Risk Management Guide for Critical Infrastructure Sectors

Foreword

Managing risk is a shared responsibility among all critical infrastructure stakeholders, including governments, industry partners, first responders and non-government organizations. While partnerships and information sharing represent the building blocks of the Canadian approach to enhancing the resiliency of critical infrastructure, these cannot be undertaken in isolation of risk management and the development of plans and exercises to address these risks.

Recognizing that the impacts of disruptions can cascade across sectors and jurisdictions, the purpose of this document is to provide practical guidance for implementing a coordinated, all-hazards approach to critical infrastructure risk management. Moving forward with this comprehensive risk management process requires federal departments and agencies to collaborate with their critical infrastructure partners, including industry stakeholders and other levels of government. While this guidance document promotes a common approach to critical infrastructure risk management, owners and operators and each jurisdiction are ultimately responsible for implementing a risk management approach appropriate to their situation.

This guide is adapted from the ISO 31000 International Standard: “Risk Management – Principles and guidelines on implementation”, and includes the following sections:

  1. Overview, Principles and Process
  2. Sector Networks: Communication and consultation
  3. Sector Overviews: Part 1 – Sector Operations
  4. Sector Overviews: Part 2 – Sector Risk Profile
  5. Sector Overviews: Part 3 – Sector Workplan
  6. Ongoing improvement and feedback

Sections 2 through 6 focus on implementation and contain the following sub-sections:

Key Elements: The inputs and expected deliverables.

Implementation: Recommended approaches to implementation.

Considerations: Questions, issues and challenges to consider.

One of the underlying principles of sound risk management is that of continuous improvement. To that end, this guide will be updated periodically based on lessons learned through the application of the process. The most recent guide, tools and other information to support an all-hazard risk management approach to critical infrastructure are being developed on an ongoing basis and can be found at the Public Safety Canada website at: http://www.publicsafety.gc.ca/cnt/ntnl-scrt/crtcl-nfrstrctr/index-eng.aspx   

Amendments Record

The following is a list of amendments to this guide:
# Date Amended By Comments
1.0 2010 07 01 Critical Infrastructure Policy, Public Safety Canada Initial version

1. Overview, Principles and Process

The practice of risk management is well-developed within the insurance, engineering, finance, and political risk industries. It is clear, however, that risk management remains relatively immature in its application to the homeland security field. Some might argue that the implementation of risk assessment and management in the homeland security and counterterrorism fields may be more complex than in its industrial application where the primary objective is to protect against financial loss.

1.1 The value of managing risks collectively

Organizations undertake a number of activities to mitigate risks to their operations through a combination of:

Despite these actions, significant gaps remain. Some risks may be poorly addressed because their causes or effects are poorly understood, they are new, or because there is a lack of information on how to address them. Others may be outside of the organization’s sphere of influence, such as vulnerabilities due to dependencies, vulnerabilities in the supply chain or in cyber networks. Accountabilities for addressing risks may be misunderstood, unclear or shared – leading to inaction. Finally, some risks may be too rare to justify resources or the consequences too large for any organization to address by itself.

Sector Networks, the National Cross-Sector Forum, the Federal-Provincial-Territorial Critical Infrastructure Working Group, and other mechanisms established by the Strategy are designed to complement risk management activities at the organizational and regional level and address these gaps.

Through participation in Sector Networks, public and private sector partners can better respond in emergencies, better identify vulnerabilities due to interdependencies, collectively allocate their resources towards priority areas and develop more appropriate measures to mitigate risks that reflect a better understanding of sector-wide operations and requirements.

Governments and private-public sector partners will work together to clarify and define roles and responsibilities, where needed, and to build trusted partnerships within the sector and across sectors. Collective risk management activities will enable the Government to:

Collective risk management activities lead to benefits for the entire critical infrastructure community, including:

1.2 Principles

Based on lessons learned and best practices from international allies, provinces and territories and within the federal government, the following principles apply to the risk management process described herein:

Strategic level: The scope of this process is at the sector level – that is systemic, strategic, or national risks. It is intended to complement risk management activities at the organizational and regional level. Specifically:

Complement organizational processes: To the extent possible, the process and approach should build on, and complement existing mechanisms, as well as threat, vulnerability, and risk assessments undertaken at the organizational and sector level. Likewise, strategic planning, business continuity planning, emergency management planning, emergency response planning and other relevant activities should be considered and leveraged when undertaking critical infrastructure activities at the industry and sector level.

