In February 2022, in the wake of widespread geopolitical instability, Australia’s Department of Home Affairs warned critical infrastructure stakeholders to establish a comprehensive risk management plan for their business as a matter of urgency. In April 2022 that warning was followed by mandatory obligations.
Given the obvious importance of critical infrastructure, it is perhaps concerning that such organisations would not already have such a plan!
With this warning in mind, here is:
- A summary of the obligations
- How to think bigger using an Enterprise Risk Management (ERM) approach
- How an operational resilience process can improve assurance
Risk management obligations for critical infrastructure stakeholders
Following the February warning, the Security Legislation Amendment to the Security of Critical Infrastructure Act came into effect in April. The amendments introduced an obligation for responsible entities to create and maintain a critical infrastructure risk management program, alongside a framework of enhanced cyber security obligations for operators of systems of national significance.
The risk management program rules require responsible entities to:
- adopt a risk management program
- comply with the program they have adopted (i.e. not just shelfware)
- ensure that the risk management program remains up to date
- submit an annual report to the relevant regulator.
The risk assessments must cover cyber and information, personnel, supply chain, and physical and natural hazards to the infrastructure assets. Responsible entities are also subject to mandatory cyber incident reporting requirements under the Act.
These obligations may be supported by corresponding or supplementary resilience or emergency management legislation at the state level. Such legislation may require an emergency response plan, or the running of exercises and scenarios.
The NSW Critical Infrastructure Resilience Strategy acknowledges the interdependencies between infrastructure sectors, as pictured in the example diagram below. Responsible entities will need to consider these types of relationships in their risk assessments, since a disruption to one asset (for example, power) can cascade into others (water, telecommunications, transport).
Source: NSW Government Critical Infrastructure Resilience Strategy
How to think bigger using an ERM approach
When risk assessments become regulatory obligations, there is a danger that they are treated as a ‘tick the box’ exercise, with only enough effort spent to produce evidence that one has been done. This undermines the value of a risk assessment done well: understanding the uncertainties that might affect the organisation’s objectives.
One observation about these requirements is that the program need only cover material risks to the critical infrastructure assets themselves. This is somewhat narrow and is asset-centric rather than outcome-centric. By way of example, people are not directly concerned with whether a power station is operational; they care whether electricity is being delivered to them. That delivery of electricity is the objective that is ultimately being managed, and the asset is only one of the things it depends on.
An enterprise risk management approach, supported by appropriate systems, lets an organisation go beyond a ‘compliance only’ mindset and adds much greater value to the organisation. This may include:
- Bow tie analysis to understand the causal pathways of disruption and their impacts on organisational objectives, allowing for appropriate allocation of resources to mitigate risk
- Control mapping to gain insights into how risks are being managed
- Controls assurance processes to ensure those controls remain effective
- Integrated incident and issue management processes to track near misses, control failures or incidents
- Tracking of key risk indicators to understand potential threats
- Workflows to drive action where risks are outside of tolerance or issues are identified
- Reporting that can be tailored to specific audiences, such as management or boards to inform decision making, or directly to regulators
All the above can and should be applied beyond critical infrastructure and cyber. When done well, understanding and addressing uncertainty that affects all of the organisational objectives improves the likelihood that they will be achieved.
Operational resilience programs can improve assurance
A resilience program should be aligned to the outcomes delivered by the critical infrastructure, not just to the assets. This includes:
- Defining impact tolerances: how long can your stakeholders withstand disruption?
- Understanding and mapping the critical processes that enable the required outcomes
- Identifying the resources, including those provided by third parties, that support those processes
- Assessing the health and vulnerabilities of those resources
- Conducting scenarios to validate impacts and determine how quickly you can recover
Identifying and mapping all the interdependencies is particularly important: assurance cannot be provided over something that isn’t mapped. The organisation’s operational resilience program should be integrated into its enterprise risk management program, so that the impact tolerances, process maps and scenario results feed the same controls, indicators and reporting described above.
Where to next?
The level of risk management maturity among critical infrastructure stakeholders across the country will of course vary. Some will already have existing risk frameworks, departments and tools, while others may have paid cursory lip service in an attempt to comply. The only thing we ask is that, if you are subject to these obligations, you don’t settle for the illusion of risk management.
Protecht's Complete Guide to Achieving Operational Resilience eBook gives you a detailed look at Operational Resilience, to learn exactly what makes it different from Disaster Recovery and Business Continuity and to get a list of steps to help you develop your own Operational Resilience capability. Find out more and download it now.