The recent disruption in the medicine supply in Ljubljana has shown that risks and adverse events are not just theory, or something that happens only to others. The same can be said for the possibility of multi-million-dollar financial damage and “immeasurable damage to the company’s reputation and customer confidence”.

Beyond the case above, we know of many other business activities where loss events can have far greater and more dire consequences, including human casualties.

What does the term »critical infrastructure« stand for?

“Those facilities which are of key importance to the country, and whose disruption or destruction would have a significant impact and lead to serious consequences for national security, the economy, and other key social functions, health, safety, protection and well-being of the people,” are called critical infrastructure.

Based on the Critical Infrastructure Act (ZKI; Ur.l. RS, no. 75/17), the Slovenian Government established the criteria for determining the critical infrastructure of the Republic of Slovenia, their threshold values and the priorities for the operation of individual sectors, which are:

Energy (electricity supply, petroleum products, natural gas),
Transportation (railway, ports, airports),
Food (supply chain),
Drinking Water Supply,
Health Care (basic health care services and medical care),
Finance (money supply, state budget, payments),
Environmental Protection (pollution, radioactive contamination),
Electronic Information and Communication Networks and Systems.

Each of the above sectors has its sector lead, which is usually the competent ministry or, for finance, the Bank of Slovenia.

Responsibilities of Critical Infrastructure Owners and Operators

Critical infrastructure owners and operators are companies, state bodies, institutes and the Bank of Slovenia, which are responsible for its operation and protection. Under the Critical Infrastructure Act, they all have three key responsibilities:

They must produce critical infrastructure protection planning documents. These include the risk assessment and the critical infrastructure protection measures, for which they must also obtain the approval of the critical infrastructure sector lead.

They must also take all necessary measures to protect critical infrastructure, distinguishing between permanent and additional measures. The former need to be implemented continuously, whereas the additional measures are required in case of increased risk, an emergency or a crisis.

Their third key task is informing and reporting: they must inform the sector lead of any critical infrastructure disruption and of the protection measures implemented. Reporting takes the form of an annual report that operators submit to the sector lead by the end of February for the previous year.

Critical Infrastructure Risk Assessment

Pursuant to the Critical Infrastructure Act, the Ministry of Defence adopted the Guideline for Risk Assessment for the operation of the critical infrastructure of the Republic of Slovenia. A risk assessment must include:

– the professional guidance of the competent critical infrastructure sector lead (that is, the ministries and the Bank of Slovenia),
– a description of the state of critical infrastructure under regular operating conditions,
– a list of identified sources of risk for the operation of critical infrastructure,
– descriptive analysis and evaluation of sources of risk for critical infrastructure operation.

A key part of the risk assessment is the identification of the sources of risk and their analysis, in which the operator determines:

– the likelihood of the source of the risk being realized,
– the severity of the potential harm arising from the realization of the source of the risk,
– the potential impacts of realizing the source of risk on business processes,
– other factors.


The Guideline for Risk Assessment also stipulates that “operators may use applicable risk management standards and risk assessment methods when making risk assessments and take into account existing threat and risk assessments for the performance of critical infrastructure activities.”

Protecting Critical Infrastructure from Regulation to Practice

Let me also tell you why I feel comfortable discussing such a complex topic: I have been personally involved in the field of security of persons and property for more than 25 years, and have therefore worked with most critical infrastructure operators and some sector stakeholders. In addition, I have also been working with SBR colleagues on risk management for over a year.

Experience shows that we do not take risk management seriously enough and give it (too) little attention, which is understandable, as we have yet to develop a business culture and gain experience in this area.

Today, risk management is usually limited to security and protection, implemented through organizational and technical measures and security services and, more recently, also through information security.

In the majority of cases, risks are dealt with only by individuals such as security or risk managers, who usually do not have enough influence to steer more serious action. Worse, the area is often placed under quality management and treated merely as one of the administrative activities.

However, this is not enough, as risk management is a far more complex and broader concept than just protecting or monitoring data. The same goes for critical infrastructure security, where an individual cannot cope with the difficulty of the task alone.

In risk management, the rule is that planning proceeds from the top down, and implementation of the planned actions from the bottom up. This is why we can really reduce risks only when they become part of the safety culture of all employees, one that is respected at all times and in all areas.

Companies and organizations that operate critical infrastructure will formally fulfil their obligations under the Critical Infrastructure Act and other regulations, but leave everything else as it was. As said before, the reason for this is (usually) that they do not have the adequate knowledge and experience to manage risks comprehensively.

