIP-002 through CIP-009 NERC Reliability Standards, and are not part of the annual Self-Certification process for all other Reliability Standards.
Semi-annual Self-Certification forms will be posted on the WECC Compliance Web Portal at least thirty (30) days prior to the submittal period. Semi-annual Self-Certifications must be received by WECC from the City on January 15th and July 15th according to the CIP implementation schedule. The “Guidance for Enforcement of CIP Standards” document can be found on the NERC Website at: http://www.nerc.com/files/Guidance_on_CIP_Standards.pdf. The “(Revised) Implementation Plan for Cyber Security Standards for CIP-002-1 – CIP-009-1” can also be found on the NERC Website at: http://www.nerc.com/fileUploads/File/Standards/Revised_Implementation_Plan_CIP-002-009.pdf.

19 Document Retention Policy

Unless otherwise specified, all major revisions of this ICP and evidence demonstrating implementation of the ICP should be maintained for six (6) years or for one (1) year after a NERC/WECC off-site audit, whichever is greater. The maximum required data retention period is seven (7) years. Documentation requested by WECC or NERC will be provided within thirty (30) calendar days.

20 Storage

All documents are stored in the compliance system at https://lodieud.sharepoint.com.

21 Compliance System

The compliance system is used to monitor and track the NERC Compliance Program and for tracking the ICP and evidence that it is implemented.
Instructions to access this information are as follows.

Step Action
1. Log on to the compliance system at: https://lodieud.sharepoint.com. Enter your user name and password. Contact the Engineering and Operations Manager if you do not have access.
2. Select Internal Compliance Program.
3. Add additional information to the ICP evidence files by clicking the “new document” link and then choosing “Upload Existing File.”

22 References

FERC Revised Policy Statement on Enforcement, (May 15, 2008)
NERC Compliance Monitoring and Enforcement Program, WECC, (2010)
WECC CMEP – Self-Reporting Form, (April 13, 2009, Version 1)
WECC Internal Compliance Program Self-Assessment and Survey Update, (Feb. 9, 2011)

23 Internal Compliance Program Review

The ICP is reviewed on an annual basis. However, more frequent reviews may be conducted following any possible instances of noncompliance. Appropriate adjustments to the ICP will be made in order to prevent recurrence of possible violations.

24 Responsible Senior Manager or Delegate

This NERC/WECC Internal Compliance Program is approved by the Risk Oversight Committee prior to approval by the NERC Compliance Officer. Major modifications are approved by City Council resolution.

1. I, Elizabeth Kirkley, Electric Utility Director, serving as the Compliance Officer, certify that I have read and am familiar with the contents of the ICP and any related documents submitted herein.
2. I understand that based on the answers herein, WECC may request more information specific to the City of Lodi’s ICP.
3. To the best of my knowledge, the information provided in this document is correct.

Revision 2.0
X
Elizabeth A. Kirkley
Electric Utility Director

25 Revision History

Version | Author | Description of Changes | Date
1.0 | MJCooper | First version | 11/28/2011
2.0 | MJCooper | Revised to identify personnel changes within the compliance program. Other grammatical corrections are made. Attachment B suspended effective February 10, 2014. | July 2014

RESOLUTION NO. 2014-180

A RESOLUTION OF THE LODI CITY COUNCIL RESCINDING RESOLUTION NO. 2012-34, AND FURTHER APPROVING THE CITY OF LODI RISK MANAGEMENT AND COMPLIANCE PROGRAM VERSION 3.0

WHEREAS, the City Council established a Risk Oversight Committee (ROC) on January 18, 2006 to ensure compliance with the City's energy risk management policies; and

WHEREAS, in 2007, requirements imposed on Lodi's Electric Utility (LEU) by the North American Electric Reliability Corporation (NERC) and the Western Electricity Coordinating Council (WECC) also required an internal compliance program to ensure compliance with NERC reliability standards, expanding the ROC's responsibilities and resulting in an all-encompassing "City of Lodi Risk Management and Compliance Program" (RMCP) which was approved by the City Council on April 4, 2012; and

WHEREAS, as electric utility industry requirements change, the RMCP requires revision and changes are brought before the ROC for consideration; and

WHEREAS, the most recent change was the de-activation of LEU's reliability registration with WECC for NERC reliability standards, resulting in the suspension of Attachment B in the RMCP; and

WHEREAS, in addition, non-substantial changes have been made to reflect
current staffing levels, as well as to improve consistency and flow throughout the document; and

WHEREAS, on June 11, 2014, the ROC discussed changes to the RMCP and provided comments to LEU; and

WHEREAS, staff recommends rescinding Resolution No. 2012-34 and approving Version 3.0 of the ERMP.

NOW, THEREFORE, BE IT RESOLVED that the Lodi City Council does hereby rescind Resolution No. 2012-34, and further approves the City of Lodi Risk Management and Compliance Program Version 3.0, as shown on Exhibit A attached hereto and made a part of this Resolution.

Dated: October 1, 2014

I hereby certify that Resolution No. 2014-180 was passed and adopted by the City Council of the City of Lodi in a regular meeting held October 1, 2014, by the following vote:

AYES: COUNCIL MEMBERS - Hansen, Johnson, Mounce, and Nakanishi
NOES: COUNCIL MEMBERS - None
ABSENT: COUNCIL MEMBERS - Mayor Katzakian
ABSTAIN: COUNCIL MEMBERS - None

JENNIFER M. ROBISON
City Clerk
2014-180

City of Lodi Risk Management and Compliance Program
Version 2.0
Revised July 2014
Amended October 1, 2014

Table of Contents

1 Mission Statement/Statement of Commitment
2 Goal
3 Organizational Structure and Chart
4 Leadership Support
5 Lessons Learned
6 Compliance Communications Protection for Whistleblowers
7 Employee Incentives
8 Compliance Enforcement
9 Resources
10 Compliance Communications

Attachment A
1 Purpose
2 Scope
3 Energy Risk Management Policies (“ERMP”)
4 Scope of the ERMP
  4.1 ERMP Objectives
  4.2 ERMP Implementation Process
  4.3 Risk Inventory
5 Transaction Limits and Controls
  5.1 Regulatory Compliance
  5.2 Indirect Purchases (NCPA)
  5.3 Direct Purchases
  5.4 All Purchases:
  5.5 Prohibited and Authorized Transaction Types
6 ROC Reports
  6.1 ROC reports include but are not limited to:
7 Program Review/Evaluation/Modification/Distribution

