The recent disruption of the medicine supply in Ljubljana has shown that risks and adverse events are not just theory, or something that happens only to others. The same can be said of multi-million financial losses and "immeasurable damage to the company's reputation and customer confidence".

In addition to the event above, we know of many other business activities where loss events can have far greater and more dire consequences, including human casualties.

What does the term "critical infrastructure" stand for?

"Critical infrastructure" is defined as "those facilities which are of key importance to the country, and whose disruption or destruction would have a significant impact and lead to serious consequences for national security, the economy, and other key social functions, and for the health, safety, protection and well-being of the people."

Based on the Critical Infrastructure Act (ZKI; Ur. l. RS, no. 75/17), the Slovenian Government established the criteria for determining the critical infrastructure of the Republic of Slovenia, their threshold values, and the priorities for the operation of the individual sectors, which are:

Energy (electricity supply, petroleum products, natural gas),
Transport (railways, ports, airports),
Food (supply chain),
Drinking water supply,
Health care (basic health care services and medical care),
Finance (money supply, state budget, payments),
Environmental protection (pollution, radioactive contamination),
Electronic information and communication networks and systems.

Each of the above sectors has a sector lead (nosilec sektorja), which is usually the competent ministry or the Bank of Slovenia.

Responsibilities of Critical Infrastructure Owners and Operators

Critical infrastructure owners and operators are the companies, state bodies, institutes and the Bank of Slovenia that own critical infrastructure and are also responsible for its operation and protection. Under the Critical Infrastructure Act, they all have three key responsibilities:

They must produce critical infrastructure protection planning documents. These include the risk assessment and the critical infrastructure protection measures, and they must obtain the approval of the sector lead for them.

They must also take all necessary measures to protect critical infrastructure, distinguishing between permanent and additional measures. Permanent measures are implemented continuously, whereas additional measures are introduced in the event of increased risk, an emergency or a crisis.

Their third key task is informing and reporting. Informing means notifying the sector lead of any disruption of critical infrastructure operation and of the protection measures implemented; reporting means the annual report that operators submit to the sector lead by the end of February for the previous year.

Critical Infrastructure Risk Assessment

Pursuant to the Critical Infrastructure Act, the Ministry of Defence adopted the Guideline for Risk Assessment for the Operation of the Critical Infrastructure of the Republic of Slovenia. A risk assessment must include:

– the professional guidance of the competent sector lead (that is, the ministries and the Bank of Slovenia),
– a description of the state of the critical infrastructure under regular operating conditions,
– a list of the identified sources of risk to the operation of the critical infrastructure,
– a descriptive analysis and evaluation of the sources of risk to the operation of the critical infrastructure.

A key part of the risk assessment is the identification of the sources of risk and their analysis, in which the operator determines:

– the likelihood that the source of risk will materialize,
– the severity of the potential harm arising from its materialization,
– the potential impact of its materialization on business processes,
– other factors.


The Guideline for Risk Assessment also stipulates that "operators may use applicable risk management standards and risk assessment methods when preparing risk assessments, and may take into account existing threat and risk assessments for the performance of critical infrastructure activities."

Protecting Critical Infrastructure: from Regulation to Practice

Let me also tell you why I feel comfortable discussing such a complex topic: I have been personally involved in the field of the security of persons and property for more than 25 years, and have therefore worked with most critical infrastructure operators and some sector stakeholders. In addition, I have been working with my SBR colleagues on risk management for over a year.

Experience shows that we do not take risk management seriously enough and give it (too) little attention, which is understandable, as we have yet to develop a business culture and gain experience in this area.

Today, risk management is usually limited to security and protection, implemented through organizational and technical measures and security services and, more recently, also through information security.

In the majority of cases, risks are dealt with only by individuals such as security or risk managers, who usually do not have enough influence to push through more serious action. Moreover, the area is often placed under quality management and treated merely as one of the administrative activities.

This is not enough, however, because risk management is a far more complex and broader concept than just protecting assets or monitoring data. The same goes for critical infrastructure protection, where no individual can cope with the difficulty of the task alone.

In risk management, the rule is that planning proceeds from the top down and the implementation of the planned measures from the bottom up. This is why risks are only really reduced once their management becomes part of a security culture that all employees respect at all times and in all areas.

Companies and organizations that operate critical infrastructure will fulfil their formal obligations under the Critical Infrastructure Act and other regulations, but otherwise leave everything as it was. As said before, the reason for this is (usually) that they lack the knowledge and experience to manage risks comprehensively.

If you would like to learn more about comprehensive approaches to risk assessment and management and their transition from planning to practice, let us know.

P.S.: If you have a question about risk management, need help, or want to leave me a comment, feel free to send me a message directly at [email protected].


Contact our team if you need help with risk assessment.

For more information about risk management follow our LinkedIn & Twitter account. You can join the debate in Linkedin group ERM – ENTERPRISE RISK MANAGEMENT.

Bribery, the most common form of corruption, was once considered a fairly common and socially acceptable practice in both business and private life. In the last twenty years, however, the rules of business around the world have changed considerably, leading to a sharp tightening of anti-corruption legislation.

In Europe this followed the OECD Anti-Bribery Convention and the 2009 OECD Recommendation that strengthened it. In Slovenia, the Integrity and Prevention of Corruption Act (ZIntPK) has been in force since 2010; it also governs the operation of the Commission for the Prevention of Corruption.

The common denominator of these new laws is high penalties for companies and individuals and so-called extraterritorial reach in prosecuting offenders. This means that bribery committed by employees abroad can lead to prison sentences for the directors of the parent company.

