From Risk Management to Resilience Management in Critical Infrastructure

Abstract

This article discusses critical infrastructure resilience in terms of how it could be incorporated into the existing safety and security practices, namely the ISO 31000 risk management standard. The article starts by outlining the resilience discourse, focusing on the organizational, technological, and societal domains of resilience. It goes on to present an approach to how the risk management standard can be extended to a critical infrastructure resilience management framework. Focusing in particular on the organizational and technological resilience domains, which are considered those that can most readily be controlled by critical infrastructure operators, the article presents one of the resilience assessment techniques in some detail to operationalize the overall management framework. In so doing, the article proposes a prestandardization input for critical infrastructure resilience management, tested in an operational environment. The article concludes with five maxims for this objective: no duplicate practices; tailorability; plurality of assessment techniques; measurability; and relative ease of use.