Not off the shelf: Tailoring your Critical Infrastructure Risk Management Program

What a program looks like for one organisation may be different for another. While the guidelines are consistent, the risk program output varies depending on the combination of industry and hazards. Notably, the lasting result of CIRMPs remains the same: more secure and resilient organisations.

There are several minimum requirements to be met under the regulations, which guide what needs to be covered and how to address it. So why is it that with some extensive guidance, things might look quite different depending on the organisation?

Organisations start from different places. The CIRMPs leverage existing risk frameworks and consider management systems and standards that may already be in place.

For organisations with mature risk management systems and frameworks, the task of putting together the CIRMP at a higher level, and knowing where to go looking for baseline risk and hazard information, may be a small one. Initially, focusing on ongoing maintenance and applying risk management assessments will take some heavy lifting.

What approach are you taking to integrate and align the outcomes of your risk assessment to comply with the rules and your current framework? Let’s take an example. An assessment using an existing matrix may have resulted in a risk level within acceptable parameters. That same risk profile then requires the application of the principle of So Far as is Reasonably Practicable (SFAIRP) to safety or Occupational Health and Safety focused hazards.

Under the new CIRMP rules, SFAIRP will be used across cybersecurity, personnel, supply chain and physical/climate risks. The result may change by applying the SFAIRP test, an all-hazards approach, and an impact threshold where material risk guidance is given via the regulations. You may end up with a risk outside your organisation’s risk appetite?

Given that the regulations provide threshold-level guidance for material risk, you can use a discreet impact matrix for CIRMP hazards and then maintain an overarching compliance approach for CIRMPs in your enterprise profile.

• In addition to looking at the structure and content of internal risk management systems, organisations developing, maturing and monitoring their CIRMPs should also consider how previously adopted management standards or models are being implemented. By their very nature, the applications of prototypes and maturity models support better practice, not just in day-to-day operations but also in risk management. The new regulations cover this cyber risk by outlining four frameworks (or their equivalent) for compliance.
• Many other standards may be relevant for your organisation to reference in the final or future versions of the CIRMPs, e.g., ISO27001 Information Security Management, ISO55000 Asset Management, ISO 22301 Business Continuity ISO: 31000 Risk Management. Track the alignment between standards, business and risk management systems and how they inform your CIRMP.
• With a global escalation in security threats, building a more risk-aware and resilient organisation protects and promotes value. The August deadline provided a significant initial step in reflecting and taking stock. Getting the most value out of the exercise will require:
  • Ongoing monitoring of internal and external risks.
  • Testing of controls.
  • Internal and external reviews.
  • Audits to track progress.
  • Keeping your risk and management systems up to date and “speaking to each other”.