The critical infrastructure reforms have brought additional focus to asset management and criticality. KPMG has been working closely with the Department of Home Affairs supporting several aspects of the reforms, including how to define asset criticality in an increasingly complex context. Combined with our broader experience working with critical infrastructure entities, KPMG has a deep understanding of the reforms and what industry should consider with respect of asset criticality.
Why language is important
Critical Infrastructure is now well beyond physical bricks and mortar. It is also much broader than isolating protections against cyber-attacks. Critical assets form an eco-system, generating a range of services that, if disrupted, would severely impact our society, economy, and security. It is important to understand the intersection of these critical assets within and across the eco-system, their upstream and downstream relationships and ultimately the services they support directly and indirectly.
Amendments to the Security of Critical Infrastructure Act 2018 have broadened coverage to 11 sectors and 22 asset classes. Whilst the definition of what is a critical asset is contained within the Act, there is potential for localised ‘language’ differences and interpretations to emerge which may result in industry inconsistently managing risks to their critical assets. Embracing a unified interpretation of asset criticality in the context of the Act will provide clarity and alignment for industry to determine proportionate risk mitigations.
Simply put, an asset's criticality directly relates to the consequence of a loss or disruption to the service it provides, either directly or within a critical ecosystem.
What does criticality mean to me and why is it important to my business?
Assets are created for a singular purpose, that is, "to provide value to the organisation and its stakeholders"1 But not all assets are equally critical and so viewing criticality in the context of ‘value’ is more important to organisations than ever. There are various considerations when determining asset criticality and these considerations will change across different entities and industries.
For example, a critical service failure for one industry might affect a key segment of a supply chain on a local, national, or global scale. Another critical service failure might impact a single industry or utility – affecting the economic or social stability at a regional or national level.
It is important to measure criticality appropriately, over estimating criticality can lead to an inefficient distribution of time and money to non-critical assets. In contrast, underestimating criticality could mean that assets remain unidentified, exposing an organisation to potentially significant risk and loss of service.
Viewing critical assets through this ‘service provision’ lens connects them to an organisation’s value, reputation, and market position. It creates important linkages to the wider ecosystem and a broader perspective when developing protections against service failures and/or disruptions.
Planning for disruption has become an essential activity for organisations which requires a multi-layered ‘all-hazards’ approach when defining which assets are service critical. This can be undertaken by initially quantifying the localised impact of a critical asset or asset systems failure and, secondly, assessing any upstream or downstream relationships or interactions.
How do I set myself up for success?
1. From organisational impact to customer impact
The lines that separate organisational impact and the impact felt at a customer level are no longer sharply defined in the connected environments in which we all operate. This means that a service failure or disruption at a single organisational level may have a direct impact on multiple customers or a single customer may be exposed to impacts from multiple service providers or organisations.
Customers are becoming increasingly vocal about what they expect from organisations and user experience is a key metric of success. Businesses need to reach beyond financial implications to better understand the environmental impacts, social impacts, impacts on cultural heritage and other areas that are of value to the customer.
Exposing vulnerabilities internally and externally through the identification of assets that are truly critical to your organisation's service delivery aspirations, will maximise service reliability and improve business resilience by putting the customer at the centre when assessing criticality.
2. From reactive to resilient
“If it ain't broke, don't fix it” is quickly becoming rhetoric of the past. In an ever-evolving landscape, organisations are seeing the benefits of being less reactive and more resilient. Although Australian infrastructure owners faired comparatively well against recent crises, such as the COVID-19 pandemic and extreme weather events, they brought to light what we already knew, that the security of critical assets is a vital business activity.
Reacting quickly to an event shows agility in business, however a focus on resilience promotes improved prediction of adverse or malicious events and therefore enables improved preparedness to respond. Operating a resilient organisation reduces unplanned work and down time, maximising asset life and improving service delivery outcomes. These benefits can be achieved by minimising unexpected disruptions. A shift from a reactive to a resilient mindset is cost effective, saves energy and resources, and improves efficiencies.
3. From reporting to value creation
Being resilient lies in an organisation's ability to predict and prepare for threats ahead of disruption; an activity that is underpinned by data driven and evidenced based scenario planning and decision making. The Security of Critical Infrastructure Act is a catalyst for a broader organisational value creation opportunity when viewed as an extension to, or inclusion in, an organisation's Asset Management System. Shifting focus from a narrowed perspective to an extended understanding of your 'network of assets' allowing for this value to be unlocked when qualifying critical assets.
Opportunity exists to embrace the Critical Infrastructure Act further as a catalyst, driving measurable benefits by shifting thinking from 'just' compliance to an integrated value creation opportunity.
Act now, with the future in mind
Australia’s critical infrastructure industries are increasingly exposed to a range of adverse natural events, malicious attacks and cyber incursions in increasing frequency and complexity. This means that a business-as-usual response to managing risk will need to shift to integrate criticality and service resilience when preparing and responding to this evolving threat landscape.
Understanding criticality focusses on the consequential impacts to your customers should your service delivery be disrupted. Robust risk management principles can then be applied to better understand how you can prevent or prepare for a disruption.
This approach compliments criticality assessment by further exploring the ever-evolving threat landscape with considerations of such factors as supply chain, cyber security, and personnel interaction. A systems view creates improved resiliency and overall performance in organisations.
Shaping actions today to focus on ‘around the corner’ and ‘over the horizon’ vulnerabilities, will drive greater service reliability and resilience, cementing confidence in the security of your critical assets.
1. International Organisation for Standardisation [ISO:55000], 2014, Asset Management
It's not too late to start. KPMG can help.
Asset intensive organisations are under constant pressure to meet changing demand, comply with new regulations and satisfy customer expectations. Too many organisations view asset management as a “cost”. Leading organisations understand the value that can be derived by taking a strategic asset management approach.
KPMG Infrastructure, Assets & Places is highly experienced in helping organisations build the right asset management capabilities that will enable them to drive value beyond compliance.
