Not off the shelf: Tailoring your Critical Infrastructure Risk Management Program

Authors: James Mackay, Brendan Geary, Andrew Harris, Bruce Clarke

At a glance

Are your organisation’s current risk systems and frameworks aligned to the new Critical Infrastructure Risk Management Programs (CIRMP) legislation and at a level of maturity to support compliance?

What a program looks like for one organisation may be different for another. While the guidelines are consistent, the risk program output varies depending on the combination of industry and hazards. Notably, the lasting result of CIRMPs remains the same: more secure and resilient organisations.

It depends on where you are on your risk management maturity journey.

There are several minimum requirements to be met under the regulations, which guide what needs to be covered and how to address it. So why, given such extensive guidance, might the resulting program look quite different from one organisation to the next?

Organisations start from different places. The CIRMPs leverage existing risk frameworks and consider management systems and standards that may already be in place.

For organisations with mature risk management systems and frameworks, the task of putting together the CIRMP at a higher level, and knowing where to go looking for baseline risk and hazard information, may be a small one. Initially, focusing on ongoing maintenance and applying risk management assessments will take some heavy lifting.

Even for a mature risk profile, applying the regulations requires careful thought.

What approach are you taking to integrate and align the outcomes of your risk assessment to comply with the rules and your current framework? Let’s take an example. An assessment using an existing matrix may have resulted in a risk level within acceptable parameters. That same risk profile then requires the application of the principle of So Far as is Reasonably Practicable (SFAIRP) to safety or Occupational Health and Safety focused hazards.

Under the new CIRMP rules, SFAIRP will be used across cybersecurity, personnel, supply chain and physical/climate risks. The result may change once you apply the SFAIRP test, an all-hazards approach, and an impact threshold where the regulations give material risk guidance: you may end up with a risk outside your organisation’s risk appetite.

Given that the regulations provide threshold-level guidance for material risk, you can use a discrete impact matrix for CIRMP hazards and then maintain an overarching compliance approach for CIRMPs in your enterprise profile.

A guide to unlocking your organisation’s infrastructure risk resilience

Our final article discusses how organisations must successfully shift towards a more secure, robust, risk-resilient asset management program. As part of that process, it’s critical to have challenging discussions with suppliers and asset owners/operators in the wake of CIRMP.