Inside the ERPQ: How One Form Shapes Your Audit
By Patrick Miller
A deep dive into NERC's Currently Compliant Podcast Episode 9, the March 2026 Align 7.6 deployment that consolidated the Risk Factor Questionnaire into the Entity Risk Profile Questionnaire (ERPQ), and the 2026 ERO Enterprise CMEP Implementation Plan. Together, these tell a clear story: the ERPQ is no longer just a risk scoring input. It is the primary feeder into the seven 2026 risk elements, the Compliance Oversight Plan, audit scoping, and registration workflows.
Overview
The North American Electric Reliability Corporation (NERC) "Currently Compliant" podcast continues to provide useful insight into how the ERO Enterprise is thinking about compliance. The podcast "…is intended to be a quick way to bring attention to frequently asked questions and provide clear insights on important compliance topics." Episode 9, focused on the Inherent Risk Assessment (IRA) and the Entity Risk Profile Questionnaire (ERPQ), arrived at the same time as two structural changes that matter more than the episode itself signaled.
On March 21, 2026, the ERO Enterprise deployed Align Release 7.6, which integrated the previously separate Risk Factor Questionnaire (RFQ) into the ERPQ. On March 25, 2026, NERC published an updated Align IRA and COP User Guide reflecting the merged workflow. And in February 2026, NERC published the 2026 ERO Enterprise CMEP Implementation Plan, which redefined the risk elements that Regional staff use to evaluate every registered entity. We covered the strategic shape of that plan in ERO CMEP 2026: Oversight in the Age of Transformation.
These three artifacts move together inside a framework that has been evolving since 2016 and was significantly reshaped in December 2025. Risk Elements set the initial scope. The IRA, fed by the ERPQ, narrows that scope to the registered entity. Internal controls are now evaluated continuously across every CMEP activity rather than through a separate Internal Controls Evaluation (ICE) program. CMEP tools are then selected, and the Compliance Oversight Plan is the output. Episode 9 explained one piece of that framework. This post connects the rest.
Why This Matters
The ERPQ looks administrative. It is not. It is one of the most leveraged documents an entity submits to its Region, because the answers cascade into:
- The risk factor assessment that drives the entity's overall risk score
- The Compliance Oversight Plan (COP) that defines monitoring intensity
- Audit scoping and the depth of evidence requests
- Registration workflows including IBR registration and Category 2 generating resources
- Certification (and re-certification) triggers tied to control center and Energy Management System (EMS) upgrades
- Alignment to the 2026 risk elements, including the new Grid Transformation element
In short, this single document influences how the Region sees you, how often you are engaged, and how deeply you are evaluated. Treating it as a form-fill exercise misses the point entirely.
Where the ERPQ Sits in the Framework
The ERO Enterprise Risk-based Compliance Monitoring Framework, formalized in the October 2016 ERO Enterprise Guide for Compliance Monitoring and refined every year since, has four interlocking components. The December 2025 ERO Enterprise Guide for Internal Controls eliminated the Internal Controls Evaluation (ICE) as a discrete step and embedded internal controls assessment continuously across every CMEP activity.
The framework now looks like this.
| Component | What It Does | What Feeds It |
|---|---|---|
| Risk Elements | Identify continent-wide and regional risks for prioritization | Annual CMEP IP, RISC reports, event analysis |
| IRA | Assess entity-specific inherent risk against pre-defined Risk Factor criteria | ERPQ, registration data, asset verification, TADS/GADS/MIDAS |
| CMEP Tools | Select appropriate monitoring tools (audits, spot checks, self-certifications) | IRA results, Risk Elements, performance considerations, internal controls posture |
| COP | Document the entity-specific monitoring strategy | Everything above, refreshed continuously |
Internal controls are no longer evaluated in a standalone ICE program. They are now assessed across every CMEP touchpoint, including the ERPQ itself. As covered in From Spot Evaluations to Continuous Oversight: NERC's New Internal Controls Model, this shift makes control design, evidence, and effectiveness a core driver of COPs, audit depth, and how the Regions measure compliance maturity.
The framework is explicitly cyclical, not linear. New events, registration changes, or emerging risks can trigger a refresh of any component, which then propagates downstream. The ERPQ is the primary data input that lets the rest of the framework function. Without current and accurate ERPQ data, every downstream component degrades.