Common framework: Critical infrastructure draws together many different disciplines, industries and organizations – all of which may have different approaches and interpretations of risk and risk management, as well as different needs. To bridge these gaps, a common framework has been developed which allows flexible inputs from different organizations within a sector that may be combined in a way that allows risks to be identified, assessed and compared across sectors, so that they may be combined into a National Cross-Sector Profile.

Iterative and incremental process: The approach to describing the operations of the sectors, the interdependencies within and among sectors, assessing and evaluating risks and taking actions to mitigate these risks will evolve over time as lessons learned are incorporated, the risk environment changes and as sectors innovate and change. The process described herein builds on discrete and achievable objectives and deliverables and incorporates feedback and improvement to the process itself at every stage.

Future iterations and products may focus on specific high priority threats, impacts, and vulnerabilities; drill down as appropriate into sector operations such as technical operational requirements, specific asset types, regional operating environments and other details, as needed.

1.3 Process

The risk management process advanced in International Organization for Standardization’s ISO 31000 provides a flexible and generic approach to risk management that can be tailored to the needs of individual sectors and sub-sectors. When implemented, it enables:

The process of managing risks will help Sector Networks start and sustain a dialogue on critical infrastructure issues among the security and intelligence community, risk experts, the lead sector departments, governments, critical infrastructure associations and the owners and operators of critical infrastructure.

Aside from building trusted relationships, through dialogue and information sharing, the process is envisioned to have as output three separate but interlocking documents:

These documents may be combined into a Sector Overview. The information contained in the Sector Overviews will be combined into a National Cross-Sector Profile that identifies the key risks to critical infrastructure in Canada, outlines the key interdependencies within and across sectors and provides a roadmap for improving resiliency nation-wide.

The ISO process for managing risks has been adapted for the National Strategy and Action Plan and the context of Sector Networks and involves the following:

The diagram below illustrates the risk management process, the relationship between the main deliverables (the Sector Overviews Parts I, II and III) and the sections of this guidance document.

This diagram is described in the text that follows

2. Sector Networks: Communicate and Consult

“Analyzing homeland security risks is an especially “wicked” problem. Such problems are not amenable to solutions based on simple risk formulas, but rather require discourse-based, multi-party, conflict resolution techniques.”

Communication and consultation allows trusted relationships to form – which is particularly important in the area of managing risks to critical infrastructure.  It is an iterative exchange of information and opinion with the objectives of:

2.1. Key Elements

The key element of this step is to establish a consultative team in order to communicate and consult with internal and external stakeholders, and to ensure broad and diverse perceptions of risk are taken into account. Sector Networks and their members fulfill this role.

2.2. Implementation

Sector Networks provide standing fora for discussion and information exchange among sector-specific industry stakeholders and governments. They reflect a partnership model that enables governments and critical infrastructure sectors to undertake a range of activities (e.g. risk assessments, plans to address risks, exercises) unique to each sector. These Sector Networks also enable improved collaboration among critical infrastructure partners and information sharing activities both within and across interdependent Sector Networks.

Sector Networks, to the extent possible, are based on existing mechanisms. For this reason, many of the stakeholders have already been identified – they are the members of the Sector Network, and/or the organizations represented by the members of the Sector Network.

A terms of reference or other form of mutual understanding for the operation of Sector Networks provides a starting point to define how the network operates, what its goals are, and the resources that may be required to participate. It will also help define how the Sector Network will communicate and consult with the broader critical infrastructure stakeholder community.

Given the potential sensitivity of discussing threats, vulnerabilities, operations, capabilities and other related information, one of the first deliverables under the Action Plan, after the establishment of the Sector Network, is the development, adoption and implementation of an information sharing and protection protocol to allow the open discussion of risks, vulnerabilities and other issues.

2.3. Considerations

Information Sharing

Not all of the stakeholders affected by a risk to a sector are members of the Sector Network. Consideration should be given to whom, how and through what channels relevant information can be provided to all affected stakeholders. This includes interdependent stakeholders and organizations.

Likewise, consideration should be given to how best to exchange information on cross-sector risks and issues identified and addressed in the National Cross-Sector Forum, as well as the Federal, Provincial and Territorial Critical Infrastructure Working Group.

Information Protection

The protection of information is a key concern for both government and private sector organizations, however, this must find a balance with sharing of information – which is required to advance overall critical infrastructure resiliency.

