Launch of the Critical Infrastructure Resilience Strategy

Canberra

15 June 2010

First, may I acknowledge the traditional owners of the land we meet on – and pay my respects to their elders, both past and present.

It’s a great pleasure to join you this afternoon to launch the Government’s new Critical Infrastructure Resilience Strategy. It has been some six months since we last met and at that time I announced the Government’s shift from critical infrastructure protection to critical infrastructure resilience.

As you will know, since taking Office, the Government has focused on broadening the scope of Australia’s national security policies and programs to ensure Australia is best placed to prepare for, prevent against and if necessary, respond to a hazard of any kind - man-made or natural.

The security environment we face today – and into the future – is increasingly complex and continually changing. As a result, we face a range of hazards. The prospect of a terrorist attack is well known and considerable resources are directed at preventing such an event. But that is not the only risk. Other risks range from natural disasters, to equipment failure and other forms of serious crime.  These can all damage or destroy critical infrastructure and also disrupt the continuity of essential services.

Because of our reliance on these services, such incidents could hit Australians hard.  And indeed past incidents have certainly shown this to be the case. Australia’s critical infrastructure is, as its name suggests - critical.  Without it our prosperity as a nation, and individually, is compromised.

Our critical infrastructure is highly interdependent so we can’t look at one company or one sector in isolation as failure or disruption in one sector could lead to disruptions in other sectors.  For example, owners and operators of water infrastructure rely on electricity for pumping and telecommunications for monitoring operations.  Similarly, the communications industry needs telemetry services to run their operations and participate in the electricity market. The list could go on.

Increasingly, the growing complexity of markets and technology makes it difficult for even the most responsible operator to truly understand and measure the risk associated with each and every reasonably likely event. It is imperative, therefore, that we work together to share knowledge, experience and methodologies to ensure the continuity of our critical infrastructure. This is what the concept of resilience is about. 

It also means coordinating our plans, preparations and responses across sectors and networks. Those responses need to be flexible and ensure quickest possible recovery. It also means developing an organisational culture that focuses on providing at least a minimum level of service during interruptions, emergencies and disasters before quickly returning to full operations.

Let me draw on an example to illustrate my point.  During the Victorian bushfires, a local bank branch located in a bushfire affected area burnt to the ground. To enable the community to continue to have access to banking facilities – critical in the time of a crisis – the bank drew on one of its resilience initiatives: “bank-in-a-box”. Bank-in-a-box enabled the bank to effectively set up shop in any available premises so that customers were able to quickly access their money. This initiative enabled many families to sustain themselves during the crisis. Deservedly, the banks action justifiably enhanced its reputation.

The previous Critical Infrastructure Protection program has been very successful. It has established strong business-government partnerships, most notably through the Trusted Information Sharing Network (TISN).  Indeed, the previous program has also provided a very solid foundation from which we can move forward by establishing risk management and business continuity as essential elements of the program.

In the current security environment, however, this approach needs updating.  In particular, to a large extent, the usual application of these elements focuses primarily on reasonably foreseeable risks. Unfortunately, many risks are not always reasonably foreseeable. Because of the constantly and rapidly changing nature of the economy, technology and society – past events don’t always provide adequate guidance on determining plausible future hazards.  As with any military operation, planning to win the last battle may not adequately prepare us for the next.

For example, in the 1990s – who would have known just how important the internet was going to be to the operation of business, government and our communities? Any sort of historical analysis probably wouldn’t have forecast this or provided guidance on future planning.  Today, literally billions of dollars are being spent on ensuring internet connectivity in times of conflict or natural disaster.

Similarly, an approach based on writing plans for all aspects of likely events can lead to an overly rigid response that emphasises centralised decision making. Because of the growing complexity of critical infrastructure systems, networks and the environments in which they operate, it’s virtually impossible for individual owners and operators to fully comprehend all relevant vulnerabilities and threats. In addition, as complexity increases, owners and operators are forced to make decisions on increasingly imperfect or un-tested information.