Quick Summary: What the Region Already Has vs. What the ERPQ Provides
| Source | Data the Region Already Has | What the ERPQ Adds |
|---|---|---|
| CORES and Asset Verification | Functional registration, assets in scope | Confirmation, current state, planned changes |
| TADS / GADS / MIDAS | Generation, transmission, system data | Operational context, non-conforming loads |
| Compliance History | Public enforcement record | Internal controls, recent system events |
| ERPQ Risk Factor Questions | Not available elsewhere with currency | High water mark BES Cyber System impact, peak load, UFLS load, BES generation nameplate capacity |
| ERPQ Profile Questions | Not available elsewhere | Control center upgrades, weather impacts, system diagrams, monitoring tools, dispatch constraints, future plans |
This is the structural insight. The ERPQ is not duplicative of registration data. It is filling specific gaps that drive specific outcomes.
What Changed When Align 7.6 Deployed
The March 21, 2026 deployment consolidated two questionnaires into one. Before 7.6, entities completed an RFQ (driving the formal risk factor assessment) and a separate ERPQ (driving the broader risk profile). The Primary Compliance Contact had to assign each RFQ question to an individual SME within Align, fragmenting the work across multiple tasks.
After 7.6, the RFQ is incorporated into the ERPQ as a single questionnaire that the PCC assigns once. The Regions specifically targeted redundancy with other data sources (CORES, asset verification, TADS, GADS, MIDAS) and revised many questions for clarity.
The mechanics are also worth understanding. The ERPQ in Align uses conditional logic, hiding or showing questions based on previous responses. The PDF export, by contrast, shows every question regardless of applicability. This matters when entities use the export for internal review, because the export is not a one-to-one match with what the SME actually answered.
| Before March 21, 2026 | After March 21, 2026 |
|---|---|
| Separate RFQ and ERPQ | Single ERPQ (RFQ incorporated) |
| Per-question SME assignment | Whole questionnaire assigned at once |
| Significant redundancy with other data sources | Reduced overlap, focused on gaps |
| Higher administrative overhead for PCCs | Lower administrative overhead |
One operational note that often gets missed: once the ERPQ is submitted to the CEA, the entity cannot self-edit responses. Updates after submission require working directly with the Region. This is not a portal issue. It is a deliberate workflow choice that reinforces the importance of getting it right before submission.
Section 1: Risk Factor Questions (Now Inside the ERPQ)
These are the questions that feed directly into the formal ERO risk factor assessment. Question IDs follow an RF1_ prefix in Align.
How Risk Factors Actually Work
Each Risk Factor has pre-defined criteria that bucket entities into Low, Medium, or High risk based on quantitative thresholds. The ERPQ collects the data; the criteria determine the resulting risk level. For example, peak load thresholds, generation nameplate capacity in MVA, transmission voltage in kV, and percentage of variable generation in the BA Area all have specific numeric breakpoints documented in the ERO Enterprise Guide for Compliance Monitoring (Appendix B). Some criteria use regional flexibility (notably UFLS thresholds) to account for technical variances across Interconnections.
This matters because the data point itself is rarely interesting in isolation. What matters is which side of the criteria threshold it falls on. An entity with 999 MW of peak load and an entity with 1,001 MW of peak load look almost identical operationally, but they bucket into different risk tiers. Understanding where your entity sits relative to the thresholds is part of understanding your own risk profile.
Risk Factors Evaluated Through the ERPQ
The risk factors evaluated through the ERPQ include:
- Planned Facilities
- CIP: Monitor and Control Capability
- Largest Generation Facility
- CIP: Impact Rating Criteria
- CIP: External Electronic Communication
- Voltage Control
- System Restoration
- Total Generation Capacity
- RAS/SPS
Core Risk Factor Inputs
Representative questions and their Align IDs:
- (RF1_BAC_01) Total generation capacity within your Balancing Authority Area, including Pseudo Tie Generation, in MW
- (RF1_CIPRC_01) Does the entity have high impact BES Cyber Systems?
- (RF1_CIPRC_02) Does the entity have medium impact BES Cyber Systems?
- (RF1_CIPRC_03) Does the entity have at least one asset that contains a low impact BES Cyber System?
- (RF1_LD_01) Peak load served within the entity's area or system within the last three calendar years, with a separate MW value for each year
- (RF1_TGC_01) Total BES generation nameplate capacity that the entity owns or operates, in MVA
Why These Specifically
Each of these is a risk multiplier in the assessment. A High Impact BCS designation, large peak load, or substantial generation nameplate elevates the entity's risk profile. Small inaccuracies here produce outsized errors in the resulting risk score, and those errors propagate into the Compliance Oversight Plan.