Several issues should be considered when sharing and protecting information:

Protection of information under the federal Access to Information Act:  The legal framework provided by the Emergency Management Act, recognizes that the ability to exchange specific and reliable information in a timely manner with the private sector is essential to the government's role in providing national leadership in critical infrastructure.  This Act includes a consequential amendment to the Access to Information Act that allows the Government of Canada to protect critical infrastructure information supplied in confidence to the government by third parties, subject to criteria laid out in the Act.

Classification of material:  Unclassified information or open source information allows the freest flow of information. Classified information or other sensitive information (e.g., trade secrets, operational information, intellectual property) is subject to legal, physical and procedural protection. Whenever possible, parties should consider developing an unclassified or high-level version of the sensitive or classified information so that it can be shared (subject to the information sharing and protection protocols of the Sector Networks).

Constraints on actions and information sharing: Federal, provincial and territorial departments and agencies are subject to laws, regulations, and procedures that they and their representatives are expected to follow. The private sector may also have constraints and limitations on how they can operate within the Sector Network from issues such as serving as boards of directors, company policies, grant restrictions, and legal regulations. Small businesses may be limited in the amount of resources they can contribute and the amount of time they can devote to the partnership. Recognizing and understanding the constraints and limitations of all sides and developing strategies to address the issues will enable the network to function more effectively.

Use of expertise outside of Sector Networks

Depending on the nature of the communication, others may be invited for specific agenda items, such as:

3. Part I – Sector Operations

 “Risk comes from not knowing what you are doing”

- Warren Buffet

Risk refers to the uncertainty that surrounds future incidents and their outcomes. It is the chance of something happening that will have an impact on objectives.

The potential consequences of a disruption of a critical service or product can only be assessed and addressed if the service or product is identified; threats and hazards can only be identified in relation to the systems and assets they threaten; and cascading effects due to dependencies can only be addressed to the extent they are known. Therefore, in order to assess the significant risks to a sector, it is necessary to identify the objectives and functions of the sector, as well as its services and products, and to understand its supply chain and operations.

3.1. Key Elements

The key deliverable of this stage of the risk management process is “Sector Overview Part I – Sector Operations”. It is a document that is to capture the context of the sector, the sector’s critical services and products and the dependencies of the sector. 

3.2. Implementation

The most important part of this step is to capture why the sector is critical. Different sectors operate in different contexts, have different expectations placed on them, different requirements in terms of continuity of service delivery, and different cultures. There is no one size fits all approach to determining what is critical about a sector. Sectors may use a number of methods and approachesFootnote 1 to determine what is critical. At a minimum, the Sector Operations document should include:

This document can also:

Lead sector departments may wish to hold workshop(s), conduct surveys or other consultative methods to identify critical services, products, systems and dependencies.

3.3. Considerations

Most business continuity planning processes consider the critical services and products as well as the interdependencies of an organization. This information, when aggregated to the sector level can provide insight as to what may be considered critical at the sector level.

It is anticipated that as the risk management process advances, the view of what is critical, what are the dependencies and how the supply chain operates will evolve.  The first iteration will set a baseline, providing a way to measure progress over time.

Including the appropriate level of detail requires an understanding of what is important to the sector and what will best enable the identification of risks and risk mitigation measures. Some sectors may wish to have a very detailed description of the sector, others a simplified one, still others may wish to have both.

Describing the critical products and services, the supply chain, and dependencies of a sector provide a common baseline to discuss risks. The purpose is not to determine relative worth of any asset, system, service or product. A system may have a high replacement value, but not be critical in terms of providing a critical service or product.

Determining what is critical will depend on a number of factors, such as:

4. Part II – Sector Risk Profiles

The second module of the Sector Overview concerns risks. The process is to identify those hazards and threats – natural or human induced which are most likely to affect the sector, to assess their relative likelihood and consequences and to evaluate them. The output of this module is to create a Sector Risk Profile – a description of the risks to the sector, as well as their relative priority.

An all-hazards approach to risk management does not mean that all hazards will be assessed, evaluated and treated, rather that all hazards will be considered. Those threats and hazards which could disrupt sectors at a strategic, systemic or national level should be assessed and evaluated in depth. This includes natural hazards, threats and accidents.  Annex B provides a list of threats and hazards to be considered, although the sector may have additional input.  