Attachment B
1 Background
2 NERC/WECC Compliance Program Structure
3 Requirements Identification
4 NERC/WECC Standards Requirements - tracked and current.
5 Risk Assessment
6 NERC/WECC Compliance Program Oversight
7 Independent Access to Executives
8 Independent Management
9 Resources
10 Performance Targets
11 Compliance Training
12 Outreach
13 Employee Incentives
  13.1 Incentives
14 Procedures and Other Documents
15 Controls and Program Monitoring
  15.1 Compliance Monitoring
  15.2 Self-Audit
  15.3 Hard Controls
16 Self-Reporting
  16.1 Discovery of Potential Regulatory Violations – Review Process
  16.2 Responding to and Reporting Potential Violations
17 Remediating and Preventing Repeat Violations
18 Self-Certification
19 Document Retention Policy
20 Storage
21 Compliance System
22 References
23 Internal Compliance Program Review
24 Responsible Senior Manager or Delegate
25 Revision History

1 Mission Statement/Statement of Commitment

The City’s compliance mission is to create a superior and effective program to manage risk and compliance which implements best electric utility practices and encourages a culture of compliance and control throughout the EU. The City implements all opportunities to build compliance and controls into every business practice and to continuously improve its program to be robust, rigorous and transparent.

The City is committed to complying with all applicable laws and regulations. In addition, the City is committed to prudent risk management and compliance awareness and continuous improvement of processes and procedures.
This commitment allows the City to develop and maintain an organizational culture that supports staff in meeting these concerns through education/training, ethical conduct, decision making, and a culture of transparency.

2 Goal

The goal of the Energy Risk Management and Internal Compliance Program (“the Programs”) contained herein is to create a culture of compliance and control within daily activities that is characterized by clear communication, consistent documentation and implementation of the following practices:

Step Description
1. Creating a culture of accountability.
2. Adopting reporting procedures to the Risk Oversight Committee (ROC) and the City Council.
3. Identifying and communicating specific concerns and opportunities for improvement.
4. Reviewing and developing goals that ensure a strong corporate commitment to compliance and control.
5. Creating awareness through training and other communications.
6. Assessing the Programs for adequacy and providing recommendations to address planning, auditing and budgeting issues.
7. Identifying and assigning responsibilities to the key individuals, as appropriate, for applicable portions of the Programs.
8. Providing a documentation framework that supports compliance, and includes clear processes, policies, and procedures.
9. Creating a culture of continuous improvement through regular assessments and corrections. These assessments may be self-assessments, internal audits, and independent third-party assessments.
10. Adhering to approved regulatory requirements.
11. Cooperating with regulatory agencies.
12. Promptly assessing and reporting potential violations to regulatory agencies, if required.

3 Organizational Structure and Chart

The Programs are overseen by the Risk Oversight Committee (ROC), which is comprised of the City Council member who serves as a Northern California Power Agency (NCPA) commissioner or alternate, the City Manager, Deputy City Manager, City Attorney and the Electric Utility Director; or in the case of their absence, their designees. The City Manager shall appoint the chair of the ROC. Additional non-voting members may be invited to participate on the ROC based on supporting expertise required by the ROC.

The ROC shall meet every three (3) to six (6) months, or as otherwise called to order by the City Council or ROC member. The ROC shall keep minutes of all meetings and business transacted. A quorum for the ROC to do business shall consist of all members, or their designees. The ROC shall request attendance at its meetings by, and/or reports from, other persons as appropriate.

[Organizational chart: City Council; City Manager; Risk Oversight Committee; Compliance Officer / Electric Utility Director; City Attorney; Deputy City Manager]

City Council
The City Council is responsible for making high-level, broad policy decisions as contained in this document. The City Council sets the policy, and adopts the Programs as developed and recommended by the ROC and delegates the City Manager to execute them. The City Council will review the Programs every year. The City Council reviews the Program updates on a regular basis and provides direction and additional support, as needed.

Risk Oversight Committee
The ROC shall have the responsibility for ensuring that business is conducted in accordance with the Energy Risk Management Policies (ERMP) in Attachment A. The ROC shall adopt and bring current risk management business practices, defining in detail the internal controls, strategies and processes for managing risks associated with the adoption of those business practices; including but not limited to a Laddering Strategy. As used herein the term Laddering Strategy shall mean an objective and graduated program to secure varying percentages of the City’s projected future power needs at any given point in time.

Determination of regulatory non-compliance and direction to self-report such non-compliant activities shall be made by the ROC.

City Manager
The City Manager has overall responsibility for executing and ensuring compliance with policies adopted by the City Council. The City Manager shall make reports to the City Council every three (3) to six (6) months regarding business transacted by the ROC and upon such occasions as the City Council shall direct.

Electric Utility Director - Compliance Officer
The Electric Utility Director is the utility’s Executive Officer, acts as the Compliance Officer for the EU, and is a voting member of the ROC. The Electric Utility Director has access to the City Council through the City Manager. This ensures communication of compliance concerns to the highest levels within the organization. Records of communication and reporting between the City Council and the City Manager are stored as required by the City’s Records Management Program.

Electric Utility Department
The EU shall participate on the ROC through the Electric Utility Director.
The Electric Utility Director shall provide load forecast information and coordinate the receipt and dissemination of relevant market and transactional information undertaken on the City’s behalf through NCPA.

Finance Department
The Finance Department shall participate on the ROC through the Deputy City Manager and provide accounting and cash flow information to the ROC.

Legal Department
The Legal Department shall participate on the ROC through the City Attorney, provide legal advice and representation, and ensure that business is carried out in compliance with all applicable laws, regulations, executive orders, and court orders.

4 Leadership Support

These Programs, as approved by the City Council, require the support and participation of all appropriate City staff. During ROC meetings, status updates are provided, any instances of potential non-compliance are discussed and support is provided. ROC meeting minutes and agendas are stored as required by the City’s Records Management Program.

5 Lessons Learned

Any lessons learned from audits, violations, other similar entity violations, or near misses are encouraged to be shared with all staff. Lessons learned are shared regularly with staff and in employee training programs. This includes lessons learned provided by regulatory authorities, other industry members, and discovered within the City’s business practices.

6 Compliance Communications Protection for Whistleblowers

The City staff is encouraged to come forward with evidence to their manager that the City may be violating a law or regulation. Communication of potential violations plays a pivotal role in the detection, investigation, and prevention of violations. No employee will be subject to any type of retribution for speaking out on compliance issues of any type.
The City staff, contractors, and the public are encouraged to report evidence of possible compliance violations, unethical business conduct, questionable operations, problems with compliance controls, reporting or auditing concerns, and violations of laws or regulations. The City will promptly investigate all complaints and attempt to maintain the whistleblower’s anonymity. Complaints may be made through the suggestion box, to the employee’s supervisor, manager, or director.