Audit Prep Questions
- Has anyone validated our highest impact rating against current CIP-002-5.1a categorization?
- Is our reported peak load reconciled with what the BA actually sees?
- Does the three-year peak load series we are about to submit match what we submitted in prior years (or do we have a defensible explanation for any change)?
- Are our generation and transmission totals reconciled across CORES, asset verification, and the ERPQ?
- If we have RAS/SPS, is the inventory in the ERPQ consistent with what is in our protection system database?
- Where does each of our quantitative inputs sit relative to the Risk Factor criteria thresholds, and are we close to a tier boundary that could shift our risk score in either direction?
Section 2: Entity Risk Profile Questions
This is where most of the ERPQ's downstream value lives. Risk profile data does not always feed the risk score directly. It feeds the COP, audit scoping, registration follow-ups, and operational context the Region uses to interpret everything else. Question IDs follow an EQ_ prefix in Align.
If you treat this section as a checklist, you miss the leverage. If you treat it as your opportunity to shape how the Region understands your environment, you get a more proportionate monitoring posture.
Operational Context
Representative questions and their Align IDs:
- (EQ_002) Describe the type of monitoring and situational awareness tools used
- (EQ_004) Describe any dispatch constraints or loop-flow issues, including the characteristics
- (EQ_064) Did entity experience any loss of generation or transmission due to hurricanes or tornados?
Internal Controls and System Documentation
The ERPQ also captures information about internal controls, system diagrams, maps, and recent control center or EMS upgrades. The Region uses this material to scope audits and to anticipate certification triggers.
The internal controls section deserves specific attention because of how it interacts with the continuous internal controls model formalized in the December 2025 ERO Enterprise Guide for Internal Controls. With ICE eliminated as a discrete program, the ERPQ is now one of the earliest opportunities the Region has to capture an entity's control posture. WECC has done this for years through its Internal Controls Data Collection Template (ICDCT), distributed in advance of audit scoping. Other Regions use early RFIs or pre-audit surveys. The ERPQ now performs a similar function across all six Regions: control information is captured early enough to influence risk-based oversight, not reconstructed later through interviews.
The December 2025 guide is explicit about how Regions assess internal controls. Each control is evaluated across three dimensions: design (does it logically address the risk), implementation (is it operating as designed), and effectiveness (is it actually reducing risk). Equally important, the guide states directly that a description of a control activity, without supporting evidence, is not sufficient to rank that control as effective. Narrative answers in the ERPQ that gesture at controls without producing artifacts will not carry weight. The standard is reasonable assurance of future compliance, and that standard is met through evidence, not assertions.
There is also a leverage point worth knowing about. The guide notes that registered entities may volunteer internal controls for assessment beyond those tied to the prioritized risks the Region is already focused on. The ERPQ is one of the practical places this can happen. An entity that surfaces a strong, well-documented control in the ERPQ, even one the Region did not specifically ask about, is shaping how the COP gets built for the next monitoring cycle.
Why This Section Drives Your Audit
Regional staff use this information to scope audits. If your diagrams reveal complexity that registration data does not capture, expect a deeper scope. If your internal controls are well documented and demonstrably effective, expect a more streamlined evaluation. If your operational context shows recent disruption (weather, upgrades, dispatch constraints), expect specific lines of inquiry tied to those events.
This is where many entities under-invest. The ERPQ gets filled in by someone who knows the form, not someone who understands how the Region will use the answers.
Section 3: Forward-Looking Disclosures
A growing share of the ERPQ's value comes from what entities disclose about future state, not current state. The Region uses this information to anticipate registration changes, certification needs, and monitoring adjustments.
This is also where the ERPQ most clearly serves the entity. Disclosing planned changes early reduces friction later.
Planned Asset and System Changes
- Future or planned assets (substations, generation, transmission)
- Upgrades that would change your functional footprint
Inverter-Based Resources and Category 2 Generating Resources
- IBR additions that would trigger registration under the IBR registration initiative
- Category 2 generating resources entering the picture
- Registration timeline and associated dependencies
Control Center and EMS Changes
- Future control center upgrades
- EMS upgrades that could trigger certification
- Expected timeline and Region engagement
Why This Matters Now
The IBR registration initiative and the Category 2 generating resources framework are actively reshaping the registered footprint across all six Regions. MOD-032-1 begins applying to Category 2 IBRs on May 15, 2026, and PRC-029-1 (frequency and voltage ride-through requirements for inverter-based resources) becomes effective October 1, 2026. Entities that disclose changes early in the IRA cycle avoid surprise registration actions and have more time to align their compliance programs to new functional obligations.
