What is infrastructure?
Infrastructure is built to support an operation. Resilient infrastructure will also facilitate incident management and response and enable efficient recovery to normal operations post-incident. Because of its relationship with the other components of the operation, the operation itself and the operating environment, infrastructure will have multiple dimensions. These are the physical attributes, a temporal attribute in which the infrastructure network/system changes periodically and over its life, a human attribute concerning how it is operated and maintained, and the cyber attribute. These attributes are sometimes collectively referred to as the 6-dimensional nature of infrastructure. It is therefore far more than a collection of structures and plant; it is defined by the operation.
What is resilience?
It is the essential ability of an operation to respond to and absorb the effects of shocks and stresses and to recover normal capacity and efficiency as rapidly as possible.
What is the difference between resilience and protection of critical infrastructure?
Protection focuses on an asset and seeks to prevent a hazard of a given magnitude from adversely affecting or otherwise compromising that asset. Protection is not complete and can always be overcome or exceeded. Resilience, however, refers to the operation and assumes that at some point an extreme event is going to exceed the existing levels of protection and the assets are going to be compromised. The resilience plan seeks to ensure that the operation continues throughout the event and recovery.
Will protecting the infrastructure protect the operation?
Not necessarily. An operation is supported by three components: infrastructure, personnel and the organisation. All three need to be in balance, with each other and the operating environment, which they influence and are in turn influenced by. Focusing on one component at the expense of others will cause an imbalance and not achieve resilience.
Do CARVER2 and similar tools work?
Absolutely. These assessment tools are typically very good when applied to the situations for which they were envisaged. However, one needs to fully appreciate the assumptions behind the system and when it is most appropriately applied. These tools also have the disadvantage of being too subjective when multiple surveys by different teams are collated, making all but the most extreme prioritisation extremely difficult. If in any doubt, it is more reliable to use a first-principles approach to the survey and assessment.
Is Resilience Planning the same as Business Continuity Planning (BCP) or Enterprise Risk Management (ERM)?
No. BCP is an essential starting point for the ‘understanding’ stage of resilience planning, though in itself it remains introspective and takes little account of a catastrophic event that simultaneously affects the business/operation as well as those of the stand-by suppliers and alternative sites.
Resilience planning runs in parallel to ERM and they use many of the same data. However, ERM is a risk-based approach to business management. While not exclusive of infrastructure resilience planning, it does not replace it and has its own distinct purpose and function. The Casualty Actuarial Society has produced a useful guide to ERM, which it defines as ‘the discipline by which an organisation in any industry assesses, controls, exploits, finances and monitors risks from all sources for the purpose of increasing the organisation’s short and long term value to its stakeholders’.