The recent disruption in the medicine supply in Ljubljana has proven that risks and adverse events are not just a theory, or something that happens only to others. The same can be said for the possible occurrence of multi-million-dollar financial damage and “immeasurable damage to the company’s reputation and customer confidence”.

In addition to the occurrence above, we know of many other business activities where loss events can have far greater and dire consequences, including human casualties.

What does the term "critical infrastructure" stand for?

“Those facilities which are of key importance to the country, and whose disruption or destruction would have a significant impact and lead to serious consequences for national security, the economy, and other key social functions, health, safety, protection and well-being of the people,” are called critical infrastructure.

Based on the Critical Infrastructure Act (ZKI; Ur.l. RS, no. 75/17), the Slovenian Government established the criteria for determining the critical infrastructure of the Republic of Slovenia, their limit values and the priorities for the operation of the individual sectors, which are:

Energy (electricity supply, petroleum products, natural gas),
Transportation (railway, ports, airports),
Food (supply chain),
Drinking Water Supply,
Health Care (basic health care services and medical care),
Finance (money supply, state budget, payments),
Environmental Protection (pollution, radioactive contamination),
Electronic Information and Communication Networks and Systems.

Each of the above sectors has its head, which is usually a ministry or the Bank of Slovenia.

Responsibilities of Critical Infrastructure Owners and Operators

Critical infrastructure owners and operators are companies, state bodies, institutes and the Bank of Slovenia, which are also responsible for its operation and protection. Under the Critical Infrastructure Act, they all have three key responsibilities:

They must produce critical infrastructure planning documents. These include the risk assessment and the critical infrastructure protection measures, for which they must also obtain the approval of the critical infrastructure sector head.

They must also take all necessary measures to protect critical infrastructure, distinguishing between permanent and additional measures. Permanent measures must be implemented continuously, whereas additional measures are required in the event of increased risk, an emergency or a crisis.

Their third key task is informing and reporting. Informing means notifying the sector head of any critical infrastructure disruption and of the protection measures implemented. Reporting, on the other hand, is an annual report that the operators submit to the sector head by the end of February for the previous year.

Critical Infrastructure Risk Assessment

Pursuant to the Critical Infrastructure Act, the Ministry of Defence adopted the Guideline for Risk Assessment for the operation of critical infrastructure of the Republic of Slovenia, which must include:

– the professional guidance of the competent head of the critical infrastructure sector (that is, the ministries and the Bank of Slovenia),
– a description of the state of critical infrastructure under regular operating conditions,
– a list of identified sources of risk for the operation of critical infrastructure,
– a descriptive analysis and evaluation of the sources of risk for critical infrastructure operation.

A key part of risk assessment is the identification of the sources of risk and their analysis, in which the operator identifies:

– the likelihood of the source of the risk being realized,
– the severity of the potential harm arising from the realization of the source of the risk,
– the potential impacts of realizing the source of risk on business processes,
– other factors.


The Guideline for Risk Assessment also stipulates that “managers may use applicable risk management standards and risk assessment methods when making risk assessments and take into account existing threat and risk assessments to perform critical infrastructure activities.”

Protecting Critical Infrastructure from Regulation to Practice

Let me also tell you why I feel comfortable discussing such a complex topic: I have been personally involved in the field of security of persons and property for more than 25 years, and have therefore worked with most critical infrastructure operators and some sector stakeholders. In addition, I have been working with SBR colleagues on risk management for over a year.

Experience shows that we do not take risk management seriously enough and give it (too) little attention, which is also understandable, as we have (yet) to develop a business culture and gain experience in this area.

Today, risk management is usually limited to security/protection, implemented through organizational and technical measures and security services, and, more recently, also through information security.

In the majority of cases, risks are dealt with only by individuals such as security or risk managers, who usually do not have enough influence on management to push for more serious action. Moreover, the area is often placed under quality management and treated merely as one of the administrative activities.

However, this is not enough, as risk management is a far more complex and broader concept than merely protecting or monitoring data. The same goes for critical infrastructure security, where an individual alone cannot cope with the difficulty of the task.

In risk management, the rule is that planning proceeds from the top down, and the implementation of the planned actions from the bottom up. This is why we can really reduce risks only when they become part of a safety culture shared by all employees and respected at all times and in all areas.

Pursuant to the Critical Infrastructure Act and other regulations, companies and organizations that operate critical infrastructure will fulfil their formal obligations, but otherwise leave everything as it is. As said before, the reason for this is (usually) that they do not have the adequate knowledge and experience to manage risks comprehensively.

If you would like to learn more on comprehensive approaches to risk assessment and management and their transition from planning to practice, let us know.

P.S.: If you have a question about risk management, need help, or want to leave me a comment, feel free to send me a message directly at [email protected].

***

Contact our team if you need help with risk assessment.

For more information about risk management follow our LinkedIn & Twitter account. You can join the debate in Linkedin group ERM – ENTERPRISE RISK MANAGEMENT.

Content on risk management often seems theoretical, something that has little to do with reality. This is why this time I am presenting a practical example of how we identified the main risks, which in a worst-case scenario could have jeopardized the very existence of our company, and took measures to prevent their realization.

It happened years ago, when I was working in an information technology company. As part of our preparations for obtaining the ISO 27001 certificate, we also needed to assess the risks. Our approach was not just a formality to meet the requirements of the standard, but a very practical one, aimed at preventing the risks we identified.

We soon agreed that the heart of our activity was the servers and their supporting equipment. If anything affected this infrastructure, we would be unable to perform most of our services. This is why we addressed this issue first.

We identified two main risks for the server room, namely unauthorized access and fire.

To protect the room against unauthorized access or burglary, we installed an anti-burglary door and significantly restricted entry with an access control system. To protect the room from fire, we started monitoring the room temperature and installed an automatic fire alarm system, which was later extended to other areas too. We also agreed to store backups off-site and coordinated a protocol for rapid notification and intervention with the security service in the event of an alarm being triggered.

Among the measures, we also considered the installation of a fixed automatic fire extinguishing system and the possibility of running the servers at another location, but we decided not to pursue them.

Another crucial factor for our business was the Internet, because we performed the majority of our services remotely. And when, for example, the main fibre-optic connection was carelessly cut during construction work, we were left without Internet access for almost a day.

Besides the fact that we were unable to offer support to our customers, this seemingly small incident had severe financial implications for us. Each hour without Internet meant a revenue loss of between 500 and 1000 euros.

To increase our network reliability, we arranged Internet access through two operators, ensuring that the two network connections were physically separate.
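As an added example (not code from the original post), the following Python script applies the Guideline's three factors (likelihood, severity of harm, impact on business processes) to the Internet outage described above and checks whether a second operator connection is worth its yearly cost. The hourly loss of 500 to 1000 euros and the roughly one-day outage come from the post; the outage frequency, the residual downtime with a second connection and the second connection's yearly cost are assumed values.

```python
# Added example: quantify the post's Internet-outage risk and check whether the
# second-operator connection pays for itself. Values marked "assumed" are not from the post.
from dataclasses import dataclass

@dataclass(frozen=True)
class RiskScenario:
    """One source of risk, described with the Guideline's three factors."""
    name: str
    loss_per_hour: tuple[float, float]  # severity of harm: EUR per hour (low, high)
    hours_per_event: float              # impact on business processes: downtime per event
    events_per_year: float              # likelihood: expected realizations per year

def single_loss_expectancy(s: RiskScenario) -> tuple[float, float]:
    """Loss range in EUR for one realization of the source of risk."""
    low, high = s.loss_per_hour
    return (low * s.hours_per_event, high * s.hours_per_event)

def annualized_loss_expectancy(s: RiskScenario) -> tuple[float, float]:
    """Expected yearly loss range in EUR: single loss x expected events per year."""
    sle_low, sle_high = single_loss_expectancy(s)
    return (sle_low * s.events_per_year, sle_high * s.events_per_year)

def net_benefit(before: RiskScenario, after: RiskScenario, annual_cost: float) -> tuple[float, float]:
    """Yearly risk reduction minus the measure's yearly cost, for the low and high bound."""
    b_low, b_high = annualized_loss_expectancy(before)
    a_low, a_high = annualized_loss_expectancy(after)
    return (b_low - a_low - annual_cost, b_high - a_high - annual_cost)

def measure_is_worthwhile(before: RiskScenario, after: RiskScenario, annual_cost: float) -> bool:
    """Conservative rule: adopt the measure only if it pays off even at the low bound."""
    return net_benefit(before, after, annual_cost)[0] > 0

# The post's case: one fibre connection, cut during construction work.
SINGLE_LINK = RiskScenario("Internet outage, single operator",
                           loss_per_hour=(500.0, 1000.0),  # from the post
                           hours_per_event=20.0,           # "almost a day" (assumed 20 h)
                           events_per_year=0.5)            # assumed: one such cut every two years

# After the measure: a second, physically separate operator; only failover time is lost.
DUAL_LINK = RiskScenario("Internet outage, two operators",
                         loss_per_hour=(500.0, 1000.0),
                         hours_per_event=0.5,              # assumed residual downtime per event
                         events_per_year=0.5)
SECOND_OPERATOR_COST = 2400.0  # assumed: EUR per year for the second connection

if __name__ == "__main__":
    print("yearly loss before:", annualized_loss_expectancy(SINGLE_LINK))
    print("net benefit:", net_benefit(SINGLE_LINK, DUAL_LINK, SECOND_OPERATOR_COST),
          "worthwhile:", measure_is_worthwhile(SINGLE_LINK, DUAL_LINK, SECOND_OPERATOR_COST))
```

The same three functions can rate the server-room risks (unauthorized access, fire) once a loss-per-hour and an expected frequency are estimated for them, which is how the measures considered but not adopted (fixed extinguishing system, second location) can be compared on the same basis.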

These are just a few of the measures we took on the basis of the risk assessment. In a similar way, we analyzed all the processes in the company, from the treatment of employees to sales, procurement, development and the execution of orders, and took measures for each department separately.

P.S.: If you find this article interesting, you can learn more here:

How to identify risks?
How to manage risks systematically?
How to define “a risk”?
