Four steps to building resilience for Critical National Infrastructure

Critical national infrastructure (CNI) is vital for the everyday functioning of society. Such infrastructure is no longer defined by its static physical assets, but instead by the interplay between the digital layers, human behaviour and its interactions with other infrastructure systems. The growing scale of interdependency amplifies operational risk, as the entire network of connections becomes increasingly susceptible to disruptions. Therefore, resilience has become a desirable characteristic to ensure these systems remain operational.

In this blog we outline four steps to follow to help build resilience in CNI.

 

What does ‘resilience’ mean?

Common ideas of resilience can typically be grouped into three categories: 

  • a system property (stability, robustness, capacity, etc.)
  • service delivery (normal operation or degraded service)
  • ability to handle events (recovery, response and impact)

These definitions are naive in that they do not capture the notion of resilience. Additionally, these terms require different implementation methods, which result in diverse outcomes that do not necessarily address system vulnerability. This conceptual ambiguity means resilience is often left undefined: its meaning is neither consistently articulated nor shared across individuals, teams and organisations.

Step 1: The first step towards building resilience is to determine the meaning of resilience in the context of your organisational vision, mission and operational environment. This will help encourage more effective engagement and open discussion with consumers, suppliers and regulators.

Do you understand your system dependencies and consumer expectations?

System behaviour emerges from the network of relationships between system components and stakeholders, within and across system boundaries. Critical national infrastructure operates in a complex stakeholder environment. It is often subject to third-party operational, policy and regulatory decisions that exert influence on, and have unintended consequences for, systems beyond their immediate boundaries. If these relationships are decoupled and siloed within technical, economic, social and institutional domains, we will likely miss signals of change that are identifiable from these system interactions.

Similarly, research suggests that there is an ‘expectation gap’ between consumers and CNI operators in relation to the provision of services in the event of a crisis. Consumer expectations are typically framed around minimal downtime. However, governments and critical infrastructure operators increasingly expect responsibility to be shared, with consumers taking an active role in preparing for and managing the impacts of outages.

Step 2: Map out operational interdependencies. This includes determining which suppliers, logistics partners and distribution channels are indispensable for sustaining minimum service levels and cash flow. This allows a more holistic assessment of the organisational environment to be conducted, and potential opportunities and vulnerabilities to be identified.

The trilateral relationship between CNI operators, consumers and regulators exacerbates complexity and constrains organisational decision-making autonomy. Therefore, information sharing and continuous communication are recognised as key factors in setting realistic expectations that are in line with operator capabilities.

Have you defined your Minimum Viable Operational Model?

When, yes when (and not if), your organisation faces a crisis, it is crucial that the essential systems and services underpinning its core operations have been clearly identified and appropriately prioritised. Once priority systems, suppliers or components have been identified, organisations should establish the level of impact they can tolerate, specifying the maximum disruption each critical element can sustain without causing unacceptable consequences. This approach aims to encourage organisations to look beyond a risk-centric approach to resilience, without disregarding the importance of risk assessment. 

To ensure no critical system dependencies are overlooked, crisis exercises are a fundamental part of preparing for and planning against unexpected events. However, the effectiveness of exercises is constrained by the creativity and foresight of those designing them. Events seldom unfold exactly as anticipated. Therefore, diversity in approach, along with continuous and ongoing testing, is essential.

Step 3: Define your Minimum Viable Operational Model and test it thoroughly with diverse groups of stakeholders! 

What is your budget?

Over the past few decades, CNI has experienced significant underinvestment and recapitalisation, resulting in extraordinarily high upfront costs to address some of the fundamental challenges. Additionally, the cost of cultivating resilience presents a significant challenge. Unlike traditional investments, where returns can be quantified through revenue or profit, resilience initiatives often do not generate immediately visible financial benefits. Consequently, securing ongoing funding for resilience measures, much like cyber security, can be difficult, as the value is realised through the avoidance of adverse outcomes – counterfactual scenarios that are inherently difficult to observe and communicate.

Don’t attempt to tackle every challenge at once. Large, complex problems are often too unwieldy to address in a single effort, and trying to do so can lead to wasted resources and missed opportunities. Instead, advance the system incrementally towards objectives through a series of viable, stable intermediate states. Rather than relying on a single, large-scale investment that may not be economically viable, these stages provide fundable opportunities for progress along alternative pathways and allow for rollback if necessary. This approach requires striking a balance: taking sufficient risk to enable meaningful change, while avoiding exposure that the organisation cannot absorb.

Step 4: Invest in something today. Delaying investment only allows costs and risks to grow, making continuous investment essential. Instead of focusing solely on quick wins, prioritise solutions that address multiple vulnerabilities simultaneously, building long-term resilience while making tangible progress today.

To find out more about how QinetiQ’s experts can help you to build resilience in your organisation, please get in touch.

21/04/2026

  • Jane Wright - Senior Consultant