Giving and accepting bribes therefore poses a major business risk that threatens the financial and legal position and the reputation of companies and individuals.

From a legal point of view, companies and individuals are held liable for active and passive bribery, at home and abroad.
The financial consequences of corruption are wasted money, high fines, and the costs of legal proceedings that drag on for years.

Companies found guilty of corruption lose their reputation, and with it the goodwill of the media, customers, suppliers and other business partners, which can even jeopardize their very existence.

Investigations of corrupt practices also cause operational delays and obstacles that slow down the company's operations and the fulfilment of its obligations to customers and business partners in general.

Bribery in numbers

Because of the prevalence of bribery and its destructive effects, companies and other organizations began introducing anti-bribery management systems (ABMS).
In October 2016 the first ISO standard for anti-bribery management systems was adopted as ISO 37001:2016.
It is intended to prevent bribery by employees or representatives acting on behalf of or in the name of an organization, whether they act corruptly for the benefit of the organization or for their own benefit.
It also helps companies and organizations establish an ethical culture and practices with zero tolerance for corruption, and makes it easier for business partners to identify companies that actively combat bribery. In the future this may become a condition for, and a competitive advantage in, (public) procurement procedures.
The ISO 37001 management system defines the scope of the organization's anti-bribery compliance and operates on the Plan-Do-Check-Act (PDCA) cycle:

Plan: assessing the risks of corruption according to the characteristics of the organization. This identifies the risk areas and the status of the current control measures.

Do: formulating the policy, assigning responsibilities and the means to ensure compliance with the anti-bribery requirements, delegating decision-making, and introducing supporting procedures, operational controls and action objectives for the identified bribery risks.

Act: improving and updating the anti-bribery prevention and control mechanisms in light of the deficiencies and nonconformities identified during day-to-day operation, inspections or audits.



Providing protection for whistleblowers

Most organizations discover bribery in their business in one of three ways: 31 per cent through internal audits, 29 per cent through due diligence in mergers or acquisitions, and 17 per cent through whistleblowers.

Among other things, ISO 37001 requires procedures that allow employees to report suspected corruption through anonymous reporting channels. The confidentiality of the reports must be ensured and all forms of retaliation against whistleblowers prevented. Through rules and training, employees need to know whom they can turn to if they encounter corruption-related issues in their work.


And what are the key benefits of a management system for preventing corruption?

Ethical culture of the organization. One of the most durable safeguards against bribery is an ethical culture that starts at the top, with management's communication with employees, its commitment and personal example, and the introduction of systemic measures such as an ABMS.

Employees and managers understand their roles. The system clearly sets out the responsibilities of exposed individuals and ensures that they know their role in preventing bribery.

Message to business partners. The anti-bribery system signals to business partners that the organization actively combats bribery, which discourages suppliers from even attempting corruption.

Easy integration with other management systems. The ISO 37001 system can operate on its own or together with other ISO management systems; its common high-level structure allows audits and reporting to be harmonized across the different standards.

Reduction of business risks. The strengthened ethical culture, the anti-bribery system itself, clearly defined responsibilities of exposed persons, reporting channels and open communication with business partners together reduce the exposure to corrupt activities and their consequences.

As we know, there is no such thing as complete security. The same is true of corruption, which cannot be eliminated because of the human factor, that is, corrupt individuals.

However, by introducing a system such as ISO 37001 and consistently implementing organizational and control measures, we can add an additional layer of protection and at least significantly reduce the risk of bribery.

SOURCES (in Slovene language)
– Komisija za preprečevanje korupcije: Ocena stanja korupcije v RS v letu 2016; 2017
– Bureau Veritas: Sistemi vodenja za preprečevanje podkupovanja/Vgrajevanje kulturnih sprememb z ISO 37001; 2019

Content on risk management often seems theoretical and remote from reality. This is why this time I am presenting a practical example of how we identified the main risks and took measures to prevent them from materializing, since in a worst-case scenario they could have jeopardized the very existence of our company.

It happened years ago, when I was working in an information technology company. As part of our preparations for ISO 27001 certification we also needed to assess our risks. Our approach was not just a formality to meet the requirements of the standard, but a very practical one aimed at preventing the risks we identified.

We soon agreed that the heart of our business was the server room and its equipment. If anything affected that infrastructure, we would not be able to perform most of our services, so we addressed this issue first.

We identified two main risks to the server room: unauthorized access and fire.

To protect the room against unauthorized access and burglary, we installed a security door and significantly restricted entry with an access control system. To protect it from fire, we started monitoring the room temperature and installed an automatic fire alarm system, which we later extended to other areas too. We also agreed to store backups off-site and coordinated a protocol for rapid notification and intervention with the security service in the event of an alarm.

We also considered installing a fixed automatic fire suppression system and running the servers at another location, but decided not to follow through with these measures.

Another crucial factor for our business was the Internet, because we provided most of our services remotely. When, for example, the main fibre-optic connection was carelessly cut during construction work, we were left without Internet access for almost a day.

Apart from being unable to support our customers, this seemingly small incident had severe financial implications for us: each hour without Internet meant a revenue loss of between 500 and 1,000 euros.

To increase the reliability of our network, we arranged Internet access through two operators, making sure that the two connections were physically separate.

These are just a few of the measures we took on the basis of the risk assessment. In the same way we analyzed all the processes in the company, from the treatment of employees to sales, procurement, development and order fulfilment, and took measures for each department separately.

P.S.: If you found this article interesting, you can learn more here:

How to identify risks?
How to manage risks systematically?
How to define “a risk”?