The following are outside the current scope of this risk management process:

It should be noted that risks due to external factors, such as disruptions of interdependent goods and services, and intentional, but non-malicious acts such as border closures are included in the scope of this process.

Note: A risk assessment method has been developed by Defence Research and Development Canada for use by Sector Networks. Lead sector departments can obtain this method from Critical Infrastructure Policy, Public Safety Canada.

4.1 Identify Risks

4.1.1 Key Elements

This step in the risk assessment process seeks to identify those threats and hazards which could disrupt the critical services and products identified by the Sector Networks. It takes, as input, the sector’s collective knowledge of its risks – based on the Sector Operations document, organizational threat, vulnerability, and risk assessments; any sector level threat and risk assessments; and any other relevant information (e.g., policy documents, criticality assessments). The output of this step is to:

4.1.2 Implementation

The aim of this step is to generate a clear, concise and comprehensive list of potential risks (sometimes referred to as a “risk register”) based on those events that might prevent, degrade or delay the provision of critical goods and services.

The risk register is generally in the form of a table, spreadsheet or database, and may contain the following information:

Only threats and hazards which have a potential impact on the sector should be considered. A list of threats and hazards may be found at Annex B of this document. This provides a starting point - other sources of information to further develop the list include:

The reliability and availability of information should be considered in creating the scenarios and determining their relative importance. If there are gaps in information, this should also be recorded and provided in the risk register.

It is anticipated that the number of potential risks to a sector would be very large. It is not feasible to assess all of them. The next step is for the Sector Network to determine what should be assessed in further detail.

The factors in making this determination should be recorded and provided in the risk register. There are a number of criteria that can be considered, including:

It should be noted that the priority threats and hazards for further evaluation in this process may not necessarily be the same priorities as determined by other risk assessments, even if these are all-hazards risk assessments.

4.1.3 Considerations

It is important to develop as comprehensive a list as possible. What is not identified at this stage will not be included in further analysis.

Threats and hazards identified at this stage may be outside the scope of the process described here (i.e., climate change). They should still be recorded in the register, as it may be that future risk assessment processes will consider these threats, or that the Sector Network may choose to take action to mitigate the associated risk even though it was not formally assessed.

A risk register is a living document that provides continuity on the issue of threat identification and risk assessment in between assessment periods. It allows the prioritization of action, and ensures that all known threats and hazards are considered – even if they are not formally assessed.

From the risk register and the assessment and evaluation process a Sector Risk Profile will be produced. Section 4.3 of this document discusses the Sector Risk Profile in depth.

4.2. Analyze Risks

Risk analysis is the assessment of the consequences and their likelihood, and other attributes of the risk.  

The analysis of risks allows:

4.2.1 Key Elements

The inputs are the potential threats and hazards that have been identified as higher priority, the outputs are a ranked list of risks based on likelihood and consequences of the incident in question.

4.2.2. Implementation

At a minimum, the risk assessment should:  

  1. Assess the disruption to the critical services and products provided by the sector. 
  2. Assess the risk
    1. Determine the likelihood of the threat or hazard; and
    2. Determine the consequences of the threat or hazard, taking into account the disruption of the critical services and products. 

There are many techniques to undertake this analysis:

Assumptions made in the analysis should be recorded.  Factors that affect consequences and likelihood should be identified and recorded.

4.2.3 Considerations

There is no single way to assess risks – the method and best practices to assess risks will evolve. No matter what technique is used to assess the risks, lessons learned and recommendations for improvement should be captured.

An event can have multiple consequences and can affect multiple objectives. Existing risk controls and their effectiveness should be taken into account.

The consequences are to be considered from a system and sector level – not from an organizational or asset-specific level, unless the effects on an organization or to an asset are of national, systemic, and sectoral significance.

Recognizing and taking into account the varying interests of the parties assessing the risk at the sector level will allow common ground to found and trusted partnerships to develop. Considerations should be given to the different interests: private sector organizations would be concerned with the costs associated with the risk such as lost revenue, damage to reputation and other concerns to the organization; whereas public sector organizations may focus on public safety and security issues.

Tip: Risk assessments are more consistent across sectors and inter-sector understanding is accelerated if peers from other sectors (especially interdependent ones) are a part of the risk assessment process.

