Critical infrastructure, as the name suggests, is fundamental to the operations of any country or organisation. It enhances socio-economic development, national security, and the provision of essential services across the country.

In Australia, critical infrastructure is vital across its vast landscape, from its high-traffic cities to the most remote of regions. This includes electricity, water, healthcare, telecommunications and other CI assets that are essential for people’s lives.

The Security of Critical Infrastructure Act of 2018—commonly referred to as the SOCI Act—outlines a set of reforms aimed at improving the security of these vital assets. Although it was introduced in 2018, it was fully implemented only in 2022, alongside new reforms included in Part 2A of the Act.

This act also introduced obligations for certain CI assets to adopt, maintain, and comply with a Critical Infrastructure Risk Management Program (CIRMP).

In 2022, the Security Legislation Amendment (Critical Infrastructure Protection) Act (SLACIP) recognised 13 vital CI asset classes. These are:

  • Electricity assets
  • Gas assets
  • Water assets
  • Data processing or storage assets
  • Broadcasting assets
  • Financial market infrastructure assets (payment systems)
  • Domain name systems
  • Liquid fuels assets
  • Hospital assets
  • Energy market operator assets
  • Freight infrastructure
  • Freight services assets
  • Food and grocery assets

Each of these CI asset classes is required to comply with the CIRMP Rules or risk breaching those Rules and the SOCI Act.

As such, understanding what exactly the new Critical Infrastructure Risk Management Program entails and how CI entities can ensure compliance is extremely important. Here’s all you need to know about it.

What is the Critical Infrastructure Risk Management Program?

The CIRMP is a program that aims to improve the core security practices that relate to the management of the CI assets mentioned above. This is achieved by encouraging responsible entities to take a holistic and proactive approach towards identifying, assessing, and mitigating risks.

The CIRMP Rules require entities to establish, maintain, and comply with a written risk management program that manages the material risk of a hazard occurring. This includes taking steps, as far as is reasonably practicable, to minimise or eliminate risks that could have a relevant impact on the asset in question.

How CIRMP Rules guide risk management practices

To understand how CIRMP Rules guide risk management practices, the principles-based outcomes of the CIRMP must first be understood.

The principles-based outcomes of the CIRMP are based on the following:

  • Identifying material risks
    Related entities have a responsibility to take an all-hazard approach when identifying risks that may affect their assets.
  • Developing and implementing risk management strategies
    Related entities must develop and implement strategies that effectively manage the material risks identified within the CIRMP.
  • Maintaining and continuously improving the CIRMP
    Related entities are responsible for maintaining, reviewing, and continuously improving their CIRMP to ensure it remains up-to-date.
  • Reporting annually on the CIRMP
    Related entities are required to report annually on their CIRMP to the relevant Commonwealth Regulator or the Secretary of the Department of Home Affairs.

These principles-based outcomes guide the risk management practices of CI entities by requiring them to take a holistic and proactive, all-hazards approach to risk management, which results in more effective risk mitigation strategies.

Additionally, the continuous monitoring and improvement practices ensure the Critical Infrastructure Risk Management Program remains effective and up-to-date, and the annual reporting requirement provides transparency and accountability to stakeholders.

How to ensure effective governance under the CIRMP rules

CIRMP Rules provide two main guidelines for compliance with their obligations. These are:

  • Appointing a senior executive as the accountable person for the CIRMP who will be responsible for its creation, implementation, and maintenance as per the SOCI Act and CIRMP Rules.
  • Establishing a governance framework that includes policies, procedures, and reporting mechanisms for risk management, incident management, business continuity, and crisis management.

Ensure compliance with the SOCI Act and CIRMP Rules with the support of risk management experts

To establish an effective Critical Infrastructure Risk Management Program, CI entities must take a holistic and proactive approach to risk management, continuously evaluate and improve their CIRMP, engage with stakeholders to address emerging risks, and take the aforementioned steps for effective governance.

The consequences of an ineffective CIRMP range from relatively minor penalties, such as fines and other enforcement actions, to catastrophic risks to CI assets that can affect public safety, national security, and the economy. Non-compliance is therefore simply not an option.

In such a high-stakes environment, CI entities can make use of critical infrastructure risk management experts to enhance their risk management operations and ensure compliance with the SOCI Act and CIRMP Rules.