An integrated approach to infrastructure projects




Mark Whyte, William Brown and Aaron Thatcher of Control Risks discuss the importance of an integrated, multi-risk approach to large infrastructure projects.

The latest generation of developments in infrastructure and built environments – buildings, roads, internet lines, ports and waterways – provides an exciting glimpse into our future world.

These developments contribute to a sustainable, resilient, integrated and connected environment for residents and visitors to enjoy and thrive in.

The risks facing infrastructure and built environments, however, have never been as complex, inter-connected or dynamic.

The latest developments not only generate new risks but can also amplify those threats and risks that already exist.

The traditional threats – such as crime and terrorism – are now accompanied by more modern ones; cyber is an obvious example, particularly within smart cities such as Singapore.

This combination of risks creates the potential for financial, physical and reputational damage and loss that could threaten the current and future viability of a scheme. 

Compliance and regulatory risks are ever present, particularly within the ESG sphere, which is not just a major concern for investors, but for the population, which expects commercial organisations to be good corporate citizens adopting best practices.

And, as the construction phase of a project gets underway, fraud and corruption as well as worker welfare issues come to the fore. Climate-driven risks have become alarmingly commonplace across the globe.

The recent fires across Southern Europe are a stark example and make clear the scale of the management challenge. 

So, how are high performing organisations addressing these challenges and managing their risks? And, what trends are we seeing?

There appear to be two fundamentals to get right at project inception.

The first is a centralised and integrated approach to risk and security at the executive board level, founded on a forensic understanding of the multi-faceted risk environment.

This must be supported by a threat monitoring program that uses best-in-class, data driven technology.

Insights from threat monitoring will inform decision making throughout the design and construction stages through to the operational, in-use phase. 

The second fundamental aspect is ensuring that there is an inspiring and compelling vision and strategy for how risk will be managed through the entirety of the project.

This strategy should produce an agreed route map, security standard and goals and an effective stakeholder engagement program that extends through all design and engineering disciplines.

This will provide the essential handrail to guide design decisions and to measure progress and compliance.

It is also worth considering two specific areas that can be misunderstood within multi-disciplined design and engineering teams: security master planning and managing cyber-risk at an enterprise level.

Integrating security into development planning

Security master planning – which is the integration of security solutions into the planning of a new infrastructure project to reduce vulnerability and risk exposure – has historically not been done early or well.

Integrating security into development projects is increasingly expected or mandated by governments, project sponsors and owners; planning and design consultants should view this integration and compliance with government mandates as key contributors to project success.

Experienced security risk, planning and design consultants can highlight issues and work with professionals in other disciplines to reduce the inherent vulnerability within the physical environment.

When understood and considered early, security, accessibility, placemaking, public realm and architectural inputs can combine to deliver an outstanding end user experience.

Understanding security threats, vulnerabilities and risks through detailed assessments and setting the project’s security brief and priorities at the earliest stage of development planning sets the foundation for decision making.

Security risk assessments aligned with ISO 31000-2018 and the more specific AS/NZ Handbook 167:2006 standards tend to be the most methodologically sound.

Whatever methodology is used, the terms threat and risk – and how they are assessed – should not be confused.

Assessments should include appropriate and specific graphics to provide a clear understanding of what can happen, where and the associated consequences.

Development projects will face different threat sources, actors and attack methodologies depending on the purpose of the land use and facilities.

Not all assets are equally attractive targets. Moreover, threats will increase and decrease over time.

To inform decisions, it is important to assess the credibility of a threat source and the type of attack that may be used based on target attractiveness.

The level of threat that exists is beyond the control of a physical development or its operations; developments will exist over long periods of time and, therefore, addressing the vulnerability to threats is arguably a more important evaluation when assessing risk.

A strong threat-informed but vulnerability-led risk-based foundation enables security professionals to develop a strategy and its component solutions as part of the planning and design process.

The security strategy should focus first on spatial planning and a fit-for-purpose design to have the greatest impact on reducing risks.

Once the physical environment is built, it determines the options available to a would-be attacker; the technological and operational controls that are overlaid on the physical environment then contribute to further risk reduction and overall resilience.


The more digitally interconnected a development becomes, the more reliant it is on the confidentiality, integrity and accessibility of systems and the respective data those systems rely on.

Addressing cyber and digital risk has traditionally been more effectively executed in the market sectors that have a specific regulatory framework.

This is no longer the case, as we now see cyber and digital risk becoming a discipline in the planning phase through to the design and development of large urban environments and smart city systems – with threats and vulnerabilities being assessed and control environments put in place to manage or mitigate those risks.

Exactly what smart city systems consist of is a longer discussion, but it ranges from automated traffic control and mobility support, automated metering of utilities and environmental controls like the positioning and deployment of shade or hydration systems through to the surveillance and security systems.

The smart considerations around security systems specifically are multi-faceted and vary by jurisdiction and data privacy legislation.

As security systems become more integrated and capable, we are seeing that the increased capabilities are driven by data.

Take, for example, the integration of ANPR systems with the municipality database, which includes biometric data on vehicle users and therefore presents risks such as data privacy, data breaches and potential misuse.

Video surveillance systems in public spaces and private property can also be integrated, and machine learning and AI are being used specifically to identify persons of interest through behavioural analysis and gait analysis. All of these systems are being integrated with the specific aim of enabling preventative physical measures to be invoked, a true example of a converged security capability.

These types of integration make a vast quantity of data available within a single security operations centre.

There, data can be analysed and elements that might require attention from the security team can be presented in a practical and easily understood format to enable effective responses.

Final thoughts

Aligning the essential building blocks at the very start of a project will ensure that addressing risk in all its facets, in a comprehensive and integrated way, is embedded within the heart of the organisation, contributing to the overall success of the endeavour.

Key outputs, such as the security masterplan and the cyber-strategy, build on those foundations and provide a framework of understanding and decision making for all parties concerned with the design and engineering of a scheme. High performing organisations invariably get these basics right.