7 Employee Incentives

Regulatory compliance is incorporated into applicable employee personal performance assessments. Employees are recognized by their management and among their peers for identifying opportunities for improving the Program.

8 Compliance Enforcement

Compliance exceptions are actions that violate the authority limits, requirements or directives set forth in the ERMP. All exceptions shall be reported to the ROC. Willful violations of the ERMP and Internal Compliance Program (ICP) will be subject to review and may be cause for discipline or dismissal. Such disciplinary action may include written notices to the individual involved that a violation has been determined, demotion or re-assignment of the individual involved, suspension with or without pay or benefits, or dismissal. Violations may also constitute violations of law and may result in criminal penalties and civil liabilities for the offending covered party and the City.

9 Resources

The City is dedicated to making the best use of all appropriate resources from all applicable entities as part of these Programs. The City is committed to addressing all areas of high risk through the use of its own resources to improve its robust, rigorous, and transparent Program. The City Council has approved sufficient funding for the administration of the Program.
The requirements of these Programs are budgeted and fully staffed on a year-round basis.

10 Compliance Communications

City employees have various means by which to report business conduct issues, including potential violations of regulatory requirements. Break room posters provide contact information. Additionally, the City’s Internal Compliance Program is distributed via email to all employees after completion of the annual review.

Attachment A
Energy Risk Management Policies

1 Purpose

The purpose of this Risk Management and Compliance Program (“Program”) is to foster a culture of compliance and control for the City of Lodi (“City”) Electric Utility (“EU”). The Program expects a high level of compliance with regulations, laws, and the City’s agreements, policies and procedures while managing risks on a routine basis. The Program is laid out to control EU’s activities so that controlling risk and compliance are part of the City’s culture.

2 Scope

This Program outlines the City’s internal control foundation, providing discipline and structure to guide compliance with regulations, laws, and the City’s agreements, procedures and policies. It includes a cross-section of knowledgeable and skilled employees who are responsible to oversee, communicate, track, document, and monitor compliance and risk management and share the results with management and the City Council.

The Program applies to all the City employees, contractors, and vendor personnel responsible for complying with regulations and the City’s policies and procedures. It is made readily available to all employees.

3 Energy Risk Management Policies (“ERMP”)

The purpose of the ERMP is to ensure that risks associated with the City’s bulk power procurement are properly identified, measured and controlled. The ROC manages the ERMP.
4 Scope of the ERMP

The ERMP are applied to all aspects of the City’s wholesale procurement and sales activities, long-term contracting associated with energy supplies, including generator fuel, capital projects and associated financing related to generation, transmission, transportation, storage, Renewable Energy Credits (“REC”), Green House Gas (“GHG”) offsets, Resource Adequacy (“RA”) capacity, ancillary services, participation in Joint Powers Agencies (“JPA”), and regulatory compliance as set forth in Exhibit B.

This Program does not address the following types of general business risk, which are treated separately in other official policies, ordinances, and regulations of the City: fire, accident and casualty, health, safety, workers’ compensation, and other such typically insurable perils.

4.1 ERMP Objectives

1. Maintain a regularly updated inventory of risks that could impact rates and security of the City’s bulk power procurement program.
2. Establish risk metrics and reporting mechanisms that provide both quantitative and qualitative assessments of potential impacts to rate stability.
3. Adopt business practices that encourage compliance, development of appropriate levels of EU operating reserve funds, contribute to retail rate stability, and maintain appropriate security for established EU funds.
4. Minimize costs to maintain control of the City’s electric utility rates.

4.2 ERMP Implementation Process

1. Identify, measure, and control risks that could have an adverse effect on retail rate stability.
2. Assign risk management responsibilities to appropriately qualified individuals and committees for each of these risks.
4.3 Risk Inventory

The EU must inventory and address the following categories of risk as a component of the monitoring and reporting under the ERMP:

1. Price Risk
2. Volume Risk
3. Credit Risk
4. Operational Risk
5. Contingent Liabilities

Price Risk – the risk associated with the change of power costs and can be segmented into two categories:

1. Wholesale prices may increase while positions are still open.
2. Wholesale prices may decrease after positions are closed.

Volume Risk – the risk that demand for power will either fall below or exceed the existing contracted power supplies.

Credit Risk – the risk associated with entering into any type of transaction with a counterparty, and can be segmented into the following five categories:

1. Counterparties fail to take delivery of, or pay for, energy sold to them.
2. Counterparties fail to deliver contracted energy.
3. Counterparties refuse to extend credit or charge a premium for credit risks.
4. Counterparty transactions are too concentrated among a limited number of suppliers.
5. Inability to finance capital projects or meet financial obligations incurred in the course of wholesale operations.

Operational Risk – the risk to effectively plan, execute or control business activities, including the potential for:

1. Inadequate organizational infrastructure, i.e., the lack of sufficient authority to make and execute decisions, inadequate supervision, absence of internal checks and balances, incomplete and untimely planning, incomplete and untimely reporting, failure to separate incompatible functions, etc.
2. Absence, shortage or loss of key personnel.
3. Lack or failure of facilities, equipment, systems and tools such as computers, software, communications links, and data services.
4.
Exposure to litigation, fines, or sanctions as a result of violating laws and regulations, not meeting contractual obligations, failure to address legal issues and/or receive competent legal advice, not drafting contracts effectively, etc. Exposure includes the fines and litigation associated with the Federal Energy Regulatory Commission (“FERC”), North American Electric Reliability Corporation (“NERC”) and/or Western Electricity Coordinating Council (“WECC”) and environmental compliance violations.
5. Errors or omissions in the conduct of business, including failure to execute transactions, violations of guidelines and directives, etc.

Contingent Liabilities – Contingent liabilities consist of liabilities that the City could incur in the event of the failure of other parties to discharge their obligations. At present, these consist of three principal categories:

1. Guarantees and step up provisions in the enabling agreements for the JPAs of which the City is a member.
2. Project closure, decommissioning, environmental remediation, and other obligations which result from the City’s own activities as well as JPA projects and activities.
3. Provisions for take or pay, termination payments, and/or margin calls in the City’s long-term electric power supply agreements.

5 Transaction Limits and Controls

The EU utilizes transaction limits and controls to mitigate or prevent exposure to identified risks.

