New Australian Risk Legislation deep-dive: Managing your critical infrastructure with sub-contractors and personnel

In addressing requirements that need to be included in an organisation’s CIRMP, we shared details on leveraging the opportunity for increasing the maturity of overall organisation risk management and culture uplift. In addition to looking at mature risk management, there are some broader implications and challenges from introducing the new rules. Organisations cannot take the set-it-and-forget-it approach. Thought and consideration need to be given to the role of sub-contractors across the management of the CIRMP hazard vectors, which include: cyber, physical, supply chain and personnel.

Organisations must successfully shift towards a more secure, robust, risk-resilient asset management program. As part of that process, it’s critical to have challenging discussions with suppliers and asset owners/operators. The introduction of the CIRMPs is being felt beyond the owners and operators of the critical infrastructure. Those who supply and support the critical infrastructure also have a crucial role. Let’s consider two hazard vectors: supply chain and personnel, and take an all-hazards approach to determine how one impacts the other.

Collaboration and information exchanges are critical to assess the risk level in your supply chain accurately. A commercial agreement that was put in place before introducing the new regulations may no longer stack up. Does the usual compliance with law provisions extend far enough? Are the administrative costs of collating and handing over the relevant information, participating in risk assessments, or changing the nature of the services being provided?

Information exchange, collaboration and rethinking commercial and operational terms and conditions should be undertaken using a reasonably practicable approach. Resetting current commercial arrangements, entering future agreements or undertaking due diligence during acquisition will require considering how those who contribute to the ongoing operation of a critical asset will play their part in the continuing security and resilience.

The providers of information and operational technology services in the expanding energy renewables sector are more likely accustomed to ensuring that cyber security and personnel security controls are in place. By comparison, on-the-ground personnel operating and providing complex infrastructure keeps working may be harder to find given demand. Those personnel may also need to become more familiar with the controls required to address the cyber and personnel risks as they apply to their services.