4.3 Evaluate Risks

The evaluation of risks should lead to a discussion on:

4.3.1 Key Elements

The inputs to this step are the assessed risks; these risks are to be evaluated to create a Sector Risk Profile that includes:

Part II of the Sector Overview: Sector Risk Profile, is to be an unclassified version of the Sector Risk Profile, if the Profile, or a portion thereof, is classified.

4.3.2 Implementation

Risks may be evaluated by dividing them into three bands:

The criteria for evaluation should be based on:

As risks are evaluated, the risk register should be updated with some of the following information from the assessment and evaluation, including:

4.3.3 Considerations

As the understanding of the risks evolve, it may be worthwhile to revisit and update the risk register.

Other considerations in evaluating the risks include:

5. Part III – Sector Workplan

“The time to repair the roof is when the sun is shinning.”

- John F. Kennedy

By Year 3 of the Action Plan, Sector Networks are to have developed Sector Specific Workplans to reduce risks and undertake other critical infrastructure activities.  It is anticipated that the Sector Specific Workplans will continue to evolve as the critical infrastructure, threats against them, and strategies for protecting against and responding to these threats and incidents evolve.

Workplans should be:

5.1 Key Elements

This stage of the process involves identifying options to address the risks, evaluating the options and producing a plan to implement and monitor the selected options.

The key deliverable is a Sector Workplan that outlines the activities of the Sector Network to reduce risk, which should include:

  1. Goals and objectives;
  2. Mitigation Actions - the specific actions to achieve the goals and objectives and the risks they address;
  3. An Implementation Plan that includes a plan to monitor and track results; and
  4. An Exercise Plan to test and validate actions taken.

5.2 Implementation

The process used to develop a successful risk mitigation plan is just as important as the plan itself. The steps below provide a generic approach to developing the risk mitigation plan - it may be necessary to alter the sequence of steps or tasks below to fit the needs of the sector.

5.2.1 Develop Mitigation Goals and Objectives

Developing clear goals and objectives improves focus and clarifies solutions to problems and issues as they arise. Well articulated goals and objectives provide the necessary framework by which decisions on mitigation actions will be based.

Goals are broad, forward-looking statements that succinctly describe the aim of the risk mitigation process and what the Sector Network wants to achieve.  These should not identify specific mitigation actions (those will be developed later), but identify the overall improvements desired.

Objectives define strategies or implementation steps to attain the identified goals. Unlike goals, objectives are specific and measurable. They expand on the goals and provide more detail on the ways to accomplish them. It is important to have measurable objectives because they provide a roadmap for successfully implementing the strategy.

The formulation of risk mitigation goals and objectives should be based on the review and analysis of the risk assessment.

5.2.2. Develop an Implementation Plan

Once goals and objectives have been identified, actions to accomplish the objectives should be identified, evaluated and prioritized.

5.2.2.1 Developing an Implementation Plan: Step 1- Identify Options

The starting point for identifying options is often a review of existing domestic and international measures, best practices and lessons learned for reducing that type of risk.

The options for mitigating risks may seek to:

The analysis of the risks should provide a comprehensive understanding of its underlying causes, sources, chain of events leading to the incidents, consequences and other facets, including:

Business continuity planning, consequence management, emergency management, disaster mitigation, vulnerability assessment, insurance and other related disciplines all provide a wealth of possible actions. These disciplines are well-developed and will not be treated in this document.

Scientists and hazard experts (e.g., geologists, seismologists, hydrologists, etc.), as well as floodplain managers, emergency managers, fire marshals, public works engineers, transportation engineers, and civil engineers who are expert in applying mitigation and emergency management principles all have valuable experience in knowing what works to mitigate hazards.

Some potential alternative actions may require additional study before a solution or alternative mitigation action can be identified.

5.2.2.2 Developing an Implementation Plan: Step 2 - Identify and analyze federal, provincial, territorial and local mitigation capabilities

Understanding what capabilities are available to mitigate risks will help determine which actions are most likely to yield positive results. This analysis could list local government agencies, departments, and offices with responsibility for planning, building code enforcement, mapping, building, and/or managing physical assets, as well as for emergency management functions. Not-for-profit (e.g., Red Cross Society of Canada) and for-profit organizations (e.g., private security firms) may also have applicable capabilities, as well as other departments or agencies that do not appear to have a direct impact on mitigation but could have an indirect effect on the overall mitigation program.

5.2.2.3 Developing an Implementation Plan: Step3 - Evaluate and prioritize mitigation actions

The evaluation should determine whether the action would work for the specific mitigation goals and objectives formulated by the Sector Network.