5.1 Regulatory Compliance

Regulatory compliance controls include both soft and hard controls. Soft controls include self-audits, policies, and procedures. Hard controls include automated due date calendar reminders, forms with mandatory fields for collecting evidence, and self-assessments.
5.2 Indirect Purchases (NCPA)

The City Manager and the Electric Utility Director are severally authorized to enter contracts for the purchase through NCPA of electric energy, capacity, generator fuel, transmission, transportation, storage, RECs, GHG offsets, RA capacity, and ancillary services to meet the City’s service obligations in amounts and for such quantities as are: 1) necessary to meet the minimum amounts called for in ROC’s Laddering Strategy; 2) consistent with this ERMP; and 3) approved by the ROC.

Purchases outside the authority granted above may be authorized by specific City Council resolution. The resolution may specify the limits of the authority delegated, including the maximum dollar amount of the authority and the duration of the contracts and/or transactions that may be executed.

In addition, for purchases through NCPA, counterparty credit limits and minimum counterparty rating criteria shall be described in NCPA’s then current “Energy Risk Management Policy”, which is made a part of this document by reference, and the most recent policy is attached hereto and may also be found at: http://www.ncpa.com/images/stories/Financials/policies/NCPA_Energy_Risk_Management_Policy_Version_1.3_Approved_06-16-2011.pdf.

Moreover, the City Manager and Electric Utility Director are authorized to purchase electric energy, capacity and fuel to meet the City’s share of amounts called for under NCPA’s then current Energy Risk Management Policy upon approval of the ROC.
5.3 Direct Purchases

The City Manager and the Electric Utility Director are severally authorized to enter into contracts for the direct purchase of electric energy, capacity, generator fuel, transmission, transportation, storage, RECs, GHG offsets, RA capacity, and Ancillary Services to meet the City’s service obligations in amounts and for such quantities as are: 1) necessary to meet the minimum amounts called for in ROC’s Laddering Strategy; 2) consistent with this ERMP; and 3) approved by the ROC.

Purchases outside the authority granted above may be authorized by specific City Council resolution. The resolution may specify the limits of the authority delegated, including the maximum dollar amount of the authority and the duration of the contracts and/or transactions that may be executed.

For contracts executed directly by the City, the City uses standardized form contracts for such procurement, including, but not limited to form contracts created and copyrighted by the Edison Electric Institute, the Western States Power Pool, the California Department of General Services, and the North American Energy Standards Board, unless waived by resolution of the City Council.

Counterparties shall obtain and maintain during the terms of the contract, the minimum credit rating established as of the date of award of the contract of not less than a BBB- investment grade credit rating or its equivalent as established by the rating agencies, such as Standard and Poor’s, Moody’s Investors Services, and/or Fitch, unless waived by resolution of the City Council.
5.4 All Purchases:

Any City Council resolution or ROC recommendation authorizing the City Manager or Electric Utility Director to contract for electricity shall specify generally at least the following terms and conditions and the description of energy and energy services to be procured, including, but not limited to: 1) a fixed or formula price; 2) energy and ancillary services to be included; 3) term, specifying a not-to-exceed period of time; 4) period of delivery denoted in years or months and whether deliveries are on-peak or off-peak; and 5) the point of delivery on the locus on the interstate transmission system on which the delivery is made.

Any City Council resolution or ROC recommendation authorizing the City Manager or Electric Utility Director to contract for generator fuel shall specify generally at least the following terms and conditions: 1) quantity and the description of fuel services to be procured, including but not limited to scheduled fuel and fuel transportation services, specifying a not-to-exceed period of time; 2) period of delivery denoted in years or months or years and months; and 3) point of delivery of the locus on the interstate transportation system at which the transfer of title is made.

All procurement of electricity and generator fuel by contract shall conform to the requirements of the ERMP.

5.5 Prohibited and Authorized Transaction Types

5.5.1 Prohibited Transaction Types:

Speculative buying and selling of energy products is prohibited. Speculation is defined as buying energy products that are not needed for meeting forecasted obligations, selling energy products that are not owned and/or selling energy products that are not surplus without simultaneously replacing that energy product at a lower cost. In no event shall transactions be entered into to speculate on the changes in market prices.

5.5.2 Authorized Transaction Types:

1. Purchase capacity, RECs or REC types, or energy to meet the City’s obligations.
2.
Sell existing capacity, RECs or REC types, or energy that is expected to be in excess of the City’s obligations.
3. Purchase generator fuel required to run the City’s share of generating facilities.
4. Sell surplus generator fuel if more economic energy is available for purchase, becomes surplus due to load being lower than previously forecasted, or due to increased energy due to hydrological conditions.
5. Execute financial transactions to fix the price of variable commodity purchases or sales.
6. Purchase simple call options or collars to limit price exposure on short generator fuel or electricity positions.
7. Sell simple call options or tolling agreements on the City’s share of generating facilities that are expected to be in excess of the City’s obligations.
8. Purchase or sell emission allowances, including GHG offsets, deemed necessary to comply with regulations for the City’s share of generating facilities.
9. Purchase or sell firm transmission rights or congestion revenue rights to manage congestion price risk.
10. Purchase or sell energy at the California Oregon Border and an offsetting sale/purchase of energy at North Path 15 (“NP15”) to take advantage of the City’s share of transmission capacity rights.
11. Simultaneously purchase generator fuel and sell energy when the transaction provides the City a financial advantage.
12. Sell generator fuel and purchase energy to take advantage of market heat rate.

6 ROC Reports

6.1 ROC reports include but are not limited to:

1. Load and resource balances as forecast and adopted in the current operating year’s budget (including regulatory, state and federally mandated resource balances).
2.
Load and resource balances as adjusted due to operating conditions or purchases occurring during the quarter.
3. An assessment of market exposure.
4. An assessment of the quarterly change in power supply cost from budget.
5. Credit exposure by counterparty.
6. A summary of any purchases made during the quarter.
7. An assessment of any counterparty credit problems.
8. NERC/WECC Compliance program status.

Other reports are provided to the City Council on request.

7 Program Review/Evaluation/Modification/Distribution

The review of the ERMP is designed to: 1) ensure that reporting parties report to their supervisors; 2) ensure that the Electric Utility Director promotes, maintains, and monitors compliance; 3) discuss the effectiveness of the Program; and 4) evaluate alignment of the Program with the City’s organization.

Interim to the annual review, the Program will be reviewed and modified as necessary if:

1. An event analysis determines that a modification to this program would be beneficial.
2. The City experiences a regulation violation.
3. Lessons learned or changes have been identified in best practices.
4. Any significant changes to the Program are approved by the City Council. Minor changes are approved by the ROC.

New revisions of the Program are distributed to all parties involved and comments are solicited from the ROC. The City employees are informed of new significant revisions, including contractors and vendors as applicable, and they will all have access to the current Program.

