New Australian Risk Legislation deep-dive: Managing your critical infrastructure with sub-contractors and personnel

Authors: James Mackay, Andrew Harris, Bruce Clarke

At a glance

Risk management regulations are now in place for organisations owning or operating critical infrastructure. The Security of Critical Infrastructure Act 2018 (SOCI Act) requires the entities responsible for defined critical infrastructure assets to develop, maintain and formally endorse a Critical Infrastructure Risk Management Program (CIRMP) for the assets covered by the rules. This article explores how that risk is managed across stakeholder groups, in particular sub-contractors and personnel.

In our earlier article on the requirements a CIRMP must address, we described how the program can be used as an opportunity to lift the maturity of organisation-wide risk management and risk culture. Beyond maturity, the new rules carry broader implications and challenges. Organisations cannot take a set-and-forget approach: the CIRMP must be reviewed and kept current, and thought needs to be given to the role of sub-contractors across each of the CIRMP hazard vectors, which are cyber, physical, supply chain and personnel.

Handling risk profiles outside of owners and operators

Organisations must shift towards a more secure, robust and risk-resilient asset management program. As part of that process, it is critical to have challenging discussions with suppliers and with the asset owners and operators themselves. The introduction of CIRMPs is being felt beyond the owners and operators of critical infrastructure: those who supply and support the infrastructure also have a crucial role. Let's consider two hazard vectors, supply chain and personnel, and take an all-hazards approach to determine how one affects the other.

Who’s paying for what?

Collaboration and information exchange are critical to assessing the risk level in your supply chain accurately. A commercial agreement that was put in place before the new regulations were introduced may no longer stack up. Do the usual compliance-with-law provisions extend far enough? Who bears the administrative costs of collating and handing over the relevant information, participating in risk assessments, or changing the nature of the services being provided?

Information exchange, collaboration and the rethinking of commercial and operational terms and conditions should be undertaken using a reasonably practicable approach. Resetting current commercial arrangements, entering into future agreements or undertaking due diligence during an acquisition will all require considering how those who contribute to the ongoing operation of a critical asset will play their part in its continuing security and resilience.


Factoring in the maturity levels of each sector

Providers of information and operational technology services in the expanding renewable energy sector are more likely to be accustomed to ensuring that cyber security and personnel security controls are in place. By comparison, the on-the-ground personnel who keep complex infrastructure operating may be harder to find given demand, and may be less familiar with the controls required to address the cyber and personnel risks as they apply to their services.

A guide to unlocking your organisation’s infrastructure risk resilience

If you own, manage or operate infrastructure, you already know about the new regulations requiring organisations to create a Critical Infrastructure Risk Management Program (CIRMP). In the first article in our CIRMP series we break down the impact on your business and provide guidance on next steps.