By Joanne Peulen – Board & Governance Specialist
The Australian Government’s consultation on the draft Risk Management Program Rules (Rules), added via recent amendments to the Security of Critical Infrastructure Act 2018 (Cth) concluded on 18 November 2022.
It is already clear that Responsible Entities with existing fit-for-purpose risk management frameworks and effective board risk oversight processes will be best placed to respond to the requirements of the new Rules once made by the Minister of Home Affairs.
The Rules are expected to impose board-level obligations on industry sectors that do not currently have equivalent risk management requirements under existing legislation.
Proposed asset classes are expected to include:
- critical electricity and energy market operator assets
- critical gas, liquid fuels, and water assets
- critical financial market infrastructure assets used in connection with the operation of payment systems
- critical data storage or processing assets and domain name systems
- critical food and grocery assets
- critical freight infrastructure and freight services assets
- critical broadcasting assets, and
- certain critical hospitals
Within 6-months of the Rules taking effect, Responsible Entities will be required to:
- have developed and implemented a board-approved critical infrastructure risk management program (RMP). That program must outline the material risks that affect their critical infrastructure asset(s), and the steps taken to minimise the risks related to four key hazard categories – cyber and information security, personnel security, supply chain, and physical and natural, and
- meet annual board-level reporting requirements to the Department of Home Affairs in respect to the characteristics and effectiveness of their RMP.
As the proposed Rules are principles-based, there is no set or defined template required for the risk assessment. Entities may develop a critical infrastructure risk management program in a format that is suitable for their business and its operational needs.
After a further 12 months, Responsible Entities will need to comply with the particular external cyber security framework identified within their RMP. Learn more at Engagement on critical infrastructure reforms (homeaffairs.gov.au)
Directors Australia assists boards across a range of sectors to uplift their risk governance and oversight with fit-for-purpose risk management solutions. We look forward to supporting our clients as they transition to this new level of risk management transparency.
You can find out more about Directors Australia’s risk and compliance advisory services here
 A Responsible Entity being an owner or operator of a critical infrastructure asset.