Electric Utility – NERC / WECC Internal Compliance Program Version 2.0 Revised July 2014 Amended October 1, 2014 Attachment B Page 17 of 38

Attachment B
Electric Utility NERC / WECC Internal Compliance Program

Attachment B is suspended effective February 10, 2014.
On this date the City of Lodi was notified that WECC and NERC had accepted our request to deactivate our registration for Distribution Provider and Load Serving Entity and the City was removed from the NERC Compliance Registry. A deactivation from the NERC Compliance Registry indicates that an entity is no longer subject to mandatory compliance with the applicable NERC Reliability Standards that have been approved by the FERC. Continued voluntary compliance with NERC Reliability Standards is considered good operating practice by the industry and is recommended by NERC.

NERC retains the right to register the City for any function at any time, in accordance with NERC’s Statement of Compliance Registry Criteria, as the criteria may be amended from time to time, if the facts and circumstances so warrant. Should NERC reactivate the City of Lodi’s registration, then the City shall reinstate Attachment B.

1 Background

The Federal Energy Policy Act of 2005 provides the FERC authority to approve and enforce rules and regulations to protect and improve the reliability of the nation’s bulk power system. Through this Act, all electric power entities that impact the Bulk Electric System must comply with FERC approved Regulatory Standards, and public utilities that sell electricity at market-based rates must comply with market rules of conduct and ongoing reporting and compliance requirements.

The NERC Statement of Compliance Registry criteria describe which entities are required to register with NERC and comply with the Regulatory Standards. For those entities, mandatory compliance with the first set of Regulatory Standards approved by FERC came into effect on June 18, 2007.
The Statement of Compliance Registry requires, among other things, utilities to register into the program as a participant of the region’s Under Frequency Program. The City is registered as a Distribution Provider (DP) and Load Serving Entity (LSE) based on this sole criterion and does not meet any of the other registration criteria.

Under this statutory framework, standards are proposed by electric reliability organizations and approved by FERC. The NERC has been delegated authority as the electric reliability organization for the four interconnections in North America that include Quebec, Electric Reliability Council of Texas (“ERCOT”), Eastern, and Western interconnections. Within the NERC interconnection, NERC has further delegated regional reliability organization functionality to eight (8) regional entities. The City is located within the WECC region.

The City’s EU is required to comply with all FERC approved Reliability Standards applicable to its registered functions as a Load Serving Entity (“LSE”), and Distribution Provider (“DP”).

The EU’s NERC Internal Compliance Program (ICP) is supported by the City’s Risk Management and Compliance Program. The ICP supports the four pillars of the compliance framework presented in the FERC’s October 2008 Policy Statement on Compliance:

• Role of senior management in fostering compliance;
• Effective preventive measures to ensure compliance;
• Prompt detection, cessation, and reporting of violations; and
• Remediation efforts

This ICP provides the framework to support compliance with the FERC reporting requirements and NERC and WECC Reliability Standards.

2 NERC/WECC Compliance Program Structure

The EUD’s ICP is a rigorous, established and formal program.
The EU strives to achieve a high level of business and personal ethical standards, as well as compliance with the laws and regulations that apply to its business. The EU ICP is managed at a high level and programs and systems are in place to continuously monitor, evaluate, update, and implement the program.

To effectively and efficiently manage the compliance program, the EU has implemented a centralized compliance management system utilizing Microsoft SharePoint. Within the system, the EU has identified and documented all processes used to comply with each requirement. In order to continuously be audit ready, all processes, procedures, evidence, and supporting documentation have been identified and are continuously logged. Forms used in the compliance system incorporate controls to ensure completeness, accuracy and timeliness.

The NERC Compliance Administrator continuously monitors NERC and WECC for updates and guidance, including WECC Bulletins, NERC Compliance Application Notices, and best practice guidance documents. The ICP is continuously evaluated by the NERC Compliance Director and the NERC Compliance Administrator.

3 Requirements Identification

The City is registered with NERC as an LSE and DP. It is interconnected to the PG&E transmission system, who is the Transmission Owner and Transmission Planner. The City is within the CAISO Balancing Authority and Planning Authority. PG&E and the CAISO share responsibilities through a Coordinated Function Registration Agreement as the Transmission Operator of the facilities that interconnect the City. The Regional Reliability Organization over the City is the WECC Regional Reliability Organization. The City develops its processes to comply with all agreements or related procedures of these organizations as they relate to compliance with the NERC Standards.
The NERC Standards Requirements that are applicable to the City are listed on the City compliance website under the “Standards and Processes - FERC Approved Standards” folder: https://lodieud.sharepoint.com/

4 NERC/WECC Standards Requirements - tracked and current

The City maintains a list of applicable NERC/WECC Standard requirements and updates this list as the standards change. New updates to the list are tracked to ensure that all changes to the list are in compliance within 30 days of the requirement becoming effective. Any significant changes are automatically forwarded to the applicable supervisor for inclusion in annual training and/or email notifications if necessary.

The City’s NERC Compliance Administrator performs the process of updating all versions of the FERC Approved Reliability Standards as new Standards are revised. The procedure for this process is maintained by the NERC Compliance Administrator and is called “Updating the FERC Approved Reliability Standards List.”

5 Risk Assessment

A risk assessment is conducted annually to identify and quantify internal and external risks of non-compliance to the Regulatory Standards. The risk inventory is identified through employee surveys, past experience within the EU, industry announcements and forums, and other agencies’ shared experiences. Resource decisions for addressing risks are determined based on the score. High risk items are added to the City’s overall risk inventory. The following describes the organization’s method for conducting a risk assessment.

Step: Method for Applying Risk Assessment

1. A NERC/WECC risk assessment is conducted annually or as-needed.
2. The electric department surveys its staff each year to identify areas for improvement in its procedures and processes.
In addition, staff is encouraged to make suggestions to all policies, procedures and processes at any time during the year.
3. The NERC Compliance Director and the NERC Compliance Administrator conduct risk assessment meetings as necessary and maintain the minutes/agendas.
4. The following are identified as part of the risk assessment:
• Prior violations
• High violation risk factors
• Violation Severity Levels
• Periodic performance related Requirements that have a higher probability of occurrence.
• Weaknesses where additional self-audits or controls should be added
5. The Compliance Administrator calculates a risk score after applying the assessment and utilizes it to evaluate areas for additional controls. Several high risk processes have automated controls in place to ensure completeness, accuracy and timeliness.

6 NERC/WECC Compliance Program Oversight

The EUD’s ICP operates under the overall City Risk Management and Compliance Program, which is overseen by the ROC and is directed by the Compliance Officer.