If you would like to learn more on comprehensive approaches to risk assessment and management and their transition from planning to practice, let us know.

P.S.: If you have a question about risk management, you need help, or you want to leave me a comment, feel free to send me a message directly at [email protected].


Contact our team if you need help with risk assessment.

For more information about risk management follow our LinkedIn & Twitter account. You can join the debate in Linkedin group ERM – ENTERPRISE RISK MANAGEMENT.

Bribery, the most common form of corruption, was once considered a fairly common and socially acceptable practice in the business and private spheres. However, in the last twenty years business rules around the world in particular have changed considerably, which has led to a sharp tightening of anti-corruption legislation.

In the European Community, this happened after the amended OECD Convention against Corruption entered into force in 2009. In Slovenia, the Integrity and Prevention of Corruption Act (ZIntPK) has been in force since 2011; it also governs the operation of the Commission for the Prevention of Corruption.

The common denominator of these new laws is high penalties for companies and individuals and the so-called extraterritorial reach in prosecuting offenders. This means that bribery committed by employees abroad can be punishable by imprisonment for the directors of the parent company.

The harmful practices of giving and accepting bribes therefore pose a major business risk that threatens the financial and legal position and the reputation of companies and individuals.

From a legal point of view, companies and individuals are held responsible for active and passive bribery at home and abroad. The financial consequences of corruption are the irrational spending of money, high fines, and the costs of legal proceedings that last for several years.

Companies found guilty of corruption lose their reputation, including the favour of the media, customers, suppliers and other business partners, which can even jeopardize their very existence.

Investigations of corrupt practices also cause operational delays and obstacles that slow down the operation of the company and the fulfilment of its obligations to customers and business partners in general.

Bribery in numbers

Due to the prevalence of bribery and its destructive effect, companies and other organizations began introducing Anti-Bribery Management Systems (ABMS).
In October 2016, the first ISO standard on the subject, “Anti-bribery management systems”, was adopted as ISO 37001:2016.
The standard is intended to prevent bribery by employees or representatives acting on behalf of, or for the benefit of, an organization, whether they act corruptly for the benefit of the organization or for their own benefit.
It also helps companies and organizations to establish an ethical culture and practices with zero tolerance for corruption. It makes it easier for business partners to identify companies that are actively fighting bribery. In the future, this may become a condition and a competitive advantage over comparable bidders in (public) procurement procedures.
The ISO 37001 management system determines the scope of the organization’s anti-corruption compliance and operates on the principle of the PDCA (Plan-Do-Check-Act) Deming cycle:

Plan: assessing the risks of corruption according to the characteristics of the organization. This allows the identification of risk areas and the status of current control measures.

Do: formulating policy, determining responsibilities and the means to ensure compliance with anti-corruption requirements, delegating decision-making, and introducing support procedures, operational controls and action objectives for the identified risks of bribery.

Act: improvements and updates to anti-corruption prevention and control mechanisms, in view of deficiencies and non-conformities identified during day-to-day operations, inspections or audits.



Providing protection for whistleblowers

Most organizations identify bribery in their business in one of three ways: 31 per cent through internal audits, 29 per cent through due diligence in mergers or acquisitions, and 17 per cent through whistleblowers.

Among other things, ISO 37001 requires the introduction of procedures that allow employees to report suspicions of corruption through anonymous reporting channels. The confidentiality of the content of the reports must be ensured, and all forms of retaliation against whistleblowers prevented. Based on the rules and training, employees need to know whom they can turn to if they encounter corruption-related issues in their work.


And what are the key benefits of a management system for preventing corruption?

Ethical culture of the organization. One of the most durable safeguards against bribery is the moral culture of the organization, which starts from the top down, with management communicating with employees, showing commitment and personal example, and introducing systemic measures such as an ABMS.

Employees and managers understand their roles. The system clearly sets out the responsibilities of exposed individuals and ensures that they know their role in preventing bribery.

Message to business partners. The anti-corruption system signals to business partners that the organization is actively combating bribery. In this way, it discourages suppliers from even attempting corruption.

Easy integration with other management systems. The ISO 37001 system can operate alone or in conjunction with other ISO management systems. This is ensured by its common high-level structure, which enables the harmonization of audits and reporting across different standards.

Reduction of business risks. By strengthening the ethical culture of the organization, the bribery prevention system, clearly defined responsibilities of exposed persons, reporting channels and open communication with business partners, exposure to the risks of corrupt activities and their consequences is also reduced.

