How an Infrastructure Risk Assessment Can Improve Operational Resilience

Imagine trying to operate an e-commerce business if your network were unavailable. Or running a delivery company if roads around your warehouse were impassable. And being without power would bring nearly any modern business to a standstill.

It’s no secret you need critical infrastructure to operate. But do you realize how reliant you actually are on a given service or asset? And do you have a plan to maintain operational resilience when they break?

“You’re never as prepared as you think you’re going to be,” says Robert Glenn, Director of the Office of Business, Industry, and Infrastructure Integration at the Federal Emergency Management Agency (FEMA). “Sometimes, it’s not just the disaster…it’s the disruption caused to infrastructure or to people, and that creates second- and third-order effects to contend with.”

What Is an Infrastructure Risk Assessment?

With an infrastructure risk assessment process, you identify your company’s operational systems and assets, analyze hazards they face, and develop methods to manage the potential risk. This process has two primary inputs that enable you to conduct a thorough infrastructure risk and vulnerability assessment: infrastructural components and the hazards that potentially threaten them.

Infrastructure

When most people think of “infrastructure,” they imagine roads and power grids. Of course, this is just the start for your complex business ecosystem. Infrastructure includes both internal and external systems, assets, and resources, such as

• The power grid and internet connections
• Networks and phone systems
• Databases and software systems
• Equipment, machinery, buildings, and inventory

Hazards

Your infrastructure systems face hazards ranging from minor to existential. They can be utility issues, cyber threats, natural disasters, and physical risks, such as

• Loss of power, water, or internet connectivity
• Data theft, ransomware, or other cyberattacks
• Supply chain interruptions
• Earthquakes, hurricanes, or severe storms
• Active shooters, terrorist attacks, or civil unrest

Why Are Infrastructure Risk Assessments Important?

Risk awareness is the gateway to active mitigation, and a risk assessment enables a detailed view of the threats that may upset your business, so you’ll have a clearer understanding of how to respond to these risks. But risk awareness can’t end with the threats immediately and obviously connected to your systems and operations. Even distant threats have the power to bring your company’s operations to a halt.

Take supply chains, for example. Many of us took the availability of common goods, like toilet paper or flour, for granted. But as Robert Glenn discussed, the COVID-19 pandemic was a startling reminder of how fragile our systems can be.

“We’re all much more aware now because of COVID of how fragile our supply chains are,” Glenn noted. “We set up our supply chains to be highly efficient, just-in-time supply chains. And now that we are in a global supply chain disruption due to COVID, that is definitely something that requires some additional attention. Companies that know their suppliers, have validated their operational readiness, and have executed and learned from their business continuity plans are just better prepared companies.”

By understanding risks and working to mitigate them, you can:

• Reduce service outages and business disruptions that impact customers
• Reduce economic losses caused by those outages
• Protect your employees from safety hazards
• Promote organizational adaptability
• Comply with regulatory requirements in industries where public safety is a factor
• Minimize your dependencies on vendors and suppliers

5 Key Steps to a Successful Infrastructure Risk Assessment

Organizations may have their own methodology for infrastructure risk assessments, but most of them share these five steps.

1. Set objectives

First, consider what your goal in managing risk is. This usually involves understanding what type of operational disruptions are acceptable. For example, a regional pizza chain might face the risk of closing for a day because of power outages due to a winter storm. The loss of revenue would be rough but not a crisis. However, a hospital needs to maintain power 24/7, and going dark would be a life-and-death situation. When you can clarify your limits, you’ll know how you’re measuring the relative impact of any infrastructure risks.

2. Identify infrastructure

To protect your infrastructure, you need a thorough understanding of what it entails. Compiling a list is an organization-wide affair, and you’ll want to consider both internal and external infrastructure. As you’re taking stock of assets and systems, make sure to note the following:

• The item or system
• The purpose it serves
• The primary internal point of contact
• The primary external point of contact, if any
• The criticality of the item to your operations

3. Analyze and assess risks

Next, analyze the potential threats to the items you identified above. A risk matrix can help you understand the various threats’ risk levels and inform your decision-making when it’s time to prioritize and deploy resources. Key questions to ask during this step include

• How likely is this risk to materialize?
• What damage would we suffer if the risk happens?
• How severe would the impact be?
• How can we better manage the risk?
• What’s the cost of managing the risk relative to absorbing it?

4. Implement risk management strategies

Once you develop a risk profile, you can work to manage those potential threats. Based on your risk analysis, you’ll want to focus on the highest-priority risks, relative to likelihood and potential impact.

The “best” approach to risk reduction depends on the situation. For example, if you’re an online brand concerned about missing sales due to website downtime, you could invest in redundant servers in data centers across the country. In doing so, you take direct action toward reducing the likelihood of the risk.

Other times, you may have to address a risk indirectly. Say you operate a factory in Oklahoma—if a tornado is heading right for you, there’s nothing you can do to avoid it. But you can reduce collateral damage by installing more secure spaces and improving severe weather training. In this case, you’re not reducing the likelihood, but you’re reducing the impact the risk could have.