[Figure: NERC/WECC Compliance Program Oversight Structure. Organization chart showing City Council; City Manager; Risk Oversight Committee; Compliance Officer, Electric Utility Director; City Attorney; Deputy City Manager; NERC Compliance Director, Engineering and Operations Manager; Compliance Administrator.]

The NERC Compliance Administrator oversees the ICP and works directly with the Engineering and Operations Manager, who has the direct responsibility for performing reliability functions. The Compliance Administrator also reports to the Compliance Officer.

The NERC Compliance Director is responsible for performance of the NERC compliance program including CIP programs and assigns responsibility to address compliance concerns as well as monitoring the process to address those concerns. They act as a business partner to the NERC Compliance Administrator.
They also attend annual cross-departmental team meetings to provide updates on compliance and standards developmental activities.

The NERC Compliance Officer, supported by the NERC Compliance Director and Subject Matter Experts (SMEs), shares the effort to ensure that all Reliability Standards, requirements, sub-requirements and the appropriate controls are clearly reflected in operational and business processes. SMEs work directly with the NERC Compliance Director and have direct responsibilities for performing reliability functions. The NERC Compliance Administrator assists directly with the SMEs to provide compliance expertise. The NERC Compliance Officer is the Electric Utility Director.

7 Independent Access to Executives

The NERC Compliance Administrator monitors and reports the department’s compliance status with the NERC and WECC Reliability Standards to the Compliance Officer and the ROC. The NERC Compliance Administrator has access to the Compliance Officer to provide input and ask questions regarding any concerns with the compliance program. The Compliance Officer has direct access to the City Manager and City Council.

8 Independent Management

It is crucial that the Compliance Administrator provide meaningful results and that no conflict of interest or any other impairment to providing unbiased findings exist. The Compliance Administrator is not responsible for the management of the work groups responsible for compliance.

9 Resources

The EU is dedicated to making the best use of all appropriate resources from PG&E, WECC, NERC, FERC and others as part of the compliance program effort. The Compliance Officer is committed to use any and all of its resources to improve its robust, rigorous, and transparent NERC compliance program supported by the ICP.
The City Council has approved sufficient funding for the administration of the ICP. The requirements of this compliance program are budgeted and fully staffed on a year-round basis.

10 Performance Targets

The EU promotes compliance by identifying measurable performance targets. Key performance indicators help the EU understand performance in relation to strategic goals and objectives. The following key performance indicators are the 2013 year’s NERC/WECC compliance goals:

• Regulatory Requirements - tracked and current.
The EU maintains a list of applicable regulatory requirements that are applicable to the City and updates this list as the regulations change. Any significant changes to the list are forwarded to the applicable supervisor for inclusion in annual training and/or email notifications if necessary.

• Recommended improvements are acted on.
Following a mock audit or through other means, the EU considers and acts on recommendations for improvement within ninety (90) days of any accepted recommendations.

• Mitigation plans are timely.
The EU determines appropriate mitigation plans for applicable violations. The EU has a goal to submit all mitigation plans within thirty (30) days of submitting a Self-Report of a potential violation.

• Operates with no NERC regulatory violations.
The EU strives for full compliance with no violations occurring. If a possible violation is discovered, the EU has established a goal to submit all possible violations to NERC/WECC within thirty (30) days of discovery.

• Respond to all NERC Alerts timely.
The EU reviews, determines response and logs all NERC Alerts. The EU will take timely action on alerts that are determined to require a response by the City.

• Provide timely training.
11 Compliance Training

The City continually develops processes, procedures, and controls to help prevent the occurrence of regulatory violations. In addition, it encourages staff to participate in compliance-related training and educational opportunities.

• New Orientation
All new employees, including affected contractors and vendors, are sufficiently trained to perform compliance-related activity before they perform any compliance-related duties. This training incorporates basic elements pertaining to NERC compliance and the EUD’s Internal Compliance Program.

• Annual Training
Annual training is provided to all applicable employees as described in the table below. Documentation of the training (sign-in sheets, training materials, completion certificates, and other reference materials) will be maintained in the Training log for each employee. Controls are in place to automate reminders for upcoming training refreshers by employee.

Training: Overview Awareness
Description: This training provides general information on NERC, FERC, and WECC requirements, recent and expected changes, and internal compliance program changes.
Applicability: EUD employees and long-term contractors who are responsible for NERC Compliance or could be an interface to NERC or WECC.

Training: Sabotage Recognition and Incident Response
Description: This training describes methodologies for identifying sabotage, responding to sabotage, and maintaining records. It supports the Sabotage Recognition and Incident Response procedure.
Applicability: All EU employees and long-term contractors.
Note: Any EU employee or long-term contractor who does not receive this training shall be made aware of trained employees that can be contacted in order to report a potential sabotage event.

Training: Event Analysis
Description: This training describes the analysis, actions, and reporting requirements for all events. The training describes Bulk Electric System Disturbances, Protection System Misoperations, and Vegetation interruptions.
Applicability: SMEs responsible for maintenance and incident reporting.

Training: Communication and Emergency Response
Description: This training describes required protocol for verbal communications when receiving directives or when providing emergency assistance.
Applicability: SMEs responsible for receiving verbal communications from the Transmission Operator, Balancing Authority, or Reliability Coordinator.

• Training Comprehension
As part of each training, the EU conducts comprehension tests to ensure that trainings are effective. Additionally, the NERC Compliance Administrator annually reviews the trainings to ensure that proper information is included within the individual training programs.

12 Outreach

The EU’s outreach focuses on a commitment to improve reliability. The City maintains a good relationship with PG&E, WECC, NERC, and FERC by promoting meaningful training/education opportunities, and providing compliance assistance. The following describes the methods for meeting the outreach program:

• Communications – Operations staff are trained annually on NERC-related activities in order to promote continual awareness of the importance of compliance with regulatory requirements. The Electric Utility Director, Engineering and Operations Manager, and the NERC Compliance Administrator send out compliance emails with compliance updates, compliance clarifications, and compliance notices, and provide periodic City Council reports.
The Internal Compliance Program is distributed to all employees at least annually and is available on the City’s SharePoint site.
• Training and Education – Training is provided as described in Section 11.
• NERC Alerts – NERC Alerts are communicated to all appropriate staff.
• Participation in the Standards, Policy, and WECC Criteria Development Drafting Process – The City is committed to improving reliability of the electric system. We participate in the drafting process of Standards, policies and WECC Criteria by providing comments, assisting drafting teams, and voting.
• Users Groups/Conferences/Webinars – The NERC Compliance Administrator and other City staff attend and participate in regional and national events, conferences, and trainings to help ensure the City maintains awareness of emerging or changing regulations and to learn and share best-compliance practices. The City is able to stay up-to-date on new and pending developments as they relate to the Reliability Standards by attending industry related seminars, as well as regional sponsored training. Meeting topics are summarized and reviewed by the Electric Utility Director, Engineering and Operations Manager, Departmental Management, SMEs and other key individuals. Examples of such conferences, meetings, and trainings include:
o WECC compliance user groups
o WECC monthly call
o Critical Infrastructure Protection (“CIP”) Standards user groups
o Western Interconnection Compliance Forum (WICF) meetings
o NERC and FERC Sponsored Conferences and Training Programs
o Rule Making Proceedings
o Committees and Work Groups

