by George M. Karagiannis, Engineering Leadership Group Director, Resilience First
Infrastructure systems underpin modern economies and are needed for human well-being. Yet today they face unprecedented challenges, which transcend geographies and societies. Probably more than ever before, modern infrastructures face a systemic and dynamic set of risks, including natural, technological, cyber, geopolitical, market, liquidity, and others. In addition, climate change brings new hazards, stressors, and constraints.
Fundamentally, infrastructure are public goods provided by private organisations. Because of the ubiquity of infrastructure in our daily lives and the increasing reliance of modern households and economies on these systems, their disruptions may threaten public health and safety and reduce the capability of affected communities to recover from disaster. In addition, owing to their nature as public goods, infrastructure systems are compelled to a lower risk tolerance than other private sector entities. Furthermore, the vast interdependencies between infrastructure systems and global supply chains create additional vulnerabilities. The magnitude and scale of these situations transcend the boundaries of the capabilities of individual providers.
Responding to infrastructure disruptions involves two distinct, but interrelated, lines of effort: the temporary provision of the essential services to those most affected, and the repair of damaged systems. For example, a power outage will require a multi-faceted response, involving providing temporary emergency power to critical facilities (such as hospitals, police stations etc.), providing mass care to vulnerable populations, and expediting the restoration of the power grid. And although critical infrastructure operators will never be expected to take the lead on or contribute resources to all of these crisis response functions, the demands generated by disasters can easily be beyond the realm of what private sector firms would normally be expected to prepare for.
The challenges
Several issues complicate crisis management when it comes to infrastructure systems. First, standard enterprise risk and crisis management approaches will tend to produce substandard results when implemented in critical infrastructure. For instance, natural disasters are often insured against in enterprise risk management approaches or accepted as ‘force majeure’ in business continuity plans. And crisis management has been prone to limiting itself to legal, credit and reputational risks alone.
Second, crisis response is often undermined by the assumption that disasters can be managed by throwing more resources at them. Disaster management experience has demonstrated that this is hardly ever the case and steady-state organisational practices will not work in emergencies. Specifically, sequential damage control cannot address multiple, simultaneous incidents, and project management methodologies are unfit for the dynamic environment of disaster response. Crisis response needs to be based on a solid incident management system incorporating an adaptive organisation.
Third, a typical misconception is that corporate crisis management equates to crisis communication plus legal and financial subject-matter expertise. Nothing could be further from the truth, but critical infrastructures cannot afford to discover that when disaster strikes. Communication, legal and finance are important components of crisis response, but crises transcend numerous other corporate functions, such as operations, supply chain, business continuity, IT, security, safety, and others. Therefore, the crisis management function should coordinate the actions of all company departments to achieve unity of effort.
The solution
Critical infrastructure crisis management requires a comprehensive, capabilities-based and risk-driven approach. It needs to integrate the efforts of the public, private and not-for-profit sectors beyond the traditional confines of business continuity. An all-hazards mindset is a must: risk management can no longer be just about credit, IT and compliance, and crisis management needs to transcend the boundaries of reputational risks. In addition, crisis management should incorporate the entire spectrum of mitigation, preparedness, response, and recovery. Hazard mitigation is not just lifesaving for the communities infrastructures serve; it is also hugely beneficial to the operators’ bottom line. Preparedness should be based on capabilities and use sound risk management principles to assign priorities and resources.
A solid emergency plan is the cornerstone of crisis preparedness. Critical infrastructure emergency plans should describe emergency repair and recovery actions, determine priorities, assign responsibilities, identify resources, and address coordination and communication. They should also establish emergency rosters of, including on-call arrangements for, qualified personnel available to respond to natural disasters or other incidents. In addition, plans should address communications with other responding organisations, information management, logistics and communication to customers. Infrastructure operators’ plans need to be integrated and aligned with emergency plans developed by civil protection agencies to ensure that all needs are addressed without duplication of effort. They should be updated when gaps are identified and to take into account changing boundary conditions, e.g. in case of climate change.
Resource management is a critical part of infrastructure crisis management. Natural disasters and other emergencies may rapidly overwhelm the capabilities of any single infrastructure operator. Mutual aid agreements allow operators to rapidly expand their capabilities to respond to the added requirements of major emergencies. The lack of surge capabilities and resource typing undermines mutual aid, and needs to be a focus of crisis preparedness efforts.
Notwithstanding the benefits of capacity surge, it often comes with an entirely new set of response-generated demands, which need to be addressed in emergency plans. In addition, interoperability with external capabilities and government emergency management is a mission critical requirement. Moreover, the availability of spares and replacement parts and equipment for critical assets and facilities often makes the difference between a speedy and prolonged recovery. Although it may sound counter-intuitive from a supply chain perspective, this strategy is a form of self-insurance and can help expedite repairs and ultimately reduce the duration of disruptions.
Last, crisis response plans are merely words on paper until they have been tested in realistic simulations. Exercises aim at training personnel and putting emergency response systems to the test under realistic conditions. They help assess crisis management systems, and identify strengths and areas for improvement. Resilience First is planning to launch an organisational resilience simulation program for members. Simulations will be a forum for participants to identify and refine organisational resilience requirements and initiatives in collaboration with critical whole community stakeholders, supporting strategic long-term planning priorities of their respective organisations, the industry, and the community.