

Australia’s Department of Home Affairs issued a warning to critical infrastructure stakeholders in February 2022, in the wake of widespread geopolitical instability, urging organisations to establish a comprehensive risk management plan for their business without delay. This was followed in April 2022 by mandatory obligations.
Given the obvious importance of critical infrastructure, it is perhaps concerning that such organisations would not already have such a plan!
With this warning in mind, here is:
Following the February warning, the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022, which amends the Security of Critical Infrastructure Act 2018, came into effect in April. These amendments introduced an obligation for responsible entities to create and maintain a critical infrastructure risk management program, alongside a framework of enhanced cyber security obligations that can be applied to operators of systems of national significance.
The risk management program rules require the entities to:
The risk assessments must cover cyber and information security, personnel, supply chain, and physical and natural hazards to the infrastructure assets. Alongside the program obligation sit mandatory cyber incident reporting requirements and the enhanced cyber security obligations for systems of national significance.
These Commonwealth obligations may be supported by corresponding or supplementary resilience or emergency management legislation at the state level. Such legislation may require, for example, an emergency response plan, or the running of exercises and scenarios.
The NSW Critical Infrastructure Resilience Strategy acknowledges the interdependencies between infrastructure, as pictured in the example below. Responsible entities will need to consider these kinds of relationships in their risk assessments.
Source: NSW Government Critical Infrastructure Resilience Strategy
When risk assessments become regulatory obligations, there is a danger that they are seen as a ‘tick the box’ exercise, with only enough effort spent to evidence that one has been done. This undermines the value of a risk assessment done well: understanding the uncertainties that might affect the organisation’s objectives.
One observation about these requirements is that the program needs to cover material risks to the critical infrastructure assets themselves. This is somewhat narrow and is not aligned with outcomes. By way of example, people are not directly concerned with whether a power station is operational; they care whether electricity is being delivered to them. That delivery of electricity is the outcome that is ultimately being managed.
An enterprise risk management approach, supported by appropriate systems, allows an organisation to go beyond a ‘compliance only’ mindset and adds much greater value to the organisation. This may include:
All the above can and should be applied beyond critical infrastructure and cyber. When done well, understanding and addressing uncertainty that affects all of the organisational objectives improves the likelihood that they will be achieved.
In the realm of resilience, it is critical to develop a resilience program aligned to the outcomes delivered by the critical infrastructure. This includes:
Identifying and mapping all the interdependencies is particularly important: assurance cannot be provided over something that isn’t mapped. The organisation’s operational resilience program should be integrated into its enterprise risk management program.
The level of risk management maturity among critical infrastructure stakeholders across the country will of course vary. Some will already have risk frameworks, departments and tools in place, while others may have paid cursory lip service in an attempt to comply. The only thing we ask is that, if you are bound by these obligations, you don’t settle for the illusion of risk management.
Protecht's Complete Guide to Achieving Operational Resilience eBook gives you a detailed look at Operational Resilience, to learn exactly what makes it different from Disaster Recovery and Business Continuity and to get a list of steps to help you develop your own Operational Resilience capability. Find out more and download it now.