This is why we need an approach that helps organisations address hazards and risks that are also unforeseen or unexpected. Shifting the focus will enable us to better adapt to change, reduce our exposure to risk, be better able to bounce back from any type of hazard, and learn from incidents when they occur.

We can think about the concept of resilience as similar to a game of rugby.  Some might disagree, but playing a rugby match is quite a complicated exercise. It involves an understanding of the strategy, the rules of the game, the roles of each player, and so on. A plan can be written that describes all this information but it cannot provide instruction of what to do in each and every scenario, including the unexpected - such as a sudden change in the weather, or the referee interpreting the rules in a different way. Each individual player needs to adapt and use their inherent and learned skills to make reactive decisions on the field. Many decisions are not always part of a plan or set moves. The coach’s role is to provide them with the skill set and the framework to make those critical decisions and have the confidence to carry them out when it counts.

Using that same analogy, organisational resilience is effectively the ability to make the most out of the situation at the time, make better decisions, adjust any relevant plans or strategies as required, react to the conditions, while continuing to achieve the end goal –  win the game or at least, reduce the extent of the loss.

The new Critical Infrastructure Resilience Strategy, which I am launching today, has this added dimension.  It builds on the previous program by encouraging traditional risk management and business continuity practices, while also embracing organisational resilience initiatives. This approach helps organisations develop an enhanced capacity to deal with issues and threats. It is far more sophisticated than the more traditional approach of developing plans to deal with a limited number of scenarios.

Returning to the rugby analogy, building organisational resilience requires distributed decision making, backed up by the individual responsibility of those persons who have been properly trained.  That is, having a situation where everyone knows their job and accepts responsibility for ensuring that it gets done.  When aided by adaptable tools and techniques, this can significantly improve and organisations ability to deal with both foreseeable and unforeseen events.

Taking this more flexible and innovative approach means that decision makers are not just senior management, they are at every level of a business. As such, individual decision makers are expected to act consistently with their training, experience and allocated level of responsibility.  Under this structure all decision makers need to see risk mitigation and response as part of their role – and they need to be empowered to carry it out. This approach gives the organisation a greater ability to respond to events that may have been unforeseen or assessed as being a very low likelihood and therefore excluded from planning.
It is in this way that critical infrastructure resilience is achieved – by undertaking traditional risk management and business continuity practices, as well as organisational initiatives to allocate responsibility according to training and empowering management and staff to respond to crises in a flexible and effective way. There are many direct benefits to business being more organisationally resilient to hazards, including improved reputation, minimising lost revenue or supply disruption, and reduced exposure to litigation.

Improving the resilience of individual organisations is important but, even then, bolstering Australia’s overall critical infrastructure resilience requires more than the efforts of individual organisations. It takes a team effort to bring about positive change. That is why the continuity of critical infrastructure must be a shared responsibility – by all governments and the owners and operators of the infrastructure.

The new strategy I am launching today is therefore based on partnership. 

The most visible component of this partnership is the TISN. It provides a very important mechanism to foster cooperation between public and private stakeholders on mutually important issues. To help support the work of each sector in the TISN, I am pleased to announce that both the TISN public and secure websites have been upgraded – and have gone live today. These are key avenues for sharing information and promoting the good work of each group and gaining a better understanding of cross-sectoral issues.

Another important dimension of the business-government partnership relates to the positive impact this can have on the Australian community. A community that continues to receive essential services in times of crisis is likely to be more resilient to disasters.

Australia is facing a likely escalation in disaster risk – and we need to be able to manage it. In order to do this, we need a national, coordinated and cooperative effort. A partnership involving individuals, households, communities, business and governments. Being able to adapt to change, reduce our exposure to risks, and bounce back from disasters is a responsibility that we all share.

I would like to thank everyone involved in helping to create the new Critical Infrastructure Resilience Strategy. I believe it demonstrates the Government’s commitment to working with owners and operators, and State and Territory governments, to achieve complementary and mutually beneficial outcomes.

Over the next few months an implementation plan will be developed, and I encourage all parties to continue working together on this important issue.

It is now my pleasure to formally launch the Australian Government’s Critical Infrastructure Resilience Strategy.

Thank you.