Once options for reducing risk have been developed, they should be evaluated and prioritized. The following are possible considerations:

5.2.2.4. Developing an Implementation Plan: Step 4 – Write the Plan

Once actions have been identified, an implementation plan should be developed and agreed to. The plan should include target dates, responsibilities, and key milestones.

Potential partners in developing and implementing the workplan could include local, provincial, territorial and federal governments, private sector organizations and businesses, academic institutions and upstream and downstream organizations and interdependent sectors.

Sector Networks should incorporate the principles of results based management into the implementation plan - this could include a logic model, performance indicators and expected results and outcomes.

The manner in which implementation will be monitored should also be developed. Key aspects of monitoring implementation may include:

The Sector Workplan should also take into consideration that the risk environment, the sector’s operating environment and other factors change. The Workplan should also monitor and track:

To maintain support throughout the implementation process, stakeholders should be kept informed about the incremental progress and success of the program. The findings of progress reports, key activities, can be distributed or posted on the Public Safety Critical Infrastructure Website to keep stakeholders up-to-date on accomplishments and possible setbacks.

If applicable, it may be worthwhile to integrate the monitoring of implementation into already existing processes, such as budget cycles and other reporting cycles.

5.3 Develop an Exercise Plan

One of the key mechanisms to validate and test risk mitigation actions, plans and systems is through exercises. Exercises serve to:

Sector Networks should include a plan and timeline to undertake exercises in order to test and validate the risk mitigation actions taken.

Tip: Including interdependent sectors and organizations, as well as emergency management / response personnel, as both exercise design partners and players in the exercise increases resiliency.

Exercises may range from simple tabletop exercises, to fully operational simulations.

Tabletop exercise

A method of exercising plans in which participants review and discuss the actions they would take in response to a specific scenario, as presented by a facilitator. Specific actions are not performed.

Functional exercise

A method of exercising plans in which participants perform some or all of the actions they would take in the event of plan activation to respond to a specific scenario.

Full operational exercise

A method of exercising plans in which the participants suspend normal operation and activate the plans as if the event were real.

The results of an exercise should capture any gaps and limitations in current actions.

Departments and agencies with responsibility for supporting Sector Networks should, to the extent possible, adapt the lessons learned for general sector-wide use and distribute these generic lessons learned throughout the sector’s stakeholders.

Exercises should be planned and conducted taking the following into consideration:

5.4 Considerations

Decisions surrounding rare but severe risks require careful consideration as the legal, moral and social responsibilities may override the economic considerations. These low likelihood, but high consequence risks are less likely to be on the radar than high likelihood, but low consequence risks. It may very well be that these low likelihood but high consequence risks are more important as sectors are less likely to be resilient to these types of incidents.

Any gaps in information, resources, or capabilities should be noted and included in the Sector Workplan.

Special scheduling needs, such as seasonal climate conditions, funding cycles, agency work plans, and budgets should be considered in any resource requirements.

Not adequately incorporating lessons learned from an exercise into operations is an all too common in emergency management and critical infrastructure activities. The lessons learned should be documented and used to improve and revise operations, risk mitigation actions and other plans, and an organizations senior management should monitor and track this implementation.

6. Ongoing improvement and feedback

The risk environment is not static – the implementation of the risk mitigation plan, and experience gained dealing with incidents lowers risk. On the other hand, new threats emerge, new goods and services and the new entrants to the sectors change the context and operations, innovation spurs new technologies – all of which introduces new risks and vulnerabilities. Sector Networks provide a lasting forum to monitor and respond to this changing risk environment.

6.1 Key Elements

Ongoing improvement and feedback should be incorporated into every aspect of the risk management process.

Sector Networks should continually capture and share lessons learned and best practices to improve the resilience of sectors, the operations of the Sector Network, other Sector Networks, the actions of governments at all levels, the processes, methods and tools used to manage risks – this includes during normal operations and after an incident.

6.2 Implementation

Lessons learned can and should be captured during sector operations, after an incident occurred and during and after an exercise.

Post-incident analysis, in particular, provides useful insight into improving the risk management process. This analysis could include:

6.3 Considerations

Sector Networks should capture what worked well and what did not work well throughout the risk management process and share these insights with sector stakeholders as well as lead sector departments, other Sector Networks, the National Cross Sector Forum and Public Safety Canada, in accordance with the information sharing and protection protocol.