Control center and EMS upgrades are a particular pressure point. Certain changes trigger re-certification, and re-certification is not a process anyone wants to discover after the fact.
Section 4: How the ERPQ Feeds the 2026 Risk Elements
This is the connection the podcast did not draw, but it is the most important one. The 2026 ERO Enterprise CMEP Implementation Plan, published February 2026, identifies seven risk elements that Regional staff use to prioritize compliance monitoring across all registered entities. The ERPQ is the data input that lets Regions evaluate each entity against those elements.
| 2026 Risk Element | ERPQ Inputs That Inform It |
|---|---|
| Remote Connectivity | High/medium/low impact BCS designations; CIP-005-7 R2/R3 posture; CIP-003-9 low impact controls |
| Supply Chain | Vendor relationships and software integrity context; CIP-013-2 R1 and CIP-010-4 R1 alignment |
| Physical Security | CIP-014-3 designations; CIP-006-6 program context; low impact CIP-003-9 R2 implementations |
| Grid Transformation | IBR additions, Category 2 resources, large loads, control center aggregation, third-party operations |
| Facility Ratings | FAC-008-5 R6 program context; AAR transition status under FERC Order 881 |
| Extreme Weather Response | EQ_064 hurricane/tornado loss disclosures; cold weather preparedness under EOP-012-3 |
| Communication Protocols & Operating Instructions | RC operating instruction posture; COM-002-4 program context |
Two of these risk elements are new for 2026. Grid Transformation replaces the prior Inverter-Based Resources and Transmission Planning and Modeling elements, expanding the scope to cover IBRs, large loads, resource adequacy, energy policy uncertainty, workforce adequacy, and aggregation of control. Communication Protocols & Operating Instructions was added in February 2026 specifically to address Reliability Coordinator practices around mandatory and binding operating instructions.
Grid Transformation: The Aggregation of Control Concern
One specific Grid Transformation focus deserves attention because it directly intersects with the ERPQ. The 2026 CMEP IP highlights situations where multiple registered Generator Owners and Generator Operators contract with the same unregistered third party to perform day-to-day operations. The ERO Enterprise has observed that this aggregates control of significant amounts of energy production in a common, unregistered control center.
This is exactly the kind of arrangement the ERPQ surfaces, through questions about monitoring tools, control center configurations, and operational dependencies. Entities with third-party operational arrangements should expect deeper inquiry, and should be prepared to demonstrate how reliability and security obligations are met when day-to-day operations sit outside the registered entity.
Incident Response Was Eliminated
The 2026 CMEP IP eliminated the prior Incident Response risk element, citing a consistently low frequency of CIP-008 violations and minimal reliability impact from past incidents, with sufficient coverage continuing under Physical Security. This does not mean incident response stopped mattering. It means it stopped warranting independent prioritization in the IP. The ERPQ still captures the relevant context.
Section 5: Triggers for IRA Refresh
The IRA is not a one-time exercise. It is refreshed on multiple triggering events.
| Trigger | What It Means |
|---|---|
| New Entity Registration | A new IRA is required as part of registration |
| Functional Registration Changes | Adding or removing functions triggers refresh |
| Coordinated Oversight Changes | Changes in lead Region or oversight arrangement |
| Upcoming Monitoring Engagement | Audit, spot check, or other engagement on the calendar |
| Time-Based Refresh | Periodic refresh based on time since last assessment |
The practical implication: any significant change in your functional footprint, your oversight arrangement, or your monitoring schedule will produce a new ERPQ. Treat each one as a fresh opportunity to update the Region's understanding of your environment, not as a copy-paste of the prior submission.
Cross-Cutting Expectations
Several expectations run throughout the ERPQ, even when they are not framed as discrete sections.
- Currency. The Region expects current data, not data that was true two years ago.
- Reconciliation. The Region expects internal consistency across CORES, asset verification, TADS, GADS, MIDAS, and the ERPQ.