As we know, there is no such thing as complete security. The same is true of corruption, which cannot be eliminated because of the human factor of corrupt individuals.

However, by introducing a system such as ISO 37001 and consistently implementing organizational and control measures, we can add a further layer of protection and at least significantly reduce the risk of bribery.



SOURCES (in Slovene language)
– Komisija za preprečevanje korupcije: Ocena stanja korupcije v RS v letu 2016; 2017
– Bureau Veritas: Sistemi vodenja za preprečevanje podkupovanja/Vgrajevanje kulturnih sprememb z ISO 37001; 2019

[GUEST AUTHOR]: doc. dr. Brane Bertoncelj, Former director of cash management department at the Bank of Slovenia

Risk is a personal, professional and social burden. “How safe is safe enough?” is the common denominator of the increasingly difficult decision-making involved in identifying an acceptable risk in a precarious social environment.

Risk perception requires us to assess probability and to think intelligently and deductively about an unlikely but relevant emergency. Usually, the individual attributes a probabilistic nature to the event, assesses it as more or less probable, and makes risk management decisions accordingly.

Risk perception

However, the process of risk perception is limited by our mental and physical perception, since an individual can only process the stimuli and cognitions that he/she perceives. This is why risk perception is a very personal decision-making process based on a frame of reference that an individual has developed throughout his/her life. Consequently, the central issue in risk perception is the multifaceted understanding of the individual as a risk assessor, and of the ways he/she thinks, feels and acts on a hazard, a threat and the associated risks.

Self-perception of risk is, in fact, fraught with flaws, as it is influenced by many factors: in particular the personal characteristics of the assessor, the fatality of the consequences, high damage, loss of reputation, impact on future generations, involuntary exposure to threats, ignorance of the threat, recent emergencies, inadequate sources of information, distrust of authority, media attention, etc.

The results of psychological experiments show that an individual is not the best risk assessor, and that in the face of uncertainty he/she systematically violates the principles of rational decision-making. Risk management thus does not meet the basic requirements of reasonableness and consistency, since risk perception is influenced most by personal experience, foresight, thinking, feelings and desires.

Risk perception is therefore rarely completely rational. Instead, the individual perceives risk using a mix of cognitive skills (e.g. assessment of evidence, use of arguments and logic to reach a conclusion) and emotional assessment (intuition or imagination). The process is further aggravated by overconfidence in the correctness of one’s own judgement, in which an individual too often trusts his/her own judgement, even when it is incorrect.

Such overconfidence is dangerous, as it shows that we are often unaware of how little we know about potential threats and risks, and how much additional information and interdisciplinary work we would still need. This excessive self-confidence is also fuelled by the individual’s desire for certainty, which often manifests as a denial of uncertainty. In this respect, the asymmetry between profit and loss is also interesting (an individual prefers to believe he/she is playing a game with high profits, even though he/she may end up with nothing).

As seen above, risk perception is a very complex process, based more on theoretical analysis than on direct experience. Risk perception contains at least two sources of uncertainty, namely the natural uncertainty of the event (the uncertainty that needs to be assessed) and the uncertainty arising from the risk assessor’s lack of expertise, knowledge and information. In practice, however, these two uncertainties are intertwined and cannot be cleanly separated.

Based on good practices and my own experience, I suggest the following activities to improve risk perception:

When anticipating what will happen, try to reduce pessimism. Pessimism feeds feelings of fear and causes you to assess the risk as higher than it is.

Because of our need for control, we often perceive that we have more control over a situation than we actually do. This “illusion of control” leads us to perceive the risk as a lesser threat than it is.

Risks we have not encountered before make us think about them more, and we therefore evaluate them as riskier.

Choosing between two equally risky options can cause the risk to be perceived as lower than it actually is, probably because the possibility of choosing gives us a sense of control.

If a risk is getting a lot of public attention, it is rated as more important than it really is, because of the availability heuristic.

If we are personally exposed to a risk, we rate it higher.

If opportunities and risks are intertwined, and the choice could lead to benefits, we may perceive the actual risk as lower than it is.

When a risk involves the actions of others, how we assess it depends significantly on how much we trust the parties involved.

An individual’s risk perception is established subconsciously and quickly by his/her mind (the amygdala), even before the actual facts are known. This snap instinct may be useful for avoiding simple and immediate dangers, but it is not the most thoughtful way to figure out what to do about complex future threats.

One can be overly optimistic when the details are unclear. Try to imagine threats as more serious and more imminent than they appear.