The City employs the NERC Compliance Administrator to monitor WECC, NERC, and FERC committee activities as well as various standards drafting committees.
The City assigns SMEs to provide input to various standards drafting committees through the NERC Compliance Administrator. Any personnel involved in these activities provide information to the appropriate NERC Compliance Administrator and the NERC Compliance Director. Once aware of a new or changing regulatory requirement, the NERC Compliance Director coordinates with the affected personnel to ensure that: 1) the new regulatory requirements are understood and 2) processes and procedures are developed to help ensure compliance with the requirements.

13 Employee Incentives

13.1 Incentives

Employee incentives related to the ICP may include, but are not limited to, any of the following:
• Certificate of acknowledgement;
• Gift Certificate.

14 Procedures and Other Documents

The City maintains the following compliance-related procedures that are available to all staff at https://lodieud.sharepoint.com:
• Communication and Emergency Response
• Event Analysis
• Facility Coordination
• Model Data Submittal
• Protection System Testing Maintenance and Validation
• Risk Based Assessment Methodology
• Sabotage Recognition and Reporting
• NERC Alert Response Instruction Guide
• Under Frequency Load Shedding Program Validation
• Updating the FERC Approved Reliability Standards List

The following compliance-related reporting forms, lists, documents, and logs are available on https://lodieud.sharepoint.com:
• Risk Management and Compliance Program
o Attachment B: ICP
• FERC Approved Standards
• Risk Based Assessment Methodology Form
• Processes
• Evidence Documents
• Compliance Task
• Training Log
• Call Log
• Substation Maintenance Log
• Sabotage Reporting Log
• UFLS Validation Form
• Misoperation Log
• Data Submittal Communications
• Facility Modifications Documents

15 Controls and Program Monitoring

The electric department continuously manages
regulatory compliance risk through (1) monitoring programs and continuously updating policies and procedures, (2) annual self-assessments and audits, and (3) Internal Controls including hard and soft controls. Hard controls include automated due date calendar reminders and forms with mandatory fields for collecting evidence. These hard and soft controls are part of a control environment that will help prevent the occurrence and, especially, the reoccurrence of violations.

15.1 Compliance Monitoring

The NERC Compliance Administrator, who may be a contracted consultant, will monitor industry changes that impact the Program. The EU has documented processes that address each regulatory requirement. The process statements, policies, procedures, and on-line forms are regularly modified when impacted by industry changes or identified internal opportunities for efficiency and effectiveness. Controls are identified and documented for each regulatory standard in the online compliance tool used to control the program.

In addition, the City encourages its staff to participate in training and educational opportunities. Each NERC and WECC Reliability Standard applicable to the City will be monitored on an ongoing basis. This monitoring process includes maintaining a thorough knowledge of standard requirements, performing periodic reviews to confirm compliance, performing an annual internal audit (self-audit), and informing management of any instances of potential non-compliance. The City will consider or implement changes based on recommendations that come out of this monitoring process.

15.2 Self-Audit

An annual formal internal compliance self-audit is conducted for compliance with all applicable Reliability Standards. The following areas of concern are addressed in the self-audit:

Step Description
1. The NERC Compliance Administrator takes the role of the enforcement official and conducts the level of investigation that is anticipated from the regulator.
2. The self-audit is conducted at least annually. Audit results are reported and reviewed internally after each self-audit. Reports are retained in the SharePoint site with the Self-Certification program.
3. Spot checks are performed prior to each self-certification. A self-report is provided to the Compliance Officer with a recommendation for approval.
4. A self-audit allows the City to find potential red-flag issues and allows time to understand the issue prior to review with the regulator.
5. The self-audit provides a focus on areas of high risk.
6. Prompt self-reporting is initiated. Self-reporting may result in lower fines and indicate a mature compliance program that could mitigate future penalties.

All audits are shared with the applicable City staff and any other staff requesting it. Areas identified as high risk through the risk assessment may undergo a self-audit procedure on a more frequent basis.

15.3 Hard Controls

Hard controls include mandatory fields used to collect maintenance information, automatic reminders, automatic escalation reminders, self-reviews, and NERC Compliance Administrator reviews.

Automated controls are in place to ensure completeness and timeliness. SharePoint logs have required fields to ensure completeness. To help ensure that compliance-related deadlines and deliverables are met on a proactive basis, the City also utilizes automated reminders associated with Microsoft Outlook. Through the use of this system, tasks and related deadlines are created for specific deliverables and assigned to a responsible party. The Compliance Administrator is able to monitor task status and take action, if needed.
Examples of hard coded controls include:

• Protection System Maintenance Tracking System – To ensure completeness, the maintenance system forms have required fields that do not allow the maintenance personnel to submit the form until complete. To ensure timeliness, workflows send reminder messages to maintenance staff and escalation messages to management.
• Model Data Submittals – To ensure timeliness, workflows send reminder messages to maintenance staff and escalation messages to management.
• Event Analysis – All events are logged. To ensure proper reporting, controls are in place to identify when an under frequency load shedding (UFLS) event, equipment misoperation, or Bulk Electric System Disturbance occurs. The controls provide instructions for proper reporting. Automatic email reporting is sent. To ensure timely reporting, controls are in place to send reminders for timely investigation and reporting of UFLS Events, misoperation, and Bulk Electric System Disturbances.
• Procedure Approvals – To ensure timely review and approval, controls are in place to ensure reminders are sent. Reminders are escalated if reviews and approvals are not timely.
• Training – To ensure timely reporting, controls are in place to monitor training and retraining dates, as well as to send reminders and escalation reminders.
• Critical Infrastructure Protection Review – To ensure timely review, controls are in place to send automatic reminders when the review of the City’s electric assets is due.