- Documentation. The Region expects diagrams, maps, and supporting artifacts where appropriate, uploaded through the Secure Evidence Locker (SEL) using the reference ID provided in Align.
- Forward visibility. The Region expects disclosure of planned changes, not just current state.
- Internal controls context. The Region expects entities to articulate the controls they rely on, not just the obligations they meet.
- Retention. CEAs retain ERPQ submissions and supporting documentation as part of the IRA record, alongside narrative descriptions, checklists, and flowcharts. What you submit becomes part of the durable record the Region works from across multiple monitoring cycles.
What This Signals for Compliance Programs
Taken together, the ERPQ, the Align 7.6 consolidation, and the 2026 CMEP IP point in a consistent direction.
The ERPQ Drives the COP, Which Drives Everything Else
The Inherent Risk Assessment is the foundation for the Compliance Oversight Plan, and the COP determines how the Region engages with the entity over the monitoring cycle. If the ERPQ is built on stale or incomplete data, the COP is misaligned, and the entity ends up with monitoring that is either too heavy or too light relative to actual risk. The 2026 CMEP IP risk elements are the lens through which that alignment happens.
Risk Profile Data Is Now Operational, Not Optional
Internal controls, system diagrams, weather impacts, dispatch constraints, and non-conforming loads are not background detail. They directly shape audit scope and evidence requests. Entities that submit thin risk profile responses give the Region less context to calibrate, which often results in broader audit scopes by default. The standard the Region is working toward is reasonable assurance of future compliance, and that standard is reached through evidence and demonstrable practice, not through descriptions of what controls are supposed to do.
Forward-Looking Disclosure Is a Two-Way Street
Disclosing planned changes early gives the Region time to plan registration actions, certifications, and monitoring adjustments without surprise. It also gives the entity time to align its compliance program to new functional obligations. With CIP-003-9 effective April 1, 2026, CIP-012-2 effective July 1, 2026, and PRC-029-1 effective October 1, 2026, the alignment work is ongoing.
The ERPQ Is a Compliance Program Health Check
If the people who fill out the ERPQ cannot answer the questions confidently, that is a signal. If the answers are inconsistent with registration data or asset verification, that is a signal. If the diagrams do not exist or are out of date, that is a signal. The ERPQ is, in effect, a self-assessment of program maturity disguised as a regulatory submission.
Open Questions Worth Tracking
- How will Regions weigh ERPQ disclosures of third-party operational arrangements as the Grid Transformation risk element matures through 2026 and into 2027?
- As more entities transition to Ambient-Adjusted Ratings under FERC Order 881, will the ERPQ be revised to capture AAR program status as a risk factor input?
- With CIP-015-1 (Internal Network Security Monitoring) becoming effective October 1, 2028, when will INSM-related questions enter the ERPQ?
Closing Thought
The underlying message is straightforward, but important. The ERPQ is not a form. It is the primary mechanism the Region uses to calibrate everything else it does with you. Risk Elements scope it, the IRA narrows it, the CMEP tools execute it, and the COP captures it. Internal controls are now evaluated continuously across all of those steps, not in a separate ICE program. The 2026 risk elements are the lens. Every cycle.
That calibration is becoming more structured, more consistent, and more reliant on professional judgment tied to documented risk and control effectiveness. As outlined in How CMEP Version 8 Reshapes NERC's Compliance Model, the standards themselves are not what changed. What changed is how they are applied, evaluated, and defended. The move toward an internal controls-driven model reinforces that direction further. Internal controls are no longer a separate or periodic evaluation activity. They are now continuously assessed across all CMEP interactions and used to determine residual risk, shape Compliance Oversight Plans, and influence how deeply an entity is monitored. As CMEP Version 9 confirmed, tooling is becoming part of the audit process itself, not just a delivery mechanism. Align is that tooling. The ERPQ runs through it.
The ERPQ is where that continuous assessment begins. Every answer informs the Region's view of your residual risk. Every gap or inconsistency adds friction. Every forward-looking disclosure either reduces or increases surprise downstream. And every response now feeds into a redefined set of risk elements that includes Grid Transformation and Communication Protocols, both new for 2026.
The shift is not about more questions. It is about questions being used more effectively. Entities that understand this shift will find their monitoring posture proportionate to their actual risk. Entities that do not will find themselves explaining the same things twice in audit, often without a clear sense of why.
In that context, the ERPQ is no longer paperwork. It is the entry point into how the ERO Enterprise sees you for the next monitoring cycle.