Recent amendments to the Security of Critical Infrastructure Act 2018 (the SOCI Act) provide a decision point for Australian infrastructure organisations across the 11 covered sectors [1] and 22 asset classes.

Infrastructure organisations must now decide whether to:

  • respond with a mindset of complying with the minimum legislative requirements, or
  • take this opportunity to drive continuous improvement and go beyond the mandatory compliance requirements, or
  • go even further and take the opportunity to integrate the organisational change activities into their operating model and become a market leader with a competitive edge.

The purpose of the changes to the Australian Security of Critical Infrastructure Act is to uplift the security and resilience of Australia’s critical infrastructure to ensure that it continues to function and thrive without disruption from attacks or other major external threats. The estimates for the level of investment required to comply with the expanded obligations are significant. However, those that aim to just comply are missing out on the real opportunities these reforms bring.

Compliance with the SOCI reforms should be a natural by-product of an organisation taking the broader opportunity to fully integrate compliance, asset resilience, efficiency and effectiveness gains within their operating model. 


Boards' responsibility in meeting critical infrastructure obligations

Boards have a clear responsibility for compliance with the reforms. They will take a keen interest in how to immediately respond to their new obligations. However, a strategic look at certain compliance elements will help the organisation further improve its efficiency and resilience.

For example, the SOCI reforms need to be addressed from a holistic, rather than siloed, mindset, with joint effort from multiple teams or departments, even when the activities are treated as part of business as usual. Boards should also consider how the reforms may affect their overall asset footprint in the future in response to a change in strategy, and how best to prepare for that. Furthermore, boards should ensure their approach to addressing the obligations is sustainable moving forward.



Asset management plays a critical role

There are a number of teams that will be involved in leading an organisation’s preparation and response to SOCI reforms. They include risk management, compliance and legal, resilience, cyber security and asset management. Regardless of where ownership for coordinating an organisation’s response sits, asset management must be engaged as a key stakeholder due to its focus on the assets and the services providing “line of sight” through the entire organisation leading to value creation: specifically, which assets are critical to the organisation, and how these assets are managed, protected and secured.

As organisations start to prepare to respond to the reforms, the logical place to begin would be asset management’s critical asset register – a single source of truth and a core foundation which enables the all-hazards risk assessment required by the reforms. Asset management is also key to the ongoing management of the identified risks, providing a framework that can be used to ensure the operationalisation of mitigations and controls across all hazards.

While organisations should look to asset management to be central to their SOCI reforms activities, there needs to be an understanding of organisation-wide responsibilities and a shared ownership in achieving an integrated holistic response. For example, cyber and security teams are also key stakeholders, having an operational focus in the information domain. Implementation of cyber obligations, mandatory reporting of cyber incidents to the Australian Cyber Security Centre (ACSC) and leveraging Government assistance in the event of a critical cyber-attack are activities that are not best placed with asset management. Considering the impact of these events on the asset portfolio, supply chain and workforce is also an important part of the response activities. It is critical that internal partnerships are built across the entire organisation.


Creating additional value beyond protecting critical infrastructure and assets

Beyond their core role in the organisation’s operational response to the obligations, the SOCI reforms provide the perfect platform for asset management to demonstrate its real value through a more strategic approach. This includes driving holistic organisational change, enhanced planning and forecasting, risk and resilience, program delivery efficiency and performance, and transformation in the organisational operating model. A key driver for this is the recognition and understanding that strategic asset management is core to enabling clarity in decision making and achieving the desired balance between organisational objectives and performance, total cost and risk.

We believe there are three immediate opportunities to create more value from an organisation’s response to the reforms and to reposition Asset Management as a strategic business driver.

Opportunity 1: Whole of life costs
Increasing cash flow by improving management of an organisation’s depreciation schedule and fixed asset register is a tangible opportunity. Taking this whole of life view, the total cost of asset ownership from “acquire to retire” is considered, including the impact of early decisions and/or interventions on future costs. Organisations are more easily able to analyse and understand the trade-off between OPEX and CAPEX by creating a singular asset register that also meets the needs of the reporting requirement for a Register of Critical Infrastructure Assets. For example, where organisations rely on large, complex, interconnected high value assets to provide essential services, it is cost prohibitive to make network-wide wholesale changes. Regulatory oversight drives the requirement to provide customer value within any investment case, while high CAPEX and budget pressures drive continuous improvement through OPEX.

Opportunity 2: A holistic approach to risk and benefit assessment
Organisations that use this moment to shift from a “compliance” mindset to a “continuous improvement” mindset will realise value through improved service delivery and/or reduced cost of operations. Taking a whole of system approach provides “clarity of risk” and line of sight “clarity of benefits”. Visibility across all parts of the system produces an outcome for the organisation where all elements (e.g., supply chain, facilities and equipment, people, process, data) are considered and all business activities can be traced back to the organisation’s strategy and objectives. Taking the opportunity to be explicit about what is required of an asset, and its criticality, in the context of organisational objectives, provides visibility and prioritises effort on high value areas. The risk management program rules that will come with the reforms can be integrated into the asset requirements, to ensure compliance whilst also managing productivity.

Opportunity 3: Defining Value to allow trade-offs
Understanding your organisation’s assets from a value, cost and risk perspective enables trade-offs between these dimensions. The requirement to review threats from an all-hazards perspective considering physical, cyber, personnel and supply chain, has never been more appropriate given the impact of the pandemic and global political tensions and threats. Strategic Asset Management, which brings a greater focus on risk and reward trade-offs and the interconnectivity of assets, helps organisations to optimise their strategies across the whole of system. This allows for a more accurate understanding of the potential return on investment through a value framework that aligns to the organisation’s objectives and its risk appetite.



It's not too late to start. KPMG can help.

Asset management is important to organisations as effective control and governance is essential in realising value to achieve the desired balance of performance delivery, cost and risk. Too many organisations view asset management as “maintenance of assets”. Leading organisations understand the value that can be derived by taking a strategic asset management approach.

KPMG's Infrastructure, Assets & Places team is highly experienced in helping organisations build the right asset management capabilities that will enable them to drive value beyond compliance.



Reference:

1. The 11 ‘critical infrastructure sectors’ include: communications, data storage or processing, defence, energy, financial services and markets, food and grocery, health care and medical, higher education and research, space technology, transport, water and sewerage. https://www.homeaffairs.gov.au/reports-and-publications/submissions-and-discussion-papers/protecting-critical-infrastructure-systems