16 Self-Reporting

16.1 Discovery of Potential Regulatory Violations – Review Process

The City is committed to continuous improvement in order to design the ICP to prevent non-compliant activities from occurring or to detect non-compliance immediately.
To ensure that potential violations are detected, mitigated, and reported in a timely manner, the City has implemented the following measures:
• Periodic review of the ICP
• Detecting and Mitigating Potential Violations
• Periodic Compliance Reviews
• City Personnel
• Annual Internal Audits

16.2 Responding to and Reporting Potential Violations

Once potential non-compliance is discovered, the issue is reviewed and investigated with the assistance of applicable parties and a final determination as to whether a violation exists is made by the ROC. Once determined, appropriate action is taken, including self-reporting or other remedial actions.

The City’s process for responding to, investigating and reporting potential violations includes the following steps:

Step Description
1. Potential violations of regulatory requirements are communicated and discussed with the Compliance Officer and the NERC Compliance Director.
2. The NERC Compliance Director and the NERC Compliance Administrator lead an investigation with the SMEs and owners. The NERC Compliance Administrator will provide a report to the Compliance Officer with recommendations.
3. The Compliance Officer will submit the report to the ROC for determining if a violation has occurred and requires self-reporting to the applicable regulatory agencies.
4. For instances where the NERC Compliance Administrator and NERC Compliance Director believe a potential violation exists or where process enhancements are needed, the office leads the investigation to (1) document a description of the potential violation, (2) determine the root cause, (3) determine steps being taken to prevent similar incidents from reoccurring, and (4) document a mitigation plan.
5. The NERC Compliance Administrator initiates the reporting of the potential violation to the applicable regulatory agencies, as necessary.
The Self-Report form can be found on the WECC Compliance Web Portal at: https://portal.wecc.biz and is reported through WebCDMS. The submitted self-report and mitigation plan are also stored on the compliance system for internal tracking.
6. It is the WECC compliance staff’s obligation to submit all alleged non-compliance information to NERC in accordance with the NERC Compliance Monitoring and Enforcement Program (CMEP) and WECC internal enforcement guidelines.

17 Remediating and Preventing Repeat Violations

To ensure that violations are remediated and prevented from recurring, the City EU implements the following measures:

Step Description
1. The risk assessment is updated and reviewed to determine any other potential risks associated with the identified activity.
2. All related processes, procedures, controls, and training programs are reviewed to ensure clarity. Updates to the ICP are provided where necessary.
3. The mitigation plan is logged, tracked and verified to ensure remediation items are completed timely.
4. The NERC Compliance Administrator will provide additional data or information requested by the regulatory authority and will provide timely updates on the status of the remediation plan to the regulatory authority (WECC, NERC, or FERC).

18 Self-Certification

Step Description
1. WECC will post Self-Certification or periodic data collection forms on the OATI WECC webCDMS at least sixty (60) days prior to the submittal period, but the City cannot submit forms until the submittal period has begun. Section 6 of the WECC Web Portal User Guide provides information concerning the Self-Certification submittal process.
2. The NERC Compliance Administrator will perform a formal review of all actively monitored Standards prior to each annual self-certification to ensure compliance. A formal report will be provided to the Compliance Officer for review and approval.
3. During the annual self-certification time line and after receiving approval from the Compliance Officer, the NERC Compliance Administrator will self-certify compliance with the Reliability Standards.
4. WECC will accept Self-Certification forms only during the submittal period. Failure to submit the forms prior to the end of the submittal period will result in non-compliance. The WECC Compliance Staff are to review Self-Certification submittals to determine acceptability, and may request additional information if necessary.
5. Semi-annual Self-Certifications are required for the CIP-002 through CIP-009 NERC Reliability Standards, and are not part of the annual Self-Certification process for all other Reliability Standards. Semi-annual Self-Certification forms will be posted on the WECC Compliance Web Portal at least thirty (30) days prior to the submittal period. Semi-annual Self-Certifications must be received by WECC from the City on January 15th and July 15th according to the CIP implementation schedule. The “Guidance for Enforcement of CIP Standards” document can be found on the NERC Website at: http://www.nerc.com/files/Guidance_on_CIP_Standards.pdf. The “(Revised) Implementation Plan for Cyber Security Standards for CIP-002-1 – CIP-009-1” can also be found on the NERC Website at: http://www.nerc.com/fileUploads/File/Standards/Revised_Implementation_Plan_CIP-002-009.pdf.
19 Document Retention Policy

Unless otherwise specified, all major revisions of this ICP and evidence demonstrating implementation of the ICP should be maintained for six (6) years or for one (1) year after a NERC/WECC off-site audit, whichever is greater. The maximum required data retention period is seven (7) years. Documentation requested by WECC or NERC will be provided within thirty (30) calendar days.

20 Storage

All documents are stored in the compliance system at https://lodieud.sharepoint.com.

21 Compliance System

The compliance system is used to monitor and track the NERC Compliance Program and to track the ICP and evidence that it is implemented. Instructions to access this information are as follows.

Step Action
1. Log on to the compliance system at: https://lodieud.sharepoint.com. Enter your user name and password. Contact the Engineering and Operations Manager if you do not have access.
2. Select Internal Compliance Program.
3. Add additional information to the ICP evidence files by clicking the “new document” link and then choosing “Upload Existing File.”

22 References

FERC Revised Policy Statement on Enforcement, (May 15, 2008)
NERC Compliance Monitoring and Enforcement Program, WECC, (2010)
WECC CMEP – Self-Reporting Form, (April 13, 2009, Version 1)
WECC Internal Compliance Program Self-Assessment and Survey Update, (Feb. 9, 2011)

23 Internal Compliance Program Review

The ICP is reviewed on an annual basis. However, more frequent reviews may be conducted following any possible instances of noncompliance.
Appropriate adjustments to the ICP will be made in order to prevent recurrence of possible violations.

24 Responsible Senior Manager or Delegate

This NERC/WECC Internal Compliance Program is approved by the Risk Oversight Committee prior to approval by the NERC Compliance Officer. Major modifications are approved by City Council resolution.

1. I, Elizabeth Kirkley, Electric Utility Director, serving as the Compliance Officer certify that I have read and am familiar with the contents of the ICP and any related documents submitted herein.
2. I understand that based on the answers herein, WECC may request more information specific to the City of Lodi’s ICP.
3. To the best of my knowledge, the information provided in this document is correct.

Revision 2.0
X
Elizabeth A. Kirkley
Electric Utility Director

25 Revision History

Version: 1.0
Author: MJCooper
Description of Changes: First version
Date: 11/28/2011

Version: 2.0
Author: MJCooper
Description of Changes: Revised to identify personnel changes within the compliance program. Other grammatical corrections are made. Attachment B suspended effective February 10, 2014.
Date: July 2014