5. Measure effectiveness

As you can imagine, the risk management process is highly iterative. Each time you implement a new procedure, you’ll want to collect metrics to understand how effective the procedure is at managing and mitigating risk.

That being said, some risks are difficult to measure. For example, your company might go years between earthquakes. And you hope you’ll never face an active shooter situation. But by using emergency drills and exercises, you can model your risk management plans’ effectiveness and find room for improvement.

Best Practices to Improve Infrastructure Resilience

Undertaking an infrastructure risk assessment can seem daunting, given all the systems you rely on and the hazards you face.

Here are four ways to maximize your infrastructure risk assessment.

1. Integrate existing frameworks

Every company’s infrastructure is different, with unique challenges to assess and address. But most of the risks you face fall into a few broad categories. Rather than reinventing the wheel, lean on the work experts have already done for you:

• FEMA: FEMA’s website offers a wide selection of resources and guidance for risk management. While some of the content is for government organizations, most of it is valuable for private-sector companies as well.
• National Institute of Standards and Technology (NIST): The NIST Cybersecurity Framework is a widely used set of guidelines and best practices to protect your company’s network and data.
• International Organization for Standardization (ISO): There are two ISO frameworks related to infrastructure risk assessments. ISO 31000 covers risk management in general, while ISO 55000 provides guidance for asset management.

2. Develop key partnerships

Whether it’s government-maintained roads and power grids or private networks and supply chains, your company relies on other organizations to maintain business operations.

Thus, collaboration and building the right partnerships are critical to effective risk mitigation strategies. Work with external partners to understand their risk management plans, what to expect of them in an emergency scenario, and how you can best communicate during the recovery phase.

3. Take a holistic view

Infrastructure risks are rarely just one person’s responsibility. Say, for example, your company is responsible for consumer data security. You probably have a database admin to manage the data itself, a systems administrator who runs the information systems, a network admin, and a head of physical security who manages access to the server room.

So, which person would you consult for an infrastructure risk assessment? All of them. Looking at risks in isolation creates gaps that expose your company to unnecessary security risks. Instead, take a holistic view and include all key stakeholders to ensure you approach hazards from every angle.

4. Continuously monitor and update

Your company’s critical infrastructure is constantly evolving. Change is a constant, whether it’s new technology, changing service providers, or adjusting your supply chain.

As your business infrastructure evolves, you must update your risk assessment accordingly. Take a proactive approach to assessing risks by:

• Making it part of the procedure to onboard new providers or deploy new systems
• Scheduling periodic company-wide checkups to spot changes you’ve missed
• Keeping your risk management plans current

Common Challenges in Infrastructure Risk Assessments

While the process itself isn’t complicated, companies often face difficulties when they dive into the nuances of their infrastructure.

Here are three common sticking points when performing an infrastructure risk assessment.

Reliance on outside parties

As we mentioned, most modern companies have a number of interdependencies built-in. Unfortunately, third-party partners may not be interested in discussing or proactively addressing risk management initiatives. And if they provide a specialized product or service, finding an alternative vendor might not be possible.

In this case, your best option in the short-term is to identify and document the risk. Long-term, weigh your options to better reduce the risk. Can you replace the vendor by bringing their function in-house? Are there other possibilities you haven’t explored? Discovering new ways to manage risk is part of the continuous process.

Budget constraints

Managing infrastructure risk can get expensive quickly. Think about how many systems your company uses on a day-to-day business. Now consider how much it would cost to add redundancy and backups for all of them.

For most companies, that sort of approach isn’t feasible. Instead, prioritize your most critical infrastructure and focus on managing risk in those areas. For example, an e-commerce company in Chicago must invest heavily in cybersecurity to ensure they’re online 24/7/365. Whereas earthquake protection for their offices is lower down the list.

Aging technology

Most of us probably remember the Y2K problem, when the dawn of a new century risked bringing down electronic infrastructure (we thought). The crisis didn’t occur thanks to large-scale reprogramming efforts. But aging information technology remains a significant risk.

For example, more than 40% of banking systems today rely on COBOL, a programming language whose popularity—and pool of experts—is rapidly dwindling. When problems crop up, finding an expert who can address the issue is expensive and increasingly difficult. Other industries face similar situations, and understanding your company’s reliance on aging technology is a key aspect of infrastructure risk assessment.

Maximizing Your Organization’s Critical Infrastructure Protection

For most companies, managing infrastructure is becoming more complex. The digital world presents a host of cybersecurity challenges. Global supply chains are full of cascading dependencies. Equipment is frequently replaced, repaired, or repurposed.

Managing the risks such complex systems present can seem difficult. But with clear risk assessment methodologies and full organizational buy-in, you can turn it into a set of smaller problems more easily tackled. You might not eliminate risks to your critical infrastructure, but you can start each day knowing you’ve done your best to maximize your operational resilience.