How to reduce critical infrastructure risks by enhancing the security culture among employees?

The recent disruption in the medicine supply in Ljubljana has proven that risks and adverse events are not just a theory, or something that happens only to others. The same can be said for the possible occurrence of multi-million-dollar financial damage and “immeasurable damage to the company’s reputation and customer confidence”.

In addition to the occurrence above, we know of many other business activities where loss events can have far greater and dire consequences, including human casualties.

What does the term »critical infrastructure« stand for?

“Those facilities which are of key importance to the country, and whose disruption or destruction would have a significant impact and lead to serious consequences for national security, the economy and other key social functions, health, safety, protection and the well-being of the people” are called critical infrastructure.

Based on the Critical Infrastructure Act (ZKI; Ur.l. RS, no. 75/17), the Slovenian Government established the criteria for determining the critical infrastructure of the Republic of Slovenia, their threshold values and the priorities for the operation of the individual sectors, which are:

Energy (electricity supply, petroleum products, natural gas),
Transportation (railway, ports, airports),
Food (supply chain),
Drinking Water Supply,
Health Care (basic health care services and medical care),
Finance (money supply, state budget, payments),
Environmental Protection (pollution, radioactive contamination),
Electronic Information and Communication Networks and Systems.

Each of the above sectors has a designated sector lead, which is usually the competent ministry or the Bank of Slovenia.

Responsibilities of Critical Infrastructure Owners and Operators

Critical infrastructure owners and operators are companies, state bodies, institutes and the Bank of Slovenia, and they are responsible for its operation and protection. Under the Critical Infrastructure Act, they all have three key responsibilities:

First, they must prepare critical infrastructure planning documents. These include the risk assessment and the critical infrastructure protection measures, and the operator must obtain the approval of the sector lead for them.

Second, they must take all necessary measures to protect critical infrastructure, distinguishing between permanent and additional measures. Permanent measures are implemented continuously, whereas additional measures are introduced in case of increased risk, an emergency or a crisis.

Third, they must inform and report. Informing means notifying the sector lead of any disruption of critical infrastructure and of the protection measures implemented. Reporting means an annual report that operators submit to the sector lead by the end of February for the previous year.

Critical Infrastructure Risk Assessment

Pursuant to the Critical Infrastructure Act, the Ministry of Defence adopted the Guideline for Risk Assessment for the Operation of Critical Infrastructure of the Republic of Slovenia. A risk assessment must include:

– the professional guidance of the competent sector lead (that is, the ministries and the Bank of Slovenia),
– a description of the state of critical infrastructure under regular operating conditions,
– a list of identified sources of risk for the operation of critical infrastructure,
– descriptive analysis and evaluation of sources of risk for critical infrastructure operation.

A key part of risk assessment is the identification of the sources of risk and their analysis, in which the operator identifies:

– the likelihood of the source of the risk being realized,
– the severity of the potential harm arising from the realization of the source of the risk,
– the potential impacts of realizing the source of risk on business processes,
– other factors.


The Guideline for Risk Assessment also stipulates that “managers may use applicable risk management standards and risk assessment methods when making risk assessments and take into account existing threat and risk assessments for the performance of critical infrastructure activities.”

Protecting Critical Infrastructure: from Regulation to Practice

Let me also tell you why I feel comfortable discussing such a complex topic: I have been personally involved in the field of security of persons and property for more than 25 years, and have therefore worked with most critical infrastructure managers and some sector stakeholders. In addition, I have been working with SBR colleagues on risk management for over a year.

Experience shows that we do not take risk management seriously enough and give it (too) little attention, which is understandable, as we have yet to develop a business culture and gain experience in this area.

Today, risk management is usually limited to security/protection, implemented through organizational and technical measures and security services, and, more recently, also through information security.

In the majority of cases, risks are dealt with only by individuals such as security or risk managers, who usually lack the influence to drive more serious action. Worse, the area is often placed under quality management and treated merely as one of the administrative activities.

This is not enough: risk management is a far more complex and broader concept than protecting or monitoring data. The same holds for critical infrastructure security, where a single individual cannot cope with a task of this scale.

In risk management, the rule is that planning proceeds from the top down, and the implementation of the planned actions from the bottom up. This is why we can genuinely reduce risks only when they become part of the security culture of all employees, respected at all times and in all areas.

Companies and organisations that operate critical infrastructure will typically fulfil their formal obligations under the Critical Infrastructure Act and other regulations, but leave everything else as it was. As noted above, the reason is usually that they lack the knowledge and experience to manage risks comprehensively.

If you would like to learn more about comprehensive approaches to risk assessment and management, and about moving them from planning to practice, let us know.

P.S.: If you have a question about risk management, need help, or want to leave me a comment, feel free to send me a message directly at [email protected].


Contact our team if you need help with risk assessment.

For more information about risk management, follow our LinkedIn and Twitter accounts. You can join the debate in the LinkedIn group ERM – ENTERPRISE RISK MANAGEMENT.