Annex A: Terms and Glossary

It should be noted that these terms are not intended to define how the various elements interact and/or are assessed, nor is it a Government of Canada standard. Rather, they are common definitions chosen for clarity in order to provide a common language across diverse disciplines.

It is recognized that these terms may be applied differently within different disciplines and sectors. It is anticipated that this lexicon will evolve as the critical infrastructure stakeholder community evolves.

This has been developed in consultation with Public Safety Canada, the Integrated Threat Assessment Centre, the Royal Canadian Mounted Police, the Canadian Security Intelligence Service and Defence Research and Development Canada.

All-hazards: The Strategy sets out an all-hazards risk management approach – under which the full range of sources and causes of potentially harmful or dangerous incidents are considered. All-hazards incorporates traditional emergency management events such as flooding and industrial accidents; as well as national security events such as acts of terrorism; and cyber events. (source: adapted from Federal Emergency Response Plan (2009). Public Safety Canada)

Asset: Any person, personal capability, facility, material, information, or activity that contributes to the accomplishment of an objective. (source: adapted from DHS Risk Lexicon)

Consequences: results or effects of an incident. (source: Oxford English Dictionary)

Note: The type of incident, its magnitude, and the vulnerabilities, value and functions of the assets affected determine the consequences.

Critical infrastructure refers to the processes, systems, facilities, technologies, networks, assets and services essential to the health, safety, security or economic well-being of Canadians and the effective functioning of government. (source: National Strategy and Action Plan for Critical Infrastructure)

Critical services and products: the outputs of critical infrastructure – those services and products whose compromise in terms of availability or integrity would result in a high degree of injury to the health, safety, security or economic well-being of Canadians, or to the effective functioning of the government. (source: Policy on Government Security)

Dependency: one-directional reliance of an asset, system, network, or collection thereof, within and/or across sectors, on input, interaction, or other requirement from other sources in order to function properlyFootnote 2. (source: new)

Incident: Occurrence, caused by either human action or natural phenomena, that may cause harm and that may require action. (source: DHS Risk Lexicon)

Interdependency: mutual, shared or reciprocal dependencies. (source: new)

Likelihood: Probability of an incident occurring. (source: new)

Risk refers to the uncertainty that surrounds future incidents and outcomes. It is a function of the likelihood and consequences of an incident - the higher the likelihood and/or the greater the consequences, the greater the risk. (source: TBS Integrated Risk Management Framework)

Risk management is systematically setting the best course of action under uncertainty by identifying, assessing, understanding, acting on and communicating risk issues. (source: TBS Integrated Risk Management Framework)

System: A set of assets, resources, or elements that work together as a mechanism or interconnecting network. (source: adapted from Oxford Dictionary)

Threat: The presence of a hazard and an exposure pathway; threats may be natural or human-induced, either accidental or intentional. (source: Federal Emergency Response Plan (2009). Public Safety Canada)

Note: The threat may be assessed to determine the likelihood of hostile or harmful actions. To do so, the actor’s intent and capability to undertake such actions may be assessed. The assessment may also consider specific targets (such as specific persons or assets), generic targets (such as sectors, categories of targets, or regions), attack methods, vulnerabilities, as well as provide recommendations to mitigate or eliminate the threat.

Vulnerability: a characteristic or attribute of an asset which renders it susceptible to effects of an incident. Vulnerability informs both the likelihood and consequence of an incident. (source: SARMA consensus definition)

Annex B: List of Hazards and Threats

Note: No list of threats and hazards is ever complete. Below is a list of common threats and hazards that could affect critical infrastructure. It is anticipated that this list will evolve.

Natural Hazards

Meteorological:

Glacier, iceberg

Geophysical:

Fire:

Biological:

Intentional / Deliberate threats

Attacks:

Enemy attack / war Electromagnetic pulse

Accidental / Technical Hazards

Accident

Failure / Technical

Footnotes

  1. 1

    See Tools & Information

  2. 2

    Dependencies may be:

    • Physical: dependency on products, services and resources for continued operation.
    • Informational: dependency on information for continued operation.
    • Geographic: dependency due to the geographic proximity of the infrastructures.
    • Logical: dependency due to economic, political, or management factors (i.e., effects of markets and prices of inputs, command and control of large organizations, border effects on flow of goods and people, and others.)
Date modified: